Tivoli Netcool/OMNIbus 7.4.0 Fix Pack 2, 7.4.0-TIV-NCOMNIbus-FP0002

Download Description

The following defect solutions are included in this fix pack:

IV26844
A reference to a row variable in a subselect clause is permitted
only if the row variable is on a different nesting level.
The following example is NOT allowed:
create or replace procedure test1()
begin
for each row status_row in alerts.status where status_row.Identifier not in
(select status_row.Identifier from alerts.test_tab )
begin
....
end;
end;
The following example IS allowed:
create or replace procedure test1()
begin
for each row t_group in catalog.trigger_groups
begin
for each row trig in catalog.trigger_stats where
trig.TriggerName in ( select TriggerName from catalog.triggers where GroupName = t_group.GroupName )
begin
...
end;
end;
end;


IV40455
SP800-131 enhanced encryption settings are now supported. To
configure this encryption, add settings to the
$NCHOME/etc/security/fips.conf file on UNIX, or the
%NCHOME%\ini\security\fips.conf file on Windows.

The fips.conf file activates FIPS 140-2 mode, so you must
configure FIPS 140-2 mode before you can configure SP800-131
enhanced encryption. If you are using Java components, you must
also configure the JRE for FIPS 140-2 mode. Search the Tivoli
Netcool/OMNIbus Installation and Deployment Guide or the
information center for "Configuring the JRE for FIPS 140-2 mode"
for instructions.

To configure SP800-131, add the following parameters to the
fips.conf file:

SP800_131MODE=TRUE
TLS12_ONLY=TRUE
SHA2_CERTIFICATES_ONLY=TRUE
STRICT_CERTIFICATE_CHECK=TRUE

These parameters have the following effects:

SP800_131MODE: Enables TLS 1.2. For Java components, this setting
also enables JSSE2 SP800-131 support, unless it is overridden by
the STRICT_CERTIFICATE_CHECK parameter.
TLS12_ONLY: Disables all protocols except TLS 1.2. Do not use
this setting unless the SP800_131MODE parameter is also enabled.
SHA2_CERTIFICATES_ONLY: Enables TLS 1.2 Signature and Hash
Algorithm Restrictions. Only server certificates that meet the
restrictions are accepted. This parameter has no effect on Java
components unless the STRICT_CERTIFICATE_CHECK parameter is also
set.
STRICT_CERTIFICATE_CHECK: Enforces TLS 1.2 Signature and Hash
Algorithm Restrictions on all certificates in the chain. Do not
use this parameter unless the SP800_131MODE and
SHA2_CERTIFICATES_ONLY parameters are also set. If Java components
will be used this setting must not be used unless
SP800_131MODE, TLS12_ONLY and SHA2_CERTIFICATES_ONLY are all set.

If the SHA2_CERTIFICATES_ONLY or STRICT_CERTIFICATE_CHECK
parameters are set, or if both are set, use the -size and
-sig_alg options when you run the nc_gskcmd command-line utility
to generate and sign certificates. For example, if you run
nc_gskcmd with the "-cert -create" or the "-certreq -create"
command-line options, also use "-size 2048 -sig_alg
SHA512_WITH_RSA". If you run nc_gskcmd with the "-cert -sign"
command-line options, also use "-sig_alg SHA512_WITH_RSA".


IV39389
When the environment variable TZ is set to "localtime" on Solaris
11 servers, the local time zone cannot be detected correctly by
Netcool/OMNIbus applications. This causes problems for some
time-sensitive functions, such as the datetotime and timetodate
functions used in rules file processing, and the to_char,
to_time, and to_date SQL functions.
This problem has been fixed.


IV33495
When the ObjectServer MaxLogFileSize property is set to a value
greater than 2 GB, the log file is not rotated but instead grows
indefinitely. This problem has been fixed.


IV34550
The SQL interactive interface on UNIX (nco_sql) did not prompt
for a password when running SQL commands from a file and when the
-nosecure option was also used.
In the following example, no password prompt appears and the
nco_sql connection fails:
nco_sql -server NCOMS -user root -nosecure < sample.sql
A new -input option has been added to nco_sql to allow the
password prompt to appear, and the connection to succeed, when
running SQL commands from a file using the -nosecure option.
This option can also be used when the -nosecure option is not
used, instead of the old file input syntax (< sample.sql).
The new way to execute this command is:
nco_sql -server NCOMS -user root -nosecure -input sample.sql


IV36482
The UPGRADE.SH script that is used to manually migrate data from
a previous Tivoli Netcool/OMNIbus installation is incorrect for
zLinux. The architecture variable check is incorrectly set to
linuxs390 instead of to linux2s390.
This problem has been resolved.


IV37018
A port scan by a Qualsys scanner can cause the ObjectServer to
terminate. This problem has been fixed.


IV37451
A deadlock can cause the ObjectServer to hang. This problem can
occur if an array bound error occurs during a subselect in a FOR
EACH ROW loop. This problem has been resolved.


IV35936
Netcool MIB Manager is slow to populate the Device Association
window after the Create Device button is clicked. This problem
has been resolved.


IV37316
For locales with multi-byte character sets, such as ja_JP.sjis,
probe application names specified by the probe Name property are
not populated in the ObjectServer. This problem has been fixed.


IV38671
The GSKit component used by Tivoli Netcool/OMNIbus is upgraded to
version 8.0.14.27. This is done to address a potential security
problem that is fixed in this version of GSKit.


IV40456
Resolution of RFE 31686: HTTP support library (libnhttpd) has a
JSON configuration file (${OMNIHOME}/etc/libnhttpd.json) that
allows a user to manage and change the response settings of the
HTTP interface. From this configuration file a user can assign a
MIME type to a given file extension. If a file of that type is
served from the HTTP interface when file serving is enabled, the
HTTP header "Content-Type" will be assigned the MIME type
assigned to it in the configuration file. A user can also set in
the configuration file a set of user defined HTTP headers that
should always be returned in all HTTP response from the
interface. It is also possible from this file to override some of
the Cross-Origin Resource Sharing (CORS) standard HTTP headers
such as "Access-Control-Allow-Headers" and
"Access-Control-Expose-Headers" to enabled additional HTTP
headers in the response, if required.


IV38627
When enabled, the escalate_off, flash_not_ack, and
mail_on_critical triggers must be members of the primary_only
trigger group so that they execute only on the acting primary
server in a failover configuration setup.
For newly initiated servers, this problem has been resolved in
nco_dbinit.
For existing servers, if the three triggers are enabled, move
them to the primary_only trigger group by connecting to the
server and executing the following SQL commands:
alter trigger escalate_off set group primary_only;
alter trigger flash_not_ack set group primary_only;
alter trigger mail_on_critical set group primary_only;
go


IV37335
The Netcool/OMNIbus Tivoli EIF and TSRM gateways can hang on
start-up. This problem has been resolved.


IV39542
The ObjectServer can terminate unexpectedly when multiple clients
attempt to log on concurrently while it is starting up. The
following message is written to log:
OpenServer - Fatal Connect Error: 16382/15/0E-IPC005-001 mutex is
already created
This is caused by a timing window in the initialization code and
does not occur after a log-on has completed.
This problem has been resolved.


IV39993
After updating the RawCapture property via the nco_http
interface, the property gets updated, the .cap file is created,
but no data is written to file. This problem has been resolved.


IV35914
The nnm7 probe (nco_p_nnm7) core dumps. The core file analysis
shows that the problem is due to NRCToString() in libnetcool.
This problem has been resolved.


IV37676
The JRE for Tivoli Netcool/OMNIbus V7.3.1 and V7.4.0 was updated
to IBM JRE 6.0 SR13 FP1 to address possible security issues.


IV40655
The RDF/XML response payload to either the Event, Journal or
Detail query capability now provides the members resource
reference list in a "Collection" resource instance, rather than
within the "ResponseInfo" resource instance. This is required for
compliance with version 2 of the OSLC core specification. This is
now the default response representation as the previous one was
in error. If the previous incorrect format is required for the
provision of backward compatibility and a migration pathway to
the corrected format set the ObjectServer property
NRestOS.OSLCRDFMsgFormat to a string value of MIGRATION. This
will result in the OSLC interface generating the members resource
reference list n both the "ResponseInfo" resource and a
"Collection" resource instance. This format provides both the old
and new formats at the same time. It is recommended that the
older format is migrated from as soon as possible as there is a
performance cost in generating the migration message format.
In addition to this format change, the URI parameter
oslc.properties is now supported on resource and query URIs.


IV40873
The ObjectServer can be configured to authenticate with LDAP
servers. When a user logs into the ObjectServer, the current
behaviour is to generate a distinguished name (DN) using a
provided template and bind directly to the LDAP server. The bind
validates the user's password.

This APAR provides an LDAP Search option. It issues a query to
the LDAP server to obtain the distinguished name. It uses the
returned distinguished name to bind and validate the password.
This provides more flexibility. For example, it enables the
ObjectServer to authenticate users against users in multiple
organisational units (OU) and allows the use of sAMAccountName
on Microsoft Active Directory.

LDAP search is configured and activated using the parameters
'LDAPSearchBase' and 'LDAPSearchFilter' in the ldap.props
properties file.

LDAPSearchBase specifies the base distinguished name that an
LDAP search starts from. For example:
LDAPSearchBase: "ou=Tivoli,ou=SWG,o=ibm"

To specify that multiple DNs are searched, separate each DN with
two semicolons (;;).

LDAPSearchFilter specifies a filter for an LDAP search.
For example:
LDAPSearchFilter: "(cn=%s)"

When a user logs in, the ObjectServer replaces the %s in
LDAPSearchFilter with the User Name and issues a query to the
LDAP server.

The LDAP search function can be used to search on the
sAMAccountName when connecting to Microsoft Active Directory. An
example of a query for this is:
LDAPSearchFilter:
'(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))'

Sample queries can be found in a new version of the
$OMNIHOME/etc/ldap.props file applied by this APAR. If your
original ldap.props was modified since installation, it will not be
updated by this APAR. In this case, the new sample properties file
is available in the $OMNIHOME/etc/default directory.

See the following sections in the Information Center for a
detailed explanation on configuring for LDAP Search.

- Configuring Tivoli Netcool/OMNIbus to use LDAP for external
authentication
- LDAP properties
- LDAP examples


IV41237
Probes can crash when creating internal ProbeWatch events (such as
ProbeWatch Heartbeat events if enabled). This problem has been
resolved.


IV33104
Netcool/OMNIbus v7.3.1 FP5 : LDAP does not authenticate when
using SSL as expected on AIX 6.1. Problem has been fixed.


IV36066
When executing an external procedure its executing correctly but
in the PA log the following message appears:
"Error: Failed to find the specified group 668 for process launch."
This problem has been resolved.


IV43447
In OMNIbus environments using ITNM and the Service Affecting
Events (SAE), running the SAE triggers on the Display
ObjectServer will result in any SAE events that were generated at
the aggregation layer being deleted at the display layer. The sae
trigger group should only be enabled at the Aggregation layer.


IV40305
This APAR addresses internally identified defects against
Netcool MIB Manager, including:

The MIB Manager command-line option values for the -exportscope
option have been changed to no longer contain spaces and no longer
require quoting. The -filetype and -exportscope options are now
compatible. The command line values for the -exportscope option
have been changed to the following: ALL|TRAPS|OBJECTS.

Launching the MIB Manager command line interface on Windows
operating systems no longer opens a second terminal window.

Logging has been fixed to ensure that all appropriate messages are
logged to the MIB Manager log file when using the command line
interface.

Launching the MIB Manager command line interface without any options
will output help information.

Fixed a problem where MIB Manager would sometimes fail to display
the OID Tree.

Added syntax error checking for command line options mismatch.

The logging level NONE was added to the -messagelevel description
that is printed by the -help option.