HP Tru64 UNIX Version 5.1A and higher
Copyright © 2006 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
UNIX is a registered trademark of The Open Group.
April 2006
Revised January 2007
These release notes describe potential, known, or unresolved problems, and suggest corrective action (when available).
This section contains release notes pertaining to installation of Internet Express.
Selective updating of a previous installation of Internet Express is supported; that is, you may choose to update some subsets but not others. The Administration Utility (IAEADM subset) can be updated, and the administration pages of older components will still work (although help links may not). However, if you update any component with administration pages, you must also update the IAEADM subset, or it will not be able to use the newer administration pages.
If you have Enhanced (C2) Security enabled, you must log in as root before running the installation. Using the su root command is not sufficient. If you run the installation script (ix_install), it will check for this, but if you install subsets directly with the setld command, some subset installations will fail with C2 enabled unless you log in as root.
The ix_install script, as well as the IAEADM (Administration utility), IAEAPCH (Secure Web Server 1.3), IAEHTTPD (Secure Web Server 2.0), and IAESQD (Squid Proxy Server) subsets will check for the presence of user accounts named iass and httpd and, if they do not exist, they will be created with home directories in /usr/users/. If /usr/users is NFS mounted and not writeable by root, this will fail and cause the installation to fail.
To avoid this problem, make sure that /usr/users is writeable by root before beginning the installation. If this is not practical, you could create the user accounts named iass and httpd before starting the installation; there should then be no need to write into /usr/users.
On a TruCluster Server running Tru64 UNIX Version 5.1B, during the installation of any subset that configures its service for failover, you may see error messages similar to this:
Configuring "Samba 2.2.5 File and Print Server for Windows" (IAESMB593) on member2
REBALANCE entry(ies) will be removed from clustercron
Error when calling system(/var/cluster/caa/bin/caa_schedule UNREGISTER samba)
The service should still be correctly configured and these messages can be safely ignored.
If you choose to install the Internet Express Secure Web Server (IAEAPCH subset) by installing the latest version, and if you had installed any of the following dependent subsets from a previous version of Internet Express, you must also update those dependent subsets. The dependent subsets are:
| IAEADM - Internet Express Administration Utility |
| IAEAPAD - Secure Web Server Administration Utility |
| IAEMON - Internet Monitor |
| IAEIMP - IMP WebMail Email Utility |
| IAESOAP - Apache SOAP Server |
The internal data storage format changed starting with the version of PostgreSQL that was included with Internet Express Version 6.1. This change requires existing databases to be backed up before removing an existing installation and restored after the new installation is completed.
The installation procedure will detect if you have an IAEPSQL subset from Internet Express Version 6.0 or earlier installed and will back up and restore your data automatically while upgrading PostgreSQL. The migration of data provided by PostgreSQL does not handle partial indices or large objects. This data will need to be migrated manually.
After the upgrade from Internet Express Version 6.0 or earlier is complete, you must verify that your databases have been migrated successfully. A copy of the previous pgsql/data directory is located at /usr/internet/pgsql/data.preIAE5xx and the output of the database dump, performed during the update, is saved at /usr/internet/pgsql/dumpout.IAExxx.restored. Once you have verified your new databases, these files may be removed.
If you delete your previous installation separately (not recommended), you need to manually back up and restore your data.
For more information, see the PostgreSQL documentation at the following Web site:
The Dante SOCKS server will not start until you specify the internal and external addresses to use in the /etc/sockd.conf file. Look for and uncomment the lines like these:
#internal: 10.1.1.1 port = 1080
#external: 192.168.1.1
Change the addresses to the actual IP addresses of your system's network interfaces. To be able to use the SOCKS server, you will also need to specify valid information for the “method,” “client pass,” and “pass” fields in /etc/sockd.conf. See the sockd(8) reference page.
If you have configured an IPv6 subnet using only link-local addresses for host names, TCP Wrapper will not deny client access from IPv6 host names specified in the /etc/hosts.allow file unless the host name includes the interface extension for the local link. For example, to deny all telnet connections to telnetd from IPv6 host myhost.mydomain.com configured on interface tu0, you must enter the following in /etc/hosts.allow:
telnetd:myhost.mydomain.com%tu0:DENY
The Vacation Mail feature available to users via the User Self-Administration interface does not work for Cyrus IMAP users. This is because Cyrus IMAP does not currently support the use of Procmail as a delivery agent. Users attempting to enable this feature will find their settings ignored, and that no auto-reply messages will be sent. It is therefore suggested that the Vacation Mail group under the User Self-Administration interface be disabled if your users consist primarily of Cyrus IMAP users. See the Administration Guide for instructions on disabling this feature.
Due to a threading issue in HP Tru64 UNIX Version 5.1A, Sendmail can drive CPU utilization to nearly 100 percent on some of the cluster nodes. To fix this problem, apply the appropriate patch found at the following URL:
http://www1.itrc.hp.com/service/index.html
The README included in the iASP 2.0 kit implies that this is a developer's edition that might be usable without a license. This is not the case. In order to use iASP 2.0 you must first get a license key from http://www.stryon.com/chooseproduct.asp. A 30-day evaluation license is free.
The SLP software kit described is included with Internet Express and contains the library, daemon, and examples that enable a system administrator to evaluate and implement the use of SLP on a Tru64 UNIX Version 5.1A or later operating system.
Asynchronous operation is not supported in this release.
The language-specific handle is ignored. If you register a service with a language-specific handle, when requesting services with a specified language handle you will receive all language handles.
The PostgreSQL shutdown routine /sbin/init.d/postgres stop may time out and fail to shut down the PostgreSQL server when the Internet Monitor is running. If the stop procedure outputs the message pg_ctl: postmaster does not shut down and there are still PostgreSQL connections to the dcs or dcsconfig database, then you must stop the Internet Monitor to allow the PostgreSQL server to finish shutting down.
To determine if there are connections to the dcs or dcsconfig databases, run the following command:
Look for commands similar to postgres: dcs dcs or postgres: dcs dcsconfig.
See the Internet Monitor Administrator's Guide for more information on how to shut down this service.
PHP session information is stored by default in the /tmp directory which, on a Tru64 UNIX cluster, is a CDSL path. Also, since the Secure Web Server is a multinode application, PHP sessions may appear to be dropped or session information may not be retrieved consistently between requests. Both IMP Webmail (IAEIMP subset), and User Self-Administration (IAEADM subset), use PHP session support. To eliminate this problem, set the session.save_path variable in the /usr/internet/httpd/conf/php.ini configuration file to a non-CDSL directory (one that is shared by all nodes of the cluster). After editing this file, you must restart the Secure Web Server by running /sbin/init.d/httpd_public cluster-restart.
If an existing Tomcat installation is updated, and Tomcat is configured to be a standalone server, it is likely that the Tomcat server will not have a default root context configured. If a default root context is not present, Web browser requests will return an HTTP status 500 - No Context configured to process this request. To correct this problem, modify the server.xml configuration file to add a default root context.
The Tomcat Java Servlet Engine configured as a standalone server and the Squid Proxy both have a default port of 8080 during installation. If both packages are to be installed, take care that the two servers are not configured to use the same port.
The version of Tomcat shipped with this release contains Web-based applications for administering the Tomcat deployment and for managing the lifecycle of Web applications running within the Tomcat container. Links to these management applications can be found on the Tomcat management page within the Secure Web Server Administration utility. Links to the applications can also be found on the Tomcat start page that is installed by default at /tomcat beneath any public Web server root with which Tomcat has been associated. By default, access to these management applications is limited to browsers running on the local host and requires that users successfully authenticate themselves before access will be granted.
The local host restriction is established by access control valves in the files admin.xml and manager.xml, located in the /usr/internet/httpd/tomcat/webapps/tomcat/admin and /usr/internet/httpd/tomcat/webapps/tomcat/manager directories, respectively. To modify this restriction, edit these files and change the list of allowed hosts, or delete the Valve element entirely to remove host-based restrictions. Tomcat will need to be restarted for any changes to take effect. Note also that the default restriction requires that a browser on the local host must access the management applications using URLs that begin with http://localhost/. Attempts to access the applications with URLs that begin with http://<actual_hostname_of_local_host>/ will be rejected.
User authentication is provided by a custom realm that allows a user who successfully authenticates as the Secure Web Server administration user to be mapped to the Tomcat user roles admin and manager, which are the roles required to access the administration and Web application management utilities. If this initial authentication attempt fails, the realm then attempts to authenticate the user via Tomcat's default user authentication database, which is defined by the file /usr/internet/httpd/tomcat/conf/tomcat-users.xml. To change the behavior of this custom realm, modify the file /usr/internet/httpd/tomcat/conf/server.xml as necessary and then restart Tomcat.
When the Web-based Tomcat administration application is used to modify the Tomcat deployment, the /usr/internet/httpd/tomcat/conf/server.xml file is updated. In the process, any comments that were in the previous version of the file are stripped out. The ordering of elements within the file may also change, and some default elements that were not explicitly specified in the previous version of the file may be present in the newer version.
Saving changes made through the administration application will also cause Context elements for each deployed application to be written out to the main server.xml file. If the applications had been originally deployed as the result of the presence of application-specific xml files in the /usr/internet/httpd/tomcat/webapps directory, those files will thereafter be ignored and Tomcat will use the Context elements in the main server.xml file as the sole sources for application deployment information.
When using Axis with Java 1.4.x, client code may output the following exception:
NoClassDefFoundError: javax/servlet/ServletContext
Use Java 1.3.x or include an implementation of the Java Servlet API (servlet.jar) in your classpath. A servlet.jar file is installed with the Tomcat subset (IAETOMCAT) in the /usr/internet/httpd/tomcat/common/lib directory.
By default, the Axis server is configured to allow administration requests (that is, requests to deploy or undeploy services) only from the localhost. This causes Unauthorized error messages when the Axis administration request originates on a node other than the one on which the Tomcat instance is running.
To avoid this problem, make sure to run the AdminClient from the same node on which Tomcat is running. Alternatively, you may enable remote administration which will allow requests from all hosts. To enable remote administration, edit the file /usr/internet/xml/axis/webapp/WEB-INF/server-config.wsdd and change the parameter value for "enableRemoteAdmin" to "true" for the service "AdminService". Restart the Tomcat instance for the changes to take effect.
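The two localhost-only defaults described above (the Valve element in admin.xml and manager.xml, and enableRemoteAdmin for the Axis AdminService) can be checked from the shell. The following is an added example, not part of the HP kit or these release notes; it assumes awk is available, and the sample files it writes, including the RemoteAddrValve class name, are constructed for illustration.

```shell
# xml_flat FILE: print FILE as one line with XML comments removed, so a
# commented-out element is not mistaken for active configuration.
xml_flat() {
    awk '
        { doc = doc " " $0 }
        END {
            while ((s = index(doc, "<!--")) > 0) {
                rest = substr(doc, s + 4); e = index(rest, "-->")
                doc = substr(doc, 1, s - 1) (e ? substr(rest, e + 3) : "")
            }
            print doc
        }' "$1"
}

# valve_allow FILE: print the allow= list of the first active Valve element
# in admin.xml or manager.xml, or "none" when no allow list is in force.
valve_allow() {
    xml_flat "$1" | awk '{
        if (match($0, /<Valve[^>]*>/)) {
            el = substr($0, RSTART, RLENGTH)
            if (match(el, /allow="[^"]*"/)) {
                print substr(el, RSTART + 7, RLENGTH - 8); exit
            }
        }
        print "none"
    }'
}

# axis_remote_admin FILE: print the enableRemoteAdmin value set inside the
# AdminService element of server-config.wsdd, or "unset" when it is absent.
axis_remote_admin() {
    xml_flat "$1" | awk '{
        if (match($0, /<service[^>]*name="AdminService"[^>]*>/)) {
            body = substr($0, RSTART + RLENGTH)
            stop = index(body, "</service>")
            if (stop > 0) body = substr(body, 1, stop - 1)
            if (match(body, /<parameter[^>]*name="enableRemoteAdmin"[^>]*>/)) {
                el = substr(body, RSTART, RLENGTH)
                if (match(el, /value="[^"]*"/)) {
                    print substr(el, RSTART + 7, RLENGTH - 8); exit
                }
            }
        }
        print "unset"
    }'
}

# make_sample DIR: write constructed sample files (not copied from the kit).
make_sample() {
    v='<Valve className="org.apache.catalina.valves.RemoteAddrValve"'
    printf '%s\n' '<Context>' "  $v" '    allow="127.0.0.1"/>' '</Context>' > "$1/admin.xml"
    printf '%s\n' '<Context>' "  <!-- $v" '    allow="127.0.0.1"/> -->' '</Context>' > "$1/manager.xml"
    printf '%s\n' '<deployment>' \
        ' <service name="Other"><parameter name="enableRemoteAdmin" value="false"/></service>' \
        ' <service name="AdminService" provider="java:MSG">' \
        '  <parameter name="enableRemoteAdmin" value="true"/>' \
        ' </service>' '</deployment>' > "$1/server-config.wsdd"
}

d=${TMPDIR:-/tmp}/ix_check.$$; mkdir -p "$d"; make_sample "$d"
for f in admin.xml manager.xml; do echo "$f allow: $(valve_allow "$d/$f")"; done
echo "AdminService enableRemoteAdmin: $(axis_remote_admin "$d/server-config.wsdd")"
rm -rf "$d"
```

On an installed system, point valve_allow and axis_remote_admin at the files named in the notes above; a result of none for a Valve, or true for enableRemoteAdmin, means the localhost restriction is no longer in force.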
To enable IPv6 connectivity with other mail servers and clients, configure sendmail using the Internet Express Administrative utility. After finishing, edit the sendmail.cf file and change the value of the DaemonPortOptions line. The default value is inet. Change it to inet6. Then stop and restart sendmail.
Two connectors are provided to allow the HP Apache Web Server (powered by Apache 2.0) and the Secure Web Server (powered by Apache 1.3) to forward requests to the Tomcat servlet engine.
| Apache Module | Protocol | Tomcat Connector | Note |
|---|---|---|---|
| mod_jk | AJP 1.3 | JK Connector org.apache.ajp.tomcat4.Ajp13Connector | Deprecated |
| mod_jk2 | AJP 1.3 | Coyote/JK2 AJP 1.3 Connector | Default |
The default configuration files for Tomcat and the Web servers use the AJP 1.3 protocol with the Tomcat Coyote Connector and the Apache mod_jk2 module.
The Tomcat configuration file /usr/internet/httpd/tomcat/conf/server.xml enables the AJP 1.3 Coyote Connector with the following clause:
<Connector debug="0" enableLookups="false" port="8009" protocol="AJP/1.3" redirectPort="8443"/>
Configuration information for the Tomcat AJP 1.3 Coyote connector is contained in the file /usr/internet/httpd/tomcat/conf/jk2.properties. The Web server loads the mod_jk2 module with the appropriate clause in one of the following configuration files:
| Web Server | Configuration File | Clause |
|---|---|---|
| Secure Web Server (powered by Apache 1.3) | /usr/internet/httpd/conf/httpd.conf | <IfDefine JK2>LoadModule jk2_module libexec/mod_jk2.so </IfDefine> |
| HP Apache Web Server (powered by Apache 2.0) | /usr/opt/hpapache2/conf/httpd.conf | <IfDefine JK2>LoadModule jk2_module modules/mod_jk2.so</IfDefine> |
Configuration information for the Web server mod_jk2 module is contained in the file workers2.properties. The location of this file is one of the following:
| Web Server | JK2 Configuration File |
|---|---|
| Secure Web Server (powered by Apache 1.3) | /usr/internet/httpd/conf/workers2.properties |
| HP Apache Web Server (powered by Apache 2.0) | /usr/opt/hpapache2/conf/workers2.properties |
Refer to the Tomcat documentation for additional information on configuring the connectors. The documentation is available at:
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/
On a system with Tomcat installed the documentation is available at http://localhost/tomcat/.tomcat-docs/.
The new release of Mailman provided in Internet Express Version 6.4 does not support TruClusters, and should not be installed in a TruCluster environment. Mailman is restricted to running on a single member of a cluster.
Batik may abort with segmentation violations when using Java 1.4.1. To avoid potential issues, use Java versions 1.3.1 or 1.4.2.
As of Internet Express Version 6.4, Darwin has been removed from the kit. It is available for download from the following Web site:
As of Internet Express Version 6.4, the Remote Intrusion Detector (RID) (subset IAEDOST) and the Interlink Networks Basic AAA RADIUS Server (subset IAEBRAD) have been removed from the kit.
As of Internet Express Version 6.4, the Microsoft FrontPage Server Extensions (subset IAEFP) have been removed from the kit.
Because of the extensive changes in the updated versions of Horde/IMP, the Internet Express Administration pages that were used previously for IMP Webmail Administration are no longer compatible with Horde/IMP. Therefore, at this time, the only feature available on the IMP Webmail Administration page is to Enable/Disable IMP Webmail. Any changes to Horde/IMP settings or configuration will have to be made by editing their configuration files directly. Configuration information is available on the Horde Web site in the Horde Administrator's FAQ at:
Tomcat Version 5.5.x (the Tomcat version in the Internet Express Version 6.5 release) is designed to run on J2SE 1.4. Therefore, you must make java14x the default Java environment for Tomcat to work. If constraints prevent a user from having java14x as the default Java environment, that user can edit /usr/internet/httpd/tomcat/bin/setenv.sh to change JAVA_HOME and JAVA_CMD to point to the java14x environment. After making this change, a restart of Tomcat is required.
It is possible that a remote attacker could use snoop.jsp to view internal IP addresses and other sensitive information about the server. Therefore, in Internet Express Version 6.5, HP has removed snoop.jsp from jsp-examples, retaining the source code, in simple HTML format, for reference. For clients who are not willing to upgrade Tomcat, HP recommends removing snoop.jsp from the /usr/internet/httpd/tomcat/webapps/tomcat/jsp-examples/snp/ directory.
When configured with SOAP/Axis and Cocoon, Tomcat may not create desired logs. Logs can be initialized by following these steps:
Create a file called log4j.properties with the following content and save it into common/classes.
log4j.rootLogger=debug, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=${catalina.home}/logs/catalina.log
log4j.appender.R.MaxFileSize=10MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
log4j.logger.org.apache.catalina=DEBUG, R
By default, this option is not enabled because it can produce a large debug log file, which can impact performance. This level should be used sparingly when you need to debug internal Tomcat operations.
The SmartFilter Web filtering software from Secure Computing will be removed from the next version of Internet Express. SmartFilter is currently included in the IAESQD subset.
When using the new Sendmail administration that contains the open source administration methods, updating the Sendmail configuration file (sendmail.cf) is not sufficient to stop mail forwarding. The Domain Name Service mail-based records (MX) must also be disabled to enforce Standalone mode.
For PHP versions prior to Version 5.1.3-RC1, there is a security issue currently under review. If the magic_quotes_gpc flag is set to "Off" in the php.ini file, the function html_entity_decode() does not parse properly, possibly causing a memory leak to occur. The workaround is to set the magic_quotes_gpc flag to "On", which is the default in the php.ini file for Internet Express.
In Internet Express Version 6.5, the IMP Webmail may not start because of incompatible configuration files. To fix this problem, replace the existing IMP Webmail configuration files located at /usr/internet/horde with the updated configuration files located at the following Web site:
http://h30097.www3.hp.com/internet/download.htm
Follow these steps:
Back up the existing configuration files using the following commands:
$ mv /usr/internet/horde/config/conf.php /usr/internet/horde/config/conf.php.orig
$ mv /usr/internet/horde/imp/config/conf.php /usr/internet/horde/imp/config/conf.php.orig
$ mv /usr/internet/horde/turba/config/conf.php /usr/internet/horde/turba/config/conf.php.orig
Copy the updated configuration files (downloaded from the Tru64 UNIX Web site) onto the existing configuration files using the following commands:
$ cp Horde-conf.php.dist /usr/internet/horde/config/conf.php
$ cp IMP-conf.php.dist /usr/internet/horde/imp/config/conf.php
$ cp Turba-conf.php.dist /usr/internet/horde/turba/config/conf.php
Change the entry $conf['sql']['hostspec'] in the Horde configuration file (/usr/internet/horde/config/conf.php) to the host name of the machine.