TCPware Version 5.8 Release Notes

March 2008

This document contains a list of new features and bug fixes that have been made since TCPware V5.7-2.

Revision/Update Information: This document supersedes the TCPware V5.7-2 Release Notes.

Operating System and Version: VAX/VMS V5.5-2 or later; OpenVMS Alpha V6.2 or later; OpenVMS I64 V8.2 or later.

Copyright © 2008 by Process Software LLC

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

    Process Software, LLC
    959 Concord Street
    Framingham, MA 01701-4682 USA
    Voice: +1 508 879 6994; FAX: +1 508 879 0042
    info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

Alpha AXP, AXP, MicroVAX, OpenVMS, OpenVMS I64, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

Intel and Itanium are trademarks or registered trademarks of Intel Corporation.

Portions of TCPWare have the following third party copyrights:

Kerberos. Copyright © 1989, DES.C and PCBC_ENCRYPT.C Copyright © 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology. Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

MultiNet is a registered trademark of Process Software.

Secure Shell (SSH). Copyright © 2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-).

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence

TCPware is a registered trademark of Process Software.

UNIX is a trademark of UNIX System Laboratories, Inc.

All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

Copyright ©1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

Copyright ©2000, 2001, 2002, 2004, 2005 Process Software, LLC. All rights reserved. Printed in USA.

If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software. Any resemblance or duplication is strictly coincidental.
Contents

Chapter 1  Introduction
    1.1 Typographical Conventions
    1.2 Obtaining Technical Support
        1.2.1 Before Contacting Technical Support
        1.2.2 Sending Electronic Mail
        1.2.3 Calling Technical Support
        1.2.4 Contacting Technical Support by Fax
    1.3 Obtaining Online Help
    1.4 TCPware Frequently Asked Questions (FAQs) List
    1.5 Accessing the TCPware Public Mailing List
    1.6 Process Software World Wide Web Server
    1.7 Obtaining Software Patches over the Internet
    1.8 Documentation Comments
    1.9 CD-ROM Contents
        1.9.1 Online Documentation
            1.9.1.1 PDF Format
            1.9.1.2 Using Acrobat Reader
            1.9.1.3 Using XPDF

Chapter 2  CHANGES AND ENHANCEMENTS
    2.1 Installation Disk Space Requirements
    2.2 New Features
        2.2.1 BIND9 Addition
        2.2.2 FTP
        2.2.3 Kernel
        2.2.4 NTP Updates
        2.2.5 SNMP Updates
        2.2.6 SSH Updates
        2.2.7 Telnet Updates
        2.2.8 UCX$IPC_SHR Updates
        2.2.9 UCX$RPCXDR_SHR Update
    2.3 Fixes in this Release
        2.3.1 Drivers
        2.3.2 FTP
        2.3.3 LPD
        2.3.4 NETCP
        2.3.5 NETCU
        2.3.6 NFS Client
        2.3.7 NFS Server
        2.3.8 NTP
        2.3.9 RPC
        2.3.10 SFTP
        2.3.11 SMTP
        2.3.12 SNMP
        2.3.13 SSH
    2.4 Known Issues
    2.5 Known Documentation Issues

Chapter 3  Documentation Notes
    3.1 General Documentation Enhancements
    3.2 HELP Files
    3.3 NETCU online help

Chapter 1

Introduction

These Release Notes describe the changes and enhancements made to the TCPware product in version 5.8. This chapter describes conventions used in the TCPware documentation set and the various methods to contact and receive technical support.

o For information about product changes and enhancements in TCPware v5.8, refer to Chapter 2.

o For information about changes to the documentation set, refer to Chapter 3.

1.1 Typographical Conventions

Examples in these release notes use the following conventions:

    Convention            Example         Meaning
    --------------------  --------------  ------------------------------------
    Angle brackets                        Represents a key on your keyboard.

    Angle brackets                        Indicates that you hold down the key
    with a slash                          labeled or while simultaneously
                                          pressing another key; in this
                                          example, the "A" key.

    Square brackets       [FULL]          Indicates optional choices; you can
                                          enter none of the choices, or as
                                          many as you like. When shown as part
                                          of an example, square brackets are
                                          actual characters you should type.

    Underscore or         file_name or    Between words in commands, indicates
    hyphen                file-name       the item is a single element.

1.2 Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained TCPware from an authorized distributor or partner, you receive your technical support directly from them.

You can contact Technical Support by:

o Sending electronic mail (Section 1.2.2)

o Calling Technical Support (Section 1.2.3)

o Faxing a description of your problem to the Technical Support Group (Section 1.2.4)

1.2.1 Before Contacting Technical Support

Before you call, or send email or a fax:

1. Verify that your Maintenance Service Agreement is current.

2. Read the online Release Notes completely.

3. Have the following information available:

   o Your Name
   o Your company name
   o Your email address
   o Your voice and fax telephone numbers
   o Your Maintenance Contract Number
   o OpenVMS architecture
   o OpenVMS version
   o TCPware layered products and versions

4. Have complete information about your configuration, error messages that appeared, and problem specifics.

5. Be prepared to let a development engineer connect to your system with TELNET or SSH, or by dialing in using a modem. Be prepared to give the engineer access to a privileged account to diagnose your problem.

You can obtain information about your OpenVMS architecture, OpenVMS version, TCPware version, and layered products with the NETCU SHOW VERSION/ALL command.
Execute the following command on a fully loaded system and email the output to support@process.com:

    $ NETCU SHOW VERSION/ALL
    TCPware(R) V5.8-2 Copyright (c) 2008 Process Software
    OpenVMS version V8.2 booted on 28-JUN-2007 21:03:30.00, running on a HP rx2600 (1.30GHz/3.0MB).
    MAS number: 12345

In this example:

o The machine or system architecture is I64.

o The OpenVMS version is V8.2.

o The TCPware version is V5.8.

Use the following table as a template to record the relevant information about your system:

    Required Information                    Your System Information
    --------------------------------------  -----------------------
    Your name
    Company name
    Your email address
    Your voice and fax telephone numbers
    System architecture                     Vax, Alpha, or I64
    OpenVMS Version
    TCPware Version

Please provide information about installed TCPware applications and patch kits by sending a copy of the TCPWARE:TCPWARE_VERSION.; file.

1.2.2 Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.

At the beginning of your mail message, include the information listed in Section 1.2.1. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your electronic support request.

Electronic mail is answered within the desired goal of two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 5:00 p.m., United States Eastern Time.

1.2.3 Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m. United States Eastern Time.

For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, have available the information described in Section 1.2.1. When you call, you will be connected to a Technical Support Specialist.

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than 5 minutes. If you can wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending email to support@process.com (See the Section on Sending Electronic Mail).

1.2.4 Contacting Technical Support by Fax

You can send transmissions directly to Technical Support at 508-879-0042.

Before faxing comments or questions, complete the steps in Section 1.2.1 and include all your system information at the beginning of your fax message. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your fax support request.

Faxed questions are answered Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

1.3 Obtaining Online Help

Extensive information about TCPware is provided in the TCPware help library. For more information, enter the following command:

    $ HELP TCPWARE

1.4 TCPware Frequently Asked Questions (FAQs) List

You can obtain an updated list of frequently asked questions (FAQs) and answers about Process Software products from the Process Software home page located at http://www.process.com. Choose the Service & Support link to access useful information on FAQs and patch ECOs.
1.5 Accessing the TCPware Public Mailing List

Process Software maintains two public mailing lists for TCPware customers:

o Info-TCPware@process.com

o TCPware-Announce@process.com

The Info-TCPware@process.com mailing list is a forum for discussion among TCPware system managers and programmers. Questions and problems regarding TCPware can be posted for a response by any of the subscribers. To subscribe to Info-TCPware, send a mail message with the word SUBSCRIBE in the body to Info-TCPware-request@process.com.

The information exchanged over Info-TCPware is also available via the USENET newsgroup vmsnet.networks.tcp-ip.tcpware.

You can retrieve the Info-TCPware archives by anonymous FTP to ftp.tcpware.process.com. The archives are located in the directory [MAIL_ARCHIVES.INFO-TCPWARE].

The TCPware-Announce@process.com mailing list is a one-way communication (from Process Software to you) used to post announcements relating to TCPware (patch releases, product releases, etc.). To subscribe to TCPware-Announce, send a mail message with the word SUBSCRIBE in the body to TCPware-Announce-request@process.com.

1.6 Process Software World Wide Web Server

Electronic support is provided through the Process Software web site, which you can access with any World Wide Web browser; the URL is http://www.process.com (select Service & Support).

1.7 Obtaining Software Patches over the Internet

Process Software provides software patches in save set and ZIP format on its anonymous FTP server, ftp.tcpware.process.com. For the location of software patches, read the .WELCOME file in the top-level anonymous directory. This file refers you to the directories containing software patches.

To retrieve a software patch, enter the following commands:

    $ FTP FTP.TCPWARE.PROCESS.COM ANONYMOUS password

where password is your email address.

A message welcoming you to the Process Software FTP directory appears next, followed by the FTP prompt. Enter the following at the FTP prompt:

    FTP>CD [.SUPPORT.xx_x]
    FTP>GET update_filename

In these commands:

o xxx is the version of TCPware you want to transfer

o update_filename is the name of the file you want to transfer

To transfer files from Process Software directly to an OpenVMS system, you can use the GET command without any other FTP commands. However, if you need to transfer a software patch through an intermediate non-OpenVMS system, use BINARY mode to transfer the files to and from that system.

In addition, if you are retrieving the software patch in save set format, make sure the save set record size is 2048 bytes when you transfer the file from the intermediate system to your OpenVMS system.

o If you use the GET command to download the file size from the intermediate system, use the FTP RECORD-SIZE 2048 command before transferring the file.

o If you use the PUT command to upload the file to your OpenVMS system, log into the intermediate system and use the FTP quote site rms recsize 2048 command before transferring the file.

Process Software also supplies UNZIP utilities for OpenVMS VAX, Alpha and I64 for decompressing ZIP archives in the [SUPPORT] directory. To use ZIP format kits, you need a copy of the UNZIP utility.

The following example shows how to use the UNZIP utility, assuming you have copied the appropriate version of UNZIP.EXE to your current default directory:

    $ UNZIP := $SYS$DISK:[]UNZIP.EXE
    $ UNZIP filename.ZIP

Use VMSINSTAL to upgrade your TCPware system with the software patch.

1.8 Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know.

Be as specific as possible about your comments: include the exact title of the document, version, date, and page references as appropriate.
You can send your comments by email to techpubs@process.com or mail them to:

    Process Software
    959 Concord Street
    Framingham, MA 01701-4682
    Attention: Marketing Director

You can also fax your comments to us at 508-879-0042.

Your comments about our documentation are appreciated.

1.9 CD-ROM Contents

The directory structure on the CD is as follows:

    [TCPWARE058]        TCPware Kit
    [Documentation]     PDF format (.pdf)
                        HTML format (.htm)
                        Release Notes
    [XPDF]
      [XPDF.AXP]        for Alpha images
      [XPDF.VAX]        for VAX images
    [LYNX]
      [LYNX.AXP]        for Alpha images
      [LYNX.VAX]        for VAX images
    [VAX55_DECC_RTL]

1.9.1 Online Documentation

The TCPware documentation set is available on the product CD in HTML and PDF format. The Release Notes are available on the product CD in text format.

1.9.1.1 PDF Format

The TCPware documentation set has the following PDF files:

o INSTALL.PDF (Installation and Configuration Guide)

o MANAGE.PDF (Management Guide)

o NETCU.PDF (NETCU Command Reference)

o PROGRAM.PDF (Programmer's Guide)

o USER.PDF (User's Guide)

The PDF format is readable from a PC, a VAX or an Alpha system. There is a PDF reader for the VAX and Alpha platforms on the TCPware CD.

o Use Adobe Acrobat to read the PDF files from a PC. Your PC must have 386 architecture or later to use Adobe Acrobat Reader. You can get Acrobat Reader free from Adobe Systems' Website: www.adobe.com.

o Use the XPDF Reader (found in the [XPDF] directory) to read the PDF files from a VAX or Alpha system. The [XPDF.AXP] directory contains the Alpha architecture reader, and the [XPDF.VAX] directory contains the VAX architecture reader.

Note: The XPDF Reader does not work on a PC.

PCs running the Windows or NT operating system cannot read Process Software's CD. You cannot load files from the MultiNet CD directly to a PC. Load them to your VAX, Alpha or I64 machine, then transfer them to your PC. We suggest using FTP to transfer these files. The following is an example using MS-DOS:

    C:> ftp node
    ftp> binary
    ftp> mget cd:*.pdf

In addition, Process Software has included LYNX, the character-cell Web browser for VMS. It is in the [LYNX] directory.

1.9.1.2 Using Acrobat Reader

To read the PDF files using Acrobat Reader:

1. Double click Acrobat Exchange.

2. Choose Open from the File menu.

3. Select the .pdf file you want to open.

4. Use the menu bar at the top of the screen to navigate the document, or click a Table of Contents entry (on the left) to go directly to that information.

Note: The binocular icon opens search functions. The magnifying glass icon enlarges the text and illustrations.

1.9.1.3 Using XPDF

Thanks to Derek B. Noonburg for letting us download his XPDF application.

Note: You need a three-button mouse to use XPDF.

At the DCL prompt from the directory in which the VAX or Alpha XPDF.EXE is stored, do the following:

1. Type RUN XPDF.EXE. The XPDF screen appears.

2. Position the arrow on any of the icons (except the ? icon) on the bottom of the screen.

3. Press the right mouse button to display choices.

4. Select OPEN to display the list of PDF files.

5. Select the PDF file you want, and click OPEN to read the file.

6. Use the icons on the bottom of the screen to search for the information you want.

To view the online help for XPDF:

1. Position the cursor on the question mark (?) icon.

2. Press the left mouse button to open the online help.

Chapter 2

CHANGES AND ENHANCEMENTS

This chapter briefly describes features that are new or changed significantly in TCPware Version 5.8.

2.1 Installation Disk Space Requirements

The following table indicates the disk space requirements for installing TCPWARE V5.8.

    System Architecture     Peak Usage    Net Usage
    --------------------    ----------    ---------
    VAX                     270,000       135,000
    Alpha                   360,000       220,000
    I64                     410,000       250,000

2.2 New Features

2.2.1 BIND9 Addition

BIND9 has replaced BIND8, and is based on ISC's BIND Version 9.4.1p. Future updates to BIND will originate from the 9.4.1 baseline.

With BIND 9, the ISC no longer supports the NSLOOKUP tool. It recommends using the DIG tool instead. As a result, we are including the BIND 8.x version of NSLOOKUP. In addition, the NDC tool has been replaced by RNDC for BIND 9.

In addition to the BIND 9 nameserver, this release supports the following BIND 9 tools: DIG, DNSSEC_SIGNZONE, HOST, NAMED-CHECKCONF, NAMED-CHECKZONE, NSUPDATE, RNDC-CONFGEN, and RNDC.

For further information and documentation regarding BIND 9, including details on configuration of the nameserver and tools, please refer to the ISC website and/or O'Reilly's "DNS and BIND", 4th edition or later.

2.2.2 FTP

RFC 4217 support has been added to FTP. This allows the client to request TLS (SSL) authentication of the server and an encrypted control channel before attempting user authentication. User authentication is still by username and password after requesting TLS authentication. The data channel may also be set for encrypted transfers.

If desired, the command channel can be set back to clear text after the user has been authenticated and the data channel protection has been set. This allows firewalls and NAT devices to process the PORT and PASV commands and their replies so that sockets can be opened for data transfers.

The server requires that a certificate and key file be specified in the configuration file.

Generation of RFC4217 Certificate and Key files:

If you are running a version of VMS that can install SSL from HP, then we suggest that you use the certificate creation tool that they provide with SSL. See http://h71000.www7.hp.com/doc/83FINAL/BA554_90007/ch03.html

For Alpha and VAX systems we provide a version of the OpenSSL image in the TCPware directory. You can consult the OpenSSL web site for information on how to create certificates: http://www.openssl.org/docs/HOWTO/certificates.txt

The User's Guide, Management Guide, and Programmer's Guide all have been updated with information on how to use this functionality.

2.2.3 Kernel

Alpha and Integrity systems have an improved connection hash that uses a larger table with an algorithm that has a more uniform distribution.

Jumbo packets can be used on Gigabit Ethernet interfaces by editing TCPWARE:TCPWARE_CONFIGURE.COM and adding /MTU=9000 after the interface. It is also necessary to tell VMS that jumbo packets are desired with:

    $ mcr lancp set dev ewa/jumbo

Provided support routines for CIFS (Samba) on OpenVMS V8 for Alpha and Integrity processors.

Support for ConsoleWorks V3.5 was added.

2.2.4 NTP Updates

NTP has been updated from NTP 4.1.1 to NTP 4.2.

Added support of US 2007 Daylight Saving Time Rules and support of Canada 2007 Daylight Saving Time Rules.

2.2.5 SNMP Updates

A trap receive program has been added. Page 7-14 in the Management Guide contains information on how to use the program to receive traps.

2.2.6 SSH Updates

SSH has been updated to the latest release from WRQ. This update includes:

o A new tool, SSH-CERTTOOL, can be used to generate PKCS#10 and PKCS#12 requests, and to view PKCS#10 and PKCS#12 packages.

o The SSH-CERTENROLL2 tool has been renamed to SSH-CMPCLIENT.

o For those clients that can support it (this includes the client used by all Process Software SSH products), expired password handling by the server has been modified to prompt for the new password, then the session will continue rather than being logged out. For those clients that don't support this, the old method of expired password handling is still used. There are some clients that may not support this method (an expired password causes an abrupt disconnect from the server system), but the server may not be able to identify them correctly. To handle those, if the logical name TCPWARE_SSH_USE_OLD_EXPIRED_PASSWORD_SCHEME is defined system-wide, the server will revert to its previous method of handling expired passwords. [DE 10260]

o Access controls and operation logging have been added to the SFTP server.

  The logical TCPWARE_SFTP_{username}_CONTROL can be defined /SYSTEM to any combination of NOLIST, NOREAD, NOWRITE, NODELETE, NORENAME, NOMKDIR, NORMDIR, to restrict operations. NOWRITE will disable PUT, DELETE, RENAME, MKDIR, RMDIR; NOREAD will disable GET and LIST. The restriction keywords must be spelt out in full, but punctuation does not matter.

  The logical TCPWARE_SFTP_{username}_ROOT can be defined /SYSTEM to restrict the user to the directory path specified. (Subdirectories below the specified directory are allowed.)

  The logical SSH_SFTP_LOG_SEVERITY can be defined /SYSTEM to 20000 to log file transfers or 30000 to log all SFTP operations. The logical SSH2_SFTP_LOG_FACILITY must also be defined /SYSTEM to specify the logging class that is used with OPCOM. Values below 5 will use the network class; 5 will use OPER1, 6 will use OPER2, etc. The maximum value that can be specified is 12, which will use OPER8. [DE 9988]

o The new SSH2 code in this version supports the following in SSH2_DIR:SSHD2_CONFIG.

    Config Entries         Meaning
    ---------------------  ---------------------------------------------
    Terminal.DenyUsers     Prevent users in the specified list from
                           creating SSH2 terminals and performing
                           interactive commands. The users can still use
                           the SFTP2, SCP1 and Public Key servers.

    Terminal.DenyGroups    Prevent groups in the specified list from
                           creating SSH2 terminals and performing
                           interactive commands. The groups can still
                           use the SFTP2, SCP1 and Public Key servers.

  [D/E 7845]

o SSH2 authentication via LDAP and SecurID for OpenVMS VAX 7.3, OpenVMS AXP 6.2 and higher, and OpenVMS I64 8.2 and higher for those running the Process Software VMS Authentication Module (VAM) product.

o SSH X.509 certificate tool was added.

o Added support of FTRUNCATE operation to the SFTP code. [DE 10102]

2.2.7 Telnet Updates

The Telnet programming library has been modified such that it no longer makes calls to CLI$ routines. These calls prevented it from being used in many cases.

2.2.8 UCX$IPC_SHR Updates

o Updated UCX$IPC_SHR to support send operations with a length count greater than 65535 bytes on VMS V8. [DE 10621]

o Updated UCX$IPC_SHR to support VMS V8.3 with additional entry points in the order that VMS has them for V8.3. [DE 10267]

o The TCPWare UCX$IPC_SHR for OpenVMS V8.2 and later matches TCP/IP Services V5.6. Customers running OpenVMS V8.2 or V8.2-1 that need an image that matches TCP/IP Services V5.5 should use TCPWARE:V82_UCX$IPC_SHR.EXE by defining logicals or renaming files.

2.2.9 UCX$RPCXDR_SHR Update

UCX$RPCXDR_SHR has been updated to GSMATCH 4.3.

2.3 Fixes in this Release

2.3.1 Drivers

o Corrected a potential NTDRIVER crash. [DE 10600]

o Increased the maximum allowed read size to 65536, allowing the latest version of TekSys ConsoleWorks to work with TCPware. [DE 10577]

o Corrected errors in how the NTYDRIVER port routines link to the VMS terminal driver on Integrity systems. This fix allows Point Secure's System Detective to work with TCPware on Integrity systems. [DE 10571]

o Corrected an error when receiving a new fragmented datagram that can cause a system crash. [DE 10319]

o Replaced initial sequence number (ISN) algorithm with one that is more random. [DE 6893]

o Corrected errors in getaddrinfo.
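
The RFC 4217 ordering described in Section 2.2.2 (TLS requested before USER/PASS, data channel protection set, control channel optionally cleared afterwards) can be checked against a client-side control-channel log. The following Python is an added example, not TCPware code: the (command, reply code) log format, the finding names and the sample sessions are constructed for illustration, while the commands and reply codes (AUTH TLS with reply 234, PBSZ, PROT, CCC) are those defined by RFC 4217.

```python
"""Audit an FTP control-channel log against the RFC 4217 ordering in Section 2.2.2.

Added example. Input is a list of (command line, final reply code) pairs as a
client or proxy would log them; this tuple format is an assumption of the example.
"""

# Commands that open a data connection and therefore depend on PROT P.
TRANSFER_VERBS = {"RETR", "STOR", "APPE", "STOU", "LIST", "NLST"}


def audit_ftps_session(exchanges):
    """Return a list of (position, finding) tuples; an empty list means no finding."""
    control_tls = False    # control channel currently encrypted
    data_private = False   # PROT P accepted, data channel encrypted
    logged_in = False      # PASS accepted
    findings = []

    for pos, (line, reply) in enumerate(exchanges, start=1):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        accepted = 200 <= reply < 300

        if verb == "AUTH" and arg == "TLS" and reply == 234:
            control_tls = True
        elif verb in ("USER", "PASS"):
            # The credential crossed the wire whether or not the server accepted it.
            if not control_tls:
                findings.append((pos, "CLEARTEXT_CREDENTIALS"))
            if verb == "PASS" and accepted:
                logged_in = True
        elif verb == "PROT" and accepted:
            data_private = (arg == "P")
        elif verb == "CCC" and accepted:
            # The release notes place CCC after login and data protection setup;
            # anything sent after CCC (including a later PROT) is unprotected.
            if not (logged_in and data_private):
                findings.append((pos, "CCC_BEFORE_SETUP"))
            control_tls = False
        elif verb in TRANSFER_VERBS and not data_private:
            findings.append((pos, "UNPROTECTED_DATA"))
    return findings


# Constructed sample sessions (not captured from a real server).
SESSION_AS_DESCRIBED = [
    ("AUTH TLS", 234), ("USER alice", 331), ("PASS ****", 230),
    ("PBSZ 0", 200), ("PROT P", 200), ("CCC", 200),
    ("PASV", 227), ("RETR report.txt", 226),
]
SESSION_PLAIN_FTP = [
    ("USER alice", 331), ("PASS ****", 230), ("PASV", 227), ("LIST", 226),
]
SESSION_EARLY_CCC = [
    ("AUTH TLS", 234), ("USER bob", 331), ("PASS ****", 230), ("CCC", 200),
    ("PBSZ 0", 200), ("PROT P", 200), ("PASV", 227), ("STOR a.dat", 226),
]

if __name__ == "__main__":
    for name, session in [("as described", SESSION_AS_DESCRIBED),
                          ("plain FTP", SESSION_PLAIN_FTP),
                          ("early CCC", SESSION_EARLY_CCC)]:
        print(name, audit_ftps_session(session))
```
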
2.3.2 FTP

o The code that handles the FTP_SERVER_DATA_PORT_RANGE has been
  corrected to allow for ports greater than 32767. [DE 10373]

o FTP user authentication can now use Process Software's VMS
  Authentication Module (VAM). If the logical
  TCPWARE_FTP_VAM_AUTH_METHOD is defined, then the contents of the
  logical are used for the VAM authentication method if the user has
  the appropriate VAM_LGI_method rights identifier. If the user does
  not have the rights identifier, then the traditional password
  authentication is used. If the logical TCPWARE_FTP_VAM_REQUIRED is
  defined, then the traditional password is not allowed for the users
  that don't have the VAM method. The user must also have the FTP
  rights identifier. [DE 10334]

o A timing error in processing the TCPWARE_FTP_MAXIMUM_CONNECTION_WAIT
  logical has been fixed. [DE 10185]

2.3.3 LPD

o The LPD Server has been changed to correct a VAX-only problem
  accessing spooled directory files.

o A VAX issue using lpr accessing files due to incorrect FIDs has been
  resolved. [DE 10342]

o The LPD Server has been changed to correct a problem with submitting
  jobs to the local queue manager resulting in a SYSTEM-F-MBTOOSML,
  mailbox is too small for request message. [DE 10331]

2.3.4 NETCP

o Corrected errors in maintaining secondary address information.
  [DE 10370]

o Corrected an error that prevented IP over DECnet from being used in
  TCPware V5.7-2. [DE 10283]

2.3.5 NETCU

o Corrected a problem which would allow a secondary internet address
  to be added that duplicated a primary internet address. [DE 10455]

o An upper limit of 60000 bytes has been added to the mailbox creation
  for NETCU DEBUG. This restores behavior prior to VMS V7.3-1 where VMS
  limited the mailbox bytlm to 60000 and allowed users with greater
  bytlm to use those additional resources elsewhere. [DE 10394]

o The SHOW UDP command has been fixed.
  [DE 10310]

o The field width in SHOW CONNECTIONS has been increased so that
  INET + 5 digits can be displayed properly. [DE 10221]

o Added timestamps to the DEBUG output.

2.3.6 NFS Client

o Corrected problems with directory listings on Itanium platforms
  where files were sometimes missing. [DE 10632]

o Fixed the NFSMOUNT display message when mounting on an Itanium
  system. [DE 9793]

2.3.7 NFS Server

o Corrected problems where the NFS Server process (NFSDV3) would exit
  when exports were added. [DE 10658]

2.3.8 NTP

o Corrected misleading error messages displayed when NTPDATE is unable
  to reach the specified system due to insufficient routing
  information. [DE 10595]

o Corrected errors that prevent local-master or master-clock from
  working on Integrity systems. [DE 10492]

o Corrected errors in NTPDATE. [DE 10493]

2.3.9 RPC

o Corrected an RPCGEN failure when the output was a logical name.
  [DE 10236]

o Returning call to decode a double from the XDR stream now correctly
  calculates the double value. [DE 9894]

2.3.10 SFTP

o Corrected an error in interpreting the
  MULTINET_SFTP_ODS2_SRI_ENCODING logical that prevented it from
  disabling SRI encoding/decoding when displaying directories.
  [DE 10671]

o SFTP no longer writes output to the terminal one character at a
  time. This makes batch logs readable. [DE 10638]

o SFTP no longer attempts to synchronize the execute protection across
  systems, which gets rid of a source of errors being reported when a
  file is successfully copied. The code to synchronize the execute
  protection was based upon the Unix definition of execute protection,
  which is very different from the VMS definition of execute
  protection. [DE 10622]

o SFTP now disables the SMG unsolicited input mailbox. This should
  correct some cases where SFTP cannot start SSH.
  [DE 10602]

o Corrected a problem where SFTP assumed that files without a dot in
  their name were directories and hence could not transfer them.
  [DE 10572]

o The SFTP server no longer returns error status of "no permission"
  for unimplemented requests to perform modifications to file
  attributes. Now it returns success and messages will appear in the
  log if debugging is enabled. [DE 10557]

o Problems with the SFTP CD command have been corrected. [DE 10381]

o Corrected errors in parsing filenames for the SFTP rename and
  lrename commands. [DE 10147]

o Corrected an error that would lead to SFTP access violations in
  batch mode. [DE 10092]

o Fixed a problem which could cause files to be truncated when
  transferred with SFTP. [DE 10090]

o Corrected problems using SCP/SFTP to transfer files larger than
  5 Gigabytes. [DE 9866]

2.3.11 SMTP

o Corrected a timezone offset used in mail processing. [DE 10490]

o Fixed an error which can cause ACCVIOs on VMS 8.2-1 on Integrity.
  [DE 10237]

o Corrected an access violation related to using VRFY and EXPN
  commands. [DE 9648]

2.3.12 SNMP

o Corrected errors in the Agent X code for registering ranges of MIB
  variables. Required for the Intersystems Cache product to work
  correctly. [DE 10349]

o Added a new configuration statement { hostid ip_address } that
  allows the hostid in a trap packet to be specified. The ip_address
  is checked against the addresses for which the system has a line
  configured. [DE 10371]

o Improved the functionality of the SNMP agent to support the
  WBEM$GSVIEW component of the Insight Management Agents, and corrected
  miscellaneous errors. [DE 10199]

2.3.13 SSH

Fixes for the following defects:

o After installing the SSH_V562P130 and SSH_V572P061 ECO's, the
  password history lookups and password dictionary lookups would
  always fail when changing an expired password during an SSH login.
  [DE 10690]

o If the following conditions are met:

  o The user has issued SET PROCESS/PARSE_STYLE_EXTENDED and

  o The logical DEC$ARGV_PARSE_STYLE is defined, then

  o SCP, SFTP and PUBLICKEY_ASSISTANT will encounter an error of:

      illegal option -- S
      Warning: child process (ssh_exe:ssh2.exe) exited with code -1.

  [DE 10667]

o On VMS 8.x systems and some 7.3-2 systems, after applying some VMS
  ECO's, SSH sessions would fail with the log file showing an error of
  "Failed to get handed-off socket: errno 6". [DE 10636]

o SSH OPCOM session accept and session reject messages would sometimes
  display garbage at the end of the message. [DE 10629]

o The SSH client would sometimes enter an infinite loop when run in a
  DCL command procedure. [DE 10614]

o When file transfers were done in batch jobs, the SSH client would
  sometimes enter an infinite loop. [DE 10592]

o After applying the most recent SSH ECO's, login attempts would
  occasionally display messages of the form:

      Failed to write host key a.veeeeeeeeerrrrryyy.loooongg.domain

  [DE 10574]

o Forwarded X11 sessions would sometimes exhibit delays when updating
  the screen, due to TCP_NODELAY not being set on the channel. This
  could be modified by setting the NoDelay keyword in the SSHD2_CONFIG
  file, but that would affect all connections. The keyword X11NoDelay
  has been added that, when set to YES (its default), will set
  TCP_NODELAY for X11 sessions only. [DE 10573]

o Hostbased authentication would occasionally fail because the key
  signer was apparently hanging. [DE 10548]

o If a public key has a variable record format, operations involving
  that key, such as publickey authentication, will fail. [DE 10522]

o For accounts with time-of-day access limitations in SYSUAF, sessions
  were allowed to continue past their allowable access time.
  [DE 10512]

o On some systems, OPCOM session accept/reject messages from the SSH
  server would have garbage at the end of them.
  [DE 10446]

o Corrected problems in SFTP2 doing ASCII GET transfers. [DE 10365]

o Corrected problems with SCP2 not using specified target name in
  copies. [DE 10358]

o The qualifier /NOPROGRESS no longer removes the file transfer
  completion status line from SFTP2. The progress line is not
  displayed during the transfer, but a status line is displayed upon
  completion of the transfer. [DE 10354]

o Corrected problems with SSH handling pre-expired passwords.
  [DE 10330]

o After logging out of an SSH2 session, the server process that was
  handling the session would occasionally enter a tight loop.
  [DE 10287]

o If the logical TCPWARE_SFTP_DONT_TRUNCATE is defined to Yes, True or
  1 then the SFTP server will not perform truncate operations as part
  of FSETSTAT and SETSTAT operations. Some systems end up with
  unexpected file attributes when the truncate operation is performed
  and this provides a method of disabling it. [DE 10305]

o If the logical TCPWARE_SFTP_STAT_DESTINATION_FILE is defined to be
  FALSE, NO or 0 (zero) then the SFTP client will not attempt to do a
  STAT operation to check for the presence of the destination file
  before opening the destination file for write. The assumption is
  that the destination file does not exist.

  If the logical TCPWARE_SFTP_STAT_DESTINATION_DIRECTORY is defined to
  be FALSE, NO or 0 (zero) then the SFTP client will not attempt to do
  a STAT operation on the destination directory before opening the
  destination file for write. The assumption is that the destination
  directory exists.

  These two logicals should be defined to FALSE in order to have the
  SFTP client work with Sterling Commerce's Connect:Enterprise
  product. [DE 10276]

o Increased the length of DNS names that SSH can handle. [DE 10262]

o Put the /ASCII=VMS option back in. [DE 10259]

o Fixed an ACCVIO that can occur when exiting from a command file.
  [DE 10251]

o Allowed version numbers to be used for the local source specified on
  SCP2 command line, even when /VMS is not used. [DE 10242]

o Modified the SFTP server such that TCPWARE_SFTP_VMS_ALL_VERSIONS
  will cause all file versions to be displayed no matter what the
  remote (client) side is. Note that when a file is copied from the
  VMS system to the client, the filename will contain the version
  number. [DE 10238]

o Corrected an error that causes our SFTP2/SCP2 client to ACCVIO when
  dealing with an SFTP server that speaks SFTP protocol version 2.
  [DE 10234]

o If SSH is being executed in a VMS batch job, and it attempts to do a
  remote command (e.g., "$ ssh lima.beans.com dir *.txt"), no output
  would be displayed. [DE 10193]

o Addresses an ACCVIO which occurred in those cases where the password
  being verified was not initialized properly. [DE 10182]

o If the logical MULTINET_SFTP_DIRECTORY_WITH_CREATION_DATE is defined
  to True, Yes or 1, then the creation date is displayed in the output
  for DIRECTORY when operating in VMS mode instead of the modification
  date. Note that the times are still adjusted by the local offset
  from UTC. [DE 10179]

o Corrected a potential ACCVIO when downloading text files via SCP and
  SFTP. [DE 10172]

o Corrected some problems with using an absolute path name for the
  file in a CHMOD request for SCP/SFTP. [DE 10169]

o KRB5 passwords stopped working after a recent ECO. [DE 10163]

o Corrected errors in the SCP/SFTP SRI decoding algorithm. [DE 10133]

o A security vulnerability has been corrected. [DE 10218]

o Improved estimates of transferred file sizes to resolve problems
  with transferring files in ASCII mode. [DE 10106]

o A user could spawn multiple authentication agents (SSH-AGENT)
  causing unpredictable results when trying to authenticate via the
  agent. [DE 9932]

o Failed logins are not sent to the VMS audit log.
  [DE 9842]

o Corrected a problem with the SSH client disconnecting from Cisco
  routers when a key is pressed.

2.4 Known Issues

o Using the command "netcu set filter eia-0,eia-1
  filter.dat/log=filter.log" will create multiple filter.log files and
  only write to one of them. To ensure filter logging occurs to
  separate log files, use multiple "netcu set filter" commands with
  unique log file names.

      netcu set filter eia-0 filter.dat/log=filter_eia0.log
      netcu set filter eia-1 filter.dat/log=filter_eia1.log

  This will be resolved in a future ECO kit.

o When using filter logging to a file, the data may not be flushed to
  the file until the file is closed using a set filter/nolog command.

o When using filter logging to a file, the log file may not be closed
  after executing the netcu set nofilter command. Prior to using the
  netcu set nofilter command, a netcu set filter/nolog command should
  be issued.

2.5 Known Documentation Issues

Chapter 3

Documentation Notes

This chapter discusses the enhancements made to the TCPware for OpenVMS
hardcopy and on-line documentation (including DCL HELP), as well as
errata found after the publication or production dates (look for the
entry "ERRATA").

3.1 General Documentation Enhancements

o The User's Guide now contains the following text in the section on
  TFTP:

      See Chapter 4 of the Installation and Configuration Guide for
      information about configuring the TFTP server.

  [DE 10350]

o Miscellaneous SSH documentation errors have been corrected.
  [DE 8979]

o The following note was added regarding secondary addresses:

      It may be necessary to add a route to have the address be
      reachable from the system that the address is added to.

  [DE 8633]

o Chapter 26 of the TCPware Management Guide has been updated to
  reflect the new SSH2 server configuration keywords enabled since
  5.7-2.

o Information regarding SET_VMS_LOGICALS and CALL_DST_PROC options has
  been added.

o Documentation of how TCPWARE_FTP_{username}_ROOT is used has been
  added. [DE 10158]

3.2 HELP Files

3.3 NETCU online help

o SET LOG/FTP has been added to the NETCU online help. [DE 8668]