Updating OpenSSL in an IBM InfoSphere Balanced Warehouse, an IBM Smart Analytics System, or an IBM PureData System for Operational Analytics environment

Technote (troubleshooting)


Problem (Abstract)

You have been directed by IBM to update OpenSSL in your IBM InfoSphere Balanced Warehouse, IBM Smart Analytics System, or IBM PureData System for Operational Analytics environment.

Cause

These products ship OpenSSL as part of the operating system. The operating system vendor has released updates to OpenSSL that contain bug fixes or security-related fixes. Your IBM InfoSphere Balanced Warehouse, IBM Smart Analytics System, or IBM PureData System for Operational Analytics environment needs to be updated with the new security-related updates.

Environment

IBM InfoSphere Balanced Warehouse C3000 for Linux
IBM InfoSphere Balanced Warehouse C4000 for Linux
IBM InfoSphere Balanced Warehouse D5100
IBM Smart Analytics System 1050 for Linux
IBM Smart Analytics System 2050 for Linux
IBM Smart Analytics System 5600 V1
IBM Smart Analytics System 5600 V2
IBM Smart Analytics System 5710
IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710
IBM PureData System for Operational Analytics A1791


Resolving the problem

Installation instructions for the following releases:
  • IBM InfoSphere Balanced Warehouse C3000 for Linux, C4000 for Linux, and D5100
  • IBM Smart Analytics System 1050 for Linux, 2050 for Linux, 5600 V1, 5600 V2, and 5710
A. Verify the OpenSSL and OpenSSH packages need to be updated
1. In the security bulletin that directed you to this document, use the Novell patch link in the Download Link column to determine the versions of the OpenSSL and OpenSSH packages that are required for your system.

2. Determine the OpenSSL and OpenSSH versions installed on your system.

a. Issue the following command on each node in your system to determine the installed versions of the openssl packages.
rpm -qa | grep openssl

The command should return output similar to the following output.
libopenssl0_9_8-0.9.8j-0.50.1
libopenssl0_9_8-32bit-0.9.8j-0.50.1
openssl-0.9.8j-0.50.1
openssl-certs-1.95-0.4.1

b. Issue the following command on each node to determine the installed versions of the openssh packages.
rpm -qa | grep openssh

The command should return output similar to the following output.
openssh-6.2p2-0.9.1
openssh-askpass-6.2p2-0.9.1

3. Compare the versions contained in the Novell patch with the versions installed on your system. If a package version contained in the Novell patch is later than the version installed on your system as indicated by a higher version number, you must download and install that package.
B. Install the OpenSSL and OpenSSH packages
1. Download the Novell patch using the link in the Download Link column of the security bulletin.

2. Use the rpm command to update the required packages. For each package that you must update, issue the following command:
rpm -U <package_name>.rpm

where <package_name> represents the name of the package.

Note: For the IBM Smart Analytics System 5600 V1 and 5600 V2, you must update the required packages on each node.

Installation instructions for the following releases:
  • IBM Smart Analytics System 7600, 7700, and 7710
  • IBM PureData System for Operational Analytics A1791
A. Verify the OpenSSL and OpenSSH packages need to be updated
1. In the security bulletin that directed you to this document, determine the versions of the OpenSSL and the OpenSSH packages that are required for your system.

2. Run the following command on each host in your system to determine the OpenSSL and OpenSSH versions installed on your system:
lslpp -la | egrep "openssl.base|openssh.base" | sort | uniq

The command should return output similar to the following output. In the following output, the installed version of the OpenSSL package is 0.9.8.2400 and the installed version of the OpenSSH package is 6.0.0.6101.
openssh.base.client  6.0.0.6101  COMMITTED  Open Secure Shell Commands
openssh.base.server  6.0.0.6101  COMMITTED  Open Secure Shell Server
openssl.base         0.9.8.2400  COMMITTED  Open Secure Socket Layer

3. Compare the versions specified in the security bulletin with the versions installed on your system. If the versions installed on your system are either earlier than or equivalent to the versions specified in the security bulletin, you must install the later versions specified in the security bulletin.
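The comparison in step 3, as an added shell example that is not part of the original technote: it parses the lslpp output shown above and flags each fileset whose installed level is earlier than or equal to the bulletin level. The function names and the BULLETIN_OPENSSL and BULLETIN_OPENSSH values are assumptions made for illustration; take the real levels from your security bulletin.

```sh
#!/bin/sh
# Added example (not IBM's code): apply the step 3 rule to lslpp output.

# Constructed sample input: the lslpp lines shown in step 2.
SAMPLE_LSLPP='openssh.base.client  6.0.0.6101  COMMITTED  Open Secure Shell Commands
openssh.base.server  6.0.0.6101  COMMITTED  Open Secure Shell Server
openssl.base         0.9.8.2400  COMMITTED  Open Secure Socket Layer'

# cmp_level A B: print -1, 0 or 1 when level A is earlier than, equal to or
# later than level B. Fields are compared as numbers, left to right, so
# 0.9.8.2400 is later than 0.9.8.900 (a plain string compare gets this wrong).
cmp_level() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) { print "-1"; exit }
            if (x[i] + 0 > y[i] + 0) { print "1"; exit }
        }
        print "0"
    }' </dev/null
}

# check_filesets PREFIX BULLETIN_LEVEL: read lslpp -la style lines on stdin and
# print "<fileset> <level> UPDATE" when the installed level is earlier than or
# equal to the bulletin level, otherwise "<fileset> <level> OK".
check_filesets() {
    prefix=$1
    bulletin=$2
    awk -v p="$prefix" 'index($1, p) == 1 && $2 ~ /^[0-9]+(\.[0-9]+)+$/ { print $1, $2 }' |
    sort -u |
    while read -r fileset level; do
        if [ "$(cmp_level "$level" "$bulletin")" -le 0 ]; then
            echo "$fileset $level UPDATE"
        else
            echo "$fileset $level OK"
        fi
    done
}

# BULLETIN_* are placeholders; take the real levels from your security bulletin.
BULLETIN_OPENSSL=0.9.8.2400
BULLETIN_OPENSSH=6.0.0.6000
printf '%s\n' "$SAMPLE_LSLPP" | check_filesets openssl.base "$BULLETIN_OPENSSL"
printf '%s\n' "$SAMPLE_LSLPP" | check_filesets openssh.base "$BULLETIN_OPENSSH"
```

On a live host, pipe the output of the lslpp command from step 2 into check_filesets instead of the sample text.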
B. Install the OpenSSL and OpenSSH packages
Restriction: Use the following installation instructions only if the security bulletin linked directly to this installation procedure. If you are installing OpenSSL or OpenSSH as part of an IBM Smart Analytics System fix pack or an IBM PureData System for Operational Analytics fix pack, use the installation instructions for the fix pack.

1. Navigate to the AIX Web Download Pack Program page using the download link in the security bulletin and log in with your IBM registration ID and password.

2. Download the OpenSSL and OpenSSH packages listed on the security bulletin.

To download an OpenSSL package:
    1. Select the OpenSSL radio button and click Continue.
    2. Identify the correct OpenSSL package and select the OpenSSL Images checkbox.
    3. Click Download now. The Download Director will download the files to a temporary directory.

To download an OpenSSH package:
    1. Select the OpenSSH radio button and click Continue.
    2. Identify the correct OpenSSH package and select the OpenSSH Image checkbox.
    3. Click Download now. The Download Director will download the files to a temporary directory.

3. Copy the packages to the management host in the system and uncompress the files.

a. Log in to the management host as the root user.

b. Copy the OpenSSL and the OpenSSH patch files to the following directory on the management host:

/BCU_share/securitypatch

Note: The /BCU_share directory is exported through NFS to all of the hosts in the system.

c. On the management host, issue the following commands to uncompress the OpenSSL and OpenSSH patch files:

cd /BCU_share/securitypatch
zcat <openSSL_file_name> | tar -xvf -
zcat <openSSH_file_name> | tar -xvf -


4. Install the packages on each AIX host in the system. Install these fixes during a maintenance window because you might need to reboot each AIX host in the system after the patches are installed.

a. Back up the /etc/ssh directory on each AIX host in the system.

b. Verify that you can log in to the remote console for each AIX host through the Hardware Management Console (HMC).

c. Use the mksysb command to create a backup image of each host. Verify that the backup image is both bootable and readable.

d. On each AIX host, run the following commands to preview the OpenSSL package. During the preview, an automated prerequisite check runs and verifies that the AIX host can be updated with the patch.

cd /BCU_share/securitypatch/<openSSL_file_name>
installp -apYd . openssl

e. On each AIX host, run the following command to install the OpenSSL package:

installp -aXYd . openssl

f. On each AIX host, run the following commands to preview the OpenSSH package. During the preview, an automated prerequisite check runs and verifies that the AIX host can be updated with the patch.

cd /BCU_share/securitypatch/<openSSH_file_name>
installp -apYd . openssh

g. On each AIX host, run the following command to install the OpenSSH package:

installp -aXYd . openssh

h. Reboot each host where you installed the OpenSSL and the OpenSSH package.

Note: The AIX security bulletin might state that you do not need to reboot the host. However, rebooting the host ensures that all processes that were running prior to the update will be restarted using the updated OpenSSL and OpenSSH packages.

Alternatively, if you do not want to reboot each host, you can restart the services that are using the earlier versions of the OpenSSL and the OpenSSH packages. After you have installed the new versions of the OpenSSL and OpenSSH packages, use the following command on each host to determine if there are any processes using the earlier versions of the OpenSSL and the OpenSSH packages:
    fuser -d /usr

If you have enabled DSH on your system, run the following command on the management host:
    dsh -n <nodelist> -r $(which ssh) 'fuser -d /usr 2>&1 | sed "s|/usr:||" | sed "s|[se]||g" | xargs -n 1 ps | grep -v PID' | sort

Note: Enter the command on a single line. Any line breaks in the command are for display purposes only.

Where:
  • fuser -d /usr returns all the PIDs accessing files that have been delinked from the /usr file system
  • <nodelist> is a comma-separated list of host names
  • $(which ssh) is the full path to the SSH command
  • sed "s|/usr:||" removes the /usr: output from the fuser command
  • sed "s|[se]||g" removes the s or e prefix on the PIDs returned from the fuser command
  • xargs -n 1 ps runs ps <PID> for each PID returned from the fuser command
  • grep -v PID removes the unwanted output from the ps command
  • sort sorts the output from the DSH command so you can see all of the output from the same host

The processes returned in the command output represent the processes that are currently using the earlier versions of the OpenSSL and the OpenSSH packages. Restart these services to ensure they are using the new versions of the OpenSSH and the OpenSSL packages.

The following example shows how to use the DSH command to identify the services that are using the earlier versions of the OpenSSH and the OpenSSL packages on a system that includes six nodes (bcu001, bcu002, bcu003, bcu004, bcu005, bcustandby), where bcu001 is the management host, and the others are core warehouse hosts.

dsh -n bcu001,bcu002,bcu003,bcu004,bcu005,bcustandby -r $(which ssh) 'fuser -d /usr 2>&1 | sed "s|/usr:||" | sed "s|[se]||g" | xargs -n 1 ps | grep -v PID' | sort

The output returned by the command in a sample scenario:
bcu001:  1900572      - A     0:00 /opt/ibm/director/cimom/bin/tier1slp
bcu001:  2294266      - A     0:00 /usr/bin/cimlistener
bcu001:  2556362      - A     2:35 [cimserve]
bcu001:  2687438      - A     0:04 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 11 16 r
bcu001:  3211334      - A     0:00 /usr/sbin/sshd
bcu001:  6488482      - A     0:00 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 9 25 ro
bcu001:  6881484      - A     0:01 sshd: root@pts/1
bcu004:   3997780      - A     0:00 /usr/bin/cimlistener
bcu005:  2425010      - A     3:15 [cimserve]
bcu005:  2687414      - A     0:00 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 6 9 roo
bcu005:  2818074      - A     0:04 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 16 19 r
bcu005:  2883766      - A     0:00 /usr/bin/cimlistener
bcustandby:  2556354      - A     3:29 [cimserve]
bcustandby:  3014876      - A     0:00 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 6 9 roo
bcustandby:  3408104      - A     0:05 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 16 19 r
bcustandby:  3539444      - A     0:00 /usr/bin/cimlistener

The example output indicates that the bcu001, bcu004, bcu005, and bcustandby nodes all have processes using the earlier versions of OpenSSH and OpenSSL. These processes are related to the SSH daemon and the IBM Systems Director Platform Agent.


Based on the sample output, the IBM Systems Director Platform Agent needs to be restarted on the bcu001, bcu004, bcu005, and bcustandby nodes. Issue the following commands on each of these nodes to restart the IBM Systems Director Platform Agent:

stopsrc -s platform_agent
stopsrc -s cimsys

startsrc -s platform_agent


Based on the example output, the SSH daemon needs to be restarted on the bcu001 node. Issue the following commands on this node to restart the SSH daemon:

stopsrc -s sshd
startsrc -s sshd
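
The triage of the sample output above, as an added shell example that is not part of the original technote: it reads the sorted dsh output and prints, per host, which of the two restart sequences from this section applies. The function names and the mapping from process names to subsystems are assumptions inferred from the sample output; any other process is flagged for manual review.

```sh
#!/bin/sh
# Added example (not IBM's code): turn sorted dsh/fuser output into a restart plan.

# Constructed sample input: a subset of the sample output shown above.
SAMPLE_DSH='bcu001:  1900572      - A     0:00 /opt/ibm/director/cimom/bin/tier1slp
bcu001:  3211334      - A     0:00 /usr/sbin/sshd
bcu001:  6881484      - A     0:01 sshd: root@pts/1
bcu004:   3997780      - A     0:00 /usr/bin/cimlistener
bcu005:  2425010      - A     3:15 [cimserve]
bcu005:  2687414      - A     0:00 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 6 9 roo
bcustandby:  3539444      - A     0:00 /usr/bin/cimlistener'

# restart_plan: read "host: PID TTY STAT TIME COMMAND" lines on stdin and print
# unique "host subsystem" pairs. Assumption: the process-name patterns are
# inferred from the sample output; anything else is reported as UNMAPPED.
restart_plan() {
    awk '{
        host = $1; sub(/:$/, "", host)
        prog = $6                      # first word of the ps COMMAND column
        sub(/:$/, "", prog)            # "sshd:" (session process) -> "sshd"
        sub(/^.*\//, "", prog)         # strip the directory part
        if (prog == "sshd") svc = "sshd"
        else if (prog ~ /cimlistener|cimserve|cimprovagt|tier1slp/) svc = "platform_agent"
        else svc = "UNMAPPED:" prog
        print host, svc
    }' | sort -u
}

# hosts_for SUBSYSTEM: comma-separated hosts whose plan includes SUBSYSTEM.
hosts_for() {
    restart_plan | awk -v s="$1" '$2 == s { printf "%s%s", sep, $1; sep = "," } END { print "" }'
}

# plan_commands: expand the plan into the SRC commands given in this technote.
plan_commands() {
    restart_plan | while read -r host svc; do
        case $svc in
            sshd) echo "$host: stopsrc -s sshd; startsrc -s sshd" ;;
            platform_agent) echo "$host: stopsrc -s platform_agent; stopsrc -s cimsys; startsrc -s platform_agent" ;;
            *) echo "$host: review manually ($svc)" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_DSH" | plan_commands
```

After the restarts, rerun the fuser check; an empty result for a host means no process there still holds the replaced files open.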


Document history:
March 5, 2014:
- Updated installation instructions for IBM Smart Analytics System 7600, 7700, and 7710; and IBM PureData System for Operational Analytics A1791.
- Updated installation instructions for IBM InfoSphere Balanced Warehouse C3000 for Linux, C4000 for Linux, and D5100; and IBM Smart Analytics System 1050 for Linux, 2050 for Linux, 5600 V1, 5600 V2, and 5710.

May 31, 2013: Original version published.

Related information

Restarting the Platform Agent

Cross reference information
Segment Product Component Platform Version Edition
Information Management IBM Smart Analytics System IBM Smart Analytics System 1050
Information Management IBM Smart Analytics System IBM Smart Analytics System 2050
Information Management IBM Smart Analytics System IBM Smart Analytics System 5600
Information Management IBM Smart Analytics System IBM Smart Analytics System 7600
Information Management IBM Smart Analytics System IBM Smart Analytics System 7700
Information Management IBM Smart Analytics System IBM Smart Analytics System 7710
Information Management InfoSphere Balanced Warehouse Balanced Warehouse C Class
Information Management InfoSphere Balanced Warehouse Balanced Warehouse D Class - D5100
Information Management IBM Smart Analytics System IBM Smart Analytics System 5710

Document information


More support for:

IBM Smart Analytics System

Software version:

9.5, 9.7, 10.1

Operating system(s):

AIX 6.1, Linux

Reference #:

1634929

Modified date:

2014-03-05
