IBM Support

Readme for IBM Business Automation Insights 24.0.0 IF004

Fix Readme


Abstract

This readme is for IBM Business Automation Insights 24.0.0 IF004 released to resolve security vulnerabilities, as well as other defects. It includes information about the download, installation, and other information about interim fixes for the V.R.M release.

Content

Readme file for IBM Business Automation Insights
Product release 24.0.0
Publication date 30 July 2025

Contents

Prerequisites and superseding fixes

  • Each interim fix typically supersedes all other previous interim fixes shipped for 24.0.0
  • Business Automation Insights includes container images that include operating system level and other open source libraries. Vulnerabilities (CVEs) for these libraries are published regularly. These interim fixes include fixes for these libraries.

Components impacted

  • Business Automation Insights

Before installation

  1. Ensure you take regular backups of any databases associated with the environment.
  2. Ensure your operators are in a healthy state, before upgrading.
    If one or more operators are failing, then it can prevent the system from completing an upgrade.
    It is recommended to check a few of the important CR statuses to ensure there are not failures and the statuses appear ready for the various installed components. Check the status of the following CRs when they exist:
  3. oc get insightsengine -o yaml
  4. Remove any image settings in CRs
    If you used any individual image tag settings in your CRs, it could prevent the operator from updating the images to the appropriate version. Ensure you remove any of these settings when you upgrade. This doesn't apply to starter installation as it requires a new install.

Installing 24.0.0 IF004

 
This interim fix contains the following version of Business Automation Insights and Cloud Pak Foundational Services (CPFS):
  • Business Automation Insights 24.0.0 IF004
  • Cloud Pak Foundational Services 4.6.16
Note:  This interim fix only supports the Cloud Pak Foundational Services listed above. It is important that you deploy or upgrade Business Automation Insights using the catalog sources in this readme document (the same catalog sources are also in the referenced CASE package).  If you have other Cloud Paks installed on the same OCP cluster, be sure to check the compatibility of the Cloud Pak Foundational Services versions, listed above, with other Cloud Paks' specifications.
 
Important interim fix details:
  • CASE Package: ibm-ba-insights-24.0.4.tgz
  • CASE Package mirror file (IBM-Pak steps): bai-case-to-be-mirrored-24.0.4.txt
  • Cloud Pak Foundational Services channel: v4.6.16
Business Automation Insights 24.0.0 IF004 is released to the v24.0 operator channel. Once the operators are upgraded, it triggers rolling updates for all the pods it manages to ensure they are updated to the appropriate version to match the operator.
Step 1: Download the installation and upgrade scripts.
  • Download the 24.0.0 IF004 branch by using the following git clone command.
git clone -b 24.0.0-IF004 https://github.com/icp4a/cert-kubernetes-bai.git
 
Step 2:  Perform the installation or update the existing deployment
 
Depending on the current setup and state of your existing environment, there are various upgrade actions that need to be taken. The following scenarios cover what actions might be needed for a particular setup.
  
  • Scenario 1: You are installing a Production deployment
    Actions: 
    You can use this interim fix content to perform a Production deployment.  To deploy a Production deployment using the content of this interim fix, please see Installing a Business Automation Insights production environment  and use the CASE package from this interim fix.
    Note: If you have an existing Cloud Pak Foundation Services instance installed in the cluster or in the namespace where BAI is being installed, then it is not supported.  The Production deployment of BAI is only supported when deploying into a new namespace without CPFS.
  • Scenario 2:  Your installed Production deployment is 24.0.0 GA and is online.
    Warning:
    For a Business Automation Insights deployment, it is recommended to create BAI savepoints before starting the upgrade process to this interim fix. For Flink event processing to resume from its previous state, savepoints are required to be created before the upgrade and specified in the updated CR. BAI savepoints can be created by following the below steps.
    • Retrieve the name of the InsightsEngines custom resource file 
      INSIGHTS_ENGINE_CR=$(kubectl get insightsengines.bai.ibm.com --no-headers --ignore-not-found -n <BAI-Namespace> -o name)
    • Retrieve and export the below details.
      export MANAGEMENT_URL=$(kubectl get ${INSIGHTS_ENGINE_CR} --no-headers --ignore-not-found -n <BAI Namespace> -o jsonpath='{.status.components.management.endpoints[?(@.scope=="External")].uri}')
export MANAGEMENT_AUTH_SECRET=$(kubectl get ${INSIGHTS_ENGINE_CR} --no-headers --ignore-not-found -n <BAI Namespace> -o jsonpath='{.status.components.management.endpoints[?(@.scope=="External")].authentication.secret.secretName}')
export MANAGEMENT_USERNAME=$(kubectl get secret ${MANAGEMENT_AUTH_SECRET} --no-headers --ignore-not-found -n <BAI Namespace> -o jsonpath='{.data.username}' | base64 -d)
export MANAGEMENT_PASSWORD=$(kubectl get secret ${MANAGEMENT_AUTH_SECRET} --no-headers --ignore-not-found -n <BAI Namespace> -o jsonpath='{.data.password}' | base64 -d)
    • Create BAI savepoints and store them in a temporary file called bai.json. 
      curl -X POST -k -u ${MANAGEMENT_USERNAME}:${MANAGEMENT_PASSWORD} "${MANAGEMENT_URL}/api/v1/processing/jobs/savepoints" -o ./bai.json
    • Scale down the Insights Engine Operator. 
      oc scale --replicas=0 deployment ibm-bai-insights-engine-operator
    • Retrieve the recovery path locations for each BAI component for which BAI savepoints are created from ./bai.json and update the bai_configuration section of the custom resource file. For Example: If there is a BAI savepoint being created for navigator component, then the updated custom resource file should have the below configuration. 
      bai_configuration:
      navigator:
        recovery_path: /mnt/pv/savepoints/dba/bai-navigator/savepoint-fb88f4-42027046b73b
      ... 
      # Add recovery_path for all other components
    • Once the upgrade has been completed, make sure to remove all instances of the recovery_path parameters from the updated custom resource file.
    Actions: 
    Perform the following steps and then the upgrade of operators and deployments will start.
    1. Upgrade the IBM Business Automation Insights operators using one of two methods. 
      • Option 1: Running the operator upgrade script from the case package. 
        ./scripts/bai-deployment.sh -m upgradeOperator -n <project_name>
      • Option 2: Manually deploy the catalog source and update the CPFS channels using the CPFS upgrade script.
        1. Apply the new catalog sources. 
          oc apply -f ./descriptors/op-olm/catalog_source.yaml
        2. Update the cert manager and license service channels to the appropriate level with this script: 
          ./scripts/cpfs/installer_scripts/cp3pt0-deployment/setup_singleton.sh --enable-licensing --cert-manager-source ibm-cert-manager-catalog --licensing-source ibm-licensing-catalog --license-accept -v 1 -c v4.2
        3. Update the channels to the appropriate levels for the rest of the CPFS subscriptions. 
          ./scripts/cpfs/installer_scripts/cp3pt0-deployment/setup_tenant.sh --operator-namespace <BAI Namespace> -s ibm-cs-install-catalog-v4-6-9 -c v4.6 --license-accept -v 1
          Note: Be sure to replace the namespace with the appropriate BAI namespace.
    2. Wait for the operators to complete their upgrades.
      By default all subscriptions are set to automatic, but if you have any subscriptions set to manual then you need to approve any pending InstallPlans.
      Use the below command to see the current status of the install plans. 
      oc get installPlan
      The upgrade will be blocked, if any of the needed InstallPlans are not approved. It is not recommended to set subscriptions to manual as this makes the upgrade more error prone.
    3. Check the status of the upgrades by running the following scripts:
      1. Run the script in [upgradeOperatorStatus] mode to check that the upgrade of the BAI operator and its dependencies is successful. 
        ./scripts/bai-deployment.sh -m upgradeOperatorStatus -n <project_name>
        Warning: The script will scale the BAI deployments down to zero. You must execute the upgradeDeploymentStatus command to scale them back up.
      2. Run the script in [upgradeDeploymentStatus] mode to check that the upgrade of the BAI deployment is successful. 
        ./scripts/bai-deployment.sh -m upgradeDeploymentStatus -n <project_name>
  • Scenario 3: You are installing offline/airgap Production deployment
    Warning: If you have an existing Cloud Pak Foundation Services instance installed at the cluster scoped level or in the namespace where BAI is being installed, then it is not supported. The Production deployment of BAI is only supported when deploying into a new namespace without CPFs.
    Note: As prerequisites for this scenario, you must follow steps here to set up the bastion host to mirror images to the registry and further to set up the private registry. The mirroring of images can be completed using "oc mirror" for the mirroring images process. 
    Actions:
    1. To deploy an airgap/offline Production deployment, find mirror file bai-case-to-be-mirrored-24.0.0-IF004.txt for this interim fix from the branch that you cloned above under the scripts/airgap directory. Execute this command from your bastion host to download the CASE files.
      Execute this command from your bastion host to download the CASE files. 
      oc ibm-pak get -c file://(absolute path to file)/bai-case-to-be-mirrored-24.0.0-IF004.txt
      The absolute path to file needs to be a path starting from "/". For example, "/opt".
    2. Mirror the images associated with the new bai-case-to-be-mirrored-24.0.0-IF004.txt mirror file.  
      export CASE_NAME=ibm-ba-insights
export CASE_VERSION=24.0.4
export CASE_INVENTORY_SETUP=baiOperatorSetup
export TARGET_REGISTRY=<target-registry>
export NAMESPACE=<bai_namespace_name>
      Follow the instructions for either mirroring option in Mirroring images to the private registry using the new CASE version associated with this interim fix.
    3. Login to the cluster and go to namespace for the operator from the bastion host. 
      oc login https://<CLUSTERIP>:<port> -u <ADMINISTRATOR>
oc project ${NAMESPACE}
    4. From your bastion host, install the catalog sources and operators using the steps listed in Installing the Business Automation Insights catalog and operator instances in an off-line cluster.
  • Scenario 4:  Your installed Production deployment is 24.0.0 GA and using airgap/offline.
    Note: As prerequisites for this scenario, you must follow steps here to set up the bastion host to mirror images to the registry and further to set up the private registry
    Warning:
    For a Business Automation Insights deployment, it is recommended to create BAI savepoints before starting the upgrade process to this interim fix. For Flink event processing to resume from its previous state, savepoints are required to be created before the upgrade and specified in the updated CR. BAI savepoints can be created by following the below steps.
    • Retrieve the name of the InsightsEngines custom resource file 
      INSIGHTS_ENGINE_CR=$(kubectl get insightsengines.bai.ibm.com --no-headers --ignore-not-found -n <BAI-Namespace> -o name)
    • Retrieve and export the below details.
      export MANAGEMENT_URL=$(kubectl get ${INSIGHTS_ENGINE_CR} --no-headers --ignore-not-found -n <BAI Namespace> -o jsonpath='{.status.components.management.endpoints[?(@.scope=="External")].uri}')
export MANAGEMENT_AUTH_SECRET=$(kubectl get ${INSIGHTS_ENGINE_CR} --no-headers --ignore-not-found -n <BAI Namespace> -o jsonpath='{.status.components.management.endpoints[?(@.scope=="External")].authentication.secret.secretName}')
export MANAGEMENT_USERNAME=$(kubectl get secret ${MANAGEMENT_AUTH_SECRET} --no-headers --ignore-not-found -n <BAI Namespace> -o jsonpath='{.data.username}' | base64 -d)
export MANAGEMENT_PASSWORD=$(kubectl get secret ${MANAGEMENT_AUTH_SECRET} --no-headers --ignore-not-found -n <BAI Namespace> -o jsonpath='{.data.password}' | base64 -d)
    • Create BAI savepoints and store them in a temporary file called bai.json. 
      curl -X POST -k -u ${MANAGEMENT_USERNAME}:${MANAGEMENT_PASSWORD} "${MANAGEMENT_URL}/api/v1/processing/jobs/savepoints" -o ./bai.json
    • Scale down the Insights Engine Operator. 
      oc scale --replicas=0 deployment ibm-bai-insights-engine-operator
    • Retrieve the recovery path locations for each BAI component for which BAI savepoints are created from ./bai.json and update the bai_configuration section of the custom resource file. For Example: If there is a BAI savepoint being created for navigator component, then the updated custom resource file should have the below configuration.
    • bai_configuration:
      navigator:
        recovery_path: /mnt/pv/savepoints/dba/bai-navigator/savepoint-fb88f4-42027046b73b
      ... 
      # Add recovery_path for all other components
    • Once the upgrade has been completed, make sure to remove all instances of the recovery_path parameters from the updated custom resource file.
    Actions: 
    Perform the following steps and then the upgrade of operators and deployments will start. 
    1. Find mirror file  bai-case-to-be-mirrored-24.0.0-IF004.txt for this interim fix from the branch that you cloned above under the scripts/airgap directory. Execute this command from your bastion host to download the CASE files: 
      oc ibm-pak get -c file://(absolute path to file)/bai-case-to-be-mirrored-24.0.0-IF004.yaml
      The (absolute path to file) needs to be a path starting from "/". For example, "/opt"
    2. Mirror the images associated with the new bai-case-to-be-mirrored-24.0.0-IF004.txt mirror file.  
      export CASE_NAME=ibm-ba-insights
export CASE_VERSION=24.0.4
export CASE_INVENTORY_SETUP=baiOperatorSetup
export TARGET_REGISTRY=<target-registry>
export NAMESPACE=<bai_namespace_name>
      Follow the instructions for either mirroring option in Mirroring images to the private registry using the new CASE version associated with this interim fix.
    3. From the branch that you cloned above navigate to the scripts directory and perform the following steps to upgrade the BAI operators.
      Warning: 
      The script with the upgradeOperator option will scale the BAI Operators down to zero. You must execute the script with the upgradeDeploymentStatus mode to scale them back up. 
      Actions:
      Run the bai-deployment.sh script with the upgradeOperator option to upgrade the IBM Cloud Pak foundational services/BAI operators:
      ./scripts/bai-deployment.sh -m upgradeOperator -n <BAI Namespace>
    4. Wait for the operators to complete their upgrades.
      By default all subscriptions are set to automatic, but if you have any subscriptions set to manual then you need to approve any pending InstallPlans.
      Use the below command to see the current status of the install plans.
      oc get installPlan
      The upgrade will be blocked, if any of the needed InstallPlans are not approved. It is not recommended to set subscriptions to manual as this makes the upgrade more error prone.
    5. You can use the following scripts to check the status of the upgrades.
      • Warning:
        The script will scale the BAI deployments down to zero. You must execute the bai-deployment.sh script with upgradeDeploymentStatus option to scale them back up.
      • Actions:
        [OPTIONAL] Run the bai-deployment.sh script with upgradeOperatorStatus option to check that the upgrade of the BAI operator and its dependencies is successful:
      ./scripts/bai-deployment.sh -m upgradeOperatorStatus -n <BAI Namespace>
      Note: Make sure you replace the namespace with the appropriate BAI namespace.
    6. Start up the upgraded BAI Operators.
      Run the bai-deployment.sh script with upgradeDeploymentStatus option to check that the upgrade of the BAI deployment is successful: 
      ./scripts/bai-deployment.sh -m upgradeDeploymentStatus -n <BAI Namespace>

Performing the necessary tasks after installation

Known Issue with upgrade on some Openshift clusters:

  • When upgrading from 24.0.0 to 24.0.0 IF004 the Flink job pods failed with 502 Bad Gateway error.
    • Cause: This issue reported on some Openshift clusters with "no cipher suites in common" had problems with missing cipher suites, hence Flink was denying a handshake with it.
    • Workaround: 
      • Update the FlinkDeployment CR on the cluster by adding the "security.ssl.algorithms" under the  flinkConfiguration section with below.
security.ssl.algorithms: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
For example:
1. ie_cr=$(oc get FlinkDeployment --no-headers | awk {'print $1'})
2. kubectl patch flinkdeployment $ie_cr -n <namespace> --type='json' -p='[{"op": "add", "path": "/spec/flinkConfiguration/security.ssl.algorithms", "value": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}]'

Uninstalling

For example, ordered or un-ordered list. If there are no steps that can be taken, then state "There is no procedure to uninstall the interim fix."

List of fixes

The following lists of resolved Known Issues are specific to Business Automation Insights. Fixes that have been identified as correcting security vulnerabilities are indicated with an X mark.
24.0.0 IF004
Known Issue Security Behavior change Title
N/A

Back to top

Document change history

30 July 2025: Added  24.0.0 IF004

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSHDI1U","label":"IBM Business Automation Insights"},"ARM Category":[{"code":"a8m50000000L1SIAA0","label":"Business Console-\u003ESecurity"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
31 July 2025

UID

ibm17239159

Page Feedback