Fix Readme
Abstract
Readme file for IBM Security Guardium Key Lifecycle Manager for Distributed and Containerized Platforms, Version 4.1.1 Fix Pack 8 (4.1.1.8) including installation-related instructions, prerequisites and corequisites, and a list of fixes.
The WebSphere Liberty version shipped with this fix pack is 23.0.0.12, and the WebSphere SDK Java Technology Edition version is 8.0.8.15.
Content
Download instructions
Supported platforms
Prerequisites
Known limitations
Installation information
Variable definitions
Installing the fix pack on IBM Security Guardium Key Lifecycle Manager traditional
Uninstalling the fix pack
Installing the fix pack on IBM Security Guardium Key Lifecycle Manager container
Post fix-pack installation
Features included in Guardium Key Lifecycle Manager Traditional Version 4.1.1.8
- Security fixes: The following CVEs have been fixed: CVE-2023-47702, CVE-2023-47703, CVE-2023-47704, CVE-2023-47706, CVE-2023-47705 and CVE-2023-47707
- Internal defect fixes:
  - Multi-master configuration: Improved prerequisite checks for the required kernel parameter value on non-Windows operating systems.
  - Fixes for connection leak and memory leak issues.
  - Fixes for the fallback mechanism for HSM.
  - Fixes for audit log messages in case of replication.
- Upgraded middleware versions:
  - WebSphere Application Server Liberty 23.0.0.12 and WebSphere SDK Java Technology Edition 8.0.8.15
For more information, see IBM Security Guardium Key Lifecycle Manager Version 4.1.1 Fix Packs.
APAR fixes included in Version 4.1.1.8
| APAR No. | Sev. | Abstract |
| | 3 | XIV system failing to connect during test. |
| | 2 | Database in read-only mode. |
| | 3 | SGKLM server hung and Netapp volumes went down. |
| | 3 | Backup and restore issue in GKLM 4.1.1.4 container when KMT_DEVAUDIT has more than 1 lakh records. |
| | 3 | Unable to authenticate with LDAP user. |
APAR fixes included in Version 4.1.1.7
| APAR No. | Sev. | Abstract |
| | 3 | Unable to import CA signed certification when CSR has whitespace in name. |
| | 2 | Must use domain user as GKLM admin user while installing GKLM as domain user. |
| | 3 | Device serial number appears as garbled characters in case of IPP in GKLM debug log. |
| | 3 | Unable to add LDAP user having comma in their CN. |
| | 3 | Unable to create CSR in GKLM 4.1.1 due to comma in organization name. |
| | 2 | Higher number of keys cause Db2 query slowdown. |
| | 3 | NAME attribute is not set when KMIP create request is sent without key name. |
APAR fixes included in Version 4.1.1.6
None
For more information, see IBM Security Guardium Key Lifecycle Manager Version 4.1.1.6 readme.
APAR fixes included in Version 4.1.1.5
| APAR No. | Sev. | Abstract |
| | 3 | AFTER APPLYING FIX PACK 3, INSTALLATION MANAGER STILL HAS LOG4J FILES AT VULNERABLE LEVEL |
| | 2 | OLD KEYS HAVE MIXED CASES FOR ALIAS AND NAME CAUSING SEARCHES BY |
| | 2 | AFTER UPGRADING FROM 4104 TO 4114 A9000 SYSTEMS NO LONGER RECEIVE KEYS |
For more information, see IBM Security Guardium Key Lifecycle Manager Version 4.1.1.5 readme.
APAR fixes included in Version 4.1.1.4
| APAR No. | Sev. | Abstract |
| | 3 | Failure attempting to list more than 2000 keys in an LTO group. |
| | 3 | Enable partial label search for certificate alias for 3592 device group. |
| | 2 | Changes in GKLM 4.1.1.2 cause KMIP exchanges to fail that previously worked. |
| | 2 | GKLM 4.1.1 restore fails when using enableHighScaleBackup parameter in SKLMConfig.properties file. |
| | 3 | GKLM GUI loading issue on Internet Explorer after applying the GKLM 4.1.1.3 fix pack. |
| | 3 | Restore of a backup fails with the error CTGKM0904W stating that a backup task is already in progress due to a Db2 field that has locked the backup. |
For more information, see IBM Security Guardium Key Lifecycle Manager Version 4.1.1.4 readme.
APAR fixes included in Version 4.1.1.3
None
For more information, see IBM Security Guardium Key Lifecycle Manager Version 4.1.1.3 readme.
APAR fixes included in Version 4.1.1.2
None
For more information, see IBM Security Guardium Key Lifecycle Manager Version 4.1.1.2 readme.
APAR fixes included in Version 4.1.1.1
None
For more information, see IBM Security Guardium Key Lifecycle Manager Version 4.1.1.1 readme.
Download instructions
- Go to IBM Fix Central home page: http://www.ibm.com/support/fixcentral/
- In the Product selector field, type IBM Security Key Lifecycle Manager, and select the product name when it appears.
- From the Installed Version list, select 4.1.1.
- From the Platform list, select the appropriate platform, and click Continue.
- On the Identify Fixes page, ensure that the Browse for Fixes is selected, and click Continue.
- On the Select Fixes page, select fix pack 4.1.1-ISS-GKLM-FP0008, and click Continue.
  You might be prompted to Sign In. If you do not have an ID, click the Register now link and follow the registration steps.
- On the Download options page, select a download method (default is Download using Download Director).
- Select the associated files and README for fix pack: 4.1.1-ISS-GKLM-FP0008 and click Download now.
Supported platforms
See IBM Security Guardium Key Lifecycle Manager Support Matrix.
Fix pack files per platform for IBM Security Guardium Key Lifecycle Manager Traditional
| Product/Component name | Platform | File name | Command | Checksum |
| IBM Security Guardium Key Lifecycle Manager version 4.1.1 Fix Pack - 4.1.1-ISS-GKLM-FP0008 | AIX | 4.1.1-ISS-GKLM-FP0008-AIX.tar.gz | md5sum FileName.tar.gz. For example (UNIX/Linux): md5sum 4.1.1-ISS-GKLM-FP0008-AIX.tar.gz | 29a7481681c1c5cb2fb1e76ee8350288 |
| IBM Security Guardium Key Lifecycle Manager version 4.1.1 Fix Pack - 4.1.1-ISS-GKLM-FP0008 | Linux | 4.1.1-ISS-GKLM-FP0008-Linux.tar.gz | md5sum FileName.tar.gz | f3d18ab02178f20097c6d34972de6666 |
| IBM Security Guardium Key Lifecycle Manager version 4.1.1 Fix Pack - 4.1.1-ISS-GKLM-FP0008 | zLinux (IBM Z) | 4.1.1-ISS-GKLM-FP0008-zLinux.tar.gz | md5sum FileName.tar.gz | 81d5d813f1482d103afd7b7efc1e31db |
| IBM Security Guardium Key Lifecycle Manager version 4.1.1 Fix Pack - 4.1.1-ISS-GKLM-FP0008 | Linux PPC | 4.1.1-ISS-GKLM-FP0008-LinuxPPC.tar.gz | md5sum FileName.tar.gz | 5187c4cc9c53ac7e6de239b1d47c1df2 |
| IBM Security Guardium Key Lifecycle Manager version 4.1.1 Fix Pack - 4.1.1-ISS-GKLM-FP0008 | Windows | 4.1.1-ISS-GKLM-FP0008-Windows.zip | certutil -hashfile FileName.zip md5. For example (Windows): certutil -hashfile 4.1.1-ISS-GKLM-FP0008-Windows.zip md5 | 84cae70d99240436a562928a18177080 |
Fix pack files for IBM Security Guardium Key Lifecycle Manager container
| Product/Component name | Platform | File name | Command | Checksum |
| IBM Security Guardium Key Lifecycle Manager version 4.1.1 Fix Pack - 4.1.1-ISS-GKLM-FP0008 | Linux PPC | sklm4118-ppc64le.tar | md5sum FileName.tar.gz. For example (UNIX/Linux): md5sum sklm4118-ppc64le.tar | 407044be1acb0170c000a935e51f39db |
| IBM Security Guardium Key Lifecycle Manager version 4.1.1 Fix Pack - 4.1.1-ISS-GKLM-FP0008 | zLinux (IBM Z) | sklm4118-s390x.tar | md5sum FileName.tar.gz | 6267b66b2327285efae1f01f9e738f84 |
| IBM Security Guardium Key Lifecycle Manager version 4.1.1 Fix Pack - 4.1.1-ISS-GKLM-FP0008 | x86_64 | sklm4118-x86_64.tar | md5sum FileName.tar.gz | 7dbd6fdbb579475804af8130bc8de6ac |
Prerequisites for IBM Security Guardium Key Lifecycle Manager Traditional
- Ensure that IBM Security Guardium Key Lifecycle Manager, Version 4.1.1 GA (4.1.1), fix pack 1 (4.1.1.1), fix pack 2 (4.1.1.2), fix pack 3 (4.1.1.3), fix pack 4 (4.1.1.4), fix pack 5 (4.1.1.5), fix pack 6 (4.1.1.6) or fix pack 7 (4.1.1.7) is already installed.
- Ensure that IBM Security Guardium Key Lifecycle Manager is not in use.
- Back up the IBM Security Guardium Key Lifecycle Manager server. For instructions, see Configuring backup and restore.
- Ensure that the /tmp directory has all the permissions and does not have noexec set.
- On Linux for System z server, ensure that gtk 2 libraries are installed. Also, add the following properties to the IM_INSTALL_DIR/eclipse/IBMIM.ini file, just before "--launcher.appendVmargs":
  --launcher.GTK_version
  2
- On AIX, complete the following steps before you install the fix pack:
  - Log in as a Db2 user and launch a terminal window.
  - Run the following commands:
    su - <db2 user>
    db2 connect to <db name> user <root> using <root password>
    db2 grant secadm on database to user <db2 user>
- On Windows, if you are installing the fix pack as a non-system admin user (for example, domain user), complete the following steps before you install the fix pack:
  - Log in as a Db2 user and launch the Db2 command prompt.
  - Run the following commands:
    db2 connect to <db name> user <administrator> using <administrator password>
    db2 grant secadm on database to user <db2 user>
- Ensure that umask is set to 0022.
- Back up the WebSphere Liberty files. For instructions, see the following table:
| S.No. | Instruction | Windows Commands | UNIX/Linux Commands |
| 1. | Windows - Open command line. Linux / AIX - Open a ksh or bash shell. | Click Start > Run, type cmd, and click OK. | If your default shell is not ksh or bash, run "exec ksh" or "exec bash". |
| 2. | Stop WebSphere Liberty. | WAS_HOME\bin\server.bat stop | WAS_HOME/bin/server.sh stop |
| 3. | Make a temporary directory. | mkdir WAS_BACKUP_DIRECTORY | mkdir WAS_BACKUP_DIRECTORY |
| 4. | Change directory to the temporary directory. | cd C:\wasbackup | cd /tmp/wasbackup |
| 5. | Copy or archive the files from the directory where WebSphere Liberty is installed. | xcopy /y /e /d WAS_HOME C:\wasbackup | tar -cvf wasbackup.tar WAS_HOME/* |
| 6. | Start WebSphere Liberty. | WAS_HOME\bin\server.bat start | WAS_HOME/bin/server.sh start |
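An added example, not part of the IBM readme: a Linux pre-flight check for two of the prerequisites above, that /tmp is not mounted noexec and that umask is 0022. The function names are hypothetical, and it assumes the mount table is available in /proc/mounts format.

```shell
#!/bin/sh
# Added example (Linux only): pre-flight checks for two prerequisites listed
# above: "/tmp ... does not have noexec set" and "umask is set to 0022".
# Function names are hypothetical; input is a mount table in /proc/mounts format.

# Print the mount options that apply to PATH: the options of the longest mount
# point that contains it. If /tmp is not its own mount, the options of "/" apply.
mount_opts_for() {
    awk -v p="$1" '
        $2 == "/" || $2 == p || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }'
}

# True when the comma-separated option list contains noexec as a whole word.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# preflight MOUNTS_FILE UMASK -> 0 when both prerequisites hold, 1 otherwise.
preflight() {
    failed=0
    opts=$(mount_opts_for /tmp < "$1")
    if has_noexec "$opts"; then
        echo "FAIL: /tmp is mounted noexec ($opts)"
        failed=1
    fi
    case "$2" in
        0022|022) ;;
        *) echo "FAIL: umask is $2, expected 0022"
           failed=1 ;;
    esac
    [ "$failed" -eq 0 ] && echo "OK: /tmp allows exec and umask is 0022"
    return "$failed"
}

# Check the live system when run on a Linux host, as the installing user.
if [ -r /proc/mounts ]; then
    preflight /proc/mounts "$(umask)" || true
fi
```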
Known limitations
- Rollback of installed fix pack is not supported.
- The Use this certificate for UI access checkbox gets unchecked after you save it. There is no functional impact. The certificate is added to the WebSphere Liberty truststore.
- Only applicable for Linux for System z platform: After you apply the fix pack, the graphical user interface of Guardium Key Lifecycle Manager does not start.
  Workaround:
  - Stop WebSphere Liberty.
  - Stop Db2.
  - Start Db2.
  - Start WebSphere Liberty.
  The graphical user interface will be accessible.
- The fix pack cannot be applied if GKLM is enabled with TLSv1.3.
  Workaround: Enable TLSv1.2 and then apply the fix pack.
- (Applicable for Windows) In an LDAP or OIDC configured setup, GKLM UI becomes inaccessible after you disable file-based authentication and restart the server. The following error is displayed after the server restart:
  An error occurred while processing request.
  Workaround:
  - Locate the server.xml file and open it for editing. You can find server.xml at the following location:
    WAS_HOME\usr\servers\defaultServer\
    For example, C:\Program Files\IBM\WebSphere\Liberty\usr\servers\defaultServer\
  - Add the following element in the server.xml file after </featureManager>:
    <authentication id="Basic" cacheEnabled="false" />
  - Restart the server. For instructions, see Restarting the IBM Security Key Lifecycle Manager server.
- (Applicable for Ubuntu) The installation of GKLM might fail with an invalid Db2 password error in both GUI and silent fix pack installation modes.
  Workaround:
  - Log in as the root user and open a terminal window.
  - Run the following command:
    ln -s {db2_inst_home}/gklm411properties/ $HOME/gklm411properties
    For example, ln -s /home/klmdb411/gklm411properties/ $HOME/gklm411properties
  - Install GKLM 4.1.1.8. For instructions, see Installing the fix pack on IBM Security Guardium Key Lifecycle Manager traditional.
Installing the fix pack on IBM Security Guardium Key Lifecycle Manager traditional
Installing a fix pack involves the following steps:
1. Complete the prerequisites.
2. Prepare to install the fix pack.
3. Install the fix pack.
4. Complete the post fix-pack installation tasks.
Prepare to install the fix pack
- Open the command line.
- Create a temporary directory to extract the fix pack installer files.
  Windows
  mkdir C:\sklminstall_windowsfp
  UNIX/Linux
  mkdir /sklminstall_linuxfp
- Change directory to this temporary directory.
  Windows
  cd C:\sklminstall_windowsfp
  UNIX/Linux
  cd /sklminstall_linuxfp
- Download the fix pack installer files into the directory. See Download Instructions.
- Extract the downloaded files.
  For example:
  Windows: 4.1.1-ISS-GKLM-FP0008-Windows.zip [Right-click and extract all]
  UNIX/Linux: tar -xvf 4.1.1-ISS-GKLM-FP0008-Linux.tar.gz
  Note: Use the platform-specific file.
Installing the fix pack by using the graphical user interface
S. No. |
Instruction |
Steps |
1. |
Start Installation Manager in GUI mode. |
Windows
For example:
UNIX/Linux
chmod +x ./updateSKLM.sh
./updateSKLM.sh IM_INSTALL_LOCATION WAS_INSTALL_LOCATION
For example: |
2. |
Select WebSphere Liberty package group and IBM Security Guardium Key Lifecycle Manager, Version 4.1.1 software package group. |
1. Select the Update all packages (mandatory) with recommended updates and recommended fixes checkbox to select the IBM Security Guardium Key Lifecycle Manager, Version 4.1.1 software package group and WebSphere Liberty package group. 2. Click Next. |
3. |
Accept license agreement. |
1. Read the license agreement carefully. If you agree, accept the license agreement. 2. Click Next. |
4. |
Configuration for IBM WebSphere Liberty |
1. Enter the update option for WebSphere Liberty. Do not select the checkbox to connect to the online IBM WebSphere Liberty Repository. 2. Click Next. |
5. |
Provide credentials for SKLM admin user |
|
6. |
Complete the final step. |
In the Update Packages > Summary pane, review the software packages that you want to install, and click Update. |
Installing the fix pack silently
S. No. |
Instruction |
Steps |
1. |
Start the Installation Manager utility to encrypt the passwords for users as required. |
Windows Run the following command to generate an encrypted password: UNIX/LINUX Run the following command to generate an encrypted password: |
2. |
Back up the response file. |
Rename the original response file to create a backup of the file: |
3. |
Edit the response file. |
Windows Edit the response file SKLM_Silent_Update_platform_Resp.xml.
UNIX/Linux Edit the response file: SKLM_Silent_Update_platform_Resp.xml
|
4. |
Install the fix pack. |
Windows
silent_updateSKLM.bat IM_INSTALL_LOCATION WAS_INSTALL_LOCATION
For example: silent_updateSKLM.bat "C:\Program Files\IBM\Installation Manager" "C:\Program Files\IBM\WebSphere\Liberty"
UNIX/Linux
chmod +x ./silent_updateSKLM.sh
./silent_updateSKLM.sh IM_INSTALL_LOCATION WAS_INSTALL_LOCATION
For example: ./silent_updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/Liberty |
Installing the fix pack when a Multi-Master environment is set up
Prerequisites
To install the fix pack
- Stop WebSphere Liberty on all the master servers, in any sequence.
  - Open a command line.
  - Go to the WAS_HOME\bin directory.
    Windows
    C:\Program Files\IBM\WebSphere\Liberty\bin
    Linux
    /opt/IBM/WebSphere/Liberty/bin
  - Stop the IBM Security Guardium Key Lifecycle Manager server.
    Windows
    server.bat stop
    Linux
    ./server.sh stop
- Stop Agent on all the master servers, in any sequence.
  - Open a command line.
  - Go to the GKLM_INSTALL_HOME\agent directory.
    Windows
    C:\Program Files\IBM\GKLMV411\agent
    Linux
    /opt/IBM/GKLMV411/agent
  - Stop the Agent.
    Windows
    stopAgent.bat WAS_HOME
    For example: stopAgent.bat "C:\Program Files\IBM\WebSphere\Liberty"
    Linux
    ./stopAgent.sh WAS_HOME
    For example: ./stopAgent.sh /opt/IBM/WebSphere/Liberty
- Apply fix pack on each master server and verify the installation.
  Complete this step in the following sequence:
  - Primary master server
  - Principal standby master server
  - Auxiliary standby master servers
  - Non-HADR master servers
  For steps to install the fix pack, see Installing the fix pack.
  To verify the installation:
  - Log in to IBM Security Guardium Key Lifecycle Manager and check the version number.
  - Ensure that the master server is running and available for use.
- Run the following scripts.
  - On Windows:
    - Log in as the administrator user and open the Db2 command prompt.
    - Run the following commands:
      cd C:\Program Files\IBM\DB2GKLMV411\BIN
      db2 connect to klmdb411 user <Db2_USER> using <Db2_PASSWORD>
      db2 -td# -vf C:\gklm411properties\scripts\gklmsql-fp.db2
  - On Linux:
    - Log in as the Db2 user and open a terminal.
    - Run the following commands:
      su - klmdb411
      db2 connect to klmdb411 user <Db2_user> using <Db2_password>
      /opt/IBM/DB2GKLMV411/bin/db2 -td# -vf /home/klmdb411/gklm411properties/scripts/gklmsql-fp.db2
- Use one of the following methods to verify the installation.
  - Using graphical user interface:
    a. Log in to the graphical user interface.
    b. On the Welcome page header bar, click the Help (?) icon.
    c. Click About.
    The page displays the version details.
  - Using REST interface:
    Run the Version Info REST Service. For more information, see Swagger UI.
    For IBM Security Guardium Key Lifecycle Manager Traditional:
    IBM Security Guardium Key Lifecycle Manager Version: 4.1.1.8
    IBM Security Guardium Key Lifecycle Manager Build Level: 202401121021
    Liberty WAS Version: 23.0.0.12
    Database Version: DB2/LINUXZ64 SQL110560
    Java Version: JRE 1.8.0_391 IBM J9 VM 2.9
    Operating System Version: Linux:5.14.21-150500.55.39-default:s390xAIX:7.2:ppc64
    Agent Version: 2.0
    For IBM Security Guardium Key Lifecycle Manager Container:
    IBM Security Guardium Key Lifecycle Manager Version: 4.1.1.8
    IBM Security Guardium Key Lifecycle Manager Build Level: 202401112356
    Liberty WAS Version: 23.0.0.12
    Database Version: PostgreSQL 16.1 (Debian 16.1-1.pgdg120+1)
    Java Version: JRE 1.8.0_391 IBM J9 VM 2.9
    Operating System Version: Linux:3.10.0-1160.105.1.el7.x86_64:amd64
    Image Tag: 4.1.1.8
- Back up the IBM Security Guardium Key Lifecycle Manager server. For more information, see Configuring backup and restore.
Important: The following steps uninstall the entire product package, including IBM Security Guardium Key Lifecycle Manager, IBM Db2, and WebSphere Liberty, and all your data is lost. Take a backup before uninstalling.
Uninstalling IBM Security Guardium Key Lifecycle Manager with the fix pack by using the graphical user interface
Uninstalling IBM Security Guardium Key Lifecycle Manager with the fix pack silently
During installation, you can provide passwords as environment variables in encrypted form. Generate the encrypted string by using the following command:
echo "Ch@ngemypa55word" | openssl rsautl -encrypt -inkey sklm_public -pubin | base64 -w 0
Where sklm_public is the public key that is available at the build location (IBM Fix Central).
Copy the output of this command and use it as the environment variable value for the container installation.
Depending on your platform, see the relevant section:
Installing on a Kubernetes cluster
Install IBM Security Guardium Key Lifecycle Manager container V4.1.1.8 (target).
In the Helm charts, ensure that you configure the same database and volume details that were referenced by the earlier container (source).
For more information, see Install on a Kubernetes cluster.
Installing on a Red Hat OpenShift Container Platform cluster
Install IBM Security Guardium Key Lifecycle Manager container V4.1.1.8 (target).
In the Helm charts, ensure that you configure the same database and volume details that were referenced by the earlier container (source).
For more information, see Install on a Red Hat OpenShift Container Platform cluster.
http://www.ibm.com/legal/copytrade.shtml
Notices
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION
The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.
Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:
-
the Excluded Components are provided on an "AS IS" basis.
-
IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-
IBM will not be liable to you or indemnify you for any claims related to the Excluded Components.
-
IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.
End of Document
Document Information
Modified date:
22 January 2024
UID
ibm17107267