IBM Security Guardium Key Lifecycle Manager Version 4.2 - Fix Pack 2 README

Fix Readme


Abstract

Readme file for IBM Security Guardium Key Lifecycle Manager for distributed and containerized platforms, Version 4.2 Fix Pack 2 (4.2.0.2) including installation instructions, prerequisites and corequisites, and a list of fixes.

Content


Features and fixes
Features
None
Internal fixes

This release includes the fixes for the following issues:

  • Security fixes: The following CVEs have been fixed: CVE-2023-47702, CVE-2023-47703, CVE-2023-47704, CVE-2023-47706, CVE-2023-47705, CVE-2023-47707.
  • IBM Security Guardium Key Lifecycle Manager now includes enhanced support for Key Management Interoperability Protocol (KMIP) 3.0 profile.
  • Multi-master configuration - Improved prerequisite checks around required kernel parameter value on non-Windows operating systems.
  • Multi-master configuration - Improvement and bug fixes around manual takeover.

For more information, see Known issues in IBM Security Guardium Key Lifecycle Manager, Version 4.2.


APAR fixes included in Version 4.2.0.2

APAR No.   Sev.  Abstract
DT245246   3     data.synchronizing.backup.password.obf property on a migrated system does not work.
DT220194   2     SKLM 4.2 fails to install on a server where the first character of the domain name is a number.
DT246299   3     DB2 Community license is installed on Windows 4.2 when it should be Standard edition.
DT202868   3     XIV failing when sending GKLM an empty string for the unique identifier. (APAR originally opened for GKLM 4.1.1)
DT210787   3     DB2 connection pool exhausted by KMIP LOCATE requests. (APAR originally opened for GKLM 4.1.1)
DT211686   3     Duplicate alias during NetApp concurrent key register request. (APAR originally opened for GKLM 4.1.1)
DT245492   3     Unable to authenticate with LDAP user. (APAR originally opened for GKLM 4.1.1)

APAR fixes included in Version 4.2.0.1

None

Upgraded middleware
  • WebSphere Application Server Liberty 23.0.0.9
  • IBM SDK Java Technology Edition 8.0.8.10
Download instructions
  1. Go to IBM Fix Central home page: http://www.ibm.com/support/fixcentral/
  2. In the Product selector field, type IBM Security Key Lifecycle Manager, and select the product name when it appears.
  3. From the Installed Version list, select IBM Security Guardium Key Lifecycle Manager 4.2 version.
  4. From the Platform list, select the appropriate platform, and click Continue.
  5. On the Identify Fixes page, ensure that the Browse for Fixes is selected, and click Continue.
  6. On the Select Fixes page, select fix pack 4.2.0-ISS-GKLM-FP0002, and click Continue.
    You might be prompted to Sign In. If you do not have an ID, click the Register now link and follow the registration steps.
  7. On the Download options page, select a download method (default is Download using Download Director).
  8. Select the associated files and README for fix pack: 4.2.0-ISS-GKLM-FP0002 and click Download now.

Fix pack files checksum

Fix pack files checksum for IBM Security Guardium Key Lifecycle Manager traditional

Product/Component name: IBM Security Guardium Key Lifecycle Manager 4.2.0.2 (all rows)

Platform         File name                                Checksum (MD5)
AIX              4.2.0-ISS-GKLM-FP0002-AIX.tar.gz         16a86b4b96d2f5363bad1d31092c3a3c
Linux            4.2.0-ISS-GKLM-FP0002-Linux.tar.gz       8232bd2a3c7e184289be40b7441b6c48
zLinux (IBM Z)   4.2.0-ISS-GKLM-FP0002-zLinux.tar.gz      639e80a7c97ad06ecac104fda30cc525
Linux PPC        4.2.0-ISS-GKLM-FP0002-LinuxPPC.tar.gz    f2ae38b959d971804c2cdde33d650005
Windows          4.2.0-ISS-GKLM-FP0002-Windows.zip        9f4dbb8cae4987ae11904b29786bf08a

Command (UNIX/Linux): md5sum FileName.tar.gz
For example: md5sum 4.2.0-ISS-GKLM-FP0002-AIX.tar.gz
Sample output:
16a86b4b96d2f5363bad1d31092c3a3c 4.2.0-ISS-GKLM-FP0002-AIX.tar.gz

Command (Windows): certutil -hashfile FileName.zip md5
For example: certutil -hashfile 4.2.0-ISS-GKLM-FP0002-Windows.zip md5
Sample output:
MD5 hash of file 4.2.0-ISS-GKLM-FP0002-Windows.zip: 9f4dbb8cae4987ae11904b29786bf08a
CertUtil: -hashfile command completed successfully.

Fix pack files checksum for IBM Security Guardium Key Lifecycle Manager container

Product/Component name: IBM Security Guardium Key Lifecycle Manager 4.2.0.2 (all rows)

Platform         File name                Checksum (MD5)
Linux PPC        sklm4202-ppc64le.tar     51de94016e32130477e70fc715af615d
zLinux (IBM Z)   sklm4202-s390x.tar       b1d867f2ec898466dc0fb8133346c524
x86_64           sklm4202-x86_64.tar      44c29bb46d08785c6d5cf4c25beb7361

Command (UNIX/Linux): md5sum FileName.tar
For example: md5sum sklm4202-ppc64le.tar
Sample output:
51de94016e32130477e70fc715af615d sklm4202-ppc64le.tar
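The checksum step above, as an added example rather than an IBM-supplied tool: a POSIX shell script that looks up the MD5 published in the two tables for a downloaded archive, computes the file's digest with md5sum (or openssl where md5sum is absent, as on AIX), and refuses a mismatch. It assumes the downloaded file still carries the file name listed on this page; a match confirms the download is byte-identical to the file the published value was taken from.

```shell
#!/bin/sh
# Verify a downloaded GKLM 4.2.0.2 fix pack archive against the MD5 values
# published in the checksum tables above. Added example, not an IBM script.

# Published "file-name md5" pairs, copied from the tables on this page.
EXPECTED_MD5='
4.2.0-ISS-GKLM-FP0002-AIX.tar.gz 16a86b4b96d2f5363bad1d31092c3a3c
4.2.0-ISS-GKLM-FP0002-Linux.tar.gz 8232bd2a3c7e184289be40b7441b6c48
4.2.0-ISS-GKLM-FP0002-zLinux.tar.gz 639e80a7c97ad06ecac104fda30cc525
4.2.0-ISS-GKLM-FP0002-LinuxPPC.tar.gz f2ae38b959d971804c2cdde33d650005
4.2.0-ISS-GKLM-FP0002-Windows.zip 9f4dbb8cae4987ae11904b29786bf08a
sklm4202-ppc64le.tar 51de94016e32130477e70fc715af615d
sklm4202-s390x.tar b1d867f2ec898466dc0fb8133346c524
sklm4202-x86_64.tar 44c29bb46d08785c6d5cf4c25beb7361
'

# Print the lowercase MD5 of a file: md5sum where present (Linux), openssl otherwise (AIX).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print tolower($1) }'
    else
        openssl dgst -md5 "$1" | awk '{ print tolower($NF) }'
    fi
}

# Print the published MD5 for a file name; print nothing if the name is not in the table.
expected_md5() {
    printf '%s\n' "$EXPECTED_MD5" | awk -v f="$1" '$1 == f { print $2 }'
}

# Compare a file's digest with an expected value (case-insensitive): 0 on match, 1 otherwise.
md5_matches() {
    actual=$(file_md5 "$1")
    [ "$actual" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Verify a downloaded archive by its file name.
# Returns 0 on match, 1 on mismatch, 2 if the name is not listed on this page.
verify_fixpack() {
    path=$1
    name=$(basename "$path")
    want=$(expected_md5 "$name")
    if [ -z "$want" ]; then
        echo "$name: no published checksum on this page" >&2
        return 2
    fi
    if md5_matches "$path" "$want"; then
        echo "$name: OK ($want)"
        return 0
    fi
    echo "$name: MISMATCH, expected $want, got $(file_md5 "$path"); do not install this file" >&2
    return 1
}
```

Run it as `verify_fixpack /path/to/4.2.0-ISS-GKLM-FP0002-Linux.tar.gz` from the download directory; the exit status is usable in an unattended download pipeline.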


Known limitations and issues

Known limitations

  • Rollback of installed fix pack is not supported.
  • Unable to apply the fix pack if 4.2 GA is enabled with TLSv1.3.
    Workaround: Enable TLSv1.2 and then apply the fix pack.

Known issues

  • (Applicable for Windows) In an LDAP or OIDC configured setup, GKLM 4.2.0.2 UI becomes inaccessible after you disable file-based authentication and restart the server. The following error is displayed after the server restart:
    An error occurred while processing request.
    Workaround:
    1. Locate the server.xml file and open it for editing. You can find server.xml at the following location:
      WAS_HOME\usr\servers\defaultServer\
      For example,
      C:\Program Files\IBM\WebSphere\Liberty\usr\servers\defaultServer\
    2. Add the following element in the server.xml file after </featureManager>:
      <authentication id="Basic" cacheEnabled="false" />
    3. Restart the server. For instructions, see Restarting the IBM Security Guardium Key Lifecycle Manager server.

Installation instructions
Prerequisites
Applicable to all operating systems and platforms
  • Ensure that IBM Security Guardium Key Lifecycle Manager, Version 4.2 GA (4.2.0) or 4.2 Fix Pack 1 (4.2.0.1) is already installed.
  • Ensure that IBM Security Guardium Key Lifecycle Manager is not in use.
  • Back up the IBM Security Guardium Key Lifecycle Manager server. For instructions, see Configuring backup and restore.
  • Ensure that the /tmp directory does not contain klmPrev.properties. If it is present, rename or remove this file before you start applying the fix pack. Also, ensure that the /tmp directory has the required permissions and is not mounted with noexec set.
  • Ensure that umask is set to 0022.
  • Back up the WebSphere Liberty files.
    1. Open a command line.
    2. Stop WebSphere Liberty.
      • Windows
        WAS_HOME\bin\stopServer.bat
      • Linux
        WAS_HOME/bin/stopServer.sh
    3. Make a temporary directory.
      • Windows
        mkdir WAS_BACKUP_DIRECTORY
        For example: mkdir C:\wasbackup
      • Linux
        mkdir WAS_BACKUP_DIRECTORY
        For example: mkdir /tmp/wasbackup
    4. Change directory to the temporary directory.
      • Windows
        cd C:\wasbackup
      • Linux
        cd /tmp/wasbackup
    5. Copy or archive the files from the directory where WebSphere Liberty is installed.
      • Windows
        xcopy /y /e /d WAS_HOME C:\wasbackup
      • Linux
        tar -cvf wasbackup.tar WAS_HOME/*
    6. Start WebSphere Liberty.
      • Windows
        WAS_HOME\bin\startServer.bat
      • Linux
        WAS_HOME/bin/startServer.sh
Applicable to Linux/Ubuntu/AIX
  • On Ubuntu, run the following command as root user:

    ln -s DB_INSTANCE_HOME/gklm42properties/ $HOME/gklm42properties

    Where, DB_INSTANCE_HOME is the directory that contains the Db2 database instance for IBM Security Guardium Key Lifecycle Manager.

    For example,

    ln -s /home/klmdb42/gklm42properties/ $HOME/gklm42properties

  • On Linux for System z servers, ensure that the GTK 2 libraries are installed. Also, add the following parameter to the IM_INSTALL_DIR/eclipse/IBMIM.ini file, just before the "--launcher.appendVmargs" line:
    --launcher.GTK_version
    2
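The Linux/AIX prerequisites above (umask 0022, no stale klmPrev.properties in /tmp, /tmp not mounted noexec, and on Ubuntu the $HOME/gklm42properties symlink) as an added pre-flight script; this is example code, not an IBM-supplied check. It assumes findmnt or /proc/mounts is available for the noexec check, and that DB_INSTANCE_HOME is passed as the first argument (for example /home/klmdb42).

```shell
#!/bin/sh
# Pre-flight checks for the Linux/AIX prerequisites listed above, run before
# applying GKLM 4.2 Fix Pack 2. Added example, not an IBM-supplied script.

# Return 0 if the current umask is 0022, as the prerequisites require.
check_umask() {
    cur=$(umask)
    [ "$cur" = "0022" ] || [ "$cur" = "022" ]
}

# Return 0 if no stale klmPrev.properties is present in DIR (default /tmp).
check_stale_props() {
    dir=${1:-/tmp}
    if [ -e "$dir/klmPrev.properties" ]; then
        echo "$dir/klmPrev.properties exists: rename or remove it before applying the fix pack" >&2
        return 1
    fi
}

# Return 0 if the filesystem holding DIR (default /tmp) is not mounted with noexec.
# Uses findmnt where available, otherwise the longest matching mount point in /proc/mounts.
check_no_noexec() {
    dir=${1:-/tmp}
    opts=""
    if command -v findmnt >/dev/null 2>&1; then
        opts=$(findmnt -no OPTIONS --target "$dir" 2>/dev/null)
    elif [ -r /proc/mounts ]; then
        opts=$(awk -v d="$dir" '{ m = $2
            if (m == "/" || d == m || index(d, m "/") == 1)
                if (length(m) > best) { best = length(m); o = $4 } }
            END { print o }' /proc/mounts)
    fi
    case ",$opts," in
        *,noexec,*) echo "$dir is mounted noexec" >&2; return 1 ;;
    esac
}

# Return 0 if $HOME/gklm42properties is a symlink to DB_INSTANCE_HOME/gklm42properties
# (the Ubuntu step above). Paths are compared physically, so symlinked parents do not matter.
check_props_link() {
    target="$1/gklm42properties"
    link="$HOME/gklm42properties"
    [ -d "$target" ] || { echo "$target not found; check DB_INSTANCE_HOME" >&2; return 1; }
    [ -L "$link" ] || { echo "$link is not a symlink; run: ln -s $target/ $link" >&2; return 1; }
    [ "$(cd -P "$link" && pwd)" = "$(cd -P "$target" && pwd)" ]
}

# Run every check; argument 1 is DB_INSTANCE_HOME (needed on Ubuntu, optional elsewhere).
preflight() {
    rc=0
    check_umask || { echo "umask is $(umask); set it to 0022" >&2; rc=1; }
    check_stale_props /tmp || rc=1
    check_no_noexec /tmp || rc=1
    if [ -n "$1" ]; then check_props_link "$1" || rc=1; fi
    return $rc
}
```

Run `preflight /home/klmdb42` as the user who will start the installer; a non-zero exit means at least one prerequisite above is not met.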
Installation steps
Depending on your setup, see the relevant section:

Installing the fix pack on GKLM traditional

You can use one of the following modes to install a fix pack:

Graphical mode

Complete the following instructions:
  1. Download the fix pack installer files. For instructions, see Download instructions.
  2. Extract the installer files to a folder of your choice.
  3. Open a command line.
  4. Change the directory to the directory where you extracted the fix pack installer files.
  5. Run the following command to launch the Installation Manager:
    • Windows

      updateSKLM.bat IM_INSTALL_LOCATION WAS_HOME
      For example:
      updateSKLM.bat "C:\Program Files\IBM\Installation Manager" "C:\Program Files\IBM\WebSphere\Liberty"
    • Linux

      chmod +x ./updateSKLM.sh
      
      ./updateSKLM.sh IM_INSTALL_DIR WAS_HOME
      For example:
      ./updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/Liberty
  6. In the Update Packages pane, select the Update all packages (mandatory) with recommended updates and recommended fixes checkbox. Click Next.
  7. Read the license agreement carefully. If okay, accept the license agreement. Click Next.
  8. In the WebSphere Liberty configuration window, do not select the checkbox to connect to the online IBM WebSphere Liberty Repository. Click Next.
  9. Installation Manager fetches the assets and lists all the fixes and features to be installed. Click Next.
  10. In the Update Packages Configuration for IBM Security Guardium Key Lifecycle Manager v4.2.0.2 pane:
    • Enter Username and Password for IBM Security Guardium Key Lifecycle Manager Application Administrator.
    • Enter Username and Password for IBM Db2 user.
  11. Click Validate Credentials. Validation might take a few minutes. Wait until the Next button is enabled. Click Next.
  12. In the Update Packages > Summary pane, review the software packages that you want to install, and click Update. After Installation Manager successfully updates the fix pack for the services that you select, a message is displayed.

Silent mode

Complete the following instructions:
  1. Download the fix pack installer files. For instructions, see Download instructions.
  2. Go to the directory where you extracted the fix pack installation files.
  3. Open the /sklm directory, which is within the directory where the fix pack is extracted. It contains the response file (SKLM_Silent_Update_platform_Resp.xml) that you need to edit for the installation.
  4. Locate the response file and create a backup copy of it.
    For example: SKLM_Silent_Update_platform_Resp_original.xml.
  5. Open the response file SKLM_Silent_Update_platform_Resp.xml for editing, and edit the relevant elements as described in the following steps.
  6. Edit the repository location to point to the current location of the installer.
    • Windows
      <repository location='C:\sklminstall_windowsfp\wasfp\repository.config'/>
      <repository location='C:\sklminstall_windowsfp\sklmwasfp\repository.config'/>
    • Linux
      <repository location='/sklminstall_linuxfp/wasfp/repository.config'/>
      <repository location='/sklminstall_linuxfp/sklm/repository.config'/>
      
  7. Edit GKLM Administrator username and password. The password must be encrypted. To encrypt the password, see Encrypting a password.
    • Windows
      <data key='user.SKLM_ADMIN_USER,com.ibm.gklm42.win' value='SKLMAdmin'/>
      <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.gklm42.win' value='9YTRJMRIydDSdfhaHPs1ag=='/>
    • Linux
      <data key='user.SKLM_ADMIN_USER,com.ibm.gklm42.linux' value='SKLMAdmin'/>
      <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.gklm42.linux' value='9YTRJMRIydDSdfhaHPs1ag=='/>
  8. Edit Db2 username and password. The password must be encrypted. To encrypt the password, see Encrypting a password.
    • Windows
      <data key='user.DB_ADMIN_USER,com.ibm.gklm42.win' value='klmdb42'/>
      <data key='user.DB_ADMIN_PASSWORD,com.ibm.gklm42.win' value='QTh/0AiFvrljhs9gnOYkGA=='/>
    • Linux
      <data key='user.DB_ADMIN_USER,com.ibm.gklm42.linux' value='klmdb42'/>
      <data key='user.DB_ADMIN_PASSWORD,com.ibm.gklm42.linux' value='9YTRJMRIydDSdfhaHPs1ag=='/>
  9. Open a command line, and change directory to the directory where the installer files are extracted.
  10. Run the following command:
    • Windows
      silent_updateSKLM.bat IM_INSTALL_DIR WAS_HOME
      For example:
      silent_updateSKLM.bat "C:\Program Files\IBM\Installation Manager" "C:\Program Files\IBM\WebSphere\Liberty"
    • Linux
      chmod +x ./silent_updateSKLM.sh
      ./silent_updateSKLM.sh IM_INSTALL_DIR WAS_HOME
      For example:
      chmod +x ./silent_updateSKLM.sh
      ./silent_updateSKLM.sh /opt/IBM/InstallationManager /opt/IBM/WebSphere/Liberty
Encrypting a password
Generate an encrypted password. To do so, follow these steps:
  1. Open a command line.
  2. Change directory to the IM_INSTALL_DIR/eclipse/tools directory.
  3. Run the following command: imcl.exe encryptString password_to_encrypt
  4. An encrypted password is generated.

Installing the fix pack on a Multi-Master setup


Prerequisites 

If the original primary master server is acting as a standby master server, promote it to primary, and then install the fix pack. Otherwise, the database updates are not applied to the cluster.

To promote a master server to primary, see Promote to primary. 

To install the fix pack
  1. Stop WebSphere Liberty on all the master servers, in any sequence.
    1. Open a command line.
    2. Go to the WAS_HOME\bin directory.
      Windows
      C:\Program Files\IBM\WebSphere\Liberty\bin
      Linux
      /opt/IBM/WebSphere/Liberty/bin
    3. Stop the IBM Security Guardium Key Lifecycle Manager server.
      Windows
      stopServer.bat
      Linux
      ./stopServer.sh
  2. Stop Agent on all the master servers, in any sequence.
    1. Open a command line.
    2. Go to the GKLM_INSTALL_HOME\agent directory.
      Windows
      C:\Program Files\IBM\GKLMV42\agent
      Linux
      /opt/IBM/GKLMV42/agent
    3. Stop the Agent.
      Windows
      stopAgent.bat WAS_HOME
      For example: stopAgent.bat "C:\Program Files\IBM\WebSphere\Liberty"
      Linux
      ./stopAgent.sh WAS_HOME
      For example: ./stopAgent.sh /opt/IBM/WebSphere/Liberty
  3. Apply the fix pack on each master server and verify the installation.
    Complete this step in the following sequence:
    • Primary master server
    • Principal standby master server
    • Auxiliary standby master servers
    For steps to install the fix pack, see Installing the fix pack.
    To verify the installation:
    • Log in to IBM Security Guardium Key Lifecycle Manager and check the version number.
    • Ensure that the master server is running and available for use.
Installing the fix pack on GKLM container

Depending on your platform, see the relevant section:

Installing on a Kubernetes cluster

Install IBM Security Guardium Key Lifecycle Manager container V4.2.0.2 (target).

In the Helm charts, ensure that you configure the same database and volume details that were referenced by the earlier container (source).

For more information, see Install on a Kubernetes cluster.

Installing on a Red Hat OpenShift Container Platform cluster

Install IBM Security Guardium Key Lifecycle Manager container V4.2.0.2 (target).

In the Helm charts, ensure that you configure the same database and volume details that were referenced by the earlier container (source).

For more information, see Install on a Red Hat OpenShift Container Platform cluster.


Post fix-pack installation activities

  1. Run the following scripts.
    • On Windows:
      1. Log in as the administrator user and open the Db2 command prompt.
      2. Run the following commands:
        cd C:\Program Files\IBM\DB2GKLMV42\BIN
        db2 connect to klmdb42 user <Db2_USER> using <Db2_PASSWORD>
        db2 -td# -vf  C:\gklm42properties\scripts\gklmsql-fp.db2
    • On Linux:
      1. Log in as the Db2 user and open a terminal.
      2. Run the following commands:
        su - klmdb42
        db2 connect to klmdb42 user <Db2_user> using <Db2_password>
        /opt/IBM/DB2GKLMV42/bin/db2 -td# -vf /home/klmdb42/gklm42properties/scripts/gklmsql-fp.db2
    • Note: If the script reports the warning "KLMDB42.KMT_EVENT_TYPE" from having duplicate values for the index key, you can ignore it. It means that the values are already present in the table.
  2. Use one of the following methods to verify the installation.
    • Using graphical user interface:
      a. Log in to the graphical user interface.
      b. On the Welcome page header bar, click the Help (?) icon.
      c. Click About.
      The page displays the version details.
    • Using REST interface:
      Run the Version Info REST Service. For more information, see Swagger UI. Sample responses follow.
      For IBM Security Guardium Key Lifecycle Manager Traditional:
      IBM Security Guardium Key Lifecycle Manager Version: 4.2.0.2
      IBM Security Guardium Key Lifecycle Manager Build Level: 202311081004
      Liberty WAS Version: 23.0.0.9
      Database Version: DB2/LINUXX8664 SQL110580
      Java Version: JRE 1.8.0_381 IBM J9 VM 2.9
      Operating System Version: Linux:4.12.14-122.136-default:amd64
      Agent Version: 2.0
      License Status: Trial Version expires in 90 days (18 Feb 2024)
      For IBM Security Guardium Key Lifecycle Manager Container:
      IBM Security Guardium Key Lifecycle Manager Version: 4.2.0.2
      IBM Security Guardium Key Lifecycle Manager Build Level: 202311081706
      Liberty WAS Version: 23.0.0.9
      Database Version: PostgreSQL 16.1 (Debian 16.1-1.pgdg120+1)
      Java Version: JRE 1.8.0_381 IBM J9 VM 2.9
      Operating System Version: Linux:4.18.0-425.19.2.el8_7.x86_64:amd64
      Image Tag: 4.2.0.2
      License Status: Trial Version expires in 90 days (Feb 18 2024)
  3. Back up the IBM Security Guardium Key Lifecycle Manager server. For more information, see Configuring backup and restore.

Uninstalling the fix pack

Important: The following steps uninstall the entire product package, including IBM Security Guardium Key Lifecycle Manager, IBM Db2, and WebSphere Liberty, and all your data is lost. Take a backup before uninstalling.

Uninstalling IBM Security Guardium Key Lifecycle Manager with the fix pack by using the graphical user interface


Uninstalling IBM Security Guardium Key Lifecycle Manager with the fix pack silently


Copyright and trademark information

http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION

The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.

Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:

  • the Excluded Components are provided on an "AS IS" basis.

  • IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS, INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

  • IBM will not be liable to you or indemnify you for any claims related to the Excluded Components.

  • IBM will not be liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages with respect to the Excluded Components.

Document Information

Modified date:
22 February 2024

UID

ibm17071276