Topics - Justin Derrick

1
IBM Global Security Kit is a library that is used by many IBM products to provide cryptographic functions - encrypting data, hashing passwords, etc.  It is generally a good security practice to keep your GSKit at the latest release version, to ensure the highest level of protection for your data and communications.

In one of the most recent FixPacks of GSKit (8.0.55.26+), IBM added 'post quantum cryptography' support to key databases.  "Post-Quantum Cryptography" ('PQC') refers to cryptographic methods that are resistant to factoring attacks against standard cryptographic methods that are quickly becoming feasible due to advances in quantum computing.  This change breaks CMOD v10.5.0.7 (and likely all lower versions).

With the latest GSKit Fixpack, there was no notification, no included README file, and no updated documentation released to describe the change.  It is considered bad software development practice to introduce a change that breaks upstream products, and enable that change by default in minor or 'fix' releases.

CMOD bears some of the responsibility for this issue, as it currently ignores the unreadable key database, doesn't produce any error messages (or pass through the GSKit errors), and arssockd starts up, exposing an unresponsive SSL/TLS port on the server's network interface.  Only through extensive server tracing can a cryptic and uninformative GSKit error message be found.

This issue affects both server and client software.  Key Databases must be re-created for both using an undocumented option in order to work with the latest Content Manager OnDemand FixPacks.

Other products may experience similar issues if key databases are created with the latest versions of GSKit.

More information and a solution can be found here:

https://cmod.wiki/index.php?title=IBM_Content_Manager_OnDemand_v10.5.0.7_and_GSKit_support_for_Post-Quantum_Cryptography

-JD.

2
Announcements & News / UPDATE: Single Sign On ("SSO") on CMOD with ICN
« on: September 28, 2023, 04:57:21 AM »
The document describing how to implement SSO with CMOD and ICN has been updated:

https://www.ibm.com/support/pages/node/713479

-JD.

3
Just a quick note for anyone whose CIO/CISO team requires TLS v1.3 support for applications, this support has been added to FixPack v10.5.0.7 with GSKit v8.0.55.31.  You will also require a Client-side update for Windows Clients.

Visit Fix Central to download these packages, or direct links can be found here:  https://cmod.wiki/index.php?title=Main_Page#IBM_CMOD_Fixpacks_.26_Security_Bulletins

-JD.

4
Content Navigator / Are you interested in CMOD + ICN + Datawatch RMS?
« on: February 15, 2023, 03:30:40 PM »
I've got a customer who is upgrading their entire ECM portfolio, and wants to see ICN v3 + Datawatch RMS support.

I'm wondering who else is in the same boat.

If you don't want to post publicly, just send me a DM, eMail, or give me a call.

-JD.

5
Announcements & News / SECURITY: ZLib vulnerability in CMOD
« on: September 28, 2022, 01:37:19 PM »
IBM released a security bulletin for an old vulnerability from 2018 that affects current versions of CMOD:

https://www.ibm.com/support/pages/node/6824729

In short, it would allow an attacker that ALREADY has a very high level of access to your system to cause CMOD to crash.

Upgrading to the latest fixpack is always a good idea, this is just another reason to stay current on patches.

Ask your questions below, and I'll ask the developers to pop by and respond.  Thanks.

-JD.

6
From IBM support:

Quote
https://supportcontent.ibm.com/support/pages/node/6541526
 
Unsecured and anonymous FTP to upload IBM documentation will be disabled 31 August 2022
 
Effective 31 August 2022, all uploads of documentation to both the IBM testcase and ecurep servers' /toibm directories will require an authenticated log-in using an IBM Support File Transfer ID and password (token). In addition, a secure transport protocol, such as HTTPS, FTPS, or SFTP will need to be used to upload to the testcase and ecurep servers.

7
Announcements & News / SECURITY: Apache Log4j vulnerability
« on: December 11, 2021, 10:10:30 AM »
Apache log4j version 2 is included as a requisite library for CMOD v10.1 and v10.5, and a serious vulnerability has been announced. 

ICN v3 uses log4j v1.2.x, which is 'End of Life' -- it will not receive security updates, so you must upgrade to v2.15.x or above to be protected.

CMOD v9.x does not use Apache log4j, so those versions are unaffected. 

More information on the Apache Log4j exploit is here:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

There's an article on the Wiki with some more background and discussion of the impact:
https://cmod.wiki/index.php?title=Apache_Log4j_%26_CMOD_ODWEK_ICN

Please discuss / ask your questions here.

-JD.

UPDATES:
IBM Technote on CMOD v10.1:  https://www.ibm.com/support/pages/node/6525892
IBM Technote on CMOD v10.5:  https://www.ibm.com/support/pages/node/6525888
IBM TechNote on WebSphere & log4j:  https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-apache-log4j-affect-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-cve-2021-4104-cve-2021-45046

8
Other / Anyone loading data from Oracle ERP into CMOD?
« on: May 26, 2021, 11:18:40 AM »
Or alternately, does anyone have any experience with an Oracle ERP to IBM Content Manager OnDemand migration?  :)

-JD.

9
IBM sent an Alert notification about the potential for resource deletion:

"In some circumstances, storing a resource to one of the affected storage managers results in the deletion of other similarly named stored resources from the same application group."

Quote
Abstract

In some circumstances, storing a resource to one of the affected storage managers results in the deletion of other similarly named stored resources from the same application group.

Who is affected?

If you are using Amazon S3, IBM Cloud Object Storage, or Hitachi Content Platform with one of the affected versions and platforms of Content Manager OnDemand and you are storing documents which contain resources (such as AFP, PDF, or XML), you might be affected.

The following table applies to all Content Manager OnDemand platforms (AIX, Linux, Windows, zLinux, IBM i and z/OS):

Content Manager OnDemand server version    Status
10.1.0.6 and earlier                       not affected
10.1.0.7, 10.1.0.8                         affected
10.5.0.0                                   not affected
10.5.0.1, 10.5.0.2                         affected

This issue only affects the Content Manager OnDemand server (both library and object servers). The fix must be applied to both library and object servers if they are running on separate systems. This issue does not affect any of the Content Manager OnDemand clients (such as the OnDemand Windows client, Content Manager OnDemand Web Enablement Kit (ODWEK) APIs, REST Services, or CICS interface).

Link to the full article is below:  https://www.ibm.com/support/pages/node/6454823

There's a table on the wiki with direct links to the CMOD Interim Fixes:  https://cmod.wiki/index.php?title=Main_Page#IBM_CMOD_Fixpacks_.26_Security_Bulletins

10
Announcements & News / CMOD 9.5 Fixpack 13 released...
« on: May 17, 2020, 08:33:07 AM »
Just a quick note that if you're still on v9.5, (presumably) the last Content Manager OnDemand fixpack (v9.5.0.13) for 9.5 was released on Friday May 15th, 2020.

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Content%20Management&product=ibm/Information+Management/Content+Manager+OnDemand+for+Multiplatforms&release=9.5.0.12&platform=All&function=all&source=fc

... or, if you prefer, the shortlink:  http://CMOD.co/95013

The OnDemand server Fixpack appears to include a bump in the supported GSKit version to 8.0.55.12 (which is not available for download from FixCentral ?!?) and includes some ODWEK CGI and ODWEK Java API bug fixes.

-JD.

11
Announcements & News / CMOD v10.5 Announced
« on: March 10, 2020, 02:55:05 PM »
CMOD v10.5 was announced today, availability via Passport Advantage Online is expected Friday March 13th.

There are two separate announcements for z/OS and Multiplatforms:

z/OS:  http://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/9/897/ENUS220-059/index.html&lang=en&request_locale=en

CMOD v10.5 on z/OS highlights:
  • REST Services APIs. Content Manager OnDemand for z/OS includes REST Services APIs along with regular Java APIs (OnDemand Web Enablement Kit). REST Services APIs offer a simplified interface for integrating enterprise applications that need to interface with Content Manager OnDemand by using HTTP-based stateless protocol.
  • Support for object storage from multiple vendors. In addition to traditional on-premises file-system-based storage, Content Manager OnDemand for z/OS now supports different types of object storage, such as IBM Cloud Object Storage, Amazon AWS S3, Hitachi Content Platform and Microsoft Azure object storage.
  • Immutable object storage with IBM Cloud Object Storage and Hitachi Content Platform. Content Manager OnDemand for z/OS helps preserve your content and uses write once read many (WORM) configuration of IBM Cloud Object Storage or Hitachi Content Platform to protect data against deletion or modifications until the end of a specified retention period.
  • HTML5 line data viewer with graphical annotation. With the deprecation of applet-based technologies, a modern HTML5-based line data viewer with graphical annotation capability is available for use with IBM Content Navigator to view and annotate line data content in Content Manager OnDemand for z/OS.
  • Single sign-on for IBM Content Navigator. When IBM Content Navigator is configured for use with Content Manager OnDemand for z/OS, single sign-on capability can be enabled.
  • LDAP sync tool is included to help automate synchronization of changes in user and group definitions in corporate directory servers into Content Manager OnDemand for z/OS.

MP:  https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/897/ENUS220-060/index.html&lang=en&request_locale=en

CMOD v10.5 on Multiplatforms highlights:
  • REST Services APIs. Content Manager OnDemand for Multiplatforms now includes REST Services APIs along with regular Java APIs (OnDemand Web Enablement Kit). REST Services APIs offer a simplified interface for integrating enterprise applications that need to interface with Content Manager OnDemand by using HTTP-based stateless protocol.
  • Management of content encryption keys in external management server that is compliant with OASIS Key Management Interoperability Protocol (KMIP). For improved security and centralized management of encryption keys, enterprises typically use a key management server. Content Manager OnDemand for Multiplatforms now supports KMIP. Content Manager OnDemand for Multiplatforms can be configured with IBM Security Key Lifecycle Manager.
  • Azure object storage. Content Manager OnDemand for Multiplatforms supports object storage from multiple vendors such as IBM Cloud Object Storage, Amazon AWS S3, and Hitachi Content Platform. The choice of object storage is further expanded with support for Azure object storage.
  • Immutable object storage with IBM Cloud Object Storage and Hitachi Content Platform. Content Manager OnDemand for Multiplatforms helps preserve your content and uses write once read many (WORM) configuration of IBM Cloud Object Storage or Hitachi Content Platform to protect data against deletion or modifications until the end of a specified retention period.
  • HTML5 line data viewer with graphical annotation. With the deprecation of applet-based technologies, a modern HTML5-based line data viewer with graphical annotation capability is available for use with IBM Content Navigator to view and annotate line data content in Content Manager OnDemand for Multiplatforms.
  • Single sign-on for IBM Content Navigator. When IBM Content Navigator is configured for use with Content Manager OnDemand for Multiplatforms, single sign-on capability can be enabled.
  • LDAP sync tool is included to help automate the synchronization of changes in user and group definitions in corporate directory servers into Content Manager OnDemand for Multiplatforms.

12
I'm at a customer site, and they're re-architecting their load process from lines of business.  Because Java programmers are a commodity, they've decided to create a 100% Java solution that can be deployed on their internal cloud.

One of the programmers came to my desk this morning, and asked me about the ODWEK LoadInit / LoadAddDoc / LoadCommit / LoadReset calls (which were introduced in CMOD v9.5).

I've never heard of someone using this functionality to perform loads.  They've apparently already written the code to parse the generic index files.  I'm concerned about the operational headaches that this could cause.  (What will appear in the System Log?  Where will Load IDs be stored?  How will we get logs of load failures for diagnostics?)

Any insight would be appreciated!

-JD.


13
Other / Tightening Security / Locking Down CMOD
« on: September 20, 2019, 12:42:31 PM »
Hey everyone.

With all the leaks that have been happening around the world lately, I've been more interested in what other folks are doing to secure their CMOD installations. 

In a lot of customer sites, IBM CMOD Security is rather lax - default passwords, inactive accounts, and way too much authority/permissions for service accounts.

I have a long list of fixes I'll share, but I wondered if anyone else has been through the process, and if they did anything interesting to help secure CMOD.

-JD.

14
MP Server / I just found an AG with no Segment Field...
« on: August 07, 2019, 10:42:31 AM »
So at a customer site, I found an Application Group that was defined without a Segment Field.  Despite the warning about not defining an App Group without a Segment field, this definition made it all the way to production...  three years ago!

The Storage is set to 'Cache Only' and the expiration type is "Load", and the Load ID is coming back with zeros in the min/max date fields...  But somehow, data is still expiring on an appropriate schedule.

I'm baffled as to how this is actually working.  Has anyone dealt with this before?

-JD.

15
MP Server / CMOD ERM + TSM
« on: August 06, 2019, 01:03:56 PM »
Hey everyone.  :)

I'm looking for some insight regarding CMOD Enhanced Retention Management and TSM/Spectrum Protect.

We're building Application Groups with implied holds, and storing the data long-term in TSM.  We've got the TSM hierarchy set up, but we're wondering if we've got the config right...

We've set retinit=event, but we're not sure exactly how to set everything else. 

The config is that an upstream system will deliver a file to us with a list of documents expiring that day, and we'll process that and tell CMOD which documents to expire -- so... do we set the retention to one day, so that the documents are deleted the day after we get the permission from the upstream system to dispose of the file? 

It's my first time setting up ERM this way, so any info / insight / wisdom would be greatly appreciated. 

Thanks.

-JD.
