IBM Support

IBM Security Verify Access (ISVA) Upgrade Information

News


Abstract

This document is being provided as an active compilation of known issues or concerns with an upgrade to the latest release that are encountered in the field.

Content


10.0.8
Due to a change in package signature and verification, upgrades from versions before 10.0.4.0 first require the installation of isva-signing.fixpack to enable uploading the new firmware package file. The isva-signing.fixpack is available from Fix Central within 10.0.5-ISS-ISVA-FP0000. The isva-signing.fixpack allows appliances at versions before 10.0.4.0 to validate and install new upgrade packages for version 10.0.5.0 and newer. If you are upgrading from a version before 10.0.4.0, you do not need to upgrade to the 10.0.6 firmware level as an intermediate step, but you do need to apply the isva-signing.fixpack. If you upgrade from version 10.0.4.0 or newer, do not install isva-signing.fixpack.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params.
 
For 10.0.6.0+ use /updates/available in the LMI to check for new updates. The "Download Firmware Update" button navigates directly to the 10.0.8.0 Fix Central download page.
**NOTE**
  • Before upgrading the firmware, the Glowroot extension at https://appliance_lmi_hostname/extensions must be disabled. Set "LMI Server Monitoring = Disabled" and "Runtime Server Monitoring = Disabled". Do not re-enable it after the upgrade. We are investigating.
========
10.0.8 also upgrades the LMI and Runtime Application Server to Java version 17. Java 17 is stricter in enforcing the hostname rules for the SNI it receives on TLS connections.

Because of this, if you use hostnames containing characters that are not permitted by the official RFC specifications (for example an underscore ( _ ) character as part of the hostname), then when the LMI or Runtime Application Server receives that hostname as the SNI on a TLS connection, it rejects it, the connection fails, and an exception is logged containing "Illegal server name" and:
 
Caused by: java.lang.IllegalArgumentException: The encoded server name value is invalid
    at java.base/javax.net.ssl.SNIHostName.<init>(Unknown Source)
    ... 26 more
Caused by: java.lang.IllegalArgumentException: Contains non-LDH ASCII characters
    at java.base/java.net.IDN.toASCIIInternal(Unknown Source)
    at java.base/java.net.IDN.toASCII(Unknown Source)
You must switch to hostnames that conform to RFC 1123 and RFC 952.
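As an added example (not part of the IBM document), the following Python script audits a list of hostnames against the RFC 952/1123 letter-digit-hyphen (LDH) label rules that Java 17 applies to SNI, so non-conforming names can be found before the upgrade rather than discovered as failed TLS connections afterwards. The sample hostnames are constructed for illustration.

```python
import re
from typing import Optional

# RFC 952/1123 label rules: ASCII letters, digits and hyphen only, no
# leading or trailing hyphen, 1-63 characters per label, 253 overall.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_hostname(hostname: str) -> Optional[str]:
    """Return None if the hostname is LDH-compliant, else the reason it is not."""
    name = hostname.rstrip(".")  # a trailing dot marks an FQDN; tolerate it
    if not name:
        return "empty hostname"
    if len(name) > 253:
        return "hostname longer than 253 characters"
    for label in name.split("."):
        if not label:
            return "empty label (consecutive dots)"
        if len(label) > 63:
            return f"label '{label}' longer than 63 characters"
        # Anything outside ASCII letters/digits/hyphen (underscore, space,
        # accented letters, ...) is what Java reports as "non-LDH".
        bad = sorted({c for c in label
                      if not (c.isascii() and (c.isalnum() or c == "-"))})
        if bad:
            return f"label '{label}' contains non-LDH characters: {''.join(bad)}"
        if not _LDH_LABEL.match(label):
            return f"label '{label}' starts or ends with a hyphen"
    return None


def audit_hostnames(hostnames):
    """Map each offending hostname to the reason strict SNI handling rejects it."""
    return {h: r for h in hostnames if (r := check_hostname(h)) is not None}


# Constructed sample of hostnames a deployment might present as SNI.
SAMPLE_HOSTNAMES = [
    "isva-lmi.example.com",   # compliant
    "isva_lmi.example.com",   # underscore: rejected after the upgrade
    "www.example.com.",       # FQDN with trailing dot: accepted
    "-bad.example.com",       # leading hyphen: rejected
    "rt.example.com ",        # stray trailing space: rejected
]

if __name__ == "__main__":
    for host, reason in audit_hostnames(SAMPLE_HOSTNAMES).items():
        print(f"{host!r}: {reason}")
```

Feed it the hostnames from your reverse proxy, junction and certificate SAN inventory; every entry it reports needs renaming before the 10.0.8 upgrade.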

10.0.7
Due to a change in package signature and verification, upgrades from versions before 10.0.4.0 first require the installation of isva-signing.fixpack to enable uploading the new firmware package file. The isva-signing.fixpack is available from Fix Central within 10.0.5-ISS-ISVA-FP0000. The isva-signing.fixpack allows appliances at versions before 10.0.4.0 to validate and install new upgrade packages for version 10.0.5.0 and newer. If you are upgrading from a version before 10.0.4.0, you do not need to upgrade to the 10.0.6 firmware level as an intermediate step, but you do need to apply the isva-signing.fixpack. If you upgrade from version 10.0.4.0 or newer, do not install isva-signing.fixpack.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params.
 
For 10.0.6.0 use /updates/available in the LMI to check for new updates. The "Download Firmware Update" button navigates directly to the 10.0.7.0 Fix Central download page.
**NOTE**
  • Upgrading to 10.0.7 may cause Reverse Proxy instances with SPNEGO to fail when restarted.  Open a support case and ask for DT258624_10070.fixpack.
  • The AAC/Federation Runtime /metrics endpoint may not start.  Open a support case and ask for updt_liberty_metrics.fixpack.
  • Container Infrastructure

    The convenience OpenLDAP container that is shipped with prior releases is no longer updated or maintained. The container deployment of IBM Security Verify Directory can be used as a comparable alternative.

  • See IBM Security Verify Access v10.0.7 - WebSEAL Transformation Rule Extensions HTTP Transformation enhancements.


 
10.0.6
Due to a change in package signature and verification, upgrades from versions before 10.0.4.0 first require the installation of isva-signing.fixpack to enable uploading the new firmware package file. The isva-signing.fixpack is available from Fix Central within 10.0.5-ISS-ISVA-FP0000. The isva-signing.fixpack allows appliances at versions before 10.0.4.0 to validate and install new upgrade packages for version 10.0.5.0 and newer. If you are upgrading from a version before 10.0.4.0, you do not need to upgrade to the 10.0.5 firmware level as an intermediate step, but you do need to apply the isva-signing.fixpack. If you upgrade from version 10.0.4.0 or newer, do not install isva-signing.fixpack.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params.

The online automatic update service is concluded. The 10.0.6 version is not available to download automatically by using "Available Updates" in the LMI.

10.0.5
Upgrades on existing appliances prior to 10.0.4 require a fix pack to be installed before the PKG is uploaded. See IBM Security Access Manager & Security Verify Access Upgrade Paths for details.
Upgrades on existing appliances at version 10.0.4 require the Advanced Tuning Parameter (ATP) sys.direct.update.allowed=true. Create the ATP at https://appliance_lmi_hostname/adv_params.
The online automatic update service is concluded. The 10.0.5 version is not available to download automatically by using "Available Updates" in the LMI. This feature was removed in 10.0.5.
The container images are not being uploaded to Docker Hub (as ibmcom is leaving Docker Hub) but instead to IBM Cloud Container Registry. The most authoritative index of available images is at IBM Security Verify Access Containers.
The documentation notes, "The Policy Directory Java™ library (PD.jar) has been updated to support both IBM® Java 1.8 and OpenJDK 11." There are problems in the 10.0.5 PD.jar, so use the 10.0.2.0 PD.jar level with IBM Java 1.8. If you do not have a 10.0.2.0 environment available, contact Support to obtain this file.
There is a problem with the dbupdate9 scripts for DB2. The cluster_config_db2_update_202210191.sql file has a hardcoded instance name at line 45, "REORG TABLE DB2INST1.ISAM_AUDIT_HANDLERS;". The work-around is to remove the DB2INST1. instance qualifier from that statement before running the script.

10.0.4
Java APIs
The 10.0.3 version changed to OpenJDK 11 from IBM JVM 8. The PDJRTE APIs do not support OpenJDK yet. For existing deployments that use IBM JVM 8 for the APIs with Policy Server version 10.0.4.0, it is recommended to move up to at least pdjrte-10.0.2.0.zip. This file is available for download in the LMI at https://appliance_lmi_hostname/isam/downloads -> isva -> pdjrte-10.0.2.0.zip. If you do not have a 10.0.2.0 environment available, contact Support to obtain this file.

10.0.3
SSL Certificate Replication across the cluster:
In ISVA 10.0.3, the product changed from using the IBM proprietary kdb format for key databases to the standard pkcs12 (p12) format. The upgrade automatically converts the files from kdb to p12. However, when the ISVA cluster is configured to replicate the key databases from the primary master to the other cluster nodes, this replication can cause issues with cluster members that are not yet upgraded: the replication removes their kdb files and replaces them with p12 files, so those members fail. Upgrading the cluster members as soon as possible resolves this problem.
With 10.0.3.1 a change was implemented to make this transition a bit more forgiving. Once the primary master is upgraded, it replicates both the new p12 files and the old kdb files to the nodes so that the nodes not yet upgraded continue to function.
However, once you make any changes to the key database, at that point the kdb key database is removed from the primary master and the rest of the cluster.
The admin needs to be aware that once the primary master is upgraded to 10.0.3.1, they cannot make any changes to any key database that is being used by a cluster member not yet upgraded.
As documented at https://www.ibm.com/docs/en/sva/10.0.3?topic=overview-upgrading-current-version, the primary master must always be upgraded first to avoid problems in the cluster. With this keystore change, the upgrade order is even more important. If SSL keystore replication is enabled and you start the upgrade on the primary, this WILL break that node. Always start with the primary master.
Upgrading from 10.0.2.0:
APAR IJ36986 (UPGRADE: UNABLE TO MOUNT UPGRADE PACKAGE) addressed in 10.0.3.1 does not fix previous versions. A fix pack must be installed on 10.0.2.0 prior to attempting the upgrade. Contact Support for the fix pack.
Use of URL macro with LRR:
The URL macro is expanded to an absolute URL instead of a relative URL as it was in previous versions. This is fixed by APARs IJ36413 and IJ41545 in 10.0.4.0_IF1. Contact Support for a fix pack specific to 10.0.3.1. Future versions provide the option:
[server]
allow-url-macro-to-be-relative = true
Certificate label settings are now case-sensitive
TLS settings pointing to a certificate label are now case-sensitive. For example, the WRP config file uses:

  [ssl]
  webseal-cert-keyfile-label = frontend_label

to specify the cert to use for front end traffic. If the label in the keystore is actually FRONTEND_LABEL, WebSEAL starts but does not respond to any requests.
Federation SSO flows require complete certificate chains
With the change to OpenJDK, Federation now requires the full CA certificate chain entries for signing and encrypting keys. In previous versions, only the key was required in the keystore. Contact Support for a fix pack specific to 10.0.3.1 that can be used to revert the behavior in IJ38991.
Java APIs
The new pdjrte-10.0.3.1.zip is designed for use with OpenJDK 11. It does not work with IBM JVM 8. For existing deployments that use IBM JVM 8 for the Java APIs with Policy Server version 10.0.3.1, it is recommended to move up to at least pdjrte-10.0.2.0.zip. If you do not have a 10.0.2.0 environment available, contact Support to obtain this file.
Federation SAML flows that use WS-Trust for identity mapping
Federation flows that use an external WS-Trust server for Identity Mapping can fail. Contact Support for a fix pack specific to 10.0.3.1.

GENERAL BEST PRACTICE


Product Synonym

ISAM;ISVA;IBM Security Access Manager;IBM Security Verify Access

Document Information

Modified date:
08 August 2024

UID

ibm16557516