
DATE: 28 MARCH 2024

10.0.2.0-ISS-ISVG-IGVA-FP0002

GENERAL DESCRIPTION:
This README provides important information for upgrading to IBM Security Verify
Governance v10.0.2 Fix Pack 2. This is a Fix Pack release for IBM Security Verify
Governance version 10.0.2 to provide accumulated fixes for problems and
remediations for security vulnerabilities. The fixes are listed by APAR/Known
Issue number and the remediations by CVE number.

COMPONENTS:
An Appliance Fix Pack release (Firmware Upgrade) for IBM Security Verify Governance

NEW ENHANCEMENTS / FEATURES:
See the IBM Security Verify Governance documentation section labeled "What is new
in this release" at:
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=overview-what-is-new-in-this-product-version

DEPENDENCIES:
You must have IBM Security Verify Governance Version 10.0.2.0 installed,
configured, and working.

FIX CONTENTS:
10.0.2.0-ISS-ISVG-IGVA-FP0002.readme
10.0.2.0-ISS-ISVG-IGVA-FP0002.pkg
FileUploadUtility.jar
temptrust.jks
DBupdate.zip

CHECKSUMS:
10.0.2.0-ISS-ISVG-IGVA-FP0002.pkg
MD5 checksum: 763c724ebbd500ec345d929dcbfb3ace
SHA-512 checksum (use this value to verify the PKG file uploaded in the LMI panel of
the Verify Governance virtual appliance):
0c2cd6550e5e3c5dc76c830d47de2f8365868419435e0b7148f50903e72d22d605cc4757a1fb568e54ecf22d2617ee8f62e438a348adc86f80e817e50887a8f6

DBupdate.zip MD5 checksum: e4c75005185e69a92fe6fc7b17c100fc
FileUploadUtility.jar MD5 checksum: c047365ab17f5fc2be5c27a7a8696d42
temptrust.jks MD5 checksum: d8dfe39e0dbad4a02b7aa3eba1026509
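The checksums above are the integrity check for the downloaded fix pack. The following POSIX shell script, added here as an example and not part of IBM's tooling, compares each file listed under FIX CONTENTS against the digests from this section. It assumes GNU coreutils md5sum/sha512sum (with a fallback to the macOS md5/shasum commands) and that all five files sit in one directory.

```shell
#!/bin/sh
# Added example: verify the fix-pack files against the digests published in the
# CHECKSUMS section of this README. Not part of IBM's tooling.
# Assumes md5sum/sha512sum (coreutils) or md5/shasum (macOS) on PATH.
set -u

# hash_of ALGO FILE -> prints the lowercase hex digest of FILE
hash_of() {
  case "$1" in
    md5)
      if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | awk '{print $1}'
      else md5 -q "$2"; fi ;;
    sha512)
      if command -v sha512sum >/dev/null 2>&1; then sha512sum "$2" | awk '{print $1}'
      else shasum -a 512 "$2" | awk '{print $1}'; fi ;;
    *) echo "unknown algorithm: $1" >&2; return 2 ;;
  esac
}

# check_sum ALGO FILE EXPECTED -> 0 when the digest matches, 1 otherwise.
# The comparison is case-insensitive so a digest pasted in upper case still matches.
check_sum() {
  expected=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  [ -f "$2" ] || { echo "MISSING  $2"; return 1; }
  actual=$(hash_of "$1" "$2") || return 1
  if [ "$actual" = "$expected" ]; then
    echo "OK       $1 $2"
    return 0
  fi
  echo "MISMATCH $1 $2"
  echo "  expected $expected"
  echo "  actual   $actual"
  return 1
}

# verify_fixpack DIR -> checks every file listed under FIX CONTENTS; returns 0
# only if all digests match. Manifest columns: algorithm, file name, digest
# (values copied from the CHECKSUMS section of this README).
verify_fixpack() {
  rc=0
  while read -r algo name digest; do
    [ -n "$algo" ] || continue
    check_sum "$algo" "$1/$name" "$digest" || rc=1
  done <<'EOF'
md5    10.0.2.0-ISS-ISVG-IGVA-FP0002.pkg 763c724ebbd500ec345d929dcbfb3ace
sha512 10.0.2.0-ISS-ISVG-IGVA-FP0002.pkg 0c2cd6550e5e3c5dc76c830d47de2f8365868419435e0b7148f50903e72d22d605cc4757a1fb568e54ecf22d2617ee8f62e438a348adc86f80e817e50887a8f6
md5    DBupdate.zip e4c75005185e69a92fe6fc7b17c100fc
md5    FileUploadUtility.jar c047365ab17f5fc2be5c27a7a8696d42
md5    temptrust.jks d8dfe39e0dbad4a02b7aa3eba1026509
EOF
  return $rc
}

# Usage: verify_fixpack /path/to/downloaded/fixpack
```

Any MISSING or MISMATCH line means the package must not be uploaded to the appliance; re-download it from Fix Central or Passport Advantage and run the check again.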

ADDITIONAL COMPONENTS AVAILABLE FROM PASSPORT ADVANTAGE
The following zip files are not required for the upgrade, but you might want to
download them after you upgrade to IBM Security Verify Governance Version
10.0.2.2:
- DataMigration.zip - Contains tools that help you migrate your Verify Governance
database from the internal PostgreSQL database to a DB2 or Oracle server.
Information for running this task is at
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=installing-migrating-your-data-another-database
- SVG-Toolkit10.0.2.zip - A toolkit for developing custom rules. The toolkit is
documented in a PDF file that is included in the zip.
NOTE: The toolkit does not support dots (.) in the rule names. If you find Java
classes with names that contain dots after you download the toolkit, remove the
dots and also update the references to these classes.
The zip files are included in file SEC_VFY_GVN_xxx_V10.0.2.2_DT_TOOL.zip that you
can download from Passport Advantage (the full name of the file depends on the type
of license that you have).
For instructions, see the Download Document at
https://www.ibm.com/support/pages/node/7136247

SECURITY VULNERABILITIES FIXED IN IBM SECURITY VERIFY GOVERNANCE v10.0.2.2:
CVE-2021-29682, CVE-2022-1415, CVE-2023-22081, CVE-2023-22067, CVE-2023-5676

For more information, view the IBM Product Security Incident Response Team (PSIRT)
blog at:
http://www.ibm.com/blogs/PSIRT

KNOWN ISSUES FIXED IN THIS RELEASE
[DT228771] Request Center: performed request visible to approver listed in the "no_required_approvers" list - TS013254787
[DT247696] Role mining impact analysis run failure - TS014725137
[IJ45589] Issue with changelog sync filter syntax with ADK/DAML based adapters - TS012198061
[DT242376] Question about unexpected handling of nulled date/time IB enterprise connector target attribute - TS014222778
[DT236519] Cannot update ConnectionPool Settings on Virtual Appliance - TS012502857
[DT257521] Adding Limit to Audit Query Table for Ideas and Admin Realm
NOTE: As part of the fix for this issue, the OOB "IDEAS Audit" report is optimized by enforcing a maximum limit of 250k records. Corresponding UI changes have been made in the Request Report filter and Report Download tabs to indicate this update in the IDEAS Audit report.
[DT269821] Suspend account failing with error "upload a valid target or adapter profile" - TS015075448
[IJ40463] JDBC Connector Turkish issue - TS009060240
[DT258939] Date format issue in IB code in SVG 10.0.2 - TS014839415
[IJ43946] The delete user entitlement operation doesn't trigger the internal event when it is caused by hierarchy refresh - TS009818510
[DT260719] Canceling a Rule change with an error message saves the Rule change anyway - TS015145882
[DT246389] Hierarchy refresh results in entitlement assignment removal for simple hierarchy with value as hierarchy - TS014587947
[DT221730][IJ47155] Application filter on Access Request Process causes slow response times - TS012637464

OTHER DEFECTS FIXED IN THIS RELEASE
[INTERNAL] Fix for the 'old pending/Authorizable role removal requests going into invalid state for different unrelated users after a new user is created through various different methods in IGI' issue observed in ISVG 10.0.2 FP1.
[INTERNAL] SVG 10.0.2.2: error is seen while downloading any reports
[INTERNAL] Default IB connector profiles do not work
[INTERNAL] SVG 10.0.2 configured with Oracle Database gives an error while downloading the IDEAS Audit report.
[INTERNAL] Custom imports getting removed after upgrade
[INTERNAL] External OIDC: session/token invalidation after logout from Service Center or Admin Console.
[INTERNAL] Update documentation for default connector profiles in SVG
[INTERNAL] Document the known limitation about not being able to select a specific account configuration during account creation when there are more than 500 account configurations.
[INTERNAL] Idle session timeout issue for Admin Console and Service Center
[INTERNAL] Hotfix on 10.0.2 GA for Entitlement removal restricted for person - IGISUP-1123

KNOWN ISSUES AND LIMITATIONS
For a detailed list of known issues and limitations in this release, see this topic
in the IBM Security Verify Governance v10.0.2 online documentation:
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=overview-known-limitations-issues-workarounds

WORKAROUNDS
Not applicable

UPGRADING
Upgrading to IBM Security Verify Governance v10.0.2.2 from IBM Security Verify
Governance v10.0 - FIRMWARE UPGRADE:
IBM Security Verify Governance v10.0.2.2 enables firmware updates by USB device.
It also enables firmware updates to be transferred by using the included Java
utility.

Requirements:
Firmware update (.pkg): 10.0.2.0-ISS-ISVG-IGVA-FP0002.pkg
Keystore file (.jks): temptrust.jks (default) or custom keystore file
Java Utility (.jar): FileUploadUtility.jar
DB update scripts (.zip): DBupdate.zip

NOTE: As an alternative way to upload the firmware package, you can use the Upgrade
Package Upload option that is available in the local management interface of the
virtual appliance. This spares you from using the FileUploadUtility.jar Java
utility. For more details, see
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=10020-upgrading-virtual-appliance-previously-uploaded-package-file

Upgrade Preparation Checklist:
1. If you are using the PostgreSQL internal database, use external PostgreSQL
utilities to make a backup of the data before you run the upgrade.
2. If PostgreSQL replication is set up, the PostgreSQL master database must be
in the primary virtual appliance.
3. If you run the Verify Governance database on a DB2 or Oracle server, update the
database before you upgrade the virtual appliance.
4. In a cluster configuration, upgrade the primary VA first, then the secondary
one, and then the member.
5. If you are using an LTPA-based single sign-on configuration, where the LTPA key
is generated from the virtual appliance, generate the LTPA key again after the
upgrade. Instructions for generating the LTPA key in the virtual appliance are
available at:
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=administration-managing-ltpa-based-single-sign-configuration
6. To avoid failures caused by schema changes during the upgrade, close all open
Certification campaigns before you upgrade.
7. If you use the Turkish character set, before you upgrade, see "Configuring the
product for the use of the Turkish dotted i character" at
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=installing-configuring-product-use-turkish-dotted-i-character
Also, do not forget to run the patch_turkish.sql script when you upgrade the
Verify Governance database on DB2 or Oracle.
8. If you use the IBM Security Access Request (IBM Security Verify Request) mobile
app, or integrate with the ServiceNow platform, after you upgrade you must set the
'rest.api.visibility' parameter to 'false' in a custom file in the virtual
appliance. See "Changing the user visibility of selected REST APIs" in the IBM
Documentation at
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=apis-changing-user-visibility-selected-rest

UPDATING THE DB
To upgrade the Verify Governance v10.0.2 database on DB2 or Oracle to version
10.0.2.2, unzip the DBupdate.zip file. The PostgreSQL database is updated with the
VA and no further action is required.

Depending on the database that you want to upgrade, refer to the corresponding
section.

Before you start updating the database, stop all the servers from the Server
Control section in the Virtual Appliance. You can restart them after the database
upgrade procedure ends.

DB2 UPDATE
Before you begin
Make sure that the following prerequisites are in place:

- IBM Security Verify Governance v10.0.2.2 supports DB2® Server v11.5.8 Standard
Edition and v11.5.9 Standard Edition.
NOTE: The eAssemblies for IBM Security Verify Governance v10.0.0 and v10.0.2.2 on
Passport Advantage include the activation key and the installation package of DB2
Standard Edition Version 11.5.8. The database is licensed for use with IBM Security
Verify Governance.
- The DB2 Client must be installed.
- You must know the common database parameters such as the IP address and server
port.

Verify that the database transaction logs have enough space to contain the upgrade
logs and size them appropriately. If the transaction log fills up while upgrading,
the upgrade process might fail with the following error:

SQL0964C The transaction log for the database is full.

During the migration procedure, under some conditions, the following diagnostic
messages can appear in the log file:

"NO FLOW <something> FOUND".

and

ERROR near line 10:
SQL0438N Application raised error or warning with diagnostic text: "DEFAULT
PRIORITY UNDEFINED".

These messages do not indicate a failure of the procedure and can be ignored.

The following tags are used to customize the IBM Security Verify Governance DB2
database installation.

Tag            | Description
---------------|---------------------------------------------
DBServer       | DB2 Server IP address or DNS name
DBPort         | DB2 instance port
IGI_DB         | DB2 database name
INSTANCE_OWNER | DB2 instance owner of the database instance
PASSWORD       | DB2 instance owner password
FQ_IGI_DB      | <DBServer>:<DBPort>/<IGI_DB>

The scripts for the upgrade of the database are compressed in file DBupdate.zip.
You can find DBupdate.zip in the Fix Pack package.
To get the scripts, unpack the 'db2' folder from DBupdate.zip into a directory of
your choice, <your_path>/<EXTRACTION_DIR>.

Attention: If you find that the size for the product table space that was allocated
when Verify Governance was first installed (see Installing the IBM Security Verify
Governance database on the DB2 server) is not sufficient, increase the size
manually in the DB2 database. Do not run another fresh installation of the
database.

Procedure
This procedure upgrades your Verify Governance database from V10.0.2 to V10.0.2.2.

Follow these steps:


1. Stop the IBM Security Verify Governance server from the virtual appliance
dashboard.
2. Check the connection to the database with the following command:
clpplus -nw <INSTANCE_OWNER>/<INSTANCE_OWNER_PASSWORD>@<FQ_IGI_DB>

3. After this check, extract the DBupdate.zip archive into your directory
<EXTRACTION_DIR>.

4. If you want to produce a log file of the update procedure, change the
permissions of the <EXTRACTION_DIR> folder with the command:
chmod -R 777 <EXTRACTION_DIR>

5. After the extraction, you can see this hierarchy of folders:
<EXTRACTION_DIR>/dbupdate/

6. If you did not change the default IGI schema password, jump to step 9,
otherwise, continue to step 7.

7. Change directory to: <EXTRACTION_DIR>/dbupdate/db2/CUMULATIVE/COMMON/

8. Edit the 01-COMMON.sql file and set the DEFINE IDEAS_SCHEMA_DEF_PASS key with
the correct value. Then, save the file.

9. Change directory to <EXTRACTION_DIR>/dbupdate/db2/CUMULATIVE/ and modify the
login.sql file by setting the appropriate connection string. See the following
string:

DEFINE IGI_DB = xxx.xxx.xxx.xxx:yyyyy/zzz

where:
xxx.xxx.xxx.xxx - DB2 Server IP address or DNS name, that is, <DBServer>
yyyyy - DB2 instance port, that is, <DBPort>
zzz - DB2 database name, that is, <IGI_DB>

10. Run the cumulative_patch.sql script. Use the instance_owner userid as shown
below:

clpplus -nw <INSTANCE_OWNER>/<PASSWORD>@<DBServer>:<DBPort>/<IGI_DB> @cumulative_patch.sql

NOTE: When you run the cumulative_patch.sql script, you may see some error messages
similar to the ones shown below. You can safely ignore these messages.
ERROR near line 1:
SQL0803N One or more values in the INSERT statement, UPDATE statement, or
foreign key update caused by a DELETE statement are not valid because the primary
key, unique constraint or unique index identified by "2" constrains table
"IGAADM.CONFIGURATION" from having duplicate values for the index key.

ERROR near line 1:
SQL0803N One or more values in the INSERT statement, UPDATE statement, or
foreign key update caused by a DELETE statement are not valid because the primary
key, unique constraint or unique index identified by "2" constrains table
"IGACORE.CONFIGURATION" from having duplicate values for the index key.

11. If you run the Turkish locale, find the TURKISH folder in
<EXTRACTION_DIR>/dbupdate/db2/ and use the clpplus executable to run the
patch_turkish.sql script on the database.

12. Verify in the created log files if the db updates were completed successfully.

13. Start the IBM Security Verify Governance server from the virtual appliance
dashboard.

What to do next

Upgrade the virtual appliance.

ORACLE UPDATE
Before you begin
Make sure that the following prerequisites are in place:

- The Oracle Server version 19c Enterprise Edition must be installed.
- The upgrade script can be launched directly on the server that hosts the Oracle
DBMS or on another computer where the Oracle Client is installed.
- You must know the common database parameters such as the IP address, server port,
and SID.

The following tags customize the IBM Security Verify Governance Oracle database
installation.

Tag         | Description
------------|-------------------------------------
IgiSID      | Oracle database instance name (SID)
DBServer    | Oracle Server IP address or DNS name
DBPort      | Oracle listener port
ServiceName | Oracle Service Name

The scripts for the upgrade of the database are compressed in file DBupdate.zip.
You can find DBupdate.zip in the Fix Pack package.
To get the scripts, unpack the 'oracle' folder from DBupdate.zip into a directory
of your choice, <your_path>/<EXTRACTION_DIR>.

Attention: If you find that the size for the product table space that was allocated
when Verify Governance was first installed (see Installing the IBM Security Verify
Governance database on the Oracle server) is not sufficient, increase the size
manually in the Oracle database. Do not run another fresh installation of the
Verify Governance database.

Procedure
This procedure upgrades your Verify Governance database from V10.0.2 to V10.0.2.2.
1. Stop the IBM Security Verify Governance server from the virtual appliance
dashboard.
2. Access the Oracle server.
a. Log in with root privileges:
sudo su -
b. Switch to the oracle user:
sudo su oracle
c. Check that the configuration works by connecting to the database with the
following command:
sqlplus system/<password>@<IGISID>

3. After this check, extract the DBupdate.zip archive into your directory
<EXTRACTION_DIR>.

4. If you want to produce a log file of the update procedure, change the
permissions of the <EXTRACTION_DIR> folder with the command:
chmod -R 777 <EXTRACTION_DIR>

5. After the extraction, you can see this hierarchy of folders:


<EXTRACTION_DIR>/dbupdate/

6. If you did not change the default IGI schema password, jump to step 9,
otherwise, continue to step 7.

7. Change directory to: <EXTRACTION_DIR>/dbupdate/oracle/CUMULATIVE/COMMON/

8. Edit the 01-COMMON.sql file and set the DEFINE IDEAS_SCHEMA_DEF_PASS key with
the correct value. Then, save the file.

9. Change directory to <EXTRACTION_DIR>/dbupdate/oracle/CUMULATIVE/. Use the
oracle userid to run the cumulative_patch.sql script as follows:

sqlplus system/<PASSWORD>@<IGISID> @cumulative_patch.sql

NOTE: When you run the cumulative_patch.sql script, you may see some error messages
similar to the ones shown below. You can safely ignore these messages.
ERROR near line 1:
SQL0803N One or more values in the INSERT statement, UPDATE statement, or
foreign key update caused by a DELETE statement are not valid because the primary
key, unique constraint or unique index identified by "2" constrains table
"IGAADM.CONFIGURATION" from having duplicate values for the index key.

ERROR near line 1:
SQL0803N One or more values in the INSERT statement, UPDATE statement, or
foreign key update caused by a DELETE statement are not valid because the primary
key, unique constraint or unique index identified by "2" constrains table
"IGACORE.CONFIGURATION" from having duplicate values for the index key.

10. If you run the Turkish locale, find the TURKISH folder in
<EXTRACTION_DIR>/dbupdate/oracle/ and use the sqlplus executable to run the
patch_turkish.sql script on the database.

11. Verify in the created log files if the db updates were completed successfully.

12. Start the IBM Security Verify Governance server from the virtual appliance
dashboard.

What to do next
Upgrade the virtual appliance.
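Step 12 of the DB2 procedure and step 11 of the Oracle procedure ask you to check the log of cumulative_patch.sql, and this README lists the diagnostics that may be ignored. The following POSIX shell function, added as an example rather than taken from the fix pack, scans such a log, suppresses only those documented messages and fails on anything else. It assumes the log is a plain-text spool in which each error starts with an "ERROR near line N:" header and runs until the next blank line, as in the messages quoted in this README; the log file name is yours to supply.

```shell
#!/bin/sh
# Added example: triage a cumulative_patch.sql log after the database update.
# Not part of the fix pack. Only the diagnostics this README documents as harmless
# are suppressed; anything else (for example SQL0964C, a full transaction log) is
# reported and the function returns 1.
# Assumes the log is plain text where each error starts with "ERROR near line N:"
# and the message runs until the next blank line.

# triage_patch_log FILE -> prints unexpected errors plus a summary line;
# returns 0 if every error is one of the ignorable ones, 1 otherwise.
triage_patch_log() {
  awk '
    # Classify one complete (joined) error message.
    function classify() {
      if (msg == "") return
      if (msg ~ /SQL0803N/ && msg ~ /"IGA(ADM|CORE)\.CONFIGURATION"/) ignored++
      else if (msg ~ /SQL0438N/ && msg ~ /DEFAULT PRIORITY UNDEFINED/) ignored++
      else if (msg ~ /NO FLOW .* FOUND/) ignored++
      else { unexpected++; print "UNEXPECTED: " msg }
      msg = ""; body = 0
    }
    /^ERROR near line [0-9]+:/ { classify(); msg = $0; body = 0; next } # new error
    msg != "" && /^[ \t]*$/    { if (body) classify(); next }           # blank ends it
    msg != ""                  { msg = msg " " $0; body = 1; next }      # continuation
    /NO FLOW .* FOUND/         { ignored++ }                             # standalone form
    END {
      classify()
      printf "ignored=%d unexpected=%d\n", ignored, unexpected
      exit (unexpected > 0)
    }
  ' "$1"
}

# Usage: triage_patch_log <EXTRACTION_DIR>/dbupdate/db2/CUMULATIVE/<your log file>
```

A non-zero return means the database update needs attention before you upgrade the virtual appliance; the UNEXPECTED lines show exactly which messages were not on the ignorable list.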

UPGRADING THE VIRTUAL APPLIANCE

NOTE1: If your virtual appliance is connected to a Network Time Protocol (NTP)
server, make sure that the configuration is valid, and that the server can be
reached before you run the upgrade. To check the configuration of the NTP server,
go to Manage > System Settings > Date/Time on the virtual appliance local management
interface.
NOTE2: See UPGRADING THE VIRTUAL APPLIANCE ON AMAZON WEB SERVICES (AWS) below if
your virtual appliance is on Amazon.

You can transfer firmware updates to the VA using USB.
Alternatively, you can install firmware updates to the VA by transferring them with
the FileUploadUtility.jar Java utility. FileUploadUtility.jar performs the same
function as the virtual appliance CLI command: svg > upgrade > transfer
As a further alternative, you can use the Upgrade Package Upload option that is
available in the local management interface of the virtual appliance. This spares
you from using the FileUploadUtility.jar Java utility. See
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=10020-upgrading-virtual-appliance-previously-uploaded-package-file

The following procedure is for running the upgrade with the use of the
FileUploadUtility.jar utility:

1. Copy the FileUploadUtility.jar file onto a system where IBM Java is already
installed. Java version 1.8 is recommended.
2. Copy the firmware update file and a keystore file to the file system.
3. Run the Java command, as specified in the Usage section below, to update the
firmware.
You can use the temptrust.jks file that is supplied with this release.

Usage:
java -jar FileUploadUtility.jar <Hostname:Port> <AdminId> <AdminPassword> <Truststore Filepath> <Truststore Password> <Absolute path to pkg file> <sslProtocol>

For the <Hostname:Port> value, enter the <FQDN:Port> of the VA instead of the IP
address.

The only valid value for <sslProtocol> is TLSv1.2. The virtual appliance and its
components are by default migrated to protocol TLSv1.2.
IMPORTANT NOTE: If you were still running on TLSv1.0 or TLSv1.1, you are strongly
encouraged to upgrade all the connected external entities, such as the database
and the LDAP server, to TLSv1.2.

Example:
java -jar FileUploadUtility.jar igiva.in.ibm.com:9443 admin admin /work/temptrust.jks changeit /Downloads/10.0.2.0-ISS-ISVG-IGVA-FP0002.pkg TLSv1.2

4. After the pkg file has been transferred, use the virtual appliance CLI to
install the firmware: svg > upgrade > install
5. If LTPA-based single sign-on is configured, where the LTPA key is generated from
the virtual appliance, generate the LTPA key again.
Instructions are available at:
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=administration-managing-ltpa-based-single-sign-configuration

UPGRADING THE VIRTUAL APPLIANCE ON AMAZON WEB SERVICES (AWS)
Follow these steps:

1. Take an AWS snapshot (hypervisor-level snapshot) of the computer that you are
to upgrade.
2. Upload the 10.0.2.0-ISS-ISVG-IGVA-FP0002.pkg file on the virtual appliance.
3. Use the virtual appliance CLI to install the firmware: svg > upgrade >install
4. Reboot the virtual appliance.

TASKS TO COMPLETE AFTER THE UPGRADE

- Verify that all your custom tasks and jobs are present in your upgraded
environment. See "Verify current set of tasks and jobs for the Task Planner module"
at
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=ufsigiv5lsvgv1-verify-current-set-tasks-jobs-task-planner-module

- The active tasks in Task Planner might be listed with the Inconsistent Task icon.
Resynchronize the schedulers to reactivate the tasks. See "Synchronizing the Task
Planner schedulers" at
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=10020-synchronizing-task-planner-schedulers

- The Role Mining process starts without data to analyze. For this reason, do a new
data load. See "Loading role mining data" at
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=10020-loading-role-mining-data

- If you use the IBM Security Verify Request mobile app, or integrate with the
ServiceNow platform, set the 'rest.api.visibility' parameter to 'false' in a custom
file in the virtual appliance. See "Changing the user visibility of selected REST
APIs" at
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=apis-changing-user-visibility-selected-rest

- If you use IBM Security Identity Governance and Administration Data Integrator
(ISIGADI), update the JAR files that are in file sdk.zip. Follow the steps that are
documented in section "Updating the SDK for IBM Security Identity Governance and
Intelligence" of the ISIGADI._707_1968516_v2 PDF that is available in technote
"Integration between IBM Security Identity Manager and IBM Security Identity
Governance and Intelligence - Data Integrator 7.0.7"
(https://www.ibm.com/support/pages/node/723369).

For the complete documentation about tasks to complete after the upgrade, see
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=installing-upgrade-virtual-appliance

IBM SECURITY VERIFY GOVERNANCE 10.0.2 PRODUCT DOCUMENTATION
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=verify-governance

IBM SECURITY VERIFY GOVERNANCE 10.0.2 REQUIREMENTS
https://www.ibm.com/docs/en/sig-and-i/10.0.2?topic=installing-prerequisite-software

TRADEMARKS
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A
current list of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.
COPYRIGHT (C) 2024, IBM INC.
END OF README
