6.2.7.0.ifix01 – December 19th, 2017

Secured Authentication Tokens

Users can restrict the authentication tokens used by process steps so that only tokens with the minimum permissions needed to accomplish the step are created. Also, authentication tokens are now encrypted in storage, and existing tokens can be updated to the new encryption standard.

Increased Detail in Audit Logging

The audit log now specifies whether the user used an authentication token to log in and more detail about the security settings that were changed.

Additional Permissions Added

Specific permissions have been added to upgrade and delete agents, delete agent relays, and edit post processing scripts.

Optional Manual Task Notifications

Choose notification options for manual tasks including no notification. You can restrict approvals for manual task to the person who started the deployment.

Full z/OS Component Versions

Components using z/OS now have the option to use full or incremental versions.

Terraform

Greater support for creating Terraform documents in the blueprint designer. The blueprint designer now combines different provider syntaxes into one, unified graphical representation.

Enhancements to the Terraform extensions (provider, provisioner) for IBM UrbanCode Deploy.

Plug-ins Atom Feed

Stay up-to-date on all new plug-in releases by following the UrbanCode Plug-ins Atom feed. Subscribe using your favorite RSS/Atom feed reader.

Enhancements in this Release

105917 Provide different types of audit entries for different types of authentication requests
106531 Provides unique auditLog entries to be able to determine specific setting changed in all cases within #security/roles
91193 Require permissions/access to upgrade and delete agents and agent relays
97944 need more granular control of edit & execution perms for Post Processing Scripts

Fixes in this release

PI89546 ERRORS WHEN EDITING RESOURCE TREE CONTAINING (,), AND / CHARACTERS
PI89496 CAN’T EDIT COMPONENT TEMPLATE WITHOUT MANAGE TEAMS PERMISSION
PI88865 COMPONENT PROCESS NEVER STARTS AFTER APPROVALS
PI88439 Server does not start after upgrade: ‘String contains ASCII control characters’
PI85953 COMPLETED PROCESSES ARE SHOWING AS RUNNING IN UI
PI84661 AGENTS CAN BE ASSIGNED TO RESOURCES THAT THE USER DOESN’T HAVE PERMISSION TO VIEW OR EDIT IN THE APPLICATION CREATION WIZARD
PI82670 OUTPUT LOG CAN’T BE VIEWED FROM THE UCD UI
PI80996 LAST VERSION IN APPLICATION’S COMPONENT TAB SHOWS ARCHIVED
VERSIONS
PI67556 SOME SOURCE CONFIG PLUGINS DO NOT SUPPORT “PRESERVE EXECUTE
BITS” OPTION.
PI65004 UNABLE TO USE BATCH EDIT ON ENTRIES WITH MULTIPLE LINES
PI57072 UNABLE TO CHANGE DATE RANGE AFTER A REPORTS INITIAL DATE SELECTION
PI92399 DISABLE HEAT ENGINE CONVERGENCE MODE IN OPENSTACK NEWTON OR HIGHER TO USE BLUEPRINT DESIGNER
PI92351 WHEN IMPORTING A COMPONENT THAT INHERITS COMPONENT TEMPLATE PROPERTIES, COMPONENT PROPERTIES DO NOT GET IMPORTED.
PI84409 IMPORTING COMPONENTS WITHOUT COMPONENT/COMPONENT TEMPLATE PROPERTIES CAUSES ERROR IN LOGS.
PI85894 YOU CAN MAP AGENTS DURING THE APPLICATION WIZARD DESPITE NOT HAVING AGENT: CREATE RESOURCE PERMISSION
PI87384 Component template can’t be imported if it contains new processes
PI88211 UNABLE TO LOAD “WORK ITEMS” TAB
PI88507 SNAPSHOT CANNOT BE LOCKED IF RESOURCE CONTAINS “/ ” IN THE NAME
PI93742 POST PROCESSING SCRIPT MAY EXECUTE BEFORE THE OUTPUT LOG HAS BEEN FULLY WRITTEN
Security Bulletin Multiple Vulnerabilities in Apache Tomcat affects IBM UrbanCode Deploy (CVE-2017-7674, CVE-2017-7675)
Security Bulletin Authenticated Users Can Gain Privilege in IBM UrbanCode Deploy (CVE-2017-1493)

Known Problems and Workarounds

PI90236 UNABLE TO PERFORM DEPLOYMENTS AFTER UPGRADING TO 6.2.6.1 OR 6.2.7.0

To search for additional post-release issues that IBM Rational Support documented, visit the IBM Support portal.

Severe Defect in Unfixed 6.2.7.0

6.2.7.0 contains APAR PI93742, which can cause plugin steps to fail even if they have actually succeed. To avoid APAR PI93742, upgrade 6.2.7.0 to 6.2.7.0.ifix01, and then upgrade all agents.


Upgrade Notes

Starting in 6.2.5.2

Starting the server for the first time may take longer than usual. For very large installations, allow an extra hour for the first server startup. Subsequent startups will take the regular amount of time.

Users now do not receive notifications based on their membership in a role on the System Team. Users will have to be added to the correct role on a different team as well to receive notifications.

The server now deletes all contents of the var/temp directory on server startup.

Starting in 6.2.5.1

Process requests from deleted environments will now be deleted. To keep process requests from deleted environments, add this property to the installed.properties file: com.urbancode.ds.cleanup.HistoryCleanup.disableDeletedEnvironmentCleanup=true

Starting in 6.2.5.0

The UCD_SESSION_KEY header has been renamed to UCD_CSRF_TOKEN. The previous name is also accepted until 6.3 when it will be removed from the product.

Users now require the “Execute” permission on agents in order to run processes against them. All existing user roles will receive this permission when upgrading from a version before 6.2.5.0. When upgrading, ensure that any user that needs to execute processes is on the same team as the agents required to run those processes.

Starting in 6.2.4.0

You must upgrade Agent Relays when upgrading from a version below 6.2.4.0. Also, the TLS protocol 3DES is no longer supported.

After upgrading from before 6.2.4.0, users will not be able to view or delete agent relays until they have been granted permission to those relays. Relays that existed before the upgrade are only added to the System Team by default. For users to view agent relays, a user with Manage Security permission should give the correct roles the new For relays that existed before the upgrade, a user with Manage Security permissions will have to add the agent relays to the correct teams and give the correct roles the Agent Relay view and edit permissions.

When upgrading an IBM UrbanCode Deploy agent, end-to-end JMS encryption will automatically be enabled on all agents. In order for agent communication to function properly with end-to-end encryption enabled, the IBM UrbanCode Deploy server and agent clocks need to be synchronized to within a few minutes. To disable this feature, add the line agent.jms.disable_full_encryption=true” to the agent’s conf/agent/installed.properties file before upgrading the agent.

Starting in 6.2.3.0

If you are upgrading from version 6.2.3.0 and earlier, servers and relays must be upgraded at the same time. Agents connected through relays may not connect successfully until both server and relay are upgraded. This is due to an incompatibility between versions of an library used by UCD.

Starting in 6.2.3.0, authentication tokens will be obfuscated in the UI and REST API after their initial creation. Scripts and users will only be able to retrieve the full authentication token immediately after creating it.

The silent install of the IBM UrbanCode Deploy server hangs when prompting for the value of the server installation directory (install.server.dir). To workaround the problem, run the following instead of calling ./install-server.sh directly:
echo "" > answerFile.txt echo "" >> answerFile.txt ./install-server.sh < answerFile.txt (or install-server.bat < answerFile.txt for Windows installations)

Starting in 6.2.2.0

The IBM UrbanCode Deploy server and agent relays now require a Java Runtime Environment (JRE) or Java Development Kit (JDK) version 8. If you are updating or changing the JRE to the latest version, see
Changing or updating the JRE of servers and Updating the JRE location for agent relays for instructions. For documentation on the IBM JRE, see IBM SDK, Java Technology Edition.

Starting in 6.2.1.1

To ensure that all secure property values are obscured, the values of all properties in the history for existing deployments are obscured. In the deployment history for deployments that you run after you upgrade, only secure properties are obscured in the logs.

New security features erase old component version import logs to hide secure information. If you want to keep the logs, in the installed.properties file, set the com.urbancode.ds.cleanup.sourceConfig.fullCleanupSkip property to true.

Plan & Prepare

For fixes contained in this release, and any known issues, review the release notes.

For supported platforms and requirements, see the reports that can be dynamically generated using the Software Product Compatibility Reports (SPCR) tool.

Note: Some supported plug-ins have system requirements that vary from the core product. Information on system requirements for individual plug-ins is available on the download page for that plug-in.

To get started quickly to try the software, IBM UrbanCode Deploy is shipped with an Apache Derby database. Apache Derby deployments are not supported for production environments. As you plan your production topology, review the installation guide.