Messages - Justin Derrick

1
IBM Global Security Kit is a library that is used by many IBM products to provide cryptographic functions - encrypting data, hashing passwords, etc.  It is generally a good security practice to keep your GSKit at the latest release version, to ensure the highest level of protection for your data and communications.

In one of the most recent FixPacks of GSKit (8.0.55.26+), IBM added 'post quantum cryptography' support to key databases.  "Post-Quantum Cryptography" ('PQC') refers to cryptographic methods that are resistant to factoring attacks against standard cryptographic methods that are quickly becoming feasible due to advances in quantum computing.  This change breaks CMOD v10.5.0.7 (and likely all lower versions).

With the latest GSKit Fixpack, there was no notification, no included README file, and no updated documentation released to describe the change.  It is considered bad software development practice to introduce a change that breaks upstream products, and enable that change by default in minor or 'fix' releases.

CMOD bears some of the responsibility for this issue, as it currently ignores the unreadable key database, doesn't produce any error messages (or pass through the GSKit errors), and arssockd starts up, exposing an unresponsive SSL/TLS port on the server's network interface.  Only through extensive server tracing can a cryptic and uninformative GSKit error message be found.

This issue affects both server and client software.  Key Databases must be re-created for both using an undocumented option in order to work with the latest Content Manager OnDemand FixPacks.

Other products may experience similar issues if key databases are created with the latest versions of GSKit.

More information and a solution can be found here:

https://cmod.wiki/index.php?title=IBM_Content_Manager_OnDemand_v10.5.0.7_and_GSKit_support_for_Post-Quantum_Cryptography

-JD.

2
You didn't mention if you're using a Certificate Authority (CA) or a self-signed certificate, so the answer will be a little vague...

Check DB2's key database for the Spectrum Protect server certificate -- if the SP server cert is self-signed, you'll have to add a copy to the DB2 database's key db.  If the SP server cert was signed by your organization's CA, then you need to make sure you have the full certificate chain (root + intermediate certificates) inside that key database.

-JD.

4
Hi.

It's best to use local storage for CMOD functions - database, transaction logs, cache filesystem, and temporary space for indexing and loading -- having these filesystems remote means that a network issue can bring your server down in ways that are hard to recover from.  I'd only use NFS for long term "secondary" storage.

-JD.

5
That's a big question.  :)

First, let me start with an unpopular truth:  Object servers are an obsolete idea. 

The architecture of CMOD was designed in the early 90's, when storage and bandwidth were exceedingly scarce and expensive - there were also very hard physical limits on how much storage you could connect to a single server.  The first CMOD server I was responsible for had 4 112MHz CPUs, 512MB of RAM, 24GB of hard drives, and a 100GB tape library -- and it was one of the most powerful midrange systems in the company -- https://en.wikipedia.org/wiki/IBM_RS/6000#Type_7013_and_7016 .

What should you do instead? 

Run a single CMOD server, and use any of the cloud-ish storage tech or Cheap and Deep filesystem storage.  Storage, CPU, Bandwidth...  All are relatively cheap.  The only remote loading you should be doing is PDFs on a Windows server.

-JD.

6
z/OS Server / Re: XML Indexer VS Generic Indexer for PDFs
« on: March 04, 2024, 09:21:03 AM »

7
z/OS Server / Re: XML Indexer VS Generic Indexer for PDFs
« on: March 04, 2024, 09:19:02 AM »
I think there's some confusion -- you can add CMOD document metadata to XML files, and you can add PPDs to PDFs for CMOD metadata, but I don't think you can provide metadata in XML format to replace the Generic Index format.

See the presentation on XML:

http://www.odusergroup.org/forums/index.php/topic,2421.0.html


8
MP Server / Re: Loading reports online from the AS/400 to CMOD MP
« on: February 29, 2024, 11:01:27 AM »
Man, if we all showed up in one place to exchange the drinks we all owed one another...  There would have to be a line of ambulances waiting for us that stretched around the block.

 ;D

-JD.

9
MP Server / Re: PDF from ARSDOC GET can see only one file
« on: February 29, 2024, 10:59:25 AM »
Page 255 of the document I linked.

-JD.

10
MP Server / Re: PDF from ARSDOC GET can see only one file
« on: February 29, 2024, 06:26:09 AM »
It's not a strange format -- it's the CMOD Generic Index format (v2) which has been around for nearly 20 years, and is well documented:
https://cmod.wiki/dox/CMODv10.5/IndexingReference.pdf

If you're not loading the data to another CMOD server, you need to write a utility to do the splitting and convert the metadata, or work with someone who has already done that work.  ;)

-JD.

11
Do the logs in the web server software give any indication as to where the problem might be?  There should be other error messages around the time of your request that might shine some light on the issue.  :)

-JD.

12
z/OS Server / Re: How would multiple segments be opened?
« on: January 29, 2024, 02:59:47 PM »
Check with IBM - I'm not sure if this is normal behaviour for your config.  Maybe Ed will see this and reply.

Also, I'm morbidly curious about the ONE inserted row in your database...  Let us know what's in there.

-JD.

13
z/OS Server / Re: How would multiple segments be opened?
« on: January 29, 2024, 12:05:53 PM »
I've seen something similar, but more than a decade ago on an AIX server -- there were strange errors in db2diag.log, and after chasing it down for a day, it turned out two System Log tables were open.  I closed it with the arstblsp command, and the issues went away immediately.

Having said that, z/OS / sysplex / LPARs are a totally different beast, but I just thought I'd mention the arstblsp command (not sure what the equivalent is in z/OS).

-JD.

14
Yeah, ICN is the only available out-of-the-box solution for SSO that I know of.

-JD.

15
Content Navigator / Re: CMOD rollback after failed software upgrade
« on: January 29, 2024, 04:50:48 AM »
Best to back up all your config files, uninstall CMOD, then go back to the base level, and restore the previous FixPack level.

Unfortunately, you haven't given us much info to diagnose the issue -- there should be System Log messages around the time of the error that will reveal the underlying issue.

There's some troubleshooting information on the wiki:

https://cmod.wiki/index.php?title=Troubleshooting_Content_Manager_OnDemand

-JD.
