IBM Support

April 2016 IBM Systems Director JRE Update

 Technote

Update: This JRE update is replaced by the "January 2017 IBM Systems Director JRE Update", which also includes several other security fixes. It is recommended that the January 2017 update be applied instead of this one.
It can be found in the IBM eServer OnDemand Knowledgebase (view 'All Documents') as the document 'January 2017 IBM Systems Director JRE Update'.


This April 2016 IBM Systems Director (ISD) Java Runtime Environment (JRE) update contains the most current security fixes to date for the ISD server and Common Agent Services (CAS) agent, if applicable (see Note). This Technote supersedes the document published previously (Technote 767946525 - October 2015 IBM Systems Director JRE Update, http://www-01.ibm.com/support/docview.wss?uid=nas70eeef6a3978ba51f86257f3b0065fb61).

Note: If the fix package does not contain both ISD server and CAS component's JRE fixes, this means that this update does not apply to the component with the missing files. The previous JRE update that contains the fixes would be the most current available for that component.

List of all fixes included with this update:

o IBM SDK, April Java Technology Edition Quarterly CPU (CVE list here: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_April_2016)
o IBM SDK, October Java Technology Edition Quarterly CPU (CVE list here: http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_October_20_2015_CPU)
o IBM SDK, July Java Technology Edition Quarterly CPU - Includes Oracle July 2015 CPU + CVE-2015-1931, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625
o IBM SDK, June Java CPU (LogJam (CVE-2015-4000), FREAK (CVE-2015-0204), RC4 Bar Mitzvah (CVE-2015-2808), POODLE (CVE-2014-3566))
o IBM SDK, April Java CPU (CVE-2015-0480, CVE-2015-2808, CVE-2015-1916, CVE-2015-1914, CVE-2015-0192)
o IBM SDK, January Java CPU (CVE-2014-6587, CVE-2014-6593, CVE-2015-0410)
o Other included fixes (CVE-2014-6512, CVE-2014-6457)

Prerequisites, notes, and assumptions:
o IBM Systems Director server and CAS agents must first be upgraded to version 6.3.5 or higher before this patch is applied. See the POODLE Technote in Step 1 below for details.
o It is advisable to test these procedures in a lab environment prior to rolling them into production as this will help eliminate any misunderstandings or misconfigurations.
o It is strongly recommended that backups are performed before applying this complex Technote.
o It is recommended that this document be read and understood completely before attempting to apply the fixes.

Important considerations before patching:
To protect against the above-mentioned vulnerabilities, all 6.3.x IBM Systems Director servers and Common Agent Services (CAS) systems must be updated to version 6.3.5 or later and must also have their JREs updated. Even if you have previously upgraded your system JREs, you must apply the newest JREs described in this Technote in order to ensure the most current protection.


Details

Follow the instructions below to apply the fix:

Step 1: Apply Patching prerequisites:
In order to apply this patch, both the ISD server and CAS agents should be updated to at least version 6.3.5 using the POODLE Technote (link below). While following the POODLE Technote, it is possible to substitute the JREs described within this Technote as they are newer. It is possible these new updates do not include a new JRE for some of the components; for example, the package could ship with a new CAS JRE but not an ISD server JRE. If this is the case, the previous JRE shipped for that component is the most current (for example, the July JRE update or possibly the POODLE JREs). It is still okay to apply the POODLE JREs first and then the updated JREs described in this Technote as two separate steps, and may be preferable given the complexities involved with this update.

See the 732521668 POODLE Technote here for details:
http://www-01.ibm.com/support/docview.wss?uid=nas7b80574214546ff9b86257dd90065690f


Step 2: Download the patch from the following URL:
Download the patch for IBM Systems Director 6.3.5, 6.3.6 & 6.3.7:

http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FDirector%2FSystemsDirector&fixids=SysDir6_3_5_0_6_3_6_0_6_3_7_0_IT15389


Step 3: Update the IBM Systems Director server JRE:
After extracting the patch, go to/extract the ISD Server directory/archive for your respective release and import the JRE that is appropriate for your ISD platform and your release, and apply it using Update Manager.

Quickpath: Left Web GUI Pane-->Release Management-->Updates-->Acquire Updates-->Import updates from the file system-->Browse-->Choose the JRE and import it.

Left Web GUI Pane-->Release Management-->Updates-->Show and Install updates-->Choose ISD server OS MEP-->Choose the ISD JRE update-->Install

Note: Refer to the SMCLI documentation, if it is desired to import this package from the command line.


Step 4: Update the CAS agent JRE for both the local and remote CAS:
After extracting the patch, go to/extract the CAS Agent directory/archive for your respective release and choose the CAS agent JRE that is appropriate for your platform. Install it with Update Manager.

Quickpath: Left Web GUI Pane-->Release Management-->Updates-->Acquire Updates-->Import updates from the file system-->Browse-->Choose the JRE and import it.

Left Web GUI Pane-->Release Management-->Updates-->Show and Install updates-->Choose CAS agent OS MEP-->Choose the CAS JRE update-->Install

If the above method does not list the JRE fix, try this path:
Left Web GUI Pane-->Release Management-->Updates-->Show and Install updates-->Choose CAS agent OS MEP-->Click link "Show all installable updates..." -->Choose the CAS JRE update-->Install

Step 5: Restart:
Restart the ISD service to ensure the updates are active.


Step 6: (Optional)
At installation, ISD's root and CAS certificates are generated and verified using the MD5withRSA signature algorithm. MD5 is considered weak these days, so it may not be desirable. As of the April 2016 JRE update, it is possible to change the certificates so they are based on the stronger SHA2withRSA signature algorithm.

WARNING: Accomplishing this requires resetting the Agent Manager and rediscovering all endpoints. This is a *very* big task if your environment has a large number of systems.

If you would, however, like to upgrade the signature algorithm, here are the steps:
1. Use ISD's web GUI (inventory) or CLI (smcli lssys) to determine the IP addresses of all the CAS endpoints being managed so they can be used in the steps later.
2. Stop the ISD server service.
3. Edit <Install_root>/jre/lib/security/java.security: add MD5 to jdk.certpath.disabledAlgorithms and add MD5withRSA to jdk.tls.disabledAlgorithms.
4. Reset Agent Manager:

For AIX or Linux:
o /opt/ibm/director/bin/recoverEnv.sh
o /opt/ibm/director/bin/configAgtMgr.sh

For Windows:
o <installPath>\bin\recoverEnv
o <installPath>\bin\cfgserver -am
5. Start the ISD server service.
6. Without using ISD server, manually access each remote CAS agent and run this command from its command line:

o For Linux: <agent_install_root>/agent/runtime/agent/toolkit/bin/configure.sh -amhost <am_ip> -passwd <am_password> -force
o For Windows: <agent_install_root>\agent\runtime\agent\toolkit\bin\configure.bat -amhost <am_ip> -passwd <am_password> -force
7. From a command prompt on the ISD server, run smcli discover -i <agent IP> to find the CAS endpoints where <agent IP> are the IPs that were recorded in Step 6.1.
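
A check for the java.security edit in step 3 above, as an added example (not IBM tooling): it reads the file, joins backslash-continued lines, and reports whether MD5 and MD5withRSA appear in the two properties. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM tooling: audit java.security for the step 3 edits.
# get_prop FILE KEY: print the value of KEY, joining backslash-continued lines.
get_prop() {
    awk -v key="$2" '
        !cont && /^[ \t]*[#!]/ { next }    # comment line outside a continuation
        {
            if (cont) { sub(/^[ \t]+/, ""); buf = buf $0 } else buf = $0
            cont = (buf ~ /\\$/)
            if (cont) { sub(/\\$/, "", buf); next }
            eq = index(buf, "=")
            if (eq == 0) next
            k = substr(buf, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) val = substr(buf, eq + 1)    # last definition wins
        }
        END { print val }' "$1"
}

# has_alg LIST NAME: succeed if NAME is the first word of a comma-separated entry.
has_alg() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -v want="$2" 'tolower($1) == tolower(want) { found = 1 } END { exit !found }'
}

# check_java_security FILE: report which of the two step 3 entries are missing.
check_java_security() {
    rc=0
    has_alg "$(get_prop "$1" jdk.certpath.disabledAlgorithms)" MD5 ||
        { echo "MD5 missing from jdk.certpath.disabledAlgorithms"; rc=1; }
    has_alg "$(get_prop "$1" jdk.tls.disabledAlgorithms)" MD5withRSA ||
        { echo "MD5withRSA missing from jdk.tls.disabledAlgorithms"; rc=1; }
    return $rc
}

# Constructed sample files (not the shipped java.security): before and after step 3.
write_samples() {
    cat > "$1/before.security" <<'EOF'
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    DH keySize < 768
EOF
    cat > "$1/after.security" <<'EOF'
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    DH keySize < 768, MD5withRSA
EOF
}

[ -z "${1:-}" ] || check_java_security "$1"
```

Pass the path to <Install_root>/jre/lib/security/java.security as the first argument after step 3; a non-zero exit status means at least one of the two entries is still missing.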


Finishing up: Confirm that the fixes were applied properly.


1. Check CAS agent JRE version.

a. Run the following command:
(Windows) <CAS agent install location>\agent\_jvm\jre\bin\java.exe -version
(Linux/Unix) <CAS agent install location>/agent/_jvm/jre/bin/java -version

b. Verify that the Java version has these details: Java(TM) SE Runtime Environment (Java 1.7 SR9 FP20)
2. Check ISD server JRE version.

a. Run the following command:
(Windows) <ISD install location>\lwi\conf\javaHome.bat to determine the location of <Java home>
<Java home>\bin\java.exe -version
(Linux/Unix) <ISD install location>/jre/bin/java -version

b. Verify that the Java version has these details: Java(TM) SE Runtime Environment (Java 1.7 SR9 FP40)

    Known issues
    1. This fix includes an iFix for Windows 2012 R2 and may, under some circumstances, result in the ISD server failing to start. To resolve this, do the following:

    a. After installing the iFix, edit C:\Program Files\IBM\Director\lwi\runtime\nonstop\eclipse\plugins\com.ibm.tivoli.cas.agent.nonstop_8.1.1.5-LWI\META-INF\MANIFEST.MF and add the following line to the end of the "Bundle-NativeCode:" section, following the pattern already used for the operating systems listed there:
    ;osname="Windows Server 2012 R2";osname="Windows Server 2012


    b. Restart ISD.





    Product:
    IBM Systems Director
    Release:
    6.3.7; 6.3.6; 6.3.5
    Function Area:
    Configuration
    Subfunctional Area:
    General - All Platforms




    Document information

    Software version: 6.3.7, 6.3.6, 6.3.5

    Reference #: 785241054

    Modified date: 23 October 2017