Internet Express for Tru64 UNIX Version 6.7 Release Notes

HP Tru64 UNIX Version 5.1B and higher

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

UNIX is a registered trademark of The Open Group.

October 2007

Abstract

This document includes release notes for Internet Express for HP Tru64 UNIX Version 6.7. Read this document before installing or using Version 6.7 of the product.


Release Notes


These release notes describe potential, known, or unresolved problems, and suggest corrective action (when available).

Installation Notes

This section contains release notes pertaining to installation of Internet Express.

Administration Utility Support for Selective Updates

Selective updating of a previous installation of Internet Express is supported; that is, you may choose to update some subsets but not others. The Administration Utility (IAEADM subset) can be updated, and the administration pages of older components will still work (although help links may not). However, if you update any component with administration pages, you must also update the IAEADM subset, or it will not be able to use the newer administration pages.

Installation with Enhanced (C2) Security Requires Login as Root

If you have Enhanced (C2) Security enabled, you must log in as root before running the installation. Using the su root command is not sufficient. If you run the installation script (ix_install), it will check for this, but if you install subsets directly with the setld command, some subset installations will fail with C2 enabled unless you log in as root.

The /usr/users Directory Must Be Writeable by root

The ix_install script, as well as the IAEADM (Administration utility), IAEAPCH (Secure Web Server 1.3), IAEHTTPD (Secure Web Server 2.0), and IAESQD (Squid Proxy Server) subsets will check for the presence of user accounts named iass and httpd and, if they do not exist, they will be created with home directories in /usr/users/. If /usr/users is NFS mounted and not writeable by root, this will fail and cause the installation to fail.

To avoid this problem, make sure that /usr/users is writeable by root before beginning the installation. If this is not practical, you can create the user accounts named iass and httpd before starting the installation; there should then be no need to write into /usr/users.

Error Message on TruCluster Server Version 5.1B

On a TruCluster Server running Tru64 UNIX Version 5.1B, during the installation of any subset that configures its service for failover, you may see error messages similar to this:

Configuring "Samba 2.2.5 File and Print Server for Windows" (IAESMB593) on member2
REBALANCE entry(ies) will be removed from clustercron
Error when calling system(/var/cluster/caa/bin/caa_schedule UNREGISTER samba)

The service should still be correctly configured and these messages can be safely ignored.

Updating Internet Express Requires Updating Dependent Components

If you choose to install the Internet Express Secure Web Server (IAEAPCH subset) by installing the latest version, and if you had installed any of the following dependent subsets from a previous version of Internet Express, you must also update those dependent subsets. The dependent subsets are:

IAEADM - Internet Express Administration Utility
IAEAPAD - Secure Web Server Administration Utility
IAEMON - Internet Monitor
IAEIMP - IMP WebMail Email Utility
IAESOAP - Apache SOAP Server

PostgreSQL Data Storage Format

The internal data storage format changed starting with the version of PostgreSQL that was included with Internet Express Version 6.1. This change requires existing databases to be backed up before removing an existing installation and restored after the new installation is completed.

The installation procedure will detect if you have an IAEPSQL subset from an earlier version of Internet Express installed and will back up and restore your data automatically while upgrading PostgreSQL. The migration of data provided by PostgreSQL does not handle partial indices or large objects. This data will need to be migrated manually.

After the upgrade from Internet Express Version 6.5 or 6.6 is complete, you must verify that your databases have been migrated successfully. A copy of the previous pgsql/data directory is located at /usr/internet/pgsql/data.preIAE6xx, and the output of the database dump performed during the update is saved at /usr/internet/pgsql/dumpout.IAExxx.restored. Once you have verified your new databases, these files may be removed.

If you delete your previous installation separately (not recommended), you need to manually back up and restore your data.

For more information, see the PostgreSQL documentation at the following Web site:

http://www.postgresql.org

Dante SOCKS Server Startup Requirements

The Dante SOCKS server will not start until you specify the internal and external addresses to use in the /etc/sockd.conf file. Look for and uncomment the lines like these:

#internal: 10.1.1.1 port = 1080
#external: 192.168.1.1

Change the addresses to the actual IP addresses of your system's network interfaces. To be able to use the SOCKS server, you will also need to specify valid information for the “method,” “client pass,” and “pass” fields in /etc/sockd.conf. See the sockd(8) reference page.

Denying Hosts Using Link-Local IPv6 Addresses

If you have configured an IPv6 subnet using only link-local addresses for host names, TCP Wrapper will not deny client access from IPv6 host names specified in the /etc/hosts.allow file unless the host name includes the interface extension for the local link. For example, to deny all telnet connections to telnetd from IPv6 host myhost.mydomain.com configured on interface tu0, you must enter the following in /etc/hosts.allow:

telnetd:myhost.mydomain.com%tu0:DENY 

Vacation Mail Not Supported With Cyrus IMAP

The Vacation Mail feature available to users via the User Self-Administration interface does not work for Cyrus IMAP users. This is because Cyrus IMAP does not currently support the use of Procmail as a delivery agent. Users attempting to enable this feature will find their settings ignored, and that no auto-reply messages will be sent. It is therefore suggested that the Vacation Mail group under the User Self-Administration interface be disabled if your users consist primarily of Cyrus IMAP users. See the Administration Guide for instructions on disabling this feature.

Sendmail CPU Utilization in a Multinode Cluster

Due to a threading issue in HP Tru64 UNIX Version 5.1A, Sendmail can drive CPU utilization to nearly 100 percent on some of the cluster nodes. To fix this problem, apply the appropriate patch found at the following URL:

http://www1.itrc.hp.com/service/index.html 

Restrictions and Use of the SLP Software

The SLP software kit described is included with Internet Express and contains the library, daemon, and examples that enable a system administrator to evaluate and implement the use of SLP on a Tru64 UNIX Version 5.1A or later operating system.

Asynchronous operation is not supported in this release.

The language-specific handle is ignored. If you register a service with a language-specific handle, when requesting services with a specified language handle you will receive all language handles.

PostgreSQL Server May Fail To Shut Down With Internet Monitor Running

The PostgreSQL shutdown routine /sbin/init.d/postgres stop may time out and fail to shut down the PostgreSQL server when the Internet Monitor is running. If the stop procedure outputs the message pg_ctl: postmaster does not shut down and there are still PostgreSQL connections to the dcs or dcsconfig database, then you must stop the Internet Monitor to allow the PostgreSQL server to finish shutting down.

To determine if there are connections to the dcs or dcsconfig databases, run the following command:

# ps -U postgres | grep dcs

Look for commands similar to postgres: dcs dcs or postgres: dcs dcsconfig.

See the Internet Monitor Administrator's Guide for more information on how to shut down this service.

PHP Session Issue With TruClusters

PHP session information is stored by default in the /tmp directory which, on a Tru64 UNIX cluster, is a CDSL path. Also, since the Secure Web Server is a multinode application, PHP sessions may appear to be dropped or session information may not be retrieved consistently between requests. Both IMP Webmail (IAEIMP subset), and User Self-Administration (IAEADM subset), use PHP session support. To eliminate this problem, set the session.save_path variable in the /usr/internet/httpd/conf/php.ini configuration file to a non-CDSL directory (one that is shared by all nodes of the cluster). After editing this file, you must restart the Secure Web Server by running /sbin/init.d/httpd_public cluster-restart.

Tomcat Default Context

If an existing Tomcat installation is updated, and Tomcat is configured to be a standalone server, it is likely that the Tomcat server will not have a default root context configured. If a default root context is not present, Web browser requests will return an HTTP status 500 - No Context configured to process this request. To correct this problem, modify the server.xml configuration file to add a default root context.

Tomcat and Squid Default to the Same Network Port

The Tomcat Java Servlet Engine configured as a standalone server and the Squid Proxy both have a default port of 8080 during installation. If both packages are to be installed, take care that the two servers are not configured to use the same port.

Security of Tomcat Administration and Management Applications

The version of Tomcat shipped with this release contains Web-based applications for administering the Tomcat deployment and for managing the lifecycle of Web applications running within the Tomcat container. Links to these management applications can be found on the Tomcat management page within the Secure Web Server Administration utility. Links to the applications can also be found on the Tomcat start page that is installed by default at /tomcat beneath any public Web server root with which Tomcat has been associated. By default, access to these management applications is limited to browsers running on the local host and requires that users successfully authenticate themselves before access will be granted.

The local host restriction is established by access control valves in the files admin.xml and manager.xml, located in the /usr/internet/httpd/tomcat/webapps/tomcat/admin and /usr/internet/httpd/tomcat/webapps/tomcat/manager directories, respectively. To modify this restriction, edit these files and change the list of allowed hosts, or delete the Valve element entirely to remove host-based restrictions. Tomcat will need to be restarted for any changes to take effect. Note also that the default restriction requires that a browser on the local host must access the management applications using URLs that begin with http://localhost/. Attempts to access the applications with URLs that begin with http://<actual_hostname_of_local_host>/ will be rejected.

User authentication is provided by a custom realm that allows a user who successfully authenticates as the Secure Web Server administration user to be mapped to the Tomcat user roles admin and manager, which are the roles required to access the administration and Web application management utilities. If this initial authentication attempt fails, the realm then attempts to authenticate the user via Tomcat's default user authentication database, which is defined by the file /usr/internet/httpd/tomcat/conf/tomcat-users.xml. To change the behavior of this custom realm, modify the file /usr/internet/httpd/tomcat/conf/server.xml as necessary and then restart Tomcat.

Tomcat Administration Application Side-Effects

When the Web-based Tomcat administration application is used to modify the Tomcat deployment, the /usr/internet/httpd/tomcat/conf/server.xml file is updated. In the process, any comments that were in the previous version of the file are stripped out. The ordering of elements within the file may also change, and some default elements that were not explicitly specified in the previous version of the file may be present in the newer version.

Saving changes made through the administration application will also cause Context elements for each deployed application to be written out to the main server.xml file. If the applications had been originally deployed as the result of the presence of application-specific xml files in the /usr/internet/httpd/tomcat/webapps directory, those files will thereafter be ignored and Tomcat will use the Context elements in the main server.xml file as the sole sources for application deployment information.

Apache Axis Client Requirement When Using Java 1.4.x

When using Axis with Java 1.4.x, client code may output the following exception:

NoClassDefFoundError: javax/servlet/ServletContext

Use Java 1.3.x or include an implementation of the Java Servlet API (servlet.jar) in your classpath. A servlet.jar file is installed with the Tomcat subset (IAETOMCAT) in the /usr/internet/httpd/tomcat/common/lib directory.

Axis AdminClient Command-Line Tool May Fail on a Cluster

By default, the Axis server is configured to allow administration requests (that is, requests to deploy or undeploy services) only from the localhost. This causes Unauthorized error messages when the Axis administration request originates on a node other than the one on which the Tomcat instance is running.

To avoid this problem, make sure to run the AdminClient from the same node on which Tomcat is running. Alternatively, you may enable remote administration which will allow requests from all hosts. To enable remote administration, edit the file /usr/internet/xml/axis/webapp/WEB-INF/server-config.wsdd and change the parameter value for "enableRemoteAdmin" to "true" for the service "AdminService". Restart the Tomcat instance for the changes to take effect.
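The localhost-only defaults described in "Security of Tomcat Administration and Management Applications" and in this note can be verified after any configuration change. The script below is an added example, not part of the original release notes or of HP's software; its function names, the sample files it writes, and the RemoteAddrValve class name used in those samples are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not HP's code: audit the localhost-only defaults of the
# Tomcat admin/manager applications and of the Axis AdminService.

# Drop XML comments (multi-line too): a commented-out element is not active.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_c) {
                i = index(line, "-->")
                if (i) { line = substr(line, i + 3); in_c = 0 } else line = ""
            } else {
                i = index(line, "<!--")
                if (i) { out = out substr(line, 1, i - 1)
                         line = substr(line, i + 4); in_c = 1 }
                else { out = out line; line = "" }
            }
        }
        print out
    }' "$1"
}

# Print FILE as one comment-free line so sed can match across line breaks.
flatten_xml() {
    [ -r "$1" ] || return 2
    { strip_xml_comments "$1" | tr '\n' ' '; echo; }
}

# Print the allow list of the active <Valve> in a Tomcat context file.
# Non-zero status: file unreadable, or no active Valve with an allow list.
valve_allow_list() {
    flatten_xml "$1" |
        sed -n 's/.*<Valve[^>]*[[:space:]]allow="\([^"]*\)".*/\1/p' | grep .
}

# Print the enableRemoteAdmin value inside <service name="AdminService">.
# Assumes the name attribute is written before the value attribute.
axis_remote_admin() {
    flatten_xml "$1" | sed -n '
        /<service[^>]*name="AdminService"/!d
        s/.*<service[^>]*name="AdminService"[^>]*>//
        s/<\/service>.*//
        s/.*<parameter[^>]*name="enableRemoteAdmin"[^>]*value="\([^"]*\)".*/\1/p
    ' | grep .
}

# $1 = Tomcat webapps/tomcat directory, $2 = Axis server-config.wsdd.
# Returns 1 if either default has been relaxed.
audit_admin_exposure() {
    rc=0
    for ctx in admin/admin.xml manager/manager.xml; do
        if allow=$(valve_allow_list "$1/$ctx"); then
            case $allow in
                127.0.0.1|localhost) echo "OK   $ctx: allow=$allow" ;;
                *) echo "WARN $ctx: non-local hosts allowed: $allow"; rc=1 ;;
            esac
        else
            echo "WARN $ctx: unreadable or no active Valve allow list"; rc=1
        fi
    done
    if [ "$(axis_remote_admin "$2")" = "true" ]; then
        echo "WARN AdminService: enableRemoteAdmin=true"; rc=1
    else
        echo "OK   AdminService: enableRemoteAdmin is not true"
    fi
    return $rc
}

# Constructed sample files (not the product's own): admin.xml keeps the
# restriction, manager.xml has it commented out, remote admin is enabled.
demo=${TMPDIR:-/tmp}/ix_admin_audit.$$
mkdir -p "$demo/admin" "$demo/manager"
trap 'rm -rf "$demo"' EXIT
cat > "$demo/admin/admin.xml" <<'EOF'
<Context path="/admin"><Valve allow="127.0.0.1"
    className="org.apache.catalina.valves.RemoteAddrValve"/></Context>
EOF
cat > "$demo/manager/manager.xml" <<'EOF'
<Context path="/manager"><!-- <Valve allow="127.0.0.1"
    className="org.apache.catalina.valves.RemoteAddrValve"/> --></Context>
EOF
cat > "$demo/server-config.wsdd" <<'EOF'
<deployment><service name="AdminService" provider="java:MSG">
  <parameter name="enableRemoteAdmin" value="true"/>
</service></deployment>
EOF
audit_admin_exposure "$demo" "$demo/server-config.wsdd" || echo "review needed"
```

On an installed system, call audit_admin_exposure with /usr/internet/httpd/tomcat/webapps/tomcat and /usr/internet/xml/axis/webapp/WEB-INF/server-config.wsdd, the paths given in these notes.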

Enabling IPv6 Connections with Sendmail

To enable IPv6 connectivity with other mail servers and clients, configure sendmail using the Internet Express Administration utility. After finishing, edit the sendmail.cf file and change the value of the DaemonPortOptions line. The default value is inet. Change it to inet6. Then stop and restart sendmail.

Tomcat Web Server Connector

Two connectors are provided to allow the HP Apache Web Server (powered by Apache 2.0) and the Secure Web Server (powered by Apache 1.3) to forward requests to the Tomcat servlet engine.

Apache Module   Protocol   Tomcat Connector                                      Note
mod_jk          AJP 1.3    JK Connector org.apache.ajp.tomcat4.Ajp13Connector    Deprecated
mod_jk2         AJP 1.3    Coyote/JK2 AJP 1.3 Connector                          Default

The default configuration files for Tomcat and the Web servers use the AJP 1.3 protocol with the Tomcat Coyote Connector and the Apache mod_jk2 module.

The Tomcat configuration file /usr/internet/httpd/tomcat/conf/server.xml enables the AJP 1.3 Coyote Connector with the following clause:

<Connector debug="0" enableLookups="false" port="8009" protocol="AJP/1.3" redirectPort="8443"/>

Configuration information for the Tomcat AJP 1.3 Coyote connector is contained in the file /usr/internet/httpd/tomcat/conf/jk2.properties. The Web server loads the mod_jk2 module with the appropriate clause in one of the following configuration files:

Secure Web Server (powered by Apache 1.3)
    Configuration file: /usr/internet/httpd/conf/httpd.conf
    Clause:
        <IfDefine JK2>
        LoadModule jk2_module libexec/mod_jk2.so
        </IfDefine>

HP Apache Web Server (powered by Apache 2.0)
    Configuration file: /usr/opt/hpapache2/conf/httpd.conf
    Clause:
        <IfDefine JK2>
        LoadModule jk2_module modules/mod_jk2.so
        </IfDefine>

Configuration information for the Web server mod_jk2 module is contained in the file workers2.properties. The location of this file is one of the following:

Web Server                                      JK2 Configuration File
Secure Web Server (powered by Apache 1.3)       /usr/internet/httpd/conf/workers2.properties
HP Apache Web Server (powered by Apache 2.0)    /usr/opt/hpapache2/conf/workers2.properties

Refer to the Tomcat documentation for additional information on configuring the connectors. The documentation is available at:

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/

On a system with Tomcat installed the documentation is available at http://localhost/tomcat/.tomcat-docs/.

Mailman in a Cluster Environment

The new release of Mailman provided in Internet Express Version 6.7 does not support TruClusters, and should not be installed in a TruCluster environment. Mailman is restricted to running on a single member of a cluster.

Batik with Java 1.4.1 May Cause Segmentation Violations

Batik may abort with segmentation violations when using Java 1.4.1. To avoid potential issues, use Java versions 1.3.1 or 1.4.2.

IMP Webmail Administration

You can use the IMP Webmail Administration utility to perform such tasks as enabling and disabling IMP Webmail, modifying the mail server, and modifying the preference driver. This utility can be used to modify the configuration parameters of IMP Webmail. Configuration information is available on the Horde Web site in the Horde Administrator's FAQ at:

http://wiki.horde.org/FAQ

Tomcat Default Java Environment

Tomcat Version 5.5.x (the Tomcat version in the Internet Express Version 6.7 release) is designed to run on J2SE 1.4. Therefore, you must make java14x the default Java environment for Tomcat to work. If constraints prevent a user from having java14x as the default Java environment, that user can edit /usr/internet/httpd/tomcat/bin/setenv.sh to change JAVA_HOME and JAVA_CMD to point to the java14x environment. After making this change, a restart of Tomcat is required.

Tomcat Security issue with snoop.jsp

It is possible that a remote attacker could use snoop.jsp to view internal IP addresses and other sensitive information of the server. Therefore, in Internet Express Version 6.5, HP removed snoop.jsp from jsp-examples and retained the source code, in simple HTML format, for reference. For clients who are not willing to upgrade Tomcat, HP recommends removing snoop.jsp from the /usr/internet/httpd/tomcat/webapps/tomcat/jsp-examples/snp/ directory.

Logging In With SOAP and Cocoon Enabled

When configured with SOAP/Axis and Cocoon, Tomcat may not create desired logs. Logs can be initialized by following these steps:

  1. Create a file called log4j.properties with the following content and save it into common/classes.

    log4j.rootLogger=debug, R 
    log4j.appender.R=org.apache.log4j.RollingFileAppender 
    log4j.appender.R.File=${catalina.home}/logs/catalina.log
    log4j.appender.R.MaxFileSize=10MB 
    log4j.appender.R.MaxBackupIndex=10 
    log4j.appender.R.layout=org.apache.log4j.PatternLayout 
    log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n 
    log4j.logger.org.apache.catalina=DEBUG, R
  2. Restart Tomcat.

By default, this option is not enabled because it can produce a large debug log file, which can impact performance. This level should be used sparingly when you need to debug internal Tomcat operations.

SmartFilter Removed From the Kit

The SmartFilter Web filtering software from Secure Computing has been removed from the Internet Express kit. 

Restricting Sendmail In Standalone Mode

When using the new Sendmail administration that contains the open source administration methods, updating the Sendmail configuration file (sendmail.cf) is not sufficient to stop mail forwarding. The Domain Name Service mail-based records (MX) must also be disabled to enforce Standalone mode.

Possible PHP Security Vulnerability

For PHP versions prior to Version 5.1.3-RC1, there is a security issue currently under review. If the magic_quotes_gpc flag is set to "Off" in the php.ini file, the function html_entity_decode() does not parse properly, possibly causing a memory leak. The workaround is to set the magic_quotes_gpc flag to "On", which is the default in the php.ini file for Internet Express.
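The two php.ini settings discussed in "PHP Session Issue With TruClusters" and in this note can be checked together. The script below is an added example, not part of the original release notes or of HP's software; its function names and sample files are constructed for illustration, and it assumes that a CDSL appears as a symbolic link whose target contains {memb}.

```shell
#!/bin/sh
# Added example, not HP's code: check the two php.ini settings these notes
# call out (session.save_path on a cluster, magic_quotes_gpc).

# Effective value of KEY ($2) in php.ini ($1): the last uncommented
# assignment wins. Quoted values may contain ";" (as in "N;/path").
php_ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); if (k != key) next
            sub(/^[ \t]+/, "", v)
            if (substr(v, 1, 1) == "\"") {
                v = substr(v, 2); q = index(v, "\"")
                if (q) v = substr(v, 1, q - 1)
            } else { sub(/[ \t]*;.*$/, "", v); sub(/[ \t]+$/, "", v) }
            val = v; found = 1
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# True if PATH or one of its parent directories is a symbolic link whose
# target contains {memb} (assumed form of a member-specific CDSL).
path_crosses_cdsl() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        if [ -h "$p" ]; then
            case $(ls -ld "$p") in *' -> '*'{memb}'*) return 0 ;; esac
        fi
        p=$(dirname "$p")
    done
    return 1
}

# Returns 1 if the session directory is member-specific or
# magic_quotes_gpc is not On in the given php.ini.
audit_php_ini() {
    rc=0
    if sp=$(php_ini_value "$1" session.save_path); then
        dir=${sp##*;}       # drop an optional "N;" or "N;MODE;" prefix
    else
        dir=/tmp            # default location named in the release note
    fi
    if path_crosses_cdsl "$dir"; then
        echo "WARN session.save_path $dir is member-specific (CDSL)"; rc=1
    else
        echo "OK   session.save_path $dir"
    fi
    mq=$(php_ini_value "$1" magic_quotes_gpc | tr 'A-Z' 'a-z')
    case $mq in
        on|1|true|yes) echo "OK   magic_quotes_gpc=$mq" ;;
        *) echo "WARN magic_quotes_gpc is not On in $1"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample data: a CDSL-style link and two php.ini variants.
d=${TMPDIR:-/tmp}/ix_php_audit.$$
mkdir -p "$d/shared/php_sessions"
ln -s 'cluster/members/{memb}/tmp' "$d/tmp"
trap 'rm -rf "$d"' EXIT
cat > "$d/php.ini" <<EOF
[PHP]
magic_quotes_gpc = Off   ; constructed: the setting the note warns about
[Session]
;session.save_path = "$d/shared/php_sessions"
session.save_path = "2;$d/tmp"
EOF
cat > "$d/php.fixed.ini" <<EOF
[PHP]
magic_quotes_gpc = On
[Session]
session.save_path = "$d/shared/php_sessions"
EOF
audit_php_ini "$d/php.ini" || echo "=> php.ini needs attention"
audit_php_ini "$d/php.fixed.ini"
```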

Mozilla SeaMonkey Application Suite

Internet Express Version 6.7 includes the Mozilla SeaMonkey Application Suite, which replaces the Mozilla Application Suite that was part of previous releases of Internet Express.

Administration for Thunderbird E-mail and Newsgroup Client

To open the help, release notes, and links from Thunderbird, add a file named user.js in your thunderbird profile directory containing the following lines:

user_pref("network.protocol-handler.app.http", "/usr/bin/X11/firefox"); 
user_pref("network.protocol-handler.app.https", "/usr/bin/X11/firefox"); 
user_pref("network.protocol-handler.app.ftp", "/usr/bin/X11/firefox");

These lines inserted into user.js use Firefox to open links from Thunderbird. An alternative method for opening links in SeaMonkey is to use /usr/bin/X11/seamonkey.

Issues with Sendmail Server/Using Open Source Configuration Rules Link

The following issues are related to the use of the Sendmail server with the Open Source Configuration Rules.

AntiSpam LDAP

  • The AntiSpam LDAP relay option Check for Blacklist Recipients in Access Database can be enabled successfully using the PHP link but the functionality does not work as expected.

  • To fully enable the Sendmail LDAP lookup option, the following section in the sendmail.cf file must be manually updated to include the sequence:luser option, as follows:

    #location of alias file
    O AliasFile=btree:/var/adm/sendmail/aliases,sequence:luser
    

    After updating the sendmail.cf file, stop and start Sendmail.

    This procedure must be done apart from enabling the Configure LDAP option using the PHP link. Refer to the Help page for more information on how to configure Sendmail LDAP lookup.

Enabling milter

To enable milter functionality, the following section in the sendmail.cf file must be manually updated by uncommenting the O InputMailFilters configure option and specifying the name of the milter, as follows:

# Input mail filters
O InputMailFilters=milter name

After updating the sendmail.cf file, stop and start Sendmail. This procedure must be done apart from enabling the Configure Milter option using the PHP link. Refer to the Help page for more information on how to configure Milter.

Enabling Masquerading

The Enabling Masquerading feature does not work for local users (that is, users on the same system). The following masquerading options do not work for both local and non-local users (that is, Internet users):

Masquerading hosts/domains
Exclude User
Sub-domain masquerading

Queue Performance

The Queue Performance PHP Page currently provides an option for modifying the following queue parameters only:

  • Queue Sort Order

  • Queue Factor

  • Queue Load Factor

  • Max Queue Children

  • Min Queue Age

Some Internet Express Documents Have Been Archived and Cross-References Do Not Work

As of Internet Express Version 6.6, some of the documents are considered archived, and no future revisions are planned. The archived documents include the Internet Monitor Administrator's Guide and all of the Internet Express Best Practice documents. As of Internet Express Version 6.7, the Best Practices documents have been removed from the kit.

While these documents are still technically accurate, they may contain cross-references to other documents which do not work. For example, the Internet Monitor Administrator's Guide contains cross-references to the Administration Guide, Installation Guide, and Read this First. If you are reading the HTML version of the Internet Monitor Administrator's Guide and click on a link to one of these documents, the link will not work. You can still access these other documents by choosing the appropriate title from the Documentation menu of the Internet Express Administration menu, or by accessing the Documentation and Sources CD-ROM.

Sendmail Installation Problems

During Sendmail startup, the following error message might be displayed: /usr/sbin/sendmail: /sbin/loader: Fatal Error: Cannot map library libdb-4.4.so

If so, create a symbolic link as follows:

  1. Log in as root.

  2. Enter the following commands:

    cd /usr/local/lib
    ln  -fs  /usr/opt/IAE660/usr/local/lib/libdb-cyrus-4.4.so libdb-4.4.so

Clam AntiVirus Installation

The following problem has been identified with the installation of Clam AntiVirus.

The following message might be displayed: /usr/internet/amavis/virusmails: No such file or directory.

If so, create a symbolic link as follows:

  1. Log in as root.

  2. Enter the following commands:

    cd /usr/internet/amavis
    ln  -fs  /data/amavis/virusmails virusmails

IMP Webmail Problems with Configuration Files

In Internet Express Version 6.5, Version 6.6, and Version 6.7, IMP Webmail may not start because of incompatible configuration files. To fix this problem, replace the existing IMP Webmail configuration files located at /usr/internet/horde with the updated configuration files located at the following Web site:

http://h30097.www3.hp.com/internet/download.htm

Follow these steps:

  1. Back up the existing configuration files using the following commands:

    $ mv /usr/internet/horde/config/conf.php /usr/internet/horde/config/conf.php.orig

    $ mv /usr/internet/horde/imp/config/conf.php /usr/internet/horde/imp/config/conf.php.orig

    $ mv /usr/internet/horde/turba/config/conf.php /usr/internet/horde/turba/config/conf.php.orig

  2. Copy the updated configuration files (downloaded from the Tru64 UNIX Web site) onto the existing configuration files using the following commands:

    $ cp Horde-conf.php.dist /usr/internet/horde/config/conf.php

    $ cp IMP-conf.php.dist /usr/internet/horde/imp/config/conf.php

    $ cp Turba-conf.php.dist /usr/internet/horde/turba/config/conf.php

  3. Change the entry $conf['sql']['hostspec'] in the Horde configuration file (/usr/internet/horde/config/conf.php) to the host name of the machine.

Components Moved to Web Download

As of Internet Express Version 6.7, the following components are no longer on the Internet Express CD:

  • IRC Chat

  • TCP Wrappers

  • Internet Monitor

  • Thunderbird

These components can be downloaded from the following Web site:

http://h30097.www3.hp.com/internet/download.htm
