
IBM Security Key Lifecycle Manager Version 4.0.0 - Fix Pack 5 README

Fix Readme


Abstract

Readme file for IBM Security Key Lifecycle Manager for distributed and containerized platforms, Version 4.0.0 Fix Pack 5 (4.0.0.5) including installation instructions, prerequisites and corequisites, and a list of fixes.

Content


Features and fixes
Features
None
Internal fixes
None
APAR fixes 

The following APARs reported in other source versions are included in version 4.0.0.5:

| APAR No. | Sev. | Abstract | Reported source version |
|---|---|---|---|
| IJ37936 | 3 | MAXIMUM.KEYCERT.EXPIRATION.PERIOD.IN.YEARS CAN CAUSE ITEMS NOT TO DISPLAY | 4.1.0.1 |
| IJ39961 | 1 | OLD KEYS HAVE MIXED CASES FOR ALIAS AND NAME CAUSING SEARCHES BY NAMETYPE TO FAIL RESULTING IN KEYS NOT BEING SERVED | 4.1.1.4 |
| IJ41021 | 2 | REGULAR EXPRESSION WHERE IT IS NOT ABLE TO DIFFERENTIATE _ AND . . ALLOWING DUPLICATE RECORDS | 4.1.0.4 |
| IJ41113 | 3 | UNABLE TO IMPORT CERTS WITH WHITESPACES AS SEPARATOR IN THE LABEL MY NEW CERT | 4.1.1 |
| IJ42218 | 3 | GARBLED CHARACTERS IN DEVICE SERIAL CTGKM0645E THE DEVICE !IQ CANNOT BE FOUND. | 4.1.1 |
| IJ43519 | 3 | UNABLE TO CREATE CSR IN 4.1.1 DUE TO COMMA IN ORGANIZATION NAME | 4.1.1 |
| IJ44475 | 3 | GUI SEARCH ON CLIENT NAME DISPLAYS TEST_XXX FOR CLIENT NAMES UNDER THE ATTRIBUTE NAME COLUMN. | 4.1.1.6 |
| IJ44382 | 2 | EXTREME NUMBER OF KEYS CAUSE DB2 QUERY SLOWDOWN | 4.1.1 |

APAR fixes included in Version 4.0.0.4

| APAR No. | Sev. | Abstract |
|---|---|---|
| IJ30604 | 1 | The Update Owner REST Service does not work in SKLM 4.0.0.3 Swagger UI. |
| IJ30654 | 1 | The Kmt_key_group is not removed before the restore operation. |
| IJ35237 | 2 | The sklmconfig.properties file of the master server might get corrupted after replication. |
| IJ36284 | 3 | The CTGKS0006E/CTGKP5012E messages are displayed on the SKLM UI after applying fix pack 3 and rebooting the SKLM server. |

APAR fixes included in Version 4.0.0.3

| APAR No. | Sev. | Abstract |
|---|---|---|
| IJ28186 | 3 | CTGKM3506E CANNOT FIND THE FILE $(SKLM_DATA)/$(SKLM_DATA)/KMIP_SELF_SIGNED_CERT.PEM. |
| IJ28430 | 1 | UNABLE TO TURN OFF INCREMENTAL BACKUPS IN 4.0.0.2 |
| IJ28461 | 3 | THE 'DAILY REPLICATION TIME' SETTING CANNOT BE SAVED FROM GUI |
| IJ28676 | 2 | MODIFY OWNER OR PARTNER CERT DOES NOT WORK IN P2P DEVICE GROUP IN SKLM 4002 |
| IJ28624 | 1 | DO NOT PERFORM BACKUP/RESTORE IF TKLM.ENCRYPTION.KEYSIZE ISNT SET |
| IJ30291 | 1 | SKLMCONFIG.PROPERTIES GETS TRUNCATED WITH REPLICATION ENABLED |

APAR fixes included in Version 4.0.0.2

| APAR No. | Sev. | Abstract |
|---|---|---|
| IJ25479 | 2 | UNABLE TO INSTALL DB2 UNIVERSAL FIX PACK ON SKLM 4.0 INSTALL |
| IJ25514 | 2 | IBM SECURITY KEY LIFECYCLE MANAGER V4.0 CLIENT CERTIFICATE NAME GETTING CHANGED ON CLONE POST INCREMENTAL REPLICATION |
| IJ25992 | 1 | SWAGGER DOES NOT HAVE ALL SKLM REST API COMMANDS |
| IJ26317 | 2 | CROSS MIGRATION FROM 3.0 FP TO 4.0 GIVES SQL PREPARED STATEMEMENT EXCEPTION AND UNIQUE KEY CONSTRAINT EXCEPTION |
| IJ26100 | 2 | PROBLEMS OCCUR WHEN PERFORMING EKM 2.1 TO SKLM 4.0 MIGRATION |

APAR fixes included in Version 4.0.0.1

| APAR No. | Sev. | Abstract |
|---|---|---|
| IJ23015 | 2 | IBM SECURITY KEY LIFECYCLE MANAGER V4.0 PASSWORD POLICY VIOLATION FUNCTION DOES NOT WORK IN JAPANESE ENVIONMENT |


Download instructions
  1. Go to IBM Fix Central home page: http://www.ibm.com/support/fixcentral/
  2. In the Product selector field, type IBM Security Key Lifecycle Manager, and select the product name when it appears.
  3. From the Installed Version list, select the installed IBM Security Key Lifecycle Manager version.
  4. From the Platform list, select the appropriate platform, and click Continue.
  5. On the Identify Fixes page, ensure that Browse for Fixes is selected, and click Continue.
  6. On the Select Fixes page, select fix pack 4.0.0-ISS-GKLM-FP0005, and click Continue.
    You might be prompted to Sign In.  If you do not have an ID, click the Register now link and follow the registration steps.
  7. On the Download options page, select a download method (default is Download using Download Director).
  8. Select the associated files and README for fix pack: 4.0.0-ISS-GKLM-FP0005 and click Download now.

Fix pack files checksum

| Product/Component name | Platform | File name | Command | Checksum |
|---|---|---|---|---|
| IBM Security Key Lifecycle Manager 4.0.0.5 | AIX | 4.0.0-ISS-GKLM-FP0005-AIX.tar.gz | md5sum FileName.tar.gz | 8faabf9b1372fd99d496d773250489e0 |
| IBM Security Key Lifecycle Manager 4.0.0.5 | Linux | 4.0.0-ISS-GKLM-FP0005-Linux.tar.gz | md5sum FileName.tar.gz | 733653815fb7600b35aa9d276b94f925 |
| IBM Security Key Lifecycle Manager 4.0.0.5 | zLinux (IBM Z) | 4.0.0-ISS-GKLM-FP0005-zLinux.tar.gz | md5sum FileName.tar.gz | a44cc754c9ecbd57f02fb28c7c3c39cc |
| IBM Security Key Lifecycle Manager 4.0.0.5 | Linux PPC | 4.0.0-ISS-GKLM-FP0005-LinuxPPC.tar.gz | md5sum FileName.tar.gz | 3d7ac27d6d69c861c01082246604ab4e |
| IBM Security Key Lifecycle Manager 4.0.0.5 | Windows | 4.0.0-ISS-GKLM-FP0005-Windows.zip | certutil -hashfile FileName.zip md5 | c27f53c0743634463f2f1cf0cee96348 |

For example (UNIX/Linux): md5sum 4.0.0-ISS-GKLM-FP0005-AIX.tar.gz

Sample output
8faabf9b1372fd99d496d773250489e0

For example (Windows): certutil -hashfile 4.0.0-ISS-GKLM-FP0005-Windows.zip md5

Sample output
MD5 hash of file 4.0.0-ISS-GKLM-FP0005-Windows.zip: c27f53c0743634463f2f1cf0cee96348
CertUtil: -hashfile command completed successfully.

 

Known limitations and issues

Known limitations

  • Rollback of installed fix pack is not supported.

Known issues

  • SKLM UI might be inaccessible on the previous versions of Internet Explorer (IE). This fix pack has been tested on IE 11. For more information about the supported browsers, see the Support Matrix.
  • On Google Chrome, in the Configuration Audit and Debug page, the Debug log files text appears twice. This doesn't affect the functionality and you can proceed with the download.
  • (Applicable for RHEL 7.x) After system reboot, Db2 does not start automatically. 

    Workaround: Start Db2 manually. To do so, complete these steps:

    1. Log in as the root user and open a terminal window.
    2. Stop WebSphere Application Server.
      <WAS_HOME>/bin/stopServer.sh server1 -username wasadmin -password WAS_Password
      For example:
      /opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -username wasadmin -password WAS_Password
    3. Stop and start Db2.
      su - sklmdb40
      db2stop force
      db2start
    4. Start WebSphere Application Server.
      <WAS_HOME>/bin/startServer.sh server1
      For example:
      /opt/IBM/WebSphere/AppServer/bin/startServer.sh server1 

Installation instructions
Prerequisites
  • Ensure that IBM Security Key Lifecycle Manager, Version 4.0 GA (4.0.0.0), fix pack 1 (4.0.0.1), fix pack 2 (4.0.0.2), fix pack 3 (4.0.0.3), or fix pack 4 (4.0.0.4) is already installed.
  • Ensure that the /tmp directory does not contain KLMPrev.properties. If the file is present, rename or remove it before you start applying the fix pack.
    Also, ensure that the /tmp directory has all the permissions and does not have noexec set.
  • Ensure that IBM Security Key Lifecycle Manager is not in use.
  • Ensure that umask is set to 0022.
  • Back up the IBM Security Key Lifecycle Manager server. For instructions, see Configuring backup and restore.
  • Back up the WebSphere Application Server files. To do so, complete the following steps:
    1. Open a command line.
    2. Stop WebSphere Application Server.
      • Windows
        WAS_HOME\bin\stopServer.bat server1 -username WAS_ADMIN -password WAS_PASSWORD
      • Linux
        WAS_HOME/bin/stopServer.sh server1 -username WAS_ADMIN -password WAS_PASSWORD
    3. Make a temporary directory.
      • Windows
        mkdir WAS_BACKUP_DIRECTORY
        For example: mkdir C:\wasbackup
      • Linux
        mkdir WAS_BACKUP_DIRECTORY
        For example: mkdir /tmp/wasbackup
    4. Change directory to the temporary directory.
      • Windows
        cd C:\wasbackup
      • Linux
        cd /tmp/wasbackup
    5. Copy or archive the files from the directory where WebSphere Application Server is installed.
      • Windows
        xcopy /y /e /d WAS_HOME C:\wasbackup
      • Linux
        tar -cvf wasbackup.tar WAS_HOME/*
    6. Start WebSphere Application Server.
      • Windows
        WAS_HOME\bin\startServer.bat server1
      • Linux
        WAS_HOME/bin/startServer.sh server1
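
The Linux prerequisites above (no leftover KLMPrev.properties, /tmp not mounted noexec, umask 0022) and the published checksums from the "Fix pack files checksum" table can be checked in one pass before the installer is started. The following script is an added example, not part of the IBM README or the fix pack; its function names and the optional mounts-file argument are assumptions, and it relies on md5sum and a /proc/mounts-format file.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight checks before applying fix pack 4.0.0.5.
# Function names and the optional mounts-file argument are assumptions.

# Published MD5 for a 4.0.0.5 archive name, copied from the checksum table.
expected_md5() {
    case "$1" in
        4.0.0-ISS-GKLM-FP0005-AIX.tar.gz)      echo 8faabf9b1372fd99d496d773250489e0 ;;
        4.0.0-ISS-GKLM-FP0005-Linux.tar.gz)    echo 733653815fb7600b35aa9d276b94f925 ;;
        4.0.0-ISS-GKLM-FP0005-zLinux.tar.gz)   echo a44cc754c9ecbd57f02fb28c7c3c39cc ;;
        4.0.0-ISS-GKLM-FP0005-LinuxPPC.tar.gz) echo 3d7ac27d6d69c861c01082246604ab4e ;;
        4.0.0-ISS-GKLM-FP0005-Windows.zip)     echo c27f53c0743634463f2f1cf0cee96348 ;;
        *) return 1 ;;
    esac
}

# 0 = archive matches its published checksum, 1 = mismatch, 2 = unknown name.
check_archive() {
    want=$(expected_md5 "$(basename "$1")") || return 2
    got=$(md5sum "$1" 2>/dev/null | awk '{ print tolower($1) }')
    [ "$got" = "$want" ]
}

# Print the mount options of the file system holding directory $1, using a
# /proc/mounts-format file ($2, default /proc/mounts). Longest mount point wins.
mount_opts_for() {
    awk -v dir="$1" '
        BEGIN { best = 0 }
        $2 == "/" || index(dir "/", $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# 0 if the file system holding $1 is not mounted noexec.
check_exec_allowed() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 1 ;;
    esac
    return 0
}

# 0 if directory $1 holds no leftover KLMPrev.properties.
check_no_klmprev() { [ ! -e "$1/KLMPrev.properties" ]; }

# 0 if the current umask is 0022 (some shells print it as 022).
check_umask() {
    case "$(umask)" in 0022|022) return 0 ;; esac
    return 1
}

# Run all checks for ARCHIVE [TMPDIR [MOUNTS_FILE]]; return the failure count.
preflight() {
    tmpdir=${2:-/tmp}; fails=0
    check_archive "$1"                || { echo "FAIL checksum of $1"; fails=$((fails + 1)); }
    check_no_klmprev "$tmpdir"        || { echo "FAIL $tmpdir/KLMPrev.properties exists"; fails=$((fails + 1)); }
    check_exec_allowed "$tmpdir" "$3" || { echo "FAIL $tmpdir is mounted noexec"; fails=$((fails + 1)); }
    check_umask                       || { echo "FAIL umask is $(umask), expected 0022"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"
    return "$fails"
}

# Constructed usage: sh preflight.sh ./4.0.0-ISS-GKLM-FP0005-Linux.tar.gz /tmp
[ "$#" -eq 0 ] || preflight "$@"
```

A matching MD5 value shows that the download was not truncated or corrupted in transit; MD5 is not collision resistant, so a match is not on its own proof of where the file came from.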
Installation steps
Depending on your setup, see the relevant section:

Installing the fix pack on GKLM traditional

You can use one of the following modes to install a fix pack:

Graphical mode

Complete the following instructions:
  1. Download the fix pack installer files. For instructions, see Download instructions.
  2. Extract the installer files to a folder of your choice.
  3. Open a command line.
  4. Change the directory to the directory where you extracted the fix pack installer files.
  5. Run the following command to launch the Installation Manager:
    • Windows

      updateSKLM.bat IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD
      For example:
      updateSKLM.bat "C:\Program Files\IBM\Installation Manager" "C:\Program Files\IBM\WebSphere\AppServer" wasadmin wasadminpwd
    • Linux

      chmod +x ./updateSKLM.sh
      
      ./updateSKLM.sh IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD
      For example:
      ./updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/AppServer wasadmin wasadminpwd
  6. Select the base offering software package group (IBM Security Key Lifecycle Manager, Version 4.0.0). Click Next.

  7. In the Update Packages pane, select Version 4.0.0.5, and click Next.

  8. Installation Manager fetches the assets and lists all the fixes and features to be installed. Click Next.
  9. In the Update Packages Configuration for IBM Security Key Lifecycle Manager v4.0.0.5 pane:
    • Enter Username and Password for Application Server Administrator.
    • Enter Username and Password for IBM Security Key Lifecycle Manager Application Administrator.
    • Enter Username and Password for IBM Db2 user.
  10. Click Validate Credentials. Validation might take a few minutes. Wait until the Next button is enabled. Click Next.
  11. In the Update Packages > Summary pane, review the software packages that you want to install, and click Update. After Installation Manager successfully updates the fix pack for the services that you select, a message is displayed.

Silent mode

Complete the following instructions:
  1. Download the fix pack installer files. For instructions, see Download instructions.
  2. Go to the directory where you extracted the fix pack installation files.
  3. Open the /sklm directory, which is within the directory where the fix pack is extracted. It contains the response file (SKLM_Silent_Update_platform_Resp.xml) that you must edit for the installation.
  4. Locate the response file. Create a backup of the response file: 
    For example: SKLM_Silent_Update_platform_Resp_original.xml. 
  5. Open the response file for editing. Edit the relevant elements of the response file SKLM_Silent_Update_platform_Resp.xml.
  6. Edit the repository location to point to the current location of the installer.
    • Windows
      <repository location='C:\sklminstall_windowsfp\wasfp\repository.config'/>
      <repository location='C:\sklminstall_windowsfp\sklmwasfp\repository.config'/>
    • Linux
      <repository location='/sklminstall_linuxfp/wasfp/repository.config'/>
      <repository location='/sklminstall_linuxfp/sklm/repository.config'/>
      
  7. Edit WASAdmin username and password. The password must be encrypted. To encrypt the password, see Encrypting a password.
    • Windows
      <data key='user.WAS_ADMIN_ID,com.ibm.sklm40.win' value='wasadmin'/>
      <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm40.win' value='e9PjN93MeQxwnSs9VXJFMw=='/>
    • Linux
      <data key='user.WAS_ADMIN_ID,com.ibm.sklm40.linux' value='wasadmin'/>
      <data key='user.WAS_ADMIN_PASSWORD,com.ibm.sklm.Linux' value='e9PjN93MeQxwnSs9VXJFMw=='/>
  8. Edit SKLMAdmin username and password. The password must be encrypted. To encrypt the password, see Encrypting a password.
    • Windows
      <data key='user.SKLM_ADMIN_ID,com.ibm.sklm40.win' value='SKLMAdmin'/>
      <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.sklm40.win' value='9YTRJMRIydDSdfhaHPs1ag=='/>
    • Linux
      <data key='user.SKLM_ADMIN_ID,com.ibm.sklm40.linux' value='SKLMAdmin'/>
      <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.sklm40.linux' value='9YTRJMRIydDSdfhaHPs1ag=='/>
  9. Edit Db2 username and password. The password must be encrypted. To encrypt the password, see Encrypting a password.
    • Windows
      <data key='user.DB2_ADMIN_PWD,com.ibm.sklm40.db2.win.ofng' value='sklmdb40'/>
      <data key='user.CONFIRM_PASSWORD,com.ibm.sklm40.db2.win.ofng' value='QTh/0AiFvrljhs9gnOYkGA=='/>
      
    • Linux
      <data key='user.DB2_ADMIN_ID,com.ibm.sklm40.db2.lin.ofng' value='sklmdb40'/> 
      <data key='user.DB2_ADMIN_PWD,com.ibm.sklm40.db2.lin.ofng' value='QTh/0AiFvrljhs9gnOYkGA=='/>
  10. Open a command line, and change directory to the directory where the installer files are extracted.
  11. Run the following command:
    • Windows
      silent_updateSKLM.bat IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD
      For example:
      silent_updateSKLM.bat "C:\Program Files\IBM\Installation Manager" "C:\Program Files\IBM\WebSphere\AppServer" wasadmin wasadminpwd
    • Linux
      chmod +x ./silent_updateSKLM.sh
      ./silent_updateSKLM.sh IM_INSTALL_LOCATION WAS_HOME WAS_ADMIN WAS_PASSWORD
      For example:
      chmod +x ./silent_updateSKLM.sh
      ./silent_updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/AppServer wasadmin wasadminpwd
Encrypting a password
Generate an encrypted password. To do so, follow these steps:
  1. Open a command line.
  2. Change directory to the IM_INSTALL_DIR/eclipse/tools directory.
  3. Run the following command: imcl.exe encryptString password_to_encrypt
  4. An encrypted password is generated.

Installing the fix pack on a Multi-Master setup


Prerequisites 

If the original primary master server is acting as a standby master server, promote it to primary, and then install the fix pack. Otherwise, the database updates are not applied to the cluster.

To promote a master server to primary, see Promote to primary. 

To install the fix pack
  1. Stop WebSphere Application Server on all the master servers, in any sequence.
    1. Open a command line.
    2. Go to the WAS_HOME\bin directory.
      Windows
      C:\Program Files\IBM\WebSphere\AppServer\bin
      Linux
      /opt/IBM/WebSphere/AppServer/bin
    3. Stop the IBM Security Key Lifecycle Manager server.
      Windows
      stopServer.bat server1 -username wasadmin -password mypwd
      Linux
      ./stopServer.sh server1 -username wasadmin -password mypwd
  2. Stop Agent on all the master servers, in any sequence.
    1. Open a command line.
    2. Go to the GKLM_INSTALL_HOME\agent directory.
      Windows
      C:\Program Files\IBM\SKLMV40\agent
      Linux
      /opt/IBM/SKLMV40/agent
    3. Stop the Agent.
      Windows
      stopAgent.bat WAS_HOME
      For example: stopAgent.bat "C:\Program Files\IBM\WebSphere\AppServer"
      Linux
      ./stopAgent.sh WAS_HOME
      For example: ./stopAgent.sh /opt/IBM/WebSphere/AppServer
  3. Apply the fix pack on each master server and verify the installation.
    Complete this step in the following sequence:
    • Primary master server
    • Principal standby master server
    • Auxiliary standby master servers
    • Non-HADR master servers

      For steps to install the fix pack, see Installing the fix pack.
  4. To verify the installation:
    • Log in to IBM Security Key Lifecycle Manager and check the version number.
    • Ensure that the master server is running and available for use.

Post fix-pack installation activities

  1. For IPP communication over SSL, set the TransportListener.ssl.clientauthentication property to 2. To update the property, you can use the Update Config Property REST Service. For example, you can send the following HTTP request:
    PUT https://localhost:<port>/SKLM/rest/v1/configProperties { "TransportListener.ssl.clientauthentication" : "2"}
  2. Use one of the following methods to verify the installation.
    • Using graphical user interface:
      a. Log in to the graphical user interface.
      b. On the Welcome page header bar, click the Help (?) icon.
      c. Click About.
      The page displays the version details.
    • Using REST interface:
      Run the Version Info REST Service. For more information, see Swagger UI
      IBM Security Key Lifecycle Manager Version : 4.0.0.5
      IBM Security Key Lifecycle Manager Build Level : 202305081442
      Embedded WAS Version : 9.0.5.0
      DB2 Version : 11.1.4.4
      Java Version : JRE 1.8.0_211 IBM J9 VM 2.9
      Operating System Version : AIX:7.2:ppc64
      Agent Version : 1.0
  3. Back up the IBM Security Key Lifecycle Manager server. For more information, see Configuring backup and restore.
  4. Only applicable on Windows: Complete the following steps to fix the intermittent database crash issue.
    1. Go to the C:\Windows\System32\drivers\etc\ directory and open the services file in edit mode.
    2. Remove the duplicate entry for the Db2 service:
          DB2_db2_instance_name db2_port/tcp
          For example: DB2_sklmdb40 60000/tcp
    3. Save the services file and close it.

Uninstalling the fix pack

Important: The following steps uninstall the entire product package, including IBM Security Key Lifecycle Manager, IBM Db2, and WebSphere Application Server, and all your data is lost. Take a backup before uninstalling.

Uninstalling IBM Security Key Lifecycle Manager with the fix pack by using the graphical user interface

 

Uninstalling IBM Security Key Lifecycle Manager with the fix pack silently

 

Copyright and trademark information

http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION

The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.

Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:

  • the Excluded Components are provided on an "AS IS" basis.

  • IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

  • IBM will not be liable to you or indemnify you for any claims related to the Excluded Components.

  • IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.


Document Information

Modified date: 09 June 2023

UID: ibm16987663