Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

           Unable to deploy on IBM PureApplication appliance and
               Software due to expired security certificate
                                27 May 2019


        AusCERT Security Bulletin Summary

Product:           PureApplication System
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Mitigation

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

 Unable to deploy on IBM PureApplication appliance and Software due to expired
                              security certificate

   IT28802; CertPathValidatorException; CertificateExpiredException

  Document information

   More support for: PureApplication System

   Component: PureApplication appliance and PureApplication Software

   Software version: All Versions

   Operating system(s): Platform Independent

   Reference #: 0881129

   Modified date: 25 May 2019

Flashes (Alerts)


   Unable to deploy, modify, or capture snapshots of PureApplication
   workloads due to expired security certificate used by PureApplication
   System Manager (PSM).


   When attempting to deploy, modify, capture snapshots of PureApplication
   workloads, the following error is seen on the PureApplication console:
   Metadata of script: <script name associated with pattern instance> cannot
   be loaded.

   The problem is caused because of the following exception, as seen in the
   kernel service logs:
   Caused by: java.security.cert.CertPathValidatorException: The certificate
   expired at Fri Apr 12 17:40:37 UTC 2019; internal cause is:
   This problem is related to APAR IT28802. This APAR impacts the deployment
   of new workloads, modification of running workloads, and capturing
   snapshots of running workloads. In order to resolve this problem, a new
   security patch with a new security certificate needs to be installed on
   the PSM, and the associated services need to be restarted.
   Until the new security patch is applied, you will have limited management
   usage of your PureApplication but all existing workloads will continue to
   operate without any outage. Additionally, you will continue to have a
   limited management access to the PSM for all other management features and
   If you are encountering this problem, please open a service request (PMR)
   with IBM PureApplication L2 Support via
   https://www-946.ibm.com/sr/help/index.html and express your interest in
   APAR IT28802.
   Issues post installation of APAR IT28802:
   After the APAR IT28802 test fix installation, if you notice either of
   these issues, then please open a service request (PMR), specify the text
   as "failure after applying IT28802" in the request and submit with IBM
   PureApplication L2 Support.

    1. If you have a configured system backup, the system backup stops
       working. You can validate this issue by doing these steps:
           a. Click System Console > System > Backup and Restore.
           b. Select your backup configuration.
           c. Click View History.
                You would notice that history is not updated from the last
       scheduled backup.

    2. The error, "Metadata of script: <script name associated with pattern
       instance> cannot be loaded", returns. There is a use case where the
       older version of the certificate is restored, such as PSM failovers,
       firmware upgrades, or repairs to the PSM.
       You can verify by opening any pattern under Patterns > Virtual System

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967