Fix Readme
Content
Readme file for: 7.4.0.0-TIV-CAMRT-IF0029
Product/Component Release: 7.4.0.0
Update Name: 7.4.0.0-TIV-CAMRT-IF0029
Fix ID: 7.4.0.0-TIV-CAMRT-AIX-IF0029, 7.4.0.0-TIV-CAMRT-LINUX-IF0029, 7.4.0.0-TIV-CAMRT-WINDOWS-IF0029
Publication Date: 23 Apr 2015
Last modified date: 23 Apr 2015
Installation information
Download location
The information included in this document is published at product release time. For the latest updates on this release please refer to the on-line document:
To download this update you must first log in to IBM Fix Central. Once logged in, you may select from the individual download packages. HPUX and Solaris downloads are no longer provided.
http://www.ibm.com/eserver/support/fixes/
Below is a list of components, platforms, and file names that apply to this Readme file.
Product/Component Name: | Platform: | Fix: |
---|---|---|
Tivoli Composite Application Manager for Transactions | AIX | 7.4.0.0-TIV-CAMRT-AIX-IF0029 |
Tivoli Composite Application Manager for Transactions | Linux | 7.4.0.0-TIV-CAMRT-LINUX-IF0029 |
Tivoli Composite Application Manager for Transactions | Windows | 7.4.0.0-TIV-CAMRT-WINDOWS-IF0029 |
Prerequisites and co-requisites
This upgrade for the Robotic Response Time agents, which are part of ITCAM for Transactions: Response Time, may be applied to the following base versions.
- 7.1.0.x - AIX, Windows, Linux
- 7.2.0.x - AIX, Windows, Linux
- 7.3.0.x - AIX, Windows, Linux
- 7.4.0.x - AIX, Windows, Linux
- Supported base versions include interim fixes applied to any of the above release levels.
This patch replaces the JRE 6.0 shipped with the Robotic Response Time (T6) agent, bringing it to the latest level. This remediates multiple security issues.
This patch is applicable for T6 agents:
- versions 7.4.0.x, 7.3.0.x, 7.2.0.x and 7.1.0.x
- Windows, AIX and Linux platforms.
7.1, 7.2, 7.3 and 7.4 agents all need to update the java60 JRE. 7.4 and 7.3.0.1-LA2 and later agents also need to disable RC4 in the java70 JRE. These variations are noted in the installation steps below.
Any customisations made to the existing JREs need to be preserved. Since these JREs are product specific (i.e. only used by the T6 agent), there should be at most one customisation, as instructed by IBM support, which is to enable strong encryption by updating the JRE's encryption policy (see technote in Related material).
After the patch, the Java versions will be:
- Java 6.0 SR16 FP3+IV70681+IV71888
- Java 7.0 SR8 FP10
Related material:
The RC4 "Bar Mitzvah" Attack for SSL/TLS
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
Details on Strong Encryption keys
http://www-01.ibm.com/support/docview.wss?uid=swg21695474
Installation information
Before Installing
Validate that the pre-existing Java runtimes are older than the ones delivered in this IFix.
The RRT Agent's Java runtimes are located in:
- Windows:
  - java60: $ITMHOME\tmaitm6\java60
  - java70: $ITMHOME\tmaitm6\java70 - only in 7.3.0.1-LA2 and later
- Unix:
  - java60: $ITMHOME/tmaitm6/java60
  - java70: $ITMHOME/tmaitm6/java70 - only in 7.3.0.1-LA2 and later
Check their versions, for example:
    C:\ibm\itm\TMAITM6> .\java70\jre\bin\java.exe -version
    java version "1.7.0"
    Java(TM) SE Runtime Environment (build pwi3270sr7fp1-20140712_01(SR7 FP1))
    IBM J9 VM (build 2.6, JRE 1.7.0 Windows 7 x86-32 20140627_204598 (JIT enabled, AOT enabled)
    J9VM - R26_Java726_SR7_20140627_0924_B204598
    JIT - r11.b06_20140409_61252.04
    GC - R26_Java726_SR7_20140627_0924_B204598
    J9CL - 20140627_204598)
    JCL - 20140707_01 based on Oracle 7u65-b16
Installing
Notes
- If you have updated the T6 JRE to use strong encryption, you must migrate the policy files to the new JREs. The two files are:
    \lib\security\local_policy.jar
    \lib\security\US_export_policy.jar
  http://www-01.ibm.com/support/docview.wss?uid=swg21245273
- Back up existing java
  - Stop the T6 agent
  - Back up the existing Java JREs, for example:
      > c:
      > cd c:\ibm\itm\tmaitm6\
      > move java60 java60.old
- Replace the JREs
  - Unzip/untar the archive to the same directory. After unarchiving, your directory structure should look like this, for example:
      c:\IBM\ITM\TMAITM6>dir java*
      Volume in drive C has no label.
      Volume Serial Number is 44AB-01FC
      Directory of c:\IBM\ITM\TMAITM6
      29/05/2013 02:02 PM <DIR> java60
      12/03/2012 04:08 PM <DIR> java60.old
      29/05/2013 02:04 PM <DIR> java70
      0 File(s) 0 bytes
      3 Dir(s) 30,808,731,648 bytes free
- Disable RC4 in the java70 JRE (this step only needs to be done for 7.4 and 7.3.0.1-LA2 and later agents)
  - Open $ITMHOME\tmaitm6\java70\jre\lib\security\java.security
  - Add RC4 to the list of disabled algorithms defined by jdk.tls.disabledAlgorithms:
      jdk.tls.disabledAlgorithms=SSLv3, RC4
  - Save the change
- Validate the updated JRE version/function
  - Check the version number of JRE 6.0, for example:
      > c:
      > cd c:\ibm\itm\tmaitm6
      > java60\jre\bin\java.exe -version
      java version "1.6.0"
      Java(TM) SE Runtime Environment (build pxi3260sr16fp3ifix-20150407_01(SR16 FP3+IV70681+IV71888))
      IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux x86-32 jvmxi3260sr16-20141216_227499 (JIT enabled, AOT enabled)
      J9VM - 20141216_227499
      JIT - r9_20140523_64469ifx3
      GC - GA24_Java6_SR16_20141216_1020_B227499)
      JCL - 20141216_01
      > java70\jre\bin\java.exe -version
      java version "1.7.0"
      Java(TM) SE Runtime Environment (build pwi3270sr8fp10ifix-20150313_01(SR8 FP10+IV70681))
      IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2008 R2 x86-32 20141216_227497 (JIT enabled, AOT enabled)
      J9VM - R26_Java726_SR8_20141216_0955_B227497
      JIT - r11.b07_20141003_74578.05
      GC - R26_Java726_SR8_20141216_0955_B227497
      J9CL - 20141216_227497)
      JCL - 20141217_01 based on Oracle jdk7u75-b12
  - Restart Agent and ensure RPT Script playback works.
- (Optional) Delete the backup java runtimes.
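For the AIX and Linux agents, the "Disable RC4 in java70 JRE" step above can be applied and re-checked with a small script. This is an added example, not part of IBM's readme or fix package; the Unix path `$ITMHOME/tmaitm6/java70/jre/lib/security/java.security` is assumed by analogy with the Windows path given above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's script: ensure RC4 is listed in
# jdk.tls.disabledAlgorithms of a java.security file.
# Prints "unchanged" or "updated" and returns 0 on success; returns 2 and
# leaves the file as it was if it cannot safely edit it.
PROP='jdk.tls.disabledAlgorithms'
PROP_RE='jdk\.tls\.disabledAlgorithms'

# Print the last active (uncommented) definition of the property, if any.
active_line() {
    grep -E "^[[:space:]]*${PROP_RE}[[:space:]]*[=:]" "$1" | tail -n 1
}

# Succeed if RC4 is a whole entry in the active comma-separated value.
rc4_disabled() {
    active_line "$1" | sed 's/^[^=:]*[=:]//' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qix 'RC4'
}

ensure_rc4_disabled() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }
    if rc4_disabled "$file"; then echo unchanged; return 0; fi
    line=$(active_line "$file")
    case $line in
        *\\) echo "value uses a line continuation; edit by hand" >&2
             return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 2   # keep the pre-change file
    if [ -z "$line" ]; then
        # Property not set: add the line given in the readme.
        printf '%s=SSLv3, RC4\n' "$PROP" >> "$file"
    else
        # Property set without RC4: append RC4 to the existing list.
        sed "s/^\([[:space:]]*${PROP_RE}[[:space:]]*[=:].*[^[:space:]]\)[[:space:]]*\$/\1, RC4/" \
            "$file.bak" > "$file"
    fi
    if rc4_disabled "$file"; then echo updated; return 0; fi
    cp -p "$file.bak" "$file"               # roll back a failed edit
    echo "could not add RC4 to $PROP" >&2
    return 2
}

# Usage: sh this_script.sh "$ITMHOME/tmaitm6/java70/jre/lib/security/java.security"
if [ $# -gt 0 ]; then ensure_rc4_disabled "$1"; fi
```

Running it a second time prints "unchanged", which doubles as the post-change check before the agent is restarted.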
Additional information
The Secure Hash Algorithm 1 (SHA1) checksums of the images are as follows:
7.4.0.0-TIV-CAMRT-AIX-IF0029.tar 8a2b4b39efe96c89a8031aa8d45b20275bfb2ff6
7.4.0.0-TIV-CAMRT-Linux-IF0029.tar b82c436aa02f2cc07b91e0cfe1e6345b792022a1
7.4.0.0-TIV-CAMRT-Windows-IF0029.zip e8112a78a7fa24523cd122c128798b60b019fa21
List of fixes
A) APAR Content:
N/A
B) Additional Non APAR Defects:
27689 PSIRT 3058 CVSS 5.0 Record 53919 - RC4 vulnerability - Reported in 03/26/2015 X-Force Report
C) Enhancements
N/A
Document change history
Version | Date | Description of change |
---|---|---|
1.0 | 1 Apr 2015 | Initial Version |
Document Information
Modified date: 29 April 2015
UID: isg400002131