Fix Readme
Abstract
xxx
Content
Readme file for: 4.0.1-TIV-SSM-FP0001
Product/Component Release: 4.0.1
Update Name: 4.0.1-TIV-SSM-FP0001
Fix ID: 4.0.1-TIV-SSM-AIX-PPC-FP0001, 4.0.1-TIV-SSM-HPUX-IA64-FP0001, 4.0.1-TIV-SSM-LINUX-PPC-FP0001, 4.0.1-TIV-SSM-LINUX-X86-FP0001, 4.0.1-TIV-SSM-LINUX-X86_64-FP0001, 4.0.1-TIV-SSM-SOLARIS-SPARC-FP0001, 4.0.1-TIV-SSM-SOLARIS-X86-FP0001, 4.0.1-TIV-SSM-WIN32-X86-FP0001, 4.0.1-TIV-SSM-MULTIPLATFORM-FP0001-DSCFiles
Publication Date: 17 Jun 2013
Last modified date: 17 Jun 2013
Installation information
Download location
To download this update you must first login to IBM FixCentral. Once logged in, you may select from the individual download packages.
http://www.ibm.com/eserver/support/fixes/
Below is a list of components, platforms, and file names that apply to this Readme file.
Product/Component Name: | Platform: | Fix: |
---|---|---|
Netcool/System Service Monitor | AIX | 4.0.1-TIV-SSM-AIX-PPC-FP0001 |
Netcool/System Service Monitor | AIX | 4.0.1-TIV-SSM-MULTIPLATFORM-FP0001-DSCFiles |
Product/Component Name: | Platform: | Fix: |
---|---|---|
Netcool/System Service Monitor | HPUX 64-bit, IA64 | 4.0.1-TIV-SSM-HPUX-IA64-FP0001 |
Netcool/System Service Monitor | HPUX 64-bit, IA64 | 4.0.1-TIV-SSM-MULTIPLATFORM-FP0001-DSCFiles |
Product/Component Name: | Platform: | Fix: |
---|---|---|
Netcool/System Service Monitor | Linux pSeries | 4.0.1-TIV-SSM-LINUX-PPC-FP0001 |
Netcool/System Service Monitor | Linux 32-bit,x86 Linux 64-bit,x86_64 | 4.0.1-TIV-SSM-LINUX-X86-FP0001 |
Netcool/System Service Monitor | Linux 64-bit,x86_64 | 4.0.1-TIV-SSM-LINUX-X86_64-FP0001 |
Netcool/System Service Monitor | Linux pSeries Linux 32-bit,x86 Linux 64-bit,x86_64 | 4.0.1-TIV-SSM-MULTIPLATFORM-FP0001-DSCFiles |
Product/Component Name: | Platform: | Fix: |
---|---|---|
Netcool/System Service Monitor | Solaris 32-bit,SPARC | 4.0.1-TIV-SSM-SOLARIS-SPARC-FP0001 |
Netcool/System Service Monitor | Solaris 64-bit,x86 | 4.0.1-TIV-SSM-SOLARIS-X86-FP0001 |
Netcool/System Service Monitor | Solaris 32-bit,SPARC Solaris 64-bit,x86 | 4.0.1-TIV-SSM-MULTIPLATFORM-FP0001-DSCFiles |
Product/Component Name: | Platform: | Fix: |
---|---|---|
Netcool/System Service Monitor | Windows | 4.0.1-TIV-SSM-WIN32-X86-FP0001 |
Netcool/System Service Monitor | Windows | 4.0.1-TIV-SSM-MULTIPLATFORM-FP0001-DSCFiles |
Prerequisites and co-requisites
Known issues
Non APAR Defect alm00295041 - Can't remote install ssm with V3 Configurations
Problem DescriptionKDY3209E: Failed to add v3 user itmkdyuser Could not add the new SNMP v3 user via a remote connection
Non APAR Defect alm00295075 - Can't remote uninstall ssm on windows
Problem DescriptionKDY3501E: Could not find the uninstall key with the command regedit /E uninst.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{EFDE76FA-B83A-4608-AFF0-37829C7F5186}. Could not find the required uninstall key.
Non APAR Defect alm00295526 - The transaction.oid file is missing in the oid directory
Problem DescriptionCould not open script file "oid/transaction.oid"
SSM crashes on AIX
Problem Descriptionhttp://www.ibm.com/support/docview.wss?uid=isg1IZ37768
SSM cores on HPUX
Problem Description
Known limitations
None.
Installation information
Prior to installation
Although the SSM patch installer will verify its integrity before proceeding, you may verify the integrity of the patch installer without actually installing the patch by using the -t (test) option:
Windows: ssm401-fixpack1-win32-x86.exe -t
Also note that on some platforms installation may fail if you have any SSM-related programs running. Make sure that you have closed all instances of the SSM console and the MIB Explorer (Windows) prior to installing the patch. The patch installer will stop and restart the ssmagent process automatically.
Installing
SSM patches are self-extracting interactive programs that will guide you through the installation process. You need only execute the installer (for your operating system) and follow the prompts:
Windows: ssm401-fixpack1-win32-x86.exe
Further details about advanced patch installation can be found in the Patch Installation Guide:
Performing the necessary tasks after installation
None.
Troubleshooting installation problems from the Support site
http://www.ibm.com/software/sysmgmt/products/support/NetcoolSystemServiceMonitor.html
Uninstalling if necessary
On Windows, Fix Pack 1 may be uninstalled via Control Panel - Add or Remove Programs. Make sure you check the "Show updates" box for SSM patches to appear in the list. Also ensure that the SSM console and MIB Explorer are not running prior to uninstallation (so that previous file versions may be restored correctly), otherwise the removal process will fail.
On all platforms Fix Pack 1 may also be uninstalled using the "patchman" tool which can be found in the SSM bin directory:
Additional information
Security Bulletins
SSM 4.0.1 FP1 contains fixes to the following 3 Security Bulletins:
- IBM Tivoli Netcool System Service Monitors/Application Service Monitors Local Configuration file Buffer Overflow (CVE-2013-0508)- IBM Tivoli Netcool System Service Monitors/Application Service Monitors Transaction MIB Remote Buffer Overflow due to malformed database table names (CVE-2013-0509)
- IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by multiple OpenSSL vulnerabilities
Netcool/SSM V4.0.1 FP1 is a security update focused on reducing security risks in the default configuration.
Some functionality has changed, and some subagents must now be activated using additional configuration in the agent init.cfg and agent.cfg files. Below is a list of affected components and any extra configuration required to enable previous functionality. If you do not currently use an affected component, leave it in its default, disabled state.
Updated subagents
RMON ProbeConfig Group
Support for the probeDownloadFile, probleDownloadTFTPServer, probeDownloadAction, and probleDownloadStatus objects has been removed. If download functionality is required, configure and use the File Transfer subagent.
haSubagentTable
The haSubagentTable will load subagents only from the agent bin directory.
agentInivarTable
The agentInivarTable is now read-only. It is not possible to set or change INIVARs via SNMP.
Crontab subagent
Process execution from the Crontab subagent is now disabled by default. If you specify a value in the crontabControlExecutionCommand and have not enabled process execution, the row cannot be made active. To enable process execution, add the INIVAR CrontabProcessExecute to init.cfg and set it to true. For example:
CrontabProcessExecute=true
If you do not enable the INIVAR before configuring the Crontab subagent, the following error message is displayed in the agent log file:
Crontab Execution Command has been disabled. To enable it, set CrontabProcessExecute=on in init.cfg
Process subagent
Three objects in the Process sub-agent have been updated
- psRunningState object in the psRunningTable is now read-only. You can no longer kill processes using this table or set them in a suspended state.
- psExecute and psControlActionCommand objects have been disabled unless the ProcessProcessExecute INIVAR exists and is set to true. If this INIVAR does not exist, or it is set to false, the psExecute object does not work, an SNMP error is returned and an error similar to the following example is displayed in the agent log file.
[PROCESS] Attempt to execute process with out INIVAR "ProcessProcessExecute" being enabled. Command "c:\windows\notepad.exe" will not be executed
If the required INIVAR is not enabled in the psControlActionCommand object, the control row cannot enter an active state. It will either stay notReady, or not be created if it is set up using a script. An error similar to the following example is displayed in the agent log.
[PROCESS] Attempt to set psControlActionCommand to "c:\windows\notepad.exe" without the INIVAR "ProcessProcessExecute" being enabled.
Programmable subagent
The Programmable subagent is now disabled by default. To load the subagent, set the ProgrammableAllowLoad INIVAR to true. Add the subagent load programmable command to the agent.cfg file in the Netcool/SSM config directory. If the INIVAR is not defined and set to true, the subagent does not load and the following error message is displayed in the agent log:
Programmable loading has been disabled. To enable it, set ProgrammableAllowLoad=true in init.cfg
Filetransfer subagent
The Filetransfer subagent has had several updates:
- The Filetransfer subagent does not load unless the FiletransferAllowLoad
INIVAR is set and enabled. Add the subagent load filetransfer command to the agent.cfg file in the Netcool/SSM config directory. If you try to load the subagent without first enabling the INIVAR, the following error message is displayed in the agent log:
File Transfer loading has been disabled. To enable it set FiletransferAllowLoad=true in init.cfg
- The data option in the ftFileBase object has been deprecated. You can no longer specify an arbitrary destination directory to download to.
- A new file transfer host list function enables you to create a list of allowed download hosts. There are three new console commands: fthost add , fthost list , and fthost remove .
Tip: The fthost settings are not saved when the agent is shutdown. To preserve the download list, place these commands in a separate configuration file that is executed at startup.
The syntax of these commands is as shown below:
fthost add address [mask]
fthost remove address [mask]
fthost list
where address is required and is the download server address of the host to be included. You can also specify an address range by combining the address and mask attributes. For example:
fthost add 10.1.2.44
Adds the machine 10.1.2.44 to the download list.
fthost add 10.1.4.0 255.255.255.0
Adds all addresses that start with 10.1.4 to the download list.
fthost list
ADDRESS MASK
------- ----
10.1.2.44 255.255.255.255
10.1.4.0 255.255.255.0
Lists the current download list.
fthost remove 10.1.2.44
Removes the 10.1.2.44 entry from the list.
fthost remove 10.1.4.0 255.255.255.0
Removes the 10.1.4.0 entry from the list.
If a download is attempted from a server that is not in the download list, an error similar to the following is displayed in the agent log file:
[FILETRANSFER] The specified host "10.3.3.2" is not in the allowed hosts list. The download will be failed
Note: If the fthost download list is empty, the Filetransfer subagent will be allowed to download from any server.
Oracle ASM
The Oracle ASM no longer attempts to automatically detect the location of the OCI libraries on the system, but rather requires the location to be provided to the ASM by explicitly setting the OCILibPath INIVAR to the location of the OCI Libraries. The value of this INIVAR should be the absolute path to the OCI Libraries on the system. If the OCILibPath INIVAR is not set, an error is displayed in the agent log file. For example:
[ORACLE] Inivar OCILibPath is not set unable to load Oracle Client Libraries
NTSCM subagent
The ntServicetable is now read only and you can no longer alter the service state or configuration using the ntServiceTableStartType and ntServiceTableControl objects. To change the service state of the ntServiceControlTable, define the NTServiceAllowConfig INIVAR and set it to true.
NTSCM displays the following error messages when trying to configure the ControlTable
NtService Configuration has been disabled. To enable it, set NTServiceAllowConfig=true in init.cfg
Arithmetic subagent
The ability to write strings to files on disk using the -> and ->> operators has been disabled by default. To reinstate this functionality:
1. Create the ArithmeticFileWrite INIVAR and set it to true.
2. Assign a path to the ArithmeticFileWritePath INIVAR. Only files that reside in this path may be written to. Separate multiple directories by the platform specific path separator, a colon (:) for UNIX systems, or a semicolon (;) for Windows systems.
The Arithmetic subagent displays the following error messages if the inivars are absent and trying to use -> and ->> operators:
Arithmetic File Writing has been disabled. To enable it, set ArithmeticFileWrite=on in init.cfg
Arithmetic File Writing has been disabled. To enable it, set ArithmeticFileWritePath to the list of allowable paths in init.cfg
Transaction subagent
If you have upgraded from SSM 4.0.1 to SSM 4.0.1 FP1, the Transaction subagent does not load by default. If you require this subagent, add the following load command to the agent.cfg file:
subagent load transaction
Red Hat Installation requirements
SSM 4.0.1 requires the libstdc++-32-3.2.3 compat libraries and the libstdc++ runtimes to execute on Red Hat Linux 6.x. On 64bit Red Hat systems you may have to install the 64 bit versions of these libraries as well.
Checksums
The SHA1 Checksum of the images are as follows:SHA1(ssm401-fixpack1-aix-ppc.run)= 57d3abb8cf5b6836cd9e0ba9f3375c15e5519bc4
SHA1(ssm401-fixpack1-hpux-ia64.run)= 4253455f3f266cac38d3095dacdbbdaf606a5cd6
SHA1(ssm401-fixpack1-linux-ppc64.run)= 6df3c2ff757053804f15b4798cef3154a8bb5178
SHA1(ssm401-fixpack1-linux-x86_64.run)= 8a487d6e7915ee7b54c82311ad929c1fdb82336e
SHA1(ssm401-fixpack1-linux-x86.run)= 11b9162b98dcff2de819b7b91cb033183ada9c4e
SHA1(ssm401-fixpack1-Multiplatform-DSCFiles.zip)= 11e9f564a3246877ce55fd45594241dd69030b1a
SHA1(ssm401-fixpack1-solaris-sparc.run)= ac81995f31fdd78d86d9a5ec90d9f103a518417a
SHA1(ssm401-fixpack1-solaris-x86.run)= 60d0b38906ba5ccf081520429da25a7233902050
SHA1(ssm401-fixpack1-win32-x86.exe)= ebd3fa522817daa7a9eca2d6a29880dd1282a56a
List of fixes
Task ID | APAR | Fixed in | Release | Description |
alm00293410 | 4.0.1.78 | FP1 | Limit ability of ntServices sub-agent to control and alter windows services. | |
alm00293392 | 4.0.1.70 | FP1 | Secure File Transfer sub-agent | |
alm00293378 | 4.0.1.69 | FP1 | Secure Process sub-agent Process execution and control. | |
alm00293426 | 4.0.1.67 | FP1 | Limit ability of the arithmetic sub-agent to write to files. | |
alm00293917 | IV39829 | 4.0.1.67 | FP1 | `INIT.SSMAGENT SCRIPT START` SHOULD RETURN 0 WHEN IT IS ALREADY RUNNING (APAR=IV39829) |
alm00293349 | 4.0.1.66 | FP1 | Remedy RMON Probe Config Security Issues. | |
alm00293357 | 4.0.1.66 | FP1 | Make haSubagentTable only load libraries from the Agent Bin Directory. | |
alm00293364 | 4.0.1.66 | FP1 | Make AgentIniVar table Read Only | |
alm00293417 | 4.0.1.66 | FP1 | MIB2 ifTable should not be able to control interface status. | |
alm00293319 | 4.0.1.65 | FP1 | AppScan Remediate transaction/decode snprint errors | |
alm00293371 | 4.0.1.65 | FP1 | Secure process execution from Crontab sub-agent. | |
alm00293385 | 4.0.1.65 | FP1 | Stop programmable Loading by default. | |
alm00293399 | 4.0.1.65 | FP1 | Limit Oracle Wrapper libraries to loading OCI libraries from Specified Directory | |
alm00293248 | 4.0.1.62 | FP1 | BufferOverflow.FormatString Vulnerabilities need to be resolved. | |
alm00293158 | 4.0.1.61 | FP1 | AppScan SetSecurityDescriptorDacl Calls Should specify a ACL | |
alm00293272 | 4.0.1.61 | FP1 | AppScan BufferOverflow in Memcpy Calls | |
alm00292456 | 4.0.1.60 | FP1 | Make LoadLibrary calls on windows not use a path lookup. | |
alm00292348 | IV38114 | 4.0.1.56 | FP1 | Upgrade to OpenSSL 1.0.1e |
alm00291996 | 4.0.1.53 | FP1 | TransactionEnumTable is writeable. Make it read only. | |
alm00289390 | IV36116 | 4.0.1.52 | FP1 | SSM INIT.SSMAGENT FAILS TO FIND ITSELF WHEN STARTED AS A SYMLINK -> RELATIVE SYMLINK -> EXE (APAR=IV36116) |
alm00291523 | IV38113 | 4.0.1.52 | FP1 | Buffer Overflow in hive library can crash the agent. |
alm00291931 | IV37604 | 4.0.1.52 | FP1 | SSM HRSTORAGEUSED PHYSICAL MEMORY IS INCORRECTLY CALCULATED ON AIX (APAR=IV37604) |
alm00291971 | IV38112 | 4.0.1.52 | FP1 | Transaction Sub-Agent Oracle decoder can crash when it encounters a Malformed Packet |
alm00292462 | IV36665 | 4.0.1.40 | FP1 | APAR IV36665: SSM FILEMON SUBAGENT CAN FAIL TO ACTIVATE ROW IF FILESYSTEM FAILS STATFS |
alm00293097 | IV31463 | 4.0.1.40 | FP1 | ON SOME SOLARIS SYSTEMS DISKS THE SSM CAN MARK DISK DEVICES AS DOWN INCORRECTLY. (APAR=IV31463) |
Document change history
Version | Date | Description of change |
0.1 | 29 May 2013 | Pending Release |
1.0 | 31 May 2013 | Initial Release |
1.1 | 17 June 2013 | Added Security Bulletin Links |
Was this topic helpful?
Document Information
Modified date:
17 June 2013
UID
isg400001530