
IBM Security Key Lifecycle Manager Version 4.0.0 - Fix Pack 4 README



Abstract

Readme file for IBM Security Key Lifecycle Manager Version 4.0.0 Fix Pack 4 (4.0.0.4), including installation-related instructions, prerequisites and corequisites, and a list of fixes.

Content


List of features and fixes

Features included in IBM Security Key Lifecycle Manager Version 4.0.0.4

None

 

Internal fixes included in IBM Security Key Lifecycle Manager Version 4.0.0.4

  • Security fixes

APAR fixes included in Version 4.0.0.4

| APAR No. | Sev. | Abstract |
|---|---|---|
| IJ30604 | 1 | The Update Owner REST Service does not work in SKLM 4.0.0.3 Swagger UI. |
| IJ30654 | 1 | The Kmt_key_group is not removed before the restore operation. |
| IJ35237 | 2 | The sklmconfig.properties file of the master server might get corrupted after replication. |
| IJ36284 | 3 | The CTGKS0006E/CTGKP5012E messages are displayed on the SKLM UI after applying fix pack 3 and rebooting the SKLM server. |


Download instructions

  1. Go to IBM Fix Central home page: http://www.ibm.com/support/fixcentral/
  2. In the Product selector field, type IBM Security Key Lifecycle Manager, and select the product name when it appears.
  3. From the Installed Version list, select 4.0.0.
  4. From the Platform list, select the appropriate platform, and click Continue.
  5. On the Identify Fixes page, ensure that Browse for Fixes is selected, and click Continue.
  6. On the Select Fixes page, select fix pack 4.0.0-ISS-SKLM-FP0004, and click Continue.
    You might be prompted to Sign In.  If you do not have an ID, click the Register now link and follow the registration steps.
  7. On the Download options page, select a download method (default is Download using Download Director).
  8. Select the associated files and README for fix pack: 4.0.0-ISS-SKLM-FP0004 and click Download now.

Supported platforms

See IBM Security Key Lifecycle Manager Support Matrix.


Fix pack files per platform for IBM Security Key Lifecycle Manager

| Product/Component name | Platform | File name | Command | Checksum |
|---|---|---|---|---|
| IBM Security Key Lifecycle Manager version 4.0.0 Fix Pack - 4.0.0-ISS-SKLM-FP0004 | AIX | 4.0.0-ISS-SKLM-FP0004-AIX.tar.gz | md5sum FileName.tar.gz | f83e29d50fc07888ff5f78e86c187437 |
| IBM Security Key Lifecycle Manager version 4.0.0 Fix Pack - 4.0.0-ISS-SKLM-FP0004 | Linux | 4.0.0-ISS-SKLM-FP0004-Linux.tar.gz | md5sum FileName.tar.gz | 3d0f1ff857c77f6511ce417a855c1892 |
| IBM Security Key Lifecycle Manager version 4.0.0 Fix Pack - 4.0.0-ISS-SKLM-FP0004 | zLinux (IBM Z) | 4.0.0-ISS-SKLM-FP0004-zLinux.tar.gz | md5sum FileName.tar.gz | e27326961e3d25d6a50f125c0c92798f |
| IBM Security Key Lifecycle Manager version 4.0.0 Fix Pack - 4.0.0-ISS-SKLM-FP0004 | Linux PPC | 4.0.0-ISS-SKLM-FP0004-LinuxPPC.tar.gz | md5sum FileName.tar.gz | 106fa63c02dce78d97056ee495f2ce89 |
| IBM Security Key Lifecycle Manager version 4.0.0 Fix Pack - 4.0.0-ISS-SKLM-FP0004 | Windows | 4.0.0-ISS-SKLM-FP0004-Windows.zip | certutil -hashfile FileName.zip md5 | 277bcd7277a58b9182697997d762b45d |

For example (UNIX/Linux): md5sum 4.0.0-ISS-SKLM-FP0004-zLinux.tar.gz

Sample output
3d0f1ff857c77f6511ce417a855c1892 4.0.0-ISS-SKLM-FP0004-zLinux.tar.gz

For example (Windows): certutil -hashfile 4.0.0-ISS-SKLM-FP0004-Windows.zip md5

Sample output
MD5 hash of file 4.0.0-ISS-SKLM-FP0004-Windows.zip: 277bcd7277a58b9182697997d762b45d
CertUtil: -hashfile command completed successfully.

 

Prerequisites

  • Ensure that IBM Security Key Lifecycle Manager, Version 4.0 GA (4.0.0.0), fix pack 1 (4.0.0.1), fix pack 2 (4.0.0.2), or fix pack 3 (4.0.0.3) is already installed.
  • Ensure that the /tmp directory does not contain KLMPrev.properties. If present, rename or remove this file before you start applying the fix pack.
    Also, ensure that the /tmp directory has all the permissions and does not have noexec set.
  • Ensure that IBM Security Key Lifecycle Manager is not in use.
  • Ensure that umask is set to 0022.
  • Back up the IBM Security Key Lifecycle Manager server. For instructions, see Configuring backup and restore.
  • Back up the WebSphere Application Server files. For instructions, see the following table:

| S.No. | Instruction | Windows Commands | UNIX/Linux Commands |
|---|---|---|---|
| 1. | Windows: Open command line. Linux/AIX: Open a ksh or bash shell. | Click Start > Run, type cmd, and click OK. | If your default shell is not ksh or bash, run "exec ksh" or "exec bash". |
| 2. | Stop WebSphere Application Server. | WAS_HOME\bin\stopServer.bat server1 -username WAS_ADMIN -password WAS_PASSWORD | WAS_HOME/bin/stopServer.sh server1 -username WAS_ADMIN -password WAS_PASSWORD |
| 3. | Make a temporary directory. | mkdir WAS_BACKUP_DIRECTORY (for example: mkdir C:\wasbackup) | mkdir WAS_BACKUP_DIRECTORY (for example: mkdir /tmp/wasbackup) |
| 4. | Change directory to the temporary directory. | cd C:\wasbackup | cd /tmp/wasbackup |
| 5. | Copy or archive the files from the directory where WebSphere Application Server is installed. | xcopy /y /e /d WAS_HOME C:\wasbackup | tar -cvf wasbackup.tar WAS_HOME/* |
| 6. | Start WebSphere Application Server. | WAS_HOME\bin\startServer.bat server1 | WAS_HOME/bin/startServer.sh server1 |
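
The download checksum and the /tmp and umask prerequisites above can be checked by a script before the installer is started. The following is an added example, not part of the IBM fix pack: the function names are hypothetical, the MD5 values are the ones in the fix pack files table, and the noexec test reads /proc/mounts, so that part assumes Linux.

```sh
#!/bin/sh
# Pre-flight checks before applying 4.0.0-ISS-SKLM-FP0004 on UNIX/Linux.
# Added example: function names are hypothetical; the checksums and the
# prerequisites are the ones listed in this README.

# expected_md5 FILE: print the published MD5 for a known archive name.
expected_md5() {
  case "$(basename "$1")" in
    4.0.0-ISS-SKLM-FP0004-AIX.tar.gz)      echo f83e29d50fc07888ff5f78e86c187437 ;;
    4.0.0-ISS-SKLM-FP0004-Linux.tar.gz)    echo 3d0f1ff857c77f6511ce417a855c1892 ;;
    4.0.0-ISS-SKLM-FP0004-zLinux.tar.gz)   echo e27326961e3d25d6a50f125c0c92798f ;;
    4.0.0-ISS-SKLM-FP0004-LinuxPPC.tar.gz) echo 106fa63c02dce78d97056ee495f2ce89 ;;
    *) return 1 ;;
  esac
}

# verify_md5 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_md5() {
  [ -r "$1" ] || return 2
  actual=$(md5sum "$1" | awk '{ print tolower($1) }')
  [ "$actual" = "$2" ]
}

# klmprev_absent DIR: succeed if DIR holds no KLMPrev.properties.
klmprev_absent() {
  [ ! -e "$1/KLMPrev.properties" ]
}

# dir_is_noexec DIR [MOUNTS]: succeed if the file system holding DIR is
# mounted noexec. Uses the longest mount point that is a prefix of DIR;
# MOUNTS defaults to /proc/mounts (Linux only).
dir_is_noexec() {
  awk -v dir="$1" '
    { mp = $2
      covers = (mp == "/" || dir == mp || index(dir, mp "/") == 1)
      if (covers && length(mp) >= best) { best = length(mp); opts = $4 } }
    END { exit ((("," opts ",") ~ /,noexec,/) ? 0 : 1) }
  ' "${2:-/proc/mounts}"
}

# umask_ok VALUE: succeed if VALUE is the required 0022.
umask_ok() {
  case "$1" in 0022|022) return 0 ;; *) return 1 ;; esac
}

# preflight ARCHIVE: run all checks, print each failure, return the count.
preflight() {
  fails=0
  { want=$(expected_md5 "$1") && verify_md5 "$1" "$want"; } \
    || { echo "FAIL: unknown archive or MD5 mismatch: $1"; fails=$((fails + 1)); }
  klmprev_absent /tmp \
    || { echo "FAIL: rename or remove /tmp/KLMPrev.properties"; fails=$((fails + 1)); }
  if dir_is_noexec /tmp; then
    echo "FAIL: /tmp is mounted noexec"; fails=$((fails + 1))
  fi
  umask_ok "$(umask)" \
    || { echo "FAIL: umask is $(umask), expected 0022"; fails=$((fails + 1)); }
  return "$fails"
}

# Usage: sh preflight.sh /sklminstall_linuxfp/4.0.0-ISS-SKLM-FP0004-Linux.tar.gz
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it as the user who will start updateSKLM.sh, in the same shell session, so that the umask it reports is the one the installer inherits.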

 


Known limitations

  • Rollback of installed fix pack is not supported.

Known issues and workaround

  • SKLM UI might be inaccessible on the previous versions of Internet Explorer (IE). This fix pack has been tested on IE 11. For more information about the supported browsers, see the Support Matrix.
  • On Google Chrome, in the Configuration > Audit and Debug page, the Debug log files text appears twice. This doesn't affect the functionality and you can proceed with the download.
  • (Applicable for RHEL 7.x) After system reboot, Db2 does not start automatically. 

    Workaround: Start Db2 manually. To do so, complete these steps:

    1. Log in as the root user and open a terminal window.
    2. Stop WebSphere Application Server.
      <WAS_HOME>/bin/stopServer.sh server1 -username wasadmin -password WAS_Password
      For example:
      /opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -username wasadmin -password WAS_Password
    3. Stop and start Db2.
      su - sklmdb40
      db2stop force
      db2start
    4. Start WebSphere Application Server.
      <WAS_HOME>/bin/startServer.sh server1
      For example,
      /opt/IBM/WebSphere/AppServer/bin/startServer.sh server1 

Installing the fix pack on IBM Security Key Lifecycle Manager

Installing a fix pack involves the following steps:

1. Complete the prerequisites.

2. Prepare to install the fix pack.

3. Install the fix pack.

4. Complete the post fix-pack installation tasks.


Prepare to install the fix pack

  1. Open the command line.
  2. Create a temporary directory to extract the fix pack installer files.
    Windows
    mkdir C:\sklminstall_windowsfp
    UNIX/Linux
    mkdir /sklminstall_linuxfp
  3. Change directory to this temporary directory.
    Windows
    cd C:\sklminstall_windowsfp
    UNIX/Linux
    cd /sklminstall_linuxfp
  4. Download the fix pack installer files into the directory. See Download Instructions.
  5. Extract the downloaded files.
    For example:

    Windows: 4.0.0-ISS-SKLM-FP0004-Windows.zip [Right-click and extract all]

    UNIX/Linux: tar -xvf 4.0.0-ISS-SKLM-FP0004-Linux.tar.gz

    Note: Use the platform-specific file.

For more information, see IBM Security Key Lifecycle Manager Version 4.0.0 Fix Packs.

Installing the fix pack by using the graphical user interface

1. Stop WebSphere Application Server, update Java SDK, and then start Installation Manager in GUI mode.

Windows

  1. Open a command line, and change the directory to the directory where you extracted the installer files.
    For example:

    C:\sklminstall_windowsfp
  2. Run the following command:
    updateSKLM.bat IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD

For example:
updateSKLM.bat "C:\Program Files\IBM\Installation Manager" "C:\Program Files\IBM\WebSphere\AppServer" wasadmin wasadminpwd

UNIX/Linux

  1. Open a command line, and change the directory to the directory where you extracted the installer files.
    For example:

    /sklminstall_linuxfp
  2. Run the following commands:

chmod +x ./updateSKLM.sh

./updateSKLM.sh IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD

For example:
updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/AppServer wasadmin wasadminpwd

2. Select the IBM Security Key Lifecycle Manager, Version 4.0.0 software package group.

  1. Select the base offering software package group (IBM Security Key Lifecycle Manager, Version 4.0.0).
  2. Click Next.
  3. In the Update Packages pane, select Version 4.0.0.4, and click Next.

3. Provide credentials for the WebSphere Application Server admin user (default: wasadmin), the SKLM admin user (default: SKLMAdmin), and the Db2 user (default: sklmdb40).

  1. In the Update Packages Configuration for IBM Security Key Lifecycle Manager v4.0.0.4 pane:
    • Enter Username and Password for Application Server Administrator.
    • Enter Username and Password for IBM Security Key Lifecycle Manager Application Administrator.
    • Enter Username and Password for IBM Db2 user.
  2. Click Validate Credentials.
    Validation might take a few minutes. Wait until the Next button is enabled.
  3. Click Next.

4. Complete the final step.

In the Update Packages > Summary pane, review the software packages that you want to install, and click Update.
After Installation Manager successfully updates the fix pack for the services that you select, a message is displayed.


Installing the fix pack silently

1. Start the Installation Manager utility to encrypt the passwords for users as required.

  1. Open a command line.
  2. Change the directory to the IM_INSTALL_LOCATION/eclipse/tools directory.

Windows

Run the following command to generate an encrypted password:
imcl.exe encryptString password_to_encrypt

UNIX/LINUX

Run the following command to generate an encrypted password:
./imcl encryptString password_to_encrypt

2. Back up the response file.

Rename the original response file to create a backup of the file: 
SKLM_Silent_Update_platform_Resp.xml
For example: SKLM_Silent_Update_platform_Resp_original.xml

The response file is located in the /sklm directory, which is within the directory where the fix pack is extracted.

3. Edit the response file.

Windows

Edit the response file SKLM_Silent_Update_platform_Resp.xml.

  1. Edit the repository location to point to the current location of the installer.
    Sample:

    <repository location='C:\sklminstall_windowsfp\sklm'/>

  2. Edit WASAdmin username and password (Password needs to be encrypted).
    Sample:

    <data key='user.WAS_ADMIN_ID,com.ibm.sklm40.win' value='wasadmin'/>
    <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm40.win' value='e9PjN93MeQxwnSs9VXJFMw=='/>


  3. Edit SKLMAdmin username and password (Password needs to be encrypted).
    Sample:

    <data key='user.SKLM_ADMIN_ID,com.ibm.sklm40.win' value='SKLMAdmin'/>
    <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.sklm40.win' value='9YTRJMRIydDSdfhaHPs1ag=='/>


  4. Edit Db2 username and password (Password needs to be encrypted).
    Sample:

    <data key='user.DB2_ADMIN_PWD,com.ibm.sklm40.db2.win.ofng' value='sklmdb40'/>
    <data key='user.CONFIRM_PASSWORD,com.ibm.sklm40.db2.win.ofng' value='QTh/0AiFvrljhs9gnOYkGA=='/>


UNIX/Linux

Edit the response file: SKLM_Silent_Update_platform_Resp.xml

  1. Edit the repository location to point to the current location of the installer.
    Sample for Linux:

    <repository location='/sklminstall_linuxfp/sklm'/>

  2. Edit WASAdmin username and password (Password needs to be encrypted).
    Sample:

    <data key='user.WAS_ADMIN_ID,com.ibm.sklm40.linux' value='wasadmin'/>
    <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm.Linux' value='e9PjN93MeQxwnSs9VXJFMw=='/>


  3. Edit SKLMAdmin username and password (Password needs to be encrypted).
    Sample:

    <data key='user.SKLM_ADMIN_ID,com.ibm.sklm40.linux' value='SKLMAdmin'/>
    <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.sklm40.linux' value='9YTRJMRIydDSdfhaHPs1ag=='/>


  4. Edit the username and password of the Db2 user (Password needs to be encrypted).
    Sample:

    <data key='user.DB2_ADMIN_ID,com.ibm.sklm40.db2.lin.ofng' value='sklmdb40'/>
    <data key='user.DB2_ADMIN_PWD,com.ibm.sklm40.db2.lin.ofng' value='QTh/0AiFvrljhs9gnOYkGA=='/>

4. Install the fix pack.

Windows

  1. Open a command line, and change directory to the directory where the installer files are extracted.

    For example: C:\sklminstall_windowsfp

  2. Run the following command:

silent_updateSKLM.bat IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD

For example:

silent_updateSKLM.bat "C:\Program Files\IBM\Installation Manager" "C:\Program Files\IBM\WebSphere\AppServer" wasadmin wasadminpwd

UNIX/Linux

  1. Open a command line, and change the directory to the repository directory.
    For example:
    /sklminstall_linuxfp
     
  2. Run the following commands:

chmod +x ./silent_updateSKLM.sh

./silent_updateSKLM.sh IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD

For example:

./silent_updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/AppServer wasadmin wasadminpwd

 

Installing the fix pack on a Multi-Master setup



Prerequisites 

If the original primary master server is acting as a standby master server, promote it to primary, and then install the fix pack. Otherwise, the database updates are not applied to the cluster.
To promote a master server to primary, see Promote to primary. 

To install the fix pack
  1. Stop WebSphere Application Server on all the master servers, in any sequence.
    • Open a command line.
    • Go to the WAS_HOME\bin directory.
      Windows

      C:\Program Files\IBM\WebSphere\AppServer\bin
      Linux
      /opt/IBM/WebSphere/AppServer/bin
       
    • Stop the IBM Security Key Lifecycle Manager server.
      Windows
      stopServer.bat server1 -username wasadmin -password mypwd
      Linux
      ./stopServer.sh server1 -username wasadmin -password mypwd 
  2. Stop Agent on all the master servers, in any sequence.
    • Open a command line.
    • Go to the SKLM_INSTALL_HOME\agent directory.
      Windows
      C:\Program Files\IBM\SKLMV40\agent
      Linux
      /opt/IBM/SKLMV40/agent
    • Stop the Agent.
      Windows
      stopAgent.bat WAS_HOME
      For example: stopAgent.bat "C:\Program Files\IBM\WebSphere\AppServer"
      Linux
      ./stopAgent.sh WAS_HOME
      For example: ./stopAgent.sh /opt/IBM/WebSphere/AppServer
       
  3. Apply fix pack on each master server and verify the installation.
    Complete this step in the following sequence:
    • Primary master server
    • Principal standby master server
    • Auxiliary standby master servers
    • Non-HADR master servers

      For steps to install the fix pack, see Installing the fix pack.
      To verify the installation:
      • Log in to IBM Security Key Lifecycle Manager and check the version number.
      • Ensure that the master server is running and available for use.

Post fix-pack installation

  1. Use one of the following methods to verify the installation.
    • Using graphical user interface:
      a. Log in to the graphical user interface.
      b. On the Welcome page header bar, click the Help (?) icon.
      c. Click About.
      The page displays the version details.
    • Using REST interface:
      Run the Version Info REST Service. For more information, see Swagger UI.
    • Using command line:
      • Windows
        a. Open the command line.
        b. Run the command: cd WAS_HOME\bin
        c. Run the command:
          wsadmin -lang jython -username sklmadminUserID -password sklmadminPassword
            For example: wsadmin.bat -lang jython -username sklmadmin -password sklmpassword
        d. At the wsadmin> prompt, type: print AdminTask.tklmVersionInfo()
      • UNIX/Linux
        a. Run the commands:
        cd WAS_HOME/bin/
        ./wsadmin.sh -lang jython -username sklmadminUserID -password sklmadminPassword

        For example: ./wsadmin.sh -lang jython -username sklmadmin -password sklmpassword
        b. At the wsadmin> prompt, type:
         print AdminTask.tklmVersionInfo()
          Check the output of the tklmVersionInfo command:
        IBM Security Key Lifecycle Manager Version : 4.0.0.4
        IBM Security Key Lifecycle Manager Build Level : 202203241205
        Embedded WAS Version : 9.0.5.0
        DB2 Version : 11.1.4.4
        Java Version : JRE 1.8.0_211 IBM J9 VM 2.9
        Operating System Version : Linux:3.10.0-1160.42.2.el7.x86_64:amd64
        Agent Version : 1.0
         
  2. Back up the IBM Security Key Lifecycle Manager server. For more information, see Configuring backup and restore.

Uninstalling the fix pack

Important: The following steps uninstall the entire product package, including IBM Security Key Lifecycle Manager, IBM Db2, and WebSphere Application Server, and all your data is lost. Take a backup before uninstalling.

Uninstalling IBM Security Key Lifecycle Manager with the fix pack by using the graphical user interface

1. Complete the prerequisites.

Stop the WebSphere Application Server.

2. Uninstall IBM Security Key Lifecycle Manager.

Windows

  1. Browse to IM_INSTALL_LOCATION\eclipse and double-click IBMIM to start IBM Installation Manager in GUI mode.
  2. In IBM Installation Manager, click Uninstall. The Uninstall Packages window opens.
  3. Select the check boxes to uninstall IBM Security Key Lifecycle Manager, Db2, and the WebSphere Application Server.
  4. Click Next. Type the WebSphere Application Server Administrator user ID and the password.
  5. Click Next. The Summary pane opens.
  6. Review the software packages to be uninstalled and their installation directories, and click Uninstall.
  7. Verify the uninstallation summary and the log files that are at C:\ProgramData\IBM\InstallationManager\logs\sklmLogs\ .

    After you uninstall IBM Security Key Lifecycle Manager, delete the WebSphere and Db2 installation directories, if not already removed. For default installation, these directories are C:\Program Files\IBM\WebSphere and C:\Program Files\IBM\DB2SKLMV40.

Unix/Linux

  1. Browse to IM_INSTALL_LOCATION/eclipse and run IBMIM.
  2. In IBM Installation Manager, click Uninstall. The Uninstall Packages window opens.
  3. Select the check boxes to uninstall IBM Security Key Lifecycle Manager, Db2, and the WebSphere Application Server.
  4. Click Next. Type the WebSphere Application Server Administrator user ID and the password.
  5. Click Next. The summary pane opens.
  6. Review the software packages to be uninstalled and their installation directories.
  7. Click Uninstall.
  8. Verify the uninstallation summary and the log files that are at /var/ibm/InstallationManager/logs/native/ .

    After you uninstall IBM Security Key Lifecycle Manager, delete the /opt/IBM/WebSphere and /opt/IBM/DB2SKLMV40 directories if not already removed.

Uninstalling IBM Security Key Lifecycle Manager with the fix pack silently

1. Edit the silent response file.

  1. Go to the directory that contains the installer files.
    For example:
    Windows: C:\sklminstall_windowsfp
    Linux: /sklminstall_linuxfp
  2. Back up the original response file SKLM_Uninstall_platform_Resp.xml by renaming it to SKLM_Uninstall_platform_Resp_original.xml.
  3. Edit the silent response file SKLM_Uninstall_platform_Resp.xml.
    Edit WASAdmin username and password (password needs to be encrypted).

    Windows
    Sample:

    <data key='user.WAS_ADMIN_ID,com.ibm.sklm40.win' value='wasadmin'/>
    <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm40.win' value='e9PjN93MeQxwnSs9VXJFMw=='/>

    UNIX/Linux
    Sample:

    <data key='user.WAS_ADMIN_ID,com.ibm.sklm40.linux' value='wasadmin'/>
    <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm40.linux' value='e9PjN93MeQxwnSs9VXJFMw=='/>

2. Uninstall IBM Security Key Lifecycle Manager.

Windows

  1. Open a command line.
  2. Change the directory to IM_INSTALL_LOCATION\eclipse\tools directory.
  3. Run the following command:
    imcl.exe -input PATH_TO_UNINSTALL_RESPONSE_FILE -silent
    For example:
    imcl.exe -input "C:\sklminstall_windowsfp\SKLM_Uninstall_Win_Resp.xml" -silent

  4. Verify the uninstallation summary and the log files that are at C:\ProgramData\IBM\InstallationManager\logs\sklmLogs\ .

    After you uninstall IBM Security Key Lifecycle Manager, delete the WebSphere and Db2 installation directories, if not already removed. For default installation, these directories are C:\Program Files\IBM\WebSphere and C:\Program Files\IBM\DB2SKLMV40.

UNIX/Linux

  1. Open a command line.
  2. Change the directory to IM_INSTALL_LOCATION/eclipse/tools directory.
  3. Run the following command:
    ./imcl -input PATH_TO_UNINSTALL_RESPONSE_FILE -silent
    For example:
    ./imcl -input /sklminstall_linuxfp/SKLM_Uninstall_Linux_Resp.xml -silent
  4. Verify the uninstallation summary and the log files that are at /var/ibm/InstallationManager/logs/native/ .

    After you uninstall IBM Security Key Lifecycle Manager, delete the /opt/IBM/WebSphere and /opt/IBM/DB2SKLMV40 directories if not already removed.

Where:

PATH_TO_UNINSTALL_RESPONSE_FILE refers to the uninstallation response file provided or bundled with the fix pack installer.

platform refers to the operating system where the fix pack is being installed or uninstalled. For example: SKLM_Uninstall_platform_Resp.xml on Linux will be SKLM_Uninstall_Linux_Resp.xml



Document Information

Modified date:
31 March 2022

UID

ibm16566683