Troubleshooting
Problem
You have been directed by IBM to update OpenSSL in your IBM InfoSphere Balanced Warehouse, IBM Smart Analytics System, or IBM PureData System for Operational Analytics environment.
Cause
These products ship OpenSSL as part of the operating system. The operating system vendor has released updates to OpenSSL that contain bug fixes or security-related fixes. Your IBM InfoSphere Balanced Warehouse, IBM Smart Analytics System, or IBM PureData System for Operational Analytics environment needs to be updated with the new security-related updates.
Environment
IBM InfoSphere Balanced Warehouse C3000 for Linux
IBM InfoSphere Balanced Warehouse C4000 for Linux
IBM InfoSphere Balanced Warehouse D5100
IBM Smart Analytics System 1050 for Linux
IBM Smart Analytics System 2050 for Linux
IBM Smart Analytics System 5600 V1
IBM Smart Analytics System 5600 V2
IBM Smart Analytics System 5710
IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710
IBM PureData System for Operational Analytics A1791
Resolving The Problem
Installation instructions for the following releases:
|
| A. Verify the OpenSSL and OpenSSH packages need to be updated |
| 1. In the security bulletin that directed you to this document, use the Novell patch link in the Download Link column to determine the versions of the OpenSSL and OpenSSH packages that are required for your system. 2. Determine the OpenSSL and OpenSSH versions installed on your system. a. Issue the following command on each node in your system to determine the installed versions of the openssl packages. rpm -qa | grep openssl The command should return output similar to the following output. libopenssl0_9_8-0.9.8j-0.50.1 libopenssl0_9_8-32bit-0.9.8j-0.50.1 openssl-0.9.8j-0.50.1 openssl-certs-1.95-0.4.1 b. Issue the following command on each node to determine the installed versions of the openssh packages. rpm -qa | grep openssh The command should return output similar to the following output. openssh-6.2p2-0.9.1 openssh-askpass-6.2p2-0.9.1 3. Compare the versions contained in the Novell patch with the versions installed on your system. If a package version contained in the Novell patch is later than the version installed on your system as indicated by a higher version number, you must download and install that package. |
| B. Install the OpenSSL and OpenSSH packages |
| 1. Download the Novell patch using the link in the Download Link column of the security bulletin. 2. Use the rpm command to update the required packages. For each package that you must update, issue the following command: rpm -U <package_name>.rpm where <package_name> represents the name of the package. Note: For the IBM Smart Analytics System 5600 V1 and 5600 V2, you must update the required packages on each node. |
Installation instructions for the following releases:
|
| A. Verify the OpenSSL and OpenSSH packages need to be updated |
| 1. In the security bulletin that directed you to this document, determine the versions of the OpenSSL and the OpenSSH packages that are required for your system. 2. Run the following command on each host in your system to determine the OpenSSL and OpenSSH versions installed on your system: lslpp -la | egrep "openssl.base|openssh.base" | sort | uniq The command should return output similar to the following output. In the following output, the installed version of the OpenSSL package is 0.9.8.2400 and the installed version of the OpenSSH package is 6.0.0.6101. openssh.base.client 6.0.0.6101 COMMITTED Open Secure Shell Commands openssh.base.server 6.0.0.6101 COMMITTED Open Secure Shell Server openssl.base 0.9.8.2400 COMMITTED Open Secure Socket Layer 3. Compare the versions specified in the security bulletin with the versions installed on your system. If the versions installed on your system are either earlier than or equivalent to the versions specified in the security bulletin, you must install the later versions specified in the security bulletin. |
| B. Install the OpenSSL and OpenSSH packages |
| Restriction: Use the following installation instructions only if the security bulletin linked directly to this installation procedure. If you are installing OpenSSL or OpenSSH as part of an IBM Smart Analytics System fix pack or an IBM PureData System for Operational Analytics fix pack, use the installation instructions for the fix pack. 1. Navigate to the AIX Web Download Pack Program page using the download link in the security bulletin and log in with your IBM registration ID and password. 2. Download the OpenSSL and OpenSSH packages listed on the security bulletin. To download an OpenSSL package:
To download an OpenSSH package:
3. Copy the packages to the management host in the system and uncompress the files. a. Log in to the management host as the root user. b. Copy the OpenSSL and the OpenSSH patch files to the following directory on the management host: /BCU_share/securitypatch Note: The /BCU_share directory is exported through NFS to all of the hosts in the system. c. On the management host, issue the following commands to uncompress the OpenSSL and OpenSSH patch files: cd /BCU_share/securitypatch zcat <openSSL_file_name> | tar -xvf - zcat <openSSH_file_name> | tar -xvf - 4. Install the packages on each AIX host in the system. Install these fixes during a maintenance window because you might need to reboot each AIX host in the system after the patches are installed. a. Back up the /etc/ssh directory on each AIX host in the system. b. Verify that you can log in to the remote console for each AIX host through the Hardware Management Console (HMC). c. Use the mksysb command to create a backup image of each host. Verify that the backup image is both bootable and readable. d. On each AIX host, run the following commands to preview the OpenSSL package. During the preview, an automated prerequisite check runs and verifies that the AIX host can be updated with the patch. cd /BCU_share/securitypatch/<openSSL_file_name> installp -apYd . openssl e. On each AIX host, run the following command to install the OpenSSL package: installp -aXYd . openssl f. On each AIX host, run the following commands to preview the OpenSSH package. During the preview, an automated prerequisite check runs and verifies that the AIX host can be updated with the patch. cd /BCU_share/securitypatch/<openSSH_file_name> installp -apYd . openssh g. On each AIX host, run the following command to install the OpenSSH package: installp -aXYd . openssh h. Reboot each host where you installed the OpenSSL and the OpenSSH package. Note: The AIX security bulletin might state that you do not need to reboot the host. However, rebooting the host ensures that all processes that were running prior to the update will be restarted using the updated OpenSSL and OpenSSH packages. Alternatively, if you do not want to reboot each host, you can restart the services that are using the earlier versions of the OpenSSL and the OpenSSH packages. After you have installed the new versions of the OpenSSL and OpenSSH packages, use the following command on each host to determine if there are any processes using the earlier versions of the OpenSSL and the OpenSSH packages:
If you have enabled DSH on your system, run the following command on the management host:
Note: Enter the command on a single line. Any line breaks in the command are for display purposes only. Where:
The processes returned in the command output represent the processes that are currently using the earlier versions of the OpenSSH and the OpenSSH packages. Restart these services to ensure they are using the new versions of the OpenSSH and the OpenSSL packages. The following example shows how to use the DSH command to identify the services that are using the earlier versions of the OpenSSH and the OpenSSL packages on a system that includes six nodes (bcu001, bcu002, bcu003, bcu004, bcu005, bcustandby), where bcu001 is the management host, and the others are core warehouse hosts. dsh -n bcu001,bcu002,bcu003,bcu004,bcu005,bcustandby -r $(which ssh) 'fuser -d /usr 2>&1 | sed "s|/usr:||" | sed "s|[se]||g" | xargs -n 1 ps | grep -v PID' | sort The output returned by the command in a sample scenario: bcu001: 1900572 - A 0:00 /opt/ibm/director/cimom/bin/tier1slp bcu001: 2294266 - A 0:00 /usr/bin/cimlistener bcu001: 2556362 - A 2:35 [cimserve] bcu001: 2687438 - A 0:04 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 11 16 r bcu001: 3211334 - A 0:00 /usr/sbin/sshd bcu001: 6488482 - A 0:00 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 9 25 ro bcu001: 6881484 - A 0:01 sshd: root@pts/1 bcu004: 3997780 - A 0:00 /usr/bin/cimlistener bcu005: 2425010 - A 3:15 [cimserve] bcu005: 2687414 - A 0:00 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 6 9 roo bcu005: 2818074 - A 0:04 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 16 19 r bcu005: 2883766 - A 0:00 /usr/bin/cimlistener bcustandby: 2556354 - A 3:29 [cimserve] bcustandby: 3014876 - A 0:00 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 6 9 roo bcustandby: 3408104 - A 0:05 /opt/freeware/cimom/pegasus/bin/cimprovagt 0 16 19 r bcustandby: 3539444 - A 0:00 /usr/bin/cimlistener The example output indicates that the bcu001, bcu004, bcu005, and bcustandby nodes all have processes using the earlier versions of OpenSSH and OpenSSL. These processes are related to the SSH daemon and the IBM System Director Platform Agent. Based on the sample output, the IBM Systems Director Platform Agent needs to be restarted on the bcu001, bcu004, bcu005, and bcustandby nodes. Issue the following commands on each of these nodes to restart the IBM Systems Director Platform Agent: stopsrc -s platform_agent stopsrc -s cimsys startsrc -s platform_agent Based on the example output, the SSH daemon needs to be restarted on the bcu001 node. Issue the following commands on this node to restart the SSH daemon: stopsrc -s sshd startsrc -s sshd |
Document history:
March 5, 2014:
- Updated installation instructions for IBM Smart Analytics System 7600, 7700, and 7710; and IBM PureData System for Operational Analytics A1791.
- Updated installation instructions for IBM InfoSphere Balanced Warehouse C3000 for Linux, C4000 for Linux, and D5100; and IBM Smart Analytics System 1050 for Linux, 2050 for Linux, 5600 V1, 5600 V2, and 5710
May 31, 2013: Original version published.
Related Information
[{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"Not Applicable","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}],"Version":"9.5;9.7;10.1","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 1050","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 2050","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 5600","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 7600","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 7700","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 7710","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSFVXC","label":"InfoSphere Balanced Warehouse"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Balanced Warehouse C Class","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSFVXC","label":"InfoSphere Balanced Warehouse"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Balanced Warehouse D Class - D5100","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"SSKT3D","label":"IBM Smart Analytics System"},"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Component":"IBM Smart Analytics System 5710","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"","label":""}}]
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21634929