IBM Application Performance Management 8.1.3 Readme

Fix Readme


Readme file for: IBM Performance Management, Version Server Interim Fix 16
Product/Component Release: 8.1.3
Update Name:
Fix ID:
Publication Date: 24 October 2019
Last modified date: 24 October 2019

This is a cumulative interim fix for the IBM Performance Management server for these offerings:
- IBM Application Performance Monitoring, Version
- IBM Application Performance Monitoring Advanced, Version
- IBM Application Diagnostics, Version
- IBM Monitoring, Version


Download location
Prerequisites and co-requisites
Known issues
Known limitations
Installation information
Troubleshooting installation problems from the Support site
Additional information
New Features
List of fixes
Document change history

Download location

IMPORTANT NOTE: To download this update, you must first log in to IBM Fix Central using the link below. Once logged in, you may select from the individual download packages. When selecting fixes, ensure your download options are set to "Include requisites: Yes".

Fix Download for Linux

Below is a list of components, platforms, and file names that apply to this Readme file.

Product / Component Name Platform Fix
IBM Performance Management Server v8.1.3.0 Linux x86_64

Prerequisites and co-requisites

General description 
This is a cumulative interim fix for the IBM Performance Management family of products, Version 

It includes these component patch versions for the IBM Performance Management server:


Platforms and prerequisites 
This interim fix is supported on the IBM Performance Management server platforms documented here.

Prerequisites for this interim fix 
This interim fix is intended to be applied to any of the following levels of IBM Performance Management server software:

IBM Application Performance Monitoring, Version
IBM Application Performance Monitoring Advanced, Version
IBM Application Diagnostics, Version
IBM Monitoring, Version

Known issues


Known limitations


Installation information

Prior to installation

1. The IBM Performance Management server Version must be installed and running before applying the interim fix.
2. The IF16 server patch backs up the <install_dir>/wlp directory. You must ensure that you have enough disk space to back up that directory structure before installing the patch. If there is not sufficient disk space, the Liberty component patch will not install but the other component patches will install. You will then have to run the again to install the Liberty patch once you've ensured sufficient disk space is available.

You can reduce the amount of disk space required for the backup of the <install_dir>/wlp directory by performing this cleanup before installing the interim fix:

- Delete files with names that start with javacore, heapdump or core in the <install_dir>/wlp/usr/servers/apmui, <install_dir>/wlp/usr/servers/min and <install_dir>/wlp/usr/servers/server1 directories
- Delete files with names that start with trace_ and messages_ in the <install_dir>/wlp/usr/servers/apmui/logs, <install_dir>/wlp/usr/servers/min/logs and <install_dir>/wlp/usr/servers/server1/logs directories
- Delete the <install_dir>/wlp-backup-04,  <install_dir>/wlp-backup-03, <install_dir>/wlp-backup-02,  or <install_dir>/wlp-backup-01 directories if they exist
- Delete the <install_dir>/backup/java*  directories if they exist
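
A dry-run preflight for the cleanup list and disk-space requirement above, as an added example that is not part of IBM's readme or patch tooling. It assumes the backup is written under <install_dir> (the readme names <install_dir>/wlp-backup-05) and takes the install directory as its first argument; it only lists and measures, and deletes nothing.

```shell
#!/bin/sh
# Added example (not IBM code): dry-run preflight for the wlp backup.
# Function names are this example's own. Nothing is deleted.

# Print the cleanup candidates named in the readme, one path per line.
list_cleanup_candidates() {
    install_dir=$1
    for srv in apmui min server1; do
        d="$install_dir/wlp/usr/servers/$srv"
        # javacore*, heapdump* and core* files in the server directory itself
        if [ -d "$d" ]; then
            find "$d" -maxdepth 1 -type f \
                \( -name 'javacore*' -o -name 'heapdump*' -o -name 'core*' \) -print
        fi
        # trace_* and messages_* files in the logs directory; a file named
        # messages.log does not match the pattern and is not listed
        if [ -d "$d/logs" ]; then
            find "$d/logs" -maxdepth 1 -type f \
                \( -name 'trace_*' -o -name 'messages_*' \) -print
        fi
    done
    # Backup directories left by earlier interim fixes
    for n in 01 02 03 04; do
        if [ -d "$install_dir/wlp-backup-$n" ]; then
            printf '%s\n' "$install_dir/wlp-backup-$n"
        fi
    done
    for j in "$install_dir"/backup/java*; do
        if [ -d "$j" ]; then
            printf '%s\n' "$j"
        fi
    done
}

# Size in KiB of everything under a path (0 if the path does not exist).
kib_used() {
    if [ -e "$1" ]; then
        du -sk "$1" | awk '{print $1}'
    else
        echo 0
    fi
}

# Free KiB on the filesystem that holds a path.
kib_free() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Sum the size in KiB of the paths read from stdin, one per line.
kib_total() {
    total=0
    while IFS= read -r p; do
        total=$((total + $(kib_used "$p")))
    done
    echo "$total"
}

# Return 0 if there is room for a copy of <install_dir>/wlp, 1 otherwise.
# An optional second argument overrides the measured free space in KiB.
wlp_backup_fits() {
    install_dir=$1
    need=$(kib_used "$install_dir/wlp")
    free=${2:-$(kib_free "$install_dir")}
    reclaim=$(list_cleanup_candidates "$install_dir" | kib_total)
    printf 'wlp: %s KiB, free: %s KiB, cleanup candidates: %s KiB\n' \
        "$need" "$free" "$reclaim"
    [ "$need" -le "$free" ]
}

# Run only when an install directory is given, e.g.: sh preflight.sh /opt/ibm
if [ "$#" -ge 1 ]; then
    list_cleanup_candidates "$1"
    wlp_backup_fits "$1"
fi
```

Review the listed paths before deleting anything; the name patterns are the readme's and match on prefix only.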


Installing the IBM Performance Management Server update 

  1. As the root user, download from IBM Fix Central to a temporary local directory (e.g. /tmp/IF16-patch) on the computer where you installed the Cloud APM server. The root user must have read/write access to the directory.
  2. Change your current directory to the download location, e.g. 

    cd /tmp/IF16-patch
  3. Expand the archive file using the tar command e.g.

    tar -xf
  4. Check if the <install_dir>/ccm/fixes directory exists. If the directory exists then enter this command to get the list of Performance Management server interim fixes that are already installed:

    ls server*

  5. If the server- file or a later server*.xml file does not exist in the <install_dir>/ccm/fixes directory, enter the following command:

    <install_dir>/kafka/bin/ --zookeeper localhost:2181 --topic alarm.enriched.json --alter --config

    Note: the command displays this message if it is successful:

    WARNING: Altering topic configuration from this script has been deprecated and may be removed in future releases. Going forward, please use for this functionality Updated config for topic "alarm.enriched.json".

6. Run the script


7. If the server- file or later server*.xml file does not exist in the <install_dir>/ccm/fixes directory, wait a couple of minutes and then enter the following command:

    <install_dir>/kafka/bin/ --zookeeper localhost:2181 --topic alarm.enriched.json --alter --config
8. If this is the first server patch you are installing and if you are using mobile devices to access the Performance Management console and have existing applications defined, perform these steps:
  • Verify that the following directories exist

  • cd <install_dir>/wlp/usr/servers/apmui/apps/customCfg
  • Run the following command:

    ./ -u apmadmin -p apmpass -o 9443 -s -a g -f "<install_dir>/wlp/usr/servers/apmui/apps/customCfg/groupwidget-updates" --replace-groupwidget-template --ootb

    where you should replace:

          - apmpass with the password of the apmadmin user if the apmadmin user is using a non-default password

          - <install_dir> with the directory where the Performance Management server is installed
9. If you are using LDAP, edit <install_dir>/wlp/usr/shared/config/ldapRegistry.xml and remove the loginProperty line.
The sample loginProperty lines for Active Directory and Tivoli Directory Store are listed below.
  • Active Directory:
  • Tivoli Directory Service:


    Note: this step is needed so that the session lock function will work for your Performance Management console users.
10. If the vmware-app-support- file (from the or later server patch) does not exist in the <install_dir>/ccm/fixes directory and if VMWare agents are being used then perform these steps:

    apm stop apmui
    apm stop server1
    rm <install_dir>/wlp/usr/servers/apmui/apps/components.log
    apm start server1
    apm start apmui

If VMWare Virtual Infrastructure or ESX server components are already included in applications:
    - edit each application and delete the VMWare Virtual Infrastructure and ESX server components from the application
    - save the application
    - then edit the application a second time and add the VMWare Virtual Infrastructure and ESX server components back to the application.

Note: these steps are required so that the updated VMWare agent dashboard definitions are used for your existing applications.
11. If the Microsoft Exchange agent is already included in applications and the APM or patches were not already installed then
  • Edit each application that contains the Microsoft Exchange agent and delete the agent from the application
  • Save the application.
  • Then edit the application a second time and add the agent components back to the application.

Note: this step is required so that the updated agent dashboard definitions are used for your existing applications.
12. If you are using the Monitoring Agent for WebSphere Applications, perform the following steps to improve performance of your prefetch database
  • cd <install_dir>/ccm
  • Execute the following script
    ./ [ -h <install_dir> ] [ -server db_server_hostname] [ -pw instance_pw]

    • <install_dir> is the APM server home directory (e.g. /opt/ibm by default). If you are using the default APM server home directory then you can omit the -h option
    • db_server_hostname is the hostname of your DB2 server. If your DB2 server is local then you can omit the -server option
    • instance_pw is the password of your db2apm instance user. It must be specified. The default value is db2Usrpasswd@08
    • The script disables summarization of the Log_Analysis table in the prefetch database since that table is not used by the TCR reports for the Monitoring Agent for WebSphere Applications.  
13. If you are using WebSphere Applications monitoring agent then perform these steps to reduce the size of your WAREHOUS database. (This step removes summarized tables that are not used by any Performance Management components.) If you are using a remote Db2 server then perform the steps on the remote server; otherwise, perform the steps on the Performance Management server.

    su - db2apm
    db2 connect to warehous user db2apm using 

    db2 "UPDATE ITMUSER.WAREHOUSESUMPRUNE SET MONSUM = '-16823', WEEKSUM = '-16823', DAYSUM = '-16823', HOURSUM = '-16823', PMON = '-16838', PMONUNIT = '-16835', PWEEK = '-16838', PWEEKUNIT = '-16835', PDAY = '-16838', PDAYINT = 1, PDAYUNIT = '-16836', PHOUR = '-16838', PHOURUNIT = '-16835' WHERE TABNAME = 'KYNLOGANAL' "

    db2 drop table itmuser.\"Log_Analysis_D\"
    db2 drop view itmuser.\"Log_Analysis_DV\"

    db2 drop table itmuser.\"Log_Analysis_H\"
    db2 drop view itmuser.\"Log_Analysis_HV\"

    db2 drop table itmuser.\"Log_Analysis_M\"
    db2 drop view itmuser.\"Log_Analysis_MV\"

    db2 drop table itmuser.\"Log_Analysis_W\"
    db2 drop view itmuser.\"Log_Analysis_WV\"

14. After your Performance Management server has been running successfully for a few days with the latest interim fix, you can remove the <install_dir>/wlp-backup-05 directory to free up disk space.


  1. Because Performance Management services need to be stopped for the patch to be applied, you will be asked to confirm that you want to install the patch.
  2. When is complete, a summary is displayed showing the number of fixes that were installed, the number of fixes that were not installed because they have previously been installed, and the number of fixes that failed to install. If any fixes failed to install, more information can be found in the file apmpatch.log in the logs directory,
    e.g. /opt/ibm/ccm/logs/apmpatch.log .
  3. A record of each fix applied can be found in the <install_dir>/ccm/fixes directory, e.g. /opt/ibm/ccm/fixes . Do not modify this directory or its contents. It is needed if other fixes are applied in the future.

Uninstalling if necessary

Files modified by the interim fix are backed up during the installation. If you encounter an issue with the interim fix and need to back it out then contact IBM support for assistance.

For detailed instructions to uninstall the server, please refer to the IBM Performance Management Knowledge Center, here:

Troubleshooting installation problems from the Support site

For more detailed information, refer to the Troubleshooting and support Guide:  

Additional information

The Secure Hash Algorithm 1 (SHA1) checksum of the image is as follows:
SHA1( 1816211f1a4e7d8f4673cbb77bfbfaeda6c390be
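
One way to check the downloaded archive against the SHA1 value above before extracting it as root (added example, not part of IBM's readme). The archive path is passed as an argument because the file name is not shown on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not IBM code). EXPECTED_SHA1 is the value printed in this
# readme; the archive path is supplied by the operator.
EXPECTED_SHA1=1816211f1a4e7d8f4673cbb77bfbfaeda6c390be

# Print the lowercase SHA-1 digest of a file with whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print tolower($1)}'
    else
        # openssl prints "SHA1(file)= <hex>"; the digest is the last field
        openssl dgst -sha1 "$1" | awk '{print tolower($NF)}'
    fi
}

# Return 0 only if the file exists and its digest equals the expected value.
# A missing file, an empty digest or a mismatch all return 1.
verify_sha1() {
    file=$1
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ ! -f "$file" ]; then
        echo "not found: $file" >&2
        return 1
    fi
    got=$(sha1_of "$file")
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "SHA1 matches: $file"
        return 0
    fi
    echo "SHA1 mismatch for $file: expected $want, got $got" >&2
    return 1
}

# Run only when an archive path is given, e.g.: sh verify.sh /tmp/IF16-patch/<archive>.tar
if [ "$#" -ge 1 ]; then
    verify_sha1 "$1" "$EXPECTED_SHA1"
fi
```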

Image Contents 

The following files implement this fix:
- - This README file
- - For extracting patch files use the tar utility

Extracting the above bundle (.tar) creates the following directory and patch files:
|-- apmpatch_functions
|-- msg
|-- nls_replace
|-- patches

New Features


List of fixes

The following problems are addressed by this interim fix.



IBM Performance Management Server defects: 
  • 135447: Clickjacking vulnerability for the Advanced Configuration page 

  • 136453: Uplift Liberty to version for security fixes

  • 137194: Apply Liberty APAR PH07036 fix

  • 137356: Apply Liberty APAR PH03640 fix

  • 137408: Clickjacking vulnerability fix for apmui and itportal URIs

  • 137409: Clickjacking vulnerability for Threshold Manager UI and Resource Group Manager UI

  • 137411: Clickjacking fix for the Synthetic Script Manager UI

  • 137567: Apply fix for Open Liberty issue OLGH7614

  • 138387: Java cacerts keystore is not updated when an ibmjava patch is applied if there is a custom key.jks file for the server1 service

  • 138564: Clickjacking vulnerability fix for online help pages

  • 138695: Clickjacking fix for oidc process

  • 139137: Uplift to Java version for security fixes

  • 139745: script may not connect to the apmui service when LDAP is configured

Enhancements included from previous interim fixes: 


Superseded and/or included component patches from previous interim fixes: 
  • aixos-agent-appsupport- included from previous interim fixes
  • apmui- superseded by apmui-
  • backup-restore- superseded by backup-restore-
  • ccs- superseded by ccs-
  • data-layer-scripts- included from previous interim fixes
  • dbutils- included from previous interim fixes
  • geolocation- included from previous interim fixes
  • ibmjava- superseded by ibmjava-
  • itmcdp- included from previous interim fixes
  • itportal- superseded by itportal-
  • kafka- included from previous interim fixes
  • liberty- superseded by liberty-
  • min- superseded by min-
  • msexch-agent-appsupport- included from previous interim fixes
  • oauth2- included from previous interim fixes
  • oidc- superseded by oidc-
  • oslc- included from previous interim fixes
  • os-agent-config- included from previous interim fixes
  • rbac- included from previous interim fixes
  • rbac-ui- included from previous interim fixes
  • scr- included from previous interim fixes
  • spark- included from previous interim fixes
  • synthetics_script_manager- superseded by synthetics_script_manager-
  • vmware-app-support- included from previous interim fixes
  • windowsos-agent-appsupport- included from previous interim fixes
  • wrt- included from previous interim fixes

APARs and defects included in previous interim fixes: 
  • IJ04245: The wrong hostname is associated with an agent when agents have duplicate IP addresses
  • IJ04710: Partitions in the datamart DB are not created because the db2 instance user home path is hardcoded or if the delete partitions script performs a detach into the obsolete_data table when obsolete_data already exists
  • IJ04990: Data provider error may occur after installing the Cloud APM IF0011 server interim fix if custom UI root certificates do not have both of these properties: AuthorityKeyIdentifier and SubjectKeyIdentifier
  • IJ07289: Address Sweet32 vulnerability for the oslc service which listens on port 3661
  • IJ07374: Restrict Zookeeper to only listening for requests on localhost
  • IV85017: User sees an error when they click on a mailbox name in the Microsoft Exchange Database Copy Status group widget
  • IV85490: Users are not authorized to view applications if their username or group contains special characters such as { } &
  • IV85572: When traversing from the VMWare Datastore Name dashboard page to the Virtual Machine page, the following message is displayed -- failed to load page page_vmware_server_vm_details
  • IV85573: CCS component may not be initialized correctly when server1 starts up so Threshold Manager UI and Resource Group Manager UI cannot display data. Also CCS may not be able to create files needed for agent builder agents.
  • IV86254: Attribute Details page is not rendered correctly if you display the Attribute Details page for one agent and then select Attribute Details for another agent
  • IV86726: Agent builder agent app support or app support patches may not get processed
  • IV88694: Missing metrics and/or out of memory errors can occur if an agent is sending monitoring data (ASF) requests that are larger than 2M
  • IV90313: When an ITMv6 agent switches from one ITMv6 TEMS to another, the wrong events are being updated in the APM server event database and results in stale events in APM
  • IV90560: Datamart partitions are not created if DB2 password contains special characters
  • IV90845: Data cannot be displayed for applications that have a space in the application name and that display Synthetic transactions.
  • IV91051: Linux OS update for package filesystem-3.2-21.el7.x86_64.rpm fails installation with a transaction check error on the APM server
  • IV91578: Threshold definitions are not distributed to an APMv8 agent if the APMv8 agent replaces an ITMv6 agent that was monitoring the same resource and the ITMv6 agent's data was being sent to the APM server via the hybrid gateway
  • IV91718: APM server backup fails if the APM server is configured to use LDAP
  • IV92448: May see "data not available" in the UI for all dashboard widgets for an agent if the agent sends a message with invalid XML to the APM server
  • IV92955: Custom certificates are not backed up for disaster recovery or for an upgrade to the next APM release
  • IV94600: OMNIbus does not receive all events from the APM server if the connection to OMNIbus is timed out
  • IV94421: MIN process runs out of memory if several agents are sending data larger than the ASF message limit
  • IV95636: APM system performance is degraded when there are a large number of offline agents
  • IV96759: Resource group UI hangs and server1 CPU spikes when there are a large number of agents
  • IV95510: Cannot find OS agent in list of agents to distribute config to it when there are more than 1000 agents for the OS type
  • IV98544: Disable usage of the JVM Shared Class Cache for the APM Liberty processes so that they will not crash if the cache becomes corrupted
  • IV98547: Events status is stale in the APMUI intermittently
  • IV98890: Cannot add agents to applications when they connect to the APM server because of a delay in processing updates to the SCR DB
  • IV98921: User cannot access the Attribute Details page if their LDAP DN contains a comma
  • IJ00238: Prevent transaction log full condition for SCR database when processing the API tables
  • IJ00525: Attribute details tab is showing data for the wrong agent if it errors out before loading the requested data
  • IJ00816: User cannot access the Attribute Details page if their LDAP DN contains an apostrophe
  • IJ01251: Subnodes are offline after an agent is restarted when there is an error when the APM server asks for the list of the agent's subnodes
  • IJ01484: Event status may be stale on the APM UI Events tab
  • 98468: Change Synthetics Script Manager UI to use horizontal tabs
  • 98469: Update Status Overview page to maximize the width of the Aggregate Transaction Topology
  • 99166: The scroll bar for the "Users at Selected Location" widget is not usable if the Response Time agent found more than 32K active users in the last 4 hours for the selected location
  • 99515: Number of Kafka error files continue to grow
  • 99648: An ITMv6 or ITCAMv7 agent whose version number is unknown to ITM will be reported as offline in APMv8 and can also cause data to be discarded for other ITMv6 or ITCAMv7 agents connecting through the hybrid gateway
  • 99839: All data for a dataset is discarded for an ITMv6 or ITCAMv7 agent that is connecting through the hybrid gateway if one of the agent attributes does not conform to expected format (e.g. an empty string is provided for a required attribute)
  • 100009: Deadlock in server1 causes all agents to appear offline on the Performance Management console and the console eventually becomes unusable
  • 100014: No events are returned if the timespan option is specified with the Alarm Service API
  • 100216: Make the default Synthetic playback mode configurable in the Synthetic Script Manager UI
  • 100294: A remote API user may gain access to the Alarm API using the local smadmin administrator account credentials instead of using an LDAP authenticated user
  • 100733: Transaction instance topology hangs when you are using a mobile device (e.g. iPAD) with the Performance Management console
  • 100885: Session lock does not work on the Performance Management console when a LDAP server is used for authentication
  • 100840: The Application Performance Dashboard cannot be displayed if the user's browser is configured for the French locale
  • 100929: It can take 24 hours for UNIX or Windows OS agents to show up in the APMUI if the MIN server is not available when the agent first tries to send data to the server
  • 101079: Mobile device users see the Critical status for an application on the Performance Management console instead of the Warning status
  • 101132: The sort icon is not displayed correctly for mobile device users of the Performance Management console
  • 101158: Synthetic playback agent cannot process a URL with request parameters
  • 101218: For Performance Management on Cloud, user ids in mixed case or upper case cannot access console pages other than the Application Performance Dashboard
  • 101567: Support a new internal admin ID for Federal accounts on Performance Management on Cloud
  • 101865: OOM error occurs if the WAS agent sends a very large AAR request to the APM server
  • 101870: RBAC permissions are reset back to the default values if the XACML files get corrupted because server1 is not stopped cleanly
  • 102112: Application topology shows nodes that should not be displayed when topology calculator reports a different managed system name for a software server
  • 102188: AARs are discarded if one of the fields is larger than the corresponding DataMart DB column
  • 102189: AARs get processed over and over again because they are not being properly aged out of the Kafka logs when an AAR format error is detected
  • 102519: Update backup and restore to support Geolocation entries.
  • 102565: Unnecessary KYNLOGANAL summarization impacts system performance and summarization time
  • 102732: Cannot recreate an application if the application was renamed but the rename failed because user is assigned to multiple roles with different permissions for handling applications.
  • 102843: APMUI Attribute Details page updates to address accessibility gaps
  • 103126: Agents cannot be added to applications if the VMWare virtual machines have an OS type string that includes carriage return characters
  • 103233: AARs with dates far in the future are hanging up the DB2 connection since the APM server keeps retrying the whole batch.
  • 104364: Events are not forwarded to OMNIbus if they contain special characters such as [, ], {, }
  • 104395: Changes to prefetch summarization scripts
  • 104966: When an application is created using the Read button in the APMUI Application Composer, multiple RBAC permissions are created for the new application. This results in the RBAC Role Editor displaying applications that are not visible via the APMUI since the underlying response time applications are not visible by themselves.
  • 105794: No data in WAS agent log analysis widget when monitoring WAS v9
  • 106733: Events with embedded CDATA are processed over and over again by the Performance Management server. Also exceptions occur when resource monitoring data contains embedded CDATA.
  • 107247: Kafka file was not updated correctly in the Kafka patch
  • 108074: Pick up Liberty security patches
  • 108756: Tabs on the Status Overview page in APMUI are not always displayed
  • 108980: Pick up patches for TWL and CURI for APMUI and ITPortal components
  • 108981: Pick up patched version of CURI for CURI DP component
  • 108982: Pick up patched version of CURI for CCS component
  • 109544: Dashboard component threshold changes are not being saved
  • 109586: ITMV6 agent events are processed out of order so open events may not appear in the APMUI Events tab
  • 109876: Agent builder agents or agent patches with app support changes cannot upload their app support to the APM server if it is larger than 1MB
  • 111093: dbutils.jar file is installed incorrectly by the dbutils patch
  • 111750: Uplift to IBM Runtime Environment, Java Technology Edition Version 8 SR3 FP21
  • 112586: Fix security issue for Authentication Bypass Using HTTP Verb Tampering for the CentralConfigurationServer application
  • 112702: May see "data not available" in the UI for all agents if the prefetch code detects a parsing error
  • 114638: Event status may be stale on the APM UI after server1 has been restarted
  • 115617: RBAC exceptions occur if user has access to all groups but only has access to a subset of the applications
  • 116706: Synthetic Script Manager patch installation fails and then the Synthetic Script Manager UI is not available
  • 117035: EIF forwarder stops forwarding events if there are invalid characters in the event data
  • 118150: fails if the -force option is used because the Java bin path is unlinked
  • 118966: Uplift to IBM Runtime Environment, Java Technology Edition Version 8 SR4 FP5
  • 108478: Components that are not included in an application may appear in the application's aggregate transaction topology
  • 108848: server1 out of memory error may occur after many RBAC policy changes
  • 124131: RBAC policies reset to defaults rather than latest backup copy.
  • 124420: SCR threads may hang when the JDBC connection pool is exhausted
  • 126706: Support DB2 10.5 FP9
  • 128536: Uplift Liberty to version for security fixes
  • 128625: Blaze updates to work with Liberty
  • 128834: Restore fails when retrieving keyfiles from backup
  • 129078: Restore script needs to prompt for LDAP user password when the APM server is configured to use LDAP
  • 129463: Uplift Java to version for security fixes
  • 129603: My Transactions application is missing after restarting apmui
  • 129909: Instance component names are not displayed correctly in the APM UI
  • 130401: Apply Liberty APAR PI94351 for Missing Secure Attribute in Encrypted Session (SSL) Cookie oidcclient/redirect/rpoed
  • 131154: Apply Liberty APAR PI88642 for a security vulnerability
  • 130612: Response time agent event may not appear in the APM UI if the event fires before the agent has been added to an application
  • 130650: Change quiesce of local DB2 database to temporarily revoke the DBADM privilege
  • 130651: Certificate files in Liberty backup directories should not be included when running
  • 130811: Uplift GSKit to for the oslc service
  • 130818: Backup or restore may fail if there are no active database connections
  • 131592: Apply Liberty APAR PI94763 fix for security vulnerability in Apache Commons
  • 131595: Uplift Java to version for security vulnerability fixes
  • 133534: Uplift Java to version for security fixes
  • 133536: Configure Derby DB for the min service to only listen on localhost
  • 133865: Perform runstats for SCR database
  • 134093: APM 8.1.3 backups fail when using default UI certificate passwords and tmp directory option is not working
  • 134559: Cannot log into the APM UI after a restore if custom UI certificates are being used and the encrypted keystore password in the server.xml file contains a /
  • 134655: Uplift Java to version for security fixes
  • 134876: may retrieve the wrong password for the smadmin user
  • 135442: Apply Liberty APAR PH03418 fix 
  • 135448: Uplift Blaze to address reflected cross site scripting issue when OIDC is disabled
  • 135504: Liberty patch may back up the wlp files to the wrong directory
  • 135608: Uplift Java to version for security fixes
  • 137033: Prevent smadmin password from being logged

Document change history

Version Date Description of change
1.0 24 October 2019 Initial Version
