IBM Support

IBM Cloud Orchestrator Fix Pack 3 (2.4.0.3) for 2.4

Download


Abstract

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition 2.4.0.3 have been made generally available and contain fixes to version 2.4, including all predecessor fix packs.

Download Description

Table of Contents
Sections Description

The Change history section provides an overview on what is new in this release with a description of any new functions or enhancements when applicable.

The How critical is this fix section provides information related to the impact of this release to allow you to assess how your environment may be affected.

The Prerequisites section provides important information to review prior to the installation of this release.

The Download package section provides the direct link to obtain the download package for installation in your environment.

The Installation instructions section provides the installation instructions necessary to apply this release into your environment.

The Known side effects section contains a link to the known problems (open defects) identified at the time of this release.

Supporting Documentation
Document Description

Click to review the detailed system requirements information for a complete list of hardware requirements, supported operating systems, prerequisites and optional supported software, with component-level details and operating system restrictions.

IBM Knowledge Center provides an entry point to product documentation. You can view, browse, and search online information related to the product.

Click to review a complete list of the defects (APARs) resolved in this release including a list of resolved defects for the entire version family.

Prerequisites

Prerequisites include:

Review the Prerequisites tab in the system requirements report for supported versions of Data Protection and Recovery, Databases and Process Management tools.

Review the Software prerequisites page in the IBM Knowledge Center to ensure your environment meets the minimum hypervisor and operating system requirements, especially if you are upgrading from a previous release of IBM Cloud Orchestrator.

Installation Instructions

This fix pack can be installed as a fresh installation or as an upgrade of an existing installation. Follow the instructions in the tabs below.




Fresh installation of IBM Cloud Orchestrator


Step 1: Review the installation page in the IBM Knowledge Center.

Exceptions:

Note the following instructions about the Downloading the required image files topic in the IBM Knowledge Center:

  • In step 4, do not download the IBM Business Process Manager V8.5 packages. Instead, use the IBM Business Process Manager V8.5.6 packages that are provided in IBM Cloud Orchestrator V2.4 Fix Pack 3.

Note the following instructions about the Installing the Deployment Service topic in the IBM Knowledge Center:

  • In step 5, do not copy the IBM Business Process Manager V8.5 packages. Instead, use the IBM Business Process Manager V8.5.6 packages that are provided in IBM Cloud Orchestrator V2.4 Fix Pack 3.

Step 2: Review the information on the Post Install/Upgrade tab above.


Fresh installation of IBM Cloud Orchestrator Enterprise Edition


Step 1: Review the installation page in the IBM Knowledge Center.

Exceptions:

Note the following instructions about the Downloading the required image files topic in the IBM Knowledge Center:

  • In step 4, do not download the IBM Business Process Manager V8.5 packages. Instead, use the IBM Business Process Manager V8.5.6 packages that are provided in IBM Cloud Orchestrator V2.4 Fix Pack 3.

Note the following instructions about the Installing the Deployment Service topic in the IBM Knowledge Center:

  • In step 5, do not copy the IBM Business Process Manager V8.5 packages. Instead, use the IBM Business Process Manager V8.5.6 packages that are provided in IBM Cloud Orchestrator V2.4 Fix Pack 3.

Step 2: Review the information on the Post Install/Upgrade tab above.


Upgrade of IBM Cloud Orchestrator


The following upgrade scenarios are supported:

  • IBM Cloud Orchestrator V2.4 -> IBM Cloud Orchestrator V2.4 Fix Pack 3
  • IBM Cloud Orchestrator V2.4 Fix Pack 1 -> IBM Cloud Orchestrator V2.4 Fix Pack 3
  • IBM Cloud Orchestrator V2.4 Fix Pack 2 -> IBM Cloud Orchestrator V2.4 Fix Pack 3
  • IBM Cloud Orchestrator V2.4 Fix Pack 2 Interim Fix 1 -> IBM Cloud Orchestrator V2.4 Fix Pack 3

Step 1: Disable the fault monitor daemon (db2fmcd) process (to avoid potential problems during the upgrade)

Perform the following steps on each IBM DB2 database server of your IBM Cloud Orchestrator environment (Deployment Server, Central Server 1, and so on).

Note: Review technote 1224009: How to disable the fault monitor daemon (db2fmcd) process for additional details.

  1. Check whether the DB2 fault monitor daemon is running:

    ps aux | grep db2fmcd
  2. If the DB2 fault monitor daemon is running, make a backup copy of the DB2 fault monitor daemon configuration file and disable the daemon:

    /opt/ibm/db2/V10.5/bin/db2fmcu -d
  3. Restart the server.
  4. Check whether the DB2 fault monitor daemon is running:

    ps aux | grep db2fmcd

Step 2: Review the Upgrading topic in the IBM Knowledge Center.

Exception:

Note the following instructions about the Downloading the required image files topic in the IBM Knowledge Center:

  • In Step 3(c), the additional fix package is also required if you are upgrading from IBM Cloud Orchestrator V2.4 Fix Pack 2.
  • In step 4, do not download the IBM Business Process Manager V8.5 packages. Instead, use the IBM Business Process Manager V8.5.6 packages that are provided in IBM Cloud Orchestrator V2.4 Fix Pack 3.

Note the following instructions about the Installing the Deployment Service topic in the IBM Knowledge Center:

  • In step 5, do not copy the IBM Business Process Manager V8.5 packages. Instead, use the IBM Business Process Manager V8.5.6 packages that are provided in IBM Cloud Orchestrator V2.4 Fix Pack 3.

Step 3: Review the information on the Post Install/Upgrade tab above.


Upgrade of IBM Cloud Orchestrator Enterprise Edition


The following upgrade scenarios are supported:

  • IBM Cloud Orchestrator Enterprise Edition V2.4 -> IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 3
  • IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 1 -> IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 3
  • IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 2 -> IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 3
  • IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 2 Interim Fix 1 -> IBM Cloud Orchestrator Enterprise Edition V2.4 Fix Pack 3

Step 1: Disable the fault monitor daemon (db2fmcd) process (to avoid potential problems during the upgrade)

Perform the following steps on each IBM DB2 database server of your IBM Cloud Orchestrator environment (Deployment Server, Central Server 1, and so on).

Note: Review technote 1224009: How to disable the fault monitor daemon (db2fmcd) process for additional details.

  1. Check whether the DB2 fault monitor daemon is running:

    ps aux | grep db2fmcd
  2. If the DB2 fault monitor daemon is running, make a backup copy of the DB2 fault monitor daemon configuration file and disable the daemon:

    /opt/ibm/db2/V10.5/bin/db2fmcu -d
  3. Restart the server.
  4. Check whether the DB2 fault monitor daemon is running:

    ps aux | grep db2fmcd

Step 2: Review the Upgrading topic in the IBM Knowledge Center.

Exception:

Note the following instructions about the Downloading the required image files topic in the IBM Knowledge Center:

  • In Step 3(c), the additional fix package is also required if you are upgrading from IBM Cloud Orchestrator V2.4 Fix Pack 2.
  • In step 4, do not download the IBM Business Process Manager V8.5 packages. Instead, use the IBM Business Process Manager V8.5.6 packages that are provided in IBM Cloud Orchestrator V2.4 Fix Pack 3.

Note the following instructions about the Installing the Deployment Service topic in the IBM Knowledge Center:

  • In step 5, do not copy the IBM Business Process Manager V8.5 packages. Instead, use the IBM Business Process Manager V8.5.6 packages that are provided in IBM Cloud Orchestrator V2.4 Fix Pack 3.

Step 3: Review the information on the Post Install/Upgrade tab above.


Post installation information


After you install or upgrade the IBM Cloud Orchestrator or IBM Cloud Orchestrator Enterprise Edition software, complete the following tasks.

Step 1: Resolve vulnerabilities

For vulnerability details and information about fixes, review the Impact assessment section below.


Post upgrade information


Step 1: Complete the above tasks first.

Step 2: Disable the SSLv3 protocol

Note: This task is necessary only if upgrading to IBM Cloud Orchestrator 2.4.0.3 or IBM Cloud Orchestrator Enterprise Edition 2.4.0.3. In a fresh installation of IBM Cloud Orchestrator 2.4.0.3 or IBM Cloud Orchestrator Enterprise Edition 2.4.0.3, the SSLv3 protocol is disabled by default.

The required Workload Deployer emergency fixes are included in the 2.4.0-CSI-ICO-FP0003-WORKLOAD-DEPLOYER-efixes.tgz file.

To mitigate known security vulnerabilities in already deployed instances, disable the SSLv3 protocol as described in the Disabling SSLv3 protocol in deployed instances topic in the IBM Knowledge Center.

Note the following updates to the "Disabling the SSLv3 protocol in deployed instances" topic:

  1. The following file names are incorrect:
    • Java_Update_AIX.zip should be Java_Update_AIX_for_WorkloadDeployerPatternInstances_ICO_2.4.0.3.zip.
    • Java_Update_Linux.zip should be Java_Update_Linux_for_WorkloadDeployerPatternInstances_ICO_2.4.0.3.zip.
    • Java_Update_Windows.zip should be Java_Update_Windows_for_WorkloadDeployerPatternInstances_ICO_2.4.0.3.zip.

  2. The current topic does not mention upgrading from IBM Cloud Orchestrator (or IBM Cloud Orchestrator Enterprise Edition) V2.4 Fix Pack 2.
    • If you are upgrading from IBM Cloud Orchestrator (or IBM Cloud Orchestrator Enterprise Edition) V2.4 Fix Pack 1 or earlier, complete the steps in the topic to disable the SSLv3 protocol, which will remediate the POODLE vulnerability and update Java to the latest version.
    • If you are upgrading from IBM Cloud Orchestrator (or IBM Cloud Orchestrator Enterprise Edition) V2.4 Fix Pack 2, and you previously completed the steps in this procedure to disable the SSLv3 protocol, you should use the new efix package supplied in IBM Cloud Orchestrator V2.4 Fix Pack 3 to update Java on all deployed instances, to provide additional security fixes.

Step 3: Update the IBM Process Designer

After you upgrade your IBM Cloud Orchestrator installation, you must update the Process Designer to the same level. Review the Configuring IBM Cloud Orchestrator after upgrading from V2.4 topic in the IBM Knowledge Center for details.

Download Package

The following sections provide detailed information related to this release.

How critical is this fix?

Downloads on Fix Central

Click the HTTP link below to obtain the release from Fix Central.

Image directory contents

  • 2.4.0-CSI-ICO-FP0003.tgz: IBM Cloud Orchestrator Version 2.4 Fix Pack 3 for Red Hat Enterprise Linux Multilingual
  • 2.4.0-CSI-ICO-FP0003-WORKLOAD-DEPLOYER-efixes.tgz: Workload Deployer emergency fixes for IBM Cloud Orchestrator Version 2.4 Fix Pack 3

Impact Assessment
Impact Description

Corrective

This is a maintenance release. It contains fixes for client-reported and internally found defects.

Critical

This release also contains fixes to multiple security vulnerabilities.

  • CVE-2015-0157 - IBM DB2 LUW contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by executing a specially-crafted SQL statement with the vulnerable scalar functions. This could result in a DB2 server crash; if so, the server would need to be restarted.
  • CVE-2015-1283 - Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products (Apache IHS), allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716.
  • CVE-2015-1788 - OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a specially crafted binary polynomial field. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
  • CVE-2015-1885 - WebSphere Application Server Full Profile and Liberty Profile could allow a remote attacker to gain elevated privileges on the system caused when OAuth grant type of password is used.
  • CVE-2015-1920 - WebSphere Application Server could allow a remote attacker to execute arbitrary code by connecting to a management port and executing a specific sequence of instructions.
  • CVE-2015-1932 - IBM WebSphere Application Server and IBM WebSphere Virtual Enterprise could allow a remote attacker to obtain information that identifies the proxy server software being used.
  • CVE-2015-1946 - IBM WebSphere Application Server 8.5 and IBM WebSphere Virtual Enterprise 7.0 could allow a local attacker to gain elevated privileges on the system, caused by the user roles not being handled properly.
  • CVE-2015-2017 - IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
  • CVE-2015-2808 - The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
  • CVE-2015-3183 - Apache HTTP Server is vulnerable to HTTP request smuggling, caused by a chunk header parsing flaw in the apr_brigade_flatten() function. By sending a specially-crafted request in a malformed chunked header to the Apache HTTP server, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
  • CVE-2015-3646 - OpenStack Keystone could allow a remote attacker to obtain sensitive information, caused by the logging of the backend_argument configuration option content. An attacker with read access could exploit this vulnerability to obtain sensitive information about specific backends.
  • CVE-2015-4000 - The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT ciphersuite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic.
  • CVE-2015-7450 - The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar.
    Note: the scope of this CVE is limited to the WebLogic Server product.
  • CVE-2015-4938 - IBM WebSphere Application Server could allow a remote attacker to spoof a servlet. An attacker could exploit this vulnerability to persuade the user into entering sensitive information.
  • CVE-2015-4947 - IBM HTTP Server Administration Server could be vulnerable to a stack buffer overflow, caused by improper handling of user input. An authenticated remote attacker could overflow a buffer and execute arbitrary code on the system.
  • CVE-2015-7450 - Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java Invoker Transformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
  • CVE-2014-8917 - IBM Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
  • CVE-2014-8176 - The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.
  • CVE-2015-1789 - The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.
  • CVE-2015-1790 - The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.
  • CVE-2015-1791 - Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.
  • CVE-2015-1792 - The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.
  • CVE-2015-1885 - WebSphereOauth20SP.ear in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, 8.5 Liberty Profile before 8.5.5.5, and 8.5 Full Profile before 8.5.5.6, when the OAuth grant type requires sending a password, allows remote attackers to gain privileges via unspecified vectors.
  • CVE-2015-1946 - IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.6, and WebSphere Virtual Enterprise 7.0 before 7.0.0.6 for WebSphere Application Server (WAS) 7.0 and 8.0, does not properly implement user roles, which allows local users to gain privileges via unspecified vectors.
  • CVE-2015-4734 - Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.
  • CVE-2015-4872 - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect integrity via unknown vectors related to Security.
  • CVE-2015-5006 - IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR2, 7 R1 before SR3 FP20, 7 before SR9 FP20, 6 R1 before SR8 FP15, and 6 before SR16 FP15 allow physically proximate attackers to obtain sensitive information by reading the Kerberos Credential Cache.

Test Results

Definitions

Regression: An error in the Maintenance Delivery Vehicle (MDV) that produces incorrect or unexpected behavior causing a supported feature to stop functioning as designed.
This includes:

  • Coding errors that cause a regression
  • Documentation or packaging problems that cause a regression
  • Errors reported in a new function delivered in an MDV that cause a regression

Incomplete: An error in the MDV has not regressed, but does not work as designed.
This includes:

  • Fixed APARs which did not solve the original problem but did not break anything new
  • APARs reporting documentation errors, such as readme errors, that cause problems applying an MDV but do not lead to a regression


Notes:
  • Regression and incomplete APARs are considered fix-in-error or MDV-in-error
  • Definitions above apply only to valid APARs that result in product fixes (APARs returned as working-as-designed are not assessed for being fix-in-error)
  • Issues in major releases due to new functionality do not apply in this definition

There are no known regressions to report.

Problems Solved

Defects resolved

Click the Fix List link in the table of contents above to review a list of the problems solved in this release.

Known Side Effects

Review the following list of known issues and open defects:

There are no known issues to report.

Review the Known errors and limitations section of the IBM Knowledge Center for issues related to this release.

Additional Issues:

To strengthen security and remove weak cipher suites for Apache HTTP Server, complete the following configuration changes:

  1. Log on to Central Server 2 where Apache HTTP Server is running.
  2. Edit the /etc/httpd/sites-enabled/openstack-dashboard configuration file.
  3. In the virtual host configuration section, which starts with VirtualHost *:443, find the SSLCertificateKeyFile entry.
  4. Copy and paste the following text immediately below the line that starts with the text SSLCertificateKeyFile:

    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES

  5. Save your changes.
  6. Restart Apache HTTP Server:

    service httpd restart
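
The following check is an added example, not part of the IBM procedure or product code. It reads an Apache configuration file, extracts the SSLCipherSuite value that applies inside the VirtualHost *:443 block, and reports which of the exclusions from the cipher string above are missing. The function names, the sample configuration files, the placeholder key path and the abbreviated cipher string are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): audit SSLCipherSuite inside <VirtualHost *:443>.

# Exclusions carried by the cipher string in step 4; each must be its own token.
REQUIRED_EXCLUSIONS='!aNULL !eNULL !EXPORT !DES !RC4 !MD5 !3DES'

# Constructed, abbreviated stand-in for the full string in step 4.
HARDENED_SAMPLE='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!3DES'

# Print the SSLCipherSuite value found inside <VirtualHost *:443>.
# Prints an empty line when the directive is absent from that block.
vhost443_ciphers() {
    awk '
        $1 == "<VirtualHost" && $2 == "*:443>" { in_vhost = 1; next }
        $1 == "</VirtualHost>"                 { in_vhost = 0 }
        in_vhost && $1 == "SSLCipherSuite"     { suite = $2 }  # keep the last occurrence
        END { print suite }
    ' "$1"
}

# Return 0 and print "ok" when the directive exists and carries every required
# exclusion; otherwise print the finding and return 1.
audit_vhost443() {
    suite=$(vhost443_ciphers "$1")
    if [ -z "$suite" ]; then
        echo "no SSLCipherSuite in the *:443 virtual host"
        return 1
    fi
    missing=''
    for token in $REQUIRED_EXCLUSIONS; do
        # Match whole colon-delimited tokens so that, for example,
        # !EDH-DSS-DES-CBC3-SHA is not mistaken for !DES.
        case ":$suite:" in
            *":$token:"*) ;;
            *) missing="$missing $token" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing exclusions:$missing"
        return 1
    fi
    echo "ok"
}

# Write a constructed virtual host; $2 (optional) is the cipher string to add
# immediately below SSLCertificateKeyFile, as step 4 describes.
write_vhost() {
    {
        printf '%s\n' '<VirtualHost *:443>'
        printf '%s\n' '    SSLEngine on'
        printf '%s\n' '    SSLCertificateKeyFile /path/to/constructed.key'
        if [ -n "${2:-}" ]; then
            printf '    SSLCipherSuite %s\n' "$2"
        fi
        printf '%s\n' '</VirtualHost>'
    } > "$1"
}

demo() {
    dir=$(mktemp -d)
    write_vhost "$dir/absent.conf"
    write_vhost "$dir/weak.conf" 'HIGH:MEDIUM:!aNULL:!MD5'
    write_vhost "$dir/hardened.conf" "$HARDENED_SAMPLE"
    for name in absent weak hardened; do
        printf '%s: %s\n' "$name" "$(audit_vhost443 "$dir/$name.conf" || true)"
    done
    rm -rf "$dir"
}

demo
```

On Central Server 2, the same function can be pointed at /etc/httpd/sites-enabled/openstack-dashboard after step 5 to confirm the edit landed inside the *:443 block.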

When you install IBM Cloud Orchestrator V2.4 Fix Pack 3, the IBM HTTP Server for WebSphere Application Server V8.5.5 software is re-installed.

If you previously replaced existing certificates to strengthen security in your environment, you must replace the certificates again after the installation of IBM Cloud Orchestrator V2.4 Fix Pack 3.

During the installation of IBM Cloud Orchestrator V2.4 Fix Pack 3, backup copies of the following files are created on Central Server 2:

IBM HTTP Server for WebSphere Application Server V8.5.5 keystore files:
  • /opt/IBM/HTTPServer/bin/key.kdb is backed up to /opt/ibm/BPM/ico/tmp/ihs_key.kdb_2.4.0-CSI-ICO-FP0003
  • /opt/IBM/HTTPServer/bin/key.p12 is backed up to /opt/ibm/BPM/ico/tmp/ihs_key.p12_2.4.0-CSI-ICO-FP0003
  • /opt/IBM/HTTPServer/bin/key.rdb is backed up to /opt/ibm/BPM/ico/tmp/ihs_key.rdb_2.4.0-CSI-ICO-FP0003
  • /opt/IBM/HTTPServer/bin/key.sth is backed up to /opt/ibm/BPM/ico/tmp/ihs_key.sth_2.4.0-CSI-ICO-FP0003

IBM WebSphere Application Server Network Deployment V8.5.5 keystore and truststore files:
  • /opt/ibm/BPM/v8.5/profiles/DmgrProfile/config/cells/PCCell1/key.p12 is backed up to /opt/ibm/BPM/ico/tmp/bpm_dmgr_key.p12_2.4.0-CSI-ICO-FP0003
  • /opt/ibm/BPM/v8.5/profiles/DmgrProfile/config/cells/PCCell1/trust.p12 is backed up to /opt/ibm/BPM/ico/tmp/bpm_dmgr_trust.p12_2.4.0-CSI-ICO-FP0003
  • /opt/ibm/BPM/v8.5/profiles/Node1Profile/config/cells/PCCell1/key.p12 is backed up to /opt/ibm/BPM/ico/tmp/bpm_node_key.p12_2.4.0-CSI-ICO-FP0003
  • /opt/ibm/BPM/v8.5/profiles/Node1Profile/config/cells/PCCell1/trust.p12 is backed up to /opt/ibm/BPM/ico/tmp/bpm_node_trust.p12_2.4.0-CSI-ICO-FP0003

In some situations, when you create a job by using the Deployment Service wizard, the Deployment Service fails to execute the job. If the job passed all the prerequisite checks, the job is created successfully but is not run. In such cases, you can quit the Deployment Service wizard and run the job manually.

  1. To check whether the job was created successfully, run the following command:

    ds job-list


  2. If the status of the job is CREATED, run the job manually as follows:

    ds job-execute job_id

Cloning a virtual image is not supported. If you click PATTERNS > Pattern Design > Virtual Images, select an image, and click the clone icon, the action fails.


In the Simplified Chinese and Traditional Chinese translations of the catalogTool.sh file, the description of the export parameter is mistranslated (it refers to "import" instead of "export").


Before you can use the BPM2VMW toolkit to automate the VMware vCenter, you must complete the following steps:

  1. Download the following (publicly available) libraries and store them in the /opt/ibm/BPM/v8.5/BPM/Lombardi/lib directory on IBM Cloud Orchestrator Central Server 2.

    These files are required for all versions on VMware.

    Download the following files from VIjava, an official project on SourceForge:
    • vijava55b20130927.jar
    • dom4j-1.6.1.jar

      Note: In a high-availability installation, repeat this step on the secondary Central Server 2.
  2. Restart the IBM Business Process Manager server:

    service bpm restart

For Public Cloud Gateway installations only: In a multiple-NIC environment, you must complete additional post configuration steps to ensure that the Public Cloud Gateway can communicate with OpenStack Keystone. Otherwise, the pcg.log file includes the following error:

Unable to generate admin token org.apache.http.conn.HttpHostConnectException: Connection to URL refused

Solution:

  1. Log on to Central Server 2 (where the Public Cloud Gateway is running) as a root user.
  2. Change directory to the /etc/keystone directory.
  3. Open the keystone.conf file.
  4. Search for the bind_host = entry and note the specified IP address.
  5. Change directory to the /opt/ibm/pcg/etc directory.
  6. Edit the config.json file to ensure that the following entries specify the same IP address as noted in step 4:
    • service_url
    • admin_url
  7. Save the updated config.json file.
  8. Change directory to the /opt/ibm/pcg directory.
  9. Open the startServer.sh file.
  10. Ensure that the IP_ADDRESS entry specifies the same IP address as noted in step 4.
  11. Save the updated startServer.sh file.
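
The consistency that steps 4, 6 and 10 ask for can be checked with a short script. This is an added example, not IBM code: it compares the Keystone bind_host value with the host in the service_url and admin_url entries and with the IP_ADDRESS entry. The function names are hypothetical, and the layout assumed for config.json (one "key": "URL" pair per line) and for startServer.sh (an IP_ADDRESS=<address> assignment), along with the sample addresses, ports and paths, are assumptions made for the constructed sample files.

```shell
#!/bin/sh
# Added example (not IBM code): confirm the Public Cloud Gateway files point
# at the address Keystone binds to. File layouts below are assumptions.

# Value of the uncommented bind_host entry in keystone.conf.
keystone_bind_host() {
    awk -F= '$1 ~ /^[ \t]*bind_host[ \t]*$/ {
                 v = $2; gsub(/[ \t]/, "", v)
             }
             END { print v }' "$1"
}

# Host part of a URL-valued key in config.json.
# Assumes one "key": "scheme://host:port/path" pair per line.
json_url_host() {
    awk -F'"' -v key="$2" '$2 == key {
        u = $4
        sub("^[a-z]+://", "", u)   # drop the scheme
        sub("[:/].*$", "", u)      # drop port and path
        print u
    }' "$1"
}

# Value of IP_ADDRESS in startServer.sh (assumed form: IP_ADDRESS=<address>).
script_ip_address() {
    awk -F= '$1 ~ /^(export[ \t]+)?IP_ADDRESS$/ {
                 v = $2; gsub(/[" \t]/, "", v)
             }
             END { print v }' "$1"
}

# Arguments: keystone.conf, config.json, startServer.sh.
# Prints one line per mismatch; returns 0 when all entries agree,
# 1 on a mismatch, 2 when bind_host is not set.
check_pcg_hosts() {
    want=$(keystone_bind_host "$1")
    if [ -z "$want" ]; then
        echo "bind_host is not set in $1"
        return 2
    fi
    rc=0
    for key in service_url admin_url; do
        got=$(json_url_host "$2" "$key")
        if [ "$got" != "$want" ]; then
            echo "config.json $key: '$got' (expected $want)"
            rc=1
        fi
    done
    got=$(script_ip_address "$3")
    if [ "$got" != "$want" ]; then
        echo "startServer.sh IP_ADDRESS: '$got' (expected $want)"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files: $2 = Keystone address, $3 = address in config.json,
# $4 = address in startServer.sh. Ports and paths are placeholders.
write_pcg_samples() {
    printf '[DEFAULT]\n#bind_host = 0.0.0.0\nbind_host = %s\n' "$2" > "$1/keystone.conf"
    printf '{\n  "service_url": "http://%s:5000/v3",\n  "admin_url": "http://%s:35357/v3"\n}\n' \
        "$3" "$3" > "$1/config.json"
    printf '#!/bin/sh\nIP_ADDRESS=%s\n' "$4" > "$1/startServer.sh"
}

demo_pcg() {
    dir=$(mktemp -d)
    # config.json still points at a different NIC than Keystone binds to.
    write_pcg_samples "$dir" 192.0.2.10 198.51.100.7 192.0.2.10
    if check_pcg_hosts "$dir/keystone.conf" "$dir/config.json" "$dir/startServer.sh"; then
        echo "all three files agree"
    fi
    rm -rf "$dir"
}

demo_pcg
```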

For IBM Cloud Orchestrator Enterprise Edition installations only: The installation of IBM SmartCloud Cost Management might fail with the following error:

package ibm-java-x86_64-sdk-7.0-7.0.x86_64 is already installed

Solution:

  1. Install Java by running the following command:

    rpm -iv --replacepkgs ibm-java-x86_64-sdk-7.0-7.0.x86_64.rpm


  2. Run the sccm_install.sh script again.

For high-availability installations only: After you download the SA_MP_v4.1_Lnx.tar file, you must rename the file to SA_MP_4.1_Linux.tar or the installation will fail.


For high-availability deployments only: During the installation of a high-availability topology, a default "host =" entry is incorrectly added to the /etc/nova/nova.conf file.

Solution:

  • Remove the default "host =" entry.

Explanation:

The "host =" entry is required only for the following configurations (in both high-availability and non-high-availability deployments):
  • Connecting to multiple clusters
  • Connecting to different datastores in the same cluster
  • Connecting to multiple vCenters
    • For such configurations in a non-high-availability deployment, you add a new "host =" entry as described in the documentation, so that the /etc/nova/nova.conf file contains only one "host =" entry.
    • For such configurations in a high-availability deployment, you should first delete any default "host =" entries, and then add a new "host =" entry as described in the documentation, so that the /etc/nova/nova.conf file contains only one "host =" entry.

      For all other configurations, ensure that the /etc/nova/nova.conf file does not contain any "host =" entry.


The following items are not currently documented in the Knowledge Center:

In the Software prerequisites topic:

  • The following item should be added to the list of notes under Table 2 "Host and guest operating systems supported by the standard installation":

    "IBM Cloud Orchestrator supports several different versions of VMware vCenter Server. Functionality that is supported on one vCenter Server version might not work on another vCenter Server version. For example, a template that uses a feature that is provided in vCenter Server V5.5 (such as using extra specifications to define Storage Policy Based Management (SPBM) rules to control disk placement) might not work with vCenter Server V5.1. Check the VMware documentation to confirm what functionality is supported in each vCenter Server version."

In the Configuring OpenStack to support linked clones topic:

  1. The first sentence should be changed as follows:

    "By default, IBM Cloud Orchestrator uses linked clones for VMware virtual images that are imported directly into the OpenStack Glance image repository; that is, for images that are not present as templates in vCenter and therefore are not registered in Glance by the discovery process."

  2. The note should be changed as follows:

    "Important: If you manually delete (in vCenter) a linked-clone virtual machine, including the base VMDK disk in the _base folder, all other linked clones of the same image no longer work because the parent disk is deleted from the _base folder.
    If you use IBM Cloud Orchestrator to delete the linked-clone virtual machine, the _base folder disk is not deleted and the other linked clones continue to work."

Open defects

Review the following list of open defects for IBM Cloud Orchestrator on the IBM Support Portal.

Change History

What's new

The following new features or functions have been included in this release:

  • Role access configuration for the menu entries Assigned resources and Patterns.
  • Ability to create custom landing pages and to show them as the main page.

For information about the new features and enhancements, review the What is new in this release topic in the IBM Knowledge Center.

Click the link in the Download Options column:

  • ICO 2.4 fixes (11 Dec 2015, English, Linux): http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+SmartCloud+Orchestrator&release=2.4.0&platform=All&function=all&source=fc



Product: IBM SmartCloud Orchestrator
Component: Installation
Platform: AIX, Linux, Windows
Version: 2.4.0.3
Edition: Enterprise; Standard

Problems (APARS) fixed
IT08314;IT08940;IT08985;IT09260;IT09484;IT09772;IT09813;IT09998;IT10047;IT10233;IT10600;IT10645;IT11077;IT11081;IT11335;IT11654;IT11757;IT12166;IT12412;SE62330;SE62589;SE62900;SE63003;SE63023;ZZ00279;ZZ00313;ZZ00315;ZZ00328;ZZ00341;ZZ00342;ZZ00349;ZZ00368;ZZ00375;ZZ00378;ZZ00379;ZZ00380;ZZ00385;ZZ00386;ZZ00388;ZZ00394;ZZ00396;ZZ00399;ZZ00401;ZZ00402;ZZ00403;ZZ00404;ZZ00405;ZZ00407;ZZ00408;ZZ00410;ZZ00411;ZZ00412;ZZ00413;ZZ00416;ZZ00417;ZZ00418;ZZ00419;ZZ00420;ZZ00421;ZZ00424;ZZ00426;ZZ00429;ZZ00432;ZZ00434;ZZ00435;ZZ00436;ZZ00439;ZZ00446;ZZ00448;ZZ00449;ZZ00451;ZZ00454;ZZ00456;ZZ00458;ZZ00460;ZZ00461;ZZ00464;ZZ00468;ZZ00470;ZZ00471;ZZ00474;ZZ00476;ZZ00477;ZZ00481;ZZ00483;ZZ00486;ZZ00489;ZZ00288;ZZ00290;ZZ00291;ZZ00296;ZZ00303;ZZ00307;ZZ00308;ZZ00309;ZZ00310;ZZ00311;ZZ00319;ZZ00320;ZZ00323;ZZ00324;IT06033;IT06086;IT06144;IT06322;IT06359;IT06488;IT06604;IT06954;IT07223;IT07315;IT07431;IT07489;IT07809;IT07836;IT07961;IT08046;IT08186;SE61056;SE61576;ZZ00259;ZZ00266;ZZ00294;ZZ00300;ZZ00312;ZZ00322;ZZ00340;ZZ00343;ZZ00344;ZZ00345;ZZ00346;ZZ00347;ZZ00348;ZZ00350;ZZ00351;ZZ00352;ZZ00353;ZZ00354;ZZ00358;ZZ00360;ZZ00361;ZZ00362;ZZ00363;ZZ00364;ZZ00366;ZZ00367;ZZ00371;ZZ00376;ZZ00377;ZZ00383;ZZ00389;ZZ00392;ZZ00393

Document Information

Modified date: 05 April 2019

UID: swg24040281