Installing a fix

You can install a fix for a CVE that affects one or more servers in your inventory from the Security page in the WebSphere Automation UI.

Before you begin

You must have a user profile with the Manage security data permission. For more information, see Configuring roles and permissions.
Important: WebSphere Automation cannot install or uninstall fixes on WebSphere® Application Server or WebSphere Application Server Liberty that are installed on z/OS or iSeries platforms.

About this task

Note:
  • When a single user attempts to do multiple installations on separate servers with shared directories, each directory generated will be unique. This ensures that each installation operates independently without causing interference to the other.
  • Regarding the tWAS servers, a privilege mismatch arises when the IM owner of the WebSphere Server is root, and the IM Install Directory owner is a non-root user. If the installation is executed by root, the install directory's ownership changes to root, leading to failed server restarts. To resolve this issue, a task has been introduced to revert the Install Directory ownership to the non-root user, guaranteeing successful server restarts.

Procedure

  1. Log in to WebSphere Automation; in the menu, click Operate > Application runtimes.
    For more information, see Accessing the WebSphere Automation UI.
  2. If necessary, open the Security page, and then click CVEs.
    Figure 1. Example Security page with installation status of fixes
    Example CVEs page with security vulnerabilities that affect server inventory. Column headings include Risk level, CVE, Days exposed, Servers fixed, Servers vulnerable, and Initial detection time.
    If you do not see the menu option Operate > Application Runtimes, or if you see a message that you are not authorized, then you do not have permission to access the page. For more information about permissions, see Roles and permissions.
  3. Select and click a CVE from the list.
    For more information about the CVEs page, see Viewing security alerts that affect your servers.
  4. On the information page for the CVE, in the Affected servers section, note the servers to which the fix has not been applied. Select the checkbox for one or more servers that you want to apply fixes to.
    Affected servers section of the CVE details page showing a server selected to have a fix applied.

    If a listed server is installed on a z/OS or iSeries platform, an information icon displays with more information, and the checkbox for that server cannot be selected.

    If both registered servers and unregistered servers exist in the same installation on the target host, only registered servers appear in the Affected servers section, but if WebSphere Automation applies a fix to the registered servers, the unregistered servers in the same installation on the target host also are fixed.

  5. To begin the process of retrieving and installing a fix, click Prepare fixes.
    The Prepare fix dialog opens.
    The Prepare fix dialog showing the first panel with options to select Fix type and toggle selector for cleaning up fix files.
    1. On the Choose global options page, select the type of fix to apply to the selected server or servers.
      • Choose iFix to apply only the fix for this vulnerability.
      • Choose Fix Pack to install not only the fix for this vulnerability, but all of the updates that are included in the service level that you want to install. A service level that includes the iFix for the vulnerability might not be available yet.
    2. If you want to have the downloaded fix files deleted from WebSphere Automation storage after the fixes have been installed, set the Cleanup fix files toggle to On.

      The selection that you make applies to all of the selected servers.

    3. Click Next.
    4. Choose fixes to be installed for each group.
      If you selected multiple servers, they are grouped by installation information. For each group, complete the following steps.
      1. Review the servers in the installation on the target host.
        WebSphere Automation applies the fix to the servers in this list. If the installation on the target host also has unregistered servers, they also are fixed. Servers in the installation that are running are stopped to install the fix, and are restarted after the fix is installed. Any servers in the installation that are already stopped when the fix is installed remain stopped after it is installed.
        Note: WebSphere Automation can install only one fix on a particular server at a time. If a fix is being installed on a server, do not initiate the installation of another fix. Attempting to install more fixes while the installation of a fix is in progress results in a Problem with request to install fix error message.
      2. In the Select fix section, you can find the list that displays the available fixes for a vulnerability. The list includes the latest fix pack and interim fixes, also known as iFixes. By default, this list shows only the most recent fixes, as the option to view all available iFixes and Fix Packs is initially toggled OFF. If you want to see the full range of available fixes, then you can toggle this option ON. The system does not automatically select a fix; you can choose the specific fix that you want to use.
        Important: When you install a fix pack to a node in a WebSphere Application Server Network Deployment cell, check the version of the fix pack against the version of the deployment manager host. If the deployment manager version is older than the fix pack version, the WebSphere Application Server admin console might not show the correct running status and synchronization for the node agent. For more information, see Errors in running status or synchronization of node agent after a fix pack is installed.
      3. If you chose to install a fix pack, review the fix pack license using the View license link. To accept the license, check the Accept license box.
      4. If you want WebSphere Automation to create a backup of the server environment and metadata before installing the fix, expand Additional options and set the Create backup toggle to On. The backup is an archive of the Installation Manager installation directory, Installation Manager data directory, and WebSphere Application Server installation directory. To back up your configuration and profiles, use existing WebSphere Application Server or WebSphere Application Server Liberty processes. For more information, see Restoring a server from a backup.
        Note: If there is a privilege mismatch between the WebSphere Application Server directory owner and the IMCL owner, automatic escalation to root or the provided user occurs to try to complete the installation. The backup folder gets created under the .wsa directory of the privileged user, not the WebSphere Application Server directory owner.
      5. If you want to set the path on your local machine where the fix is downloaded, select the Override download check box, and enter the path in the Download directory field.
      6. The selection for the Cleanup fix files toggle that you made on the Choose global options page is shown but cannot be changed on this page. To edit this selection, click Back to return to the Choose global options page.
      7. If Installation Manager was installed in administrator mode but the WebSphere Application Server directory owner does not have administrative permissions, consider the following information.
        For a server on Linux:
        • You can specify the system user that can be used for running Installation Manager commands on the target host.
        • If no specific user is designated and a permission disparity exists, the WebSphere Application Server automatically escalates the permissions to the root level in an attempt to reduce the risk of the playbook from failing prematurely.
        For a server on Windows:
        • When Installation Manager is installed in administrator mode, the user managing the installation must have administrative permissions. You cannot start an account with fewer privileges and then upgrade its permissions to an Administrator.
        • If the Installation Manager was exclusively installed for a single user, you can designate a user to run Installation Manager commands on the target host, provided they have the necessary permissions.
  6. Click Install fixes.
    If the Install fixes button is not active, a fix is not selected for one or more of the groups.
  7. Monitor the fix management record status.
    For more information about monitoring the status of a fix management record, see Viewing and managing fix management records.

What to do next

Monitor the installation of the fix until it completes. If the installation of the fix fails, view the runbook.log file for more information about the cause of the failure.