Skip to main content
Hitachi Vantara Knowledge

Hitachi Content Intelligence v2.2 Release Notes

About this document

This document provides information about Hitachi Content Intelligence (HCI) software release v2.2.0.8, including new features, important enhancements, product requirements, as well as fixed and known issues.

Intended audience

This document is intended for system administrators, Hitachi Vantara representatives, and authorized service providers who configure and operate the HCI software.

About this release

This release of Hitachi Content Intelligence (HCI) includes new features, such as Solr aliases and HCP for Cloud Scale Bucket Indexing, as well as password policy enhancements and multiple bug, security, and CVE fixes.

Major features

General updates

Password policy enhancements

To set additional safeguards to your local account(s) (both admin and secondary admin users), new password settings can be implemented to enhance their security.

Found under the Configuration > Security > Password Settings tab in the Admin App, administrators can now apply any or all of the following policies:
  • Password Expiration (Days): The number of days until a password needs to be reset.
  • Minimum Password Age (Days): The number of days until a password can be changed again. Set this value to 0 to ignore it.
  • Password History: The number of unique new passwords that must be associated with an account before an old password can be resused. Set this value to 0 to ignore it.
  • Allowed Login Attempts: The number of failed login attempts before a user is locked out of the system. Set this value to 0 to ignore it.
  • Lockout Duration Mode: The amount of time (in minutes) that a user is locked out of the system after reaching the maximum Allowed Login Attempts.
Solr aliases

For users with multiple Solr index collections, Solr aliases can help provide federated, sorted search results to make all of the accompanying documents more manageable to search through. The aliases you create will appear as a selectable index value in the Search App.

The results can then be queried, refined, and sorted based upon the settings you implement for the alias in Workflow Designer, and bulk actions can also be applied.

The new Solr aliases features appears as a new panel within the Workflow Designer App.

ImportantWhile Solr aliases share many things in common with Solr indexes, there are a few important distinctions to make about their functionality and use:
  • Aliases cannot be used to execute actions in a pipeline or as workflow outputs.
  • Aliases cannot be backed up or restored.
  • Aliases will only function with internal Solr 8 indexes.
Removal of the Dashboard service

Due to an OpenSSL security issue regarding CVE-2022-1292, the Dashboard service has been officially removed from HCI.

This service was previously undeployed by default. If you currently have it deployed on your system, it needs to be scaled down prior to an upgrade to version 2.2, at which point it will then be removed from the product.

For more information about this CVE and the others fixed in this release, see Resolved CVEs.

HCP for Cloud Scale Bucket Indexing (Preview Mode)

HCP for Cloud Scale Bucket Indexing allows HCP for cloud scale (HCP-CS) users to index and search the objects contained within the buckets of their S3 Console software through HCI. The auto-generated workflow creates two data connectors and an associated pipeline to seamlessly process objects between your HCI and HCP-CS systems.

HCP for Cloud Scale Bucket Indexing is a premium feature that is disabled by default. To enable it, contact your Hitachi Vantara representative.

ImportantThis feature is being released in Preview Mode. Preview Mode features are liable to change or be removed from future releases without notice.

Resolved issues

Issue

Area affected

Description

Outcome
HCI-6762UpdateA job stuck in the DELETE_READY state causes updates to fail at the Cancel all jobs step.Jobs in the DELETE_READY state no longer impact update completion.
HCI-6778Workflow DesignerHistorical metrics are not being being deleted correctly in accordance with the value set in their Days to keep logs config property. Historical metrics are now deleted correctly.
HCI-6877SolrSolr shards are left in the recovery_failed state after a terminated shard split operation occurs.Solr shards left from an terminated shard split operation are now correctly deleted.
HCI-6880SolrSolr shard splitting may leave multiple replicas of the same shard on the same node.Duplicate Solr shard replicas are now balanced and moved to separate nodes.
HCI-6957UIHTTP Strict Transport Security (HSTS) is not currently implemented for the HCI/HCM UI. HSTS instructs the browser to only use HTTPS. As of release v2.2, the HCI/HCM user interface now enforces HSTS.
HCI-7016SolrWhen changing a field type in the schema, a message prompt appears letting the user know that the change will only affect documents which are indexed moving forward. This is incorrect, as changes to the docValues field result with no additional documents being indexed at all.A message now appears which correctly explains the potential impact of their changes.
HCI-7103ConnectorsThe MQE connector incorrectly references an object's filename in the HCI_path and HCI_relativePath fields if it includes a plus sign.The HCI_path and HCI_relativePath fields now list the correct values.
HCI-7149Content MonitorHCM generates 404 errors on HCP MAPI, which causes them to incorrectly appear in visualizations.The 404 error messages no longer appear in visualizations.
HCI-7229Admin AppIf a Solr index is in an unhealthy state, where no replicas of any particular shard are showing as a leader, a change (specifically a reduction) to the IPL could potentially cause loss of data.An error message now appears alerting users of their unhealthy state and an IPL change is prevented.
HCI-7309Workflow DesignerThe Text and Metadata Extraction stage fails to process certain EML files based on their encoding.EML files are now detected and processed correctly.
HCI-7725UpdateUpdates from HCI 1.10.0 or earlier do not remove the Hadoop Distributed File System (HDFS) plugin.The HDFS plugin is now correctly removed upon updating from 1.10.0 or earlier.
HCI-7881SecurityAs a result of vulnerabilities stemming from CVE-2022-22965, depencies of Spring Framework v4.3.6 need to be removed from the Analytics service.The Analytics service no longer references Spring Framework v4.3.6.
HCI-7975SecurityHCI uses SSL v1.0.2k and v1.1.1 and as a result, is vulnerable to exploits found in CVE-2022-1292 and CVE-2022-0778.SSL has been updated to v1.1.1o and the associated vulnerabilities no longer exist.
HCI-8020SecurityApache Log4j 1 no longer provides security updates due to its end-of-life status. To better secure HCI, Log4j 1 needs to be updated to Log4j 2 in both the Apache Kafka and Spark services.Log4j 1 has been updated to Log4j v2.17.2 in both the Spark and Kafka services.
HCI-8094SecurityThe HCI code still references vulnerable Solr 8 versions, even though their underyling functionality was removed from the product.Solr 8 has been updated to Log4j v2.17.2 and references to previously vulnerable versions of Solr no longer appear.
HCI-8105SecurityThe HCI code still references vulnerable Solr 6 versions, even though their underyling functionality was removed from the product.Solr 6 has been updated to Log4j v2.17.2 and references to the vulnerable versions no longer appear.
HCI-8107SecurityIn order to maintain consistency around our security, the Apache Elastic and Logstash services should be updated alongside Spark and Kafka (HCI-8020).The Elastic and Logstash services have been updated to Log4j v2.17.2.
HCI-8109SecurityThe Solr 8 JAR files need to be updated to maintain consistency with HCI-8904.Solr 8 has been updated to Log4j v2.17.2 and references to previously vulnerable versions of Solr no longer appear.
HCI-8240ImportImporting a package that contains data connectors as dependencies fails.Packages containing data connectors as dependencies are now imported correctly.

Known issues

Issue

Area affected

Description

Outcome/Workaround
HCI-286Workflow Designer AppUsing Retry Failed Documents manually in a workflow that has failures doesn't add to the output metrics after it has successfully indexed those files.The results of the Retry Failed Documents setting do not affect output metrics and the files are still indexed successfully.
HCI-353Job DriverWhen attempting to migrate data to a namespace that has already hit its hard quota, 413 errors are received without any failure notifications in the workflow. The failures are instead reported in the advanced historic metrics.N/A
HCI-1047Content Monitor AppReplication links with forward slashes (/) do not appear in the Replication metrics.Replace the forward slashes in the Replication link name with any other ASCII character (space, %, etc.).
HCI-1737Workflow DesignerEnabling Process all documents ignores the HCP and Sharepoint connector's directories when a workflow is resumed.N/A
HCI-1918MetricsMetrics service cannot be scaled to twice the current number of instances.
  • Scale the instances back down to the original instances.
  • Wait for the scale action to complete.
  • Scale the instances back up to the desired number of instances.
HCI-6103Workflow Designer App

On a multi-node cluster, if one of the nodes goes down, the workflow halts with a task error. The task error states that the driver heap limit is too low for the workflow, but raising this value in the workflow settings does not restart the workflow.

The workflow-agent job type is configured to run on all nodes in a cluster by default. Scaling the workflow-agent off of the bad node will allow workflows to resume.

HCI-6109Admin AppHCI enters a bad state after rebooting 2 of the 3 master nodes available on a 4-node cluster.Reboot all HCI master nodes at the same time and the clusters will return normally.
HCI-6128MetricsMetrics from historical logs are ignored after an update and present an OOM message.

If you notice your imported logs missing after update, reimport them and the metrics will display correctly.

HCI-6304Workflow Designer AppTesting a data connection accessible by proxy shows a blank certificate and cancelling it makes the system seem unresponsive.

If your data connection can only be accessed by proxy and requires a certificate, download the certificate from the other system and manually add it to the Admin App

To do this, navigate to Configuration > Certificates > Client and click UPLOAD CLIENT CERTIFICATE.

HCI-6540SolrDuring an update, Solr shards appear in the Gone state if Marathon references the old port number and node name pairing when starting the Solr service.

Delete the Gone shards:

  1. Navigate to the Solr UI.
  2. Click Collections.
  3. For each affected index:
    1. Click the index name.
    2. Click the affected shards.
    3. Click X.
    4. Confirm the deletion.
HCI-6857Search AppSearch App exclusive users with bulk action permissions are able to see Workflow Designer as an option in their SSO menu. Clicking it presents a message telling the user the page cannot be displayed. N/A
HCI-7020Admin AppWhen updating from HCI 1.6.x to 1.10.1, the doc folder is owned by root on several nodes in the cluster, causing an update failure.Changing the user from root to hci and retrying the failure resolves the issue.
HCI-7341 SolrWhen attempting to recreate a delete Solr collection with a different initial schema, the old schema is still present in the UI. This is an internal HCI ticket to track the progress of SOLR-15674, which was filed directly with Apache.N/A
HCI-7366Search AppThe autocomplete functionality of the search bar in Search App does not work for file names in Chinese after reindexing text field changes.N/A
HCI-7368SolrIf an index is created without using a SolrCloud connection URL, attempts to create bulk actions using the index will fail.N/A
HCI-7369SolrWhen attempting to remove a copy field from an index, the delete fails with a "Collection not found" error and the index is unable to be written to.N/A
HCI-7370SolrSolr can only use comparatives with small numbers and returns 0 results (in error) when using larger ones.N/A
HCI-8242ImportImporting a Solr alias bundle containing an index associated with HCP for Cloud Scale Bucket Indexing results in an error.
  1. Import the HCP for Cloud Scale Bucket Indexing bundle.
  2. Reload the imported bundle.
  3. Import the Solr alias bundle.
HCI-8243ImportAfter importing specific components from a bundle, an error message is received when attempting to add additional components.Import the bundle in its entirety. If the error persists, contact your Hitachi Vantara representative.

Resolved CVEs

This table lists the high and critical Common Vulnerabilities and Exposures (CVEs) that no longer affect HCI as of v2.2. For more information, refer to https://nvd.nist.gov.

Issue

Area affected

Description

CVE-2022-1292OpenSSL

OpenSSL vulnerability

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.

For more information on this CVE, see https://nvd.nist.gov/vuln/detail/CVE-2022-1292.

Resolution

HCI has upgraded their OpenSSL version to 1.1.1o, which addresses this issue. Additionally, the Dashboard service was removed from the product.

CVE-2022-0778OpenSSL

OpenSSL vulnerability

The BN_mod_sqrt() function, which is used when parsing certificates, can be used to trigger an infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. In particular, the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.

For more information on this CVE, see https://nvd.nist.gov/vuln/detail/CVE-2022-0778.

Resolution

HCI has upgraded their OpenSSL version to v1.1.1o, which addresses this issue.

CVE-2019-17571Log4j

Log4j vulnerability

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

For more information on this CVE, see https://nvd.nist.gov/vuln/detail/CVE-2019-17571.

Resolution

HCI has upgraded their Solr 6 and Solr 8 Log4j versions to 2.17.2, which addresses this issue.

CVE-2020-9493Log4j

Log4j vulnerability

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw version 2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.

For more information on this CVE, see https://nvd.nist.gov/vuln/detail/CVE-2020-9493.

Resolution

HCI has upgraded their Solr 6 and Solr 8 Log4j versions to 2.17.2, which addresses this issue.

CVE-2022-22965Java

Java Development Kit (JDK) vulnerability

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.

For more information on this CVE, see https://nvd.nist.gov/vuln/detail/cve-2022-22965.

Resolution

HCI has removed Spring Framework version 4.3.6 from its Analytics service.

CVE-2002-23302Log4j

Log4j vulnerability

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration, or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104.

For more information on this CVE, see https://nvd.nist.gov/vuln/detail/CVE-2022-23302.

Resolution

HCI has upgraded their Solr 6 and Solr 8 Log4j versions to 2.17.2, which addresses this issue.

CVE-2002-23305Log4j

Log4j vulnerability

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.

For more information on this CVE, see https://nvd.nist.gov/vuln/detail/CVE-2022-23305.

Resolution

HCI has upgraded their Solr 6 and Solr 8 Log4j versions to 2.17.2, which addresses this issue.

CVE-2002-23307Log4j

Log4j vulnerability

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw v2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.

For more information on this CVE, see https://nvd.nist.gov/vuln/detail/CVE-2022-23307.

Resolution

HCI has upgraded their Solr 6 and Solr 8 Log4j versions to 2.17.2, which addresses this issue.

System requirements

This section lists the hardware, networking, and operating system requirements for running an HCI system with one or more instances.

Hardware requirements

This table shows the minimum and recommended hardware requirements for each instance in an HCI running Hitachi Content Search.

Resource

Minimum

Recommended

RAM

16 GB

32 GB

CPU

4-core

8-core

Available disk space

50 GB

500 GB

Software requirements

The following table shows the minimum requirements and best-practice software configurations for each instance in an HCI system.

ResourceMinimumBest
IP addresses(1) static(2) static
Firewall Port AccessPort 443 for SSL traffic

Port 8000 for System Management App GUI

Port 8888 for Content Search App GUI

Same
Network TimeIP address of time service (NTP)Same

Operating system and Docker minimum requirements

Each server or virtual machine you provide must have the following:

  • A 64-bit Linux distribution
  • Docker version 1.13.1 or later installed
  • IP and DNS addresses configured

Additionally, you should install all relevant patches on the operating system and perform appropriate security hardening tasks.

Important
  • Install the current Docker version suggested by your operating system, unless that version is earlier than 1.13.1. The system cannot run with Docker versions prior to 1.13.1.
  • HCI will not function on an operating system that uses cgroups v2. If your system currently utilizes it, you must downgrade to cgroups v1 prior to installation.

Operating system and Docker qualified versions

This table shows the operating systems, as well as the Docker and SELinux configurations, on which this HCI release was qualified. It acts a point of reference for our customers to better share how we operate within our internal environment and does not represent any requirements that need to be followed within your own.

Operating systemDocker versionDocker storage configurationSELinux setting
CentOS 7.6Docker 18.03.1-cedevice-mapperEnforcing
CentOS 8.1Docker 19.03.13overlay2Enforcing
Red Hat Enterprise Linux 8.1Docker 20.10.14overlay2Enforcing
Ubuntu 18.04.4 LTSDocker 18.03.1-ceoverlay2Not Installed

Docker considerations

The Docker installation folder on each instance must have at least 20 GB available for storing the HCI Docker images.

Make sure that the Docker storage driver is configured correctly on each instance before installing HCI. To view the current Docker storage driver on an instance, run docker info.

NoteAfter installing, changing the Docker storage driver requires a reinstallation of HCI.

If you are using the Docker devicemapper storage driver:

  • Make sure that there's at least 40 GB of Docker metadata storage space available on each instance. HCI needs 20 GB to install successfully and an additional 20 GB to successfully update to a later version. To view Docker metadata storage usage on an instance, run docker info.
  • On a production system, do not run devicemapper in loop-lvm mode. This can cause slow performance or, on certain Linux distributions, HCI might not have enough space to run.

SELinux considerations

You should decide whether you want to run SELinux on system instances and enable or disable it before installing HCI. To enable or disable SELinux on an instance, you must restart the instance. To view whether SELinux is enabled on an instance, run: sestatus

To enable SELinux on the system instances, use a Docker storage driver that supports it. The storage drivers that SELinux supports differ depending on the Linux distribution you're using. For more information, see the Docker documentation.

Time source requirements

If you are installing a multi-instance system, each instance should run NTP (network time protocol) and use the same external time source. For information, see support.ntp.org.

Supported browsers

The following browsers are qualified for use with HCI software. Other browsers or versions might also work.

  • Google Chrome (latest version as of the date of this publication)
  • Microsoft Edge (latest version as of the date of this publication)
  • Mozilla Firefox (latest version as of the date of this publication)

Documentation set

Along with your release notes, the following guides and documentation comprise the full set of HCI reference documentation:

  • Hitachi Content Intelligence Installing Hitachi Content Intelligence
  • Hitachi Content Intelligence Deploying the HCI Example OVF
  • Hitachi Content Intelligence (HCI) Getting Started Guide
  • Hitachi Content Intelligence Workflow Designer Help
  • Hitachi Content Intelligence Search Help
  • Hitachi Content Intelligence Content Monitor Help
  • Hitachi Content Intelligence Administrator Help

To learn more, visit the HCI Knowledge page.

 

  • Was this article helpful?