HP Tru64 UNIX: Technical Updates for the Version 5.1B and Higher Operating System and Patches

Operating System and Associated Products Updates

 


Netscape Browser No Longer Supported (May 2007)

The Netscape Web browser is no longer supported on Tru64 UNIX and updates to it are no longer available on the Tru64 UNIX Web site.

Because of potential security threats with the Netscape browser on Tru64 UNIX, HP recommends that you download the latest Firefox browser for Tru64 UNIX. You can find that browser at the following site:

http://h30097.www3.hp.com/internet/download.htm

If you install or reinstall Tru64 UNIX from the operating system CD that ships in the Tru64 UNIX kit, HP recommends that you not install the included Netscape browser, but instead install the Firefox browser and make that your default browser.

live_dump() Function May Not Collect All Dumps (May 2007)

Under certain circumstances the live_dump function is unable to collect dumps, even if the AdvfsDomainPanicLevel attribute is set to 1 (mounted) or 2 (mounted or unmounted). For example, live dumps will not be collected when the process is at the input/output completion path.

Help Files Missing from the AdvFS Management GUI (Oct. 2006)

Some online help files are missing in two locations from the SysMan Advanced File System (AdvFS) graphical interface. The missing help screens are apparent when you are managing volumes and want to modify the size of a partition. The following locations are affected:

  • The Managing Volumes window provides an Expand button that displays a pop-up dialog where you enter a value for the partition size. The pop-up dialog provides a help button. However, no online help is associated with this button.

  • After you modify the partition size and press the Next button, a confirmation dialog is displayed. If you press the Help button in this dialog, the following message is displayed:

    Non existent location ID: WExpandPartConfirm

    No help volume is available for this dialog.

For information on the partition size options available when modifying volume partitions, see AdvFS Administration.

Applications Using SCSI_GET_INQUIRY_DATA Must Initialize Field (May 2005)

Applications that use the SCSI device SCSI_GET_INQUIRY_DATA ioctl must fully initialize the structures used in that ioctl. This change causes the previously defined ms_pgcode field (defined to contain the requested page code value) to be initialized for the page code. Prior to this change, that field was ignored; applications that did not initialize that field may therefore see a change in their function.

Recommended Setting for DRD Parameter when Running LSM voltrace Command (May 2005)

When using the LSM voltrace debugging utility in a cluster, it is recommended that the DRD system configuration parameter, drd_nolwc, be set to 1 to prevent a possible assert_wait panic.

Performance enhancements in DRD changed behavior such that DRD may have blocked the thread corresponding to an I/O request that LSM now needs to block as part of voltrace processing. Turning on drd_nolwc will avoid this issue. It should be turned off after voltrace runs as it will affect overall I/O performance.

XEmacs Displays Confusing Message (Sept. 2004)

The following message is displayed when starting XEmacs Version 21.4:

% emacs
Loading xlib-math...
Loading xlib-math...done
Loading xwem-compat...
Loading xwem-compat...done

You can ignore this message.

Configuring IPsec (Feb. 2004)

The HP Security Bulletin "SSRT3674 - HP Tru64 UNIX IPsec/IKE Potential Security Vulnerability" identifies a potential security vulnerability in the HP Tru64 UNIX operating system using IPsec/IKE (Internet Key Exchange) with Certificates. The potential vulnerability may be remotely exploitable, resulting in unauthorized privileged access.

HP has corrected this potential vulnerability by releasing an Early Release Patch Kit (T64KIT0021591-V51BB24-ES-20040216.tar) and the following updated documentation. The updated functionality allowing for restriction of remote identities (IDs) is outlined in step 12 for securely configuring a host or gateway. This updated functionality is only available after installing the SSRT3674 Early Release Patch Kit (ERP) and will be available in the Version 5.1B PK4 Service Pack.

Use the SysMan Menu application of the Common Desktop Environment (CDE) Application Manager to configure IPsec. This section describes how to configure your system as either an IPsec host or a secure gateway.

Configuring a Host

To configure IPsec on a host, follow these steps:

  1. From the SysMan Menu, select Networking→Additional Network Services→Configure Internet Protocol Security (IPsec) to display the IPsec main window.

    Alternatively, enter the following command on the command line:

    # /usr/sbin/sysman ipsec

    If you are configuring IPsec for the first time, an informational dialog box is displayed that tells you to define secure connections before enabling IPsec. If you enable IPsec without defining secure connections, all packets into and out of the system are discarded; no traffic will flow. Select OK.

    The IPsec main window displays configured secure connections and configured public-key certificates.

  2. Select Enable IP Security (IPsec) at the top of the window.

  3. Select Add. The Add/Modify a Secure Connection dialog box is displayed.

  4. Enter a connection name.

  5. Select Add to add a remote IP address selector. The Add/Modify Selector dialog box is displayed. Do the following:

    a. Select a selector type.

    b. Do one of the following:

      • If you are communicating with a single host, enter the IP address.

      • If you are communicating with a secure gateway, enter the subnet address.

      • If you are communicating with a range of addresses, enter the first address.

    c. For an IP subnet, enter the size of the subnet mask.

    d. For a range of addresses, enter the last address.

    e. Select an upper layer protocol to match. By default, all protocols are selected.

    f. If you want to restrict the selector to a specific port number, enter a port number to match. By default, all port numbers are selected.

    g. Select OK to accept the data and close the Add/Modify Selector dialog box. If you are finished adding remote and local addresses, go to step 7.

  6. Select Add to add a local IP address selector. Go to step 5a.

  7. Select an action to apply to the packets matching the selectors. The default is to apply IPsec protection.

  8. Select Next to accept the data and close the Add/Modify a Secure Connection dialog box. The Add/Modify Connection: IPsec Proposal dialog box is displayed. Do the following:

    a. Select an IPsec proposal from the proposal list.

    b. If you are communicating with a secure gateway, specify the IP address of the secure gateway (remote) and your system's IP address (local).

    c. Specify if you will use IKE to obtain keys or use manual configuration. Select Next to accept the data and close the Add/Modify Connection: IPsec Proposal dialog box.

      If you selected manual configuration and have created a custom proposal list with only one proposal, the Add/Modify Connection: Manual Keys dialog box displays. Go to step 9. If you selected the IKE protocol, the Add/Modify Connection: IKE Proposal dialog box displays. Go to step 11.

  9. Select Add to add a manual key and display the Modify Keys: Add/Modify IPsec Key dialog box. Do the following:

    a. Enter the key name.

    b. Enter the Security Parameter Index (SPI).

    c. Enter keys for the algorithms that are required by the proposals you chose. Select OK to accept the data and close the Modify Keys: Add/Modify IPsec Key dialog box.

  10. Select whether you want to apply the key(s) to inbound packets or outbound packets, or both. If you want to specify additional keys, go to step 9. If you are finished specifying manual keys, go to step 20.

  11. Select an IKE proposal from the proposal list.

  12. Select Add to restrict access to the connection and display the Add/Modify Remote IDs dialog box. Do the following:

    a. Select a remote identity type.

    b. Enter an identity string, usually your IP address, domain name, or e-mail address.

    c. Select OK to accept the data and close the Add/Modify Remote IDs dialog box.

    Note:

    A remote identity (ID) is one that is allowed to use this connection. Identities are values that are either specified in a certificate by the Subject Alternate Name or that you enter when specifying a pre-shared key. This step is optional. However, if you do not specify a remote identity or identities, other systems might have unauthorized access to your system.

  13. If you want to specify additional remote identities, go to step 12. If you are finished specifying remote identities, select Next to accept the data, close the Add/Modify Connection: IKE Proposal dialog box, and display the Add/Modify Connection: IKE Authentication dialog box.

  14. Select whether you want to authenticate IKE exchanges with a public-key certificate or a pre-shared key.

  15. If you selected public-key certificate, select Add to add an IKE certificate. The Add/Modify Certificates dialog box is displayed. Do the following:

    a. Enter a certificate name, select a certificate encoding method, and enter the local path to the certificate file.

    b. If the certificate authenticates your system, select the encoding method and enter the local path to the private key file.

    c. If the certificate is trusted to sign other certificates, select CA Certificate. Otherwise, go to step f.

    d. If a Certificate Revocation List (CRL) is not available, select No Certificate Revocation List (CRL) Available. Go to step f.

    e. Select an encoding method for the CRL and enter a local path to the CRL file.

    f. Select OK to accept the data and close the Add/Modify Certificates dialog box.

  16. Select a certificate for the IKE exchange. Go to step 19.

  17. If you selected pre-shared key, select Add to add an IKE pre-shared key. The Add/Modify IKE Keys dialog box is displayed. Do the following:

    a. Enter a key name and key value.

    b. Select a local identity type.

    c. Enter an identity string, usually your IP address or domain name.

    d. Select OK to accept the data and close the Add/Modify IKE Keys dialog box.

  18. Select a pre-shared key for the IKE exchange.

  19. Select Next to close the Add/Modify Connection: IKE Authentication dialog box and display the Add/Modify Connection: Optional IKE Parameters dialog box. Do the following:

    a. Select any optional parameters.

    b. Select an IKE group number for initial Diffie-Hellman exchanges, if it is different from the IKE proposals.

    c. If you are using Perfect Forward Secrecy (PFS), select a group number for future Diffie-Hellman exchanges.

    d. Select a default lifetime if the proposal does not specify a lifetime.

    e. Select Finish to accept the data and close the Add/Modify Connection: Optional IKE Parameters dialog box.

  20. An informational dialog box is displayed that tells you the connection has been created. Select OK to close this dialog box.

  21. If you need to specify additional public-key certificates, select Add in the Public-Key Certificates field to display an Add/Modify Certificates dialog box into which you can enter information for the certificate. Do the following:

    a. Enter the certificate name, select a certificate encoding method, and enter a local path to the certificate file.

    b. If the certificate authenticates your system, select a private key encoding method and enter a local path to the private key file.

    c. If the certificate is trusted to sign other certificates, select CA Certificate. Otherwise, go to step f.

    d. If a Certificate Revocation List (CRL) is not available, select No Certificate Revocation List (CRL) Available. Go to step f.

    e. Select an encoding method for the CRL and enter a local path to the CRL file.

    f. Select OK to accept the data and close the Add/Modify Certificates dialog box.

  22. Select OK in the IPsec main window to save the configuration information. Whether or not IPsec is already running on your system, the Restart IPsec? dialog box is displayed. If you want to start or restart IPsec, select OK; otherwise, select No. If you select No, you must reboot the system to start or restart IPsec.

See the Network Administration: Connections manual for information on solving possible interoperability problems.

Configuring a Secure Gateway

Before configuring IPsec on a router or a gateway, make sure that the system is configured as an IP router. See the Network Administration: Connections manual for information on configuring the system as an IP router.

To configure IPsec on a router or gateway, follow these steps:

  1. From the SysMan Menu, select Networking→Additional Network Services→Set up IP Security (IPsec) to display the IPsec main window.

    Alternatively, enter the following command on the command line:

    # /usr/sbin/sysman ipsec

    If you are configuring IPsec for the first time, an informational dialog box is displayed that tells you to define secure connections before enabling IPsec. If you enable IPsec without defining secure connections, all packets into and out of the system are discarded; no traffic will flow. Select OK.

    The IPsec main window displays configured secure connections and configured public-key certificates.

  2. Select Enable IP Security (IPsec) at the top of the window.

  3. Select Add. The Add/Modify a Secure Connection dialog box is displayed.

  4. Enter a connection name.

  5. Select Add to add a remote IP address selector. The Add/Modify Selector dialog box is displayed. Do the following:

    a. Select a selector type.

    b. Do one of the following:

      • If you are communicating with a single host, enter the IP address.

      • If you are communicating with a secure gateway, enter the subnet address.

      • If you are communicating with a range of addresses, enter the first address.

    c. For an IP subnet, enter the size of the subnet mask.

    d. For a range of addresses, enter the last address.

    e. Select an upper layer protocol to match. By default, all protocols are selected.

    f. Enter a port number to match, if you want to restrict the selector to a specific port number. By default, all port numbers are selected.

    g. Select OK to accept the data and close the Add/Modify Selector dialog box. If you are finished selecting remote and local addresses, go to step 7.

  6. Select Add to add a local IP address selector. Go to step 5a.

  7. Select an action to apply to the packets matching the selectors. The default is to apply IPsec protection.

  8. Select Next to accept the data and close the Add/Modify a Secure Connection dialog box. The Add/Modify Connection: IPsec Proposal dialog box is displayed. Do the following:

    a. Select an IPsec proposal from the proposal list.

    b. If you are communicating with a secure gateway or a host, specify the IP address of the remote system and your system's IP address (local).

    c. Specify if you will use IKE to obtain keys or use manual configuration. Select Next to accept the data and close the IPsec Proposal dialog box.

      If you selected manual configuration and have created a custom proposal list with only one proposal, the Add/Modify Connection: Manual Keys dialog box displays. Go to step 9. If you selected the IKE protocol, the Add/Modify Connection: IKE Proposal dialog box displays. Go to step 11.

  9. Select Add to add a manual key and display the Manual Keys: Add/Modify IPsec Key dialog box. Do the following:

    a. Enter the key name.

    b. Enter the Security Parameter Index (SPI).

    c. Enter keys for the algorithms that are required by the proposals you chose. Select OK to accept the data and close the Manual Keys: Add/Modify IPsec Key dialog box.

  10. Select whether you want to apply the key(s) to inbound packets, outbound packets, or both. If you want to specify additional keys, go to step 9. If you are finished specifying manual keys, select Finish. Go to step 20.

  11. Select an IKE proposal from the proposal list.

  12. Select Add to restrict access to the connection and display the Add/Modify Remote IDs dialog box. Do the following:

    a. Select a remote identity type.

    b. Enter an identity string, usually your IP address, domain name, or e-mail address.

    c. Select OK to accept the data and close the Add/Modify Remote IDs dialog box.

    Note:

    A remote identity (ID) is one that is allowed to use this connection. Identities are values that are either specified in a certificate by the Subject Alternate Name or that you enter when specifying a pre-shared key. This step is optional. However, if you do not specify a remote identity or identities, other systems might have unauthorized access to your system.

  13. If you want to specify additional remote identities, go to step 12. If you are finished specifying remote identities, select Next to accept the data, close the Add/Modify Connection: IKE Proposal dialog box, and display the Add/Modify Connection: IKE Authentication dialog box.

  14. Select whether you want to authenticate IKE exchanges with a public-key certificate or a pre-shared key.

  15. If you selected public-key certificate, select Add to add an IKE certificate. The Add/Modify Certificates dialog box is displayed. Do the following:

    a. Enter a certificate name, select a certificate encoding method, and enter the local path to the certificate file.

    b. If the certificate authenticates your system, select the encoding method and enter the local path to the private key file.

    c. If the certificate is trusted to sign other certificates, select CA Certificate. Otherwise, go to step f.

    d. If a Certificate Revocation List (CRL) is not available, select No Certificate Revocation List (CRL) Available. Go to step f.

    e. Select an encoding method for the CRL and enter a local path to the CRL file.

    f. Select OK to accept the data and close the Add/Modify Certificates dialog box.

  16. Select a certificate for the IKE exchange. Go to step 19.

  17. If you selected pre-shared key, select Add to add an IKE pre-shared key. The Add/Modify IKE Keys dialog box is displayed. Do the following:

    a. Enter a key name and key value.

    b. Select a local identity type.

    c. Enter an identity string, usually your IP address or domain name.

    d. Select OK to accept the data and close the Add/Modify IKE Keys dialog box.

  18. Select a pre-shared key for the IKE exchange.

  19. Select Next to close the Add/Modify Connection: IKE Authentication dialog box and display the Add/Modify Connection: Optional IKE Parameters dialog box. Do the following:

    a. Select any optional parameters.

    b. Select an IKE group number for initial Diffie-Hellman exchanges, if it is different from the IKE proposals.

    c. If using Perfect Forward Secrecy (PFS), select a group number for future Diffie-Hellman exchanges.

    d. Select a default lifetime if the proposal does not specify a lifetime.

    e. Select Finish to accept the data and close the Add/Modify Connection: Optional IKE Parameters dialog box.

  20. An informational dialog box is displayed that tells you the connection has been created. Select OK to close this dialog box.

  21. If you need to specify additional public-key certificates, select Add in the Public-Key Certificates field to display an Add/Modify Certificates dialog box into which you can enter information for the certificate. Do the following:

    a. Enter the certificate name, select a certificate encoding method, and enter a local path to the certificate file.

    b. If the certificate authenticates your system, select a private key encoding method and enter a local path to the private key file.

    c. If the certificate is trusted to sign other certificates, select CA Certificate. Otherwise, go to step f.

    d. If a Certificate Revocation List (CRL) is not available, select No Certificate Revocation List (CRL) Available. Go to step f.

    e. Select an encoding method for the CRL and enter a local path to the CRL file.

    f. Select OK to accept the data and close the Add/Modify Certificates dialog box.

  22. Select OK in the IPsec main window to save the configuration information. Whether or not IPsec is already running on your system, the Restart IPsec? dialog box is displayed. If you want to start or restart IPsec, select OK; otherwise, select No. If you select No, you can reboot the system to start or restart IPsec, or start or reload the ipsecd daemon (see the Network Administration: Connections manual).

See the Network Administration: Connections manual for information on solving possible interoperability problems.
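
Step 12 in both procedures is the access restriction that the SSRT3674 patch kit introduces. The following C model is an added example, not HP's implementation or the SysMan data format: it shows how a remote-ID list changes the outcome for an IKE peer that has already authenticated, assuming first-match lookup on the remote selector and exact string comparison. All type, function and host names are hypothetical, and the table is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory model of a secure connection; this is not the
 * format that SysMan or ipsecd store. */
enum sel_type { SEL_HOST, SEL_SUBNET, SEL_RANGE };
enum id_type  { ID_IPV4, ID_FQDN, ID_EMAIL };
enum verdict  { V_DISCARD, V_REJECT_ID, V_ACCEPT, V_ACCEPT_ANY_ID };

struct selector   { enum sel_type type; uint32_t addr; int prefix; uint32_t last; };
struct remote_id  { enum id_type type; const char *value; };
struct connection {
    const char *name;
    struct selector remote;          /* step 5: remote IP address selector */
    const struct remote_id *ids;     /* step 12: allowed remote identities */
    size_t n_ids;                    /* 0 when step 12 was skipped */
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Does the peer address fall inside the selector (host, subnet or range)? */
static int sel_match(const struct selector *s, uint32_t ip)
{
    uint32_t mask;
    switch (s->type) {
    case SEL_HOST:
        return ip == s->addr;
    case SEL_SUBNET:
        if (s->prefix < 0 || s->prefix > 32)
            return 0;                /* malformed mask size never matches */
        mask = s->prefix == 0 ? 0 : ~(uint32_t)0 << (32 - s->prefix);
        return (ip & mask) == (s->addr & mask);
    case SEL_RANGE:
        return ip >= s->addr && ip <= s->last;
    }
    return 0;
}

/* Verdict for an IKE peer that has already authenticated successfully. */
static enum verdict evaluate(const struct connection *tab, size_t n,
                             uint32_t peer_ip, enum id_type type, const char *id)
{
    for (size_t i = 0; i < n; i++) {
        if (!sel_match(&tab[i].remote, peer_ip))
            continue;
        if (tab[i].n_ids == 0)
            return V_ACCEPT_ANY_ID;  /* no restriction: any authenticated peer */
        for (size_t j = 0; j < tab[i].n_ids; j++)
            if (tab[i].ids[j].type == type && strcmp(tab[i].ids[j].value, id) == 0)
                return V_ACCEPT;
        return V_REJECT_ID;          /* authenticated, but not on the list */
    }
    return V_DISCARD;                /* no connection defined for this peer */
}

/* Constructed sample table using documentation address ranges. */
static const struct remote_id branch_ids[] = {
    { ID_FQDN, "gw.branch.example" }, { ID_EMAIL, "admin@branch.example" },
};
static const struct connection table[] = {
    { "branch-gw", { SEL_SUBNET, IP4(192, 0, 2, 0), 24, 0 }, branch_ids, 2 },
    { "lab-range", { SEL_RANGE, IP4(198, 51, 100, 10), 0, IP4(198, 51, 100, 20) }, NULL, 0 },
};

int main(void)
{
    printf("listed id:    %d\n", evaluate(table, 2, IP4(192, 0, 2, 7), ID_FQDN, "gw.branch.example"));
    printf("unlisted id:  %d\n", evaluate(table, 2, IP4(192, 0, 2, 7), ID_FQDN, "other.example"));
    printf("no list set:  %d\n", evaluate(table, 2, IP4(198, 51, 100, 15), ID_FQDN, "other.example"));
    return 0;
}
```

A V_ACCEPT_ANY_ID result marks a connection that still needs remote identities added in step 12.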

Adding Callout Functions for IP Processing (Jan. 2004)

The fr_checkp global variable is a callout hook in the kernel IP processing code. You can use this hook to call out to a customized routine to filter or verify IP packets.

To add a callout in the IP input and output processing, create a module that performs an assignment of fr_checkp during the initialization or configuration of the custom filter module, as follows:

int (*fr_checkp) (struct ip *ip, int hlen, struct ifnet *rcvif, int direction, struct mbuf **bufp)

Where:

ip
    Points to the IP header.

hlen
    Is the length of the header.

rcvif
    Is a pointer to the receiving or sending interface.

direction
    0 for input; 1 for output.

bufp
    Is a pointer to the mbuf message chain.

If the routine returns a zero, IP processing continues using the mbuf pointer returned in the bufp field. If a nonzero value is returned or if the mbuf pointer is zero, IP processing is terminated.

If the callout function returns a nonzero value, the callout routine must free the mbuf chain using m_freem.

The following example shows how to create a module, custom_filter, which filters out a packet if it matches the selected type of service (TOS) field of the IP header:

#include "sys/errno.h"
#include "net/if.h"
#include "netinet/ip.h"
#include "sys/mbuf.h"
#include "sys/sysconfig.h"

/* TOS value to filter on; unsigned so it matches CFG_ATTR_UCHARTYPE and ip_tos */
unsigned char custom_filter_tos = 255;
/* unsigned long so the storage matches CFG_ATTR_ULONGTYPE */
static unsigned long debug = 0;
char custom_filter_version[] = "custom_filter: V1.00";

cfg_subsys_attr_t packetfilter_attributes[] = {
        /*
         * name of the table
         */
        {"version", CFG_ATTR_STRTYPE,
         CFG_OP_QUERY,
         (caddr_t) custom_filter_version, 2, 100, 0},
        /*
         * debug state
         */
        {"debug", CFG_ATTR_ULONGTYPE,
         CFG_OP_CONFIGURE | CFG_OP_QUERY | CFG_OP_RECONFIGURE,
         (caddr_t) &debug, 0, ULONG_MAX, 0},

        /*
         * Tos to filter on
         */
        {"tos", CFG_ATTR_UCHARTYPE,
         CFG_OP_QUERY | CFG_OP_CONFIGURE,
         (caddr_t) &custom_filter_tos, 0, 255, 0},

        {"", 0, 0, 0, 0, 0, 0}  /* must be the last element */
};

/*
 * Callout: returns nonzero (and frees the mbuf chain) when the packet's
 * TOS matches custom_filter_tos; returns zero to let IP processing continue.
 */
int
custom_filter(struct ip *ip, int hlen, struct ifnet *rcvif,
              int direction, struct mbuf **bufp)
{
        if (ip->ip_tos == custom_filter_tos) {
                /* a nonzero return requires the callout to free the chain */
                m_freem(*bufp);
                return(1);
        }
        return(0);
}

/*
 * Configuration entry point: installs the callout on configure and
 * removes it on unconfigure.
 */
int
custom_filter_configure(
        cfg_op_t                op,
        caddr_t                 indata,
        ulong                   indata_size,
        caddr_t                 outdata,
        ulong                   outdata_size)
{
        extern int (*fr_checkp) (struct ip *ip, int hlen, struct ifnet *rcvif,
                                 int direction, struct mbuf **mbuf);
        switch (op) {
        case CFG_OP_CONFIGURE:
                fr_checkp = custom_filter;
                break;
        case CFG_OP_UNCONFIGURE:
                fr_checkp = NULL;
                break;
        default:
                break;
        }
        if (debug > 1)
                printf("custom_filter_configure: returning ESUCCESS\n");
        return ESUCCESS;
}
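
The return-value and ownership rules stated above (zero continues, a nonzero return or a zero mbuf pointer terminates, and a callout that returns nonzero frees the chain) can be exercised in user space. This is an added example, not HP's code: only the fr_checkp signature comes from the page, while the struct definitions, m_freem, ip_dispatch, strict_filter and run_case are simplified stand-ins or hypothetical names, and the packets are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in types for a user-space model; the kernel definitions are larger. */
struct ip    { unsigned int ip_hl:4, ip_v:4; unsigned char ip_tos; };
struct mbuf  { struct mbuf *m_next; };
struct ifnet { int if_unit; };

enum { IP_CONTINUE = 0, IP_STOPPED = 1 };
static int chains_freed;                 /* lets the harness observe ownership */

/* Stand-in for the kernel's m_freem(): releases a whole mbuf chain. */
static void m_freem(struct mbuf *m)
{
    if (m != NULL) chains_freed++;
    while (m != NULL) {
        struct mbuf *next = m->m_next;
        free(m);
        m = next;
    }
}

/* The hook, with the signature the page gives for fr_checkp. */
static int (*fr_checkp)(struct ip *ip, int hlen, struct ifnet *rcvif,
                        int direction, struct mbuf **bufp);

static unsigned char drop_tos = 0x10;    /* constructed sample value */

/* Hypothetical callout: drops inbound packets with a chosen TOS, and any
 * packet whose hlen is under 20 bytes or disagrees with the header's ip_hl. */
static int strict_filter(struct ip *ip, int hlen, struct ifnet *rcvif,
                         int direction, struct mbuf **bufp)
{
    int bad_hdr = hlen < 20 || (int)(ip->ip_hl << 2) != hlen;
    int bad_tos = direction == 0 && ip->ip_tos == drop_tos;
    (void)rcvif;
    if (bad_hdr || bad_tos) {
        m_freem(*bufp);   /* nonzero return: the callout frees the chain */
        *bufp = NULL;     /* leave no dangling pointer for the caller */
        return 1;
    }
    return 0;
}

/* Caller side as the page describes it: stop on nonzero or a zero mbuf pointer. */
static int ip_dispatch(struct ip *ip, int hlen, struct ifnet *ifp,
                       int direction, struct mbuf *m)
{
    if (fr_checkp != NULL &&
        ((*fr_checkp)(ip, hlen, ifp, direction, &m) != 0 || m == NULL))
        return IP_STOPPED;               /* must not touch the chain again */
    m_freem(m);                          /* model: normal processing consumes it */
    return IP_CONTINUE;
}

/* Builds one constructed packet and runs it through the model. */
static int run_case(unsigned hl, int hlen, unsigned char tos, int direction)
{
    struct ip hdr = { hl & 0xf, 4, tos };
    struct mbuf *m = calloc(1, sizeof *m);
    if (m == NULL)
        return -1;
    return ip_dispatch(&hdr, hlen, NULL, direction, m);
}

int main(void)
{
    fr_checkp = strict_filter;
    printf("clean inbound:   %d\n", run_case(5, 20, 0x00, 0));
    printf("tos hit inbound: %d\n", run_case(5, 20, 0x10, 0));
    printf("hlen mismatch:   %d\n", run_case(5, 24, 0x00, 0));
    return 0;
}
```

Each chain is freed exactly once on every path, which is the property to check in a real callout before it is assigned to the hook.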

The rcinet stop inet Command No Longer Stops IPv6 Communications (Jan. 2003)

Section 5.4.5 of the Release Notes states that the /usr/sbin/rcinet stop inet command marks all network interfaces as down, and stops IPv6 communications.

This problem has been corrected. Issuing this command no longer stops IPv6 communications.

2002–2009 Hewlett-Packard Development Company, L.P.