Troubleshooting
Problem
CIMOM server certificate information.
Resolving The Problem
The CIMOM server is required by ESA for collecting Inventory, and it is a prerequisite product for ESA to work properly. This information is found in the Pre-activation checklist in IBM Knowledge Center.
5770UME V1R3M0 is supported on IBM i V6R1 and V7R1.
5770UME V1R4M0 is supported on IBM i V6R1 and higher (recommended).
The 5722-UME V1R2M0 that shipped with IBM i 6.1 will be updated to 5770-UME when 5770-UME is installed.
Check for the following PTFs for 5770UME R140 on the system:
PTF ID | R720 | R730 | R740 | R750 | Description |
SI51024 (superseded by SI69385) | C4101720 | C6085730 | C9151740 | C2104750 | Implement new metrics to support SQL data via Collection Services, disk unit instance enhancement, and bug fix |
| C4101720 | C6085730 | C9151740 | C2104750 | Ship the translated dat files |
| C5135720 | C6085730 | C9151740 | C2104750 | Enable new feature to support setting the CIM server job's default start priority by QIBM_CIM_DEFAULT_PRIORITY |
| C5310720 | C6085730 | C9151740 | C2104750 | Fix the issue that UME 1.4 cannot be installed successfully on V7R3M0 |
| C5310720 | C6085730 | C9151740 | C2104750 | Fix the issue that ENDTCPSVR gives errors because of the CIMOM server |
SI56797 (superseded by SI69385) | C5310720 | C6085730 | C9151740 | C2104750 | Fix POODLE vulnerability issue |
SI57742 (superseded by SI69385) | C5310720 | C6085730 | C9151740 | C2104750 | Fix the issue that the timestamp retrieved is incorrect |
SI59193 (superseded by SI69385) | C6127720 | C6085730 | C9151740 | C2104750 | To fix the potential risk of SLOTH, MD5 is disabled in this fix |
| C7068720 | C7061730 | C9151740 | C2104750 | Disable the default configuration of 3DES |
| C8249720 | C8242730 | C9151740 | C2104750 | Change to OpenSSL SHA512withRSA algorithm in order to support TLSv1.2 enablement for NIST in ESA |
| C8249720 | C8242730 | C9151740 | C2104750 | 3 new IBM i system metrics |
SI62640 (superseded by SI69385) | C8249720 | C8242730 | C9151740 | C2104750 | Remove PTF check-in QUME_StorageExtentProvider |
SI63556 (Note 1; superseded by SI69385) | C9297720 | C9311730 | C9151740 | C2104750 | gettimeofday() API can't retrieve DST info; can't retrieve metric data from Collection Services |
SI67856 (Note 2; superseded by SI69385) | NONE | NONE | C3313740 | C3306750 | Disable TLSv1.0 |
SI69385 (Note 3; superseded by SI77271) | NONE | NONE | C3313740 | C3306750 | Upgrade CIMOM to enable TLSv1.3 and fix CRIME attack |
SI77271 (Note 3; superseded by SI73543) | NONE | NONE | C3313740 | C3306750 | Disable TLSv1.1 |
SI73543 (Note 3) | NONE | NONE | C3313740 | C3306750 | Firmware information can't be retrieved |
PTF for errors found in the QUMECIMOM job:
Licensed Program Product | R730 | R740 | Description |
5770SS1 | SI75293 | SI75294 | API QtocLstNetIfc might incorrectly receive messages MCH6902 and C2M1212, and QtocRtvNetIfcDta has a potential memory leak. |
Note 1:
End Collection Services, clear the active collection library, and restart Collection Services. (Do not save any data.)
To see what the active collection library is, run CFGPFRCOL from the green screen and press F4. It is displayed in the second field, "Collection library".
Note 2:
This PTF disables TLSv1.0 for the CIM server.
Note 3:
Review the information in APAR SE73824 for download instructions for the PTF.
SPECIAL INSTRUCTIONS:
SI69385 depends on 5733SC1 PTF SI71746, which upgrades OpenSSL to 1.1.1d.
SI69385 only works on IBM i V7R2M0 and higher. Do not try to apply this PTF to V7R1M0 or lower.
2. Install this CIMOM PTF SI69385.
3. This CIMOM PTF lists SI71746 (5733SC1) as a DISREQ PTF. After applying SI69385, double-check that SI71746 is already installed on the system before starting CIMOM.
Then check the OpenSSL version:
i. CALL QP2TERM
ii. openssl version --> Make sure that the OpenSSL version is 1.1.1d or higher.
It is also recommended to review and apply the additional PTFs from the "QUMEPRVAGT job not ending" document, since that is a CIMOM-related job, to prevent further issues.
CIMOM Server Certificate:
ESA invokes the CIM API to implement part of the Inventory collection. For the connection between ESA and the CIM server, a certificate that is within its validity period is needed. ESA is the CIM client.
To check the current validity period of the CIMOM Server certificate:
From the IBM i command line:
STRQSH
Press <ENTER>
Copy/paste or type the following:
openssl x509 -in /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/servercert.pem -noout -text
And press <ENTER>
Look for the section titled Validity. This is the time period in which the self-signed certificate assigned to the CIMOM server is valid. The output also shows additional information about the certificate.
Renew CIMOM certificate:
There are two ways to get a new certificate and private key if they have expired: create a CIM self-signed certificate, or create an SSL certificate from DCM.
Note: A self-signed certificate is recommended. The instructions also include customized steps to create a self-signed certificate that covers most needs.
- CIM Self-signed certificate:
- Create a new self-signed certificate with the DEFAULT information
From the IBM i command line:
ENDTCPSVR SERVER(*CIMOM)
RMVDIR DIR('/QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore') SUBTREE(*ALL)
STRTCPSVR SERVER(*CIMOM)
Note:
Without PTF SI60516, the certificate is SHA-1 by default, and customers can use Digital Certificate Manager (DCM) to create their own certificate using SHA-2 or higher.
If PTF SI60516 is on the system, the certificate is SHA-512 by default, and customers can create their own certificate that uses SHA-2. But we suggest that customers keep SHA-512 by default (much safer), not SHA-2.
- Create a new self-signed certificate with CUSTOMIZED information
1) Customize the information in the /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/csr.conf file.
WRKLNK '/QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/csr.conf'
Select option 2 = Edit
Edit the "CN=" information to customize the common name of the certificate. You can also modify the "C=", "ST=", "L=", "O=", "OU=", and "emailAddress=" values if you would like, but do not remove or edit any of the other information in the csr.conf file.
Press F3=Save/Exit twice to save your changes.
************Beginning of data**************
[ req ]
distinguished_name= req_distinguished_name
prompt= no
[ req_distinguished_name ]
C=US
ST=Minnesota
L=Rochester
O=IBM
OU=IBM i
CN=NAME_CERTIFICATE
emailAddress=.
************End of Data********************
2) Follow these instructions to generate a new self-signed certificate by using the information in the csr.conf file.
From the IBM i command line:
ENDTCPSVR SERVER(*CIMOM)
CALL QP2TERM
Type:
openssl req -x509 -newkey rsa:2048 -sha512 -days 730 -config /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/csr.conf -keyout /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/key.pem -passout pass:default -out /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/req.pem
Note:
You can customize the key type, key length, and key algorithm by modifying the -newkey rsa and -sha values. -newkey rsa can be 2048, 4096, or 8192. -sha can be 256 or 512. You can also customize the validity period by modifying the -days value. Depending on your OpenSSL version, the accepted values might differ; if a parameter is not supported, OpenSSL reports an error.
Type each of the following:
openssl rsa -in /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/key.pem -passin pass:default -out /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/key_nopass.pem
mv /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/servercert.pem /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/servercert.pem.old
mv /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/serverkey.pem /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/serverkey.pem.old
mv /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/req.pem /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/servercert.pem
mv /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/key_nopass.pem /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/serverkey.pem
Press F3=Exit
STRTCPSVR SERVER(*CIMOM)
To verify that the new certificate is being used, execute the steps from the CIMOM Server Certificate section above.
The certificate information displayed should reflect the changes made to the certificate information, key type, key size, key algorithm, and/or validity period.
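The validity check from the CIMOM Server Certificate section and the customized renewal steps above, as one added shell example that is not IBM's script: it assumes openssl is in PATH (PASE via CALL QP2TERM, or any POSIX system for a dry run), takes the keystore directory as a parameter so it can be exercised against a scratch directory before touching the real one, and the function names cimom_renew_cert, cimom_cert_check, cimom_keypair_matches and cimom_cert_sigalg are my own.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: renew the CIMOM self-signed certificate
# from a csr.conf laid out as on this page, then check its validity period.
# Assumes openssl is in PATH and takes the keystore directory as $1, so it can
# be run outside /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore. Defaults
# mirror the page's command: 730 days, RSA 2048, SHA-512. Stop the server first
# (ENDTCPSVR SERVER(*CIMOM)) when running this against the real keystore.

cimom_renew_cert() {
  ks="$1"; days="${2:-730}"; bits="${3:-2048}"; sha="${4:-512}"
  [ -f "$ks/csr.conf" ] || { echo "missing $ks/csr.conf" >&2; return 1; }
  # 1. New key pair and self-signed certificate from csr.conf (page step 2).
  openssl req -x509 -newkey "rsa:$bits" "-sha$sha" -days "$days" \
    -config "$ks/csr.conf" -keyout "$ks/key.pem" -passout pass:default \
    -out "$ks/req.pem" 2>/dev/null || return 1
  # 2. Strip the passphrase: the CIMOM job loads serverkey.pem unattended.
  openssl rsa -in "$ks/key.pem" -passin pass:default \
    -out "$ks/key_nopass.pem" 2>/dev/null || return 1
  # 3. Keep the previous pair for rollback, then install the new one.
  [ -f "$ks/servercert.pem" ] && mv "$ks/servercert.pem" "$ks/servercert.pem.old"
  [ -f "$ks/serverkey.pem" ] && mv "$ks/serverkey.pem" "$ks/serverkey.pem.old"
  mv "$ks/req.pem" "$ks/servercert.pem" || return 1
  mv "$ks/key_nopass.pem" "$ks/serverkey.pem" || return 1
  rm -f "$ks/key.pem"   # the passphrase-protected copy is no longer needed
}

# The check from the "CIMOM Server Certificate" section: print subject and the
# Validity window, return 1 when the cert expires within $2 days (default 30).
cimom_cert_check() {
  ks="$1"; warn_days="${2:-30}"
  openssl x509 -in "$ks/servercert.pem" -noout -subject -dates || return 1
  openssl x509 -in "$ks/servercert.pem" -noout \
    -checkend $((warn_days * 86400)) >/dev/null
}

# Sanity check after a renewal: does serverkey.pem belong to servercert.pem?
cimom_keypair_matches() {
  ks="$1"
  c=$(openssl x509 -in "$ks/servercert.pem" -noout -pubkey | openssl md5)
  k=$(openssl pkey -in "$ks/serverkey.pem" -pubout | openssl md5)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Signature algorithm actually in use (sha512WithRSAEncryption after SI60516).
cimom_cert_sigalg() {
  openssl x509 -in "$1/servercert.pem" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
```

After STRTCPSVR SERVER(*CIMOM), rerun cimom_cert_check against the real keystore to confirm the new Validity window is the one being served.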
Additional information:
- PTF SI69385 does not disable TLSv1.1; it only disables TLSv1.0, superseding the previous PTF. Many customers might still need to use TLSv1.1. The new features of the PTF are to disable SSL compression (the CRIME issue) and to upgrade to support OpenSSL 1.1.1.
CIM enables TLSv1.1 and the ciphers for the client to use, but which one is used is determined by the client.
A workaround, if the CIM server is used only for ESA, is to review the 'Temporary Fix' section of APAR SE69993 to add two scheduled jobs and minimize the impact.
- Many ciphers cannot be disabled in CIM. For example, TLS_RSA_WITH_AES_128_CBC_SHA is a mandatory cipher suite for TLSv1.2: RFC 5246, section 9, states that a TLS-compliant application MUST implement it. As long as TLSv1.2 needs to be supported, RFC 5246 must be followed.
- CIM has no mechanism to arrange cipher priority, and neither does OpenSSL; CIM follows OpenSSL's policy. Always apply the latest OpenSSL PTFs; OpenSSL fixes CVEs as required.
- Much third-party software needs to use CIM, not only ESA. CIM is a server: it needs to open its port and wait for requests at any time. If the CIM port is disabled, ESA cannot connect to CIM, and CIM cannot know when ESA needs it.
An alternative is to restrict CIM ports 5989/5990 at the firewall level. That way they are still available to ESA but are not reachable from outside the box.
- Where are the latest OpenSSL PTFs for the IBM i system?
All of the latest IBM i CVE Security Bulletins can be found here: https://www.ibm.com/support/pages/ibmsearch?tc=SGYQGH&dc=DD200&sortby=desc&dtm
In addition, the following document might help: IBM i OpenSSH & OpenSSL > https://www.ibm.com/support/pages/node/1128123
OpenSSL is provided with 5733SC1.
This is the official web page for IBM i OpenSSL PCI Compliance > https://www.ibm.com/support/pages/node/1128159
- Do you have a listing of the ciphers documented that are required for CIMOM, so we have that documented?
CIM-supported ciphers have two parts:
i. OpenSSL-supported ciphers
Use openssl ciphers -v to list all the OpenSSL-supported ciphers.
This part changes according to the OpenSSL version.
ii. CIM server-side disabled ciphers:
After SI62412, the ciphers that CIMOM disables (by default) are:
MD5
RC4
RC2
DES-CBC-SHA
3DES
So the OpenSSL-supported ciphers minus the CIM server-disabled ciphers are the ciphers that the customer's CIM server can support.
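The set difference just described, together with the RFC 5246 mandatory-suite point from the earlier bullet, as an added shell example that is not part of the IBM page: it assumes openssl is in PATH, the function names are mine, and the resulting list depends on the installed OpenSSL version.

```shell
#!/bin/sh
# Added example, not IBM's: derive "OpenSSL-supported ciphers minus the families
# CIMOM disables after SI62412" from `openssl ciphers -v`, then check that the
# RFC 5246 mandatory suite TLS_RSA_WITH_AES_128_CBC_SHA (OpenSSL name
# AES128-SHA) survives the cut. Assumes openssl is in PATH.

# `openssl ciphers -v` prints: NAME MINPROTO Kx=.. Au=.. Enc=.. Mac=..
# The page's disabled list (MD5, RC4, RC2, DES-CBC-SHA, 3DES) is visible in the
# Enc= column (RC4, RC2, DES(56) for DES-CBC-SHA, 3DES) and the Mac= column (MD5).
cimom_effective_ciphers() {
  openssl ciphers -v 'ALL' | awk '
    $5 ~ /RC4|RC2|DES/ { next }   # drop RC4, RC2, single DES and 3DES suites
    $6 ~ /MD5/         { next }   # drop MD5-MAC suites
    { print $1, $2, $5, $6 }'
}

# Suites whose minimum protocol (column 2) is older than TLSv1.2: the ones a
# TLSv1.0/1.1 client could still pick while those protocols are enabled, which
# matters because the page notes the client, not CIM, chooses the suite.
cimom_legacy_suite_count() {
  cimom_effective_ciphers \
    | awk '$2 == "SSLv3" || $2 == "TLSv1" || $2 == "TLSv1.1" { n++ } END { print n+0 }'
}

# RFC 5246 section 9: a TLSv1.2 implementation MUST offer AES128-SHA.
cimom_has_mandatory_suite() {
  cimom_effective_ciphers | awk '$1 == "AES128-SHA" { f = 1 } END { exit f ? 0 : 1 }'
}

# Regression check: none of the disabled families may appear in the result.
cimom_has_disabled_family() {
  cimom_effective_ciphers | grep -Eq 'MD5|RC4|RC2|DES'
}
```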
- Can anyone exploit the CIMOM by using TLSv1.1 with ciphers and access the data that is on the system? Can the CIMOM access the application (user data, user libraries, and the data in them) if it is exploited?
The CIM server can collect the system's information when a CIM client requests it, and send it to the CIM client. The CIM server itself can access some system data when necessary. But a CIM client cannot access data directly through the CIM server by using TLSv1.1.
CIM client: a CIM client cannot access user data, user libraries, or the data in them directly; a CIM client can only connect to the CIM server.
CIM server: the CIM server can access some of that (user data, user libraries, and the data in them). The CIM server is a formal IBM product; it is legitimate and makes sense that the CIM server can access user data, since the CIM server needs to collect information.
- Since we have no users set up in the CIMOM interface, does that mean no one can connect to it?
For USRPRF: CIM does not create user profiles itself. The page https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzatl/rzatlauthenticate.htm describes what kind of USRPRF the CIM providers can run under, and that USRPRF must have the required authority. But the CIM server does not create these user profiles.
To summarize: a client can connect to the server, and the server (not the client) can access some user data. The CIM client cannot access user data.
Regarding the profile question: if the profile lacks authority, a client might still connect to the server, but the server checks the authority and then rejects the client's request.
- Is the data that is being sent over the SSL connection Encrypted? If so, what level?
Yes, CIM data sent over the SSL connection is encrypted.
CIM depends on OpenSSL for the encrypted connection with the client. OpenSSL uses asymmetric encryption in the handshake phase and symmetric encryption in the transmission phase.
- If nothing is using the CIMOM server except for ESA, can we restrict ports 5990 and 5989 through the IBM i firewall somehow, so the scan does not see the ports? Maybe by using the ADDTCPPORT command?
ESA and the CIM server are on the same IBM i box, so the source and destination are 127.0.0.1 (local). Every application that uses TCP to transfer data must depend on a TCP port. The CIM server uses 5989 and 5990. The CIM server always listens on 5989 to detect requests from CIM clients. When ESA wants to connect to CIM, ESA sends a request to port 5989; because the CIM server is listening on 5989, it knows when the ESA request arrives. If the CIM server did not listen on a port, where could ESA send the request, and how could CIM know that ESA wants to connect?
ADDTCPPORT cannot disable port 5989. After running the command, port 5989 is still listening. That is why the test shows that ESA hardware collection still works.
If no application other than ESA is using the CIMOM server, closing the ports at the network/proxy level is reasonable. If external connections to 5989/5990 can be disabled on the firewall, that gets rid of the scan report, because the scan tool connects to the IBM i box from outside the firewall and should not discover port 5989. Since the connection between ESA and the CIM server is inside the firewall, ESA still works.
By the way, the effect of disabling 5989 or ending the CIM server is the same: the aim is that the CIM server does not listen on 5989 (for external connections).
Document Information
Modified date:
08 January 2024
UID
nas8N1020253