IBM Netcool System Service Monitor SSM 4.0 Interim Fix 4 README Netcool/System Service Monitor 4.0.1.2 4.0.1.2-TIV-SSM-IF0004 Readme

To download this update you must first login to IBM FixCentral. Once logged in, you may select from the individual download packages.
http://www.ibm.com/eserver/support/fixes/

Below is a list of components, platforms, and file names that apply to this Readme file.

The 4.0.1.2 Interim Fix 04 patch requires the original Netcool/SSM 4.0.1 product to be installed first. Patch installers are identified by file name: ssm401-interimfix-02-04-*

For Windows Vista SP2 and Windows 2008 SP2 you must first install the following Microsoft Patch:
You cannot run an application that is signed with a SHA-256 certificate on a computer that is running Windows Vista SP2 or Windows Server 2008 SP2

4.0.1.2 Interim Fix 04 has no other prerequisites. It is a cumulative release and so contains the previously released:

• Fix Pack 1
• 4.0.1.1-TIV-SSM-IF0001
• 4.0.1.1-TIV-SSM-IF0002
• 4.0.1.1-TIV-SSM-IF0003
• Fix Pack 2
• 4.0.1.2-TIV-SSM-IF0001
• 4.0.1.2-TIV-SSM-IF0002
• 4.0.1.2-TIV-SSM-IF0003

Note that SSM patches may be installed in any order without affecting the end result. The most recent version of every component will be maintained regardless and you may uninstall any patch at a later time (see Installation information below).

Hardware and Software requirements.

Non APAR Defect alm00295041 - Can't remote install ssm with V3 Configurations

Problem Description
Remote install fails on all platforms using V3 Configurations with the following error:
KDY3209E: Failed to add v3 user itmkdyuser Could not add the new SNMP v3 user via a remote connection

Non APAR Defect alm00295075 - Can't remote uninstall ssm on windows

Problem Description
Remote uninstall fails on Windows platforms with the following error:
KDY3501E: Could not find the uninstall key with the command regedit /E uninst.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{EFDE76FA-B83A-4608-AFF0-37829C7F5186}. Could not find the required uninstall key.

Non APAR Defect alm00295526 - The transaction.oid file is missing in the oid directory

Problem Description
Trying to load the transaction subagent shows the following warning because the transaction.oid file is missing from the oid subdirectory:
Could not open script file "oid/transaction.oid"

SSM crashes on AIX

Problem Description
Note that users of SSM 4.0 on AIX 5.3 or 6.1 may encounter a crash in gethostbyname(). This is a known AIX operating system bug (APAR IZ37768) with workaround and patches available from the IBM web site:
http://www.ibm.com/support/docview.wss?uid=isg1IZ37768

SSM cores on HPUX

Problem Description
Note that users of SSM 4.0 on HPUX may encounter core files in the SSM if the installation directory where SSM is installed is copied whilst the SSM is starting.

None.

Prior to installation

Although the SSM patch installer will verify its integrity before proceeding, you may verify the integrity of the patch installer without actually installing the patch by using the -t (test) option:

Also note that on some platforms installation may fail if you have any SSM-related programs running. Make sure that you have closed all instances of the SSM console and the MIB Explorer (Windows) prior to installing the patch. The patch installer will stop and restart the ssmagent process automatically.

Installing

SSM patches are self-extracting interactive programs that will guide you through the installation process. You need only execute the installer (for your operating system) and follow the prompts:

Silent installation is achieved by adding the word silent as a parameter to the end of the above command.

Further details about advanced patch installation can be found in the Patch Installation Guide:

Performing the necessary tasks after installation

None.

Troubleshooting installation problems from the Support site

http://www.ibm.com/software/sysmgmt/products/support/NetcoolSystemServiceMonitor.html

Uninstalling if necessary

On Windows, 4.0.1.2 Interim Fix 04 may be uninstalled via Control Panel - Add or Remove Programs. Make sure you check the "Show updates" box for SSM patches to appear in the list. Also ensure that the SSM console and MIB Explorer are not running prior to uninstallation (so that previous file versions may be restored correctly), otherwise the removal process will fail.

On all platforms 4.0.1.2 Interim Fix 04 may also be uninstalled using the "patchman" tool which can be found in the SSM bin directory:

Security Bulletins

SSM 4.0.1.2 Interim Fix 04 contains fixes to the following Security Bulletins:

- Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196)
- Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3197, CVE-2015-4000)
- Security Bulletin: A vulnerability in libcURL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3237)
- Security Bulletin: A vulnerability in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-0800)
- Security Bulletin: Vulnerabilities in OpenSSL affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702)

SSM 4.0.1.2 Interim Fix 3 (also included in this 4.0.1.2 Interim Fix 04) contains fixes to the following Security Bulletins:

- Security Bulletin: Multiple vulnerabilities in cURL libcURL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-3144 and CVE-2015-3145)
- Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-4000)
- Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-1788, CVE-2015-1791, CVE-2015-4000)

SSM 4.0.1.2 Interim Fix 3 modified the default behaviour of the filetransfer subagent to disable the DHE & EDH ciphers. To enable the ciphers, update the INIVAR FileTransferSSLCipherSuite in init.cfg. For example to enable the DHE and/or EDH ciphers, modify init.cfg to contain:

FileTransferSSLCipherSuite=AES:3DES:DES:!EXP:DHE:EDH

SSM 4.0.1.2 Interim Fix 2 (also included in this 4.0.1.2 Interim Fix 04) contains fixes to the following Security Bulletin:

- Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-2808)

SSM 4.0.1.2 Interim Fix 2 modified the default behaviour of the filetransfer subagent to disable the EXPORT (EXP) and RC4 ciphers. To enable the EXP/RC4 ciphers, update the INIVAR FileTransferSSLCipherSuite in init.cfg. For example to enable the EXP Cipher, modify init.cfg to contain:

FileTransferSSLCipherSuite=AES:3DES:DES:EXP

SSM 4.0.1.2 Interim Fix 1 (also included in this 4.0.1.2 Interim Fix 04) contains fixes to the following 3 Security Bulletins:

- Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0206)
- Security Bulletin: Multiple vulnerabilities in cURL libcURL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-8150, 2014-8151)
- Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2015-0209, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289)

SSM 4.0.1.1 Interim Fix 3 (also included in this 4.0.1.2 Interim Fix 04) contains fixes to the following 4 Security Bulletins:

- Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512)
- Security Bulletin: Multiple vulnerabilities in cURL libcURL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-3613 CVE-2014-3620)
- Security Bulletin: Vulnerability in SSLv3 affects IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-3566)
- Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-3513, CVE-2014-3567)

SSM V4.0.1.1 Interim Fix 3 (also included in this 4.0.1.2 Interim Fix 04) is a security update focused on reducing security risks in the default configuration.

The ability to use filetransfer to download from a HTTPS server using SSLv3 has been disabled by default. To enable downloading using SSLv3, add the INIVAR DisableSSLV3 to init.cfg and set it to false. For example:

DisableSSLV3=false

SSM 4.0.1.1 Interim Fix 2 (also included in this 4.0.1.2 Interim Fix 04) contains fixes to the following 2 Security Bulletins:

- Security Bulletin: IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by the following libcURL vulnerabilities: (CVE-2014-0139, CVE-2014-0138)
- Security Bulletin: IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by the following OpenSSL vulnerabilities: (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195 and CVE-2014-3470)

SSM 4.0.1.1 Interim Fix 1 (also included in this 4.0.1.2 Interim Fix 04) contains fixes to the following 2 Security Bulletins:

- Security Bulletin: IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by vulnerabilities in OpenSSL (CVE-2014-0160 and CVE-2014-0076)
- Security Bulletin: IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by vulnerabilities in OpenSSL (CVE-2013-4353, CVE-2013-6450 and CVE-2013-6449)

SSM 4.0.1 Fix Pack 1 (also included in this 4.0.1.2 Interim Fix 04) contains fixes to the following 3 Security Bulletins:

- IBM Tivoli Netcool System Service Monitors/Application Service Monitors Local Configuration file Buffer Overflow (CVE-2013-0508)
- IBM Tivoli Netcool System Service Monitors/Application Service Monitors Transaction MIB Remote Buffer Overflow due to malformed database table names (CVE-2013-0509)
- IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by multiple OpenSSL vulnerabilities

SSM V4.0.1 Fix Pack 1 (also included in this 4.0.1.2 Interim Fix 04) is a security update focused on reducing security risks in the default configuration.

Some functionality has changed, and some subagents must now be activated using additional configuration in the agent init.cfg and agent.cfg files. Below is a list of affected components and any extra configuration required to enable previous functionality. If you do not currently use an affected component, leave it in its default, disabled state.

Updated subagents

RMON ProbeConfig Group

Support for the probeDownloadFile, probleDownloadTFTPServer, probeDownloadAction, and probleDownloadStatus objects has been removed. If download functionality is required, configure and use the File Transfer subagent.

haSubagentTable

The haSubagentTable will load subagents only from the agent bin directory.

agentInivarTable

The agentInivarTable is now read-only. It is not possible to set or change INIVARs via SNMP.

Crontab subagent

Process execution from the Crontab subagent is now disabled by default. If you specify a value in the crontabControlExecutionCommand and have not enabled process execution, the row cannot be made active. To enable process execution, add the INIVAR CrontabProcessExecute to init.cfg and set it to true. For example:

CrontabProcessExecute=true

If you do not enable the INIVAR before configuring the Crontab subagent, the following error message is displayed in the agent log file:

Crontab Execution Command has been disabled. To enable it, set CrontabProcessExecute=on in init.cfg

Process subagent

Three objects in the Process sub-agent have been updated

- psRunningState object in the psRunningTable is now read-only. You can no longer kill processes using this table or set them in a suspended state.

- psExecute and psControlActionCommand objects have been disabled unless the ProcessProcessExecute INIVAR exists and is set to true. If this INIVAR does not exist, or it is set to false, the psExecute object does not work, an SNMP error is returned and an error similar to the following example is displayed in the agent log file.

[PROCESS] Attempt to execute process with out INIVAR "ProcessProcessExecute" being enabled. Command "c:\windows\notepad.exe" will not be executed

If the required INIVAR is not enabled in the psControlActionCommand object, the control row cannot enter an active state. It will either stay notReady, or not be created if it is set up using a script. An error similar to the following example is displayed in the agent log.

[PROCESS] Attempt to set psControlActionCommand to "c:\windows\notepad.exe" without the INIVAR "ProcessProcessExecute" being enabled.

Programmable subagent

The Programmable subagent is now disabled by default. To load the subagent, set the ProgrammableAllowLoad INIVAR to true. Add the subagent load programmable command to the agent.cfg file in the Netcool/SSM config directory. If the INIVAR is not defined and set to true, the subagent does not load and the following error message is displayed in the agent log:

Programmable loading has been disabled. To enable it, set ProgrammableAllowLoad=true in init.cfg

Filetransfer subagent

The Filetransfer subagent has had several updates:

- The Filetransfer subagent does not load unless the FiletransferAllowLoad

INIVAR is set and enabled. Add the subagent load filetransfer command to the agent.cfg file in the Netcool/SSM config directory. If you try to load the subagent without first enabling the INIVAR, the following error message is displayed in the agent log:

File Transfer loading has been disabled. To enable it set FiletransferAllowLoad=true in init.cfg

- The data option in the ftFileBase object has been deprecated. You can no longer specify an arbitrary destination directory to download to.

- A new file transfer host list function enables you to create a list of allowed download hosts. There are three new console commands: fthost add , fthost list , and fthost remove .

Tip: The fthost settings are not saved when the agent is shutdown. To preserve the download list, place these commands in a separate configuration file that is executed at startup.

The syntax of these commands is as shown below:

fthost add address [mask]
fthost remove address [mask]
fthost list

where address is required and is the download server address of the host to be included. You can also specify an address range by combining the address and mask attributes. For example:

fthost add 10.1.2.44

Adds the machine 10.1.2.44 to the download list.

fthost add 10.1.4.0 255.255.255.0

Adds all addresses that start with 10.1.4 to the download list.

fthost list
ADDRESS MASK
------- ----
10.1.2.44 255.255.255.255
10.1.4.0 255.255.255.0

Lists the current download list.

fthost remove 10.1.2.44

Removes the 10.1.2.44 entry from the list.

fthost remove 10.1.4.0 255.255.255.0

Removes the 10.1.4.0 entry from the list.

If a download is attempted from a server that is not in the download list, an error similar to the following is displayed in the agent log file:

[FILETRANSFER] The specified host "10.3.3.2" is not in the allowed hosts list. The download will be failed

Note: If the fthost download list is empty, the Filetransfer subagent will be allowed to download from any server.

Oracle ASM

The Oracle ASM no longer attempts to automatically detect the location of the OCI libraries on the system, but rather requires the location to be provided to the ASM by explicitly setting the OCILibPath INIVAR to the location of the OCI Libraries. The value of this INIVAR should be the absolute path to the OCI Libraries on the system. If the OCILibPath INIVAR is not set, an error is displayed in the agent log file. For example:

[ORACLE] Inivar OCILibPath is not set unable to load Oracle Client Libraries

NTSCM subagent

The ntServicetable is now read only and you can no longer alter the service state or configuration using the ntServiceTableStartType and ntServiceTableControl objects. To change the service state of the ntServiceControlTable, define the NTServiceAllowConfig INIVAR and set it to true.

NTSCM displays the following error messages when trying to configure the ControlTable

NtService Configuration has been disabled. To enable it, set NTServiceAllowConfig=true in init.cfg

Arithmetic subagent

The ability to write strings to files on disk using the -> and ->> operators has been disabled by default. To reinstate this functionality:

1. Create the ArithmeticFileWrite INIVAR and set it to true.

2. Assign a path to the ArithmeticFileWritePath INIVAR. Only files that reside in this path may be written to. Separate multiple directories by the platform specific path separator, a colon (:) for UNIX systems, or a semicolon (;) for Windows systems.

The Arithmetic subagent displays the following error messages if the inivars are absent and trying to use -> and ->> operators:

Arithmetic File Writing has been disabled. To enable it, set ArithmeticFileWrite=on in init.cfg
Arithmetic File Writing has been disabled. To enable it, set ArithmeticFileWritePath to the list of allowable paths in init.cfg

Transaction subagent

If you have upgraded from SSM 4.0.1 to this SSM 4.0.1.2 Interim Fix 04, the Transaction subagent does not load by default. If you require this subagent, add the following load command to the agent.cfg file:

subagent load transaction

Red Hat Installation requirements

SSM 4.0.1 requires the libstdc++-32-3.2.3 compat libraries and the libstdc++ runtimes to execute on Red Hat Linux 6.x. On 64bit Red Hat systems you may have to install the 64 bit versions of these libraries as well.

Checksums

The SHA1 Checksum of the images are as follows:
SHA1(ssm401-interimfix-02-04-aix-ppc.run)= c2f848afc351096b0a1d18609cade65da65ccc21
SHA1(ssm401-interimfix-02-04-hpux-ia64.run)= 1e9f26914d2aef24ce56f823171b1e76d633f5fc
SHA1(ssm401-interimfix-02-04-linux-ppc64.run)= e05dc814e7203f867587b36ecf59edaa4378923a
SHA1(ssm401-interimfix-02-04-linux-x86_64.run)= 0f018abb5b14439f577c5e356c4017dc654c6463
SHA1(ssm401-interimfix-02-04-linux-x86.run)= 2387363f132a8494e2def9a286f380232f943019
SHA1(ssm401-interimfix-02-04-Multiplatform-DSCFiles.zip)= 60f92b4d691246a2091ad1d6e10b4688eb32c8cc
SHA1(ssm401-interimfix-02-04-solaris-sparc.run)= bf6ddef991f8e2a52d627d89c71a9548a6fbb091
SHA1(ssm401-interimfix-02-04-solaris-x86_64.run)= 16f3f58193780dd5c5e486c807c67c0d41c44484
SHA1(ssm401-interimfix-02-04-solaris-x86.run)= 5943d0192ea91981573bee74bbee10e649eb37ea
SHA1(ssm401-interimfix-02-04-win32-x86.exe)= 879c1ad2f02c552c436ce64036847029bdcd796e

Task ID	APAR	Fixed in	Release	Description
rtc27176	IV68579	4.0.1.169	IF02-01	SSM 401 AGENT CRASHES WITH CERTAIN IPMP NETWORK INTERFACE CONFIGURATION
alm00301067	IV51579	4.0.1.100	IF01-01	SSM LOGMONX AGENT MONITIORING WINDOWS EVENT LOGS CAN LOOSE TRACK OF THE CURRENT LOG POSITION. (APAR=IV51579)
alm00304624		4.0.1.97	IF01-01	Platform and PlatformDescription are reported incorrectly on Windows Domain Controllers
alm00286322		4.0.1.94	IF01-01	RFE 27484: Introduce optional temp directory to be used by installer and patcher
alm00302876	IV53821	4.0.1.94	IF01-01	THE PROCESS MIB CAN INCORRECTLY CALCULATE SAMPLES ON LINUX IF THE PROCESS HAS DIED. (APAR=IV53821)
alm00303989	IV52540	4.0.1.94	IF01-01	SSM401 UPGRADE DOES NOT KEEP VALUE OF INIT.CFG TRAPVERSION
alm00300464	IV50675	4.0.1.89	IF01-01	ON SOLARIS SYSTEMS WITH DISKS AS META DEVICES THE SSM CAN CRASH. (APAR=IV50675)
alm00301152	IV51866	4.0.1.89	IF01-01	APAR IV51866: SSM FILEMON SUBAGENT FAILS TO MONITOR FILES LARGER THAN 2 GB ON AIX
alm00297990	IV46708	4.0.1.86	IF01-01	SSM DOES NOT CORRECTLY IDENTIFY ZFS MOUNTS AS FIXED DISK ON SOLARIS (APAR=IV46708)
alm00296114	IV43877	4.0.1.83	IF01-01	ON SOLARIS THE SSM IS UNABLE TO CORRECTLY DETECT A CD/DVDW TS-T6 AS AN OPTICAL DRIVE. (APAR=IV43877)
alm00296250	IV44103	4.0.1.82	IF01-01	SSM MIBEXPLORER MIB PATH STRING MAY GET CORRUPTED AND STOP LOADING MIBS (APAR=IV44103)
alm00296109	IV42198	4.0.1.80	IF01-01	SOLARIS IFOPERSTATUS DOESN'T DETECT UNPLUGGED CABLE (APAR=IV42198)
alm00293410		4.0.1.78	FP1	Limit ability of ntServices sub-agent to control and alter windows services.
alm00293392		4.0.1.70	FP1	Secure File Transfer sub-agent
alm00293378		4.0.1.69	FP1	Secure Process sub-agent Process execution and control.
alm00293426		4.0.1.67	FP1	Limit ability of the arithmetic sub-agent to write to files.
alm00293917	IV39829	4.0.1.67	FP1	`INIT.SSMAGENT SCRIPT START` SHOULD RETURN 0 WHEN IT IS ALREADY RUNNING (APAR=IV39829)
alm00293349		4.0.1.66	FP1	Remedy RMON Probe Config Security Issues.
alm00293357		4.0.1.66	FP1	Make haSubagentTable only load libraries from the Agent Bin Directory.
alm00293364		4.0.1.66	FP1	Make AgentIniVar table Read Only
alm00293417		4.0.1.66	FP1	MIB2 ifTable should not be able to control interface status.
alm00293319		4.0.1.65	FP1	AppScan Remediate transaction/decode snprint errors
alm00293371		4.0.1.65	FP1	Secure process execution from Crontab sub-agent.
alm00293385		4.0.1.65	FP1	Stop programmable Loading by default.
alm00293399		4.0.1.65	FP1	Limit Oracle Wrapper libraries to loading OCI libraries from Specified Directory
alm00293248		4.0.1.62	FP1	BufferOverflow.FormatString Vulnerabilities need to be resolved.
alm00293158		4.0.1.61	FP1	AppScan SetSecurityDescriptorDacl Calls Should specify a ACL
alm00293272		4.0.1.61	FP1	AppScan BufferOverflow in Memcpy Calls
alm00292456		4.0.1.60	FP1	Make LoadLibrary calls on windows not use a path lookup.
alm00292348	IV38114	4.0.1.56	FP1	Upgrade to OpenSSL 1.0.1e
alm00291996		4.0.1.53	FP1	TransactionEnumTable is writeable. Make it read only.
alm00289390	IV36116	4.0.1.52	FP1	SSM INIT.SSMAGENT FAILS TO FIND ITSELF WHEN STARTED AS A SYMLINK -> RELATIVE SYMLINK -> EXE (APAR=IV36116)
alm00291523	IV38113	4.0.1.52	FP1	Buffer Overflow in hive library can crash the agent.
alm00291931	IV37604	4.0.1.52	FP1	SSM HRSTORAGEUSED PHYSICAL MEMORY IS INCORRECTLY CALCULATED ON AIX (APAR=IV37604)
alm00291971	IV38112	4.0.1.52	FP1	Transaction Sub-Agent Oracle decoder can crash when it encounters a Malformed Packet
alm00292462	IV36665	4.0.1.40	FP1	APAR IV36665: SSM FILEMON SUBAGENT CAN FAIL TO ACTIVATE ROW IF FILESYSTEM FAILS STATFS
alm00293097	IV31463	4.0.1.40	FP1	ON SOME SOLARIS SYSTEMS DISKS THE SSM CAN MARK DISK DEVICES AS DOWN INCORRECTLY. (APAR=IV31463)

Version	Date	Description of change
1.0	8 April 2016	Initial Release
2.0	12 April 2016	Fixed up checksums