IBM PureApplication System Version 2.0.0.1 Interim Fix 3

This readme document provides information on installing PureApplication System Version 2.0.0.1 Interim Fix 3, which includes maintenance updates for the PureSystems Managers. 

Version 2.0.0.1 Interim Fix 3  includes fixes for this security vulnerability:
CVE-2015-2808 Vulnerability in RC4 stream cipher
                                                            


BEFORE YOU BEGIN

1. Ensure that the system is updated to Version 2.0.0.1. For more information, see the PureApplication System Version 2.0.0.1 Interim fix upgrade guide that is available with this interim fix from http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.0.0.1&platform=All&function=textSearch&text=V2.0.0.1+interim+fix+3

2. Ensure that you have administrative user with Hardware Administrator privileges. 

3. Disable Service and Support Manager to prevent PMRs from being automatically opened during the system update process. Select the 
   "Do not collect troubleshooting information and do not open a service request." option from the Service and Support Manager section 
   on the System > Settings page. For more information, see the following links:

	* W2500/W1500 systems: http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/systemconsole/t_service_support.dita
	* W2700/W1700 systems: http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/systemconsole/t_service_support.dita


PROCEDURE

The tasks for installing the interim fix are summarized in the following list. For the detailed steps of each task, see the chapter for 
updating systems in the Version 2.0.0.x Installation Guide.

1. Download the interim fix from http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=2.0.0.1&platform=All&function=textSearch&text=V2.0.0.1+interim+fix+3

2. Upload the interim fix to a server that the target system can access by way of HTTP or SCP.

3. Confirm the system is in a suitable state for system updates.

	a. Log in to the system with your Hardware administrator account credentials. 
	b. Click System > System Maintenance > Check.

   After the operation runs, you can click the Detailed status icon to view more information about the results. You can also click the Download logs icon.

4. Install the interim fix. Click Update System on the System Maintenance page.

5. As the leader PureSystems Manager update is running, monitor the status on the standby Upgrade Status page. Access the page at https://<non_leader_IP_address/upgrade. 
   Refresh the browser to see the latest status.   

6. After the leader PureSystems Manager update is complete, click the system console link to return to the System Updates page and continue with the automated updates process.

7. Verify the system updates are successfully installed by using the Update Completion Time and Status columns in the table showing the list of update steps. 
In addition, you can run the service purescale version command on the leader PureSystems Manager to verify the current level of the system, as illustrated in the following example:

	[root@localhost ipas-manager]# service purescale version
	Red Hat Enterprise Virtualization Hypervisor release 6.3 (0)
	OS buildType=manufacturing
	OS buildLabel=20150501-1020-603
	OS buildVersion=2.0.0.1
	Data buildType=manufacturing
	Data buildLabel=20150501-1020-603
	Data buildVersion=2.0.0.1
	Data ipas.buildLabel=20150427-1546-724
	Data ipas.snapshot=Platform 2.0.0.1 sMash Continuous_20150427-1546-724
	Data iwd.version=version 5.0.0.1 driver 205 versionNum 20150501-0949-953 01 May 2015
	10:14:29

8. Enable Service and Support Manager. For more information, see the links listed in step 3 in the Before you begin section above.
        

*** Security Notice ***
----------------   AFTER THE UPGRADE --------------------------------

Disabling SSLv3 protocol

After upgrading to IBM PureApplication System Version 2.0.0.1, you must apply IBM PureApplication
System V2.0.0.1 Interim Fix 2 to disable SSLv3 due to a vulnerability that has been referred to as the
Padding Oracle On Downgraded Legacy Encryption (POODLE) attack.

Before you begin

Ensure that your IBM service representative has applied IBM PureApplication System Version 2.0.0.1 and that you have upgraded to caching service Version 2.1.0.2.

Note: Caching service Version 2.1.0.0 and earlier instances cannot be upgraded to caching service Version
2.1.0.2. For these instances, you must delete any existing caching service prior to upgrading the
foundation pattern types. After the foundation pattern types upgrade, deploy the new caching service
instances of service Version 2.1.0.2 as described in the following procedure.

About this task

This task describes mitigation procedures for deployed instances of virtual applications, shared services,
and virtual systems, in addition to deployed instances of classic virtual systems.

After you upgrade and apply the mitigation steps and the JRE upgrade emergency fix, Java management
processes that are running on deployed virtual machines are configured to support the SSL_TLSv2
protocol suite. The SSL_TLSv2 protocol suite enables TLSv1.2, TLSv1.1, TLSv1, and SSLv3 in this
precedence order. SSLv3 is disabled by JRE default, therefore, SSL_TLSv2 only enables the TLS protocols:
TLSv1.2, TLSv1.1, and TLSv1. At runtime during client and server SSL handshake, the best protocol that
the client and server have in common is selected. For example, TLSv1.2 is selected if both support
TLSv1.2. For more information on JRE default protocol configuration, see Alternative mitigation options:
http://www-01.ibm.com/support/docview.wss?uid=swg21688165#issues


 -- W2500/W1500 systems --
Download IBM OS Image for Red Hat Linux Systems : 2.1.1.0 (RHEL 6.6 image) from the IBM Passport
Advantage Online website. This image contains the required JRE upgrade of JDK6: SR16 FP3 or later. For
more information, see Downloading IBM OS images.
http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/pct_downloadosimages.dita

Note: SSLv3 is disabled by JRE default policy in the new base operating system images unless you
remove the jdk.tls.disabledAlgorithms=SSLv3 property from the JRE java.security file.

The following steps are for new pattern deployments leveraging new base operating system images
which eliminate the need for the mitigation procedures.

	• For new virtual application, shared service, and virtual system deployments, use the following
	procedure to change the default deployment settings in order to add the new operating system images:
	1. Click Cloud > Default Deploy Settings.
	2. Click Delete in the Action column to delete the old base operating system image.
	3. Click Add to add the new version of base operating system image.

	• For new classic virtual system deployments, use the new patterns that are built on the new operating
	system images. Alternatively, use the following procedure to upgrade existing patterns:
	1. Extend the original image. For more information, see Extending and capturing virtual images.
	   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/pct_extend_vi.dita
	2. Upload IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to the
	   PureApplication System catalog. For more information, see Adding emergency fixes.
	   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/pct_add_ef.dita
	3. Apply IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to the extended classic
	   virtual system instance.

	Note: While applying the fix to each instance running on Intel operating systems, clear the check
	from the Take a snapshot before service is applied. check box.

	4. Capture and receive the the new image. For more information, see Extending and capturing virtual
	   images.
	   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/pct_extend_vi.dita
	5. Clone existing patterns and specify to use the newly captured image. For more information, see Cloning 
	   virtual system patterns.
	   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/pat_clonesvsys.dita?lang=en

Procedure

To disable SSLv3 protocol in virtual application, shared services, and virtual system deployed
instances, perform the following steps:

	Important: You must perform these steps in the following order or the fix will not be successful.

1. Upgrade pattern types to the following versions:
	– Foundation-ptype Version 2.1.0.3
	– itm-ptype Version 1.0.2.3
	– pdk-ptype Version 1.1.0.2
2. For each virtual application and virtual system instance running on Intel operating systems, use the
   following steps to disable the automatic snapshot before applying the emergency fix:
	a. Click Patterns > Pattern Instances and select the instance type.
	b. Click the instance. The instance details display to the right.
	c. Scroll to From pattern and expand Snapshots.
	d. Click Disable Automatic Snapshots.
3. Upload IBM PureApplication System V2.0.0.1 Interim Fix 2 to the PureApplication System catalog.
   For more information, see Adding emergency fixes.
   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/pct_add_ef.dita
4. Apply IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to each virtual
   application, shared service, and virtual system instance. See the following links for the detailed
   steps:
	– Applying fixes to virtual application instances
	  http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/apt_maintfix_ov.dita
	– Applying fixes to shared service instances
	  http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/ss_applyfix_ov.dita
	– Applying fixes to virtual system instances
	  http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/pat_vsysmaint.dita
5. Restart each instance or individual virtual machines for the JRE updates to take effect. For more
   information, see Starting and stopping virtual machines.
   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/systemconsole/t_addvirtmachine.dita
6. Use the following steps to verify that SSLv3 is disabled and that the deployed virtual machine
   supports TLSv1.2 protocols:
	a. Run the following command:

	   openssl s_client -connect vm_ip:9999

	   where vm_ip is the IP address of the deployed virtual machine.

	b. SSH into each virtual machine and run the following command:

	   /opt/IBM/ibm-java-dir/jre/bin/java -version

	   – Virtual machines running JRE6 (classic virtual system instances) see the version updated to
	     SR16
	   – Virtual machines running JRE7 (shared service, virtual applications, and virtual system
	     instances) see the version updated to SR8 FP10

	c. Run the following command:

	   openssl s_client -connect vm_ip:9999 -ssl3

	   where vm_ip is the IP address of the deployed virtual machine.

	   An error message returns showing a handshake failure because SSLv3 is not supported.

7. Use the following steps to deploy a new caching service instance using the new version of the
   caching service plug-in:

	a. Click Manage > Operations > CachingMaster, Grid Administration > Create grid to go to the
	   new caching service instance.
	b. Create a session grid with a dedicated user name and password and a proper grid cap for the
	   web application.
	c. Use a Secure Shell (SSH) connection to connect to the virtual machine where Websphere
	   Application Server is running.
	d. Run the wsadmin command:

	   /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/wsadmin.sh -lang jython

	e. Run the following command to configure the web application's session management with the
	   new caching service IP, user, password, and grid name. The following command uses the
	   example of configuring the web application HttpSessionSample.war.

	   AdminApp.edit(’HttpSessionSample.war’, ’[-SessionManagement [[true XC10SessionManagement "’ + <caching_service_f. Locate the web application's splicer.properties file and set reuseSessionId=true.

	g. Restart WebSphere Application Server for the new configuration to take effect.


To disable SSLv3 protocol in classic virtual system deployed instances, use a Secure Shell (SSH)
connection to connect to each virtual machine and perform the following steps:

	Important: You must perform these steps in the following order or the fix will not be successful.

1. Use one of the following procedures to upgrade pattern types:
	– Directly apply the emergency fix:
		a. Upload the poodle_vsys.ifix.zip file to the PureApplication System catalog. For more
		   information, see Adding emergency fixes.
		   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/pct_add_ef.dita
		b. Apply the emergency fix to the classic virtual system instance. See the following link for the
		   detailed steps:Applying fixes to classic virtual system instances
		   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/sit_service_vs.dita
	– For classic virtual system instances where the root account login is disabled:
		a. Copy update.py and monitoring_parms.json to each virtual machine.
		   - For Linux and AIX virtual machines, copy the two files to the /0config directory.
		   - For Windows virtual machines, copy the two files to the C:\0config directory.
		b. Run the following command from Oconfig:

		   python update.py

		   The python script performs the following:
		   - Updates the topology using the latest plugins from foundation-ptype Version 2.1 and
	 	     itm-ptype Version 1.0 if it exists on the virtual machine.
		   - Stops the PureApplication System management and monitoring processes on the virtual
		   machine.
		   - Cleans up related paths and files.
		   - Re-launches the 0config initialization process to upgrade foundation-ptype and itm-ptype,
		     if necessary.
2. Upload IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to the
   PureApplication System catalog. For more information, see Adding emergency fixes.
   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/iwd/pct_add_ef.dita
3. Apply IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to each classic virtual
   system instance.

	Note: While applying the fix to each instance running on Intel operating systems, clear the check
	      from the Take a snapshot before service is applied. check box.

4. Restart your virtual machine for the updates to take effect. For more information, see Starting and
   stopping virtual machines.
   http://www-01.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/systemconsole/t_addvirtmachine.dita
5. Use the following steps to verify that SSLv3 is disabled and that the deployed virtual machine
   supports TLSv1.2 protocols:

	a. Run the following command:

	   openssl s_client -connect vm_ip:9999
	
	   where vm_ip is the IP address of the deployed virtual machine.

	b. SSH into each virtual machine and run the following command:

	   /opt/IBM/ibm-java-dir/jre/bin/java -version

	   – Virtual machines running JRE6 (classic virtual system instances) see the version updated to
	     SR16
	   – Virtual machines running JRE7 (shared service, virtual applications, and virtual system
	     instances) see the version updated to SR8 FP10

	c. Run the following command:

	   openssl s_client -connect vm_ip:9999 -ssl3

	   where vm_ip is the IP address of the deployed virtual machine.

	   An error message returns showing a handshake failure because SSLv3 is not supported.




 -- W2700/W1700 systems --
Download one of the following base operating system images from the IBM Passport Advantage Online
website. These images contain the required JRE upgrade of JDK6: SR16 FP3 or later. For more
information, see Downloading IBM OS images.
http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/pct_downloadosimages.dita

• IBM OS Image for AIX Systems: 2.1.1.0 (AIX 7.1 image)
• IBM OS Image for AIX Systems: 1.1.1.0 (AIX 6.1 image)

Note: SSLv3 is disabled by JRE default policy in the new base operating system images unless you
remove the jdk.tls.disabledAlgorithms=SSLv3 property from the JRE java.security file.

The following steps are for new pattern deployments leveraging new base operating system images
which eliminate the need for the mitigation procedures.

• For new virtual application, shared service, and virtual system deployments, use the following
procedure to change the default deployment settings in order to add the new operating system images:

1. Click Cloud > Default Deploy Settings.
2. Click Change to change the base operating system image to the new version of the base operating
system.

• For new classic virtual system deployments, use the new patterns that are built on the new operating
system images. Alternatively, use the following procedure to upgrade existing patterns:
1. Extend the original image. For more information, see Extending and capturing virtual images.
   http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/pct_extend_vi.dita
2. Upload IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to the
   PureApplication System catalog. For more information, see Adding emergency fixes.
   http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/pct_add_ef.dita
3. Apply IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to the extended classic
   virtual system instance.
4. Capture and receive the new image. For more information, see Extending and capturing virtual
   images.
   http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/pct_extend_vi.dita
5. Clone existing patterns and specify to use the newly captured image. For more information, see
   Cloning virtual system patterns.

Procedure
To disable SSLv3 protocol in virtual application, shared services, and virtual system deployed
instances, perform the following steps:

	Important: You must perform these steps in the following order or the fix will not be successful.

1. Upgrade pattern types to the following versions:
	– Foundation-ptype Version 2.1.0.3
	– itm-ptype Version 1.0.2.3
	– pdk-ptype Version 1.1.0.2
2. Upload IBM PureApplication System V2.0.0.1 Interim Fix 2 to the PureApplication System catalog.
   For more information, see Adding emergency fixes.
   http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/pct_add_ef.dita
3. Apply IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to each virtual
   application, shared service, and virtual system instance. See the following links for the detailed
   steps:
	– Applying fixes to virtual application instances
	  http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/apt_maintfix_ov.dita
	– Applying fixes to shared service instances
 	  http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/ss_applyfix_ov.dita
	– Applying fixes to virtual system instances
	  http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/pat_vsysmaint.dita
4. Restart each instance or individual virtual machines for the JRE updates to take effect. For more
   information, see Starting and stopping virtual machines.
   http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/systemconsole/t_addvirtmachine.dita
5. Use the following steps to verify that SSLv3 is disabled and that the deployed virtual machine
   supports TLSv1.2 protocols:
	a. Run the following command:

	   openssl s_client -connect vm_ip:9999

	   where vm_ip is the IP address of the deployed virtual machine.
	
	b. SSH into each virtual machine and run the following command:

	   /opt/IBM/ibm-java-dir/jre/bin/java -version

	   – Virtual machines running JRE6 (classic virtual system instances) see the version updated to
	   SR16
	   – Virtual machines running JRE7 (shared service, virtual applications, and virtual system
	   instances) see the version updated to SR8 FP10

	c. Run the following command:

	   openssl s_client -connect vm_ip:9999 -ssl3

	   where vm_ip is the IP address of the deployed virtual machine.

	   An error message returns showing a handshake failure because SSLv3 is not supported.

6. Use the following steps to deploy a new caching service instance using the new version of the
   caching service plug-in:
	a. Click Manage > Operations > CachingMaster, Grid Administration > Create grid to go to the
	   new caching service instance.
	b. Create a session grid with a dedicated user name and password and a proper grid cap for the
	   web application.
	c. Use a Secure Shell (SSH) connection to connect to the virtual machine where Websphere
	   Application Server is running.
	d. Run the wsadmin command:

  	   /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/wsadmin.sh -lang jython

	e. Run the following command to configure the web application's session management with the
	   new caching service IP, user, password, and grid name. The following command uses the
	   example of configuring the web application HttpSessionSample.war.

	   AdminApp.edit(’HttpSessionSample.war’, ’[-SessionManagement [[true XC10SessionManagement "’ + <caching_service_f. Locate the web application's splicer.properties file and set reuseSessionId=true.

	g. Restart WebSphere Application Server for the new configuration to take effect.


To disable SSLv3 protocol in classic virtual system deployed instances, use a Secure Shell (SSH)
connection to connect to each virtual machine and perform the following steps:

	Important: You must perform these steps in the following order or the fix will not be successful.

1. Use one of the following procedures to upgrade pattern types:
	– Directly apply the emergency fix:
		a. Upload the poodle_vsys.ifix.zip file to the PureApplication System catalog. For more
		   information, see Adding emergency fixes.
		   http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/pct_add_ef.dita	
		b. Apply the emergency fix to the classic virtual system instance. See the following link for the
		   detailed steps: Applying fixes to classic virtual system instances
		   http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/sit_service_vs.dita

	– For classic virtual system instances where the root account login is disabled:
		a. Copy update.py and monitoring_parms.json to each virtual machine.
		   - For Linux and AIX virtual machines, copy the two files to the /0config directory.
		   - For Windows virtual machines, copy the two files to the C:\0config directory.
		b. Run the following command from Oconfig:

		   python update.py

		   The python script performs the following:
			- Updates the topology using the latest plugins from foundation-ptype Version 2.1 and
			  itm-ptype Version 1.0 if it exists on the virtual machine.
			- Stops the PureApplication System management and monitoring processes on the virtual
			  machine.
			- Cleans up related paths and files.
			- Re-launches the 0config initialization process to upgrade foundation-ptype and itm-ptype,
			  if necessary.
2. Upload IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to the
   PureApplication System catalog. For more information, see Adding emergency fixes.
   http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/iwd/pct_add_ef.dita
3. Apply IBM PureApplication System V2.0.0.1 Interim Fix 2 JRE emergency fix to each classic virtual
   system instance.
4. Restart your virtual machine for the updates to take effect. For more information, see Starting and
   stopping virtual machines.
   http://www-01.ibm.com/support/knowledgecenter/SSCRSX_2.0.0/doc/systemconsole/t_addvirtmachine.dita
5. Use the following steps to verify that SSLv3 is disabled and that the deployed virtual machine
   supports TLSv1.2 protocols:
	a. Run the following command:

	   openssl s_client -connect vm_ip:9999

	   where vm_ip is the IP address of the deployed virtual machine.

	b. SSH into each virtual machine and run the following command:

	   /opt/IBM/ibm-java-dir/jre/bin/java -version

	   – Virtual machines running JRE6 (classic virtual system instances) see the version updated to
	     SR16
	   – Virtual machines running JRE7 (shared service, virtual applications, and virtual system
	     instances) see the version updated to SR8 FP10

	c. Run the following command:

	   openssl s_client -connect vm_ip:9999 -ssl3

	   where vm_ip is the IP address of the deployed virtual machine.

	   An error message returns showing a handshake failure because SSLv3 is not supported.