IBM Support

Readme for Cloud Pak for Automation 20.0.2 IF001

Fix Readme


Abstract

The following document is the documentation for IBM Cloud Pak for Automation 20.0.2 IF001.
Including download and installation information and the list of APARs that are resolved in this interim fix.

Content

Readme file for: IBM Cloud Pak® Automation
Product Release: 20.0.2
Update Name: 20.0.2 IF001
Fix ID: 20.0.2-WS-CP4A-IF001
Publication Date: 25 Sep 2020
Last modified date: 08 Oct 2020

Contents

Download location

Download 20.0.2-WS-CP4A-IF001 from Fix Central here.

Prerequisites

Components impacted

  • All containerized components.

Prior to installation

If you installed any of the Cloud Pak components on a Kubernetes cluster, you can update them with the 20.0.2 IF001 by using the updated operator and the relevant container interim fixes. Details like the image: tag of the interim fix image can be found in the pattern templates on GitHub.
To deploy this interim fix as an update to a 20.0.2 deployment, follow the instructions in the Installing section. If you want to use the interim fix as a part of a new deployment or you want to upgrade a release prior to 20.0.2, refer to IBM Knowledge Center. For more information, see IBM Cloud Pak for Automation 20.0.x.

Installing

Step 1: Get access to the interim fix container images
You can access the container images in the IBM image registry with your IBMid (Option 1), or you can download the images from Fix Central (Option 2).
Option 1: Create a pull secret for the IBM Cloud Entitled Registry
  1. Log in to MyIBM Container Software Library with the IBMid and password that is associated with the entitled software.
  2. In the Container software library tile, click "View library" and then click "Copy key" to copy the entitlement key to the clipboard.
  3. Log in to your Kubernetes cluster and set the context to the project/namespace for your existing deployment.
  4. Create a pull secret by running a kubectl create secret command.
    $ kubectl create secret docker-registry admin.registrykey --docker-server=cp.icr.io --docker-username=cp --docker-password="<API_KEY_GENERATED>" --docker-email=<USER_EMAIL>
    Note: The "cp.icr.io" value for the docker-server parameter is the only registry domain name that contains the images. Use "cp" for the docker-username. The docker-email must be a valid email address (associated to your IBM ID). Make sure you are copying the Entitlement Key in the docker-password field within double quotation marks.
  5. Take a note of the secret and the server values so that you can set them to the "pullSecrets" and "repository" parameters when you update the operator for your containers.
Option 2: Download the packages from Fix Central
  1. Download the images per the instructions in the Download location section, and make a note of the file names.
  2. Log in to your Kubernetes cluster and set the context to the project/namespace for your existing deployment.
  3. Check that you can run a Docker or Podman command.
    For OpenShift 3.11:
    $ docker ps
    For OpenShift 4.3+:
    $ podman ps
  4. Log in to the Docker registry with a token.
    For OpenShift 3.11:
    $ docker login $(oc registry info) -u <ADMINISTRATOR> -p $(oc whoami -t)
    You can also log in to an external Docker registry by using the following command:
    $ docker login <registry_url> -u <your_account>
    For OpenShift 4.3+:
    $ podman login $(oc registry info) -u <ADMINISTRATOR> -p $(oc whoami -t) –tls-verify=false
  5. Run a kubectl command to make sure that you have access to Kubernetes.
    $ kubectl cluster-info
  6. Change the permissions of the scripts/loadimages.sh script so that you can run it.
    $ cd scripts
    $ chmod +x loadimages.sh
  7. Run the loadimages.sh script to load the images into your image registry. The following example shows the input values in the command line.
    ./loadimages.sh -p <ARCHIVE> -r $(oc registry info)/<project-name>
    Where:
    -p  The archive files location or archive file name
    -r  Target image registry and namespace
  8. Check that the images are pushed correctly to the registry.
    $ oc get is
  9. If you want to use an external registry, create a registry secret:
    $ oc create secret docker-registry admin.registrykey --docker-server=<registry_url> --docker-username=<your_account> --docker-password=<your_password> --docker-email=<your_email>
    Take a note of the secret and the server values so that you can set them to the "pullSecrets" and "repository" parameters when you update the operator for your containers.
Step 2: Update the installed operator
  1. Log in to your Kubernetes cluster and set the context to the project for your existing deployment.
    $ oc login https://<CLUSTERIP>:<port> -u <ADMINISTRATOR>
  2. If the persistent volume (PV) for the operator is defined by a hostPath, provide group write permission according to the PV hostPath.path definition (/root/operator).
    $ chmod -R g=u /root/operator
    $ chmod g+rw /root/operator
    Note: If you are using dynamic provisioning, this step is not needed as the PV is created automatically as per the Storage Class definition.
  3. Remove the .OPERATOR_TYPE file in case it exists from a previous deployment.
    $ rm -f /<hostPath>/.OPERATOR_TYPE
    Where hostPath is the value in your PV (root/operator).
  4. Go to the downloaded cert-kubernetes.git for the IF001 interim fix.
  5. Upgrade the operator in your project by running the following command.
    $ ./scripts/upgradeOperator.sh -i <registry_url>/icp4a-operator:20.0.2-IF001 -p '<my_secret_name>' -a accept
    Where registry_url is the value for your internal registry or cp.icr.io/cp/cp4a for the IBM Cloud Entitled Registry. The my_secret_name is the secret that is created to access the registry, and accept means that you accept the license.
    Note: If you plan to use a non-admin user to install the operator, you must add the user to the "ibm-cp4a-operator" role.
    $ oc adm policy add-role-to-user ibm-cp4a-operator <user_name>
  6. Monitor the pod until it shows a STATUS of Running:
    $ oc get pods -w
    Note: When started, you can monitor the operator logs with the following command:
    $ oc logs -f deployment/ibm-cp4a-operator -c operator
Step 3: Update the custom resource YAML file for your deployment
Get the custom resource YAML file that you previously deployed (e.g., ../scripts/generated-cr/ibm_cp4a_cr_final.yaml) and edit it to update each component:
  1. Update the release and appVersion is 20.0.2.1.
  2. If you are using the enterprise CR YAML file for your existing deployment, then the Operator will deploy the updated 20.0.2.1 containers based on the value of appVersion updated above.
  3. If you are using the fully customizable CRs (e.g., ibm_cp4a_cr_enterprise_FC_content.yaml), then in the sections for each of the components that are included in your deployment, modify the component.image.tag configuration parameter to reflect the value for the new images. For example, to update the image for Content Platform Engine (CPE) use the following tag:
    cpe:
        image:
        ## The default repository is the IBM Entitled Registry.
        repository: cp.icr.io/cp/cp4a/fncm/cpe
        tag: ga-555-p8cpe-if002
    Tip: The values of the tags for a given interim fix can be found in the readme file that is provided with that interim fix. Verify that the secret named in the CR YAML file as the imagePullSecrets is valid. Note that the secret might be expired, in which case you must re-create the secret.
    Repeat this step for each component that you want to update.
Step 4: Apply the updated custom resource YAML file
  1. Check that all the components that you want to upgrade are configured with interim fix image tag values.
    $ cat ../scripts/generated-cr/ibm_cp4a_cr_final.yaml
  2. Update the configured components by applying the custom resource.
    $ kubectl apply -f ../scripts/generated-cr/ibm_cp4a_cr_final.yaml
Step 5: Verify the updated automation containers
The operator reconciliation loop might take several minutes. When all of the pods are Running, you can access the status of your containers by running the following commands:
$ oc status
$ oc get pods -w
$ oc logs <operatorPodName> -f -c operator
 

Performing the necessary tasks after installation

For more information, see IBM Cloud Pak for Automation 20.0.x.

Uninstalling

For more information, see IBM Cloud Pak for Automation 20.0.x.

List of Fixes

APARs are listed in tables, columns are defined as follow: 
Colunm title Column description
APAR The defect number
Title A short description of the defect
Sec. A mark indicates a defect related to security
Cont. A mark indicates a defect specific to the cloud pak integration of the component
B.I. A mark indicates the fix has a business impact. Details is found in the title column or the APAR document
General
APAR Title Sec. Cont. B.I.
JR62832
SECURITY FIXES :  CVE-2020-7656, CVE-2020-2830, CVE-2020-2781, CVE-2020-2800, CVE-2020-2757, CVE-2020-2756, CVE-2020-2755, CVE-2020-2754, CVE-2020-4516, CVE-2020-14583, CVE-2020-14593, CVE-2020-14621, CVE-2020-14556, CVE-2020-14581, CVE-2020-14579, CVE-2020-14578, CVE-2020-14577,  CVE-2019-17639, CVE-2020-4698, CVE-2020-8172, CVE-2020-8174, CVE-2020-11080, CVE-2020-4557
For details see:
 X
Cloud Pak for Automation Operator
APAR Title Sec. Cont. B.I.
JR62688 ALPINE CONTAINER IMAGE IS HARDCODED IN OPERATOR DEPLOYMENT PLAYBOOK X
JR62833 VARIOUS ISSUES WITH OPERATOR AND SCRIPTS X
APAR Title Sec. Cont. B.I.
N/A N/A

Back to top

Automation Decision Services
APAR Title Sec. Cont. B.I.
JR62812  ADS NOT WORKING WHEN USING AN EXTERNAL MONGODB WITH UNTRUSTED CERTIFICATE X
JR62821 VISUALISATION AND USAGE OF WATSON ML PREDICTIVE MODELS IN ADS DO ES NOT WORK X

Back to top

Automation Digital Worker
Title APAR Sec. Cont. B.I.
N/A N/A

Back to top

Automation Workstream Services
APAR Title Sec. Cont. B.I.
See Business Automation Workflow

Back to top

Business Automation Content Analyzer
APAR Title Sec. Cont. B.I.
JR62857 Some special characters in key class names break functionality X
JR62858 Missing completedPages in json response X
JR62859 Negative value of completedPages in json response X
JR62860 Some documents return segmentation error X
JR62861 For some deployments, API yaml URL on Swagger page is incorrect X
JR62862 Documents page polling prevents session from timing out X X
JR62863 Session cookie connect.sid doesn’t have httpOnly attribute X X
JR62864 Address all issues reported by Vulnerability Scans X X
JR62865 Update base images to include latest security fixes X X
JR62866 Celery log files not updating properly X
JR62867 Undeploy doesn't remove config map X
JR62868 Failed to deploy ACA enterprise pattern if Db2 is SSL enabled X X
JR62869 Parameters under `ca_configuration` should take precedence X

Back to top

Business Automation Insights
APAR Title Sec. Cont. B.I.
JR62381 AN AUTHENTICATION ERROR MIGHT OCCUR IN THE IBM WORKFLOW BPMN EMITTER WHEN SASL SCRAM IS USED
JR62651

AMBIGUOUS DOCUMENTATION OF KIBANA MULTITENANCY

 X
JR62611

IMPROVE DOCUMENTATION ON REQUIRED NETWORKING POLICIES

 X

Back to top

Business Automation Navigator
APAR Title Sec. Cont. B.I.
IO27833 DOCUMENT TITLE FIELD IF MADE REQUIRED IN AN ENTRY TEMPLATE, IS GRAYED OUT WHEN MULTIPLE FILES ARE SELECTED TO BE ADDED. X
IO27843 VIEWER WINDOW POSITION IS NOT CONSISTENT WHEN USING EXTERNAL MONITOR. X
IO27854 ADD DOCUMENT DOES NOT WORK CORRECTLY WHEN USING FILE TYPE FILTERS WITH ENTRY TEMPLATES. X
IO27857
NON-ENGLISH (I.E. EXTENDED) CHARACTERS IN DOCUMENT TITLE ARE GARBLED AFTER SAVING A DOCUMENT USING MICROSOFT OFFICE ONLINE.
 X
IO27866 PLUGIN REQUEST FILTER MAY NOT BE INVOKED IF GETREQUESTFILTERS() METHOD RETURNS NULL. X
IO27881 CHROME DISPLAYS VISIBLE HORIZONTAL SCROLLBAR ON THE "ADD DOCUMENT" FUNCTION. X
IO27923 DOWNLOAD OF TIFF FILES IN IBM CONTENT NAVIGATOR CONTAINER FAILS WITH CIWEB1059 ERROR. X
IO27924 WHEN OPENING MULTI-PART (MULTIPART) DOCUMENTS, A BLANK PAGE MAY BE DISPLAYED. X
IO27931 CREATING A LINK TO AN EXTERNAL DOCUMENT IMPROPERLY ENCODES THE URL. X
IO27939 ACCESS TO A DESKTOP FAILS WHEN MULTIPLE IBM CONTENT NAVIGATOR CONTAINER PODS ARE USED WITH SAML SINGLE SIGN-ON. X
IO27940 ROLES DEFINED IN THE DEFAULT INSTANCE SECURITY AT THE CLASS LEVEL ARE NOT BEING ADDED TO DOCUMENTS. X
IO27941 FOLDERS ARE NOT ALWAYS SORTED WHEN SORTING USING SORTABLE SYSTEM PROPERTIES THOUGH DOCUMENTS CAN ALWAYS BE SORTED USING THEM. X
IO27942 ONDEMAND HTML VIEWER CANNOT BE USED ON ORACLE WEBLOGIC APPLICATION SERVER. X
IO27943 WHEN USING CHROME BROWSER, HELP ICON OF PROPERTIES LIST IN AN ENTRY TEMPLATE IS NOT DISPLAYED IN CORRECT POSITION. X
IO27946 PERMANENT REDACTION MODE IS NOT AVAILABLE WHEN THE MIME TYPE CONTAINS PARAMETERS. X
IO27957 CHECKIN ACTION ON A DOCSIGN-SIGNED DOCUMENT FAILS TO BE COMPLETED. X
IO27958 NAVIGATING BETWEEN DOCUMENTS USING THE LEFT AND RIGHT ARROW KEYS DOES NOT WORK IN FILMSTRIP VIEW. X
IO27964 IBM DAEJA VIEWONE VIRTUAL VIEWER DISPLAYS A BLANK DOCUMENT WHEN THE LOCALE IS SET TO ARABIC OR HEBREW. X
IO27969 WORK ITEM REMAINS LOCKED AFTER CLOSING STEP PROCESSOR. X
IO27978 SELECTING AN ITEM TYPE IN THE CLASS FILTER DROP DOWN OF WORK FEATURE DISPLAYS DOCUMENT ATTRIBUTES FROM ITEM TYPE SUBSET. X
IO27960 UNABLE TO DO 'DOWNLOAD AS PDF' ACTION ON AN AFP FILE USING THE AFP2PDF VIEWER.
IO27963 INTERMITTENT ERROR WHEN LOADING A DEPENDENT PLUGIN IN THE BROWSER.
IO27987 CANNOT SORT RESULTS FROM AN ALL-CLASSES CM8 SEARCH THAT RETURNS MORE THAN 200 ITEMS.
IO27991 WHEN USING INTERNET EXPLORER, SHAKING OCCURS WHEN CLICKING ON A FOLDER HAVING A LONG NAME.
IO27992 UNABLE TO EXPORT MORE THEN 1800 SEARCH RESULTSH.
IO27995 ONDEMAND HTML VIEWER LAUNCHES FROM ONLY ONE LOAD BALANCER URL, WHEN MULTIPLE LOAD BALANCERS ARE USED.
IO28007 READ-ONLY USERS GET AN ERROR MESSAGE WHEN VIEWING A DOCUMENT.
IO28009 ALL THE COLUMNS ARE JUMBLED TOGETHER WHEN EXPORTING AN MICROSOFT EXCEL FILE AS PDF.
IO28013 EDIT SERVICE ASKS FOR CREDENTIALS AND ALSO CRASHES WHEN OPENING A DOCUMENT.
IO28016 EDIT SERVICE CLIENT FAILS TO LAUNCH IN IE BROWSER AFTER ENABLING CUSTOM URL IN ADMINISTRATION DESKTOP.
IO28019 TEXT ANNOTATIONS MIGRATED FROM IBM CONTENT MANAGER (CM8) DO NOT DISPLAY ACCURATELY IN DAEJA VIEWONE VIRTUAL VIEWER.

Back to top

Business Automation Studio
APAR Title Sec. Cont. B.I.
JR62563 DECIMAL FIELD IS EMPTIED IF A VALUE WITH DECIMALS IS ENTERED AND THE LANGUAGE USES A COMMA SEPARATOR INSTEAD OF A DECIMAL
JR62578 WEB IBM PROCESS DESIGNER ALLOWS ONLY UP TO 64 CHARACTERS IN THE ENVIRONMENT VARIABLE DEFAULT VALUE FIELD X

Back to top

Business Automation Workflow
APAR Title Sec. Cont. B.I.
JR62327 SECURITY APAR CVE-2020-4516 - SECURITY VULNERABILITY IN MANAGED ASSET API X
JR62354 SECURITY APAR - MULTIPLE VULNERABILITIES IN JQUERY MIGHT AFFECT DEPRECATED PORTAL X
JR62436 SECURITY APAR - CVE-2020-4557 - STORED XSS (A3 - CROSS-SITE SCRIPTING) X
JR62656 SECURITY APAR - CVE-2020-4698 - CROSS-SITE SCRIPTING VULNERABILITY AFFECTS THE PRCOESS INSTANCE DETAIL PAGE X
JR62388 A CASE SOLUTION CREATED FROM A BASE TEMPLATE HAS UNRESOLVED TASK IMPLEMENTATIONS IN PROCESSES
JR62410 THE "ORG.APACHE.CXF.*=ALL:COM.IBM.WS.JAXWS.*=ALL" LIBERTY JAX-WS TRACE STRING DOESN'T WORK AS EXPECTED
JR62413 WEB PROCESS INSPECTOR MIGHT CAUSE UNINTENTIONAL ACTIONS ON INSTANCES WHEN "SELECT ALL INSTANCES" OPTION IS SELECTED
JR62453 RESPONSIVE DOCUMENT LIST VIEW CAN'T RETRIEVE DOCUMENTS WHEN "ASSOCIATE WITH PROCESS INSTANCE" IS SELECTED
JR62480 YOU RECEIVE A CLASSNOTFOUNDEXCEPTION
JR62497 YOU MIGHT SEE AN AUTHENTICATION ERROR IN THE IBM WORKFLOW CASE EVENT EMITTER WHEN USING SASL SCRAM IS USED
JR62563 DECIMAL FIELD IS EMPTIED IF A VALUE WITH DECIMALS IS ENTERED AND THE LANGUAGE USES A COMMA SEPARATOR INSTEAD OF A DECIMAL
JR62564 YOU CAN'T USE THE MAIL SESSION CONFIGURED IN IBM WEBSPHERE APPLICATION SERVER

Back to top

Enterprise Records
APAR Title Sec. Cont. B.I.
DOCUMENT TITLE FIELD IF MADE REQUIRED IN AN ENTRY TEMPLATE, IS GRAYED OUT WHEN MULTIPLE FILES ARE SELECTED TO BE ADDED.
 X

Back to top

FileNet Content Manager
APAR Title Sec. Cont. B.I.
PJ46194 CONTENT_CA_SKIP_FAILED ERROR OCCURS WHEN RETRIEVING FILES GREATER THAN 1 MB FROM AN ICOS DEVICE USING WSI. X
PJ46203 WEBSPHERE LTPA SSO FAILS FROM TRADITIONAL WEBSPHERE APPLICATION SERVER (TWAS) CONTENT PLATFORM ENGINE (CPE) CLIENT TO CPE SERVER ON LIBERTY. X
PJ46206 A FILE HANDLE AND MEMORY LEAK OCCURS WHEN USING PROCESS ENGINE (PE) CUSTOM COMPONENT QUEUES IN APACHE AXIX2. X
PJ46165 CENTRA FCP FPPOOL CLOSE CAUSE CRASH IN CUSTOMER ENVIRONMENT. X X
PJ46176 ADMINISTRATION CONSOLE FOR CONTENT PLATFORM ENGINE (ACCE) SHOWS WRONG QUEUE SWEEP ITEMS. X X
USER UNABLE TO LOG INTO PROCESS ENGINE (PE) VWTOOL WHERE A PRINCIPAL ANONYMOUS ERROR IS RETURNED. X
PJ46211 ADMINISTRATION CONSOLE FOR CONTENT PLATFORM ENGINE (ACCE) LEGACY WORKFLOW SYSTEM'S ADAPTER'S CONFIGURE USER INTERFACE (UI) MAY DISPLAY INCORRECT OBJECT STORE. X X
PJ46219 S3 STORAGE CONFIGURATION PARAMETERS ARE DEFINED AS STATIC, MIGHT CAUSE ISSUES IN CERTAIN SITUATIONS. X
PJ46228 E_BAD_PARAMETER EXCEPTION CAUSED BY INVALID BINARY ID IN CONTENT SEARCH SERVICES (CSS) SEARCH RESULT SET. X
PJ46232 PROCESS ENGINE (PE) WEB SERVICES (PEWS) CLIENT AUTHENTICATION ISSUE WHEN USING BEARER TOKEN INSTEAD OF USERNAME - METHOD DOES NOT EXIST WSIAUTHENTICATOR ERROR. X X
PJ46246 CONTENT ENGINE (CE) THUMBNAIL IBMFNTHB PROCESSES CAN BE ORPHANED (NOT TERMINATED) DURING CPE SHUTDOWN. X
PJ46249 ADMINISTRATION CONSOLE FOR CONTENT PLATFORM ENGINE (ACCE) DOCUMENT NAME WITH CHINESE/ARABIC CHARACTERS GETS CORRUPTED WHEN DOWNLOAD DOCUMENT NAME. X
PJ46287 OPTION TO RETRY CONTENT SEARCH SERVICES (CSS) CONTENT-BASED RETRIEVAL QUERY IQQQ0020E JAVA.IO.EOFEXCEPTION ERROR FOR CSS SERVER SOCKET TIMEOUT. X
PJ46214 CONTENT SEARCH SERVICES (CSS) TEXT EXTRACTOR: OIT INSUFFICIENT MEMORY ERROR (30) RETURNED FOR LARGE PDF DOCUMENTS. X
PJ46228 CONTENT SEARCH SERVICES (CSS) CHECKCSSINDEX TOOL: ID NOT FOUND ERROR OCCURS DURING EDM PROCESSING OF RESULTS. X

Back to top

Operational Decision Management
APAR Title Sec. Cont. B.I.
JR62740

NO DOCUMENTATION ON HOW TO AUTOMATICALLY CREATE ODM ROUTES WITH OPERATOR

 X
JR62807 DECISIONS PATTERN: UNABLE TO SPECIFY KAFKA CONFIGURATION WHICH DOESN'T HAVE A SERVER CERTIFICATE X
JR62808 IMPROVE RUNTIME PERFORMANCE WHEN USING UMS. BASIC AUTH IS SUPPORTED IN ADDITION TO OPENID X
JR62809 ODM DEPLOYMENT ON ROKS FAILS DUE TO DENY ALL NETWORK POLICY X
JR62810 HIDE CREDENTIALS FROM OPERATOR LOG X X
JR62811  [ODM] LDAPS CERTIFICATE SHOULD BE IMPORTED ALSO WHEN USING UMS X
JR62821 VISUALIZATION AND USAGE OF WATSON ML PREDICTIVE MODELS IN ADS DOES NOT WORK X
RS03638

REST API USING JSON SERIALIZE NULL VALUES IN RESPONSE WHEN FIELDS ARE DECORATED WITH @XMLELEMENT ANNOTATION

Back to top

User Management Service
APAR Title Sec. Cont. B.I.
JR62744 UMS ROUTES ARE REMOVED FROM OTHER ENVIRONMENTS IN ADDITION TO OCP X

Back to top

Document change history

  • 25 Sep 2020: first publish.
  • 29 Sep 2020: Include reference to security bulletin and CVE numbers in APAR JR62832.
  • 5 Oct 2020:  Add additional APARs into BAW, BAS and BAI tables.
  • 8 Oct 2020:  Precisions about PV permissions in Installation step 2 

    • [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS2JQC","label":"IBM Cloud Pak for Automation"},"ARM Category":[{"code":"a8m0z0000001gWWAAY","label":"CloudPak4Automation Platform"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"20.0.2"}]

    Document Information

    Modified date:
    08 October 2020

    UID

    ibm16333583

    Page Feedback