IBM Support

Readme for Cloud Pak for Business Automation 21.0.2 IF008

Fix Readme


Abstract

The following document is for IBM Cloud Pak for Business Automation 21.0.2 IF008. It includes the CASE package download, installation information, and the list of APARs that are resolved in this interim fix.

Content

Readme file for: IBM Cloud Pak® for Business Automation
Product Release: 21.0.2
Update Name: 21.0.2 IF008
Fix ID: 21.0.2-WS-CP4BA-IF008
Publication Date: 23 February 2022
Last modified date: 6 April 2022

Contents

Prerequisites and supersedes

  • Supersedes all prior interim fixes for CP4BA 21.0.2.
  • Common Services 3.15.1 fixpack is now available. The update addresses Automation Base custom resource (CR) failure, which prevented Cloud Paks that use Kafka from installing when using IBM Automation Foundation 1.3.3 and Common Services 3.15.

Components impacted

Before installation

  1. Ensure you take regular backups of any databases associated with the environment.
  2. Required when using Business Automation Insights
    If Business Automation Insights is deployed, prune the Business Automation Insights deployment and jobs before you apply the updated custom resource YAML file.
    $ oc delete Deployment,Job -l \
    > 'app.kubernetes.io/name=ibm-business-automation-insights'
    Tip: For Flink event processing to resume from its previous state, make sure that savepoints are created before the upgrade and specified in the updated CR. For more information see, Restarting from a checkpoint or savepoint

Installing the interim fix

Cloud Pak for Business Automation 21.0.2 interim fixes are released to the v21.2 operator channel. If your environment has access to IBM entitled registry and has an automatic v21.2 channel subscription then enterprise installations are upgraded automatically. This upgrade generally occurs when the interim fix is released. Once the operator is upgraded, it triggers rolling updates for all the pods it manages to ensure they are updated to the appropriate version to match the operator.
Important: If you used any individual image tag settings in your CP4BA CR, it could prevent the operator from updating the images to the appropriate version. Ensure you remove any of these settings for an enterprise installation when you upgrade.
The CASE package associated with this interim fix is ibm-cp-automation-3.1.8.tgz.

Depending on the current setup and state of your existing environment, there are various manual actions that might be required. The following scenarios cover what actions might be needed for a particular setup.
  • Scenario 1: You are using a demo installation.
    Actions: Demo environments do not support upgrades. Although you can use the interim fix content, install a new demo environment and use the CASE package from this interim fix.
  • Scenario 2: Your installation is version 21.0.1.x or earlier.
    Actions: If you are using a version before 21.0.2, then you must upgrade first. To upgrade your environment, follow the "Upgrading automation containers" instructions.
    When you perform the upgrade, you can substitute the CASE package from this interim fix for the 21.0.2 CASE package while you follow the instructions.
  • Scenario 3: You are using an air gapped environment.
    Actions: To upgrade a 21.0.2 air gapped environment, you must first mirror all the new images to your internal registry. Follow the steps in "Setting up a mirror image registry" although be sure to use the CASE package from this interim fix.
    Once the images are mirrored, the automatic channel subscription completes the upgrade.
  • Scenario 4: Your v21.2 channel subscription is set to manual.
    Actions: If your channel subscription is set to manual, then you must approve any operator upgrades.
      a. Select the CP4BA operator from the OCP web console under Operators>Installed Operators.
      b. Go to the subscription tab for the operator.
      c. Trigger the operator update.
    Once the operator is updated, it triggers the upgrade of the other CP4BA images.

Performing the necessary tasks after installation

  1. Required when using Business Automation Insights
    You must update the IBM Automation Foundation operators to the v1.3 channel to ensure Business Automation Insights can be updated and continue to work and to address log4j vulnerability (CVE-2021-44228) for all IBM Automation Foundation components. For more information on how to upgrade channels, see the Upgrade the IBM Automation Foundation Core and IBM Automation Foundation subscriptions to the v1.1 channel section.

    When using Business Automation Insights and upgrading from an IBM Automation Foundation version prior to 1.3, the operator will fail to become ready after the upgrade and kafka/zookeeper pods will show SSL errors. To resolve the issue, follow the "To renew the leaf certificates for Kafka" instructions in Changes to CA certificate and key does not automatically rotate Kafka leaf certificates.
  2. Review the installation
    It is recommended that you review the CR yaml status section and operator logs after the upgrade to ensure there are no failures preventing your pods from upgrading.
    oc get icp4acluster -o yaml > CP4BAconfig.yaml
    oc logs deployment/ibm-cp4a-operator -c operator > operator.log
    If you are interested in verifying the expected image digest for a particular image, then you can review the ibm-cp-automation\inventory\cp4aOperatorSdk\resources.yaml file in the CASE package. This file has a listing of the images managed by the CP4BA operator and their expected digest for this particular interim fix level.
  3. Required when using Workflow Process Service
    1. Follow the step 2 of section "3. Running your environment" in Installing Workflow Process Service to login to the entitled registry with your entitlement key.
    2. Back up your database backup, docker-compose.yml and folder for docker volumes “production_workflow_runtime_data” and “production_workflow_runtime_logs”.
    3. (Optional) Push the images to your docker registry. Log in to your docker registry, and push the docker images into your docker registry using the following commands:
      docker login <server>
      docker tag cp.icr.io/cp/cp4a/workflow-ps/workflow-ps-server:21.0.2-IF008 \
      > <server>/workflow-ps-server:21.0.2-IF008
      docker tag cp.icr.io/cp/cp4a/workflow-ps/workflow-ps-authoring:21.0.2-IF008 \
      > <server>/workflow-ps-authoring:21.0.2-IF008
      docker push <server>/workflow-ps-server:21.0.2-IF008
      docker push <server>/workflow-ps-authoring:21.0.2-IF008
      Where <server> is the host of the docker image registry that you want to use to pull the images. For example myregistry.local:5000 or localhost:8080 for a self-hosted registry.
    4. Run docker-compose down command to stop the Workflow Process Server container.
    5. Update the image url's tags in docker-compose.yml.
      <server>/workflow-ps-server:21.0.2-IF008
      <server>/workflow-ps-authoring:21.0.2-IF008
    6. Run docker-compose up command to start the Workflow Process Server container
    For more detail on Workflow Process Service refer to Installing Workflow Process Service .
    Troubleshooting: If you are using a Docker Desktop version 4.3.0 or greater, you might get an out of memory error when you start the server. For more details and possible resolution to this issue, and other troubleshooting guidance, refer to Troubleshooting Workflow Process Service.
  4. Required when using Operational Decision Manager
    You must update your Rule Designer:
    • Open Eclipse 
    • Open menu Help > Check for Updates
    • select IBM Operational Decision Manager for Developers v8.10.x - Rule Designer 8.10.5.1
    • Proceed with installation.

Uninstalling

There is no procedure to uninstall the interim fix.

List of Fixes

APARs fixed by this interim fix are listed in the following tables. Fixes from previous interim fixes are also included in this interim fix. Consult the Related links section for fix information of previous interim fixes.
The columns are defined as follows: 
Column title Column description
APAR The defect number
Title A short description of the defect
Sec. A mark indicates a defect related to security
Cont. A mark indicates a defect specific to the Cloud Pak integration of the component
B.I. A mark indicates the fix has a business impact. Details are found in the title column or the APAR document
General
APAR Title Sec. Cont. B.I.
N/A
Cloud Pak for Business Automation delivers container images that include operating system level and other open source libraries. Vulnerabilities (CVEs) for these libraries are published regularly.
This interim fix includes fixes for these libraries to address:
CVE-2022-21271, CVE-2022-20612, CVE-2021-44832, CVE-2021-23555, CVE-2022-21248, 
CVE-2022-21277, CVE-2022-21282, CVE-2022-21283, CVE-2022-21291, CVE-2022-21293, 
CVE-2022-21294, CVE-2022-21296, CVE-2022-21299, CVE-2022-21305, CVE-2022-21340, 
CVE-2022-21341, CVE-2022-21360, CVE-2022-21365, CVE-2022-21366, CVE-2019-10746, 
CVE-2021-34429, PRISMA-2021-0041
 
Previous interim fixes will have included fixes which are also addressed with this interim fix. Consult the Related links section for readmes of previous interim fixes, at the bottom of this document.
X X
Cloud Pak for Business Automation Operator
APAR Title Sec. Cont. B.I.
JR64597
ICP4ADEPLOY-BAN-EXT-TLS-SECRET GETS INCORRECTLY UPDATED WITH EACH OPERATOR RECONCILE LOOP
X
Automation Document Processing
APAR Title Sec. Cont. B.I.
JR64639 CLASSIFIER MODEL GIVES INCORRECT RESULTS AFTER UPGRADE X X
JR64640 DOCUMENT STUCK IN FINALIZING AFTER CHANGING THE DOCUMENT TYPE X X
Automation Decision Services
APAR Title Sec. Cont. B.I.
N/A N/A
APAR Title Sec. Cont. B.I.
N/A N/A
Business Automation Insights
APAR Title Sec. Cont. B.I.
N/A N/A
Business Automation Navigator
APAR Title Sec. Cont. B.I.
N/A N/A
Business Automation Studio
APAR Title Sec. Cont. B.I.
JR64497 SECURIT APAR - LUCENE-9981 DENIAL OF SERVICE VULNERABILITY MAY  AFFECT IBM BAW X
Business Automation Workflow including Automation Workstream Services
APAR Title Sec. Cont. B.I.
REMOVE REFERENCE TO LOG4J FROM 21.0.2 AND 21.0.3 X
JR64565 MULTIPLE LOG4J VULNERABILITIES IN IBM PROCESS FEDERATION SERVER X
JR64417 TIME VALUES OF A PROCESS INSTANCE ARE SHOWN INCORRECTLY IN THE WORKPLACE INSTANCE DETAILS UI PAGE
JR64501 THE HIDDEN DIVS CONTAINING VALIDATION MESSAGES FOR ACCESSIBILITY ARE NOT REMOVED WHEN SETVALID IS CALLED MORE THAN ONCE
Enterprise Records
APAR Title Sec. Cont. B.I.
N/A
N/A
FileNet Content Manager
APAR Title Sec. Cont. B.I.
N/A N/A
Operational Decision Management
APAR Title Sec. Cont. B.I.
RS03802 DECISION CENTER MAY BECOME SLOW AFTER EDITING RULES   
RS03873 RESTORING A BASELINE OR SNAPSHOT MAY CREATE A NEW VERSION OF A RULE WITH A WRONG VERSION NUMBER
RS03874 CVE-2021-44228 LOG4J VULNERABILITY X
RS03860 ERRONEOUS FRENCH TRANSLATION OF RES STATISTICS "MIN. TIME"
User Management Service
APAR Title Sec. Cont. B.I.
N/A N/A

Known Limitations

Document change history

  • 23 February 2022: Initial publish.
  • 6 April 2022: Added JR64497 to Business Automation Studio fix list table.
  • [{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS2JQC","label":"IBM Cloud Pak for Automation"},"ARM Category":[{"code":"a8m0z0000001gWWAAY","label":"CloudPak4Automation Platform"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

    Document Information

    Modified date:
    06 April 2022

    UID

    ibm16557060