IBM Support

CIMOM server certificate

Troubleshooting


Problem

CIMOM server certificate information.

Resolving The Problem

The CIMOM server is required by ESA for collecting inventory and is a prerequisite product for ESA to work properly. This information is found in the Pre-activation checklist at IBM Knowledge Center.

5770UME V1R3M0 is supported on IBM i V6R1 and V7R1.
5770UME V1R4M0 is supported on IBM i V6R1 and higher (recommended).
The 5722-UME V1R2M0 that shipped with IBM i 6.1 is updated to 5770-UME when 5770-UME is installed.

Check that the following PTFs for 5770UME R140 are on the system:

PTF ID                                   R720      R730      R740      R750      Description
SI51024 (superseded by SI69385)          C4101720  C6085730  C9151740  C2104750  Implement new metrics to support SQL data via Collection Service, disk unit instance enhancement and bug fix
(PTF ID not listed)                      C4101720  C6085730  C9151740  C2104750  Ship the translated dat files
(PTF ID not listed)                      C5135720  C6085730  C9151740  C2104750  Enable new feature to support setting CIM server job's default start priority by QIBM_CIM_DEFAULT_PRIORITY's
(PTF ID not listed)                      C5310720  C6085730  C9151740  C2104750  Fix the issue that UME1.4 cannot be installed successfully on V7R3M0
(PTF ID not listed)                      C5310720  C6085730  C9151740  C2104750  Fix the issue that ENDTCPSVR gives errors because of the CIMOM server
SI56797 (superseded by SI69385)          C5310720  C6085730  C9151740  C2104750  Fix POODLE vulnerability issue
SI57742 (superseded by SI69385)          C5310720  C6085730  C9151740  C2104750  Fix the issue that the timestamp retrieved is incorrect
SI59193 (superseded by SI69385)          C6127720  C6085730  C9151740  C2104750  Disable MD5 to fix the potential risk of SLOTH
SI62412 (superseded by SI69385)          C7068720  C7061730  C9151740  C2104750  Disable the default configuration of 3DES
SI60516 (superseded by SI69385)          C8249720  C8242730  C9151740  C2104750  Change to OpenSSL SHA512withRSA algorithm in order to support TLSv1.2 enablement for NIST in ESA
SI61614 (superseded by SI69385)          C8249720  C8242730  C9151740  C2104750  3 new IBM i system metrics
SI62640 (superseded by SI69385)          C8249720  C8242730  C9151740  C2104750  Remove PTF check-in QUME_StorageExtentProvider
SI63556 (Note 1; superseded by SI69385)  C9297720  C9311730  C9151740  C2104750  gettimeofday() API can't retrieve DST info; can't retrieve metric data from Collection Services
SI67856 (Note 2; superseded by SI69385)  NONE      NONE      C3313740  C3306750  Disable TLSv1.0
SI69385 (Note 3; superseded by SI77271)  NONE      NONE      C3313740  C3306750  Upgrade CIMOM to enable TLSv1.3 and fix CRIME attack
SI77271 (Note 3; superseded by SI73543)  NONE      NONE      C3313740  C3306750  Disable TLSv1.1
SI73543 (Note 3)                         NONE      NONE      C3313740  C3306750  Firmware information can't be retrieved

PTF for errors found in QUMECIMOM job:

Licensed Program Product  R730     R740     Description
5770SS1                   SI75293  SI75294  API QtocLstNetIfc might incorrectly receive messages MCH6902 and C2M1212, and QtocRtvNetIfcDta has a potential memory leak.

Note 1:

This CIMOM PTF has Collection Services PTF SI66275 as a prerequisite. Follow the special instructions of SI66275 to update the Collection Services database files.

The special instructions in PTF SI66275 are for customers who want to migrate their data from the old Collection Services files (CCSID 65535) to the new ones (CCSID 37). If a customer does not need to migrate their old data, they can do one of the following:
  • End Collection Services, rename the "active" collection library to something else, create a new empty library with the name of the old one, and restart Collection Services. (This saves the old data in the old file formats.)
  • End Collection Services, clear the active collection library, and restart Collection Services. (This does not save any data.)
To see which library is the active collection library, run CFGPFRCOL from the green screen and press F4. It is displayed in the second field, "Collection library".

Note 2: 

This PTF disables TLSv1.0 for the CIM server.

Note 3:
Review the information in APAR SE73824 for download instructions for the PTF.

SI69385 is superseded by SI73543. If SI69385 is not already on the system, the following instructions apply to SI73543.

 SPECIAL INSTRUCTIONS:

SI69385 depends on 5733SC1 PTF SI71746, which upgrades OpenSSL to 1.1.1d.
SI69385 only works on IBM i V7R2M0 and higher. Do not try to apply this PTF to V7R1M0 or a lower IBM i OS version.
 
   1. Stop the CIMOM server.
   2. Install this CIMOM PTF, SI69385.
   3. This CIMOM PTF has SI71746 (5733SC1) as a distribution requisite (disreq) PTF. After applying SI69385, double check that SI71746 is already installed on the system before starting CIMOM.
Then check the OpenSSL version with these steps:
   i. CALL QP2TERM
   ii. openssl version --> Make sure that the OpenSSL version is 1.1.1d or higher.

It is also recommended to review and apply the additional PTFs from the "QUMEPRVAGT job not ending" document, since QUMEPRVAGT is a CIMOM-related job, to prevent additional issues.

 

CIMOM Server Certificate:

ESA invokes the CIM API to implement part of the inventory collection. The connection between ESA (the CIM client) and the CIM server requires a certificate that is within its validity period.

To check the current validity period of the CIMOM Server certificate:

From the IBM i command line:

STRQSH
Press <ENTER>

Copy/paste or type the following:

openssl x509 -in /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/servercert.pem -noout -text

And press <ENTER>

Look for the section titled Validity. This is the time period in which the self-signed certificate assigned to the CIMOM server is valid. The output also shows additional information related to the certificate.

Renew CIMOM certificate:

There are two ways to get a new self-signed certificate and private key if they have expired: a CIM self-signed certificate, or an SSL certificate created in Digital Certificate Manager (DCM).
Note: A self-signed certificate is recommended. The instructions also include customized steps to create a self-signed certificate, which will cover most needs.

  • CIM Self-signed certificate:
The default self-signed certificate is valid for 365 days for the *CIMOM server. After it expires, it could be removed, and then the server restarted.  This re-creates the certificate for a valid period of 365 days.

 

  • Create a new self-signed certificate with the DEFAULT information

    From the IBM i command line:

    ENDTCPSVR SERVER(*CIMOM)

    RMVDIR DIR('/QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore') SUBTREE(*ALL)

    STRTCPSVR SERVER(*CIMOM)

    Note:
    Without PTF SI60516, the certificate is SHA1 by default, and customers can use Digital Certificate Manager (DCM) to create their own certificate by using SHA2 or higher.

    If PTF SI60516 is on system, the certificate is SHA512 by default, and customers can create their own certificate that uses SHA2. But we suggest customers use SHA512 by default (much safer), not SHA2.

  • Create a new self-signed certificate with CUSTOMIZED information

    1) Customize the information in the /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/csr.conf file.

    WRKLNK '/QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/csr.conf'
    Select option 2 = Edit
    Edit the "CN=" information to customize the common name of the certificate. You can also modify the "C=", "ST=", "L=", "O=", "OU=", and "emailAddress=" values if you would like, but do not remove or edit any of the other information in the csr.conf file.
    Press F3=Save/Exit twice to save your changes.

    ************Beginning of data**************
    [ req ]
    distinguished_name= req_distinguished_name
    prompt= no
    [ req_distinguished_name ]
    C=US
    ST=Minnesota
    L=Rochester
    O=IBM
    OU=IBM i
    CN=NAME_CERTIFICATE
    emailAddress=.

    ************End of Data********************

    2) Follow these instructions to generate a new self-signed cert by using the information in the csr.conf file.

    From the IBM i command line:

    ENDTCPSVR SERVER(*CIMOM)

    CALL QP2TERM

    Type:
    openssl req -x509 -newkey rsa:2048 -sha512 -days 730 -config /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/csr.conf -keyout /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/key.pem -passout pass:default -out /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/req.pem

    Note:
    You can customize the key type, key length, and hash algorithm by modifying the -newkey rsa and -sha values. -newkey rsa can be 2048, 4096, or 8192. -sha can be 256 or 512. You can also customize the validity period by modifying the -days value. Depending on your OpenSSL version, the supported values might differ; if a parameter is not supported, openssl reports an error.

    Type each of the below:
    openssl rsa -in /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/key.pem -passin pass:default -out /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/key_nopass.pem

    mv /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/servercert.pem /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/servercert.pem.old

    mv /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/serverkey.pem /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/serverkey.pem.old

    mv /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/req.pem /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/servercert.pem

    mv /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/key_nopass.pem /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore/serverkey.pem

    Press F3=Exit

    STRTCPSVR SERVER(*CIMOM)

    To verify that the new certificate is being used, execute the steps from the CIMOM Server Certificate section above.
    The certificate information displayed should reflect the changes made to the certificate information, key type, key size, key algorithm, and/or validity period.
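    The check and customized renewal described above, scripted end to end as an added example (this is not IBM's code, and the product ships no such script). It uses only the openssl commands shown on this page. Assumptions: the keystore directory and common name are passed in as parameters, so the same functions can be exercised in a scratch directory before touching /QOpenSys/QIBM/UserData/UME/Pegasus/ssl/keystore; the ENDTCPSVR and STRTCPSVR commands are still run from the CL command line before and after the script; the emailAddress value is a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Added example, not IBM's code: automate the customized self-signed certificate
# renewal and verify the result with the same openssl checks the page uses.
# Assumptions: keystore directory and common name are passed in; ENDTCPSVR /
# STRTCPSVR are run separately from the CL command line; emailAddress below is
# a constructed sample value.

# Write csr.conf in the layout the product ships, with a customized CN.
# Usage: write_csr_conf <keystore_dir> <common_name>
write_csr_conf() {
    dir=$1
    cn=$2
    cat > "$dir/csr.conf" <<EOF
[ req ]
distinguished_name= req_distinguished_name
prompt= no
[ req_distinguished_name ]
C=US
ST=Minnesota
L=Rochester
O=IBM
OU=IBM i
CN=$cn
emailAddress=cimom-admin@example.com
EOF
}

# Generate a new RSA-2048 key and SHA-512 self-signed certificate, strip the
# passphrase from the key, keep the old pair as .old and swap the new pair in.
# Usage: renew_cimom_cert <keystore_dir> [days]   (default 730, as on the page)
renew_cimom_cert() {
    dir=$1
    days=${2:-730}
    openssl req -x509 -newkey rsa:2048 -sha512 -days "$days" \
        -config "$dir/csr.conf" -keyout "$dir/key.pem" -passout pass:default \
        -out "$dir/req.pem" 2>/dev/null || return 1
    openssl rsa -in "$dir/key.pem" -passin pass:default \
        -out "$dir/key_nopass.pem" 2>/dev/null || return 1
    if [ -f "$dir/servercert.pem" ]; then
        mv "$dir/servercert.pem" "$dir/servercert.pem.old"
    fi
    if [ -f "$dir/serverkey.pem" ]; then
        mv "$dir/serverkey.pem" "$dir/serverkey.pem.old"
    fi
    mv "$dir/req.pem" "$dir/servercert.pem"
    mv "$dir/key_nopass.pem" "$dir/serverkey.pem"
    # The passphrase-protected copy (passphrase "default") is no longer needed.
    rm -f "$dir/key.pem"
}

# Exit 0 if the certificate stays valid for at least <days> more days (default
# 30); suitable for a scheduled job that warns before ESA collection breaks.
# Usage: cert_valid_for_days <cert.pem> [days]
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Print the signature algorithm (sha512WithRSAEncryption after SI60516).
cert_signature_algorithm() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Print the RSA key size in bits (matches both "RSA Public-Key:" and "Public-Key:").
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 if the certificate subject carries the expected common name.
# Usage: cert_has_cn <cert.pem> <common_name>
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q "CN=$2"
}
```

    Run write_csr_conf and renew_cimom_cert against a scratch directory first, then against the CIMOM keystore between ENDTCPSVR SERVER(*CIMOM) and STRTCPSVR SERVER(*CIMOM). cert_valid_for_days is the check worth scheduling: the default certificate lives 365 days (730 here), and ESA inventory collection fails silently once it lapses.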



Additional information:

  • PTF SI69385 does not disable TLSv1.1; it only disables TLSv1.0, superseding the previous PTF. Many customers might still need to use TLSv1.1. The new features of the PTF are to disable SSL compression (the CRIME issue) and to upgrade to support OpenSSL 1.1.1.
    CIM enables TLSv1.1 and its ciphers for the client to use, but which one is used is determined by the client.
    A workaround, if the CIM server is used only for ESA, is to review the instructions in the 'Temporary Fix' section of APAR SE69993 to add 2 scheduled jobs and minimize the impact.
  • Many ciphers cannot be disabled in CIM. For example, TLS_RSA_WITH_AES_128_CBC_SHA is a mandatory cipher suite for TLSv1.2. See RFC 5246, section 9: a TLS-compliant application MUST implement the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA. As long as TLSv1.2 must be supported, RFC 5246 must be followed.
     
  • CIM has no mechanism to arrange cipher priority, and neither does OpenSSL. CIM follows OpenSSL's policy. Always apply the latest OpenSSL PTFs; OpenSSL fixes CVEs as required.
     
  • Many 3rd-party software products need to use CIM, not only ESA. CIM is a server: it needs to open its port and wait for requests at any time. If the CIM port is disabled, ESA is unable to connect to CIM, and CIM has no way to know when ESA needs it.
    An alternative solution is to restrict CIM ports 5989/5990 at the firewall level. That way, they are still available to ESA but are not reachable from outside the box.
FAQs:
 

  • Where are the OPENSSL Latest PTFs for the IBM i System?

    All of the latest IBM i CVE Security Bulletins can be found here: https://www.ibm.com/support/pages/ibmsearch?tc=SGYQGH&dc=DD200&sortby=desc&dtm
    In addition, the following document might help: IBM i OpenSSH & OpenSSL > https://www.ibm.com/support/pages/node/1128123
    OpenSSL is provided with 5733SC1.
    This is the official web page for IBM i OpenSSL PCI Compliance > https://www.ibm.com/support/pages/node/1128159

 

  • Do you have a documented listing of the ciphers that are required for CIMOM, so that we have it documented?

    CIM supported ciphers have 2 parts:

    i: OpenSSL supported ciphers
    You can use: openssl ciphers -v to list all the OpenSSL supported ciphers.
    This part changes according to the OpenSSL version.

    ii: CIM server-side disabled ciphers:
    After SI62412, the ciphers that CIMOM disables (by default) are:
    MD5
    RC4
    RC2
    DES-CBC-SHA
    3DES

    So the OpenSSL supported ciphers minus the CIM server disabled ciphers are the ciphers that the customer's CIM server can support.
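    The subtraction just described, computed on the box, as an added example that is not IBM's code: it takes the local openssl ciphers -v output and removes the families listed above. Assumptions: the OpenSSL cipher names for those families are matched by the pattern below (OpenSSL spells 3DES as DES-CBC3 in cipher names, so both tokens are included); the function names are my own. The result depends on the OpenSSL build it runs on, exactly as the answer says.

```shell
#!/bin/sh
# Added example, not IBM's code: list the ciphers a CIMOM server with SI62412
# can actually offer, i.e. OpenSSL's supported list minus the families the page
# says CIM disables by default (MD5, RC4, RC2, DES-CBC-SHA, 3DES).
# Assumption: these families appear in OpenSSL cipher names as the tokens below
# (OpenSSL names triple DES "DES-CBC3", so that token is included too).

CIM_DISABLED_PATTERN='MD5|RC4|RC2|DES-CBC-SHA|3DES|DES-CBC3'

# Full "openssl ciphers -v" output with the CIM-disabled families removed.
effective_cim_ciphers() {
    openssl ciphers -v 'ALL' | grep -Ev "$CIM_DISABLED_PATTERN"
}

# Names (first column of ciphers -v) that the filter removed, for reporting.
removed_cim_ciphers() {
    openssl ciphers -v 'ALL' | grep -E "$CIM_DISABLED_PATTERN" | awk '{ print $1 }'
}

# Exit 0 if the named cipher survives the filter, 1 otherwise.
# Usage: cim_cipher_enabled <openssl_cipher_name>
cim_cipher_enabled() {
    effective_cim_ciphers | awk -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}
```

    The mandatory TLSv1.2 suite the previous section names, TLS_RSA_WITH_AES_128_CBC_SHA, is AES128-SHA in OpenSSL naming, so cim_cipher_enabled AES128-SHA is expected to succeed on any build, while cim_cipher_enabled DES-CBC3-SHA is expected to fail after SI62412.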

 

  • Can anyone exploit CIMOM by using TLSv1.1 with its ciphers and access the data that is on the system? Can CIMOM access the application (user data, user libraries and the data in them) if it is exploited?

    The CIM server can collect the system's information when a CIM client requests it, and send it to the CIM client. The CIM server itself can access some system data when necessary. But a CIM client can't access data directly through the CIM server by using TLSv1.1.

    CIM client: a CIM client can't access user data, user libraries or the data in them directly; a CIM client can only connect to the CIM server.
    CIM server: the CIM server can access some of them (user data, user libraries and the data in them). The CIM server is a formal IBM product. It is legitimate, and makes sense, that the CIM server can access user data, since the CIM server needs to collect information.

 

  • Since we have no users set up in the CIMOM interface, does that mean no one can connect to it?

    CIM does not create user profiles (USRPRF) itself. The page https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzatl/rzatlauthenticate.htm describes what kind of USRPRF the CIM providers can run under. That USRPRF must have the required authority, but the CIM server does not create these USRPRFs.

    To summarize: a client could connect to the server, and the server (the CIM server) could access some user data. The CIM client can't access user data.
    Regarding profiles: if the profile has no authority, a client might still connect to the server, but the server will check the authority and then reject the client's request.

 

  • Is the data that is being sent over the SSL connection Encrypted? If so, what level?

    Yes, CIM data sent over the SSL connection is encrypted.
    CIM depends on OpenSSL connection encryption to connect with the client. OpenSSL uses asymmetric encryption in the handshake phase and symmetric encryption in the transmission phase.

 

  • If nothing is using the CIMOM server except ESA, can we restrict ports 5990 and 5989 through the IBM i firewall somehow so that a scan does not see the ports? Maybe by using the ADDTCPPORT command?

    ESA and the CIM server are on the same IBM i box, so the source and destination are both 127.0.0.1 (local). Every application that uses TCP to transfer data must depend on a TCP port. The CIM server uses 5989 and 5990. The CIM server always listens on 5989 to detect requests from a CIM client. When ESA wants to connect to CIM, it sends a request to port 5989; because the CIM server is listening on 5989, it sees the request when it arrives. If the CIM server does not listen on a port, there is nowhere for ESA to send the request and no way for CIM to know that ESA wants to connect.

    ADDTCPPORT can't disable port 5989. After running the command, port 5989 is still listening. That's why the test shows that ESA hardware collection still works.

    If no application other than ESA is using the CIMOM server, closing the ports at the network/proxy level is reasonable. If external connections to 5989/5990 can be blocked at the firewall, that removes them from the scan report, because the scan tool connects to the IBM i box from outside the firewall and should not discover port 5989. Since the ESA to CIM server connection is inside the firewall, ESA should still work.

    Note that the effect of disabling 5989 and of ending the CIM server is the same. The aim is that the CIM server does not listen on 5989 for external connections.


Document Information

Modified date:
08 January 2024

UID

nas8N1020253