Fix Readme
Abstract
Readme file for: 7.4.0.1-TIV-CAMRT-IF0052
Product/Component Release: 7.4.0.1
Update Name: 7.4.0.1-TIV-CAMRT-IF0052
Fix ID: 7.4.0.1-TIV-CAMRT-AIX-IF0052, 7.4.0.1-TIV-CAMRT-LINUX-IF0052, 7.4.0.1-TIV-CAMRT-WINDOWS-IF0052
Publication Date: 1 Apr 2021
Last modified date: 1 Apr 2021
Description: This IFIX contains a Java update for IBM SDK, Java Technology Edition Quarterly CPU - Jan 2021. It includes the Oracle Jan 2021 CPU plus CVE-2020-27221.
Content
Download location
Below is a list of components, platforms, and file names that apply to this Readme file.
Product/Component Name: | Platform: | Fix: |
---|---|---|
Tivoli Composite Application Manager for Transactions | AIX | 7.4.0.1-TIV-CAMRT-AIX-IF0052 |
Tivoli Composite Application Manager for Transactions | Linux | 7.4.0.1-TIV-CAMRT-LINUX-IF0052 |
Tivoli Composite Application Manager for Transactions | Windows | |
Prerequisites and co-requisites
This upgrade for the Robotic Response Time agent, which is part of ITCAM for Transactions: Response Time, may be applied to the following base versions. It must be applied to a machine on which the Robotic Response Time agent has been installed.
- 7.4.0.1 - AIX, Linux, Windows
- 7.4.0.2 - AIX, Linux, Windows
- Supported base versions include interim fixes applied to any of the above release levels.
- This interim fix is a quarterly SDK update. The update replaces the Java SDK without changing the product version. This interim fix may be applied to versions 7.4.0.1 and 7.4.0.2.
This patch replaces the two JREs shipped with the Robotic Response Time (T6) agent, bringing them to the latest level. This remediates multiple security issues.
This patch is applicable for T6 agents:
- version 7.4.0.1
- version 7.4.0.2
- Windows, AIX and Linux platforms.
The T6's JREs are only used when playing back Rational Performance Tester (RPT) scripts, so they are not available on Solaris and HPUX (RPT playback is not supported on Solaris and HPUX). The 7.4 agent needs to update the java80 and java70 JREs. These variations are noted in the installation steps below. Any customisations made to the existing JREs need to be preserved. Since these JREs are product specific (i.e. only used by the T6 agent), there can be at most one customisation, as instructed by IBM support, which is to enable strong encryption by updating the JRE's encryption policy (see the technote in Installing).
This patch only includes java70 and java80 updates. After the patch, the Java versions will be:
- Java 7.0 SR10 FP80
- Java 8.0 SR06 FP26
Related material:
This interim fix is a cumulative JAVA upgrade for JAVA PSIRT. Updates in these releases are included in this upgrade.
- 7.4.0.1 - IF0005
- 7.4.0.1 - IF0007
- 7.4.0.1 - IF0009
- 7.4.0.1 - IF0012
- 7.4.0.1 - IF0015
- 7.4.0.1 - IF0018
- 7.4.0.1 - IF0021
- 7.4.0.1 - IF0024
- 7.4.0.1 - IF0027
- 7.4.0.1 - IF0030
- 7.4.0.1 - IF0032
- 7.4.0.1 - IF0033
- 7.4.0.1 - IF0034
- 7.4.0.1 - IF0039
- 7.4.0.1 - IF0041
- 7.4.0.1 - IF0047
- 7.4.0.1 - IF0049
- 7.4.0.1 - IF0050
- 7.4.0.1 - IF0051
IBM Java SDK Security Bulletin
https://www.ibm.com/support/pages/node/6414721
Installation information
Before Installing
Validate that the pre-existing java70 and java80 are older than the ones delivered in this IFix.
The RRT agent's Java runtimes are located in:
- Windows:
  - java70: $ITMHOME\tmaitm6\java70
  - java80: $ITMHOME\tmaitm6\java80 - only in 7.4.0.1-IF8 and later
- Unix:
  - java70: $ITMHOME/tmaitm6/java70
  - java80: $ITMHOME/tmaitm6/java80 - only in 7.4.0.1-IF8 and later
Check the versions, for example:
C:\ibm\itm\TMAITM6> .\java80\jre\bin\java.exe -version
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 8.0.5.7 - pwi3280sr5fp7-20171216_01(SR5 FP7))
IBM J9 VM (build 2.9, JRE 1.8.0 Windows Server 2008 R2 x86-32 20171215_373586 (JIT enabled, AOT enabled)
OpenJ9 - 5aa401f
OMR - 101e793
IBM - b4a79bf)
JCL - 20171214_01 based on Oracle jdk8u151-b12
Installing
Notes
- If you have updated the T6 JRE to use strong encryption, you must manually back up the policy files and copy them to the new JREs. The two files are:
\lib\security\local_policy.jar
\lib\security\US_export_policy.jar
https://www.ibm.com/support/pages/node/85585
See Technote - Does the RRT agent support TLS 1.1/1.2 and 256-bit ciphers?
https://www.ibm.com/support/pages/node/529695
- Back up existing java70 and java80
- Stop the T6 agent
- Back up the existing Java JREs, for example
> On Windows - cd c:\IBM\ITM\tmaitm6\
> On Linux or Unix - cd /opt/IBM/ITM/tmaitm6
> move java70 java70.old
> move java80 java80.old - only in 7.4.0.1-IF8 and later.
- Replace the JREs
  - Unzip/Untar the archive to the same directory. For example, after unarchiving, your directory structure is:
    Windows - c:\IBM\ITM\TMAITM6>dir java*
    Volume in drive C has no label.
    Volume Serial Number is 44AB-01FC
    Directory of c:\IBM\ITM\TMAITM6
    ........
    29/05/2013 02:04 PM <DIR> java70
    13/02/2013 02:14 PM <DIR> java70.old
    28/08/2016 07:08 PM <DIR> java80
    28/08/2016 07:17 PM <DIR> java80.old
    0 File(s) 0 bytes
    4 Dir(s) 40,808,731,648 bytes free
    Linux or Unix - /opt/IBM/ITM/tmaitm6>ls -dl java*
    ........
    drwxr-xr-x 4 root root 4096 Feb 2 01:10 java70
    drwxr-xr-x 4 root root 4096 Sep 19 14:20 java70.bak
    drwxr-xr-x 4 root root 4096 Feb 2 01:10 java80
    drwxr-xr-x 4 root root 4096 Sep 19 14:20 java80.bak
  - If applicable, copy the following unrestricted policy files from the "java70.old" and "java80.old" directories to the new "java70" and "java80" directories:
    Windows:
    java70.old\lib\security\local_policy.jar to java70\lib\security
    java70.old\lib\security\US_export_policy.jar to java70\lib\security
    java80.old\lib\security\local_policy.jar to java80\lib\security
    java80.old\lib\security\US_export_policy.jar to java80\lib\security
    Linux or Unix:
    java70.bak/lib/security/local_policy.jar to java70/lib/security
    java70.bak/lib/security/US_export_policy.jar to java70/lib/security
    java80.bak/lib/security/local_policy.jar to java80/lib/security
    java80.bak/lib/security/US_export_policy.jar to java80/lib/security
- Validate the updated JRE version/function
  - Check version number of JRE 7.0, for example
    >java70\jre\bin>java.exe -version
    java version "1.7.0"
    Java(TM) SE Runtime Environment (build pwi3270sr10fp80-20210111_01(SR10 FP80))
    IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2016 x86-32 20201228_462617 (JIT enabled, AOT enabled)
    J9VM - R26_Java726_SR10_20201228_1559_B462617
    JIT - r11_20201228_462617
    GC - R26_Java726_SR10_20201228_1559_B462617
    J9CL - 20201228_462617)
    JCL - 20210108_01 based on Oracle jdk7u291-b09
    >java80\jre\bin>java.exe -version
    java version "1.8.0_281"
    Java(TM) SE Runtime Environment (build 8.0.6.26 - pwi3280sr6fp26-20210216_01(SR6 FP26))
    IBM J9 VM (build 2.9, JRE 1.8.0 Windows Server 2019 x86-32-Bit 20210216_465732 (JIT enabled, AOT enabled)
    OpenJ9 - e5f4f96
    OMR - 999051a
    IBM - 358762e)
    JCL - 20210108_01 based on Oracle jdk8u281-b09
- Restart Agent and ensure RPT Script playback works.
- (Optional) Delete the backup java runtimes.
Additional information
The Secure Hash Algorithm 256 (SHA256) checksums of the images are as follows:
7.4.0.1-TIV-CAMRT-AIX-IF0052.tar - 59C2986F5F3E51C28EDCE564CA15BFB4FA9C31D4F7B57BC7207A9FB5748DA0C5
7.4.0.1-TIV-CAMRT-Linux-IF0052.tar - 529BB00E6530AE0706B569DBA28FD79EF4ACAECD5C296270C2771D2337CCF9D6
7.4.0.1-TIV-CAMRT-Windows-IF0052.zip - A6F7BEAD358717594316A4A17BC08887234D7B1E5034D06A41D9517AC2DE955B
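The checksum comparison above and the version and policy-file checks from the installation steps can be scripted on Linux or Unix. This is an added example, not part of the IBM readme: the function names are hypothetical, `sha256sum` is assumed to be installed, and the banner lines are sample input quoted from this readme.

```shell
#!/bin/sh
# Added example (not IBM code): checks for this interim fix on Linux or Unix.
# Function names are hypothetical; sha256sum is assumed to be installed.

# verify_sha256 <file> <published digest>
# The readme prints digests in upper case; sha256sum prints lower case.
verify_sha256() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$(sha256sum < "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# jre_level: read `java -version` text on stdin, print "<SR> <FP>".
# IBM JREs show the service level as "(SR10 FP80)" or "(SR6 FP26)".
jre_level() {
    sed -n 's/.*(SR\([0-9][0-9]*\) FP\([0-9][0-9]*\)).*/\1 \2/p' | head -n 1
}

# level_at_least <SR> <FP> <required SR> <required FP>
level_at_least() {
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# check_jre <java -version text> <required SR> <required FP>
# Returns 0 if patched, 1 if older, 2 if no SR/FP level could be parsed.
check_jre() {
    lvl=$(printf '%s\n' "$1" | jre_level)
    [ -n "$lvl" ] || return 2
    # $lvl is deliberately unquoted so it splits into SR and FP.
    level_at_least $lvl "$2" "$3"
}

# policy_preserved <backup dir> <new dir>
# Call only if strong encryption was enabled: the copied policy jars must
# be byte-identical to the ones in the backup.
policy_preserved() {
    for f in local_policy.jar US_export_policy.jar; do
        cmp -s "$1/lib/security/$f" "$2/lib/security/$f" || return 1
    done
}

# Constructed sample: banner lines quoted from this readme.
old8='Java(TM) SE Runtime Environment (build 8.0.5.7 - pwi3280sr5fp7-20171216_01(SR5 FP7))'
new8='Java(TM) SE Runtime Environment (build 8.0.6.26 - pwi3280sr6fp26-20210216_01(SR6 FP26))'
check_jre "$old8" 6 26 || echo "java80 before the fix: below SR6 FP26"
check_jre "$new8" 6 26 && echo "java80 after the fix: at SR6 FP26"
```

On a live agent, pass `"$(./java80/jre/bin/java -version 2>&1)"` as the first argument to `check_jre`, because `java -version` writes its banner to stderr.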
List of fixes
A) APAR Content:
N/A
B) Additional Non APAR Defects:
Defect 31855: PSIRT PVR0257887 IBM SDK, Java Technology Edition Quarterly CPU - Jan 2021 plus one additional vulnerability
C) Enhancements
N/A
Document change history
Version | Date | Description of change |
---|---|---|
1.0 | 30 Mar 2021 | Initial Version |
Document Information
Modified date: 08 April 2021
UID: ibm16437889