IBM Netcool System Service Monitor SSM 4.0 Fix Pack 1 README Netcool/System Service Monitor 4.0.1 4.0.1-TIV-SSM-FP0001 Readme

To download this update you must first login to IBM FixCentral. Once logged in, you may select from the individual download packages.
http://www.ibm.com/eserver/support/fixes/

Below is a list of components, platforms, and file names that apply to this Readme file.

Hardware and Software requirements.

Non APAR Defect alm00295041 - Can't remote install ssm with V3 Configurations

Problem Description
Remote install fails on all platforms using V3 Configurations with the following error:
KDY3209E: Failed to add v3 user itmkdyuser Could not add the new SNMP v3 user via a remote connection

Non APAR Defect alm00295075 - Can't remote uninstall ssm on windows

Problem Description
Remote uninstall fails on Windows platforms with the following error:
KDY3501E: Could not find the uninstall key with the command regedit /E uninst.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{EFDE76FA-B83A-4608-AFF0-37829C7F5186}. Could not find the required uninstall key.

Non APAR Defect alm00295526 - The transaction.oid file is missing in the oid directory

Problem Description
Trying to load the transaction subagent shows the following warning because the transaction.oid file is missing from the oid subdirectory:
Could not open script file "oid/transaction.oid"

SSM crashes on AIX

Problem Description
Note that users of SSM 4.0 on AIX 5.3 or 6.1 may encounter a crash in gethostbyname(). This is a known AIX operating system bug (APAR IZ37768) with workaround and patches available from the IBM web site:
http://www.ibm.com/support/docview.wss?uid=isg1IZ37768

SSM cores on HPUX

Problem Description
Note that users of SSM 4.0 on HPUX may encounter core files in the SSM if the installation directory where SSM is installed is copied whilst the SSM is starting.

None.

Prior to installation

Although the SSM patch installer will verify its integrity before proceeding, you may verify the integrity of the patch installer without actually installing the patch by using the -t (test) option:

Also note that on some platforms installation may fail if you have any SSM-related programs running. Make sure that you have closed all instances of the SSM console and the MIB Explorer (Windows) prior to installing the patch. The patch installer will stop and restart the ssmagent process automatically.

Installing

SSM patches are self-extracting interactive programs that will guide you through the installation process. You need only execute the installer (for your operating system) and follow the prompts:

Silent installation is achieved by adding the word silent as a parameter to the end of the above command.

Further details about advanced patch installation can be found in the Patch Installation Guide:

Performing the necessary tasks after installation

None.

Troubleshooting installation problems from the Support site

http://www.ibm.com/software/sysmgmt/products/support/NetcoolSystemServiceMonitor.html

Uninstalling if necessary

On Windows, Fix Pack 1 may be uninstalled via Control Panel - Add or Remove Programs. Make sure you check the "Show updates" box for SSM patches to appear in the list. Also ensure that the SSM console and MIB Explorer are not running prior to uninstallation (so that previous file versions may be restored correctly), otherwise the removal process will fail.

On all platforms Fix Pack 1 may also be uninstalled using the "patchman" tool which can be found in the SSM bin directory:

Security Bulletins

SSM 4.0.1 FP1 contains fixes to the following 3 Security Bulletins:

- IBM Tivoli Netcool System Service Monitors/Application Service Monitors Local Configuration file Buffer Overflow (CVE-2013-0508)
- IBM Tivoli Netcool System Service Monitors/Application Service Monitors Transaction MIB Remote Buffer Overflow due to malformed database table names (CVE-2013-0509)
- IBM Tivoli Netcool System Service Monitors/Application Service Monitors is affected by multiple OpenSSL vulnerabilities

Netcool/SSM V4.0.1 FP1 is a security update focused on reducing security risks in the default configuration.

Some functionality has changed, and some subagents must now be activated using additional configuration in the agent init.cfg and agent.cfg files. Below is a list of affected components and any extra configuration required to enable previous functionality. If you do not currently use an affected component, leave it in its default, disabled state.

Updated subagents

RMON ProbeConfig Group

Support for the probeDownloadFile, probleDownloadTFTPServer, probeDownloadAction, and probleDownloadStatus objects has been removed. If download functionality is required, configure and use the File Transfer subagent.

haSubagentTable

The haSubagentTable will load subagents only from the agent bin directory.

agentInivarTable

The agentInivarTable is now read-only. It is not possible to set or change INIVARs via SNMP.

Crontab subagent

Process execution from the Crontab subagent is now disabled by default. If you specify a value in the crontabControlExecutionCommand and have not enabled process execution, the row cannot be made active. To enable process execution, add the INIVAR CrontabProcessExecute to init.cfg and set it to true. For example:

CrontabProcessExecute=true

If you do not enable the INIVAR before configuring the Crontab subagent, the following error message is displayed in the agent log file:

Crontab Execution Command has been disabled. To enable it, set CrontabProcessExecute=on in init.cfg

Process subagent

Three objects in the Process sub-agent have been updated

- psRunningState object in the psRunningTable is now read-only. You can no longer kill processes using this table or set them in a suspended state.

- psExecute and psControlActionCommand objects have been disabled unless the ProcessProcessExecute INIVAR exists and is set to true. If this INIVAR does not exist, or it is set to false, the psExecute object does not work, an SNMP error is returned and an error similar to the following example is displayed in the agent log file.

[PROCESS] Attempt to execute process with out INIVAR "ProcessProcessExecute" being enabled. Command "c:\windows\notepad.exe" will not be executed

If the required INIVAR is not enabled in the psControlActionCommand object, the control row cannot enter an active state. It will either stay notReady, or not be created if it is set up using a script. An error similar to the following example is displayed in the agent log.

[PROCESS] Attempt to set psControlActionCommand to "c:\windows\notepad.exe" without the INIVAR "ProcessProcessExecute" being enabled.

Programmable subagent

The Programmable subagent is now disabled by default. To load the subagent, set the ProgrammableAllowLoad INIVAR to true. Add the subagent load programmable command to the agent.cfg file in the Netcool/SSM config directory. If the INIVAR is not defined and set to true, the subagent does not load and the following error message is displayed in the agent log:

Programmable loading has been disabled. To enable it, set ProgrammableAllowLoad=true in init.cfg

Filetransfer subagent

The Filetransfer subagent has had several updates:

- The Filetransfer subagent does not load unless the FiletransferAllowLoad

INIVAR is set and enabled. Add the subagent load filetransfer command to the agent.cfg file in the Netcool/SSM config directory. If you try to load the subagent without first enabling the INIVAR, the following error message is displayed in the agent log:

File Transfer loading has been disabled. To enable it set FiletransferAllowLoad=true in init.cfg

- The data option in the ftFileBase object has been deprecated. You can no longer specify an arbitrary destination directory to download to.

- A new file transfer host list function enables you to create a list of allowed download hosts. There are three new console commands: fthost add , fthost list , and fthost remove .

Tip: The fthost settings are not saved when the agent is shutdown. To preserve the download list, place these commands in a separate configuration file that is executed at startup.

The syntax of these commands is as shown below:

fthost add address [mask]
fthost remove address [mask]
fthost list

where address is required and is the download server address of the host to be included. You can also specify an address range by combining the address and mask attributes. For example:

fthost add 10.1.2.44

Adds the machine 10.1.2.44 to the download list.

fthost add 10.1.4.0 255.255.255.0

Adds all addresses that start with 10.1.4 to the download list.

fthost list
ADDRESS MASK
------- ----
10.1.2.44 255.255.255.255
10.1.4.0 255.255.255.0

Lists the current download list.

fthost remove 10.1.2.44

Removes the 10.1.2.44 entry from the list.

fthost remove 10.1.4.0 255.255.255.0

Removes the 10.1.4.0 entry from the list.

If a download is attempted from a server that is not in the download list, an error similar to the following is displayed in the agent log file:

[FILETRANSFER] The specified host "10.3.3.2" is not in the allowed hosts list. The download will be failed

Note: If the fthost download list is empty, the Filetransfer subagent will be allowed to download from any server.

Oracle ASM

The Oracle ASM no longer attempts to automatically detect the location of the OCI libraries on the system, but rather requires the location to be provided to the ASM by explicitly setting the OCILibPath INIVAR to the location of the OCI Libraries. The value of this INIVAR should be the absolute path to the OCI Libraries on the system. If the OCILibPath INIVAR is not set, an error is displayed in the agent log file. For example:

[ORACLE] Inivar OCILibPath is not set unable to load Oracle Client Libraries

NTSCM subagent

The ntServicetable is now read only and you can no longer alter the service state or configuration using the ntServiceTableStartType and ntServiceTableControl objects. To change the service state of the ntServiceControlTable, define the NTServiceAllowConfig INIVAR and set it to true.

NTSCM displays the following error messages when trying to configure the ControlTable

NtService Configuration has been disabled. To enable it, set NTServiceAllowConfig=true in init.cfg

Arithmetic subagent

The ability to write strings to files on disk using the -> and ->> operators has been disabled by default. To reinstate this functionality:

1. Create the ArithmeticFileWrite INIVAR and set it to true.

2. Assign a path to the ArithmeticFileWritePath INIVAR. Only files that reside in this path may be written to. Separate multiple directories by the platform specific path separator, a colon (:) for UNIX systems, or a semicolon (;) for Windows systems.

The Arithmetic subagent displays the following error messages if the inivars are absent and trying to use -> and ->> operators:

Arithmetic File Writing has been disabled. To enable it, set ArithmeticFileWrite=on in init.cfg
Arithmetic File Writing has been disabled. To enable it, set ArithmeticFileWritePath to the list of allowable paths in init.cfg

Transaction subagent

If you have upgraded from SSM 4.0.1 to SSM 4.0.1 FP1, the Transaction subagent does not load by default. If you require this subagent, add the following load command to the agent.cfg file:

subagent load transaction

Red Hat Installation requirements

SSM 4.0.1 requires the libstdc++-32-3.2.3 compat libraries and the libstdc++ runtimes to execute on Red Hat Linux 6.x. On 64bit Red Hat systems you may have to install the 64 bit versions of these libraries as well.

Checksums

The SHA1 Checksum of the images are as follows:
SHA1(ssm401-fixpack1-aix-ppc.run)= 57d3abb8cf5b6836cd9e0ba9f3375c15e5519bc4
SHA1(ssm401-fixpack1-hpux-ia64.run)= 4253455f3f266cac38d3095dacdbbdaf606a5cd6
SHA1(ssm401-fixpack1-linux-ppc64.run)= 6df3c2ff757053804f15b4798cef3154a8bb5178
SHA1(ssm401-fixpack1-linux-x86_64.run)= 8a487d6e7915ee7b54c82311ad929c1fdb82336e
SHA1(ssm401-fixpack1-linux-x86.run)= 11b9162b98dcff2de819b7b91cb033183ada9c4e
SHA1(ssm401-fixpack1-Multiplatform-DSCFiles.zip)= 11e9f564a3246877ce55fd45594241dd69030b1a
SHA1(ssm401-fixpack1-solaris-sparc.run)= ac81995f31fdd78d86d9a5ec90d9f103a518417a
SHA1(ssm401-fixpack1-solaris-x86.run)= 60d0b38906ba5ccf081520429da25a7233902050
SHA1(ssm401-fixpack1-win32-x86.exe)= ebd3fa522817daa7a9eca2d6a29880dd1282a56a

Task ID	APAR	Fixed in	Release	Description
alm00293410		4.0.1.78	FP1	Limit ability of ntServices sub-agent to control and alter windows services.
alm00293392		4.0.1.70	FP1	Secure File Transfer sub-agent
alm00293378		4.0.1.69	FP1	Secure Process sub-agent Process execution and control.
alm00293426		4.0.1.67	FP1	Limit ability of the arithmetic sub-agent to write to files.
alm00293917	IV39829	4.0.1.67	FP1	`INIT.SSMAGENT SCRIPT START` SHOULD RETURN 0 WHEN IT IS ALREADY RUNNING (APAR=IV39829)
alm00293349		4.0.1.66	FP1	Remedy RMON Probe Config Security Issues.
alm00293357		4.0.1.66	FP1	Make haSubagentTable only load libraries from the Agent Bin Directory.
alm00293364		4.0.1.66	FP1	Make AgentIniVar table Read Only
alm00293417		4.0.1.66	FP1	MIB2 ifTable should not be able to control interface status.
alm00293319		4.0.1.65	FP1	AppScan Remediate transaction/decode snprint errors
alm00293371		4.0.1.65	FP1	Secure process execution from Crontab sub-agent.
alm00293385		4.0.1.65	FP1	Stop programmable Loading by default.
alm00293399		4.0.1.65	FP1	Limit Oracle Wrapper libraries to loading OCI libraries from Specified Directory
alm00293248		4.0.1.62	FP1	BufferOverflow.FormatString Vulnerabilities need to be resolved.
alm00293158		4.0.1.61	FP1	AppScan SetSecurityDescriptorDacl Calls Should specify a ACL
alm00293272		4.0.1.61	FP1	AppScan BufferOverflow in Memcpy Calls
alm00292456		4.0.1.60	FP1	Make LoadLibrary calls on windows not use a path lookup.
alm00292348	IV38114	4.0.1.56	FP1	Upgrade to OpenSSL 1.0.1e
alm00291996		4.0.1.53	FP1	TransactionEnumTable is writeable. Make it read only.
alm00289390	IV36116	4.0.1.52	FP1	SSM INIT.SSMAGENT FAILS TO FIND ITSELF WHEN STARTED AS A SYMLINK -> RELATIVE SYMLINK -> EXE (APAR=IV36116)
alm00291523	IV38113	4.0.1.52	FP1	Buffer Overflow in hive library can crash the agent.
alm00291931	IV37604	4.0.1.52	FP1	SSM HRSTORAGEUSED PHYSICAL MEMORY IS INCORRECTLY CALCULATED ON AIX (APAR=IV37604)
alm00291971	IV38112	4.0.1.52	FP1	Transaction Sub-Agent Oracle decoder can crash when it encounters a Malformed Packet
alm00292462	IV36665	4.0.1.40	FP1	APAR IV36665: SSM FILEMON SUBAGENT CAN FAIL TO ACTIVATE ROW IF FILESYSTEM FAILS STATFS
alm00293097	IV31463	4.0.1.40	FP1	ON SOME SOLARIS SYSTEMS DISKS THE SSM CAN MARK DISK DEVICES AS DOWN INCORRECTLY. (APAR=IV31463)

Version	Date	Description of change
0.1	29 May 2013	Pending Release
1.0	31 May 2013	Initial Release
1.1	17 June 2013	Added Security Bulletin Links