Fix Readme
Abstract
Readme file for: 7.4.0.1-TIV-CAMRT-IF0060
Product - Component Release: 7.4.0.1
Update Name: 7.4.0.1-TIV-CAMRT-IF0060
Fix ID: 7.4.0.1-TIV-CAMRT-AIX-IF0060, 7.4.0.1-TIV-CAMRT-LINUX-IF0060, 7.4.0.1-TIV-CAMRT-WINDOWS-IF0060
Publication Date: 22 Sept 2022
Last modified date: 29 Sept 2022
Description: This interim fix contains IBM Java XML vulnerability CVE-2022-21299, deferred from Oracle Jan 2022 CPU.
Content
Download location
The following is list of components, platforms, and file names that apply to this readme file.
Fix Download for AIX
| Product - Component Name: | Platform: | Fix: |
|---|---|---|
| Tivoli Composite Application Manager for Transactions | AIX | 7.4.0.1-TIV-CAMRT-AIX-IF0060 |
Fix Download for Linux
| Product - Component Name: | Platform: | Fix: |
|---|---|---|
| Tivoli Composite Application Manager for Transactions | Linux | 7.4.0.1-TIV-CAMRT-LINUX-IF0060 |
Fix Download for Windows
| Product - Component Name: | Platform: | Fix: |
|---|---|---|
| Tivoli Composite Application Manager for Transactions | Windows |
Prerequisites and co-requisites
This upgrade for the Robotic Response Time agents, which is part of ITCAM for Transactions: Response Time, can be applied to the following base versions. It must be applied to a machine on which Robotic Response Time agent is being installed.
- 7.4.0.1 - AIX, Linux, Windows
- 7.4.0.2 - AIX, Linux, Windows
- Supported base versions include interim fixes that were applied to 7.4.0.1 and 7.4.0.2 versions.
- This interim fix is a quarterly SDK update. The update replaces the Java SDK without changing the product version. This interim fix can be applied to versions 7.4.0.1 and 7.4.0.2.
This patch replaces the two JREs that were shipped with the Robotic Response Time (T6) agent, bringing them to the latest level. This remediates multiple security issues.
This patch is applicable to the following T6 agents:
- Version 7.4.0.1
- Version 7.4.0.2
- Windows, AIX, and Linux platforms.
The T6's JREs are only used when playing back Rational Performance Tester (RPT) scripts, thus the JREs are not available on Solaris and HPUX (RPT playback is not supported on Solaris and HPUX). 7.4 agent needs to update Java 80 and Java 70 JREs. These variations are noted in the installation steps below. Any customizations done to the existing JREs need to be preserved. Since these JREs are product-specific (that is, the JREs are used by the T6 agent only), there can only be at most one customization as instructed by IBM support, which is to enable strong encryption by updating the JRE's encryption policy (see the technote in the Installing section).
This patch only includes Java70 and Java80 updates. After the patch, the Java versions will be as follows:
- Java 7.0 SR11 FP10
- Java 8.0 SR07 FP10
Related material:
This interim fix is a cumulative Java upgrade for Java PSIRT. Updates implemented in the following releases are included in this upgrade.
- 7.4.0.1 - IF0005
- 7.4.0.1 - IF0007
- 7.4.0.1 - IF0009
- 7.4.0.1 - IF0012
- 7.4.0.1 - IF0015
- 7.4.0.1 - IF0018
- 7.4.0.1 - IF0021
- 7.4.0.1 - IF0024
- 7.4.0.1 - IF0027
- 7.4.0.1 - IF0030
- 7.4.0.1 - IF0032
- 7.4.0.1 - IF0033
- 7.4.0.1 - IF0034
- 7.4.0.1 - IF0039
- 7.4.0.1 - IF0041
- 7.4.0.1 - IF0047
- 7.4.0.1 - IF0049
- 7.4.0.1 - IF0050
- 7.4.0.1 - IF0051
- 7.4.0.1 - IF0052
- 7.4.0.1 - IF0055
- 7.4.0.1 - IF0056
- 7.4.0.1 - IF0057
- 7.4.0.1 - IF0058
Installation information
Before Installing
Validate pre-existing Java70 and Java80 are older than the ones delivered in this interim fix.
The RRT Agent's Javas are located at:
- Windows:
- Java70: $ITMHOME\tmaitm6\java70
- Java80: $ITMHOME\tmaitm6\java80 - only in 7.4.0.1-IF8 and later
- Unix:
- Java70: $ITMHOME/tmaitm6/java70
- Java80: $ITMHOME/tmaitm6/java80 - only in 7.4.0.1-IF8 and later
Check the versions, for example
C:\ibm\itm\TMAITM6> .\java80\jre\bin\java.exe -version
java version "1.8.0_321"
Java(TM) SE Runtime Environment (build 8.0.7.5 - pwi3280sr7fp5-20220208_01(SR7 FP5))
IBM J9 VM (build 2.9, JRE 1.8.0 Windows Server 2016 x86-32-Bit 20220104_19630 (JIT enabled, AOT enabled)
OpenJ9 - 2d4c7d9
OMR - 59845b7
IBM - 3c151c1)
JCL - 20220120_01 based on Oracle jdk8u321-b07
Installing
Note:
- \lib\security\local_policy.jar
- \lib\security\US_export_policy.jar
https://www.ibm.com/support/pages/node/85585
See technote - Does the RRT agent support TLS 1.1/1.2 and 256-bit ciphers?
https://www.ibm.com/support/pages/node/529695
- Back up existing Java70 and Java80
- Stop the T6 agent
- Backup the existing Java JREs, for example
> On Windows - cd c:\IBM\ITM\tmaitm6\
> On Linux or Unix - cd /opt/IBM/ITM/tmaitm6
> move java70 java70.old
> move java80 java80.old - only in 7.4.0.1-IF8 and later.
- Replace the JREs
- Extract the archive to the same directory, for example, after unarchiving your directory structure is:
Windows - c:\IBM\ITM\TMAITM6>dir java*Volume in drive C has no label.
Volume Serial Number is 48DC-C1ED
Directory of C:\IBM\ITM\TMAITM6
09/19/2022 02:57 PM <DIR> java70
09/19/2022 03:38 PM <DIR> java70.old
09/19/2022 02:57 PM <DIR> java80
09/19/2022 03:43 PM <DIR> java80.old
0 File(s) 0 bytes
4 Dir(s) 6,670,835,712 bytes free
Linux or Unix - /opt/IBM/ITM/tmaitm6>ls -dl java*
........
drwxr-xr-x 4 root root 4096 Feb 2 01:10 java70
drwxr-xr-x 4 root root 4096 Sep 19 14:20 java70.bak
drwxr-xr-x 4 root root 4096 Feb 2 01:10 java80
drwxr-xr-x 4 root root 4096 Sep 19 14:20 java80.bak -
If applicable, copy the following unrestricted policy files from the "java70.old" and "java80.old" directories to the new "java70" and "java80" directories:
Windows:
java70.old\lib\security\local_policy.jar to java70\lib\security
java70.old\lib\security\US_export_policy.jar to java70\lib\securityjava80.old\lib\security\local_policy.jar to java80\lib\security
java80.old\lib\security\US_export_policy.jar to java80\lib\security
Linux or Unix:
java70.bak/lib/security/local_policy.jar to java70/lib/security
java70.bak/lib/security/US_export_policy.jar to java70/lib/securityjava80.bak/lib/security/local_policy.jar to java80/lib/security
java80.bak/lib/security/US_export_policy.jar to java80/lib/security
- Extract the archive to the same directory, for example, after unarchiving your directory structure is:
- Validate the updated JRE version
- Check version number of JRE 7.0, for example
java version "1.7.0"
Java(TM) SE Runtime Environment (build pwi3270sr11fp10-20220327_01(SR11 FP10))
IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2016 x86-32 20220324_025597 (JIT enabled, AOT enabled)
J9VM - R26_Java726_SR11_20220324_1551_B25597
JIT - r11_20220324_25597
GC - R26_Java726_SR11_20220324_1551_B25597
J9CL - 20220324_25597)
JCL - 20220325_01 based on Oracle jdk7u341-b08>java80\jre\bin>java -version
java version "1.8.0_331"
Java(TM) SE Runtime Environment (build 8.0.7.10 - pwi3280sr7fp10-20220505_01(SR7 FP10))
IBM J9 VM (build 2.9, JRE 1.8.0 Windows Server 2016 x86-32-Bit 20220427_27745 (JIT enabled, AOT enabled)
OpenJ9 - b15041a
OMR - 3671a9f
IBM - 1b0232b)
JCL - 20220504_01 based on Oracle jdk8u331-b09
- Check version number of JRE 7.0, for example
- Restart Agent and ensure Rational Performance Tester Script playback works.
- (Optional) Delete the backup Java runtimes.
Additional information
The Secure Hash Algorithm 256(SHA256) checksums of the images are as follows:
7.4.0.1-TIV-CAMRT-AIX-IF0060.tar -
c6122729045aff7c7bf11630a84f2de3e86425c0
7.4.0.1-TIV-CAMRT-Linux-IF0060.tar -
fbf2bc340a33067dc3313e1921d36a66349d25bc
7.4.0.1-TIV-CAMRT-Windows-IF0060.zip -
8fa73203bb17f1c0a2c335c0f94963d19e38af85
List of fixes
A) APAR Content:
N/A
B) Additional Non-APAR Defects:
Defect 32021: PSIRT PVR0362687 IBM Java XML vulnerability CVE-2022-21299, deferred from Oracle Jan 2022 CPU
C) Enhancements
N/A
Document change history
| Version | Date | Description of change |
| 1.0 | 29 Sept 2022 | Initial Version |
Was this topic helpful?
Document Information
Modified date:
15 November 2022
UID
ibm16695791