Fix Readme
Abstract
This document is the documentation for IBM Cloud Pak for Automation 20.0.3 IF002, including download and installation information and the list of APARs that are resolved in this interim fix.
Content
| Readme file for: | IBM Cloud Pak® Automation |
|---|---|
| Product Release: | 20.0.3 |
| Update Name: | 20.0.3 IF002 |
| Fix ID: | 20.0.3-WS-CP4A-IF002 |
| Publication Date: | 04 Feb 2021 |
| Last modified date: | 01 Mar 2021 |
Contents
Download location
Prerequisites
Components impacted
Prior to installation
Installing
Performing the necessary tasks after installation
Uninstalling
List of fixes
Known Limitations
Document change history
Download location
Download 20.0.3-WS-CP4A-IF002 from Fix Central.
Prerequisites
- Download the interim fix GitHub repository to your local machine: https://github.com/icp4a/cert-kubernetes/archive/20.0.3.2.tar.gz
- Change directory to the "cert-kubernetes" folder.
Components impacted
- Cloud Pak for Automation Operator
- Business Automation Application
- Automation Document Processing
- Business Automation Insights
- Business Automation Studio
- Business Automation Workflow
- FileNet Content Manager
- Operational Decision Management
- User Management Service
Prior to installation
If you installed any of the Cloud Pak components on a Kubernetes cluster, you can update them with the 20.0.3 IF002 by using the updated operator and the relevant container interim fixes. Details like the image: tag of the interim fix image can be found in the pattern templates on GitHub.
To deploy this interim fix as an update to a 20.0.3 deployment, follow the instructions in the Installing section. If you want to use the interim fix as a part of a new deployment or you want to upgrade a release prior to 20.0.3, refer to IBM Knowledge Center. For more information, see IBM Cloud Pak for Automation 20.0.x.
Installing
Step 1: Get access to the interim fix container images
You can access the container images in the IBM image registry with your IBMid (Option 1), or you can download the images from Fix Central (Option 2).
Option 1: Create a pull secret for the IBM Cloud Entitled Registry
- Log in to MyIBM Container Software Library with the IBMid and password that is associated with the entitled software.
- In the Container software library tile, click "View library" and then click "Copy key" to copy the entitlement key to the clipboard.
- Log in to your Kubernetes cluster and set the context to the project/namespace for your existing deployment.
- Create a pull secret by running a kubectl create secret command.
$ kubectl create secret docker-registry admin.registrykey --docker-server=cp.icr.io --docker-username=cp --docker-password="<API_KEY_GENERATED>" --docker-email=<USER_EMAIL>
Note: The "cp.icr.io" value for the docker-server parameter is the only registry domain name that contains the images. Use "cp" for the docker-username. The docker-email must be a valid email address (associated to your IBM ID). Make sure you are copying the Entitlement Key in the docker-password field within double quotation marks.
- Take a note of the secret and the server values so that you can set them to the "pullSecrets" and "repository" parameters when you update the operator for your containers.
Option 2: Download the packages from Fix Central
Note: If you connect remotely to the cluster from a Linux host/VM, then you must have Docker or Podman and the OpenShift command line interface (CLI) installed on OCP. If you have access to the master node on the OCP cluster, they are already installed. You can install Podman by running the following command.
$ yum -y install podman
For more information about the client-side tools you might need, see Preparing to install enterprise containers.
- Download the images per the instructions in the Download location section, and make a note of the file names.
- Log in to your Kubernetes cluster and set the context to the project/namespace for your existing deployment.
$ oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>
$ oc project <existing deployment namespace>
- When you have all of the files for the images that you want to install, run the following commands to get your access token and to make sure you can use Kubectl.
$ oc whoami -t
$ kubectl cluster-info
- Check that you can run a Podman command.
$ podman ps -a
- Get the registry route.
$ oc registry info --public
If the command has no output or the output is an internal service URL, it means that the route is not enabled. To enable the registry route on the cluster run the following command.
$ oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
For more information about exposing routes on OCP 4.6, see Exposing the registry. Use the OCP version menu to find your specific version in the OpenShift documentation.
- Log in to the image registry by using the registry route that returns from the "oc registry info --public" command.
$ podman login $(oc registry info --public) -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false
Note: If you are logged in to the cluster as "kubeadmin", the "oc whoami" command returns "kube:admin", which does not work. You must use "kubeadmin" as the login user.
$ podman login $(oc registry info --public) -u kubeadmin -p $(oc whoami -t) --tls-verify=false
- Change the permissions of the scripts/loadimages.sh script so that you can run it.
$ cd scripts
$ chmod +x loadimages.sh
- Run the loadimages.sh script to load the images into your image registry. The following example shows the input values in the command line.
$ ./loadimages.sh -p <ARCHIVE> -r $(oc registry info --public)/<project-name>
Where:
-p The archive files location or archive file name
-r Target image registry and namespace
Note: The <project-name> variable is the name of your existing deployment. Take a note of the image registry route so that you can enter it in the upgrade script. If you want to load the images into another project that can be referenced across namespaces, then you must allow pods to reference images from that project. For example, to allow any service account in a project that is named cp4a-project to reference images in another project named cp4a-images-project, use the oc policy add-role-to-group parameter.
$ oc policy add-role-to-group \
    system:image-puller system:serviceaccounts:cp4a-project \
    --namespace=cp4a-images-project
For more information, see Allowing pods to reference images across projects.
- Check that the images are pushed correctly to the registry.
$ oc get is
- If you want to use an external registry, create a registry secret:
$ oc create secret docker-registry admin.registrykey --docker-server=<registry_url> --docker-username=<your_account> --docker-password=<your_password> --docker-email=<your_email>
Take a note of the secret and the server values so that you can set them to the "pullSecrets" and "repository" parameters when you update the operator for your containers.
Step 2: Update the installed operator
- Log in to your Kubernetes cluster and set the context to the project for your existing deployment.
$ oc login https://<CLUSTERIP>:<port> -u <ADMINISTRATOR>
- If the persistent volume (PV) for the operator is defined by a hostPath, provide group write permission according to the PV hostPath.path definition (/root/operator).
$ chmod -R g=u /root/operator
$ chmod g+rw /root/operator
Note: If you are using dynamic provisioning, this step is not needed as the PV is created automatically as per the Storage Class definition.
- Remove the .OPERATOR_TYPE file in case it exists from a previous deployment.
$ rm -f /<hostPath>/.OPERATOR_TYPE
Where hostPath is the value in your PV (root/operator).
- Go to the downloaded cert-kubernetes folder for the IF002 interim fix.
- Upgrade the operator in your project by running the following command.
$ ./scripts/upgradeOperator.sh -i <registry_url>/icp4a-operator:20.0.3-IF002 -p '<my_secret_name>' -a accept
Where registry_url is the value for your internal registry or cp.icr.io/cp/cp4a for the IBM Cloud Entitled Registry. The my_secret_name is the secret that is created to access the registry, and accept means that you accept the license.
Note: If you plan to use a non-admin user to install the operator, you must add the user to the "ibm-cp4a-operator" role.
$ oc adm policy add-role-to-user ibm-cp4a-operator <user_name>
- Monitor the pod until it shows a STATUS of Running:
$ oc get pods -w
Note: When started, you can monitor the operator logs with the following command:
$ oc logs -f deployment/ibm-cp4a-operator -c operator
Step 3: Update the custom resource YAML file for your deployment
Get the custom resource YAML file that you previously deployed (for example, scripts/generated-cr/ibm_cp4a_cr_final.yaml) and update the appVersion to "20.0.3.2". The operator will pull the corresponding 20.0.3.2 container images based on the value of appVersion.
Note: If you are using a new CR from the "cert-kubernetes" GitHub repository that you download from the prerequisites step above, then the appVersion is already set to "20.0.3.2".
Tip: If you use image tags in your CR in your current deployment, then the correct values of the tags can be found in the fully customizable (FC) CR pattern templates provided with the interim fix under ../cert-kubernetes/descriptors/patterns (for example, ibm_cp4a_cr_enterprise_FC_content.yaml has the corresponding image tags for the iFix along with all the parameters that can be customized for the deployment). Verify that the secret named in the CR YAML file as the imagePullSecrets is valid. Note that the secret might be expired, in which case you must re-create the secret.
Step 4: Apply the updated custom resource YAML file
- Check that all the components that you want to upgrade are configured with interim fix image tag values.
$ cat scripts/generated-cr/ibm_cp4a_cr_final.yaml
- Update the configured components by applying the custom resource.
$ kubectl apply -f scripts/generated-cr/ibm_cp4a_cr_final.yaml
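One way to run the Step 4 tag check mechanically instead of reading the `cat` output by eye, as an added example that is not part of IBM's readme or scripts: it compares the tags in the deployed CR with those in an interim fix pattern template and confirms the appVersion from Step 3. It assumes each image is written as a `repository:` line followed by a `tag:` line; the function names, component names, registry host and tags in the demo are constructed.

```shell
#!/bin/sh
# Added example, not IBM's script. Checks a deployed CR against the image tags
# in an interim-fix pattern template. Sample names and tags are constructed.

# Succeeds if the CR sets appVersion to 20.0.3.2 (the value this readme gives).
app_version_ok() {
  grep -Eq "^[[:space:]]*appVersion:[[:space:]]*[\"']?20\.0\.3\.2[\"']?[[:space:]]*\$" "$1"
}

# $1 = deployed CR, $2 = FC pattern template from the interim fix.
# Pairs each `repository:` with the next `tag:`, keys on the image name only
# (so an internal registry route compares equal to cp.icr.io), and prints every
# CR image whose tag differs from the template. Returns non-zero if any differ.
stale_tags() {
  awk -v tpl="$2" '
    function clean(s) { gsub("[\"\047]", "", s); return s }
    FNR == 1 { name = "" }
    /^[ \t]*#/ { next }
    /^[ \t]*repository:/ { n = split(clean($2), p, "/"); name = p[n]; next }
    /^[ \t]*tag:/ && name != "" {
      tag = clean($2)
      if (FILENAME == tpl) want[name] = tag
      else if ((name in want) && want[name] != tag) {
        print name ": " tag " (template has " want[name] ")"; bad = 1
      }
      name = ""
    }
    END { exit bad + 0 }
  ' "$2" "$1"
}

# Constructed sample: a two-component CR that still carries one old tag.
demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/template.yaml" <<'EOF'
spec:
  appVersion: 20.0.3.2
  component_a:
    image:
      repository: cp.icr.io/cp/cp4a/sample/component-a
      tag: "SAMPLE-IF002"
  component_b:
    image:
      repository: cp.icr.io/cp/cp4a/sample/component-b
      tag: SAMPLE-IF002
EOF
  sed -e 's#cp.icr.io/cp/cp4a#registry.example.test/cp4a-project#' \
      -e '/component-b/,$ s/SAMPLE-IF002/SAMPLE-IF001/' "$d/template.yaml" > "$d/cr.yaml"
  app_version_ok "$d/cr.yaml" && echo "appVersion ok"
  stale_tags "$d/cr.yaml" "$d/template.yaml"; rc=$?
  rm -rf "$d"; return "$rc"
}

demo || echo "CR still has tags that differ from the template"
```

Images that appear in the CR but not in the chosen template are not reported, so pick the template that matches your deployment pattern.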
Step 5: Verify the updated automation containers
The operator reconciliation loop might take several minutes. When all of the pods are Running, you can access the status of your containers by running the following commands:
$ oc status
$ oc get pods -w
$ oc logs <operatorPodName> -f -c operator
Performing the necessary tasks after installation
For more information, see IBM Cloud Pak for Automation 20.0.x.
Uninstalling
For more information, see IBM Cloud Pak for Automation 20.0.x.
List of Fixes
APARs are listed in tables. The columns are defined as follows:
| Column title | Column description |
|---|---|
| APAR | The defect number |
| Title | A short description of the defect |
| Sec. | A mark indicates a defect related to security |
| Cont. | A mark indicates a defect specific to the cloud pak integration of the component |
| B.I. | A mark indicates the fix has a business impact. Details are found in the title column or the APAR document |
- General
- Cloud Pak for Automation Operator
- Business Automation Application
- Automation Decision Services
- Automation Document Processing
- Business Automation Insights
- Business Automation Navigator
- Business Automation Studio
- Business Automation Workflow
- Enterprise Records
- FileNet Content Manager
- Operational Decision Management
- User Management Service
General
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| N/A |
Cloud Pak for Automation Operator
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| JR63226 | THE IBM FILENET CONTENT MANAGER PODS DO NOT CONTAIN ANY LICENSING INFORMATION. | X | X | |
| JR63252 | WRONG UMS HOSTNAME USED DURING DEPLOYMENT | X |
Business Automation Application
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| JR62944 | SECURITY APAR - CVE-2020-4051 AND CVE-2018-6561 VULNERABILITIES WERE IDENTIFIED | X | | |
| JR63082 | SECURITY APAR - CVE-2020-28168 AFFECTS IBM BUSINESS AUTOMATION APPLICATION | X | | |
| JR63097 | SECURITY APAR - CVE-2020-7774 AFFECTS IBM BUSINESS AUTOMATION APPLICATION | X | | |
| JR63105 | SECURITY APAR - CVE-2021-20359 - THE PERFORMREQUEST TRACE MIGHT SHOW THE PASSWORD IN THE APPLICATION ENGINE SERVER TRACE LOG | X | | |
| JR63164 | YOU CAN'T CREATE A DESKTOP | | | |
| JR63170 | APPLICATION ENGINE RESTARTS UNEXPECTEDLY | | | |
| JR63079 | YOU RECEIVE AN ERROR USING GET AUTOMATIONSERVICEIMPORTER AND CAN'T CREATE AN AUTOMATION SERVICE | | | |
Automation Decision Services
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| N/A | X |
Automation Document Processing
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| JR63275 | Chrome Viewer dialog fails to open properly | X | X | |
| JR63276 | JSON Annotations not deleted after Verify | X | X | |
| JR63277 | Commit fails with COMMIT_REVISION_MISMATCH error when local and remote Git are out of sync | X | X | |
| JR63278 | Data Extraction zone creation goes to blank page | X | X | |
| JR63281 | Project Definition updated even when versioning fails | X | X | |
| JR63282 | RabbitMQ causing Content Analyzer pod restarts | X | X | |
| JR63283 | Improved ADP Sample Data Files | X | X |
Business Automation Insights
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| JR63240 | PROVIDE DOCUMENTATION FOR THE BUSINESS AUTOMATION INSIGHTS CONVERSATIONAL ASSISTANT | X | X | |
Business Automation Navigator
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
|
|
Business Automation Studio
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| JR62944 | SECURITY APAR - CVE-2020-4051 AND CVE-2018-6561 VULNERABILITIES WERE IDENTIFIED | X | | |
| JR63082 | SECURITY APAR - CVE-2020-28168 AFFECTS IBM BUSINESS AUTOMATION APPLICATION | X | | |
| JR63097 | SECURITY APAR - CVE-2020-7774 AFFECTS IBM BUSINESS AUTOMATION APPLICATION | X | | |
| JR63170 | APPLICATION ENGINE RESTARTS UNEXPECTEDLY | | | |
| JR63079 | YOU RECEIVE AN ERROR USING GET AUTOMATIONSERVICEIMPORTER AND CAN'T CREATE AN AUTOMATION SERVICE | | | |
| JR63161 | YOU CAN'T DELETE AN APP WITHOUT REPOSITORY ADMINISTRATION PERMISSION IN IBM BUSINESS AUTOMATION STUDIO | | | |
| JR63171 | YOU CAN'T EXPAND THE CASE CONTENT OBJECT OR THE CASEINSTANCE STRUCTURE VARIABLE | | | |
| JR63207 | RUNNING THE UPDATESYSTEMAPP COMMAND DOESN'T DELETE THE EXISTING SNAPSHOT BEFORE IMPORTING THE .TWX FILE | | | |
| JR63213 | WHEN YOU'RE CREATING AN EXTERNAL AUTOMATION SERVICE, YOU RECEIVE AN ERROR STATING THE PROJECT WITH AN ACRONYM CAN'T BE FOUND | | | |
Business Automation Workflow including Automation Workstream Services
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| JR62944 | SECURITY APAR - CVE-2020-4051 AND CVE-2018-6561 VULNERABILITIES WERE IDENTIFIED | X | | |
| JR63129 | SECURITY APAR - CVE-2021-20358 - KAFKA CONNECTION USERNAME AND PASSWORD ARE LOGGED IN CLEAR TEXT | X | | |
| JR63131 | YOU NOTICE SEVERAL USABILITY ISSUES IN WORKPLACE | | | |
| JR63171 | YOU CAN'T EXPAND THE CASE CONTENT OBJECT OR THE CASEINSTANCE STRUCTURE VARIABLE | | | |
| JR63207 | RUNNING THE UPDATESYSTEMAPP COMMAND DOESN'T DELETE THE EXISTING SNAPSHOT BEFORE IMPORTING THE .TWX FILE | | | |
| JR63210 | IBM WORKFORCE INSIGHTS CAN'T WRITE ON A CONFIGURED ELASTICSEARCH INDEX | | | |
Enterprise Records
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| N/A |
FileNet Content Manager
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| See Cloud Pak for Automation Operator | X |
Operational Decision Management
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| RS03736 | LDAP SYNCHRONIZATION IS SOMETIMES BLOCKED AFTER A B/G OR A MIGRATE DC SCHEMA | | | |
| RS03731 | CANNOT CLOSE A CHANGE ACTIVITY IF A RULE PACKAGE HAS BEEN MOVED AND ITS PARENT RULE PACKAGE HAS BEEN DELETED | | | |
| RS03727 | NO USEFUL ERROR MESSAGE WHEN CRE SEQUENTIAL COMPILATION FAILS | | | |
| RS03722 | DEPLOYING A RULESET MAY NEVER COMPLETE UNDER SOME SPECIFIC CONDITIONS | | | |
| RS03717 | DECISION SERVICE REST API CHANGES VARIABLESETNAME DURING EXPORT | | | |
| RS03711 | BC DEPLOYMENT FAILS WITH EXECUTION CLASS MISSING | | | |
| RS03708 | NULLPOINTEREXCEPTION WHEN MERGING A RULE WITH NO DEFINTION | | | |
| RS03704 | THE BUSINESS CONSOLE MAY EXPOSE THE LDAP BIND PASSWORD | | | |
| RS03701 | DEPLOYMENT CONFIGURATIONS CREATED IN A SUB-PROJECT USING RULE DESIGNER CANNOT BE USED IN THE BUSINESS CONSOLE | | | |
| RS03693 | UPDATING MODEL EXTENSIONS IS FAILING WHEN USING AN OLDER DATABASE SCHEMA | | | |
| RS03687 | RULE DESIGNER THROWS COMPILATION ERROR IN DE WHEN USING A VARIABLE TO INITIALIZE ANOTHER VARIABLE | | | |
| JR63208 | PASSWORD IS IN CLEAR IN EVENTS EMITTER | X | | |
| JR63209 | DECISION CENTER SETUP SCHEMA CREATION IS GENERATING TRANSACTION TIMEOUT ISSUES | | | |
User Management Service
| APAR | Title | Sec. | Cont. | B.I. |
|---|---|---|---|---|
| See Cloud Pak for Automation Operator | X |
Known Limitations
For additional information, see the support page Cloud Pak for Automation Known Limitations
Document change history
Document Information
Modified date: 01 March 2021
UID: ibm16406362