IBM Support

IBM Netcool System Service Monitor SSM 4.0 Fix Pack 1 README Netcool/System Service Monitor 4.0.1 4.0.1-TIV-SSM-FP0001 Readme

Fix Readme




Readme file for: 4.0.1-TIV-SSM-FP0001
Product/Component Release: 4.0.1
Update Name: 4.0.1-TIV-SSM-FP0001
Fix ID: 4.0.1-TIV-SSM-AIX-PPC-FP0001, 4.0.1-TIV-SSM-HPUX-IA64-FP0001, 4.0.1-TIV-SSM-LINUX-PPC-FP0001, 4.0.1-TIV-SSM-LINUX-X86-FP0001, 4.0.1-TIV-SSM-LINUX-X86_64-FP0001, 4.0.1-TIV-SSM-SOLARIS-SPARC-FP0001, 4.0.1-TIV-SSM-SOLARIS-X86-FP0001, 4.0.1-TIV-SSM-WIN32-X86-FP0001, 4.0.1-TIV-SSM-MULTIPLATFORM-FP0001-DSCFiles
Publication Date: 17 Jun 2013
Last modified date: 17 Jun 2013

Download location

To download this update you must first login to IBM FixCentral. Once logged in, you may select from the individual download packages.

Below is a list of components, platforms, and file names that apply to this Readme file.

Fix Download for AIX

Product/Component Name: Platform: Fix:
Netcool/System Service Monitor AIX
Netcool/System Service Monitor AIX

Fix Download for HPUX

Product/Component Name: Platform: Fix:
Netcool/System Service Monitor HPUX 64-bit, IA64
Netcool/System Service Monitor HPUX 64-bit, IA64

Fix Download for Linux

Product/Component Name: Platform: Fix:
Netcool/System Service Monitor Linux pSeries
Netcool/System Service Monitor Linux 32-bit,x86
Linux 64-bit,x86_64
Netcool/System Service Monitor Linux 64-bit,x86_64
Netcool/System Service Monitor Linux pSeries
Linux 32-bit,x86
Linux 64-bit,x86_64

Fix Download for Solaris

Product/Component Name: Platform: Fix:
Netcool/System Service Monitor Solaris 32-bit,SPARC
Netcool/System Service Monitor Solaris 64-bit,x86
Netcool/System Service Monitor Solaris 32-bit,SPARC
Solaris 64-bit,x86

Fix Download for Windows

Product/Component Name: Platform: Fix:
Netcool/System Service Monitor Windows
Netcool/System Service Monitor Windows

Prerequisites and co-requisites

Known issues

Non APAR Defect alm00295041 - Can't remote install ssm with V3 Configurations

Problem Description
Remote install fails on all platforms using V3 Configurations with the following error:
KDY3209E: Failed to add v3 user itmkdyuser Could not add the new SNMP v3 user via a remote connection

Non APAR Defect alm00295075 - Can't remote uninstall ssm on windows

Problem Description
Remote uninstall fails on Windows platforms with the following error:
KDY3501E: Could not find the uninstall key with the command regedit /E uninst.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{EFDE76FA-B83A-4608-AFF0-37829C7F5186}. Could not find the required uninstall key.

Non APAR Defect alm00295526 - The transaction.oid file is missing in the oid directory

Problem Description
Trying to load the transaction subagent shows the following warning because the transaction.oid file is missing from the oid subdirectory:
Could not open script file "oid/transaction.oid"

SSM crashes on AIX

Problem Description
Note that users of SSM 4.0 on AIX 5.3 or 6.1 may encounter a crash in gethostbyname(). This is a known AIX operating system bug (APAR IZ37768) with workaround and patches available from the IBM web site:

SSM cores on HPUX

Problem Description
Note that users of SSM 4.0 on HPUX may encounter core files in the SSM if the installation directory where SSM is installed is copied whilst the SSM is starting.

Known limitations


Installation information

Prior to installation

Although the SSM patch installer will verify its integrity before proceeding, you may verify the integrity of the patch installer without actually installing the patch by using the -t (test) option:

UNIX/Linux: ./ -t
Windows: ssm401-fixpack1-win32-x86.exe -t

Also note that on some platforms installation may fail if you have any SSM-related programs running. Make sure that you have closed all instances of the SSM console and the MIB Explorer (Windows) prior to installing the patch. The patch installer will stop and restart the ssmagent process automatically.


SSM patches are self-extracting interactive programs that will guide you through the installation process. You need only execute the installer (for your operating system) and follow the prompts:

UNIX/Linux: ./
Windows: ssm401-fixpack1-win32-x86.exe
Silent installation is achieved by adding the word silent as a parameter to the end of the above command.

Further details about advanced patch installation can be found in the Patch Installation Guide:

Performing the necessary tasks after installation


Troubleshooting installation problems from the Support site

Uninstalling if necessary

On Windows, Fix Pack 1 may be uninstalled via Control Panel - Add or Remove Programs. Make sure you check the "Show updates" box for SSM patches to appear in the list. Also ensure that the SSM console and MIB Explorer are not running prior to uninstallation (so that previous file versions may be restored correctly), otherwise the removal process will fail.

On all platforms Fix Pack 1 may also be uninstalled using the "patchman" tool which can be found in the SSM bin directory:

patchman -r "Fixpack 1"

Additional information

Security Bulletins

SSM 4.0.1 FP1 contains fixes to the following 3 Security Bulletins:

- IBM Tivoli Netcool System Service Monitors/Application Service Monitors Local Configuration file Buffer Overflow (CVE-2013-0508)
- IBM Tivoli Netcool System Service Monitors/Application Service Monitors Transaction MIB Remote Buffer Overflow due to malformed database table names (CVE-2013-0509)
- IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by multiple OpenSSL vulnerabilities

Netcool/SSM V4.0.1 FP1 is a security update focused on reducing security risks in the default configuration.

Some functionality has changed, and some subagents must now be activated using additional configuration in the agent init.cfg and agent.cfg files. Below is a list of affected components and any extra configuration required to enable previous functionality. If you do not currently use an affected component, leave it in its default, disabled state.

Updated subagents

RMON ProbeConfig Group

Support for the probeDownloadFile, probleDownloadTFTPServer, probeDownloadAction, and probleDownloadStatus objects has been removed. If download functionality is required, configure and use the File Transfer subagent.


The haSubagentTable will load subagents only from the agent bin directory.


The agentInivarTable is now read-only. It is not possible to set or change INIVARs via SNMP.

Crontab subagent

Process execution from the Crontab subagent is now disabled by default. If you specify a value in the crontabControlExecutionCommand and have not enabled process execution, the row cannot be made active. To enable process execution, add the INIVAR CrontabProcessExecute to init.cfg and set it to true. For example:


If you do not enable the INIVAR before configuring the Crontab subagent, the following error message is displayed in the agent log file:

Crontab Execution Command has been disabled. To enable it, set CrontabProcessExecute=on in init.cfg

Process subagent

Three objects in the Process sub-agent have been updated

- psRunningState object in the psRunningTable is now read-only. You can no longer kill processes using this table or set them in a suspended state.

- psExecute and psControlActionCommand objects have been disabled unless the ProcessProcessExecute INIVAR exists and is set to true. If this INIVAR does not exist, or it is set to false, the psExecute object does not work, an SNMP error is returned and an error similar to the following example is displayed in the agent log file.

[PROCESS] Attempt to execute process with out INIVAR "ProcessProcessExecute" being enabled. Command "c:\windows\notepad.exe" will not be executed

If the required INIVAR is not enabled in the psControlActionCommand object, the control row cannot enter an active state. It will either stay notReady, or not be created if it is set up using a script. An error similar to the following example is displayed in the agent log.

[PROCESS] Attempt to set psControlActionCommand to "c:\windows\notepad.exe" without the INIVAR "ProcessProcessExecute" being enabled.

Programmable subagent

The Programmable subagent is now disabled by default. To load the subagent, set the ProgrammableAllowLoad INIVAR to true. Add the subagent load programmable command to the agent.cfg file in the Netcool/SSM config directory. If the INIVAR is not defined and set to true, the subagent does not load and the following error message is displayed in the agent log:

Programmable loading has been disabled. To enable it, set ProgrammableAllowLoad=true in init.cfg

Filetransfer subagent

The Filetransfer subagent has had several updates:

- The Filetransfer subagent does not load unless the FiletransferAllowLoad

INIVAR is set and enabled. Add the subagent load filetransfer command to the agent.cfg file in the Netcool/SSM config directory. If you try to load the subagent without first enabling the INIVAR, the following error message is displayed in the agent log:

File Transfer loading has been disabled. To enable it set FiletransferAllowLoad=true in init.cfg

- The data option in the ftFileBase object has been deprecated. You can no longer specify an arbitrary destination directory to download to.

- A new file transfer host list function enables you to create a list of allowed download hosts. There are three new console commands: fthost add , fthost list , and fthost remove .

Tip: The fthost settings are not saved when the agent is shutdown. To preserve the download list, place these commands in a separate configuration file that is executed at startup.

The syntax of these commands is as shown below:

fthost add address [mask]
fthost remove address [mask]
fthost list

where address is required and is the download server address of the host to be included. You can also specify an address range by combining the address and mask attributes. For example:

fthost add

Adds the machine to the download list.

fthost add

Adds all addresses that start with 10.1.4 to the download list.

fthost list
------- ----

Lists the current download list.

fthost remove

Removes the entry from the list.

fthost remove

Removes the entry from the list.

If a download is attempted from a server that is not in the download list, an error similar to the following is displayed in the agent log file:

[FILETRANSFER] The specified host "" is not in the allowed hosts list. The download will be failed

Note: If the fthost download list is empty, the Filetransfer subagent will be allowed to download from any server.

Oracle ASM

The Oracle ASM no longer attempts to automatically detect the location of the OCI libraries on the system, but rather requires the location to be provided to the ASM by explicitly setting the OCILibPath INIVAR to the location of the OCI Libraries. The value of this INIVAR should be the absolute path to the OCI Libraries on the system. If the OCILibPath INIVAR is not set, an error is displayed in the agent log file. For example:

[ORACLE] Inivar OCILibPath is not set unable to load Oracle Client Libraries

NTSCM subagent

The ntServicetable is now read only and you can no longer alter the service state or configuration using the ntServiceTableStartType and ntServiceTableControl objects. To change the service state of the ntServiceControlTable, define the NTServiceAllowConfig INIVAR and set it to true.

NTSCM displays the following error messages when trying to configure the ControlTable

NtService Configuration has been disabled. To enable it, set NTServiceAllowConfig=true in init.cfg

Arithmetic subagent

The ability to write strings to files on disk using the -> and ->> operators has been disabled by default. To reinstate this functionality:

1. Create the ArithmeticFileWrite INIVAR and set it to true.

2. Assign a path to the ArithmeticFileWritePath INIVAR. Only files that reside in this path may be written to. Separate multiple directories by the platform specific path separator, a colon (:) for UNIX systems, or a semicolon (;) for Windows systems.

The Arithmetic subagent displays the following error messages if the inivars are absent and trying to use -> and ->> operators:

Arithmetic File Writing has been disabled. To enable it, set ArithmeticFileWrite=on in init.cfg
Arithmetic File Writing has been disabled. To enable it, set ArithmeticFileWritePath to the list of allowable paths in init.cfg

Transaction subagent

If you have upgraded from SSM 4.0.1 to SSM 4.0.1 FP1, the Transaction subagent does not load by default. If you require this subagent, add the following load command to the agent.cfg file:

subagent load transaction

Red Hat Installation requirements

SSM 4.0.1 requires the libstdc++-32-3.2.3 compat libraries and the libstdc++ runtimes to execute on Red Hat Linux 6.x. On 64bit Red Hat systems you may have to install the 64 bit versions of these libraries as well.


The SHA1 Checksum of the images are as follows:
SHA1( 57d3abb8cf5b6836cd9e0ba9f3375c15e5519bc4
SHA1( 4253455f3f266cac38d3095dacdbbdaf606a5cd6
SHA1( 6df3c2ff757053804f15b4798cef3154a8bb5178
SHA1( 8a487d6e7915ee7b54c82311ad929c1fdb82336e
SHA1( 11b9162b98dcff2de819b7b91cb033183ada9c4e
SHA1( 11e9f564a3246877ce55fd45594241dd69030b1a
SHA1( ac81995f31fdd78d86d9a5ec90d9f103a518417a
SHA1( 60d0b38906ba5ccf081520429da25a7233902050
SHA1(ssm401-fixpack1-win32-x86.exe)= ebd3fa522817daa7a9eca2d6a29880dd1282a56a

List of fixes

Task ID APAR Fixed in Release Description
alm00293410 FP1 Limit ability of ntServices sub-agent to control and alter windows services.
alm00293392 FP1 Secure File Transfer sub-agent
alm00293378 FP1 Secure Process sub-agent Process execution and control.
alm00293426 FP1 Limit ability of the arithmetic sub-agent to write to files.
alm00293349 FP1 Remedy RMON Probe Config Security Issues.
alm00293357 FP1 Make haSubagentTable only load libraries from the Agent Bin Directory.
alm00293364 FP1 Make AgentIniVar table Read Only
alm00293417 FP1 MIB2 ifTable should not be able to control interface status.
alm00293319 FP1 AppScan Remediate transaction/decode snprint errors
alm00293371 FP1 Secure process execution from Crontab sub-agent.
alm00293385 FP1 Stop programmable Loading by default.
alm00293399 FP1 Limit Oracle Wrapper libraries to loading OCI libraries from Specified Directory
alm00293248 FP1 BufferOverflow.FormatString Vulnerabilities need to be resolved.
alm00293158 FP1 AppScan SetSecurityDescriptorDacl Calls Should specify a ACL
alm00293272 FP1 AppScan BufferOverflow in Memcpy Calls
alm00292456 FP1 Make LoadLibrary calls on windows not use a path lookup.
alm00292348 IV38114 FP1 Upgrade to OpenSSL 1.0.1e
alm00291996 FP1 TransactionEnumTable is writeable. Make it read only.
alm00291523 IV38113 FP1 Buffer Overflow in hive library can crash the agent.
alm00291971 IV38112 FP1 Transaction Sub-Agent Oracle decoder can crash when it encounters a Malformed Packet

Document change history

Version Date Description of change
0.1 29 May 2013 Pending Release
1.0 31 May 2013 Initial Release
1.1 17 June 2013 Added Security Bulletin Links

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSGNTH","label":"Netcool\/System Service Monitor"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
17 June 2013