Updated Date: 08/30/2013
This release note documents the version 2.0 feature release of the Enterprise Manager®. To review the features introduced in this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to version 1.7 and later. For information about installing the software, please refer to Installing the software.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the user guides and the solutions database in the AskF5SM Knowledge Base, https://support.f5.com.
The supported browsers for the Enterprise Manager web interface are:
Note that we recommend that you leave the browser cache options at the default settings, and disable popup blockers and other browser add-ons or plug-ins.
The version 2.0 release applies only to the supported platforms listed below; each one provides all minimum system requirements. This release supports the following platforms:
If you are using a new Enterprise Manager system, the current software is loaded and configured. See Setting up a new system to get started using Enterprise Manager. If you are upgrading an existing Enterprise Manager system, see Upgrading an existing system for instructions on how to download and install Enterprise Manager version 2.0.
Important: We recommend that you download and verify the MD5 checksum on any ISO image or IM upgrade file you download to ensure the integrity of the installation file.
The Enterprise Manager version 2.0 was shipped to you installed on the Enterprise Manager platform you selected. You only need to set up the system in your network, license the system, and connect it to one or more devices that you want to manage.
For an explanation of networking options and setup instructions, see chapter 2, Installation and Setup, and chapter 3, Licensing and Configuring the System in the Enterprise Manager™ Administrator Guide available at https://support.f5.com.
Important: After you complete the licensing process, you must reboot the Enterprise Manager system in order for the user interface to function properly.
If you have an existing Enterprise Manager system, you can use the F5 Electronic Software Distribution site to download a new software image. Then, you can use the Enterprise Manager software upgrade wizard to upgrade your Enterprise Manager system. You can upgrade to Enterprise Manager to version 2.0 from version 1.7 or version 1.8. If you upgrade from version 1.7, you must use the command line installation. To avoid a potential error with the upgrade wizard, we recommend using the command line option for upgrading from version 1.8.
Important: If during the upgrade you choose to convert to the LVM disk management scheme, the system erases the software repository, archives, and other data stored in the Enterprise Manager database. You must re-import software and hotfix images on the upgraded system. However, you can back up and restore device data, archives, and statistics data. To retain these items, use the following procedure to back up important Enterprise Manager data.
To perform these actions, you must log on to the Enterprise Manager command line as the root user.
To perform these actions, you must log on to the Enterprise Manager command line as the root user.
To download the software upgrade, you must create an account at http://downloads.f5.com. This site uses an F5 single sign-on account for technical support and downloads. After you create an account, you can log on and download the Enterprise Manager 2.0 software.
Important: If you upgrade to version 2.0 and you choose to convert Enterprise Manager to Logical Volume Management, you cannot downgrade to a previous version. To maintain the ability to downgrade, you must maintain the partitioned disk scheme when you upgrade Enterprise Manager to version 2.0.
For further instructions on using the Software Upgrade wizard, see the Managing Software Images chapter in the Enterprise Manager Administrator Guide available at https://tech.f5.com.
When you upgrade from version 1.8 to version 2.0, you may want to use the command line installation to avoid any potential errors when upgrading to a Logical Volume Management disk scheme. Also, if you are upgrading from version 1.7 to version 2.0, you must use the command line installation method, as the Software Upgrade Wizard does not support that specific upgrade path.
This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.
Before you begin, ensure that all applicable tasks are complete:
Installation consists of the following steps.
After the installation finishes, you must complete the following steps before the system can manage devices.
Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we strongly recommend that you reference the guide to ensure successful completion of the installation process. Although Enterprise Manager uses the same TMOS® environment as other BIG-IP systems, not all of the traffic-specific instructions apply to Enterprise Manager.
The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
To watch an in-progress installation operation, run the command watch b software status, which runs the b software status command every two seconds. Pressing Ctrl+C stops the watch feature.
If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.
This release includes the following new features and fixes.
Enabling and disabling pool members and nodes
You can use Enterprise Manager to enable or disable pool members and nodes on managed devices in the network.
Enterprise Manager 4000 platform support
Enterprise Manager now supports the new Enterprise Manager 4000 platform.
Enterprise Manager features the new TMOS® architecture, with the look and feel of the latest version of TMOS introduced with BIG-IP version 10.0.0.
Application Editor role introduced for Enterprise Manager (CR127057)
Enterprise Manager now uses the Application Editor user role found in other BIG-IP systems instead of the Advanced Operator role.
Tomcat vulnerabilities fixed (CR85197, CR104935, CR126259)
We included a new tomcat package to address the vulnerabilities described in CVE-2007-3382, CVE-3385, CVE-5333, CVE-2008-2370, CVE-2008-5515, and CVE-2009-0783.
Cross-site scripting vulnerabilities fixed (CR89622, CR96144, CR96889)
We changed certain screens to prevent local cross-site scripting vulnerabilities.
libbind vulnerability fixed (CR92592)
We included an updated libbind package to address the vulnerabilities described in CVE-2008-0122 and CVE-2007-6251.
Local vulnerability in HTTP GET parameters (CR94040)
Previously, if a user had accessed the Configuration utility of an Enterprise Manager system, and then browsed to an untrusted site and clicked on a malicious link, the system may have been vulnerable to cross-site scripting attacks. We corrected this issue in the new version of Enterprise Manager.
Forms-based authentication (CR99322)
With the introduction of forms-based authentication, users will now be able to log out of an Enterprise Manager session without needing to close the browser window.
Command line utilities added (CR107898, CR107904)
With the new version of Enterprise Manager, the system now supports the following command line tools commonly available in BIG-IP systems: b daemon <daemon> audit, b cli audit, and b remote users.
TACACS+ now supported (CR107905)
This version of Enterprise Manager now supports TACACS+ user authentication.
Tcpdump vulnerabilities fixed (CR108858)
We updated the tcpdump package included with Enterprise Manager to address the local vulnerabilities described in CVE-2004-0055.
Bind DSA key vulnerability (CR115215)
The included version of bind included with Enterprise Manager fixes the DSA key vulnerabilities described in CVE-2009-0025.
NTP vulnerabilities fixed (CR115608)
This version of Enterprise Manager includes an updated ntp package to address the vulnerabilities described in CVE-2009-0021.
Secure FTP option available (CR120785)
In the Support Data Collection wizard, you can now select an SFTP option for a secure connection when sending information to the F5 support site.
http-security webapp appears in list (CR121030)
Previously, in the Deploy Security Policy wizard, you could select the http-security web application although it should not have appeared in this list. The system now correctly excludes it from the list.
Failover states for 10.x devices not supported (CR121730)
Enterprise Manager did not previously display offline and forced offline states for managed devices running BIG-IP version 10.0.x. The system can now display all possible states of a managed device.
Apache vulnerabilities fixed (CR123537)
We included an updated httpd package to address the vulnerabilities described in CVE-2008-1678, and CVE-2009-1195.
OpenSSL vulnerabilities fixed (CR123875)
Enterprise Manager contains an updated OpenSSL package to address the vulnerabilities described in CVE-2009-1387.
Warning messages for qkview (CR125417, CR125418, CR130403)
Previously, if you ran the qkview command from the command line, you may have received a warning message indicating that qkview was out of date. As we have updated the qkview package to include Enterprise Manager-specific data, these warnings no longer appear.
Kernel vulnerabilities fixed (CR121197, CR126252)
The updated kernel included in Enterprise Manager fixes vulnerabilities described in CVE-2008-4307, CVE-2009-0787, CVE-2009-1336, CVE-2009-1337, CVE-2007-5966, CVE-2009-1385, CVE-2009-1389, CVE-2009-1895, CVE-2009-2407, and CVE-2009-1388.
Apr-util local vulnerabilities fixed (CR125223)
We included an updated apr-util packages to address local vulnerabilities described in CVE-2009-0023, CVE-2009-1955, and CVE-2009-1956.
Bind DoS vulnerability fixed (CR125853)
The updated bind package included with Enterprise Manager fixes the vulnerability described in CVE-2009-0696.
MySQL vulnerability fixed (CR125982)
The updated MySQL package included with Enterprise Manager fixes the vulnerability described in CVE-2009-2446.
NSS/NSPR vulnerabilities fixed (CR126055)
Enterprise Manager includes updated NSS/NSPR libraries to address the vulnerabilities described in CVE-2009-2404, CVE-2009-2408, and CVE-2009-2409.
Java local vulnerabilities fixed (CR126476)
The updated Java Runtime Environment included with Enterprise Manager addresses the local vulnerabilities described in CVE-2009-0217, CVE-2009-2745, CVE-2009-2746, CVE-2009-2625, CVE-2009-2670 though 2675, and CVE-2009-2690.
Libmxl2 vulnerabilities fixed (CR126813)
We included an updated libxml2 library to address vulnerabilities described in CVE-2009-2414, CVE-2009-2416.
Curl vulnerabilities fixed (CR126907)
The updated curl package included with Enterprise Manager addresses the vulnerabilities described in CVE-2009-2417.
Cyrus-sasl vulnerabilities fixed (CR127190)
We included updated cyrus-sasl libraries to address the vulnerabilities described in CVE-2009-0688.
Version information updated correctly (CR127363)
Previously, when you used the software upgrade wizard to update a system using Software Volume Management, the version did not properly update on the device list. Now, the correct version appears on the device list after an upgrade.
Launch link authentication for Operator and Application Editor users (CR127470)
Previously, the system did not always properly authenticate Enterprise Manager users with Operator or Advanced Operator (now Application Editor) roles when you clicked a Launch link from a device properties screen. We corrected this issue so users with these user roles are authenticated.
Auto refresh updated (CR128695)
We enhanced the auto refresh control on the task properties screen.
Power failure corrupts statistics database (CR129712)
If the system encounters a power failure, the statistics monitoring database can become corrupted. You can follow the instructions in SOL10736 in the Solutions database in the AskF5 Knowledge Base to use the proper parameters with this script to repair the database.
Failover and peer management address issues (CR129733)
When you configure Enterprise Manager version 2.0 as a high availability system, initially, both peers are set to an offline state. Additionally, when you upgrade a managed pair of Enterprise Manager systems, upon upgrade, both systems are set to offline. For failover to work properly, you must specify a peer management address.
OpenSSH vulnerabilities fixed (CR129920)
We included updated OpenSSH packages with the new version of Enterprise Manager to address vulnerabilities described in CVE-2009-2904.
Discovery tasks do not time out (CR130883)
If a discovery task encounters an error, the status page may continually refresh instead of timing out.
TCP metrics inaccurate (CR130308)
We corrected an issue were certain device-level TCP metrics were inaccurate. TCP metrics reported in statistical data are now correct.
File names not preserved for support upload (CR131446)
If you configure a Gather Support Information task and attach a file, the file names may not be preserved when you send the information to the F5 support site.
Software images not included in advanced archives (CR131764)
Previously, when you created an advanced archive of an Enterprise Manager configuration, this included images stored the software repository. This often resulted in very large backup files. To provide more useful backup files, the advanced archive script no longer includes images stored in the Enterprise Manager software repository. If you need to recover these images, you can download the images from the F5 downloads site, https://downloads.f5.com/.
The current release includes the fixes and enhancements that were distributed in prior releases. Please see the Enterprise Manager version 1.8 release notes to view fixes and enhancements introduced in version 1.x releases.
If you upgraded the Enterprise Manager to version 2.0 from a version earlier than version 1.7, you must re-license the system before you can use the performance monitoring feature.
Note: The performance monitoring features originally introduced in version 1.7 are only available on the Enterprise Manager 3000 and Enterprise Manager 4000 platforms due to the greater CPU, memory, and hard drive requirements for this feature.
The following items are known issues in the current release. Known issues are cumulative, and include all known issues for a release. Please see the Enterprise Manager version 1.8 release notes to view known issues documented in version 1.x releases.
Installation warning (CR105166)
When you install Enterprise Manager version 2.0, and view installation messages the console, you may see an error indicating a missing /usr/bin/rpmgraph directory. The system upgrade installs successfully, and you can ignore this message.
Statistics screen does not time out (CR105234)
If you are viewing a statistics screen, the user session logged in to the system does not time out as it does when viewing other screens. If you need to maintain the regular timeout interval for logged in users, then navigate away from a statistics screen.
OpenSSH vulnerability in old SSH clients (CR112411)
This release contains the new OpenSSH client and server, which addresses the vulnerability Plaintext Recovery Attack Against SSH, reported as CPNI-957037. When an older client connects to the new server, however, a vulnerability exists. If you are still using old SSH clients, you should manually set those client's cipher list to only include CTR ciphers. To use only CTR ciphers for the OpenSSH client, the command line must include the following option: -c aes128-ctr,aes192-ctr,aes256-ctr.
New volumes do not appear (CR123430)
If you are managing a system that uses Logical Volume Management, and you add a new volume to the managed device, the Enterprise Manager system may not detect the new volume immediately.
Inaccurate list of boot locations on EM 4000 platform (CR126805)
On the Device Platform screen, if you view the platform information for an EM 4000, inaccurate details about the boot location appear. The details indicate available Compact Flash boot locations where there are none.
NTP vulnerability (CR131466)
Although the ntp package included with Enterprise Manager is affected by the vulnerabilities described in CVE-2009-3563, the system incorporates a read-only configuration so that the system is not vulnerable in this instance.
Samba vulnerabilities (CR131547)
The samba packages included with Enterprise Manager are affected by the vulnerabilities described in CVE-2009-1888, CVE-2009-2813, CVE-2009-2906, and CVE-2009-2948.
Upgrading to version 2.0 and possible errors (CR131966)
If you use the software upgrade wizard to perform a self-installation upgrade from Enterprise Manager 1.8 to version 2.0, it is possible that you may encounter errors during the upgrade process. In certain instances, the system may mark the task Cancelled, but the task will continue to run in the background to upgrade the system. If this occurs, you can check the image_install.log file to confirm that the installation completed, then manually reboot the system. As an alternative to the software upgrade wizard, you can perform an installation from the command line of the Enterprise Manager system. See the Upgrading an existing system section of the release note for instructions.
Issues when logging into devices with Launch link (CR132455, CR132933)
If you user the Launch link on the device properties screen to open a new window to log into a managed device, you may not be able to perform management tasks on the managed device. Additionally, you cannot use the Logout link on the managed device's Configuration utility to log off of the system. To work around this scenario, you must clear cookies associated with the managed device and avoid using the Launch link.
Copied Guest user role has no access (CR132696)
If you use Enterprise Manager to copy a Guest user account from a version 9.x managed device to a version 10.x managed device, the Guest user's access level is changed to No Access. You must manually change the user role permissions on the managed device in this scenario.
emsnmpd service errors (CR133464)
You may encounter errors in the emsnmpd service when using the snmpwalk command at the command line. These errors could result cause the emsnmpd service to restart.
Upgrades may fail for CF devices (CR133590)
If you use Enterprise Manager to upgrade devices that user a Compact Flash drive, the upgrade may not complete.
Show All link issues (CR133680)
On the Device Statistics configuration screen, if you click the Show All link to display more than two pages of objects, the link does not appear to work. Click Show All again to view all objects.
Incorrect alert name in log (CR133808)
If you configure multiple alert instances and these alerts are triggered, the system may not log these alerts properly in the alert log. Although the message associated with these alerts occur when the alert is triggered, the system may log only one alert name in the history log.
Administrator permissions errors (CR133835)
When you configure a user on the Enterprise Manager system with an administrator user role, this user may not be able to perform certain tasks that the Administrator user can perform.
Delete button error on Archive Properties screen (CR133954)
If you disable role permissions by changing the Archive Device Configuration setting for Operator or Application Editor user roles, then a user with one of these roles attempts to delete a configuration archive from the Archive Properties screen, this causes an error. The Delete button on this screen should not be available after disabling permissions.
Statistics database corruption and repair (CR133956)
In rare cases, the statistics database could become corrupted after a power failure and you can use an included script from the command line to repair it. However, if you use the em-repair-extern command from the command line, you may encounter a disk full error. To avoid this error, you must perform some manual adjustments to the script. See SOL10736 on the AskF5 Knowledge Base for instructions.
Statistics collection errors (CR133964)
While collecting statistical data with Enterprise Manager, if you disable collection of certain metrics individually so that the system collects no statistical data, the system may still continue to collect data for the last metric you disable. To avoid this scenario, if you plan to disable statistics collection entirely, set the Collect Statistics Data setting to Disabled on the Statistics: Options screen.
Platform issues with EM4000 (CR134203, CR135616)
You may encounter minor issues when using the EM4000 platform. These issues do not affect the performance of the system or the Enterprise Manager software, and include the following: Interactive startup option does not work, so avoid pressing the I key to start interactive startup when prompted during initial boot; End User Diagnostics does not log any results in any file on the active partition until you define a boot partition; Ltm log file displays "The requested BIGdb variable (platform.diskmonitor.growthalert.shared) was not found"; because the system does not run the BIG-IP Local Traffic Manager software, you can ignore this message; when you use the b platform command, the device incorrectly displays the platform as Enterprise Manager 3900.
Enterprise Manager 3000 platform does not support LACP (CR137579)
Because the Enterprise Manager 3000 platform is not switch-based like the 500 or 4000 platforms, it does not support Link Aggregation Control Protocol (LACP).
SFTP Proxy not supported (ID 336886)
Enterprise Manager does not support SFTP through a proxy server for a Support Data Collection Task. Although the Enterprise Manager Administrator Guide indicates that this is possible, it is incorrect.
Please see the Enterprise Manager version 1.8 release notes to view workarounds described for known issues docu mented in version 1.x releases.
For additional information, please visit https://www.f5.com