Symantec Product Authentication Service Release Notes
Copyright © 2008 Symantec Corporation. All rights reserved.
Doc Version: 4.1
Symantec, the Symantec logo, Symantec Product Authentication Service are trademarks
or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other
countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THIS DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-
INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID, SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be “commercial computer
software” and “commercial computer software documentation” as defined in FAR
Sections 12.212 and DFARS Section 227.7202.
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
www.symantec.com
Printed in the United States of America.
Third-party legal notices
Third-party software may be recommended, distributed, embedded, or bundled
with this Symantec product. Such third-party software is licensed separately by
its copyright holder. All third-party copyrights associated with this product are
listed in the accompanying release notes.
AIX is a registered trademark of IBM Corporation.
HP-UX is a registered trademark of Hewlett-Packard Development Company,
L.P.
Linux is a registered trademark of Linus Torvalds.
Solaris is a trademark of Sun Microsystems, Inc.
Windows is a registered trademark of Microsoft Corporation.
Technical support
For technical assistance, visit http://support.veritas.com (rather than http://support/symantec.com) and select phone or email support. Use the
Knowledge Base search feature to access resources such as TechNotes, product
alerts, software downloads, hardware compatibility lists, and our customer
email notification service.
Contents
Chapter 1 Release notes
  Installation notes
    Supported platforms
    Other supports
    No longer supported
    Required patches and service packs
      Patches that are required for HP 11.xx
      TOUR package required for HP11i
      Required Solaris patches
      Required AIX patches
      Required Windows service packs
    Additional requirements
      Recommended memory
      Additional requirement for Linux RedHat 5.0
      Additional requirement for SunOS 5.8
      Additional requirement for HP Tru64
      C++ runtime requirement for AIX 5.x
    Requirement for upgrade on Linux
    Authentication broker dependency on PBX
    Requirement before upgrading
    Solaris zone support
  Known Issues
    Requirement to set LD_PRELOAD (1005736)
      Workaround
    UUID support for Guest OS on Xen is not supported (1157449)
    AT configuration data is not copied to the passive nodes on HACMP (1156854)
    vssat pullbrokerattribs command fails on HP-UX (1142196)
      Workaround
    vssat pushbrokerattribs command fails (1044022)
      Workaround
    Password is exposed in logs when package is executed (1016853)
      Workaround
    A failover of AT on VCS Windows might hang (1160154)
      Workaround
    vssat pullbrokerattribs is not getting the trusted credentials (1160143)
    Authentication of localhost for homeless user with user name and password fails (1151462)
      Workaround
    Configuration fails when password is required to communicate with remote root broker through rsh (1153161)
      Workaround
    vrtsAtWebCredentialVerify fails (1237514)
    vssat validateprpl crashes (1232434)
    On Native Chinese Windows 2008 with doublebyte username, vrtsAtInit is failing (1237918)
    LDAP authentication for duplicate user entries across LDAP subdomains (1368778)
    SSLv2 not working properly with AT (1655849)
    CLIs do not work when x86_64 Client is uninstalled after upgrading to AT 5.0 (1735165)
    VxATD process does not come up during minor upgrades (1741043)
    listpd and showpd CLIs show updated hostname in output (1745453)
    Timing issue during "shutdown -i6 -g0 -y" (1786889)
  Available documentation
  Documentation addenda and corrections
    Correction of syntax given for setloglevel command
    Simplified restore method
    Change in AT upgrade and uninstall procedures on non-secure clusters
Chapter 1 Release notes
These Release Notes for Symantec Product Authentication Service (AT) pertain
to the following:
Build 5.0.x for the EAT client
Build 5.0.x for the broker
They contain the following sections:
“Installation notes”
“Known Issues”
“Available documentation”
“Documentation addenda and corrections”
Installation notes
This topic describes supported platforms and system requirements for running
Symantec Product Authentication Service.
Supported platforms
Table 1-1 shows a list of supported platforms:
Table 1-1 Supported Platforms
Platforms: OS architecture (os version) | Components: Supported Broker type | Components: Supported Clients
AIX Power PC “RISC” (5.1, 5.2, 5.3, 5.4), 6.1 | RISC | RISC
AIX Power PC 64bit “RISC64” (5.1, 5.2, 5.3, 5.4), 6.1 | RISC | RISC, RISC-64
Free BSD x86 (5.3) |  | x86
HP-UX Itanium 64bit “ia64” (11.23, 11.31) | pa32 | pa32, pa64, ia64, ia32 (32bit build for Itanium)
HP-UX PA-RISC 32bit “pa32” (11.11, 11.23, 11.31) | pa32 | pa32
HP-UX PA-RISC 64bit “pa64” (11.11, 11.23, 11.31) | pa32 | pa32, pa64
Irix mips 32 bit (7.3) |  | mips
Irix mips 64 bit (7.3) |  | mips, mips64
Linux Power pc 32 bit "ppc" (SuSe 9, 10 & RH EL 4.0, 5.0) | ppc | ppc
Linux Power pc 64 bit “ppc64” (SuSe 9, 10 & RH EL 4.0, 5.0) | ppc | ppc, ppc64
Linux x86 (AS 3.0) |  | x86
Linux x86 (SuSe 9, 10 & RH EL 4.0, 5.0) | x86 | x86
Linux x86_64 (SuSe 9, 10 & RH EL 4.0, 5.0) | x86_64 | x86 & x86_64
Linux ia64 (SuSe 9, 10 & RH EL 4.0, 5.0) | ia64 | ia64
Mac Power PC “ppc” (10.3) |  | ppc
Solaris sparc (5.8, 5.9, 5.10) | sparc | sparc
Solaris sparc v9 (5.8, 5.9, 5.10) | sparc | sparc, sparc v9
Solaris x86 (5.8, 5.9, 5.10) | x86 | x86
Solaris x86_64 (5.10) | x86 | x86, x86_64
Tru64 alpha (5.1, 5.2) | alpha | alpha
Windows x86 (2000, 2003, sp, vista) | x86 | x86
Windows ia64 (2003) | x86 | x86, ia64
Windows x86_64 (2003) | x86 | x86, x86_64
Other supports
AT also supports Sun JRE 1.6 from build 5.0.27.0 onwards.
No longer supported
The following platforms are no longer supported in this release or in later
versions:
Solaris 7 on sparc & sparc-v9
AIX 4.3 on Power PC (32-bit & 64-bit)
Linux AS 2.1 and 3.0 on x86, x86_64 & IA-64
HP-UX 11.0 on PA-RISC (32-bit)
FreeBSD 4.9 on x86
Service pack 2 for Windows 2000
HP 11.00 in AT 5.0.
Required patches and service packs
Patches that are required for HP 11.xx
Table 1-2, “Patches for HP 11.xx”, lists patches for HP 11.xx.
Table 1-2 Patches for HP 11.xx
Patch ID | Patch Description
PHSS_26560 | 1.0 ld(1) and linker tools
PHSS_26946 | 1.0 ld(1) HO aC++ run-time libraries a3.37
PHSS_27740 | libc cumulative patch
TOUR package required for HP11i
TOUR package is needed on HP 11i to support IPv6 functionality. It can be
obtained from https://h20293.www2.hp.com/portal/swdepot/try.do?productNumber=TOUR
Required Solaris patches
On Solaris x86, users must install the latest GSS-API patches in order for
GSS-API to work. These include the following:
Solaris 8 SPARC | 108434-17, 108435-17, 109147-07
Solaris 8 x86 | 108436-15
Solaris x82 | patch 108436-15 or higher
Solaris 9 SPARC | 111711-11, 111712-11
Solaris 9 x86 | 111713-08
Required AIX patches
The following patches are required for AIX.
Table 1-3 Required AIX patches
Package Level Shipped | Resolved Fix Package Level | Resolved APAR
6100 TL2 SP3 6100-02-03-0909 | NA NA | IZ52720
6100 TL1 SP4 6100-01-04-0909 | NA NA | IZ52975
6100 TL0 SP8 6100-00-08-0909 | NA NA | IZ52988
5300 TL9 SP3 5300-09-03-0918 | 5300 TL9 SP4 5300-09-04-0920 | IZ52719
5300 TL8 SP6 5300-08-06-0918 | 5300 TL8 SP7 5300-08-07-0920 | IZ52585
5300 TL7 SP8 5300-07-08-0918 | 5300 TL7 SP9 5300-07-09-0920 | IZ52906
5300 TL6 SP11 5300-06-11-0918 | 5300 TL6 SP12 5300-06-12-0920 | IZ52944
These packages are required because vxatd crashes after a couple of unixpwd
authentications on AIX 5.3 and 6.1.
This is due to the “IZ52585: GETGRENT_R ROUTINE CAUSES HEAP
CORRUPTION” bug in AIX. See
http://www-01.ibm.com/support/docview.wss?uid=isg1IZ52585
This is a regression that was introduced by the fix for “IZ17022: GETGRENT FAILING
WHEN /ETC/GROUP HAS LARGE NUMBER OF USERS”. See
http://www-01.ibm.com/support/docview.wss?uid=isg1IZ17022
For information about the affected AIX versions, see
http://www-01.ibm.com/support/docview.wss?uid=isg1fixinfo110313
Note: After applying the patch, reboot the machine or else the fix does not work.
Required Windows service packs
The following service packs are required for successful installation of AT on the
Windows platform:
AT no longer supports service pack 2 for Windows 2000
For Windows 64 bit machines, you should have Service Pack 1
Additional requirements
Recommended memory
We recommend 100MB disk space.
We recommend 256MB memory.
Additional requirement for Linux RedHat 5.0
AT requires the standard C++ version 5.0. You must install the following C++
compat library rpm before installing the AT rpms:
compat-libstdc++-33-3.2.3-61.i386.rpm
You can obtain the compat libraries from the following URL:
http://rpmfind.net/linux/RPM/System_Environment_Libraries.html
Additional requirement for SunOS 5.8
For SunOS 5.8, you should install patch 108820-03.
Additional requirement for HP Tru64
CXX 7.1 runtime libraries must be installed on the HP Tru64 UNIX host. To
download these libraries, copy and paste the following link into a web browser:
ftp://ftp.compaq.com/pub/products/C-CXX/tru64/cxx/CXXREDIST710.tar
C++ runtime requirement for AIX 5.x
On all AIX 5.x versions, the required C++ runtime is 8.0 and above. To download
this patch, use the following URL:
http://www-1.ibm.com/support/docview.wss?uid=swg24015076
Requirement for upgrade on Linux
On Linux, while upgrading you need to pass these parameters:
rpm -U --nopreun <RPM_NAME>
Authentication broker dependency on PBX
The AT 5.0 authentication broker can operate with any version of PBX. There
are no specific version dependencies.
The authentication broker can operate behind a PBX service when the host is
behind a firewall. This is also required to enable the broker's remote
administration capabilities. The authentication broker automatically hooks
up with the PBX service if PBX is up and running at broker installation
time. It can also be hooked up with PBX manually by using the vssat
setispbxexchflag CLI.
Requirement before upgrading
Note: Before you perform an upgrade of AT or AZ, shut down local Symantec
applications that are using AT or AZ services. Otherwise, the upgrade process
imposes a short outage that could impact the applications that need those
services.
Solaris zone support
AT 5.0 packages may be installed to both global and local zones on Solaris.
Previous restrictions in AT 4.x limiting installation to only global zones do not
apply in AT 5.0.
If a broker is installed on a global zone, it may not be started or stopped from a
local zone. The service requires writing to a file system that cannot be modified
from local zones. If a broker is installed in the global zone, local zones should
only access it over the wire.
AT packages contain the following package parameters:
SUNW_PKG_ALLZONES=false
SUNW_PKG_THISZONE=true
SUNW_PKG_HOLLOW=false
Known Issues
This section explains issues that are still remaining in this release of the
Symantec Product Authentication Service.
Requirement to set LD_PRELOAD (1005736)
On Red Hat Linux running on an Itanium 64-bit processor, when we try to create the
JVM in the parent process after the memory-mapping and before the fork, we
get signal 11 errors because apparently there is not enough memory for the
JVM to start.
Workaround
If a Java application uses our APIs, you must set LD_PRELOAD in order for the
application to work. If, for example, AT is installed in /opt/VRTSat, then do as
follows:
export LD_PRELOAD=/opt/VRTSat/lib/libvrtsat_t.so
Then run the Java application. For example:
java TestDriver
UUID support for Guest OS on Xen is not supported (1157449)
UUID support for Guest OS on Xen is not supported in this release of AT.
AT configuration data is not copied to the passive nodes on HACMP (1156854)
The cluster configuration script hacmp_at_config is not copying the data in
the VRTSatlocal.conf file to the passive nodes on HACMP clusters.
vssat pullbrokerattribs command fails on HP-UX (1142196)
The vssat pullbrokerattribs -b FullyQualifiedHostName:2821
command fails to run on HP-UX.
Workaround
Use the existing AT CLIs to manually add the Domain-Broker maps of the
remote host.
vssat pushbrokerattribs command fails (1044022)
The vssat pushbrokerattribs -b HostName:2821 command fails to run
on the root broker machine.
Workaround
Automatic pull and push of broker attributes is working. You can also use the AT
CLIs to do the same.
Password is exposed in logs when package is executed (1016853)
When configuring a broker in authentication broker only mode using execpkg,
the password that is being supplied is shown on the console when Debug logs are
enabled. This happens even if the package supplied is obfuscated.
Workaround
To work around this problem, do one of the following:
Disable debug logs before you run the execpkg command
Delete the log file after you run the execpkg command
A failover of AT on VCS Windows might hang (1160154)
When AT is made highly available, a shared directory is created on all of the
cluster nodes. As the AT service runs on all the nodes, in case of VCS 4.1, any
command that is run on a passive node creates lock files in the shared directory.
After these lock files are created, when a failover to another node occurs, the
failover hangs because the lock files cause the mount of the shared directory to
fail.
Workaround
To work around this problem
1 Delete the lock files from the shared directory.
2 Manually perform the failover.
vssat pullbrokerattribs is not getting the trusted credentials (1160143)
The vssat pullbrokerattribs command is not getting the trusted
credentials from the root broker.
Workaround
Use vssat setuptrust CLI.
Authentication of localhost for homeless user with user name and password fails (1151462)
The vssat authenticate command fails to authenticate localhost with a
user name and password for a homeless user.
Workaround
Use the following command to acquire the localhost credential without a user
name and password:
vssat --domain localhost
Configuration fails when password is required to communicate with remote root broker through rsh (1153161)
When configuring AT to use a remote root broker, the vssat command will fail if
a password is required to communicate with the remote root broker through rsh.
Workaround
Reconfigure rsh/ssh to not require a password.
vrtsAtWebCredentialVerify fails (1237514)
vrtsAtWebCredentialVerify fails if the "Not Before" property of the credential is before
the current time/date.
Workaround
Correct the system clock on both client and the broker hosts. They should be in
sync.
vssat validateprpl crashes (1232434)
vssat validateprpl crashes when wildcard characters are passed as the username for an LDAP
domain.
Workaround
Use the complete user name and domain name. Wildcard characters are not
supported in the CLIs.
On Native Chinese Windows 2008 with double-byte username, vrtsAtInit is failing (1237918)
vrtsAtInit is failing on native Chinese Windows 2008 with a double-byte username.
Workaround
Do not use non-ASCII characters in usernames (Windows users) and ensure there
are no non-ASCII characters in the current user's appdata path.
LDAP authentication for duplicate user entries across LDAP subdomains (1368778)
When the same user entry exists under both a domain and a subdomain in LDAP, the user is
authenticated using the top-level domain entry, which is configured with the
LDAP domain. For example, if user “Harry” exists in the “testdomain.com” and
“my.testdomain.com” domains, and if the LDAP domain in AT is configured
with userBaseDN as “testdomain.com”, user “Harry” is authenticated
from “testdomain.com”. If user “Tom” exists in “my1.testdomain.com”
and “my2.testdomain.com” but does not exist in “testdomain.com”,
authentication fails because “testdomain.com” is the userBaseDN configured in AT, where
user “Tom” does not exist.
Configure a separate domain for “my1.testdomain.com” and
“my2.testdomain.com” with the respective userBaseDN to authenticate user Tom in
the respective domains.
SSLv2 not working properly with AT (1655849)
This is a Windows-specific issue, where SSLv2 is not working with EAT.
CLIs do not work when x86_64 Client is uninstalled after upgrading to AT 5.0 (1735165)
When AT is upgraded to 5.0 and the AT 4.3 x86_64 Client is uninstalled, the AT
CLIs do not work.
VxATD process does not come up during minor upgrades (1741043)
VxATD process does not come up during minor upgrades.
Workaround
Get the process up manually by running the following script:
/opt/vrtsat/bin/vxatd
listpd and showpd CLIs show updated hostname in output (1745453)
After configuring AT 5.0.31.0 in basic mode, the listpd and showpd CLIs show
the updated host name, instead of showing the actual root or auth broker tag in
the output.
Timing issue during "shutdown -i6 -g0 -y" (1786889)
This issue is specific to Oakmont:VxAT5.0.31.
Due to a timing issue during "shutdown -i6 -g0 -y", VCS reports the following
VxAT error in the /var/adm/messages and /var/VRTSvcs/log/engine_A.log files,
and the VxSS service group becomes faulted.
============================================================
VCS ERROR V-16-1-13067 (host_name) Agent is calling clean for resource (vxatd) because the resource became OFFLINE unexpectedly, on its own.
VxSS State s245sf2 |OFFLINE|FAULTED|
VxSS State s245sf3 |ONLINE|
============================================================
This error message can be safely ignored, and it will be addressed in the next
VxAT patch release.
Available documentation
The Symantec Product Authentication Service Administrator’s Guide provides
information on how to administer the AT. This document is included with your
Symantec product documentation.
Documentation addenda and corrections
This section is intended to hold corrections and addenda to documents that were
already frozen when the product release was made.
Correction of syntax given for setloglevel command
The -b broker parameter that is given for the setloglevel CLI command is not
yet supported.
Proper usage for the command is as follows:
vssat setloglevel -l <0|1|2|3|4> [ -f <filename>]
Simplified restore method
The method for restoring broker data is now simpler than that which is detailed
in the “Backup, Restore, and Other Tasks” chapter in the Administrator’s Guide.
The vssat restorebroker command restores the broker from the archived
snapshot directory, assuming that it contains the good configuration that was
last backed up by running vssat showbackuplist. The CLI checks whether
the snapshot directory is present. If it is present, vssat restorebroker
restores it back to the original position.
To restore the broker's data
1 Shut down the broker by running the following command:
On Windows: net stop vrtsat
On UNIX: pkill vxatd
If pkill is not supported, run the following command without line breaks:
ps -fe | grep vxatd | grep -v grep | awk '{print $2}' | xargs kill -9
2 Navigate to where the vssat CLI commands reside.
3 Run the following command, without line breaks:
vssat restorebroker [-a <complete path>] [-s]
Acceptable arguments are the following:
-a Complete Path | The complete path of the archived material. If you use this option, the command ignores the location in the VRTSatlocal.conf file. For example: vssat restorebroker -archivedloc /var/VRTSatSnapShotDirectory
-s | Runs the command silently, without any prompt for restore. Default location is picked up from the VRTSatlocal.conf file. For example: vssat restorebroker -s
4 Start the broker by running the following command:
On Windows: net start vrtsat
On UNIX: vxatd -<option>
Change in AT upgrade and uninstall procedures on non-secure clusters
When you upgrade or uninstall the AT on a non-secure cluster, you must first
offline the AT service group before you perform the upgrade or uninstall the AT.
In the case of an upgrade, after the upgrade is complete, you must online the AT
service group.
To offline the AT service group before an AT upgrade or uninstallation, use the
commands shown in Table 1-4 for your cluster platform.
Table 1-4 Commands to offline the AT service group
Cluster platform | Command to offline the AT service group
VCS (non-secure) | hagrp -offline vxss_service -sys <Node name>
VCS (secure) | hagrp -offline VxSS -sys <Node name>
 | hagrp -offline vxss_service -sys <Node name>
MCSG (HP-SG) | cmhaltpkg -v -n <Node Name> vxsspackage
Tru Cluster | caa_stop VRTSat
Sun Cluster | scswitch -F -g vxss_resources
HACMP | /usr/es/sbin/cluster/utilities/clRGmove -s 'false' -d -i -g vxss_service -n <Node Name>
MSCS | cluster . group VxSS-ClusterGroup /OFFLINE /WAIT:50
To online the AT service group after an upgrade, use the commands shown in
Table 1-5 for your cluster platform.
Table 1-5 Commands to online the AT service group
Cluster platform | Command to online the AT service group
VCS (non-secure) | hagrp -online vxss_service -sys <Node name>
VCS (secure) | hagrp -online VxSS -sys <Node name>
 | hagrp -online vxss_service -sys <Node name>
MCSG (HP-SG) | cmrunpkg -v -n <Node Name> vxsspackage
Tru Cluster | caa_start VRTSat
Sun Cluster | scswitch -R -g vxss_resources -h <Node Name>
HACMP | /usr/es/sbin/cluster/utilities/clRGmove -s 'false' -u -i -g vxss_service -n <Node Name>
MSCS | cluster . group VxSS-ClusterGroup /ONLINE /WAIT:50
Refer to the installation documentation for the remaining steps that you must
perform to upgrade or uninstall the AT.