IBM Support

Instructions for installing IBM InfoSphere Information Server 11.7.1.3 Service Pack 2

Fix Readme


Abstract

This document contains guidance for installation of the IBM InfoSphere Information Server 11.7.1.3 Service Pack 2 upgrade package available on IBM Fix Central.

Content

Table of Contents
    1) Introduction
    2) Using a password or passwordless SSH for installation
    3) Downloads and pre-upgrade steps
    4) Installation of 11.7.1.3 Service Pack 2

           4.1. Instructions for upgrading Information Server in GUI mode of the Update Installer
           4.2. Instructions for upgrading Information Server in Console mode of the Update Installer
    5) Post upgrade actions


1) Introduction

The IBM InfoSphere Information Server 11.7.1.3 Service Pack 2 ispkg image is available for upgrading of Information Server version 11.7.1.3 installations. The steps for installing Information Server 11.7.1.3 Service Pack 2 depend on whether the Microservices tier is installed.

Requirements for installing 11.7.1.3 Service Pack 2:

  • You must install Information Server version 11.7.1.3.
  • If you have a Microservices tier, it must be at version 11.7.1.3 and all pods must be up and running.
     
Important:
Depending on when you installed 11.7.1.3, more steps might be required before you can install 11.7.1.3 Service Pack 2. You can determine this in one of two ways:
  • Looking at the name of the file that you downloaded for 11.7.1.3:
    • Original version: fixpack_FP3_IS1171_linux64_11710-11712.tar.gz
    • Latest version: fixpack_FP3_Respin1_IS1171_linux64_11710-11712.tar.gz
  • Looking at the description of 11.7.1.3 in the PatchManifest.xml file on your system (about line 6 in the file):
    •  Original version: <Description description="Information Server 11.7.1 FixPack 3 (fixpack.is_11_7_1_3.linux64.b134.211020-2005)"/>
    •  Latest version: <Description description="Information Server 11.7.1 FixPack 3 (fixpack.is_11_7_1_3.linux64.b135.211201-0526)"/>
If you installed the latest version of 11.7.1.3, you can proceed with the installation of 11.7.1.3 Service Pack 2.
If you installed the original version of 11.7.1.3, you must follow the instructions in this technote. If your environment matches the environment specified in the technote, update your system before installation of 11.7.1.3 Service Pack 2. If you applied these instructions previously, you do not have to repeat them.
      


2) Using a password or passwordless SSH for installation

2.1) If you initially installed Enterprise Search in Information Server 11.7.0.0 through 11.7.0.2, that installation required:
             a. a user with root privileges on the master node
             b. setting up passwordless SSH from the user running the installation on the Information Server host to the master node
             c. setting up passwordless SSH for the root user between the master node and itself

          During the installation of Information Server 11.7.1.3 Service Pack 2, you can continue to use your current setup; no changes are needed to facilitate the installation.

          However, you might want to take advantage of newly added features in the installer:
              a.  You are no longer required to set up passwordless SSH for the root user between the master node and itself.
              b.  In some installation modes, you do not have to set up any passwordless ssh.
          See the next section for details.

2.2) Installation modes available while upgrading the Microservices tier
 

You can choose from four installation modes during upgrade of the Microservices tier:
     a. Specify that the root user must be used on the master node, and provide the password and sftp port.
         In this case, you do not have to set up passwordless SSH from the Information Server host to the master node.
         However, for a multiple nodes environment, you must set up passwordless SSH for the root user from the master node to the worker nodes.
 
    b. Specify a nonroot user to be used on the master node, and provide the password and sftp port.
         The specified nonroot user must have sudo privilege with NOPASSWD enabled.
         In this case, you do not have to set up passwordless SSH from the user running the installation on the Information Server host to the master node.
         For a multiple nodes environment:
                i. The specified nonroot user must be set up in the same manner on all nodes.
                ii. You must set up passwordless SSH for the specified nonroot user from the master node to the worker nodes.
  
    c. Specify that the root user must be used on the master node, and don't provide a password.
         You must set up passwordless SSH from the user running the installation on the Information Server host to the master node.
         For a multiple nodes environment, passwordless SSH must also be set up for the root user from the master node to the worker nodes.
 
    d. Specify that a nonroot user must be used on the master node, and don't provide a password.
         The specified nonroot user must have sudo privilege with NOPASSWD enabled.
         You must set up passwordless SSH from the user running the installation on the Information Server host to the master node.
         For a multiple nodes environment:
                i. The specified nonroot user must be set up in the same manner on all nodes.
                ii. Passwordless SSH must also be set up for the specified nonroot user from the master node to the worker nodes.
Note:
        1. To enable NOPASSWD for the nonroot user, use visudo to append " ALL=NOPASSWD: ALL" to the user's entry in the /etc/sudoers file, or add an entry.
            The resulting line is
                  <nonroot user> ALL=(ALL) NOPASSWD: ALL
                     
        2. If the root user was used during the installation of 11.7.0.x, then the root user must also be used when 11.7.1.3 Service Pack 2 is installed.
 
        3. Sample setup of passwordless SSH connection for a root user to the Microservices Tier node.
             a. If the file /root/.ssh/id_rsa.pub does not exist, create the SSH Keys with the following command:
                     > ssh-keygen -f /root/.ssh/id_rsa -q -N ""
             b. Copy the SSH public key to the Microservices Tier node with the following command:
                     > ssh-copy-id -i /root/.ssh/id_rsa.pub root@<enterprise search node>
             c. Validate the root passwordless SSH connection to the Microservices Tier node with the following command:
                     > ssh root@<enterprise search node> hostname
             A nonroot user with sudo privileges can be set up for passwordless SSH in the same manner.

 

3) Downloads and pre-upgrade steps

3.1) Download the latest Update Installer

        Update the Update Installer to the latest (11.7.1.098 or later):
        Note: Update Installer 11.7.1.098 is only intended for installing 11.7.1.3 Service Pack 1 and Service Pack 2.

        3.1.1) On the Information Server host, download the Update Installer from
                    https://www.ibm.com/support/pages/node/6538668

        3.1.2) In the document, Updating IBM InfoSphere Information Server, Version 11.7, and installing additional products, under Version 11.7, click the link installing_fixes_fixpacks_updates117.html.
        3.1.3) See section “Installing a new version of the Update Installer before installing an update, fix, or patch” for the steps to extract the new Update Installer and run updateImage.sh.
                    If you used the default directory for Information Server, the Update Installer is installed in /opt/IBM/InformationServer/Updates/bin.

3.2) Download the 11.7.1.3 Service Pack 2 images
        You must download the following images from IBM Fix Central depending on your installation choices.
        For more information on locating the images, see the Download document.

3.2.1) On the Information Server host, download and extract the Information Server 11.7.1.3 Service Pack 2 ispkg image from IBM Fix Central.
            For example, servicepack_11.7.1.3_SP2_linux64_11713.tar.gz
            Note:
                         1. Set your umask to 022 before the image is extracted.
                         2. Unpack the file to get the ispkg and readme files.

3.2.2) On the Microservices tier, download the ISES Image for Information Server 11.7.1.3 Service Pack 2 from IBM Fix Central. Do not extract the file.
            For Service Pack 1, servicepack_11.7.1.3_SP2_microservices_11713.tar.gz

3.3) Pre-upgrade steps
3.3.1) The metadata needed for the Information Analyzer microservice is persisted in a schema named 'ASSET_RELATION'. If this schema was not created previously, it must be created before installation of the Service Pack. The steps to create the schema are described in the resolution section of technote 0887665. Absence of the schema causes the ia-services pod to crash.
3.3.2) If you have a Microservices tier, run the following commands on your services tier:
                  $ cd <IIS_INSTALL_LOCATION>/ASBServer/bin
                  $ ./iisAdmin.sh -set -key com.ibm.iis.ug.installed.version -value 11713

 

4) Installation of 11.7.1.3 Service Pack 2

 

4.1) Instructions for upgrading Information Server in GUI mode of the Update Installer


4.1.1) Log in to the Information Server host. Change directory to <IS_HOME>/Updates/bin
              For example, cd /opt/IBM/InformationServer/Updates/bin

4.1.2) Verify that the Update Installer version is 11.7.1.098 or later:
                  ./installUpdates -version

4.1.3) Initiate the Service Pack install with the following command:
                   ./installUpdates
              This command launches the Update Installer in GUI mode.

4.1.4) Provide information as required in each panel to complete the installation.
               Click Login.

 4.1.5) Review the System requirements, Release Notes, and Planning information.
             Click Next.

4.1.6) The Update Installer displays the Information Server installation directory.
              Click Next.

4.1.7) If you do not have a Microservices tier, skip forward to step 4.1.8.
             Note: Information on adding a Microservices tier to 11.7.1.3 Service Pack 2 can be found in technote 6241456.

4.1.7.1) You can choose whether to upgrade the Microservices tier during the installation of 11.7.1.3 Service Pack 2.
                 Note the following requirements for upgrade:
                         1. The Microservices tier must be at version 11.7.1.3.
                         2. All pods must be up and running.
                              You can check the status of the pods by running the following command:
                                      kubectl get pods --all-namespaces

4.1.7.2) If you do not want to upgrade the Microservices tier now, check the "Skip patching of Information Server microservices tier" checkbox.
                Click Next and skip forward to step 4.1.8.
                Information on later upgrading your Microservices tier to 11.7.1.3 Service Pack 2 can be found in technote 6241456.

4.1.7.3) To upgrade the Microservices tier
                  a. Deselect the "Skip patching of Information Server microservices tier" checkbox.
                  b. Specify a fully qualified domain name for the Master Node Host.
                  c. Specify the same User as was used during the initial installation of the Microservices tier.
                  d. See section 2.2 for more information on "Authenticate with a password".
                  e. If you specify a nonroot user, in /etc/security/limits.conf, the hard and soft setting of nofile and nproc for the specified user must be 10240.
                       Also, umask must be set to 022 in ~/.bashrc.

                 Click Next.
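
A preflight check for the nonroot-user requirements stated in section 2.2 and in step 4.1.7.3 (e), added here as an example; it is not part of IBM's instructions or tooling. The user name isuser and the function names are hypothetical, and check_sudo_nopasswd is meant to be run as the nonroot user on the master node.

```shell
#!/bin/sh
# Added example (not IBM's tooling): preflight checks for the nonroot user that
# upgrades the Microservices tier. File paths are parameters so the checks can
# be pointed at /etc/security/limits.conf and ~/.bashrc on the master node.

# check_limits FILE USER
# Succeeds only if soft and hard nofile and nproc are all 10240 for USER.
# Assumption: only entries that name USER explicitly are read; wildcard and
# @group entries, and files under limits.d, are not considered.
check_limits() {
    awk -v u="$2" -v want=10240 '
        NF < 4 || $1 ~ /^#/ { next }
        $1 == u && ($3 == "nofile" || $3 == "nproc") {
            # type "-" sets both the soft and the hard limit
            if ($2 == "soft" || $2 == "-") got["soft " $3] = $4
            if ($2 == "hard" || $2 == "-") got["hard " $3] = $4
        }
        END {
            n = split("soft nofile,hard nofile,soft nproc,hard nproc", keys, ",")
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if (!(k in got)) { print "missing: " u " " k; bad = 1 }
                else if (got[k] != want) { print "mismatch: " u " " k " = " got[k]; bad = 1 }
            }
            exit bad + 0
        }' "$1"
}

# check_bashrc_umask FILE
# Succeeds if the last umask line in FILE sets 022 (or 0022).
check_bashrc_umask() {
    last=$(sed -n 's/^[[:space:]]*umask[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    case $last in 022|0022) return 0 ;; *) return 1 ;; esac
}

# check_sudo_nopasswd
# Succeeds if the calling user can run sudo without a password prompt
# (-n makes sudo fail instead of prompting).
check_sudo_nopasswd() {
    sudo -n true 2>/dev/null
}

# Demo on constructed files: the hard nproc value is wrong on purpose.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'isuser soft nofile 10240' 'isuser hard nofile 10240' \
        'isuser soft nproc 10240' 'isuser hard nproc 4096' > "$d/limits.conf"
    printf 'umask 022\n' > "$d/bashrc"
    check_limits "$d/limits.conf" isuser || echo "limits.conf: fix the entries listed above"
    check_bashrc_umask "$d/bashrc" && echo "bashrc: umask 022 is set"
    rm -rf "$d"
}
demo
```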
 
4.1.8) In the list of "Packages to be installed", select the 11.7.1.3 Service Pack 2 ispkg file you downloaded from IBM Fix Central.
Click Next.


4.1.9) If you have a Microservices tier, provide your existing credentials for Kafka and Solr (for example, solruser, solrpwd etc). The Update Installer creates the specified users in Kafka and Solr; they do not have to be an operating system user, Information Server user, or LDAP user.
          Later, you can use the specified values for maintenance actions such as accessing the Solr web UI.
          Click Next.

4.1.10) Provide the location of Information Server, the Administrator user name, and password. Accept the certificate and click Next.

4.1.11) On the System Requirements Check page, confirm that all system requirements passed, and then click Next.

4.1.12) If you have a Microservices tier, examine the results from system requirement checks of the Microservices tier. If all is good, click Next.

4.1.13) Review the Preinstallation Summary and click the Install button to start the installation.

4.1.14) Click the Finish button after the installation completes.

4.1.15) Click “Advanced” followed by "Accept the Risk and Continue".

4.1.16) The Launchpad is displayed.

4.1.16.1) If you do not have a Microservices tier, the Information Server Launchpad is displayed.


4.1.16.2) If you have a Microservices tier, the Information Server (Microservices) Launchpad is displayed.


4.2) Instructions for upgrading Information Server in Console mode of the Update Installer

            Note:
             1. The Microservices tier must be at version 11.7.1.3 before installation of Service Pack 2.
             2. The validation checks performed by the Update Installer in Console mode are not as extensive as the checks performed when the Update Installer is in GUI mode.


4.2.1) Log in to the Information Server host. Change directory to <IS_HOME>/Updates/bin
             For example, cd /opt/IBM/InformationServer/Updates/bin

4.2.2) Verify that the Update Installer version is 11.7.1.098 or later:
                   ./installUpdates -version
              If you need to update the Update Installer, see step 3.1.

4.2.3) Run the Update Installer to upgrade Information Server.
            For example,
                   ./installUpdates -i /opt/IBM/InformationServer/ -p /opt/Builds/ISPKG/<ispkg_file_name>.ispkg -verbose -console -properties <property_file_name>

       where
          <ispkg_file_name> is the ispkg file you downloaded from IBM Fix Central
                            For example, servicepack_11.7.1.3_SP2_linux64_11713.tar.gz
          <property_file_name> is the name of the property file wherein you specify values for the various properties that control the upgrade of the Microservices tier.


Sample property file

               The Update Installer prompts you for the Information Server administrator user ID and password, and the WebSphere Administrator user ID and password.


5) Post upgrade actions

5.1) Information Server Microservices tier launchpad does not display icons properly

If you experience JR62814 in your environment, do the following steps on your relevant tiers.
 
        On the Microservices tier host:
 
        1. Modify the iis-server Ingress
             a. kubectl edit Ingress iis-server
             b. Locate the following lines
                     ingress.kubernetes.io/configuration-snippet: |
                       proxy_redirect "https://$host:<IIS services tier port>/" "https://$host/";
             c. After these lines, insert proxy_redirect directives for short host name, alias name, and IP address:
                       proxy_redirect "https://<Microservices tier short host name>:<IIS services tier port>" "https://<Microservices tier short host name>/";
                       proxy_redirect "https://<Microservices tier host name alias>:<IIS services tier port>" "https://<Microservices tier host name alias>/";
                       proxy_redirect "https://<Microservices tier IP address>:<IIS services tier port>" "https://<Microservices tier IP address>/";
                 Ensure that the newly added proxy_redirect lines are aligned with the prior proxy_redirect line, because the file contents are sensitive to formatting.
             d. Save this ConfigMap.
 
        2. Modify the iis-redirect Ingress
             a. kubectl edit Ingress iis-redirect
             b. Locate the following lines
                     ingress.kubernetes.io/configuration-snippet: |
                       proxy_redirect "https://$host:<IIS services tier port>/" "https://<IIS services tier short host name>:<IIS services tier port>/";
             c. After these lines, insert proxy_redirect directives for short host name, alias name, and IP address:
                       proxy_redirect "https://<Microservices tier short host name>:<IIS services tier port>" "https://<IIS services tier short host name>:<IIS services tier port>/";
                       proxy_redirect "https://<Microservices tier host name alias>:<IIS services tier port>" "https://<IIS services tier host name alias>:<IIS services tier port>/";
                       proxy_redirect "https://<Microservices tier IP address>:<IIS services tier port>" "https://<IIS services tier IP address>:<IIS services tier port>/";
                 Ensure that the newly added proxy_redirect lines are aligned with the prior proxy_redirect line, because the file contents are sensitive to formatting.
             d. Save this ConfigMap.
 
        3. Delete nginx ingress pod by using the following command:
                 kubectl delete pods -l app=ingress-nginx -n kube-system
 
        4. Ensure that nginx ingress pod is up and running by using the following command:
                 kubectl get pods -l app=ingress-nginx -n kube-system
              
        On the Information Server host:

        1. Add a host alias property:
        $ cd <IIS_INSTALL_LOCATION>/ASBServer/bin
        $ ./iisAdmin.sh -set -key com.ibm.iis.ug.host.aliases -value <Microservices tier long host name>,<Microservices tier short host name>,<Microservices tier alias name>,<Microservices tier IP address>
        $ ./iisAdmin.sh -d -key com.ibm.iis.ug.host.aliases
        2. Restart WebSphere Application Server.
               
        On the Browser host:

        Add an entry in the hosts file
               UNIX:    /etc/hosts
               Windows: <Drive>:\Windows\System32\drivers\etc\hosts
        with IP address, long host name, short host name, and alias name as follows:
                <Microservices tier IP address> <Microservices tier long host name> <Microservices tier short host name> <Microservices tier alias name>

5.2) Apply mitigation for log4j 1.x vulnerabilities

        Service Pack 2 remediates the vulnerability in log4j 2.x by upgrading to a later version of the library.
        There are other vulnerable classes in log4j 1.x jars: JMSAppender and SocketServer. These classes can be removed by running a script that is provided with the security bulletin. Ensure that you use version 1.1 or later of the script.
        To find and remediate the classes in log4j 1.x, add the “-log4j-version 1” flag to the commands that you execute.
        For example,
        a. The following command finds instances of the log4j 1.x classes:

                     ./iis-log4j-mitigation.sh -install-dir /opt/IBM/InformationServer -log4j-version 1

        b. Add the -remove option, and run the command again to remove the classes from the located instances.
 

       See the security bulletin for details of the steps required to run the script and perform the mitigation.

5.3) (Optional) Back up and purge the Backup folder within the Updates and _uninstall folders
         The Update installer uses the Updates/Backup folder within your Information Server location to keep copies of files that are replaced during patch installs. The files in this folder are only used to roll back a patch installation; they are not needed while Information Server is used.
         Likewise, the _uninstall/Backup folder contains files that are only used when Information Server components are uninstalled.
         For log4j related patches, the prior vulnerable versions of log4j could be present in these folders. If you want to remove such files from the system, take a backup of these folders and then purge the folders.
         An appropriate backup of the Updates/Backup folder must be restored before any subsequent patch rollback action. Likewise, an appropriate backup of the _uninstall/Backup folder must be restored before any subsequent uninstall action.

5.4) Remove older versions of log4j
         The installation of the Service Pack upgrades the log4j version to 2.17.0. Prior versions of log4j are removed during installation, but a few locations were not cleaned up. They can be cleaned up by using the following steps:

         Windows:

              DEL <IIS_INSTALL_LOCATION>\Server\DSWLM\dist\lib\log4j-api-2.13.3.jar
              DEL <IIS_INSTALL_LOCATION>\Server\DSWLM\dist\lib\log4j-core-2.13.3.jar
              DEL <IIS_INSTALL_LOCATION>\Server\DSWLM\dist\lib\log4j-api-2.16.0.jar
              DEL <IIS_INSTALL_LOCATION>\Server\DSWLM\dist\lib\log4j-core-2.16.0.jar

              DEL <IIS_INSTALL_LOCATION>\Server\PXEngine\java\log4j-api-2.13.3.jar
              DEL <IIS_INSTALL_LOCATION>\Server\PXEngine\java\log4j-core-2.13.3.jar
              DEL <IIS_INSTALL_LOCATION>\Server\PXEngine\java\log4j-core-2.16.0.jar
              DEL <IIS_INSTALL_LOCATION>\Server\PXEngine\java\log4j-api-2.16.0.jar
              Restart DataStage Engine.

              On the Services tier:
                     DEL <IIS_INSTALL_LOCATION>\shared-open-source\solr\install\server\lib\ext\log4j*2.16*
                     DEL <IIS_INSTALL_LOCATION>\shared-open-source\solr\install\contrib\prometheus-exporter\lib\log4j*2.16*
                     DEL <IIS_INSTALL_LOCATION>\shared-open-source\solr\install\licenses\log4j*2.13*

                     You can run a health check to check the status of solr after the removal:
                     1. Change directory to <IIS_INSTALL_LOCATION>\Clients\istools\cli
                     2. Run the following command:
                                  istool.bat solr healthCheck -c dqecExceptionSets -u isadmin -p <ISADMIN_PASSWORD>

         UNIX:

              rm -f <IIS_INSTALL_LOCATION>/Server/DSWLM/dist/lib/log4j-api-2.13.3.jar
              rm -f <IIS_INSTALL_LOCATION>/Server/DSWLM/dist/lib/log4j-core-2.13.3.jar
              rm -f <IIS_INSTALL_LOCATION>/Server/DSWLM/dist/lib/log4j-api-2.16.0.jar
              rm -f <IIS_INSTALL_LOCATION>/Server/DSWLM/dist/lib/log4j-core-2.16.0.jar

              rm -f <IIS_INSTALL_LOCATION>/Server/PXEngine/java/log4j-api-2.13.3.jar
              rm -f <IIS_INSTALL_LOCATION>/Server/PXEngine/java/log4j-core-2.13.3.jar
              rm -f <IIS_INSTALL_LOCATION>/Server/PXEngine/java/log4j-core-2.16.0.jar
              rm -f <IIS_INSTALL_LOCATION>/Server/PXEngine/java/log4j-api-2.16.0.jar
              Restart DataStage Engine.

              On the Services tier:
                    rm -f <IIS_INSTALL_LOCATION>/shared-open-source/solr/install/server/lib/ext/log4j*2.16*
                    rm -f <IIS_INSTALL_LOCATION>/shared-open-source/solr/install/contrib/prometheus-exporter/lib/log4j*2.16*
                    rm -f <IIS_INSTALL_LOCATION>/shared-open-source/solr/install/licenses/log4j*2.13*

                     You can run a health check to check the status of solr after the removal:
                     1. Change directory to <IIS_INSTALL_LOCATION>/Clients/istools/cli
                     2. Run the following command:
                                  istool.sh solr healthCheck -c dqecExceptionSets -u isadmin -p <ISADMIN_PASSWORD>

             On the Engine tier:
                      rm -f <IIS_INSTALL_LOCATION>/ASBNode/odf/odf-iis-oozie-rest.zip
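
To confirm the result of the cleanup in sections 5.3 and 5.4, the following added example (not IBM's script and not part of the security bulletin) lists log4j 2.x files whose file name carries a version below 2.17.0 anywhere under a directory such as <IIS_INSTALL_LOCATION>. The function names are hypothetical; log4j 1.x jars are deliberately skipped because section 5.2 handles them with the bulletin's script.

```shell
#!/bin/sh
# Added example (not IBM's script): report log4j 2.x files, by file name, whose
# version is below a minimum. Point it at <IIS_INSTALL_LOCATION> after cleanup.

# version_lt A B: succeeds when dotted numeric version A is lower than B.
version_lt() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        na=${va%%.*} nb=${vb%%.*}
        [ "${na:-0}" -lt "${nb:-0}" ] && return 0
        [ "${na:-0}" -gt "${nb:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 1
}

# find_old_log4j2 ROOT [MIN]
# Prints "<version> <path>" for every file named log4j*-<version>.jar* under
# ROOT whose version is 2.x and lower than MIN (default 2.17.0). The trailing
# wildcard also catches files such as the .jar.sha1 entries in Solr's licenses.
find_old_log4j2() {
    root=$1 min=${2:-2.17.0}
    find "$root" -type f -name 'log4j*' 2>/dev/null | sort |
    while IFS= read -r path; do
        name=${path##*/}
        ver=${name##*-}       # e.g. "2.16.0.jar" or "2.13.2.jar.sha1"
        ver=${ver%%.jar*}     # e.g. "2.16.0"
        case $ver in
            2.*) ;;           # log4j 2.x only
            *) continue ;;
        esac
        case $ver in *[!0-9.]*) continue ;; esac   # skip non-numeric versions
        if version_lt "$ver" "$min"; then
            printf '%s %s\n' "$ver" "$path"
        fi
    done
}

# Demo on a constructed tree of empty files (names only, no real jars).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Server/DSWLM/dist/lib" "$d/Updates/Backup"
    : > "$d/Server/DSWLM/dist/lib/log4j-core-2.17.0.jar"
    : > "$d/Server/DSWLM/dist/lib/log4j-api-2.16.0.jar"
    : > "$d/Updates/Backup/log4j-core-2.13.3.jar"
    find_old_log4j2 "$d"
    rm -rf "$d"
}
demo
```

A file-name scan does not look inside archives, so it does not report copies bundled in a zip or war file.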


Change History:
19 January 2022: Initial publication
20 January 2022: One more cleanup step needed for odf-iis-oozie-rest.zip
25 January 2022: Added commands in section 5.4 to clean up Solr licenses sha1 files
02 February 2022: Solr and Kafka credentials are only for microservices tier
03 May 2022: Updates/backup and _uninstall/Backup folders must be purged; not the entire Updates & _uninstall folders


Document Information

Modified date:
03 May 2022

UID

ibm16540026