Critical updates for IBM WebSphere DataPower SOA appliances

Flash (Alert)


Abstract

This document lists the critical updates and HIPER (Highly Pervasive) APAR fixes that should be applied to IBM WebSphere DataPower SOA appliances.

Content

This document is kept current to provide you with the latest information. You can monitor for updates to this document using My Notifications. Important support information is also posted on Twitter.
This document describes Critical Actions you should take to mitigate or prevent problems, and Critical Updates (including HIPER APARs, which are APARs where the problem is Highly Pervasive), along with circumventions where possible.

Table of contents:

Part 1. Critical Actions

Part 2. Critical Updates




Critical Actions



Important: Create a privileged user id as a backup for the "admin" user id. This will allow you to reset the "admin" user id's password in case that password is lost or forgotten, or in case the "admin" id is locked out.

In order to increase the security features of the appliance, the lockout duration feature was added. APAR IC65339 reports a problem where the "admin" id is locked out when an incorrect password is entered multiple times for this id. The "admin" id continues to be locked out after the lockout duration has expired. Another privileged user id can reset the "admin" id's password regardless of whether the APAR fix is applied.

See: "admin" password lost or forgotten for IBM WebSphere DataPower SOA Appliances




Critical Updates


Important:

04/06/2014: Critical updates: Apply fix packs.

APAR Description Resolution
IC98330 Symptom: SSL CLOSURES MIGHT CAUSE A DATAPOWER APPLIANCE TO TEMPORARILY BE UNRESPONSIVE.

Users Affected: Customers noting that the appliance is temporarily not responding to any traffic. For example, all transactions and user interaction might stall for several seconds.

Circumvention: Apply fix packs 5.0.0.13, 6.0.0.5, or 6.0.1.1
Fixpacks:

5.0.0.x
6.0.0.x
6.0.1.x
IC99305 Symptom: 9235 APPLIANCE MIGHT INCORRECTLY REPORT THE FAILURE OF TWO POWER SUPPLIES.

Users Affected: Customers receiving messages regarding the intermittent reporting of two power supplies on 9235 appliances.

Circumvention: Apply fix packs higher than 5.0.0.13 or 6.0.0.5.
Fixpacks:

5.0.0.x
6.0.0.x
03/05/2014: Critical updates: Apply fix packs.

APAR Description Resolution
IC95229 Symptom: CLICKING "RAID BATTERY BACKUP STATUS" IN WEBGUI LEADS TO A RESTART

Users Affected: Customers using DataPower firmware levels 6.0.0.0 to 6.0.0.2, where clicking "RAID Battery Backup Status" in the WebGUI leads to a restart.

Circumvention: Apply fix pack 6.0.0.3, or 6.0.1.0.
Fixpacks:

6.0.0.x
6.0.1.x
02/05/2014: Critical updates: Apply fix packs.

APAR Description Resolution
IC97930 Symptom: HIGH LATENCY MIGHT OCCUR ON 5.0.0.0 OR LATER FIRMWARE

Users Affected: Customers wishing to address performance concerns.

Circumvention: Apply fix pack 5.0.0.12, 6.0.0.4, or 6.0.1.1.
Fixpacks:

5.0.0.x
6.0.0.x
6.0.1.x
IC97354 Symptom: A DATAPOWER APPLIANCE'S DNS CONFIGURATION SET TO ROUND ROBIN DOES NOT HONOR THE TIME TO LIVE (TTL) SETTING

Users Affected: Only configurations using DNS with the round-robin algorithm are affected.

Circumvention: Apply fix pack 5.0.0.12, 6.0.0.4, or 6.0.1.0
Fixpacks:

5.0.0.x
6.0.0.x
6.0.1.x
08/30/2013: Critical updates: Apply fix packs.

APAR Description Resolution
IC91969 Symptom: RESTART MIGHT OCCUR DURING SHOW DOCUMENT-* AFTER A HANG ON GET REQUEST FOR MULTI-PROTOCOL GATEWAY WITH DOCUMENT CACHE POLICY.

Users Affected: Critical for users running the 5.0.0.x or 4.0.2.x firmware on DataPower appliances and using the document cache

Circumvention: Apply fix pack 4.0.2.14, 5.0.0.9, 6.0.0.0 or newer.
Fixpacks:

6.0.0.x
5.0.0.x
4.0.2.x
IC92257 Symptom: WHEN A DATAPOWER APPLIANCE IS UNDER HEAVY WORKLOAD, A RACE CONDITION EXISTS THAT MIGHT RESULT IN AN APPLIANCE RESTART.

Users Affected: Critical for users running the 5.0.0.x firmware on DataPower appliances.

Circumvention: Apply fix pack 5.0.0.9 and 6.0.0.0 or newer
Fixpacks:


6.0.0.x
5.0.0.x
IC91444 Symptom: A RESTART MIGHT OCCUR UNDER CERTAIN CONDITIONS LOADING A DOMAIN CONTAINING SLM PEERING OBJECTS.

Users Affected: Critical for users running the 5.0.0.x or 4.0.2.x firmware on DataPower appliances and using SLM policies.

Circumvention: Apply fix pack 4.0.2.14, 5.0.0.9, 6.0.0.0 or newer.
Fixpacks:

6.0.0.x
5.0.0.x
4.0.2.x
IC92190 Symptom: SUSTAINED HIGH CPU IS SEEN DUE TO SSL CHURNING.

Users Affected: Critical for users running the 5.0.0.x firmware on DataPower appliances using SSL

Circumvention: Apply fix pack 5.0.0.9 and 6.0.0.0 or newer
Fixpacks:

6.0.0.x
5.0.0.x
08/09/2013: Critical updates: Apply fix packs.

APAR Description Resolution
IC94606 Symptom: REINIT COMMAND REMOVES INACTIVE LICENSES.

Users Affected: Critical for those users running the 6.0.0.0 firmware on DataPower appliances that were purchased through PPA.

Circumvention: Apply fix pack 6.0.0.1 or newer.
Fixpacks:

6.0.0.x
IC93979 Symptom: GLOBALIZATION FILES MISSING IN XG45 SOFTWARE IMAGES

Users Affected: Critical for users running 6.0.0.0 images for 7198 physical appliances and virtual XG45 appliances.

Circumvention: Apply fix pack 6.0.0.1 or newer.
Fixpacks:

6.0.0.x
IC94513 Symptom: A DATAPOWER APPLIANCE MIGHT HANG AFTER REMOVING A FRONT-SIDE HANDLER.

Users Affected: Critical for those users running the 6.0.0.0 firmware on DataPower appliances.

Circumvention: Apply fix pack 6.0.0.1 or newer.
Fixpacks:

6.0.0.x

05/31/2013: Critical updates: Apply fix packs.

APAR Description Resolution
IC91206 Symptom: 9235 WITH XG3NG OR XG4NG RUNNING v5.0.0.0-5.0.0.6, AN UNEXPECTED RESTART MAY OCCUR WHEN USING ETH1 OR ETH2

Users Affected: Critical for users running 9235 and DP 5.0.

Circumvention: Apply fix pack 5.0.0.8 or newer.
Fixpacks:

5.0.0.x
IC90458 Symptom: HIGH LATENCY MAY BE OBSERVED DURING DNS FIRST ALIVE RESOLUTION

Users Affected: Critical for users running with DNS First Alive on 401, 402, or 500.

Circumvention: Apply fix pack 4.0.1.17, 4.0.2.13, 5.0.0.8 or newer.
Fixpacks:

5.0.0.x
4.0.2.x
4.0.1.x
IC90924 Symptom: APPLICATION OPTIMIZATION (AO) SELF BALANCING INCREASED LATENCY AND SENDING ICMP FRAGMENTATION REQUIRED

Users Affected: Critical for users running DP 5.0 and AO Self-Balancing.

Circumvention: Apply fix pack 5.0.0.8 or newer.
Fixpacks:

5.0.0.x
IC91091 Symptom: THE BACKSIDE MQ QUEUE MANAGER OBJECT ON DATAPOWER SHOWS AN "UP" STATUS EVEN IF THERE IS A NETWORK ERROR.

Users Affected: Critical for users running DP 5.0 and using MQ.

Circumvention: Apply fix pack 5.0.0.8 or newer.
Fixpacks:

5.0.0.x


10/03/2012: Critical updates: Apply fix packs.

APAR Description Resolution
IC81933 Symptom: CRYPTO ENGINE HSM2 RUNTIME ERROR CODE 6 ON MACHINE TYPE 7199 / 7198 WITH HSM

Users Affected: Those with m/t 7199 or m/t 7198 appliances with the HSM feature installed and running 4.0.2. (This does not affect other releases.)

Circumvention: Apply fix pack 4.0.2.6 or newer.
Fixpacks:

4.0.2.x

04/05/2012: Critical updates: Apply fix packs.

APAR Description Resolution
IC81486 Symptom: Possible SSL Connection hangs or failures using 4.0.1 or 4.0.2

Users Affected: Those with SSL configurations running 4.0.1 or 4.0.2 without this fix. (This does not affect 3.8.2 firmware users)

Circumvention: Apply fix packs.
Fixpacks:

4.0.2.x
4.0.1.x
IC81912 Symptom: Message "Not permitting connection due to Normal throttling" is presented and intermittent connection rejections may occur unexpectedly.

Users Affected: Those using the memory throttler. This problem is more likely to be seen when using 4.0.1 or 4.0.2.

Circumvention: Apply fix packs.
Fixpacks:

4.0.2.x
4.0.1.x
3.8.2.x

03/31/2012 Critical updates for M/T 9235: Apply fix pack 3.8.1.20, 3.8.2.11, and 4.0.1.8 and 4.0.2.4 fix packs or newer

APAR Description Resolution
IC80983 Symptom: M/T 9235 restarts

Users Affected: Those with M/T 9235 appliances which restart. See IBM WebSphere DataPower M/T 9235 appliance may restart due to Baseboard Management Controller (BMC) communications loss

Circumvention: Apply fix packs
Fixpacks:

4.0.2.x
4.0.1.x
3.8.2.x
3.8.1.x

12/06/11 Critical updates: Apply fix pack 4.0.1.4, 4.0.2.1 or a newer fix pack to appliances running 4.0.1.3 and 4.0.2.0 with SSL enabled front side handlers.

APAR Description Resolution
IC78949 Symptom: SSL handshake failures on incoming connections to SSL enabled front side handlers can cause unpredictable failures in other transactions on the appliance. Click on APAR IC78949 for more details.

Users Affected: Users of SSL-enabled HTTPS, IMS Connect, Stateless Raw XML, and Stateful Raw XML handlers using 4.0.1.0 through 4.0.1.3 and version 4.0.2.0. Customers using services with certain SSL-enabled handlers might see unpredictable failures in other transactions on the appliance.

Circumvention: Apply fix pack 4.0.1.4 and 4.0.2.1, or newer fix pack.
Fixpacks:

4.0.1.x
4.0.2.x

4/29/11 Critical updates: Apply fix pack 3.8.1.9 or newer to appliances with HSM feature.

APAR Description Resolution
IC72366 Symptom: IBM WebSphere DataPower appliance with the HSM feature running 3.8.1 may restart.

Users Affected: All WebSphere DataPower Appliances with the HSM feature running firmware 3.8.1

Circumvention: Apply fix pack 3.8.1.9 or newer.
Fixpacks:

XS40 3.8.1.x

XI50 and XI50B version 3.8.1.x

01/01/10 Critical update: Apply 3.8.0.1 or newer to all appliances to avoid system outages. All users are affected.


The following critical updates and HIPER APARs (APARs where the problem is Highly Pervasive) are included. If you cannot upgrade quickly, review the problems and circumventions. This firmware update is on Fix Central. See DataPower Knowledge Collection on firmware updates.

(note updated on 7/19/12 to point to supported firmware levels).

APAR Description Resolution
IC64790 Symptom: A recently discovered vulnerability in the renegotiation feature of the SSL and TLS protocols allows an attacker to inject an arbitrary string into the SSL session. This vulnerability is commonly referred to as the SSL Man-in-the-Middle (MITM) attack or CVE-2009-3555. For more information see: Are DataPower appliances affected by the SSL Man-in-the-Middle attack (CVE-2009-3555)?

Users Affected: All WebSphere DataPower users.

Circumvention: Apply fix pack as soon as possible or see this technote for circumvention: Are DataPower appliances affected by the SSL Man-in-the-Middle attack (CVE-2009-3555)?
Fixed in fix packs starting at:
IC63771 Symptom: In some cases a firmware crash could lead to the temporary file system being completely used. This would require a reboot to recover the appliance, or would cause the appliance to be completely unresponsive.

Users Affected: All WebSphere DataPower users.

Circumvention: None. Apply fix pack as soon as possible.

Recovery:
  1. Reboot the appliance if the appliance will allow a connection via the serial port.
  2. Safely power off and power on the appliance.
  3. Contact IBM Support if appliance is not responding. Refer to specifics in Contacting IBM WebSphere DataPower SOA Appliance Support.
Fixed in fix packs starting at:
IC64923 Symptom: When parsing large XML files, the performance of the SQL injection filter decreases and becomes very slow. If you are using an SQL injection filter and would like to parse large XML files, you will notice that the performance of this SQL injection filter decreases.

Users Affected: All WebSphere DataPower ODBC Users.

Circumvention: None, apply fixpack as soon as possible.

Recovery:
  1. Contact IBM Support if appliance is not responding. Refer to specifics in Contacting IBM WebSphere DataPower SOA Appliance Support
Fixed in fix packs starting at:
IC61470 Symptom: The appliance stops responding to network traffic. When you connect with a serial cable, you can enter the admin id and the password for the admin id. After you enter the password, the appliance hangs for a moment, then prompts you to enter a user id again. You may also experience the symptoms noted in APAR IC61429, also listed as a critical update in this package.

Users Affected: Appliances where the log targets write to the local appliance raid volumes.
Models: 9235/9004 with the optional hard drives: XI50 (9235-4BX, 9235-4CX, 9235-4DX, 9235-4FX), XS40 (9235-3BX, 9235-3DX), XB60 (9235-62x), and XM70 (9235-6BX)
Running firmware: 3.7.1, 3.7.2, 3.7.3 or B2B and LLM at 1.0 or 3.7.3

Circumvention: Options to try:
  • Change the appliance's configuration to not write to the local appliance raid volumes. Change the targets to use back-end servers as log targets.
  • Change the configuration of the log targets to reduce the maximum log file size to 2MB and increase the rotation limit to the maximum allowed value as stated in the product publications. See the IBM WebSphere DataPower Library for our production publications.

Recovery:
Try the following steps:
  1. Follow all safety precautions listed in the documents linked from:
    Removing and Replacing Parts provided by IBM Level 2 for IBM WebSphere DataPower SOA Appliances: 9003/7993 and 9004/9235.
  2. Power off the appliance
  3. Unplug all electrical connections
  4. Remove hard drive tray per the instruction in the 9235 book referenced in Removing and Replacing Parts provided by IBM Level 2 for IBM WebSphere DataPower SOA Appliances: 9003/7993 and 9004/9235.
  5. Do not replace the hard drive tray
  6. Plug in all electrical connections
  7. Power on the appliance
  8. Log in to the appliance, change all log targets so they do not write to the appliance.
  9. Save configuration
  10. Power off the appliance
  11. Unplug all electrical connections
  12. Replace hard drive tray per the instruction in the 9235 book referenced in Removing and Replacing Parts provided by IBM Level 2 for IBM WebSphere DataPower SOA Appliances: 9003/7993 and 9004/9235.
  13. Plug in all electrical connections
  14. Power on the appliance
  15. Contact IBM Support if problem remains. Refer to specifics in Contacting IBM WebSphere DataPower SOA Appliance Support.
Fixed in fix packs starting at:
IC61429 Symptom: The appliance does not respond to the network. When you connect with a serial cable you can enter your user id and password. After login you can enter only one CLI command. When "show filesystem" is entered as the one command, the output shows zero crypto space available.

Users Affected: Appliance configured to connect to an IBM DB2 V9 or higher version database on a back-end server or computer.
Models: 9235/9004 or 7993/9003 all XI50, XB60, and XM70
Running firmware: 3.7.1, 3.7.2, 3.7.3 or B2B and LLM at 1.0 or 3.7.3

Circumvention: Don't connect or configure to IBM DB2 V9 or higher database.

Recovery:
  1. Contact IBM Support if appliance is not responding. Refer to specifics in Contacting IBM WebSphere DataPower SOA Appliance Support.
Fixed in fix packs starting at:
IC61427 Symptom: System does not respond.
On connection with serial cable, you can log in but only enter one CLI command. When "show filesystem" is entered as the one command, the output shows zero crypto space available.

Users Affected: All appliances showing zero crypto space as output from "show filesystem" command
Models: ALL 9235/9004, 7993/9003, or 7993/9002
Running firmware: 3.7.1, 3.7.2, 3.7.3, or B2B and LLM at 1.0 or 3.7.3

Circumvention: None

Recovery:
  1. Contact IBM Support if appliance is not responding. Refer to specifics in Contacting IBM WebSphere DataPower SOA Appliance Support
Fixed in fix packs starting at:

Document information


More support for:

WebSphere DataPower SOA Appliances
General

Software version:

3.8.2, 4.0.1, 4.0.2, 5.0.0, 6.0.0, 6.0.1

Operating system(s):

Firmware

Reference #:

1390112

Modified date:

2014-02-07
