HP TCP/IP Services for OpenVMS
Release Notes

March 2010

This document describes the new features and changes introduced with Version 5.7 of the HP TCP/IP Services for OpenVMS software product.

Revision/Update Information:  This is an updated document.

Software Version:             HP TCP/IP Services for OpenVMS Version 5.7

Operating Systems:            OpenVMS Version 8.4 for Integrity servers
                              OpenVMS Alpha Version 8.4

Hewlett-Packard Company
Palo Alto, California

Copyright 2010 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

UNIX is a registered trademark of The Open Group.

The HP TCP/IP Services for OpenVMS documentation is available on CD-ROM.

This document was prepared using DECdocument, Version 3.3-1b.

Contents

Preface

1  New Features and Behavioral Enhancements
   1.1  New features
      1.1.1  Packet Processing Engine
         1.1.1.1  Configuring PPE
         1.1.1.2  Managing TCP/IP PPE
         1.1.1.3  Monitoring PPE
         1.1.1.4  Comparison testing
      1.1.2  FTP Anonymous Light
         1.1.2.1  Access restrictions for FTP operations
   1.2  Enhancements
      1.2.1  TCPIP$CONFIG
         1.2.1.1  Configuring interfaces and addresses on a remote cluster member
      1.2.2  LPD configurable port
         1.2.2.1  Configuring the remote port
         1.2.2.2  Using the LPD configurable port for secure printing
      1.2.3  FTP over SSL
         1.2.3.1  Configuring an FTP server for SSL
         1.2.3.2  Using FTP client in an SSL environment
         1.2.3.3  Considerations during configuration
      1.2.4  SMTP cluster ability
         1.2.4.1  Configuration
      1.2.5  SMTP ASCII file configuration
      1.2.6  SMTP Persistent receiver
         1.2.6.1  Configurable parameters
      1.2.7  POP ASCII file configuration
      1.2.8  POP server support for external authentication

2  Installation, Configuration, Startup, and Shutdown
   2.1  Installing Over V5.3 Early Adopter's Kits (EAKs)
   2.2  Upgrading from TCP/IP Services Version 4.x
   2.3  Adding a system to an OpenVMS Cluster
      2.3.1  Running a newly configured host on the Cluster
      2.3.2  Configuring TCP/IP Services before adding the system to the Cluster
      2.3.3  Disabling or enabling SSH server
   2.4  SSH configuration files must be updated
   2.5  Troubleshooting SMTP and LPD shutdown problems

3  Restrictions and Limitations
   3.1  IP Security
   3.2  Dnssec_signzone utility may hang
   3.3  COPY /FTP restriction
   3.4  OpenVMS Mails
   3.5  Netstat utility
   3.6  SMTP configured for cluster awareness
   3.7  Manually configuring an interface as DHCP leads to startup problems
   3.8  SLIP restrictions
   3.9  Advanced Programming Environment restrictions and guidelines
   3.10  BIND/DNS restrictions
   3.11  IPv6 restrictions
      3.11.1  Mobile IPv6 restrictions
      3.11.2  IPv6 requires the BIND Resolver
   3.12  NFS restrictions
      3.12.1  NFS Server problems and restrictions
      3.12.2  NFS Client problems and restrictions
   3.13  NTP problems and restrictions
   3.14  SNMP problems and restrictions
      3.14.1  Incomplete restart
      3.14.2  SNMP IVP error
      3.14.3  Using existing MIB subagent modules
      3.14.4  Upgrading SNMP
      3.14.5  Communication controller data not completely updated
      3.14.6  SNMP MIB browser usage
      3.14.7  Duplicate subagent identifiers
      3.14.8  Community name restrictions
      3.14.9  eSNMP programming and subagent development
      3.14.10  SNMP installation verification program restriction
   3.15  SSH problems and restrictions
      3.15.1  SSH-Related security advisories
      3.15.2  SSH general notes and restrictions
      3.15.3  UNIX features that are not supported by SSH
      3.15.4  SSH command syntax
      3.15.5  SSH authentication
      3.15.6  SSH keys
      3.15.7  SSH sessions
      3.15.8  SSH messages
      3.15.9  SSH remote commands
      3.15.10  SSH batch mode
      3.15.11  ls fails after cd to a logical name from a Tru64 UNIX client
      3.15.12  SSH X11 port forwarding
      3.15.13  SSH file transfer (All File Sizes)
      3.15.14  SSH transferring large files
      3.15.15  SSH server signals internal credentials cache error
      3.15.16  SFTP general problems and restrictions
      3.15.17  SFTP generates audit warnings with class device
      3.15.18  BIND Resolver diagnostics creates an SSH packet corruption
   3.16  TCPDUMP restrictions
   3.17  TCP/IP Management Command restrictions

4  Corrections
   4.1  Advanced Programming Environment problems fixed in this release
      4.1.1  Buffer overflow in ntpq program
      4.1.2  With PPE enabled, system crashes during shutdown
   4.2  BIND Server problems fixed in this release
      4.2.1  Bind server crashes on receipt of dynamic update message
      4.2.2  SYSTEM-W-NOSUCHFILE and %DCL-E-INVIFNEST Errors
      4.2.3  %LIBRAR-E-LOOKUPERR error in the BIND server
      4.2.4  BINDSETUP fails to conform to the database filename
      4.2.5  Entering CTRL/C for TCPIP SHOW HOST (/NOLOCAL)
      4.2.6  Memory usage statistics
      4.2.7  Delay because of using "ROUTE ADD"
      4.2.8  Resolving the local host database names
      4.2.9  Unexpected IPv6-looking address in the TELNET client
      4.2.10  Specifying an invalid port number to getnameinfo()
      4.2.11  NI_* flag values for getnameinfo()
      4.2.12  TCPIP$SYSTEM:HOSTS.DAT ASCII file
      4.2.13  Query IDs
      4.2.14  BIND cluster-wide startup and shutdown command procedures
      4.2.15  BIND9 Resolver aborts
      4.2.16  Spoofing and cache-poisoning attack in a BIND/DNS server
      4.2.17  Spoofing and cache-poisoning attack in a UDP port
      4.2.18  Memory leaks in BIND Resolver functions
      4.2.19  GETADDRINFO with nodename as NULL fails
   4.3  DHCP component problems fixed in this release
      4.3.1  DHCP server fails to update the DNS server correctly
      4.3.2  RMS-E-FLK errors when running the TCPIP$$SETHOSTNAME.COM script's SET HOST and SET NOHOST commands
      4.3.3  DHCP server listens on all interfaces
      4.3.4  DHCPSIGHUP command is issued twice
      4.3.5  DHCP server logs events on ignored interfaces
   4.4  failSAFE IP problems fixed in this release
      4.4.1  failSAFE IP does not read its configuration file
      4.4.2  failSAFE IP may pick the wrong interface to monitor
      4.4.3  If interface_list not specified, default behavior does not work
      4.4.4  IP failover sometimes losses the default route
      4.4.5  First static route failover
   4.5  FINGER Component problems fixed in this release
      4.5.1  File access restrictions when following symbolic links
   4.6  FTP Server and Client problems fixed in this release
      4.6.1  OpenVMS, TCP/IP, or Non-VMS FTP client access to ODS-5 disk
      4.6.2  FTP client copies multiple versions of a file and places them in reverse order
      4.6.3  TCPIP$FTP_1 server stops communicating with the FTP child processes
      4.6.4  FTP server error messages
      4.6.5  Users can still FTP with FTP client disabled
      4.6.6  [VMS]COPY/FTP file with multiple-dot filename does not work
      4.6.7  Addition of "." to a filename
      4.6.8  USER command in a session that is already logged in
      4.6.9  Construction of wildcarded filenames
      4.6.10  "expanded" rooted logical name syntax
      4.6.11  FTP server terminates when there are many connections and disconnections
      4.6.12  DIRECTORY /FTP command fails to return failure status
      4.6.13  Entries made in TCPIP$ETC:IPNODES.DAT are not read
      4.6.14  FTP client echoes the keyboard input associated with ACCT
      4.6.15  GET /FDL and COPY /FTP/FDL commands may fail
      4.6.16  Passive mode on a multihomed system
      4.6.17  Sends the incorrect file version
      4.6.18  Display of files residing on second and subsequent disks
      4.6.19  Transferring files greater than 2GB
   4.7  IMAP problems fixed in this release
      4.7.1  IMAP server allows potential attackers
      4.7.2  Listing of more than hundred empty folders fails
      4.7.3  IMAP server process hang in the exception handler
   4.8  INETDRIVER problems fixed in this release
      4.8.1  System crash in the KVCI$$GENERATE_ASSOC_ID routine
   4.9  IPC (socket library) problems fixed in this release
      4.9.1  TCPIP$INETACP process uses 100% CPU
      4.9.2  Alignment faults in TCPIP$ACCESS_SHR.EXE image
      4.9.3  Definitions for TCP socket
      4.9.4  getnameinfo( ) returns "unknown name or service" error
      4.9.5  freeaddrinfo( ) causes an ACCVIO
      4.9.6  IPv6 address queried before IPv4 address
      4.9.7  BIND9 Resolver flags for getaddrinfo are inadvertently shifted
      4.9.8  Delay when communicating between socket pair
      4.9.9  Alignment faults in gethostbyname()
      4.9.10  Documentation for getaddrinfo() and gai_strerror() - EAI_BADHINTS
   4.10  Load Broker problems fixed in this release
      4.10.1  Load Broker memory leak
   4.11  LPD problems fixed in this release
      4.11.1  Incorrect job status in the mail message
      4.11.2  Printing to an LPD queue with a large setup module is inefficient
      4.11.3  "TCPIP-E-LPD_REQREJECT" message displayed multiple times
      4.11.4  Latent coding defect within the LPD symbiont
   4.12  Management Utilities problems fixed in this release
      4.12.1  TCPIP$CONFIG does not create an alias IP address
      4.12.2  Large number of packets are sent when using the flood functionality
      4.12.3  netstat -i fails to display the network names correctly
      4.12.4  Misleading and unsightly error message when the BIND resolver is not enabled
      4.12.5  TCPIP$CONFIG.COM fails to see devices
      4.12.6  Missing argument for the ip6hoplimit value
      4.12.7  Errors when executing netstat -z
   4.13  NET (Kernel) problems fixed in this release
      4.13.1  TCP/IP routine that services I/O CANCEL and DEASSIGN requests does not restore the entry IPL
      4.13.2  Entering the username and password in binary mode
      4.13.3  TELNET server does not accept new connections
      4.13.4  RLogin fails
      4.13.5  Corruption of non-paged pool
      4.13.6  SACK retransmission transmits more data
      4.13.7  Fail to sense SHARE and FULL_DUPLEX_CLOSE
      4.13.8  System crash after failing to start TCPIP
      4.13.9  Setting the inet sysconfig parameter may cause a crash
      4.13.10  System crash because of coded bugcheck in m_copym( )
      4.13.11  System crash while processing select()
      4.13.12  System crash during Packet loss and SACK processing
      4.13.13  Impossible to disable error message display
      4.13.14  System crash during a select() operation
      4.13.15  Debug code to verify MBAG free list
      4.13.16  Process in RWAST state during process rundown
      4.13.17  use of select() results in a non-paged pool memory leak
      4.13.18  Issuing process in the RWAST state
      4.13.19  Multicast traffic can be lost
      4.13.20  Extensive use of Out Of Band data can cause system crash
      4.13.21  INETACP process experiences a deadlock
      4.13.22  TCPIP$INETACP process attempts to write an error message may result in hang
      4.13.23  Processing of badly formed SACK packets
      4.13.24  TCPIP START ROUTING fails to start a dynamic routing process
      4.13.25  ICMP6 timeouts occurring frequently
      4.13.26  System crash with PGFIPLHI status
      4.13.27  Service limits for NOLISTEN services
      4.13.28  MBUF leak (type MT_CONTROL)
      4.13.29  IPv6 Logo testing
      4.13.30  INCONSTATE bugcheck
      4.13.31  System crash during restart of the INET driver
      4.13.32  System crash when an application does a select() call
      4.13.33  QIO based hostname lookup takes longer time
   4.14  NFS Client problems fixed in this release
      4.14.1  TCPIP DISMOUNT/ALL command does not dismount DNFS devices
      4.14.2  Mounting NFS exported shares requires CMKRNL privileges
      4.14.3  System crash with PGFIPLHI
      4.14.4  Mounting large disks
   4.15  NFS Server problems fixed in this release
      4.15.1  INVEXCEPTN bugchecks occur at OPENVMS_BFS_GETATTR_VMS
      4.15.2  Creating and renaming directory names with special characters
      4.15.3  Access violation in the BFS filesystems
      4.15.4  Creating a directory with special character
      4.15.5  INVEXCEPTN bugcheck in INSQUE and REMQUE PAL instruction
      4.15.6  LOCKD temporary files are not removed
      4.15.7  Unaligned reference fault
      4.15.8  Fails to trigger a defined exception handler
      4.15.9  INVEXCEPTN bugcheck at the OPENVMS_BFS_GETATTR_VMS line
      4.15.10  LOCKD process crashes with an ACCVIO error
      4.15.11  Files with names that contain an odd number of bytes are not created
   4.16  NTP problems fixed in this release
      4.16.1  Stack buffer overflow in NTPQ
      4.16.2  Displays the "keyid" as optional
      4.16.3  NTP fails to synchronize during the repeated hour
   4.17  POP problems fixed in this release
      4.17.1  POP allows potential attackers
      4.17.2  Version number on POP's "XTND STATS"
   4.18  PWIP problems fixed in this release
      4.18.1  System crash during PWIP shutdown
      4.18.2  Bulk data transfer performance
   4.19  SMTP problems fixed in this release
      4.19.1  Anti spam for unresolvable-domains and unqualified-senders
      4.19.2  SMTP fails to receive mails
      4.19.3  Large number of recipients in the TO field
      4.19.4  VMS MAIL does not support lines longer than 255 characters and mixed case headers
      4.19.5  SMTP server fails to deliver mail
      4.19.6  SMTP distribution list filenames fails to form properly
      4.19.7  TCPIP$SMTP_FROM logical affects the SMTP Return-Path header
      4.19.8  Adding Persistent-Server displays an error message
   4.20  SNMP problems fixed in this release
      4.20.1  SNMP displays "HrProcessorLoad" as always zero
      4.20.2  TCPIP$HR_MIB.EXE memory leaks
      4.20.3  Error message not displayed when the specified hostname is invalid
      4.20.4  TCPIP$HR_MIB process dies with an ACCVIO error
      4.20.5  SNMP fails to start with IPv6 disabled
      4.20.6  TCPIP$HR_MIB process consumes excessive CPU time
   4.21  SSH, SCP and SFTP problems fixed in this release
      4.21.1  Error message is overwritten for "illegal options" provided with ls
      4.21.2  SSH server crashes when non-existent username is specified
      4.21.3  MGET *.<file extension> does not work
      4.21.4  SCP Copy does not work with filenames with wildcards
      4.21.5  LS *.TXT fails to display files
      4.21.6  SSH idle-timeout counter fails to reset
      4.21.7  SFTP client converts filenames to uppercase
      4.21.8  SFTP "PUT" command fails on Windows server
      4.21.9  SFTP "CD SYS$LOGIN" fails
      4.21.10  SFTP process becomes CPU-bound when using CHROOT
      4.21.11  ls * .txt does not display the list of files
      4.21.12  Copy fails with wildcard (*) character
      4.21.13  ACCVIO on non-existent user
      4.21.14  mget *.lis does not work
      4.21.15  ls -l fails to work
      4.21.16  ACCVIO if identifier not the same as the username
      4.21.17  Wildcard ("*") processing on "ls"
      4.21.18  Entering an extra <CR>
      4.21.19  SSH access to an account with an expired password and a PWDLIFETIME of 0
      4.21.20  put *.*;* may not work
      4.21.21  Ability to navigate to subdirectories has regressed
      4.21.22  ls -r fails with an error
      4.21.23  Transferring larger files
      4.21.24  ls command fails to list ODS-5 extended filenames
      4.21.25  Error returned by the stat() function during a "get" operation
      4.21.26  SSH server enforces an idle session timeout value
      4.21.27  ACCVIO error during password validation
      4.21.28  Issues related to the password change
      4.21.29  Error message appears at the conclusion of a copy operation
      4.21.30  -r command does not work as expected
        4.21.31  Directory logical names gets translated on the client
        4.21.32  Miscellaneous Problems
        4.21.33  SSH server may not complete authentication
        4.21.34  SSH client uses an existing SSH connection for a new SFTP session
        4.21.35  Messages displaying the last interactive and last non-interactive login times are not displayed
        4.21.36  X application fails authentication
        4.21.37  PUT command to Sterling or Tumbleweed software failed with errors
        4.21.38  Fails to set the last non-interactive login time
        4.21.39  SSH server could be sent into a tight loop
        4.21.40  ListenAddress SSH server configuration field is not supported
        4.21.41  Protections on key files created by SSH_KEYGEN
        4.21.42  "-e" switch on SSH_KEYGEN does not work
        4.21.43  Password expiry
        4.21.44  SSH access to Integrity ILO console
        4.21.45  Explanatory message back to the client during an attempted password change
        4.21.46  Connecting to AIX OpenSSH server results in an error
        4.21.47  Log into a non-existent account via SSH may fail
        4.21.48  UserLoginLimit is ignored
        4.21.49  Using X11 forwarding frequently fails
        4.21.50  RIGHTSLIST identifier missing displays an ACCVIO error
        4.21.51  Opening multiple interactive login sessions over one SSH TCP connection
        4.21.52  Rename command for a file with an OpenVMS version number returns an error
        4.21.53  "password aging" message is not displayed
        4.21.54  Re-entering the old password as the new password
        4.21.55  ACCVIO when the batch mode is used
        4.21.56  Weak password and system-dictionary checking does not happen
        4.21.57  SSH login via public key authentication may fail
        4.21.58  LCD command in SFTP fails with "CD failed"
        4.21.59  error and command messages to stderr (SYS$ERROR) and stdout (SYS$OUTPUT)
        4.21.60  Data appears to be truncated on the remote end
        4.21.61  Spurious debug messages at the end of an SFTP log file
        4.21.62  Authentication failure when trying to connect to HP ProLiant iLO mpSSH Server
        4.21.63  Only the first 3 IdKeys are processed
        4.21.64  lcd to logical name specification restrictions
        4.21.65  Port forwarding fails if ResolveClientHostName is set to 'no'
        4.21.66  Transferring large number of files using SFTP
        4.21.67  SSH connection requests are handled as NETWORK access
        4.21.68  UAF account expiry is not notified
        4.21.69  Characters from extended character set are allowed
        4.21.70  Accessing files via SFTP causes excessive Security alarms
        4.21.71  SYS$ANNOUNCE message displayed after login
        4.21.72  "ls -l" and the "rename" command with wildcards fails
        4.21.73  Opening a second Tectia SSH client
        4.21.74  Server process crashes while listing files
      4.22  SYSCONFIG problems fixed in this release
        4.22.1   Sysconfigdb generates incorrect error message
      4.23  TCPDUMP problems fixed in this release
        4.23.1   TCPDUMP exits with a success status when invalid arguments are passed
      4.24  TELNET problems fixed in this release
        4.24.1   Arbitrary characters received on the TELNET server
        4.24.2   Quoted character gets dropped
        4.24.3   User authorization failure
        4.24.4   Destination address is not set correctly
        4.24.5   Allocating a freshly-created outbound TN device
        4.24.6   "INVEXCEPTN @SMP$ACQUIRE_C + 00034" error displayed
        4.24.7   Logins blocked after the seed for TN devices exceeding 9999
        4.24.8   TN3270 users receive an error message
        4.24.9   OpenVMS telnet client echoes the password
      4.25  TFTP problems fixed in this release
        4.25.1   TFTP server randomly exits in between a file transfer
      4.26  User Control Program problems fixed in this release
        4.26.1   Enabling the 128th service using CONFIG ENABLE SERVICE
        4.26.2   Entering a long domain name may trigger a failure while configuring TCPIP
        4.26.3   TCPIP SHOW COMMUNICATION truncates its output
        4.26.4   SET NAME_SERVICE /INITIALIZE /CLUSTER fails to find TCPIP$BIND_RUNNING_*.DAT;*
        4.26.5   TCPIP SHOW DEVICE_SOCKET output is not properly formatted

   5  Documentation Update

      5.1   Documentation Not Being Updated for This Release
      5.2   Documentation Errata

   A  LPD/LPR Configuration

      A.1   Configuring LPD job from local host to the remote system
      A.2   Configuring LPD job from local host to the remote system over the SSH tunnel

   Tables

      1     TCP/IP Services Documentation
      1-1   TCP/IP Services for OpenVMS, New Features
      1-2   FTP restriction logicals
      1-3   TCP/IP Services for OpenVMS, Enhancements
      2-1   Minimum Values for SYSUAF Parameters
      3-1   CERT/SSRT Network Security Advisories

Preface

      The HP TCP/IP Services for OpenVMS product is the HP
      implementation of the TCP/IP protocol suite and Internet
      services for OpenVMS Alpha and OpenVMS Integrity server
      systems. This document describes the latest release of the
      HP TCP/IP Services for OpenVMS product.

      TCP/IP Services provides a comprehensive suite of functions
      and applications that support industry-standard protocols
      for heterogeneous network communications and resource
      sharing.

      For installation instructions, see the HP TCP/IP Services
      for OpenVMS Installation and Configuration manual.

      The release notes provide version-specific information that
      supersedes the information in the documentation set. The
      features, restrictions, and corrections in this version
      of the software are described in the release notes.
      Always read the release notes before installing the software.

Intended Audience

      These release notes are intended for experienced OpenVMS
      and UNIX® system managers and assume a working knowledge
      of OpenVMS system management, TCP/IP networking, TCP/IP
      terminology, and some familiarity with the TCP/IP Services
      product.

Document Structure

      These release notes are organized into the following
      chapters:

      o  Chapter 1 describes new features and special changes to
         the software that enhance its observed behavior.

      o  Chapter 2 describes changes to the installation,
         configuration, and startup procedures, and includes
         other related information that is not included in
         the HP TCP/IP Services for OpenVMS Installation and
         Configuration manual.

      o  Chapter 3 describes information about problems and
         restrictions, and includes notes describing changes
         to particular commands or services.

      o  Chapter 4 describes problems identified in previous
         versions of TCP/IP Services that have been fixed.

      o  Chapter 5 describes updates to information in the TCP/IP
         Services product documentation.

Related Documents

      Table 1 lists the documents available with this version of
      TCP/IP Services.

      Table 1 TCP/IP Services Documentation
      ____________________________________________________________________
      Manual                      Contents
      ____________________________________________________________________
      HP TCP/IP Services for      This manual provides conceptual
      OpenVMS Concepts and        information about TCP/IP networking
      Planning                    on OpenVMS systems, including general
                                  planning issues to consider before
                                  configuring your system to use the
                                  TCP/IP Services software.

                                  This manual also describes the other
                                  manuals in the TCP/IP Services
                                  documentation set and provides a
                                  glossary of terms and acronyms for
                                  the TCP/IP Services software product.

      HP TCP/IP Services for      The release notes provide version-
      OpenVMS Release Notes       specific information that supersedes
                                  the information in the documentation
                                  set. The features, restrictions, and
                                  corrections in this version of the
                                  software are described in the release
                                  notes. Always read the release notes
                                  before installing the software.

      HP TCP/IP Services for      This manual explains how to install and
      OpenVMS Installation and    configure the TCP/IP Services product.
      Configuration

      HP TCP/IP Services for      This manual describes how to use
      OpenVMS User's Guide        the applications available with
                                  TCP/IP Services such as remote file
                                  operations, e-mail, TELNET, TN3270, and
                                  network printing.

      HP TCP/IP Services for      This manual describes how to configure
      OpenVMS Management          and manage the TCP/IP Services product.

      HP TCP/IP Services          This manual describes the TCP/IP
      for OpenVMS Management      Services management commands.
      Command Reference

      HP TCP/IP Services          This reference card lists the TCP/IP
      for OpenVMS Management      management commands by component and
      Command Quick Reference     describes the purpose of each command.
      Card

      HP TCP/IP Services for      This reference card contains
      OpenVMS UNIX Command        information about commonly performed
      Equivalents Reference       network management tasks and their
      Card                        corresponding TCP/IP management and
                                  UNIX command formats.

      HP TCP/IP Services          This manual presents an overview of
      for OpenVMS ONC RPC         high-level programming using open
      Programming                 network computing remote procedure
                                  calls (ONC RPC). This manual also
                                  describes the RPC programming interface
                                  and how to use the RPCGEN protocol
                                  compiler to create applications.

      HP TCP/IP Services for      This manual describes how to configure,
      OpenVMS Guide to SSH        set up, use, and manage the SSH for
                                  OpenVMS software.

      HP TCP/IP Services for      This manual describes how to use the
      OpenVMS Sockets API         Berkeley Sockets API and OpenVMS
      and System Services         system services to develop network
      Programming                 applications.

      HP TCP/IP Services for      This manual describes the Simple
      OpenVMS SNMP Programming    Network Management Protocol (SNMP)
      and Reference               and the SNMP application programming
                                  interface (eSNMP). It describes
                                  the subagents provided with TCP/IP
                                  Services, utilities provided for
                                  managing subagents, and how to build
                                  your own subagents.

      HP TCP/IP Services          This manual provides information
      for OpenVMS Tuning and      about how to isolate the causes of
      Troubleshooting             network problems and how to tune
                                  the TCP/IP Services software for the
                                  best performance. It also provides
                                  information about using UNIX network
                                  management utilities on OpenVMS.

      HP TCP/IP Services for      This manual describes the IPv6
      OpenVMS Guide to IPv6       environment, the roles of systems
                                  in this environment, the types
                                  and function of the different IPv6
                                  addresses, and how to configure TCP/IP
                                  Services to access the IPv6 network.
      ____________________________________________________________________

      For additional information about HP OpenVMS products and
      services, see:

            http://www.hp.com/go/openvms

      For a comprehensive overview of the TCP/IP protocol suite,
      refer to the book Internetworking with TCP/IP: Principles,
      Protocols, and Architecture, by Douglas Comer.

Reader's Comments

      HP welcomes your comments on this manual.
      Please send comments to openvmsdoc@hp.com.

How to Order Additional Documentation

      For information about how to order additional
      documentation, see:

            http://www.hp.com/go/openvms/doc/order

Conventions

      In the product documentation, the name TCP/IP Services
      means any of the following:

      o  HP TCP/IP Services for OpenVMS Alpha

      o  HP TCP/IP Services for OpenVMS Integrity servers

      In addition, please note that all IP addresses are
      fictitious.

      The following conventions are used in the documentation.

      Ctrl/x           A sequence such as Ctrl/x indicates that
                       you must hold down the key labeled Ctrl
                       while you press another key or a pointing
                       device button.

      PF1 x            A sequence such as PF1 x indicates that
                       you must first press and release the key
                       labeled PF1 and then press and release
                       another key or a pointing device button.

      <Return>         In examples, a key name enclosed in a
                       box indicates that you press a key on
                       the keyboard. (In text, a key name is not
                       enclosed in a box.)

                       In the HTML version of this document, this
                       convention appears as brackets, rather
                       than a box.

      . . .            A horizontal ellipsis in examples
                       indicates one of the following
                       possibilities:

                       o  Additional optional arguments in a
                          statement have been omitted.

                       o  The preceding item or items can be
                          repeated one or more times.

                       o  Additional parameters, values, or other
                          information can be entered.

      .                A vertical ellipsis indicates the omission
      .                of items from a code example or command
      .                format; the items are omitted because
                       they are not important to the topic being
                       discussed.

      ( )              In command format descriptions,
                       parentheses indicate that you must enclose
                       choices in parentheses if you specify more
                       than one.

      [ ]              In command format descriptions, brackets
                       indicate optional choices. You can choose
                       one or more items or no items. Do not
                       type the brackets on the command line.
                       However, you must include the brackets
                       in the syntax for OpenVMS directory
                       specifications and for a substring
                       specification in an assignment statement.

      |                In command format descriptions, vertical
                       bars separate choices within brackets
                       or braces. Within brackets, the choices
                       are optional; within braces, at least
                       one choice is required. Do not type the
                       vertical bars on the command line.

      { }              In command format descriptions, braces
                       indicate required choices; you must choose
                       at least one of the items listed. Do not
                       type the braces on the command line.

      bold type        Bold type represents the introduction of a
                       new term. It also represents the name of
                       an argument, an attribute, or a reason.

      italic type      Italic type indicates important
                       information, complete titles of
                       manuals, or variables. Variables include
                       information that varies in system output
                       (Internal error number), in command
                       lines (/PRODUCER=name), and in command
                       parameters in text (where dd represents
                       the predefined code for the device type).

      UPPERCASE TYPE   Uppercase type indicates a command, the
                       name of a routine, the name of a file, or
                       the abbreviation for a system privilege.

      Example          This typeface indicates code examples,
                       command examples, and interactive
                       screen displays. In text, this type
                       also identifies URLs, UNIX commands and
                       pathnames, PC-based commands and folders,
                       and certain elements of the C programming
                       language.

      -                A hyphen at the end of a command format
                       description, command line, or code line
                       indicates that the command or statement
                       continues on the following line.

      numbers          All numbers in text are assumed to be
                       decimal unless otherwise noted. Nondecimal
                       radixes (binary, octal, or hexadecimal) are
                       explicitly indicated.

1 New Features and Behavioral Enhancements

      This chapter describes the new features of TCP/IP Services
      Version 5.7 as well as behavioral enhancements.

        ________________________ Note ________________________

        TCP/IP Services Version 5.7 is supported on OpenVMS
        Alpha and OpenVMS for Integrity servers systems only.
        On VAX systems, use TCP/IP Services Version 5.3.

        To use TCP/IP Services Version 5.7, you must upgrade
        to OpenVMS Version 8.4 or higher.

        ______________________________________________________

      For information about installing and configuring
      TCP/IP Services, see the HP TCP/IP Services for OpenVMS
      Installation and Configuration guide.

1.1 New features

      Table 1-1 lists the new features of TCP/IP Services Version
      5.7 and the sections that describe them.

      Table 1-1 TCP/IP Services for OpenVMS, New Features
      ____________________________________________________________
      Feature         Section  Description
      ____________________________________________________________
      Packet          1.1.1    This release includes Packet
      Processing               Processing Engine, a CPU for
      Engine                   processing TCP/IP that increases
                               the performance efficiency.

      FTP Anonymous   1.1.2    This release includes FTP
      Light                    Anonymous Light, used for
                               restricting user access for a
                               particular set of directories.
      ____________________________________________________________

1.1.1 Packet Processing Engine

      TCP/IP Packet Processing Engine (PPE) is modeled on the
      OpenVMS Dedicated Lock Manager. If you are familiar with
      Dedicated Lock Manager, you will only need to learn the
      different methods used to manage TCP/IP PPE.

      TCP/IP runs on a single CPU, which is normally shared
      with other processes. However, some system loads result
      in near saturation of the TCP/IP CPU and cause TCP/IP to
      become a system-wide bottleneck. By dedicating a CPU for
      processing TCP/IP, a significant performance efficiency
      can be achieved, but at the cost of dedicating a CPU to
      TCP/IP.

        ________________________ Note ________________________

        Since TCP/IP PPE is recommended only in environments
        where the TCP/IP CPU is near saturation, dedicating
        a CPU to TCP/IP is a mere formality, but one with
        significant payback.

        ______________________________________________________

      Also, note that TCP/IP PPE can be dynamically enabled and
      disabled. The system administrator can dynamically change
      the state of the TCP/IP PPE to suit the required load.

1.1.1.1 Configuring PPE

      This section describes the hardware and software
      configuration required to configure PPE.

      Hardware configuration

      TCP/IP PPE will run only on systems with more than one
      active CPU.
If TCP/IP PPE was running and the configuration changes such that
there is only one active CPU remaining, the TCP/IP PPE becomes dormant.

Because TCP/IP PPE dedicates an entire CPU to processing TCP/IP, it is
recommended that TCP/IP PPE be enabled only on systems with a large
number of CPUs, and only if the current TCP/IP CPU is nearing
saturation.

Software configuration

For optimum performance, a CPU must be dedicated to PPE.

Normally, the TCP/IP BG0: driver shares the CPU with other fastpath
drivers and processes. However, to achieve the best results with
TCP/IP PPE, it is necessary to configure BG0: to be the only driver
using the nominated CPU; all other fastpath drivers must be moved to
other CPUs.

If TCP/IP PPE is running and other drivers are associated with the
same CPU as BG0:, it results in suboptimal performance for both
drivers.

Sample configuration

1. Configure the BG driver to be dedicated to CPU 3. For optimum
   results, ensure that no other fastpath devices share CPU 3.

   To examine the fastpath devices that are using CPU 3, execute the
   following:

       $ SHOW FASTPATH

2. If other fastpath drivers are assigned to that CPU, move them to a
   different CPU. For example, if the PEA0: device is assigned to
   CPU 3, move it to another CPU by executing the following:

       $ SET DEVICE PEA0 /PREF=5  ! move PEA0 to CPU 5

3. Assign TCP/IP BG0: device to CPU 3 by executing the following:

       $ SET DEVICE BG0/PREF=3

4. Verify that BG0: is the only fastpath driver assigned to CPU 3 by
   executing the following:

       $ SHOW FASTPATH/CPU=3

1.1.1.2 Managing TCP/IP PPE

TCP/IP PPE is managed using the SYSCONFIG subsystem. To manage the
TCP/IP PPE, complete the following steps:

Dynamically enable or disable PPE

1. To use sysconfig, at the DCL command line, execute the following:

       $ @SYS$MANAGER:TCPIP$DEFINE_COMMANDS

2. To examine the current state of PPE, execute the following:

       $ SYSCONFIG -q INET PPE_ENABLE

3. If the ppe_enable attribute is 0, TCP/IP PPE is disabled. To enable
   TCP/IP PPE, execute the following:

       $ SYSCONFIG -r INET PPE_ENABLE=1

  ________________________ Note ________________________

  Although the "ppe_enable" attribute may indicate that TCP/IP PPE is
  enabled, you must also verify that PPE is running. As described in
  Section 1.1.1, PPE does not run if the number of active CPUs drops
  to 1.
  To verify that TCP/IP PPE is running, execute the following:

      $ SHOW SYSTEM/PROC=TCPIP$INETPPE

  An output similar to the following is displayed:

  OpenVMS V8.4 on node GRYFFI  30-AUG-2009 13:32:03.22  Uptime  0 13:00:21
    Pid     Process Name   State  Pri   I/O       CPU         Page flts  Pages
  22000438  TCPIP$INETPPE  CUR 3  63    10   0 12:49:32.25        91      108

  The priority of this process is set to 63. This ensures that TCP/IP
  PPE is not rescheduled and no other process will use CPU 3.

  ______________________________________________________

   You can also use the following command to verify that TCP/IP PPE is
   running:

       $ MONITOR MODES/CPU=3 ! it will be 100% in Kernel Mode

   To dynamically disable TCP/IP PPE, execute the following:

       $ SYSCONFIG -r INET PPE_ENABLE=0

   After a brief moment, the monitor display changes to show the CPU
   load distribution amongst the various modes.

Enabling TCP/IP PPE at system startup

To enable TCP/IP PPE after TCP/IP has started, use one of the
following methods:

o  Add the following to the TCPIP$ETC:SYSCONFIGTAB.DAT file:

       inet:
               ppe_enable=1   # Enable TCP/IP PPE

   When TCP/IP is loaded, the ppe_enable flag will also be set.
   OR

o  Add the SYSCONFIG command to the startup procedure. It is
   recommended that SYS$STARTUP:TCPIP$SYSTARTUP.COM be modified with
   the following:

       $ @SYS$MANAGER:TCPIP$DEFINE_COMMANDS
       $ SYSCONFIG -r INET PPE_ENABLE=1  ! Enable TCP/IP PPE

1.1.1.3 Monitoring PPE

This section describes how to monitor PPE.

When PPE is disabled, the performance of the TCP/IP CPU can be
monitored with the following command:

    $ MONITOR MODES/CPU=xx  ! where xx is the TCP/IP CPU Id

When PPE is enabled, the TCP/IP CPU runs 100% in kernel mode, because
the CPU is dedicated entirely to TCP/IP. Hence, the monitor command is
not useful when PPE is running.

This section describes how to collect statistics when PPE is running.
Also note that this method provides a much finer granularity and can
also be used when PPE is disabled. This approach also helps you
compare performance when PPE is enabled or disabled.

To gather statistics, enable profiling by executing the following:

    $ SYSCONFIG -r INET PROFILING=1

Note that with profiling enabled, there is a small processing overhead
to collect the statistics. It is recommended to enable profiling only
while gathering statistics.
With profiling enabled, the statistics can be gathered using the
TCPMON command as follows:

    $ SET COMMAND TCPIP$EXAMPLES:TCPIP$TCP_MON
    $ TCPMON/SHOW=INET

For more information on how to use the TCPMON command, see the help by
executing the following:

    $ HELP/LIBRARY=TCPIP$EXAMPLES:TCPIP$TCP_MON TCPMON

You can also use the Performance Data Collector (TDC) to monitor PPE.
TDC can automatically gather the PPE statistics. For more information
about TDC, visit the Web site at:

http://h71000.www7.hp.com/openvms/products/tdc/index.html

1.1.1.4 Comparison testing

With profiling enabled, you can compare performance data for when PPE
is enabled and when it is disabled. Assuming that you have a test that
sufficiently saturates the TCP/IP CPU, complete the following steps to
produce data sets that can be easily compared:

1. Enable profiling

   Profiling must be enabled while gathering statistics only. To
   enable profiling, execute the following:

       $ SYSCONFIG -r INET PROFILING=1

2. Ensure that PPE is disabled by executing the following:

       $ SYSCONFIG -r INET PPE_ENABLE=0

3. Run the stress test and monitor the performance as follows:

   o  Using the MONITOR utility

      If the MONITOR utility shows that the TCP/IP CPU is not
      approaching saturation, enabling PPE will not yield any
      advantage.

          $ MONITOR MODES/CPU=xx ! xx = TCP/IP CPU

   o  Using the TCPMON utility

      Capture the fine-granularity statistics and write them to a
      comma-separated value (CSV) file as well as display them on the
      terminal. The CSV file can later be graphically analyzed using
      external programs, such as TLViz (from TDC) or a spreadsheet
      program.

          $ TCPMON /CSV=PPE_COMPARISON.CSV /DISPLAY [/SHOW=INET]

   o  Run the Performance Data Collector (TDC)

      TDC provides the complete data set, which provides a
      whole-system view of performance.

      For more information about TDC, see the Web site at:

      http://h71000.www7.hp.com/openvms/products/tdc/index.html

4. Dynamically enabling PPE

   After collecting sufficient data with PPE disabled, dynamically
   enable PPE. There is no need to interrupt the data collection
   methods described in step 3.

       $ SYSCONFIG -r INET PPE_ENABLE=1

5. Comparing the data

   After gathering sufficient data with PPE disabled and enabled,
   compare the performance characteristics for the given test load.
   Stop the data collection and examine the data set.

6. Disable profiling

   There is a small overhead associated with profiling.
   So, it is recommended to disable profiling when statistics are not
   being gathered.

       $ SYSCONFIG -r INET PROFILING=0

1.1.2 FTP Anonymous Light

FTP Anonymous Light can be used for restricting user access to a
particular set of directories. A system administrator who wants to
restrict an OpenVMS user's FTP access to a particular set of
directories must set the TCPIP$FTP_ANONYMOUS_LIGHT parameter for that
user.

Setting this parameter restricts the FTP operations for the user to a
set of directories indicated by TCPIP$FTP_ANONYMOUS_DIRECTORIES. The
TCPIP$FTP_ANONYMOUS_LIGHT can be defined in LOGIN.COM.

To restrict the FTP access for all users, the parameter must be
defined using a system-wide logical. FTP Anonymous Light users must
specify the correct password to log in. By default, when an anonymous
user is prompted for the identity, any password is accepted.
Optionally, the system administrator can also set
TCPIP$FTP_ANONYMOUS_WELCOME to display a message upon successful
login.

The following example illustrates how FTP Anonymous Light works:

    "TCPIP$FTP_ANONYMOUS_DIRECTORY" = "TCPIP$ENETINFO1:[UCX]"
            = "TCPIP$ENETINFO1:[UCX_AXP]"
            = "TCPIP$ECO:"
            = "TCPIP$PATCH:"
            = "COMMON_SYSDISK:[FAL$SERVER]"
            = "TCPIP$INTERNAL:"
    "TCPIP$FTP_ANONYMOUS_LIGHT" = "1"
    "TCPIP$FTP_ANONYMOUS_LOG" = "SYS$LOGIN:TCPIP$FTP_ANONYMOUS.LOG"
    "TCPIP$FTP_ANONYMOUS_WELCOME" = "FTP Anonymous Light demo"

    ftp plane.tcpip.zko.hp.com
    220 plane.tcpip.zko.hp.com FTP Server (Version 5.6) Ready.
    Connected to plane.zko.hp.com.
    Name (plane.zko.hp.com:test):
    331 Username test requires a Password
    Password:
    230-FTP Anonymous Light demo
    230 Guest login OK, access restrictions apply.
    FTP> cd sys$system
    550 insufficient privilege or file protection violation  (1)
    FTP> cd tcpip$eco
    250-CWD command successful.
    250 New default directory is TCPIP$ENETINFO1:[TCPIP$ENGINEERING_CHANGE_ORDERS]  (2)
    FTP> cd sys$login
    250-CWD command successful.
    250 New default directory is WORK4$:[TEST]
    FTP> bye
    221 Goodbye.

___________________________________________________________
Field       Description
___________________________________________________________
1           This directory is not included in
            TCPIP$FTP_ANONYMOUS_DIRECTORY, so access is restricted

2           This directory is included in
            TCPIP$FTP_ANONYMOUS_DIRECTORY, so access is allowed
___________________________________________________________

An output similar to the following is saved in the log file:

    20-JUN-2008 05:21:45.64 Anonymous Light User:test from Host:16.116.92.100
    20-JUN-2008 05:22:39.61 Anonymous Light User:test status:00010001
                            CWD dir:TCPIP$ENETINFO1:[TCPIP$ENGINEERING_CHANGE_ORDERS]
    20-JUN-2008 05:23:13.49 Anonymous Light User:test status:00010001
                            CWD dir:WORK4$:[TEST]
    20-JUN-2008 05:23:19.15 Anonymous Light User:test status:00000000
                            RETR file:WORK4$:[TEST]A.TXT;30
    20-JUN-2008 05:23:26.07 Anonymous Light User:test logged out

Although the system administrator does not specify the directory,
SYS$LOGIN is always added to TCPIP$FTP_ANONYMOUS_DIRECTORY. As a
result, the Anonymous Light users will always have access to their
SYS$LOGIN.

In some instances, the system administrator may not want the user to
access their SYS$LOGIN. To prevent the user from accessing the
SYS$LOGIN, the system administrator must define
TCPIP$FTP_ANONYMOUS_NOSYSLOGIN for that particular user.
This parameter is useful when a user has changed the directory in
LOGIN.COM and when the system administrator does not want to grant
access to SYS$LOGIN.

1.1.2.1 Access restrictions for FTP operations

The FTP Anonymous Light feature restricts user access to a particular
set of directories. To increase the system administrator's
flexibility, a new set of parameters can be defined to restrict user
operations.

The FTP server checks for the existence of the following four
parameters:

o  TCPIP$FTPD_NOLIST - LIST and NLST commands

o  TCPIP$FTPD_NOREAD - RETR commands

o  TCPIP$FTPD_NOWRITE - STOR, STOU, APPE, RNFR, RNTO, DELE, MKD, and
   RMD commands

o  TCPIP$FTPD_NODELETE - DELE and RMD commands

If the parameter is defined, the FTP server will reject all.

These new access restrictions are applicable in addition to any
restrictions implied by the protections of the underlying files,
directories, volumes, and devices.

If TCPIP$FTPD_NOLIST is defined, the usage of wildcards is not allowed
in FTP operations. This is necessary to prevent FTP users from
obtaining a list of the files in the directory by attempting to
retrieve or delete all the files.
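The following added example (not part of the HP release notes or the product) audits a log in the layout of the Section 1.1.2 excerpt against the directory list and the restriction logicals an administrator intended for a user. Assumptions: the sample log is transcribed from that excerpt, records for verbs other than CWD and RETR are assumed to use the same two-line layout, the wildcard characters checked are the OpenVMS `*` and `%`, and directories are compared by exact match on the translated DEVICE:[DIRECTORY] form that the log shows.

```python
import re

# FTP verbs each restriction logical rejects, as listed in Section 1.1.2.1.
RESTRICTIONS = {
    "TCPIP$FTPD_NOLIST": {"LIST", "NLST"},
    "TCPIP$FTPD_NOREAD": {"RETR"},
    "TCPIP$FTPD_NOWRITE": {"STOR", "STOU", "APPE", "RNFR", "RNTO",
                           "DELE", "MKD", "RMD"},
    "TCPIP$FTPD_NODELETE": {"DELE", "RMD"},
}

# Constructed sample, transcribed from the log excerpt in Section 1.1.2.
SAMPLE_LOG = """\
20-JUN-2008 05:21:45.64 Anonymous Light User:test from Host:16.116.92.100
20-JUN-2008 05:22:39.61 Anonymous Light User:test status:00010001
                        CWD dir:TCPIP$ENETINFO1:[TCPIP$ENGINEERING_CHANGE_ORDERS]
20-JUN-2008 05:23:13.49 Anonymous Light User:test status:00010001
                        CWD dir:WORK4$:[TEST]
20-JUN-2008 05:23:19.15 Anonymous Light User:test status:00000000
                        RETR file:WORK4$:[TEST]A.TXT;30
20-JUN-2008 05:23:26.07 Anonymous Light User:test logged out
"""

HEADER = re.compile(
    r"^\s*(?P<ts>\d{1,2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2}) "
    r"Anonymous Light User:(?P<user>\S+) (?P<rest>.+)$"
)
# Assumed layout of the continuation line: verb, then dir: or file: and a path.
DETAIL = re.compile(r"^\s+(?P<verb>[A-Z]{3,4}) (?:dir|file):(?P<target>\S+)\s*$")


def parse_log(text):
    """Return event dicts; each status line is joined with its detail line."""
    events, pending = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            ts, user, rest = head.group("ts", "user", "rest")
            pending = None
            if rest.startswith("from Host:"):
                host = rest[len("from Host:"):].rstrip(", ")
                events.append({"ts": ts, "user": user, "kind": "login",
                               "host": host})
            elif rest.strip() == "logged out":
                events.append({"ts": ts, "user": user, "kind": "logout"})
            elif rest.startswith("status:"):
                pending = {"ts": ts, "user": user, "kind": "op",
                           "status": rest[len("status:"):].strip()}
            continue
        detail = DETAIL.match(line)
        if detail and pending:
            pending.update(verb=detail.group("verb"),
                           target=detail.group("target"))
            events.append(pending)
            pending = None
    return events


def directory_of(spec):
    """DEVICE:[DIRECTORY] part of an OpenVMS file specification, upper-cased."""
    spec = spec.upper()
    end = spec.rfind("]")
    if end == -1:
        end = spec.find(":")      # device-only form such as TCPIP$ECO:
    return spec[: end + 1]


def audit(events, allowed_dirs, intended_logicals):
    """Return (event, reason) pairs for logged operations outside the policy.

    The status field is reported but not interpreted; every finding is an
    item for the administrator to review, not proof that the server erred.
    """
    allowed = {d.upper() for d in allowed_dirs}
    findings = []
    for ev in events:
        if ev["kind"] != "op":
            continue
        where = directory_of(ev["target"])
        if where not in allowed:
            findings.append((ev, f"{where} is not in the intended directory list"))
        for logical in sorted(intended_logicals):
            if ev["verb"] in RESTRICTIONS.get(logical, ()):
                findings.append((ev, f"{ev['verb']} logged although {logical} is intended"))
        if "TCPIP$FTPD_NOLIST" in intended_logicals and re.search(r"[*%]", ev["target"]):
            findings.append((ev, "wildcard logged although TCPIP$FTPD_NOLIST is intended"))
    return findings


if __name__ == "__main__":
    intended = ["TCPIP$ENETINFO1:[TCPIP$ENGINEERING_CHANGE_ORDERS]"]
    for ev, reason in audit(parse_log(SAMPLE_LOG), intended, {"TCPIP$FTPD_NOREAD"}):
        print(ev["ts"], ev["user"], ev["verb"], ev["target"], "->", reason)
```

With only the translated TCPIP$ECO directory listed as intended, both WORK4$:[TEST] records are reported: that is the implicit SYS$LOGIN access described in Section 1.1.2, which TCPIP$FTP_ANONYMOUS_NOSYSLOGIN removes.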
Table 1-2 lists the FTP restriction logicals that are used to control
their operation:

Table 1-2 FTP restriction logicals
___________________________________________________________
Client command        FTP Logical
___________________________________________________________
Directory             TCPIP$FTPD_NOLIST
View                  TCPIP$FTPD_NOREAD
Put                   TCPIP$FTPD_NOWRITE
Get                   TCPIP$FTPD_NOREAD
Append                TCPIP$FTPD_NOWRITE
Rename                TCPIP$FTPD_NOWRITE
Create                TCPIP$FTPD_NOWRITE
Delete                TCPIP$FTPD_NOWRITE
___________________________________________________________

For example, if the System Administrator does not want a user to
delete files through FTP, set TCPIP$FTPD_NODELETE for that user.

The following example illustrates how to set the TCPIP$FTPD_NODELETE
and TCPIP$FTPD_NOLIST:

    "TCPIP$FTPD_NODELETE" = "1"
    "TCPIP$FTPD_NOLIST" = "1"

    $ ftp plane.tcpip.zko.hp.com
    220 plane.tcpip.zko.hp.com FTP Server (Version 5.6) Ready.
    Connected to plane.zko.hp.com.
    Name (plane.zko.hp.com:test): test
    331 Username test requires a Password
    Password:
    230-FTP Anonymous Light demo
    230 Guest login OK, access restrictions apply.
    FTP> directory *
    200 PORT command successful.
    550 Cannot execute LIST command, Access denied.  (1)

    %TCPIP-E-FTP_NOSUCHFILE, no such file
    FTP> delete a.txt
    550 Cannot execute DEL command, Access denied.  (2)
    FTP> bye
    221 Goodbye.

___________________________________________________________
Field       Description
___________________________________________________________
1           The DIRECTORY command is not allowed because a
            wildcard is present in the command and
            TCPIP$FTPD_NOLIST is defined.

2           The DELETE command is not allowed because the
            TCPIP$FTPD_NODELETE logical is set.
___________________________________________________________

FTP restriction logicals can be used in conjunction with FTP Anonymous
Light to restrict user access through FTP, helping to mitigate a risk
to the system that has been problematic for system administrators.

1.2 Enhancements

Table 1-3 lists the enhancements of TCP/IP Services Version 5.7 and
the sections that describe them.

Table 1-3 TCP/IP Services for OpenVMS, Enhancements
___________________________________________________________________________
Enhancement                     Section  Description
___________________________________________________________________________
TCPIP$CONFIG                    1.2.1    Interface Configuration Menu
                                         is enhanced.

LPD configurable port           1.2.2    LPR/LPD port can be configured.

FTP over SSL                    1.2.3    FTP software is enhanced to use
                                         the security features provided by
                                         SSL.

SMTP cluster ability            1.2.4    SMTP is made cluster aware.

SMTP ASCII file configuration   1.2.5    Supports the SMTP configurable
                                         fields.

SMTP Persistent receiver        1.2.6    The SMTP receiver process is made
                                         persistent.

POP ASCII file configuration    1.2.7    Supports the POP configurable
                                         fields.

POP server support for          1.2.8    Supports the POP server for
external authentication                  external authentication.
___________________________________________________________________________

1.2.1 TCPIP$CONFIG

With support for IP as the cluster interconnect (IPCI), Interface
Configuration Menu now supports the following:

o  Management of interfaces and addresses on another cluster member
   that shares the same TCPIP$CONFIGURATION database.

o  Addresses that can be configured for use with IPCI.

1.2.1.1 Configuring interfaces and addresses on a remote cluster member

Assuming that the cluster members share the same TCPIP$CONFIGURATION
database, each cluster member
can be configured from the same console. This only affects the
TCPIP$CONFIGURATION database; it is not possible to manage the active
addresses on a remote cluster member.

An output similar to the following is displayed for the TCPIP$CONFIG
Interface & Address Configuration menu from one of the nodes in a
cluster:

         HP TCP/IP Services for OpenVMS Interface & Address Configuration Menu

     Hostname Details: Configured=kirra-g0, Active=kirra-g0

     Configuration options:

       0  -  Set The Target Node (Current Node: KIRRA)
       1  -  IE0 Menu (EIA0: TwistedPair 1000mbps)
       2  -  19.176.56.100/23    kirra-g0              Configured,Active
       3  -  19.176.56.101/23    kirra-g1              Configured,Active-Standby
       4  -  19.176.57.100/23    hogwarts-nfs          Configured,Active-Standby
       5  -  19.176.56.25/23     ns1                   Configured,Active-Standby
       6  -  IE1 Menu (EIB0: TwistedPair 1000mbps)
       7  -  19.176.56.101/23    kirra-g1              Configured,Active
       8  -  19.176.56.100/23    kirra-g0              Configured,Active-Standby
       9  -  19.176.57.100/23    hogwarts-nfs          Configured,Active-Standby
      10  -  19.176.56.25/23     ns1                   Configured,Active-Standby
       I  -  Information about your configuration
      [E] -  Exit menu

    Enter configuration option: 0  (1)
    Enter name of node to manage [KIRRA]: GRYFFI  (2)
    Enter system device for GRYFFI [$1$DGA62:]:  (3)
    Enter system root for GRYFFI [SYS0]:  (4)

         HP TCP/IP Services for OpenVMS Interface & Address Configuration Menu

     Hostname Details: Configured=gryffindor-e0

     Configuration options:

       0  -  Set The Target Node (Current Node: GRYFFI - $1$DGA62:[SYS0.])
       1  -  IE0 Menu (EIA0: TwistedPair 100mbps)
       2  -  19.176.56.65/23     gryffindor-e0         Configured
       3  -  19.176.56.81/23     gryffindor-e1         Configured
       4  -  19.176.57.100/23    hogwarts-nfs          Configured
       5  -  19.176.56.25/23     ns1                   Configured
       6  -  IE1 Menu (EIB0: TwistedPair 100mbps)
       7  -  19.176.56.81/23     gryffindor-e1         Configured
       8  -  19.176.56.65/23     gryffindor-e0         Configured
       9  -  19.176.57.100/23    hogwarts-nfs          Configured
      10  -  19.176.56.25/23     ns1                   Configured
       I  -  Information about your configuration
      [E] -  Exit menu

    Enter configuration option:

___________________________________________________________
Field       Description
___________________________________________________________
1           If node GRYFFI is another cluster member that
            shares the same TCPIP$CONFIGURATION database,
            to manage the interfaces and addresses on node
            GRYFFI, select option "0".

2           Enter the SCSNODE name of the other node in the
            cluster to manage. In this case, it is GRYFFI.

3           To support the management of IPCI, it is
            necessary to confirm the system root on the
            remote node.
            The remote cluster member's system device is
            determined using SYSMAN.

4           The remote cluster member's system root is
            determined using SYSMAN. The new TCPIP$CONFIG
            window now displays the configuration on node
            GRYFFI. Changes to this screen will affect node
            GRYFFI's permanent TCP/IP configuration only.
___________________________________________________________

1.2.2 LPD configurable port

LPR/LPD provided by TCP/IP Services for OpenVMS 5.6 and prior versions
connects directly to port 515 on a remote server and sends the data as
specified in RFC 1179. With TCP/IP Services for OpenVMS 5.7, this
remote port is made configurable. A system manager can choose any
ephemeral port.

1.2.2.1 Configuring the remote port

In the printcap file, TCPIP$PRINTCAP.DAT, for each printer entry, a
new field, rt, is added, which can be used to configure the remote
port.

For example:

    LOOP_BOGUS_P_1|loop_bogus_p_1:\
            :lf=/TCPIP$LPD_ROOT/000000/LOOP_BOGUS_P_1.LOG:\
            :lp=LOOP_BOGUS_P_1:\
            :rm=qtvtcp.digitalindiasw.net:\
            :rp=bogus_p_1:\
            :rt#2333:\
            :sd=/TCPIP$LPD_ROOT/LOOP_BOGUS_P_1:

1.2.2.2 Using the LPD configurable port for secure printing

Using the rt field in the printer entry in TCPIP$PRINTCAP.DAT, the LPD
jobs are sent over an SSH
encrypted tunnel. You can configure SSH port forwarding to establish a
tunnel from port (rt) on a system to an LPD receiver port (default is
515 or any other port on which LPD service is configured manually) on
another system where the LPD receiver is listening. For sample LPD/LPR
configurations, see Appendix A.

1.2.3 FTP over SSL

The Transport Layer Security/Secure Socket Layer (TLS/SSL) feature
enables the FTP software to use the security features provided by SSL.
When this feature is enabled, FTP provides a secured FTP session and a
secure file transfer. FTP over SSL is compliant with RFC 4217 and
RFC 2228.

1.2.3.1 Configuring an FTP server for SSL

To configure an FTP server to handle incoming client connections over
SSL, the certificates and keys must be copied to the following
location:

    Certificate file: SSL$CERTS:SERVER.CRT
    Key file: SSL$KEYS:SERVER.KEY

The key and certificate file of the server must be placed in this
directory and must be named SERVER.CRT and SERVER.KEY.
During the FTP server startup, if it does not find either the key or
the certificate file in the required location, the FTP server will not
support SSL.

1.2.3.2 Using FTP client in an SSL environment

You can use FTP over SSL to connect to the server by invoking the
client using the following commands:

    $ FTP /SSL <server>

Or

    $ FTP
    FTP> CONNECT /SSL <server>

If you connect to the server using the /SSL qualifier, both the
control and data connections use SSL by default. By default, the
PROT P command is sent by the client to the server indicating that the
data connection will use SSL.

If you want the data connection communication to happen in clear text,
you can issue the PROT C command on the FTP client CLI.

    ftp> PROT C

The OpenVMS FTP client and server also support the Clear Command
Channel (CCC) mode of operation. The CCC mode can be used in NAT
environments that need a clear command channel to set up NAT for
FTP/SSL. An FTP client issues the CCC command to indicate to the
server that the command channel must not be encrypted. Note that the
data channel will remain encrypted.
As a result, the file transfer will continue to be secured by SSL.

For example, if you want the control connection to not be encrypted,
execute the CCC command at the FTP client CLI:

    ftp> CCC

  ________________________ Note ________________________

  The CCC command can be issued only after logging into the FTP server
  with a valid username and password.

  ______________________________________________________

If you want to use the copy operation in FTP, COPY/FTP, the syntax is
as follows:

    copy /ftp/ssl=(data,ccc) <src system>   <dst system>

If you do not want the data connection to be encrypted, specify NODATA
in the preceding command instead of DATA.

If you want CCC (by default), specify CCC, else specify NOCCC.

1.2.3.3 Considerations during configuration

o  If the server does not find the SERVER.CRT and SERVER.KEY, the
   server will not accept the AUTH TLS command. However, the server
   will continue to accept regular FTP connections.

   An SSL enabled client will still be able to connect to a non-SSL
   enabled server and displays the following message:

   AUTH command will fail, session will continue in plain text.
  F               o  A non-SSL enabled client will be able to login to SSL                   enabled server.  "         1.2.4 SMTP cluster ability  E               SMTP provided by TCP/IP Services for OpenVMS is clusterCI               aware. It exploits the high availability and load balancing0I               features of a cluster. The name of the generic queue is now H               TCPIP$SMTP, without the node name as the suffix. This is aE               common SMTP generic queue for all nodes in the cluster.            1.2.4.1 Configuration   G               The following configurable parameters can be found in the #               TCPIP$SMTP.CONF file:a  C               o  Number-Of-Queues-Per-Node: Specifies the number ofII                  execution SMTP queues created on each node of a cluster.oF                  The default value is 1. The execution queue will have,                  the name format as follows:  6                  TCPIP$SMTP_<emphasis>(<nodename>_<n>)  I                             New Features and Behavioral Enhancements 1-19  T  s      0         New Features and Behavioral Enhancements         1.2 Enhancements    F               o  Queue-name: Specifies the name of generic SMTP queue.+                  The default is TCPIP$SMTP.   F                 ________________________ Note ________________________  E                 The SMTP configuration files, the SMTP home directoryuA                 and the MAIL box must be placed in a disk that is 4                 visible to all nodes in the cluster.  F                 ______________________________________________________  +         1.2.5 SMTP ASCII file configuration   I               TCPIP$SMTP.CONF can also be used to configure the trace andhC               debug parameters, but the precedence will be changed.   C               The existing configuration based on logical names andsA               TCPIP> SET CONFIGURATION SMTP is obsolete. 
The SMTP rollover tool, TCPIP$SMTP_V57_ROLLOVER.EXE, can be used to
upgrade the TCP/IP software to Version 5.7. Upon upgrade, the SMTP
startup procedure will automatically change over to the new ASCII
file-based configuration method. It creates the TCPIP$SMTP.CONF file in
the TCPIP$SMTP_COMMON directory. Upon successful rollover,
SYS$MANAGER:TCPIP$SMTP_V57_ROLLOVER.FLG is created.

Include the appropriate SMTP parameters in this file. The configuration
template file, TCPIP$SMTP.CONF_TEMPLATE, contains the description of
all SMTP configurable parameters and their usage.

________________________ Note ________________________

Only the debug and tracing logicals will take higher precedence, and
the other logicals will be ignored.

______________________________________________________

1.2.6 SMTP Persistent receiver

The SMTP receiver process is made persistent so that it does not die
after receiving each mail. Prior to Version 5.7, for each new mail, a
new SMTP receiver process was created and it died after receiving the
mail. Starting with Version 5.7, each receiver process services
multiple incoming mails as configured.

1.2.6.1 Configurable parameters

Following are the configurable parameters used in SMTP persistent
receiver:

o  Persistent-Server: Enables the persistence of the SMTP receiver if
   set to ON.
   The default value is OFF.

o  Loop-max: Specifies the maximum number of times the SMTP receiver
   must retry a connection. The default is no maximum (the same as
   setting this option to 0). This behavior requires the
   Persistent-Server option to be specified.

o  Idle-Timeout: Specifies the time that the SMTP receiver waits for an
   incoming SMTP connection, in OpenVMS delta time format. The default
   is 5 minutes. This behavior requires the Persistent-Server option to
   be specified.

1.2.7 POP ASCII file configuration

HP TCP/IP Services for OpenVMS, Version 5.7 supports all the POP
configurable fields through the TCPIP$POP.CONF file, except the POP
tracing logical names.

The existing configuration based on logical names is obsolete. The POP
rollover tool, TCPIP$POP_V57_ROLLOVER.EXE, can be used to upgrade the
TCP/IP software to Version 5.7. Upon upgrade, the POP startup procedure
will automatically change over to the new ASCII file-based
configuration method. It will create the TCPIP$POP.CONF file in the
SYS$SYSDEVICE:[TCPIP$POP] directory. Upon successful rollover,
SYS$MANAGER:TCPIP$POP_V57_ROLLOVER.FLG will be created.

Include the appropriate POP configuration parameters in this file. The
configuration template file, TCPIP$POP.CONF_TEMPLATE, contains the
description of all the POP configurable parameters and their usage.

1.2.8 POP server support for external authentication

POP Server support for external authentication adds the capability to
POP clients to authenticate a user on an OpenVMS system.
The POP server uses the SYS$ACM system service that provides this
capability.

The OpenVMS Authentication and Credentials Management Extensions (ACME)
subsystem provides the authentication services.

The new configuration parameter, No-SYSACM-User-Pass, is added to
support the Username and Password authentication on the ACME agents.
The ACME agents can be VMS native authentication extensions or any
other agents such as LDAP, which can authenticate the VMS user
externally. When you configure the POP to make use of POP external
authentication, you must ensure that the ACME agents are up and
running.

No-SYSACM-User-Pass can be assigned with 0 or 1 as follows:

    No-SYSACM-User-Pass: <Boolean Value>

Where: <Boolean Value> is either:

o  0 / FALSE: POP Server uses SYS$ACM system service for username and
   password authentication.

   OR

o  1 / TRUE : POP Server does not use SYS$ACM system service for
   username and password authentication.

By default, the No-SYSACM-User-Pass is set to TRUE, that is, the POP
server is configured to use the native VMS authentication using
SYS$GETUAI.

________________________ Note ________________________

The external authentication using $ACM support for APOP shared secret
string authentication is not provided.

______________________________________________________

2
_________________________________________________________________

Installation, Configuration, Startup, and Shutdown

This chapter includes notes and changes made to the installation and
configuration of TCP/IP Services, as well as startup and shutdown
procedures. Use this chapter in conjunction with the HP TCP/IP Services
for OpenVMS Installation and Configuration manual.

2.1 Installing Over V5.3 Early Adopter's Kits (EAKs)

If you have installed one or more of the following V5.3 EAKs, you must
use the PCSI REMOVE command to remove the EAKs before you install
TCP/IP Services V5.7:

o  SSH for OpenVMS EAK

o  failSAFE IP EAK

________________________ Note ________________________

If you install the current TCP/IP Services version after removing the
failSAFE IP EAK, you must run TCPIP$CONFIG.COM to reestablish your
target and home interfaces.

______________________________________________________

2.2 Upgrading from TCP/IP Services Version 4.x

Upgrading from versions prior to V5.0 has not been qualified for this
release.

2.3 Adding a system to an OpenVMS Cluster

The TCPIP$CONFIG.COM configuration procedure for TCP/IP Services
Version 5.6 creates OpenVMS accounts using larger system parameter
values than in previous versions. Only new accounts get these larger
values.
These values are useful on OpenVMS Alpha systems but essential on
OpenVMS I64 systems.

To have your OpenVMS I64 system join an OpenVMS Cluster as a TCP/IP
host, HP recommends adding the system to the cluster before you
configure TCP/IP Services. The guidelines in Section 2.3.1 assume you
have followed this recommendation.

If you configure TCP/IP Services before you add the system to a
cluster, see Section 2.3.2.

2.3.1 Running a newly configured host on the Cluster

The following recommendations assume you are configuring TCP/IP
Services on the system after having added the system to the OpenVMS
Cluster.

If TCP/IP Services has previously been installed on the cluster and you
encounter problems running a TCP/IP component on the system, modify the
cluster System Authorization File (SYSUAF) to raise the parameter
values for the account used by the affected component.
The minimum 9               recommended values are listed in Table 2-1."  I               Table_2-1_Minimum_Values_for_SYSUAF_Parameters_____________R  I               Parameter_____Minimum_Value________________________________P                 ASTLM         100P                 BIOLM         400   "               BYTLM         108000                 DIOLM         50                 ENQLM         100                  FILLM         100c  !               PGFLQUOTA[1]  50000                  TQELM         50                  WSEXTENT      4000                  WSQUOTA       1024I               [1]This_parameter's_value_setting_is_especially_critical.__   I               ___________________________________________________________r  D               The IMAP, DHCP, and XDM components can exhibit accountF               parameter problems if the value assigned to PGFLQUOTA orG               to any of the other listed parameters is too low. Use the D               OpenVMS AUTHORIZE utility to modify SYSUAF parameters.  >         2-2 Installation, Configuration, Startup, and Shutdown e  i      I                        Installation, Configuration, Startup, and ShutdownmI                                 2.3 Adding a system to an OpenVMS Cluster     D               For more information, see HP OpenVMS System Management.               Utilities Reference Manual: A-L.  I         2.3.2 Configuring TCP/IP Services before adding the system to the_               Cluster   H               If you configure TCP/IP Services before you add the systemB               to a cluster, when you add the system to the clusterE               the owning UIC for each of the TCP/IP service SYS$LOGINtD               directories (TCPIP$service-name, where service-name isH               the name of the service) may be incorrect. 
Use the OpenVMS AUTHORIZE utility to correct these UICs.

2.3.3 Disabling or enabling SSH server

When you use the TCPIP$CONFIG.COM configuration procedure to disable or
enable the SSH server, the following prompt is displayed:

    * Create a new default Server host key? [YES]:

Unless you have a specific reason for creating a new default server
host key, you should enter "N" at this prompt. If you accept the
default, clients with the old key will need to obtain the new key. For
more information, see Section 3.15.6.

2.4 SSH configuration files must be updated

Note that this section refers to upgrades from a version prior to V5.4
ECO.

The SSH client and server on this version of TCP/IP Services cannot use
configuration files from previous versions of SSH.

If the SSH client and server detect systemwide configuration files from
an older version of SSH, the client and server will fail to start. The
client will display the following warning message, and the server will
write the following warning message to the SSH_RUN.LOG file:

    You may have an old style configuration file. Please follow the
    instructions in the release notes to use the new configuration
    files.

If the SSH client detects a user-specific configuration file from an
older version of SSH, the SSH client will display the warning and will
allow the user to proceed.

To preserve the modifications made to the SSH server configuration file
and the SSH client configuration file, you must edit the templates
provided with the new version of SSH, as follows:

1. Extract the template files using the following commands:

   $ LIBRARY/EXTRACT=SSH2_CONFIG SYS$LIBRARY:TCPIP$TEMPLATES.TLB -
   _$ /OUT=TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSH2_CONFIG.

   $ LIBRARY/EXTRACT=SSHD2_CONFIG SYS$LIBRARY:TCPIP$TEMPLATES.TLB -
   _$ /OUT=TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.

   These commands copy the new template files into the SSH2
   configuration directory with a new version number.

2. Copy the modifications made in the old versions of the configuration
   files to the new versions.

3. Start SSH using the following command:

   $ @SYS$STARTUP:SSH_STARTUP.COM
   $ @SYS$STARTUP:SSH_CLIENT_STARTUP.COM

2.5 Troubleshooting SMTP and LPD shutdown problems

If SMTP or LPD shutdown generates errors indicating that the queue
manager is not running, check your site-specific shutdown command
procedure (VMS_SYSHUTDOWN.COM).
If this procedure contains the command to stop the queue manager
(STOP/QUEUE/MANAGER), make sure this command is after the command that
runs the TCPIP$SHUTDOWN.COM command procedure.

________________________ Note ________________________

You do not have to stop the queue manager explicitly. The queue manager
is automatically stopped and started when you restart the system.

______________________________________________________

3
_________________________________________________________________

Restrictions and Limitations

This chapter provides information about problems and restrictions in
the current version of TCP/IP Services, and also includes other
information specific to a particular command or service, such as
changes in command syntax or messages.

3.1 IP Security

The IP Security (IPSec) feature that is included with this kit is not
currently supported. HP recommends that you do not use IPSec in a
production environment.

3.2 Dnssec_signzone utility may hang

The dnssec_signzone utility may hang when invoked from a foreign
symbol.
The utility does not exhibit this behavior when it is executed from the
command line using a foreign symbol or MCR, or when the -r option is
used to specify a source of entropy.

3.3 COPY /FTP restriction

COPY /FTP does not properly support ODS-5 filesystem files.

3.4 OpenVMS Mails

OpenVMS mail sent to a distribution list, to an invalid remote address,
does not get bounced. However, mail to an invalid local address gets
bounced.

3.5 Netstat utility

An IP address added to a tunnel interface cannot be seen with ifconfig.
The new address cannot be seen unless you execute netstat -rn.

3.6 SMTP configured for cluster awareness

If SMTP is configured for cluster awareness, the disk on which the SMTP
configuration files are saved must be mounted before the TCP/IP
software is started. The system will hang on TCP/IP startup if the disk
is not mounted.

3.7 Manually configuring an interface as DHCP leads to startup
    problems

Manually configuring an interface to be managed via DHCP may lead to an
error, TCPIP-E-DEFINTE, when starting TCP/IP. This causes TCP/IP to not
start properly.
To work around this problem, shut down TCP/IP, then on the interface
that was manually configured as DHCP, issue the following command:

    $ tcpip set config inter ifname/PRIMARY

Now restart TCP/IP.

3.8 SLIP restrictions

The serial line IP protocol (SLIP) is not supported in this release.

3.9 Advanced Programming Environment restrictions and guidelines

The header files provided in TCPIP$EXAMPLES are provided as part of the
advanced TCP/IP programming environment. The following list describes
restrictions and guidelines for using them:

o  Use of the functions and data structures described in
   TCPIP$EXAMPLES:RESOLV.H is limited to 32-bit pointers. The
   underlying implementation will only handle 32-bit pointers.
   Previously, 64-bit pointers were wrongly accepted, resulting in
   undefined behavior for the underlying implementation.

o  The IP.H and IP6.H header files are incomplete in the OpenVMS
   environment. They contain include directives for header files that
   are not provided in this version of TCP/IP Services. Refer to the HP
   TCP/IP Services for OpenVMS Sockets API and System Services
   Programming for more information.

3.10 BIND/DNS restrictions

BIND Version 9 has the following restrictions:

o  Certain DNS server implementations do not support AAAA (IPv6
   address) records.
   When queried for an AAAA (IPv6) record type by the BIND resolver,
   these name servers will return an NXDOMAIN status, even if an A
   (IPv4) record exists for the same domain name. These name servers
   should be returning NOERROR as the status for such a query. This
   problem can result in delays during host name resolution.

   BIND Version 9.3.1, which is supported with this release of TCP/IP
   Services, and prior versions of BIND do not exhibit this problem.

o  Serving secure zones

   When acting as an authoritative name server, BIND Version 9 includes
   KEY, SIG, and NXT records in responses as specified in RFC 2535 when
   the request has the DO flag set in the query.

o  Secure resolution

   Basic support for validation of DNSSEC signatures in responses has
   been implemented but should be considered experimental.

   When acting as a caching name server, BIND Version 9 is capable of
   performing basic DNSSEC validation of positive as well as
   nonexistence responses. You can enable this functionality by
   including a trusted-keys clause containing the top-level zone key of
   the DNSSEC tree in the configuration file.

   Validation of wildcard responses is not currently supported.
   In particular, a "name does not exist" response will validate
   successfully even if the server does not contain the NXT records to
   prove the nonexistence of a matching wildcard.

   Proof of insecure status for insecure zones delegated from secure
   zones works when the zones are completely insecure. Privately
   secured zones delegated from secure zones will not work in all
   cases, such as when the privately secured zone is served by the same
   server as an ancestor (but not parent) zone.

   Handling of the CD bit in queries is now fully implemented.
   Validation is not attempted for recursive queries if CD is set.

o  Secure dynamic update

   Dynamic updating of secure zones has been partially implemented.
   Affected NXT and SIG records are updated by the server when an
   update occurs. Use the update-policy statement in the zone
   definition for advanced access control.

o  Secure zone transfers

   BIND Version 9 does not implement the zone transfer security
   mechanisms of RFC 2535 because they are considered inferior to the
   use of TSIG or SIG(0) to ensure the integrity of zone transfers.

o  SSL$LIBCRYPTO_SHR32.EXE requirement

   In this version of TCP/IP Services, the BIND Server and related
   utilities have been updated to use the OpenSSL shareable image
   SSL$LIBCRYPTO_SHR32.EXE.
   There is now a requirement that this shareable image from OpenSSL
   V1.2 or higher be installed on the system before starting the BIND
   Server. It must also be installed before using the following BIND
   utilities:

   BIND_CHECKCONF
   BIND_CHECKZONE
   DIG
   DNSSEC_KEYGEN
   DNSSEC_SIGNZONE
   HOST
   NSUPDATE
   RNDC_CONFGEN

3.11 IPv6 restrictions

The following sections describe restrictions in the use of IPv6.

3.11.1 Mobile IPv6 restrictions

Mobile IPv6 is not supported in this release.

3.11.2 IPv6 requires the BIND Resolver

If you are using IPv6, you must enable the BIND resolver. To enable the
BIND resolver, use the TCPIP$CONFIG.COM command procedure. From the
Core environment menu, select BIND Resolver.

You must specify the BIND server to enable the BIND resolver. If you do
not have access to a BIND server, specify the node address 127.0.0.1 as
your BIND server.

3.12 NFS restrictions

The following sections describe problems and restrictions with NFS.

3.12.1 NFS Server problems and restrictions

The following restrictions apply to the NFS server:

o  When performing a mount operation or starting the NFS server with
   OPCOM enabled, the TCP/IP Services MOUNT server can erroneously
   display the following message:

   %TCPIP-E-NFS_BFSCAL, operation MOUNT_POINT failed on file /dev/dir

   This message appears even when the MOUNT or NFS startup has
   successfully completed. In the case of a mount operation, if it has
   actually succeeded, the following message will also be displayed:

   %TCPIP-S-NFS_MNTSUC, mounted file system /dev/dir

o  If the NFS server and the NFS client are in different domains and
   unqualified host names are used in requests, the lock server (LOCKD)
   fails to honor the request and leaves the file unlocked.

   When the server attempts to look up a host using its unqualified
   host name (for example, johnws) instead of the fully qualified host
   name (for example, johnws.abc.com), and the host is not in the same
   domain as the server, the request fails.

   To solve this type of problem, you can do one of the following:

   -  When you configure the NFS client, specify the fully qualified
      host name, including the domain name. This ensures that
      translation will succeed.

   -  Add an entry to the NFS server's hosts database for the client's
      unqualified host name.
      Only that NFS server will be able to translate this host name.
      This solution will not work if the client obtains its address
      dynamically from DHCP.

3.12.2 NFS Client problems and restrictions

o  If the OpenVMS NFS client executes the MOUNT commands from a script
   in a non-sequential manner, a wrong unit number is returned, causing
   the NFS exported directory to mount on a wrong device number because
   of a timing issue.

   For example, the following mount command causes NFS to be mounted on
   DNFS8 instead of the requested device DNFS4.

   $ TCPIP MOUNT DNFS4:[<directory>]/HOST=<host-name>
     /PATH=<path-name>/SUPER/PROCESSOR=UNIQUE

   Workaround

   Execute the mount commands such that the device numbers are
   sequential.

   For example, instead of the following set of commands:

   $ TCPIP MOUNT DNFS3:[<directory>]/HOST=<host-name>
     /PATH=<path-name>/SUPER/PROCESSOR=UNIQUE
   $ TCPIP MOUNT DNFS2:[<directory>]/HOST=<host-name>
     /PATH=<path-name>/SUPER/PROCESSOR=UNIQUE
   $ TCPIP MOUNT DNFS1:[<directory>]/HOST=<host-name>
     /PATH=<path-name>/SUPER/PROCESSOR=UNIQUE

   Change the sequence as follows:

   $ TCPIP MOUNT DNFS1:[<directory>]/HOST=<host-name>
     /PATH=<path-name>/SUPER/PROCESSOR=UNIQUE
   $ TCPIP MOUNT DNFS2:[<directory>]/HOST=<host-name>
     /PATH=<path-name>/SUPER/PROCESSOR=UNIQUE
   $ TCPIP MOUNT DNFS3:[<directory>]/HOST=<host-name>
     /PATH=<path-name>/SUPER/PROCESSOR=UNIQUE

o  SYMLINKs fail to work for NFS client disks.

o  To get proper timestamps, when the system time is changed for
   daylight savings time (DST), dismount all DNFS devices. (The TCP/IP
   management command SHOW MOUNT should show zero mounted devices.)
   Then remount the devices.

o  The NFS client does not properly handle file names with the
   semicolon character on ODS-5 disk volumes. (For example, a^;b.dat;5
   is a valid file name.) Such file names are truncated at the
   semicolon.

o  The NFS client included with TCP/IP Services uses the NFS Version 2
   protocol only.

o  With the NFS Version 2 protocol, the value of the file size is
   limited to 32 bits.

o  The ISO Latin-1 character set is supported. The UCS-2 characters are
   not supported.

o  File names, including file extensions, can be no more than 236
   characters long.

o  Files containing characters not accepted by ODS-5 on the active
   OpenVMS version or whose name and extension exceeds 236 characters
   are truncated to zero length. This makes them invisible to OpenVMS
   and is consistent with prior OpenVMS NFS client behavior.

3.13 NTP problems and restrictions

The NTP server has a stratum limit of 15.
      The server does not synchronize to any time server that reports
      a stratum of 15 or greater. This may cause problems if you try
      to synchronize to a server running the UCX NTP server, if that
      server has been designated as "free running" (with the
      local-master command). For proper operation, the local-master
      designation must be specified with a stratum no greater than 14.

3.14 SNMP problems and restrictions

      This section describes restrictions to the SNMP component for
      this release. For more information about using SNMP, refer to
      the HP TCP/IP Services for OpenVMS SNMP Programming and
      Reference manual.

3.14.1 Incomplete restart

      When the SNMP master agent and subagents fail or are stopped,
      TCP/IP Services is often able to restart all processes
      automatically. However, under certain conditions, subagent
      processes may not restart. When this happens, the display from
      the DCL command SHOW SYSTEM does not include TCPIP$OS_MIBS and
      TCPIP$HR_MIB. If this situation occurs, restart SNMP by entering
      the following commands:

      $ @SYS$STARTUP:TCPIP$SNMP_SHUTDOWN.COM

      $ @SYS$STARTUP:TCPIP$SNMP_STARTUP.COM

3.14.2 SNMP IVP error

      On slow systems, the SNMP Installation Verification Procedure
      can fail because a subagent does not respond to the test query.
      The error messages look like this:

         .
         .
         .
      Shutting down the SNMP service... done.

      Creating temporary read/write community SNMPIVP_153.

      Enabling SET operations.

      Starting the SNMP service... done.

      SNMPIVP: unexpected text in response to SNMP request:
      "- no such name - returned for variable 1"
      See file SYS$SYSDEVICE:[TCPIP$SNMP]TCPIP$SNMP_REQUEST.DAT for more
      details.
      sysContact could not be retrieved.  Status = 0
      The SNMP IVP has NOT completed successfully.
      SNMP IVP request completed.
      Press Return to continue ...

      You can ignore these types of messages in the IVP.

3.14.3 Using existing MIB subagent modules

      If an existing subagent does not execute properly, you may need
      to relink it against the current version of TCP/IP Services to
      produce a working image. Some subagents (such as those for HP
      Insight Management Agents for OpenVMS) also require a minimum
      version of OpenVMS and a minimum version of TCP/IP Services.
  /               The following restrictions apply:r  F               o  In general, only executable images linked against theD                  following versions of the eSNMP shareable image are  I                                          Restrictions and Limitations 3-9            $         Restrictions and Limitations+         3.14 SNMP problems and restrictionse    E                  upward compatible with the current version of TCP/IPi                  Services:  F                  -  UCX$ESNMP_SHR.EXE from TCP/IP Services Version 4.2                     ECO 4p  I                  -  TCPIP$ESNMP_SHR.EXE from TCP/IP Services Version 5.0A                      ECO 1e  D                  Images built under versions other than these can beC                  relinked with one of the shareable images, or with E                  TCPIP$ESNMP_SHR.EXE in the current version of TCP/IPe                  Services.  D               o  The underlying eSNMP API changed from DPI in TCP/IPD                  Services Version 5.0 to AgentX in later versions ofE                  TCP/IP Services. Therefore, executable images linked A                  against older object library versions of the APIeF                  (*$ESNMP.OLB) must be relinked against either the newC                  object library or the new shareable image. LinkingaB                  against the shareable image ensures future upwardB                  compatibility and results in smaller image sizes.  F                 ________________________ Note ________________________  ?                 Although images may run without being relinked, E                 backward compatibility is not guaranteed. Such imagessC                 can result in inaccurate data or run-time problems. 

        ______________________________________________________

      o  This version of TCP/IP Services provides an updated version
         of the UCX$ESNMP_SHR.EXE shareable image to provide
         compatibility with subagents linked under TCP/IP Services
         Version 4.2 ECO 4. Do not delete this file.

      o  The SNMP server responds correctly to SNMP requests directed
         to a cluster alias. Note, however, that an unexpected host
         may be reached when querying from a TCP/IP Services Version
         4.x system that is a member of a cluster group but is not the
         current impersonator.

      o  The SNMP master agent and subagents do not start if the value
         of the logical name TCPIP$INET_HOST does not yield the IP
         address of a functional interface on the host when used in a
         DNS query. This problem does not occur if the server host is
         configured correctly with a permanent network connection (for
         example, Ethernet or FDDI). The problem can occur when a host
         is connected through PPP and the IP address used for the PPP
         connection does not match the IP address associated with the
         TCPIP$INET_HOST logical name.

      o  Under certain conditions observed primarily on OpenVMS VAX
         systems, the master agent or subagent exits with an error
         from an internal select() socket call. In most circumstances,
         looping does not occur.
         If looping occurs, you can control the number of iterations
         by defining the TCPIP$SNMP_SELECT_ERROR_LIMIT logical name.

      o  The MIB browser provided with TCP/IP Services
         (TCPIP$SNMP_REQUEST.EXE) supports getnext processing of OIDs
         that include the 32-bit OpenVMS process ID as a component.
         However, other MIB browsers may not provide this support.

         For example, the following OIDs and values are supported on
         OpenVMS:

         1.3.6.1.2.1.25.4.2.1.1.1321206828 = 1321206828
         1.3.6.1.2.1.25.4.2.1.1.1321206829 = 1321206829
         1.3.6.1.2.1.25.4.2.1.1.1321206830 = 1321206830

         These examples are from hrSWRunTable; the hrSWRunPerfTable
         may be affected as well.

      o  You can ignore the following warning that appears in the log
         file if a null OID value (0.0) is retrieved in response to a
         Get, GetNext, or GetBulk request:

         o_oid; Null oid or oid->elements, or oid->nelem == 0

3.14.4 Upgrading SNMP

      After upgrading to the current version of TCP/IP Services, you
      must disable and then enable SNMP using the TCPIP$CONFIG.COM
      command procedure.
      When prompted for "this node" or "all nodes," select the option
      that reflects the previous configuration.

3.14.5 Communication controller data not completely updated

      When you upgrade TCP/IP Services and then modify an existing
      communication controller, programs that use the communication
      controller might not have access to the updated information.

      To ensure that programs like the MIB browser (SNMP_REQUEST) have
      access to the new data about the communication controller, do
      the following:

      1. Delete the communication controller using the TCP/IP
         management command DELETE COMMUNICATION_CONTROLLER.

      2. Reset the communication controller by running the
         TCPIP$CONFIG.COM command procedure and exiting.

      3. Restart the program (such as SNMP) by entering the following
         commands:

         $ @SYS$STARTUP:SNMP_SHUTDOWN.COM

         $ @SYS$STARTUP:SNMP_STARTUP.COM

      4. Use the TCP/IP management command
         LIST COMMUNICATION_CONTROLLER to display the information.

3.14.6 SNMP MIB browser usage

      If you use either the -l (loop mode) or -t (tree mode) flag, you
      cannot also specify the -m (maximum repetitions) flag or the -n
      (nonrepeaters) flag.
      The latter flags are incompatible with loop mode and tree mode.

      Incorrect use of the -n and -m flags results in the following
      types of messages:

      $ snmp_request mynode.co.com public getbulk -v2c -n 20 -m 10 -t 1.3.6.1.2.1
      Warning: -n reset to 0 since -l or -t flag is specified.
      Warning: -m reset to 1 since -l or -t flag is specified.
      1.3.6.1.2.1.1.1.0 = mynode.company.com

3.14.7 Duplicate subagent identifiers

      With this version of TCP/IP Services, two subagents can have the
      same identifier parameter. Be aware, however, that having two
      subagents with the same name makes it difficult to determine the
      cause of problems reported in the log file.

3.14.8 Community name restrictions

      The following restrictions on community names are imposed by
      TCPIP$CONFIG.COM:

      o  Do not specify community names that include a space
         character.

      o  A quotation mark (") specified as part of a community name
         might be handled incorrectly.
         Check the validity of the name with the SHOW CONFIGURATION
         SNMP command, and if necessary, correct the name with the SET
         CONFIGURATION SNMP command.

3.14.9 eSNMP programming and subagent development

      The following notes pertain to eSNMP programming and subagent
      development.

      o  In the documentation, the terms "extension subagent", "custom
         subagent", and "user-written subagent" refer to any subagent
         other than the standard subagents for MIB-II and the Host
         Resources MIB, which are provided as part of the TCP/IP
         Services product.

      o  In the [.SNMP] subdirectory of TCPIP$EXAMPLES, files with the
         .C, .H, .COM, .MY, and .AWK extensions contain additional
         comments and documentation.

      o  The TCPIP$SNMP_REQUEST.EXE, TCPIP$SNMP_TRAPSND.EXE, and
         TCPIP$SNMP_TRAPSND.EXE programs are useful for testing during
         extension subagent development.

      o  For information about prototypes and definitions for the
         routines in the eSNMP API, see the TCPIP$SNMP:ESNMP.H file.

3.14.10 SNMP installation verification program restriction

      The SNMP Installation Verification Program will not run
      correctly if debug or trace options are turned on for any TCP/IP
      Services for OpenVMS component.

      For example, including the line:

      options debug

      in TCPIP$ETC:RESOLV.CONF results in unsuccessful completion
      status.

      The problem also exists if socket
      tracing is turned on and directed to SYS$OUTPUT with the
      following command:

      $ DEFINE TCPIP$SOCKET_TRACE SYS$OUTPUT

      The additional output produced by these and other debug or trace
      options can cause problems with the SNMP IVP because it was
      designed to parse output from a standard configuration only.

        ________________________ Note ________________________

        To run the SNMP IVP test, either run the program directly:

        $ RUN SYS$SYSROOT:[SYSTEST.TCPIP]TCPIP$SNMPIVP.EXE

        or execute the TCPIP configuration menu:

        $ @SYS$MANAGER:TCPIP$CONFIG

        and then select option "7 - Run tests" and then option
        "2 - SNMP IVP".

        ______________________________________________________

3.15 SSH problems and restrictions

      This section contains the following information:

      o  SSH-related security advisories (Section 3.15.1)

      o  SSH general notes and restrictions (Section 3.15.2)

      o  UNIX features that are not supported by SSH (Section 3.15.3)

      o  SSH command syntax notes and restrictions (Section 3.15.4)

      o  SSH authentication notes and restrictions (Section 3.15.5)

      o  SSH keys notes and restrictions (Section 3.15.6)

      o  SSH session restrictions (Section 3.15.7)

      o  SSH messages notes and restrictions (Section 3.15.8)

      o  SSH remote command notes and restrictions (Section 3.15.9)

      o  SSH batch mode restrictions (Section 3.15.10)

      o  X11 port forwarding restrictions (Section 3.15.12)

      o  File transfer restrictions (all file sizes) (Section 3.15.13)

      o  File transfer restrictions (large files) (Section 3.15.14)

        ________________________ Note ________________________

        References to SSH, SCP, or SFTP commands also imply SSH2,
        SCP2, and SFTP2, respectively.

        ______________________________________________________

3.15.1 SSH-Related security advisories

      Computer Emergency Readiness Team (CERT(R)) advisories are
      issued by the CERT Coordination Center (CERT/CC), a center of
      Internet security expertise located at the Software Engineering
      Institute, a federally-funded research and development center
      operated by Carnegie Mellon University. CERT advisories are a
      core component of the Technical Cyber Security Alerts document
      featured by the United States Computer Emergency Readiness Team
      (US-CERT), which provides timely information about current
      security issues, vulnerabilities, and exploits.

      CERT and HP Software Security Response Team (SSRT) security
      advisories might be prompted by SSH activity. CERT advisories
      are documented at the following CERT/CC web site:

      http://www.cert.org/advisories.

      Table 3-1 provides brief interpretations of several SSH-related
      advisories:

      Table 3-1 CERT/SSRT Network Security Advisories

      Advisory          Impact on OpenVMS
      ---------------   -----------------------------------------
      CERT CA-2003-24   OpenSSH only; OpenVMS is not vulnerable.

      CERT CA-2002-36   A worst case consequence of this
                        vulnerability is a denial of service
                        (DoS) for a single connection of one of
                        the following types:

                        o  Server process handling a connection
                           from a malicious client

                        o  Client process connecting to a
                           malicious server

                        In either case, a malicious remote host
                        cannot gain access to the OpenVMS host
                        (for example, to execute arbitrary code),
                        and the OpenVMS server is still able to
                        receive a new connection.

      CERT-2001-35      OpenVMS is not vulnerable. Affects SSH
                        Version 1 only, which is not supported.

      CERT CA-1999-15   RSAREF2 library is not used; OpenVMS is
                        not vulnerable.

      SSRT3629A/B       OpenVMS is not vulnerable.

3.15.2 SSH general notes and restrictions

      This section includes general notes and restrictions that are
      not specific to a particular SSH application.

      o  The UNIX path /etc is interpreted by the OpenVMS SSH server
         as TCPIP$SSH_DEVICE:[TCPIP$SSH].

      o  The following images are not included in this release:

         -  TCPIP$SSH_SSH-CERTENROLL2.EXE

            This image provides certificate enrollment.

         -  TCPIP$SSH_SSH-DUMMY-SHELL.EXE

            This image provides access to systems where only file
            transfer functionality is permitted.

         -  TCPIP$SSH_SSH-PROBE2.EXE

            This image provides the ssh-probe2 command, which sends a
            query packet as a UDP datagram to servers and then
            displays the address and the SSH version number of the
            servers that respond to the query.

3.15.3 UNIX features that are not supported by SSH

      This section describes features that are expected in a UNIX
      environment but are not supported by SSH for OpenVMS.

      o  The server configuration parameter PermitRootLogin is not
         supported.

      o  The client configuration parameter EnforceSecureRutils is not
         supported.

      o  There is no automatic mapping from the UNIX ROOT account to
         the OpenVMS SYSTEM account.

      o  The SSH1 protocol suite is not supported for terminal
         sessions, remote command execution, and file transfer
         operations. Parameters unique to SSH1 in the server and
         client configuration files are ignored.

3.15.4 SSH command syntax

      This section includes notes and restrictions pertaining to
      command syntax.

      o  From a non-OpenVMS client, if you use OpenVMS syntax for
         names (such as device names), enclose the names in single
         quotation marks to prevent certain characters from being
         interpreted as they would be on a UNIX system.

         For example, in the following command, UNIX interprets the
         dollar sign ($) as a terminator in the device name
         SYS$SYSDEVICE:[user], resulting in SYS:[user].

         # ssh user@vmssystem directory SYS$SYSDEVICE:[user]

         To avoid this problem, enter the command using the following
         format:

         # ssh user@vmssystem directory 'SYS$SYSDEVICE:[user]'

3.15.5 SSH authentication

      This section includes notes and restrictions pertaining to SSH
      authentication.
  ?               o  The location of the SHOSTS.EQUIV file has beeni;                  moved from TCPIP$SSH_DEVICE:[TCPIP$SSH] to 3                  TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2].t  C               o  If hostbased authentication does not work, the SSH C                  server may have failed to match the host name sentcE                  by the client with the one it finds in DNS/BIND. YouaG                  can check whether this problem exists by comparing thesG                  output of the following commands (ignoring differencesn-                  in case of the output text):   '                  -  On the server host:n                        $ TCPIP7                      TCPIP> SHOW HOST client-ip-address   '                  -  On the client host:r  )                      $ write sys$output -uY                      $_ "''f$trnlnm("TCPIP$INET_HOST")'.''f$trnlnm("TCPIP$INET_DOMAIN")'"t  E                     If the two strings do not match, you should checkSH                     the host name and domain configuration on the clientH                     host. It may be necessary to reconfigure and restart7                     TCP/IP Services on the client host.   H               o  If the user default directory in the SYSUAF user recordF                  is specified with angle brackets (for example, <user-I                  name>) instead of square brackets ([user-name]), hostkey H                  authentication fails. To solve this problem, change the4                  user record to use square brackets.  G               o  The pairing of user name and UIC in the OpenVMS rightstG                  database, as displayed by the AUTHORIZE utility's SHOWoC                  /IDENTIFIER command, must match the pairing in thesE                  SYSUAF record for that user name. 
         not match, the following error message is displayed when the
         user attempts to establish an SSH session:

         $ ssh hosta
         %SYSTEM-F-ACCVIO, access violation, reason mask=00,
         virtual address=000000000000 0000, PC=FFFFFFFF811A88E8, PS=0000001B

           Improperly handled condition, image exit forced.
             Signal arguments:   Number = 0000000000000005
                                 Name   = 000000000000000C
                                          0000000000000000
                                          0000000000000000
                                          FFFFFFFF811A88E8
                                          000000000000001B

             Register dump:
             R0  = FFFFFFFFFFFFFFFE  R1  = 0000000000495D08  R2  = 000000000001DEE0
             R3  = 00000000004ABE18  R4  = 0000000000000000  R5  = 0000000000000000
             R6  = 0000000000000000  R7  = 0000000000000000  R8  = 0000000000000000
             R9  = 0000000000000000  R10 = 0000000000000000  R11 = 00000000002F7C20
             R12 = 0000000000000000  R13 = 0000000000498708  R14 = 00000000004EDF48
             R15 = 000000007AECFE10  R16 = 0000000000000000  R17 = 0000000000000000
             R18 = 0000000000000000  R19 = 000000007B624258  R20 = 0000000077770000
             R21 = 0000000000000008  R22 = FFFFFFFF77774A00  R23 = 0000000300000000
             R24 = 0000000000000001  R25 = 0000000000000001  R26 = 0000000000118A6C
             R27 = 000000007C062700  R28 = 0000000000000000  R29 = 000000007ADEF290
             SP  = 000000007ADEF290  PC  = FFFFFFFF811A88E8  PS  = 100000000000001B

         To solve this, use the AUTHORIZE utility to correct the
         pairing of user name and UIC value in the OpenVMS rights
         database.

3.15.6 SSH keys

      This section includes notes and restrictions pertaining to SSH
      keys.

      o  SSH client users can copy their own customized version of the
         SSH2_CONFIG. file and modify the value of the variable
         StrictHostKeyChecking. By setting the value of this variable
         to "no," the user can enable the client to automatically copy
         the public key (without being prompted for confirmation) from
         an SSH server when contacting that server for the first time.

         A system manager can tighten security by setting the
         StrictHostKeyChecking variable to "yes" in the systemwide
         SSH2_CONFIG. file, and forcing users to use only the
         systemwide version of the file. In this case, to copy the
         public key from the server, users (and the system manager)
         must use another mechanism (for example, a privileged user
         can manually copy the public key). To enforce this tighter
         security response, the system manager can perform the
         following steps:

         1. Edit TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. to include
            the following line:

            StrictHostKeyChecking  yes

         2. Restrict user access to
            TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. For example:

            $ SET SECURITY/PROTECTION=(G,W) TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSH2_CONFIG.;

         3. Edit the SYS$STARTUP:TCPIP$SSH_CLIENT_STARTUP.COM command
            procedure to install the SSH server image with the READALL
            privilege. In the following example, change the existing
            line to the replacement line, as indicated:

               .
               .
               .
            $     image = f$edit("sys$system:tcpip$ssh_ssh2.exe","upcase")
            $!    call install_image 'image' ""          <== existing line
            $     call install_image 'image' "readall"   <== replacement
               .
               .
               .

         4. Enable the SSH client, as described in the HP TCP/IP
            Services for OpenVMS Guide to SSH.

        ________________________ Note ________________________

        Steps 2 and 3 involve modification of system files.
        Therefore, it may be necessary to repeat the modifications
        after a future update of TCP/IP Services.

        ______________________________________________________

      o  If you do not specify the key file in the SSH_ADD command,
         and SSH_ADD finds no IDENTIFICATION.
         file, it adds only the first private key it finds in the
         [username.SSH2] directory.

      o  Do not use the SSH_KEYGEN -e option (used to edit the comment
         or passphrase of the key). This option does not work.

      o  With this release, the default size of keys generated by the
         SSH_KEYGEN utility is 2048 bits (for earlier releases, the
         default size was 1024 bits). Consequently, generation of keys
         takes longer - sometimes five to ten times longer. On slow
         systems, or during SSH configuration, key generation may seem
         to be hanging when it is not. No progress indicator is
         displayed. During SSH configuration, the following messages
         indicate the keys are being generated:

         Creating private key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY
         Creating public key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB

        ________________________ Note ________________________

        While the keys are being generated, you might notice a delay.
        This does not indicate a hang.

        ______________________________________________________

3.15.7 SSH sessions

      This section includes restrictions pertaining to SSH sessions.

      o  In an SSH session on the OpenVMS server, the originating
         client host name and the user name or port identification are
         not available.
         For example, in a TELNET session, the OpenVMS DCL command
         SHOW TERMINAL displays the following information about a UNIX
         client:

         Remote Port Info: Host: unixsys.myco.com Port:2728

         Likewise, information about an OpenVMS client appears as:

         Remote Port Info: Host: mysys.com Locn:_RTA4:/USER

         Neither of these lines is displayed in a similar SSH session;
         however, information for SSH sessions is available in the
         logical names SYS$REM_ID (username) and SYS$REM_NODE and
         SYS$REM_NODE_FULLNAME (hostname).

      o  Starting SSH sessions recursively (for example, starting one
         SSH session from within an existing SSH session) creates a
         layer of sessions. Logging out of the innermost session may
         return to a layer other than the one from which the session
         was started.

      o  SSH escape sequences are not fully supported. For example,
         you may have to enter the Escape . (escape character followed
         by a space and a period) exit sequence twice for it to take
         effect. On exit, the
     On exit, the terminal is left in NOECHO and PASTHRU mode.

  o  On certain non-OpenVMS clients, after attempting to exit from an
     SFTP session, you must press Enter an extra time to return to the
     operating system prompt.

3.15.8 SSH messages

  This section includes notes and restrictions pertaining to SSH
  session messages.

  o  Normally, the translation of the system logical name SYS$ANNOUNCE
     is displayed after authentication is complete. In this version of
     SSH, no automated mechanism exists for displaying this text as a
     prelogin banner.

     To provide a prelogin banner from a text file, create the file
     SSH_BANNER_MESSAGE. containing the text to be displayed before
     login.

     To enter multiple lines in the banner text, make sure each line
     ends with an explicit carriage-return character except the last
     line.

     Save the banner message file in the
     TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2] directory, with privileges that
     allow it to be read by the user account [TCPIP$SSH].

     If you do not use the default file name and location for the
     message banner file, define them using the BannerMessageFile option
     in the TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG. file.
     Specify the location and file name of your banner message file as
     the argument to the option using one of the following formats:

     BannerMessageFile   TCPIP$SSH_DEVICE:[TCPIP$SSH]BANNER1.TXT

     BannerMessageFile   /TCPIP$SSH_DEVICE/TCPIP$SSH/BANNER2.TXT

     BannerMessageFile   /etc/banner3.txt

     Note that the argument may be in either OpenVMS or UNIX format and
     is not case sensitive. (If multiple definitions for the same option
     are included in the configuration file, the last one listed will
     take effect.)

  o  Some SSH informational, warning, and error message codes are
     truncated in the display. For example:

     %TCPIP-E-SSH_FC_ERR_NO_S, file doesn't exists

  o  Some SSH log and trace output messages, and informational, warning,
     and error messages display file specifications as UNIX path names.

3.15.9 SSH remote commands

  This section includes notes and restrictions pertaining to SSH remote
  commands.

  o  Command lines for remote command execution through SSH are limited
     to 153 characters.

  o  After you execute an SSH remote command, you may need to press the
     Enter key to get back to the DCL prompt.

  o  When you execute remote commands on the OpenVMS SSH server, the log
     file TCPIP$SSH_RCMD.LOG is created in the directory defined by the
     logical name SYS$LOGIN for your user account. This log file is not
     purged automatically.

  o  When you execute remote commands on an OpenVMS SSH client connected
     to a non-OpenVMS SSH server, output may not be displayed correctly.
     For example, sequential lines might be offset as if missing a
     linefeed, as in the following example:

     $ ssh user@unixhost ls -a
       user's password:
       Authentication successful.
       .
       ..
          .TTauthority
                      .Xauthority
                                 .cshrc
                                       .dt
                                          .dtprofile

     To display the output correctly, use the -t option with the
     command, as in the following command example:

     $ ssh -t user@unixhost ls -a

  o  Any OpenVMS command that refreshes the display can have unexpected
     results when executed as a remote SSH command.
     For example, the following command exhibits this behavior:

     $ MONITOR PROCESS /TOPCPU

     Executed locally, this command displays a bar chart that is
     continuously updated. When executed as a remote command, it
     displays each update sequentially. In addition, you cannot
     terminate the command using Ctrl/C.

3.15.10 SSH batch mode

  This section includes batch mode restrictions.

  o  Because the SSH, SFTP, and SCP commands are implemented by code
     ported from UNIX sources, they do not support all of the standard
     OpenVMS behaviors for SYS$INPUT, SYS$OUTPUT, and SYS$ERROR in
     command procedures. For example:

     -  SYS$INPUT is not the default batch command procedure.

     -  Output written to a batch log file or other SYS$OUTPUT file may
        have an extra <CR> (ASCII decimal 13) or other explicit
        formatting characters.

     -  You can direct SYS$OUTPUT to a file, as in the following
        example:

        $ ASSIGN OUT.DAT SYS$OUTPUT

  o  When you run these commands from an interactive command procedure,
     you should use the explicit UNIX batch mode flags, as listed in the
     following table:

     ________________________________________________________
     For...                     Use...
     ________________________________________________________
     SSH (remote command        -o batchmode yes
     execution or port
     forwarding),

     SCP,                       "-B"

     SFTP,                      "-B" {batchfile}
     ________________________________________________________

  o  If you use the SSH command in batch mode with an interactive
     session (that is, not for remote command execution or setting up
     port forwarding), the batch job hangs.

     If the -s option is used in an interactive SSH session, or with an
     SSH command executed interactively in a DCL command procedure, the
     terminal session hangs. Ctrl/Y and Ctrl/C will not restore the DCL
     prompt. To release the hung terminal session, you must restart the
     SSH client and server.

  o  For the SFTP command, note the following:

     -  If the command is used without the -B {batchfile} option, SFTP
        uses the following file by default:
        SYS$LOGIN:TCPIP$SFTP_BATCHFILE.TXT.

  o  When running in batch mode:

     -  The SFTP command displays the final state-of-progress indicator;
        the SCP command does not.

     -  The SSH command will not prompt for a password, password update,
        or passphrase.
        If one is required, the batch job fails.

     -  The SSH command will not cause a new host key to be saved if the
        value of StrictHostkeyChecking is "no"; SSH will not prompt for
        one if the value is "ask".

        For other notes and restrictions pertaining to keys, see
        Section 3.15.6.

     -  If an ls command is contained in the SFTP batch input, and the
        interactive output requires input from the keyboard to continue,
        then some of the output lines might be omitted from the batch
        log file.

3.15.11 ls fails after cd to a logical name from a Tru64 UNIX client

  ls can fail when using sftp cd to a logical name from a Tru64 UNIX
  client.

  For a workaround, try the following:

  1. cd to the path for the directory in UNIX format, e.g., instead of:
     cd tcpip$ssh_home, use cd /sys$sysdence/tcpip$ssh.

  2. Perform the ls specifying the logical name in the path, e.g.,
     ls /tcpip$ssh_home.

3.15.12 SSH X11 port forwarding

  This section includes X11 port forwarding restrictions and problems.

  o  To use X11 forwarding in native mode, the system must be running
     DECwindows MOTIF Version 1.3 or higher. In addition, the X
     Authority utility (xauth) is required on the system. The X11 server
     uses this utility for authenticating host/user connections.
     For more information on how to use this utility, see the HP
     DECwindows Motif for OpenVMS documentation.

  o  To display a remote X11 client application on your X11 server, you
     must set the display variable on the X11 client to the address of
     the X11 server the client is connecting to. You can verify that the
     variable is set correctly on an OpenVMS system by using the
     following DCL command:

     $ SHOW LOGICAL DECW$DISPLAY

     For WSA display devices, use the SHOW DISPLAY command to see the
     display variable value.

     To set the display variable on an OpenVMS client to point to your
     server, use the SET DISPLAY command as in the following example,
     where 127.127.1.1 is the server node address:

     $ SET DISPLAY/CREATE/NODE=127.127.1.1/TRANSPORT=TCPIP

     SSH on OpenVMS supports only local and TCP/IP transports. If you
     are using a local transport, you have to be at the system where the
     display is to appear, and that system must be running the X11
     server.
     For local transport, use the following command to set the display:

     $ SET DISPLAY/CREATE/TRANSPORT=LOCAL

     On UNIX systems, use the following command to set the display
     variable to point to a server node with address 16.20.176.33 and
     using the TCP/IP transport:

     >setenv display 16.20.176.33:0.0

     To use local transport, use the following UNIX command:

     >setenv display :0.0

  o  To set up a standard port forwarding session for X11 on a remote
     OpenVMS system, HP recommends that you use remote port forwarding;
     local port forwarding will not work.

3.15.13 SSH file transfer (All File Sizes)

  This section includes SSH restrictions pertaining to file transfer
  operations.

  o  Using the colon character ":" in the pathname for the source and
     destination filename parameters in an SCP command may cause a
     delay.

     Due to an overloading of the colon character in SCP syntax to
     indicate a hostname and in OpenVMS as a path delimiter, what is
     intended to be an OpenVMS logical name for a device or directory in
     an SCP file parameter may be checked as a hostname first and passed
     to a DNS lookup. Normally this is benign, but this could incur an
     otherwise unexplainable wait in an environment experiencing DNS
     lookup delays.
     To avoid the possibility of confusion, use UNIX-style filename
     syntax.

  o  On OpenVMS, setting the ForcePTTYAllocation keyword to "yes" in the
     SSH2_CONFIG. file can result in failures when performing file copy
     operations. (In other implementations of SSH, setting the keyword
     ForcePTTYAllocation to "yes" in the SSH2_CONFIG. file has the same
     effect as using the -t option to the SSH command.)

  o  When connected to some servers, the client can detect benign file
     transfer protocol packet-length errors. By default, no message is
     displayed.

     To display warning messages, type the following:

     $ DEFINE/SYS NO TCPIP$SSH_TOLERANT_PROTOCOL STATUS

     using either the "NO" or any string starting with an upper- or
     lowercase N.

     Following is an example of a warning message:

     Warning: packet length mismatch: expected 27,
     got 8; connection to non-standard server?

     To retain the logical name assignment through each reboot, add the
     DEFINE command to the appropriate startup command procedure.
  o  VMS Plus Mode:

     When the client and the server are OpenVMS systems running v5.6,
     they recognize each other as such and implement TCP/IP Services
     specific SFTP protocol extensions that allow transfer of files in
     either direction while preserving the key OpenVMS file attributes:
     record format and record attributes.

     The TCP/IP Services SCP client uses SFTP as the underlying protocol
     so VMS Plus mode works with SCP as well.

     VMS Plus mode supports only sequential organization files.

     Remember that if a v5.6 system is connected with an older TCP/IP
     Services system that does not support VMS Plus mode, file
     attributes will not be preserved. VMS Plus mode can only be used if
     both sides support it.

  o  Talking to a system without VMS Plus:

     If one side of the file transfer, client or server, does not
     support VMS Plus mode for SFTP, file attributes will not be
     preserved.

     In this mode TCP/IP Services supports reading of any of the
     following types of sequential organization files:

     o  Stream_LF

     o  Variable Length

     o  VFC

     o  Fortran Carriage Control

     o  Fixed Length

     o  Undefined

     Note that which side is the server and which is the client is
     irrelevant.
     OpenVMS is simply running on the side that is reading the file. You
     can, for example, use the SFTP client from OpenVMS to put a VFC
     file to UNIX, or you could use the SFTP client on the UNIX system
     to get the same file from the OpenVMS system. In either case, the
     OpenVMS system is reading the file and the UNIX system is writing
     it.

     Copying some VFC files from OpenVMS to systems not running OpenVMS
     and then back to OpenVMS may result in a file that the OpenVMS
     DIFFERENCES command shows as different from the original file. This
     is unpreventable, and the file as transferred out and back in is
     correct in that the TYPE and PRINT commands display it as expected
     and the output here is the same as that for the original file.

     Copying Fortran CC files from OpenVMS to systems other than OpenVMS
     will always result in a file that shows differences from the
     original. This is because on its transfer from OpenVMS to UNIX the
     Fortran CC attributes were converted to inline ASCII control
     character sequences that print the lines as the Fortran CC control
     bytes require.
     For example, the Fortran character for overstrike results in a pair
     of carriage returns for the line, thus implementing an overstrike.

  o  TCP/IP Services supports only sequential file organization, not
     relative or indexed files.

     To transfer these unsupported files you can package the file(s)
     into an OpenVMS saveset and transfer that or, depending on how many
     hops over which SFTP/SCP implementations and operating systems, you
     may need to use more extreme measures. One way that works
     consistently (provided that you have FTSV installed) is packaging
     files into a save set, then using SPOOL COMPRESS to make them into
     a self-extracting VMS image, then using UUENCODE to transform the
     image into an ASCII text file.

  o  Not all variants of UNIX path names are supported when referring to
     files on OpenVMS clients and servers.

  o  The SCP and SFTP commands from the following Windows clients have
     been tested and interoperate correctly with the OpenVMS SSH server:

     -  PuTTY

     -  SSH Communications

     Other versions and other clients may work, depending on protocol
     implementation and factors such as whether the client can handle
     OpenVMS-format file specifications.

  o  When using the SFTP command, pressing Ctrl/C does not display
     "Cancel" as expected.
     Also, Ctrl/T does not work as in DCL to display a status line;
     instead, it switches two adjacent characters, as on UNIX systems.
     Other problems with character handling have been fixed.

  o  The SFTP ls command pauses for an extended time after displaying a
     page of data and then continues with the next page. This occurs
     because the ssh server is sending back a complete directory
     listing, which the client filters; therefore, for directories with
     many files, the delay is due to the client waiting for listing
     results from the server. This is typical SFTP behavior, and not
     specific to OpenVMS.

  o  Using SCP or SFTP command to copy a file back to itself (either in
     local mode, or by connecting back to the client host) fails with
     the following error:

     %TCPIP-E-SSH_FC_ERR_INVA, file record format invalid for copy

  o  The SCP command issued from a client using SSH Version 1 will not
     work with the OpenVMS SSH server. The OpenVMS server does not
     support SSH Version 1.
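
  The colon ambiguity in SCP file parameters described earlier in this
  section can be checked before a transfer is scripted. The Python code
  below is an added example, not part of the HP release notes or product:
  it reports which parameters contain a colon that could be taken for a
  host name and rewrites OpenVMS specifications in the UNIX-style form
  these notes show. The host-candidate rule (text before the first colon
  with no earlier slash) and all function names are assumptions.

```python
import re

# DEVICE:[DIR.SUBDIR]NAME.EXT;VER with the device and directory parts optional.
_VMS_SPEC = re.compile(
    r"^(?:(?P<device>[A-Za-z0-9$_-]+):)?"
    r"(?:\[(?P<dirs>[A-Za-z0-9$_.-]*)\])?"
    r"(?P<name>[^\[\]:/]*)$"
)

# Constructed sample parameters, modelled on file specifications in these notes.
SAMPLE_ARGS = [
    "TCPIP$SSH_DEVICE:[TCPIP$SSH]BANNER1.TXT",
    "/TCPIP$SSH_DEVICE/TCPIP$SSH/BANNER2.TXT",
    "SYS$LOGIN:OUT.DAT",
    "user@unixhost:/tmp/report.txt",
]


def scp_host_candidate(arg):
    """Return the text SCP could try to resolve as a host name, or None.

    Assumption: whatever precedes the first ':' is a host candidate unless a
    '/' appears before it, in which case the parameter is a plain path.
    """
    head, sep, _ = arg.partition(":")
    if not sep or "/" in head:
        return None
    return head.rpartition("@")[2]  # drop a leading "user@"


def vms_to_unix(spec):
    """Rewrite DEVICE:[DIR.SUB]FILE as /DEVICE/DIR/SUB/FILE (no colon left).

    Relative [.DIR]FILE becomes ./DIR/FILE. Raises ValueError for anything
    that is not an OpenVMS specification this helper understands.
    """
    m = _VMS_SPEC.match(spec)
    if m is None or (m["device"] is None and m["dirs"] is None):
        raise ValueError(f"not an OpenVMS file specification: {spec!r}")
    device, dirs, name = m["device"], m["dirs"] or "", m["name"]
    relative = dirs.startswith(".")
    if relative and device:
        raise ValueError(f"device with relative directory: {spec!r}")
    if not relative and not device:
        raise ValueError(f"no device or logical name to anchor: {spec!r}")
    parts = [p for p in dirs.split(".") if p]
    root = "." if relative else "/" + device
    return "/".join([root, *parts] + ([name] if name else []))


def review_scp_args(args):
    """Return (arg, host_candidate, unix_style_or_None) for each parameter.

    A bare HOST:FILE parameter cannot be told apart from LOGICAL:FILE by
    syntax alone; that is the ambiguity itself, so a suggestion is offered
    and the operator decides.
    """
    report = []
    for arg in args:
        candidate = scp_host_candidate(arg)
        suggestion = None
        if candidate is not None:
            try:
                suggestion = vms_to_unix(arg)
            except ValueError:
                pass  # genuine host:path parameter, leave it alone
        report.append((arg, candidate, suggestion))
    return report


if __name__ == "__main__":
    for arg, candidate, suggestion in review_scp_args(SAMPLE_ARGS):
        if candidate is None:
            print(f"ok        {arg}")
        elif suggestion:
            print(f"rewrite   {arg} -> {suggestion}")
        else:
            print(f"remote    {arg} (host {candidate})")
```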
  ,         3.15.14 SSH transferring large files  >               This section includes restrictions pertaining to'               transferring large files:h  G               o  The minimum version of DECC$SHR running on your systembE                  must be that which was released with OpenVMS Version                   8.2.D  H               o  You may need to adjust memory parameters (WSDEF, WSQUO,A                  WSEXTENT, and PGFLQUO) to accommodate the memorytE                  requirements of the file copy client and server. ThefD                  exact value depends on system resources and virtual@                  memory configuration. For more information, seeF                  Section 2.3. For ssh filecopy, testing has shown that9                  the main parameter to adjust is PGFLQUO.   C         3.15.15 SSH server signals internal credentials cache errort  >               If an SSH client attempts to use gssapi-with-micC               authentication to the TCP/IP Services for OpenVMS SSHnG               server on a server host that is running Kerberos V2.1 and F               the SSH client user's TGT is forwardable (a kinit -f hasF               been done) and the GssapiDelegateCredentials flag is setH               then the SSH server will signal the following error in the               server log:n  .               Internal credentials cache error  I               This error text may appear on the SSH client user's screen,i)               depending on configuration.   H               This can be worked around in either of the following ways:  A               1. Upgrade to Kerberos V3.0 on the SSH server host.   E               2. Use the kinit without the -f flag on the SSH client.T  H               3. 
Turn the GssapiDelegateCredentials configuration switch'                  off on the SSH client.i  C               Because forwarding of client credentials with gssapi-gB               with-mic authentication to the OpenVMS SSH server isD               not supported setting GssapiDelegateCredentials is not               necessary.  I                                         Restrictions and Limitations 3-31R r  i      $         Restrictions and Limitations*         3.15 SSH problems and restrictions    6         3.15.16 SFTP general problems and restrictions  H               This section includes SFTP general notes and restrictions.  D               o  In an SFTP session, the ls command entered with theE                  directory path in a OpenVMS syntax displays or lists8E                  the content of the directory in the UNIX syntax. Forg                  example:   2                          sftp> ls [.ssh_testfiles](                          ./ssh_testfiles6                          ./ssh_testfiles/98277_SLF.Z;1  E               o  In a SFTP session, the ls -R command fails to handle I                  sub-directories if the directory filename includes ODS-5 %                  extended characters.   F               o  The following sftp command with the "*.*" format does8                  not provide the complete list of files:  -                  sftp> ls [.ssh_testfiles]*.*   F                  However, you can use the following command formats to$                  list all the files:  /                  sftp> ls [.ssh_testfiles]*.*;* +                  sftp> ls [.ssh_testfiles]*   H               o  The SFTP get command does not parse the correct versionG                  number to the file. 
     For example, the following command gets the file with the version
     number, but the version number is invalid.

     sftp> get TCPIP$FTP_SERVER.LOG;-5000000

  o  No error message is displayed with an SFTP get command on a file
     with an invalid version number and a wildcard character.

  o  In an SFTP session, the lrm command fails when the command is
     entered with wildcard character "*" as follows:

     sftp> lrm *.*;*
     Command failed.
     sftp> lrm BIG_VFC.*;*
     Command failed.

  o  The SFTP client exhibits a memory leak.
     It runs out of memory and generates an error message because of the
     extensive use of wildcard filenames in the get and put operations.

3.15.17 SFTP generates audit warnings with class device

  This restriction applies only to those using AUDIT with class device
  as in the following command:

  $ SET AUDIT/ALARM/ENABLE=ACCESS=ALL/CLASS=DEVICE

  If the SFTP server generates audit warnings for a logical IO to a
  mailbox when the SFTP user exits SFTP, perform the following step to
  prevent this from occurring:

  $ DEFINE/SYSTEM TCPIP$SSH_SERVER_WAIT_FOR_CHILD 1

3.15.18 BIND Resolver diagnostics creates an SSH packet corruption

  When you turn on BIND Resolver Diagnostics using either of the
  following methods, you can create an SSH packet corruption:

  o  Define the logical name TCPIP$BIND_RES_OPTIONS to "debug".

  o  Add the following line to TCPIP$ETC:RESOLV.CONF:

     options debug

3.16 TCPDUMP restrictions

  TCPDUMP works the same way on OpenVMS as it does on UNIX systems, with
  the following restrictions:

  o  On UNIX systems, tcpdump sets the NIC (Network Interface
     Controller) into promiscuous mode and everything in the
     transmission is sent to tcpdump.

     On OpenVMS systems, TCPDUMP only sees the packets destined for and
     sent from the local host. Therefore, TCPDUMP works in copy-all
     mode. Because it only sees a copy of the packets that are processed
     by the TCP/IP kernel, TCPDUMP can only trace natively IP, IPv6, and
     ARP protocols on Ethernet.

     TCPDUMP can format or filter packets that have been traced from
     another platform running TCPDUMP in promiscuous mode. In this case
     it will process other protocols, like DECnet.

  o  Ethernet is the only supported type of NIC. Other types of NICs
     (such as ATM, FDDI, Token Ring, SLIP, and PPP) are not supported.

  o  The -i option is not supported. On UNIX systems, this option
     specifies the interface that tcpdump is attached to.

     On OpenVMS systems, TCPDUMP obtains packets from the TCP/IP kernel.

  o  The -p option is not supported. On UNIX systems, this option
     specifies that tcpdump stops working in promiscuous mode.

     On OpenVMS, TCPDUMP does not work in promiscuous mode. Therefore,
     this option is set by default.

  o  If you are using the Ethereal software to dump IPv6 network
     traffic, use the following command format to write the data in the
     correct format:

     $ TCPDUMP -s 1500 -w filename

  o  Only one process at a time can issue traces. This restriction
     applies to both TCPTRACE and TCPDUMP.

3.17 TCP/IP Management Command restrictions

  The following restrictions apply to the TCP/IP management commands:

  o  An IP address added to a tunnel interface cannot be seen with
     ifconfig.
     Execute netstat with -rn to view the new IP address.

  o  TCP/IP Services Version 5.4 introduced failSAFE IP, which obsoletes
     the IP cluster alias address. Consequently, the following TCP/IP
     management commands are no longer supported:

     -  SET INTERFACE /NOCLUSTER

     -  SHOW INTERFACE /CLUSTER

     To display interface addresses, including IP cluster alias
     addresses, use the following TCP/IP management command:

     TCPIP> ifconfig -a

     To delete a cluster alias address from the active system, use a
     command similar to the following:

     TCPIP> ifconfig ie0 -alias 10.10.10.1

     The following TCP/IP management commands continue to be supported:

     -  SET INTERFACE/CLUSTER

     -  SET CONFIGURATION INTERFACE /CLUSTER

     -  SET CONFIGURATION INTERFACE /NOCLUSTER

     -  SHOW CONFIGURATION INTERFACE /CLUSTER

  o  SET NAME_SERVICE /PATH

     This command requires the SYSNAM privilege. If you enter the
     command without the appropriate privilege at the process level, the
     command does not work and you are not notified. If you enter the
     command at the SYSTEM level, the command does not work and you
     receive an error message.
  $               o  SET SERVICE command  H                  o  When you modify parameters to a service, disable andG                     re-enable the service for the modifications to take                      effect.   I                  o  After a "SET SERVICE" command is used to define a newSG                     user defined TCP service, if the same "SET SERVICE" D                     command is entered again, the service may appear6                     disabled and cannot be re-enabled.  @               For more information on TCP/IP Services managementC               commands, refer to the HP TCP/IP Services for OpenVMSa1               Management Command Reference guide.y  I                                         Restrictions and Limitations 3-35e c  O                    I                                                                         4 I         _________________________________________________________________   I                                                               Correctionst    C               This chapter describes the problems corrected in this )               version of TCP/IP Services. 
4.1 Advanced Programming Environment problems fixed in this release

The following sections describe programming-related problems fixed in
this release.

4.1.1 Buffer overflow in ntpq program

Problem:

The stack buffer overflows in the ntpq program.

Solution:

This problem is corrected in this release.

4.1.2 With PPE enabled, system crashes during shutdown

Problem:

When PPE is enabled, the system crashes during shutdown with the
following message:

"SPLIPLLOW, IPL has fallen below level of owned spinlock(s)"

Solution:

This problem is corrected in this release.

4.2 BIND Server problems fixed in this release

The following sections describe BIND server problems fixed in this
release.

4.2.1 Bind server crashes on receipt of dynamic update message

Problem:

Bind server crash can be caused on receipt of a specific remote
dynamic update message.

Solution:

This problem is fixed in this release.

4.2.2 SYSTEM-W-NOSUCHFILE and %DCL-E-INVIFNEST Errors

Problem:

TCPIP$BIND_STARTUP.COM displays the %SYSTEM-W-NOSUCHFILE and
%DCL-E-INVIFNEST errors when the SYS$SHARE:SSL$LIBCRYPTO_SHR32.EXE
image is not present on the system.
Solution:

This problem is fixed in this release.

4.2.3 %LIBRAR-E-LOOKUPERR error in the BIND server

Problem:

While configuring TCP/IP, using TCPIP$CONFIG, in the BIND server, the
%LIBRAR-E-LOOKUPERR error is displayed. TCPIP$CONFIG incorrectly looks
for LOOPBACK_DB.

Solution:

This problem has been fixed in this release.

4.2.4 BINDSETUP fails to conform to the database filename

Problem:

TCPIP$BINDSETUP fails to conform to the new BIND local host database
filename.

Solution:

This problem is corrected in this release.

4.2.5 Entering CTRL/C for TCPIP SHOW HOST (/NOLOCAL) may display
      ACCVIO

Problem:

On OpenVMS Integrity servers, entering CTRL/C for the TCPIP SHOW HOST
(/NOLOCAL) command may display an ACCVIO error within the BIND
resolver.

Solution:

This problem is corrected in this release.

4.2.6 Memory usage statistics

Problem:

This release adds the ability to generate and display the memory
usage statistics for the BIND Server.

Solution:

To display the memory usage statistics for the BIND Server, define
the logical name as follows:

   $ DEFINE /SYSTEM TCPIP$BIND_MEMSTATS 1

TCPIP$BIND_MEMSTATS is an existing logical name.
The value does not matter, but it must be defined.

Use either the rndc stats command or the TCPIP SHOW NAME /STATISTICS
command to send the memory usage statistics to the file
TCPIP$BIND.STATS. The memstats information will complement the server
Statistics Dump information that is normally sent to the file.

4.2.7 Delay because of using "ROUTE ADD"

Problem:

There is a delay because of using the ROUTE ADD command when the BIND
resolver is disabled.

Solution:

This problem is corrected in this release.

4.2.8 Resolving the local host database names

Problem:

TCPDUMP, and potentially other applications, fail to resolve the
local host database names. When _SOCKADDR_LEN is not defined, a call
to the getaddrinfo() function will not look in the local host
database. When getaddrinfo() was called with the hints argument as
NULL, the routine fails with an ACCVIO.

Solution:

This problem is corrected in this release.

4.2.9 Unexpected IPv6-looking address in the TELNET client

Problem:

The getaddrinfo() function sometimes returned AF_INET structures even
when the AI_V4MAPPED flag was set.
The most obvious effect was that attempting to reach an unresponsive
host via TELNET would provoke an unexpected IPv6-looking address in
the TELNET client, which displays the Trying ... message.

Solution:

This problem is corrected in this release.

4.2.10 Specifying an invalid port number to getnameinfo()

Problem:

Specifying an invalid port number to getnameinfo() results in an
ACCVIO error.

Solution:

This problem is corrected in this release.

4.2.11 NI_* flag values for getnameinfo()

Problem:

The getnameinfo() NI_* flag values were improperly changed for V5.6
when updating to the BIND 9 resolver. Changing these values broke
applications that were built on pre-V5.6 versions of TCP/IP Services
for OpenVMS.

Solution:

The NI_* flag values for the getnameinfo() function were improperly
changed with the V5.6 release. This would cause any applications using
the NI_* flag values that were built against pre-V5.6 TCP/IP versions
not to run as expected on TCP/IP V5.6. This problem has been
corrected, and the flag values have been returned to their pre-V5.6
definitions. Note that any applications using the NI_* flag values
that were built against V5.6 will no longer execute properly on V5.6
ECO1 or later.
These applications must be rebuilt.

4.2.12 TCPIP$SYSTEM:HOSTS.DAT ASCII file

Problem:

The undocumented TCPIP$SYSTEM:HOSTS.DAT ASCII file is still provided
during TCP/IP installation, but the file is no longer used by the
BIND resolver.

Solution:

This problem is corrected in this release.

4.2.13 Query IDs

Problem:

Query IDs generated by the DNS server are vulnerable to cryptographic
analysis.

Solution:

This problem is corrected in this release.

4.2.14 BIND cluster-wide startup and shutdown command procedures

Problem:

BIND cluster-wide startup and shutdown command procedures are
generated with embedded physical device names, requiring extra effort
upon changing to a new system disk.

Solution:

This problem is corrected in this release.

4.2.15 BIND9 Resolver aborts

Problem:

The BIND9 Resolver aborts when multiple threads call getaddrinfo
simultaneously, although RFC 3493 describes getaddrinfo as a
thread-safe or re-entrant function.

Solution:

This problem is corrected in this release.

4.2.16 Spoofing and cache-poisoning attack in a BIND/DNS server

Problem:

The BIND/DNS server is vulnerable to a widely publicized spoofing and
cache-poisoning attack.

Solution:

This problem is corrected in this release.
4.2.17 Spoofing and cache-poisoning attack in a UDP port

Problem:

The BIND/DNS cache server uses a fixed or an arbitrarily selected UDP
port for outgoing DNS queries. This will lead to UDP port spoofing and
cache-poisoning attacks.

Solution:

This problem is corrected in this release.

4.2.18 Memory leaks in BIND Resolver functions

Problem:

The BIND Resolver functions GETNAMEINFO, GETHOSTBYNAME, GETHOSTBYADDR,
GETNETBYNAME, GETNETBYADDR, GETSERVBYNAME and GETSERVBYPORT cause
memory leaks and do not close the files properly when called from a
multithreaded program.

Solution:

This problem is corrected in this release.

4.2.19 GETADDRINFO with nodename as NULL fails

Problem:

getaddrinfo with nodename as NULL fails with BADHINTS: Not found in
explore

Solution:

This problem is corrected in this release.

4.3 DHCP component problems fixed in this release

The following sections describe the DHCP problems fixed in this
release.

4.3.1 DHCP server fails to update the DNS server correctly

Problem:

When DNS updates are enabled, the DHCP server fails to update the DNS
server correctly if the netmask for the client's network differs from
255.255.255.0.

Solution:

This problem is corrected in this release.
4.3.2 RMS-E-FLK errors when running the TCPIP$$SETHOSTNAME.COM
      script's SET HOST and SET NOHOST commands

Problem:

The DHCP client, when run in a cluster where the TCPIP$* data files
are shared between cluster members, could incur RMS-E-FLK errors when
running the TCPIP$$SETHOSTNAME.COM script's SET HOST and SET NOHOST
commands.

Solution:

This problem is corrected in this release.

4.3.3 DHCP server listens on all interfaces

Problem:

The OpenVMS DHCP server cannot be disabled on one or more interfaces.
The server always listens on all the interfaces.

Solution:

A new logical, TCPIP$DHCP_IGNOR_IFS, is now supported to fix this
problem.

4.3.4 DHCPSIGHUP command is issued twice

Problem:

The DHCPSIGHUP command is issued twice to update the DHCP Debug Level.

Solution:

This problem is corrected in this release.

4.3.5 DHCP server logs events on ignored interfaces

Problem:

DHCP server logs events on ignored interfaces.
Logging events for ignored interfaces leads to huge log files.

Solution:

This problem is corrected in this release.

4.4 failSAFE IP problems fixed in this release

The following sections describe failSAFE IP problems fixed in this
release.

4.4.1 failSAFE IP does not read its configuration file

Problem:

failSAFE IP does not read its configuration file if stored in the
STREAM_LF format.

Solution:

This problem is corrected in this release.

4.4.2 failSAFE IP may pick the wrong interface to monitor

Problem:

In some configurations, the failSAFE IP may pick the wrong interface
to monitor. This is displayed on OPCOM and in the logfile during
failSAFE IP startup.

Solution:

This problem is corrected in this release.

4.4.3 If interface_list not specified, default behavior does not work

Problem:

If the interface_list is not specified, by default, all the
interfaces must be monitored.
One of the earlier ECO releases did not support the default behavior.

Solution:

This problem is corrected in this release.

4.4.4 IP failover sometimes loses the default route

Problem:

failSAFE IP failover sometimes loses the default route when IPv6 is
configured.

Solution:

This problem is corrected in this release.

4.4.5 First static route failover

Problem:

Under certain circumstances, only the first static route reliably
fails over. This is typically the default route.

Solution:

This problem is corrected in this release.

4.5 FINGER Component problems fixed in this release

The following sections describe FINGER component problems fixed in
this release.

4.5.1 File access restrictions when following symbolic links.

Problem:

The FINGER server does not properly enforce the file access
restrictions when following symbolic links. The client is vulnerable
to a format string attack.

Solution:

This problem is corrected in this release.

4.6 FTP Server and Client problems fixed in this release

The following sections describe FTP server and client problems fixed
in this release.

4.6.1 OpenVMS, TCP/IP, or Non-VMS FTP client access to ODS-5 disk

Problem:

On a non-VMS FTP client, such as Windows, UNIX, or LINUX, the
filenames are displayed in the VMS format with the "^" characters in
the filename.
Also, when retrieving the filenames using the non-VMS FTP client, the
filename in OpenVMS format is displayed with "^", such as
file^.1^.2^.3^.4.txt. For retrieving the files and saving them on the
PC, the "^" characters must not be included in the filenames.

Solution:

This problem is corrected in this release.

4.6.2 FTP client copies multiple versions of a file and places them
      in reverse order

Problem:

The FTP client copies multiple versions of a file and places them in
reverse order.

Solution:

This problem is fixed in this release.

4.6.3 TCPIP$FTP_1 server stops communicating with the FTP child
      processes

Problem:

When the FTP server limit is reached and no new connections were
accepted, the TCPIP$FTP_1 server stopped communicating with the FTP
child processes on the system. After the limit was reached, the child
processes hung waiting on a mailbox.
Although the process rejected the new incoming connections, it
appeared that communication was lost with the old processes.

Solution:

This problem is fixed in this release.

4.6.4 FTP server error messages

Problem:

In certain scenarios, the OpenVMS FTP server reports the following
error messages:

   425-Can't build data connection for ...
   425 Connect to network object rejected

Solution:

This problem is fixed in this release.

4.6.5 Users can still FTP with FTP client disabled

Problem:

Although the FTP client is disabled, users can ftp to another system.
Because FTP is a DCL command, the FTP client image can be invoked even
if the FTP client service is shut down.

Solution:

This problem is corrected in this release.

4.6.6 [VMS]COPY/FTP file with multiple-dot filename does not work

Problem:

On a remote Linux or HP-UX node, if the filename starts with a dot and
has multiple dots within the name, for example, .test.001, the
filename is truncated. That is, the characters before the second dot
are not displayed.

Solution:

This problem is corrected in this release.

4.6.7 Addition of "." to a filename

Problem:

When using FTP or $ COPY /FTP to transfer files from an OpenVMS system
to a UNIX system, the FTP client adds a "." character to a filename
without extension.

Solution:

This problem is corrected in this release.

4.6.8 USER command in a session that is already logged in

Problem:

The FTP server, upon receiving a USER command in a session that is
already logged in, failed to return a proper error, leading to a hang.

Solution:

A message similar to the following is displayed:

   "503 User SMITH, is already logged in"

and the problem is fixed.

4.6.9 Construction of wildcarded filenames

Problem:

The FTP client does not properly construct wildcarded filenames.
COPY /FTP TEST.EXE_OLD nodename"username password"::*.EXE creates a
file named "_.EXE" on the remote system.
Also, COPY /FTP TEST.EXE_OLD nodename"username password"::FILE.*
creates a file named "FILE._" on the remote system.

Solution:

The FTP client properly constructs the wildcarded filenames.

4.6.10 "expanded" rooted logical name syntax

Problem:

FTP does not understand the "expanded" rooted logical name syntax.

Solution:

This problem is corrected in this release.

4.6.11 FTP server terminates when there are many connections and
       disconnections

Problem:

The FTP server terminates with an ACCVIO error when there are many
connections and disconnections. The FTP server also displays an error
message that is similar to the following:

   session connection from 127.124.172.114 at 11-JAN-2007 18:42:08.42
    %SYSTEM-F-NOSLOT, no PCB available
    %TCPIP-E-FTP_CREPRC, failed to create a child process

Solution:

This problem is corrected in this release.

4.6.12 DIRECTORY /FTP command fails to return failure status

Problem:

The DIRECTORY /FTP command fails to return a failure status, even
when the target file does not exist.
Solution:

This problem is corrected in this release.

4.6.13 Entries made in TCPIP$ETC:IPNODES.DAT are not read

Problem:

Entries made in the TCPIP$ETC:IPNODES.DAT file are not read by the
FTP client.

Solution:

This problem is corrected in this release.

4.6.14 FTP client echoes the keyboard input associated with ACCT

Problem:

The OpenVMS FTP client echoes the keyboard input associated with the
Account (ACCT) command. Because some FTP servers use the "account" as
a secondary password, this raised security concerns.

Solution:

This problem is corrected in this release.

4.6.15 GET /FDL and COPY /FTP/FDL commands may fail

Problem:

Because of a nonexistent owner on the destination system, the GET /FDL
and COPY /FTP/FDL commands may fail. The original owner must be
omitted or ignored.

Solution:

This problem is corrected in this release.

4.6.16 Passive mode on a multihomed system

Problem:

When using passive mode on a multihomed system, the FTP client fails
to ensure that the source IP address for the data connection matches
the IP address used for the control connection.
Many FTP servers reject such connections for security reasons.

Solution:

This problem is corrected in this release.

4.6.17 Sends the incorrect file version

Problem:

The FTP server sends the incorrect file version in the 150 info
message to the FTP client.

Solution:

This problem is corrected in this release.

4.6.18 Display of files residing on second and subsequent disks

Problem:

When a DIRECTORY command is executed on a search list pointed to by a
concealed logical, the list contains information about files only on
the first disk and fails to display the files residing on second and
subsequent disks.

Solution:

This problem is corrected in this release.

4.6.19 Transferring files greater than 2GB

Problem:

While transferring huge files, greater than 2GB, from a disk, all the
other operations on this disk will hang until the transfer of the file
is accomplished.
Solution:

This problem is corrected in this release.

4.7 IMAP problems fixed in this release

The following sections describe IMAP problems fixed in this release.

4.7.1 IMAP server allows potential attackers

Problem:

The IMAP server allows potential attackers unlimited guesses of
username and password combinations.

Solution:

This problem is fixed in this release.

4.7.2 Listing of more than a hundred empty folders fails

Problem:

The IMAP server crashes while listing more than a hundred empty
folders.

Solution:

This problem is corrected in this release.

4.7.3 IMAP server process hang in the exception handler

Problem:

An IMAP server process may hang in the exception handler.

Solution:

This problem is corrected in this release.

4.8 INETDRIVER problems fixed in this release

The following sections describe INETDRIVER problems fixed in this
release.

4.8.1 System crash in the KVCI$$GENERATE_ASSOC_ID routine

Problem:

Users of the SRI QIO interface (INETDRIVER) experience a system crash
with INVEXCEPTN in the KVCI$$GENERATE_ASSOC_ID routine.

Solution:

This problem is corrected in this release.
4.9 IPC (socket library) problems fixed in this release

The following sections describe IPC (socket library) problems fixed in
this release.

4.9.1 TCPIP$INETACP process uses 100% CPU

Problem:

In a multithreaded customer application in which thousands of threads
call select(), TCPIP$INETACP process uses 100% CPU.

Solution:

This problem is fixed in this release.

4.9.2 Alignment faults in TCPIP$ACCESS_SHR.EXE image

Problem:

Alignment faults are observed in TCPIP$ACCESS_SHR.EXE image. The most
common PC range is below:

   TCPIP$ACCESS_SHR + 54230
   TCPIP$ACCESS_SHR + 54264

Solution:

This problem is fixed in this release.

4.9.3 Definitions for TCP socket

Problem:

Some of the "definitions" are not available for certain TCP socket
options in SYS$SHARE:TCPIP$INETDEF.*.

Solution:

The following definitions are added with this release of TCP/IP:

   #DEFINE INET$C_TCP_TSOPTENA 16  /* time stamp option */
   #DEFINE INET$C_TCP_PAWS 32      /* PAWS option       */
   #DEFINE INET$C_TCP_SACKENA 64   /* SACK enabled      */

Counterparts with the TCPIP$ prefix used instead of the INET$ prefix
are also added.

4.9.4 getnameinfo( ) returns "unknown name or service" error

Problem:

The getnameinfo() function returns an unknown name or
service error if the specified address is not found. The RFC defines
that getnameinfo() must return the address. The routine also fails to
honor the NI_NAMEREQD or NI_NOFQDN flags in all cases.

Solution:

This problem is corrected in this release.

4.9.5 freeaddrinfo( ) causes an ACCVIO

Problem:

freeaddrinfo() causes an ACCVIO condition when a NULL pointer is
passed for freeaddrinfo().

Solution:

This problem is corrected in this release.

4.9.6 IPv6 address queried before IPv4 address

Problem:

The BIND9 Resolver sends queries for IPv6 addresses before querying
for IPv4 addresses, even when no local IPv6 addresses are configured.

Solution:

This problem is corrected in this release.

4.9.7 BIND9 Resolver flags for getaddrinfo are inadvertently shifted

Problem:

The BIND9 Resolver AI_ALL and AI_V4MAPPED flags for getaddrinfo are
inadvertently shifted, preventing IPv6 applications built against the
previous versions of TCPIP from working on TCPIP V5.6.

Solution:

Because the previous flag values are restored, some IPv6 applications
built for the original TCPIP V5.6 release will no longer function
correctly following the installation of this kit.

The relevant header file is netdb.h.
Application developers having trouble with these flags must ensure
that they are using a "netdb.h" file with the old (and recently
restored) values.

4.9.8 Delay when communicating between socket pair

Problem:

The socketpair() call returns a pair of TCP sockets, which are
connected through a localhost ephemeral port number. When
communicating between this socket pair, a 200ms delay is encountered
while receiving and acknowledging the data.

Solution:

This problem is corrected in this release.

4.9.9 Alignment faults in gethostbyname()

Problem:

Alignment faults are detected in the gethostbyname() call and
friends.

Solution:

This problem is corrected in this release.

4.9.10 Documentation for getaddrinfo() and gai_strerror() - EAI_BADHINTS

Problem:

Along with the other getaddrinfo() error codes documented in the HP
TCP/IP Services for OpenVMS Sockets API and System Services
Programming guide, getaddrinfo() may also return:

    EAI_BADHINTS    "Invalid value for hints"

This error is returned if the hints parameter in the call to
getaddrinfo() is not correctly initialized.

Solution:

This problem is corrected in this release.

4.10 Load Broker problems fixed in this release

The following section describes Load Broker problems fixed in this
release.

4.10.1 Load Broker
memory leak

Problem:

If you are running several OpenVMS Clusters and using several dynamic
cluster aliases for balancing the workload across the cluster members
with each load broker maintaining 10 cluster aliases, after a few days
of operation the load broker dies with the %SYSTEM-F-OPCCUS error.

Solution:

This problem is corrected in this release.

4.11 LPD problems fixed in this release

The following sections describe LPD problems fixed in this release.

4.11.1 Incorrect job status in the mail message

Problem:

LPD printing with the /PARAMETERS=MAIL qualifier includes an
incorrect job status in the resulting mail message.

Solution:

This problem is corrected in this release.

4.11.2 Printing to an LPD queue with a large setup module is
inefficient

Problem:

Printing to an LPD queue with a large (over 1024 characters) setup
module is inefficient. Although correct output is printed, the
logfile shows that for each job, there is a series of attempts to
read the setup module into increasingly large buffers.

Solution:

A new configuration parameter, "Setup-Buffer-Size", in the
TCPIP$LPD.CONF file allows the system manager to specify the initial
setup module buffer size.
The default value is 1024 bytes.

4.11.3 "TCPIP-E-LPD_REQREJECT" message displayed multiple times

Problem:

The TCPIP-E-LPD_REQREJECT message is displayed many times when
attempting to deliver LPD jobs to a printer that is not in service.

Solution:

This problem is corrected in this release.

4.11.4 Latent coding defect within the LPD symbiont

Problem:

A latent coding defect within the LPD symbiont led the symbiont to
exit with an ACCVIO error after the VMS83A_RMS V8.0 (or later) patch
was installed on an OpenVMS 8.3 Alpha system.

Solution:

LPD users should install the latest TCP/IP kit along with the RMS
V8.0 or V9.0 patch.

4.12 Management Utilities problems fixed in this release

The following sections describe Management Utilities problems fixed
in this release.

4.12.1 TCPIP$CONFIG does not create an alias IP address

Problem:

TCPIP$CONFIG does not create an alias IP address that is a substring
of the primary address. For example, if the primary address is
10.1.1.100, then it is not possible to add an alias address
10.1.1.10.

Solution:

This problem is fixed in this release.

4.12.2 Large number of packets are sent when using the flood
functionality

Problem:

In some instances, a large number of packets are sent when using the
flood functionality of the PING utility (-f) in combination with the
option for sending a fixed number of packets (-c).

Solution:

This problem is fixed in this release.

4.12.3 netstat -i fails to display the network names correctly

Problem:

netstat -i fails to display the network names correctly.

Solution:

This problem is corrected in this release.

4.12.4 Misleading and unsightly error message when the BIND resolver
is not enabled

Problem:

Attempting to use the "dig" utility results in a misleading and
unsightly error message when the BIND resolver is not enabled.

Solution:

This problem is corrected in this release.

4.12.5 TCPIP$CONFIG.COM fails to see devices

Problem:

TCPIP$CONFIG.COM fails to see devices when the controller letter does
not begin with "A". For example, if EIB exists but EIA does not, then
the EI controller does not appear in the Interface menu.

Solution:

This problem is corrected in this release.

4.12.6 Missing argument for the ip6hoplimit value

Problem:

Executing the $ IFCONFIG WE0 INET6 IP6HOPLIMIT command results in an
ACCVIO because of the missing argument for the ip6hoplimit value.

Solution:

This problem is corrected in this release.

4.12.7 Errors when executing netstat -z

Problem:

When executing netstat -z, the following message is displayed:

    netstat: -z is not implemented on this operating system

Solution:

Netstat will now zero the counters. In addition, if you attempt to
use the -z option without privileges, netstat will no longer attempt
to display the counters, but rather displays the following message:

    netstat: must be root to zero counters

4.13 NET (Kernel) problems fixed in this release

The following sections describe NET (Kernel) problems fixed in this
release.

4.13.1 TCP/IP routine that services I/O CANCEL and DEASSIGN requests
does not restore the entry IPL

Problem:

Some processes, such as CIMSERVER, were found hanging in the RWINS
state.
This happened because the TCP/IP routine that services I/O CANCEL and
DEASSIGN for the BG devices was not restoring the Interrupt Priority
Level (IPL) to the entry IPL before returning.

Solution:

The entry IPL is now saved on the stack at the beginning and restored
from the stack before returning.

4.13.2 Entering the username and password in binary mode

Problem:

When a user enters ((Ctrl+U) and username) followed by ((Ctrl+U) and
password) to the telnet server in binary mode, the user authorization
fails.

    ________________________ Note ________________________

    A new logical TCPIP$TELNET_BINARY_IGNORE is defined, which when
    enabled on binary negotiation, will not set the TT$M_PASSALL bit
    in the terminal characteristics.

    ______________________________________________________

Solution:

This problem is fixed in this release.

4.13.3 TELNET server does not accept new connections

Problem:

Occasionally, the TELNET server does not accept new connections
whereas other services such as FTP and SSH appear to accept new
connections.

Solution:

This problem is fixed in this release.

4.13.4 RLogin fails

Problem:

Rlogin to a remote system crashes and displays the following message:

    SSRVEXCEPT, Unexpected system service exception

Solution:

This problem is corrected in this release.

4.13.5 Corruption of non-paged pool

Problem:

Various system crashes are reported, involving corruption of
non-paged pool.

Solution:

This problem is corrected in this release.

4.13.6 SACK retransmission transmits more data

Problem:

SACK retransmission resulted in too much data being retransmitted;
that is, it retransmitted beyond the SACK Left Edge, SLE.

Solution:

This problem is corrected in this release.

4.13.7 Fail to sense SHARE and FULL_DUPLEX_CLOSE

Problem:

While it was possible to set the socket options, it is not possible
to sense SHARE and FULL_DUPLEX_CLOSE.

Solution:

This problem is corrected in this release.

4.13.8 System crash after failing to start TCPIP

Problem:

The system crashes after a mysterious failure to start TCPIP,
displaying the SPLIPLHIGH error.

Solution:

This problem is corrected in this release.

4.13.9 Setting the inet sysconfig parameter may cause a crash

Problem:

Setting the inet sysconfig parameter ovms_printf_to_opcom may cause a
crash at TCPIP start, on any version of the scaling kernel.
The crash happens if the startup code attempts to print something,
for example:

    sysconfigtab: attribute sobacklog_hiwat in subsystem socket
    can't be configured

Solution:

This problem is corrected in this release.

4.13.10 System crash because of coded bugcheck in m_copym( )

Problem:

A system crash occurs due to a coded bugcheck in the m_copym()
routine because an unexpected negative offset is calculated during
selective acknowledgement (SACK) processing.

Solution:

This problem is corrected in this release.

4.13.11 System crash while processing select()

Problem:

A system crash within the TCPIP$INTERNET_SERVICES execlet occurs
while processing a select() call.

Solution:

This problem is corrected in this release.

4.13.12 System crash during Packet loss and SACK processing

Problem:

The system occasionally crashed or created an ACK storm during some
circumstances involving packet loss and SACK processing.

Solution:

This problem is corrected in this release.

4.13.13 Impossible to disable error message display

Problem:

It is not possible to disable certain error messages displayed via
OPCOM or directly to the operator console.

Solution:

Messages such as the following:

    arp: local IP address nn.nn.nn.nn in use by
    hardware address mm-mm-mm-mm-mm-mm

can now be displayed in the following ways:

    $ sysconfig -r inet ovms_printf_to_opcom=1 ! On OPCOM

    $ sysconfig -r inet ovms_printf_to_opcom=0 ! On OPA0:

    $ sysconfig -r inet log_open=1   ! No display

In the future, the final setting may send messages to the SYSLOG
facility if and when it is implemented.

4.13.14 System crash during a select() operation

Problem:

The system crashes during a select() operation, or immediately after
the operation is complete.

Solution:

This problem is corrected in this release.

4.13.15 Debug code to verify MBAG free list

Problem:

Add debug code to verify MBAG free list during get and free.

Solution:

This problem is corrected in this release.

4.13.16 Process in RWAST state during process rundown

Problem:

The process goes into RWAST state during process rundown.

Solution:

This problem is corrected in this release.

4.13.17 Use of select() results in a non-paged pool memory leak

Problem:

Under certain conditions, use of the select() function results in a
non-paged pool memory leak.

Solution:

This problem is corrected in this release.

4.13.18 Issuing process in the RWAST state

Problem:

A select() operation with certain parameters can cause the issuing
process to enter the RWAST state.

Solution:

This problem is corrected in this release.

4.13.19 Multicast traffic can be lost

Problem:

Multicast traffic can be lost when aggressive IGMP snooping is
enabled on a switch.
This is the result of OpenVMS delaying IGMP reports when the IGMP
query specified a maximum response time less than 10 seconds.

Solution:

This problem is corrected in this release.

4.13.20 Extensive use of Out Of Band data can cause system crash

Problem:

Extensive use of Out Of Band data by applications can trigger a
system crash at offset PANIC_C+00330 (On V5.6-9, Integrity servers).

Solution:

This problem is corrected in this release.

4.13.21 INETACP process experiences a deadlock

Problem:

The INETACP process experiences a deadlock, frequently stuck in the
RWAST state. The internal AQB (work queue) would be non-empty, with
perhaps hundreds of outstanding requests.

Solution:

This problem is corrected in this release.

4.13.22 TCPIP$INETACP process attempts to write an error message may
result in hang

Problem:

An attempt by the TCPIP$INETACP process to write an error message
when the socket send buffer is full may result in a hang.

Solution:

This problem is corrected in this release.

4.13.23 Processing of badly formed SACK packets

Problem:

A system crash with INCONSTATE status can occur during processing of
badly formed SACK packets.

Solution:

This problem is corrected in this release.

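
The SACK problems in 4.13.6, 4.13.10 and 4.13.23 all come down to trusting block edges taken from the wire, so the following added example (not HP's code and not the fix shipped in this release) shows the validation a receiver of SACK options would apply before using them, and a retransmit length that stops at the SACK left edge. The function names, the snd_una/snd_max parameters and the sample option bytes are assumptions constructed for illustration; the option layout follows RFC 2018.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL      0
#define TCPOPT_NOP      1
#define TCPOPT_SACK     5   /* RFC 2018 SACK option kind */
#define MAX_SACK_BLOCKS 4   /* most that fit in 40 bytes of TCP options */

struct sack_block { uint32_t left, right; };

/* Sequence-space comparisons modulo 2^32. */
static int seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static int seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Walk a TCP option area and collect SACK blocks.
 * Returns the number of blocks stored in out[], or -1 when the option area
 * is structurally malformed. Blocks that parse but do not satisfy
 * snd_una <= left < right <= snd_max are dropped and counted in *ignored.
 */
int parse_sack(const uint8_t *opts, size_t len, uint32_t snd_una,
               uint32_t snd_max, struct sack_block out[MAX_SACK_BLOCKS],
               int *ignored)
{
    size_t i = 0;
    int n = 0;

    *ignored = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (len - i < 2)
            return -1;                      /* kind byte with no length byte */
        size_t olen = opts[i + 1];
        if (olen < 2 || olen > len - i)
            return -1;                      /* option runs past the buffer */
        if (kind == TCPOPT_SACK) {
            size_t body = olen - 2;
            if (body == 0 || body % 8 != 0)
                return -1;                  /* length is not 2 + 8*n */
            for (size_t off = i + 2; off < i + olen; off += 8) {
                uint32_t l = rd32(opts + off), r = rd32(opts + off + 4);
                if (!seq_lt(l, r) || seq_lt(l, snd_una) || !seq_leq(r, snd_max)) {
                    (*ignored)++;           /* reversed, stale or beyond snd_max */
                    continue;
                }
                if (n == MAX_SACK_BLOCKS)
                    return -1;              /* more blocks than out[] can hold */
                out[n].left = l;
                out[n].right = r;
                n++;
            }
        }
        i += olen;
    }
    return n;
}

/*
 * Bytes to retransmit from `from`, never past the SACK left edge `sle` and
 * never more than one segment. Returns 0 instead of a wrapped (negative)
 * length when `from` is already at or beyond `sle`.
 */
uint32_t hole_len(uint32_t from, uint32_t sle, uint32_t mss)
{
    if (!seq_lt(from, sle))
        return 0;
    uint32_t n = sle - from;
    return n < mss ? n : mss;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t SAMPLE_OK[]       = {1, 1, 5, 10, 0, 0, 0x07, 0xD0, 0, 0, 0x0B, 0xB8};
static const uint8_t SAMPLE_REVERSED[] = {1, 1, 5, 10, 0, 0, 0x0B, 0xB8, 0, 0, 0x07, 0xD0};
static const uint8_t SAMPLE_BADLEN[]   = {5, 9, 0, 0, 0x07, 0xD0, 0, 0, 0x0B};
static const uint8_t SAMPLE_TRUNC[]    = {5, 18, 0, 0, 0x07, 0xD0, 0, 0, 0x0B, 0xB8};
struct sack_block g_out[MAX_SACK_BLOCKS];
int g_ignored;

int main(void)
{
    /* snd_una = 1000 and snd_max = 5000 are assumed connection state. */
    printf("ok:       %d\n", parse_sack(SAMPLE_OK, sizeof SAMPLE_OK, 1000, 5000, g_out, &g_ignored));
    printf("reversed: %d\n", parse_sack(SAMPLE_REVERSED, sizeof SAMPLE_REVERSED, 1000, 5000, g_out, &g_ignored));
    printf("bad len:  %d\n", parse_sack(SAMPLE_BADLEN, sizeof SAMPLE_BADLEN, 1000, 5000, g_out, &g_ignored));
    printf("trunc:    %d\n", parse_sack(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 1000, 5000, g_out, &g_ignored));
    return 0;
}
```
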
                Corrections I                          4.13 NET (Kernel) problems fixed in this release     D         4.13.24 TCPIP START ROUTING fails to start a dynamic routing                 processt                 Problem:  C               On OpenVMS Integrity systems, the TCPIP START ROUTINGaG               command fails to actually start a dynamic routing process                 (ROUTED or GATED).                 Solution:   8               This problem is corrected in this release.  3         4.13.25 ICMP6 timeouts occurring frequentlyT                 Problem:  H               ICMP6 timeouts may occur more frequently than the required               500ms and 200ms.                 Solution:j  8               This problem is corrected in this release.  1         4.13.26 System crash with PGFIPLHI status                  Problem:  F               A system crash occurs with PGFIPLHI status, with a PC of?               INET_SENSE_SOCKET_COUNTERS_C+004A8 (on A56-ECO2).                  Solution:C  8               This problem is corrected in this release.  4         4.13.27 Service limits for NOLISTEN services                 Problem:  C               Service limits for NOLISTEN services are not strictlye               enforced.                  Solution:   8               This problem is corrected in this release.  I                                                          Corrections 4-31. V  C               Correctionsd8         4.13 NET (Kernel) problems fixed in this release    +         4.13.28 MBUF leak (type MT_CONTROL)h                 Problem:  C               An MBUF leak (type MT_CONTROL) is observed within the                kernel.1                 Solution:.  8               This problem is corrected in this release.  !         4.13.29 IPv6 Logo testing                  Problem:  I               The following ND6 test cases fail during IPv6 Logo testing:.  F               o  11. 
   Part A: Neighbor Solicitation Origination, Target Address Being
   Link-local

o  12. Part B: Neighbor Solicitation Origination, Target Address
   Being Global

4.13.30 INCONSTATE bugcheck

Problem:

An INCONSTATE bugcheck can occur when an application specified
invalid parameters on an IO$_READVBLK QIO operation.

Solution:

This problem is corrected in this release.

4.13.31 System crash during restart of the INET driver

Problem:

System crashes during restart of the INET driver. This is because the
INETDRIVER is sending a request to open a kernel VCI port after the
kernel had shut down.

Solution:

This problem is corrected in this release.

4.13.32 System crash when an application does a select() call

Problem:

Various identical system crashes are reported when an application
does a select() call.

Solution:

This problem is corrected in this release.

4.13.33 QIO based hostname lookup takes longer time

Problem:

QIO based hostname lookup takes longer than the intended 1 second
when multiple pathnames or servers are configured on the bind
resolver.

Solution:

This problem is corrected in this release.

4.14 NFS Client problems fixed in this release

The following sections describe NFS client problems fixed in this
release.

4.14.1 TCPIP DISMOUNT/ALL command does not dismount DNFS devices

Problem:

TCPIP DISMOUNT/ALL command does not dismount DNFS devices with units
greater than or equal to 32767.

In addition to this, these mounted DNFS devices are not displayed
when you execute the TCPIP SHOW MOUNT command.

Solution:

This problem is fixed in this release.

4.14.2 Mounting NFS exported shares requires CMKRNL privileges

Problem:

Mounting NFS exported shares requires CMKRNL privileges.

Solution:

This problem is fixed in this release.

4.14.3 System crash with PGFIPLHI

Problem:

When using the NFS client, the system crashes with PGFIPLHI,
Pagefault with IPL too high, or INVEXCEPTN, Exception while above
ASTDEL.

Solution:

This problem is corrected in this release.

4.14.4 Mounting large disks

Problem:

NFS client can mount very large disks, but when SHOW DEVICE/FULL is
executed on the NFS disk, it fails to show the total number of blocks
and displays an illegal logical block number error.

Solution:

This problem is corrected in this release.

4.15 NFS Server problems fixed in this release

The following sections describe NFS server problems fixed in this
release.

4.15.1 INVEXCEPTN bugchecks occur at OPENVMS_BFS_GETATTR_VMS

Problem:

INVEXCEPTN bugchecks occur at OPENVMS_BFS_GETATTR_VMS when REMQUEQ
operation was done. These bugchecks occur at different PCs.

Solution:

This problem is fixed in this release.

4.15.2 Creating and renaming directory names with special characters

Problem:

NFS Server cannot handle requests for creating and renaming directory
names with special characters. The NFS server reports the following
error:

    File not found

Solution:

This problem is fixed in this release.

4.15.3 Access violation in the BFS filesystems

Problem:

The NFS server process fails to restart after access violation
occurred in the BFS file systems.

Solution:

This problem is fixed in this release.

4.15.4 Creating a directory with special character

Problem:

When the NFS client requests the NFS server to create a directory
with one or more special characters (for example, "New Folder", where
the space in the directory name is the special character) and
requests the server to rename the new directory, NFS server fails to
open the directory and displays File not found.

Solution:

This problem is corrected in this release.

4.15.5 INVEXCEPTN bugcheck in INSQUE and REMQUE PAL instruction

Problem:

An INVEXCEPTN bugcheck occurs in TCPIP$NFS_SERVICES:REMQUE and INSQUE
PAL instruction called from different BFS routines, namely
OPENVMS_BFS_READ_VMS, OPENVMS_BFS_CLOSE. This can also occur with
other BFS routines.

Solution:

This problem is corrected in this release.

4.15.6 LOCKD temporary files are not removed

Problem:

LOCKD temporary files are not being removed from
SYS$SYSDEVICE:[TCPIP$NFSLCK] after they are no longer needed. The
files are named LOCKDxxxxPID.;1 where xxxx is a unique series of
letters and PID is the pid for the process.
The files are zero blocks in size.

Solution:

This problem is corrected in this release.

4.15.7 Unaligned reference fault

Problem:

While using the NFS server, system crashes with the following
message:

    INVEXCEPTN, Exception while above ASTDEL

Exception is an "Unaligned Reference Fault" for an address that is
inside an NFS KPB thread stack. The exception address is inside the
"EFI/PAL/SAL Memory" region (see the SDA CLUE SHOW MEMORY /LAYOUT
command).

Solution:

This problem is corrected in this release.

4.15.8 Fails to trigger a defined exception handler

Problem:

The NFS server fails to trigger a defined exception handler.

Solution:

This problem is corrected in this release.

4.15.9 INVEXCEPTN bugcheck at the OPENVMS_BFS_GETATTR_VMS line

Problem:

An INVEXCEPTN bugcheck occurs at OPENVMS_BFS_GETATTR_VMS line 87591:
REMQUEQ from PSPEC$A_NFS_USER_BLOCKS[0].
Other PCs are also possible.

Solution:

This problem is corrected in this release.

4.15.10 LOCKD process crashes with an ACCVIO error

Problem:

The LOCKD process crashes with an ACCVIO error.

Solution:

This problem is corrected in this release.

4.15.11 Files with names that contain an odd number of bytes are not
created

Problem:

The NFS server fails to create files with names that contain an odd
number of bytes. For example, "a.t", "aaa.t", and "aaaaa.t". The
server returns ENOENT.

Solution:

This problem is corrected in this release.

4.16 NTP problems fixed in this release

The following sections describe NTP problems fixed in this release.

4.16.1 Stack buffer overflow in NTPQ

Problem:

A stack buffer overflow problem exists in the NTPQ program.

Solution:

This problem is fixed in this release.

4.16.2 Displays the "keyid" as optional

Problem:

NTPDC incorrectly displays the "keyid" as optional in the usage and
help statements.

Solution:

A related correction applies to the HP TCP/IP Services for OpenVMS
Management Command Reference, Section 13.8.3.3, NTPDC Request
Commands: For the broadcast bullet only: change "[prefer]" to
"[minpoll]".

4.16.3 NTP fails to synchronize during the repeated hour

Problem:

NTP does not synchronize during the repeated hour at the summer to
winter time change.

Solution:

This problem is corrected in this release.

4.17 POP problems fixed in this release

The following section describes POP problems fixed in this release.

4.17.1 POP allows potential attackers

Problem:

POP allows potential attackers unlimited username or password
guesses.

Solution:

This problem is corrected in this release.

4.17.2 Version number on POP's "XTND STATS"

Problem:

On OpenVMS Integrity servers, the version number on POP's XTND STATS
command was fixed at compile time, rather than being based upon the
image ident of the POP server.

Solution:

This problem is corrected in this release.


4.18 PWIP problems fixed in this release

The following section describes PWIP problems fixed in this release.

4.18.1 System crash during PWIP shutdown

Problem:

A system crash occurs during PWIP shutdown and displays the following error message:

    DECNET, DECnet detected a fatal error.

Solution:

This problem is corrected in this release.

4.18.2 Bulk data transfer performance

Problem:

Bulk data transfer (such as file copy) performance across a PWIP connection (such as DECnet over IP) is slow compared to FTP, over certain types of networks. There is no way to increase the TCP window size for such a connection.

Solution:

The following TCPIP logical names are included:

o  TCPIP$PWIP_TCPRCVBUF - Receive socket buffer size

o  TCPIP$PWIP_TCPSNDBUF - Send socket size

The logicals must be defined system-wide prior to starting PWIP.
If not defined, the default behavior remains unchanged.

4.19 SMTP problems fixed in this release

The following section describes SMTP problems fixed in this release.

4.19.1 Anti spam for unresolvable-domains and unqualified-senders

Problem:

TCPIP SMTP antispam works correctly for:

- Accept-Unresolvable-Domains: FALSE
- Accept-Unqualified-Senders: FALSE

However, if the BIND server has a wildcard MX record of the form [ *.ind.hp.com. IN MX 10 munar ], with munar having an "A" record defined, antispam for Unresolvable-Domains and Unqualified-Senders stops working.

Removing the *.ind.hp.com MX record makes the system work as expected; that is, the system refuses mail with an unresolvable domain.

Solution:

This problem is fixed in this release.

4.19.2 SMTP fails to receive mails

Problem:

Although mail sent to the local host or to a remote host (not running TCPIP 5.7) works, SMTP fails to receive mail sent from a remote host.
On replying to a mail sent from a TCPIP 5.7 system, the mail bounces.

Solution:

This problem is corrected in this release.

4.19.3 Large number of recipients in the TO field

Problem:

Having a large number of recipients in the TO field of an arriving SMTP message could lead to corrupt header lines.

Solution:

This problem is corrected in this release.

4.19.4 VMS MAIL does not support lines longer than 255 characters and mixed case headers

Problem:

o  VMS MAIL does not support lines longer than 255 characters. Long header lines are becoming increasingly common in the modern Internet. While fetching such messages, the IMAP server may return some headers in the body part of the mail, causing it to appear corrupted to the client.

o  IMAP has trouble fetching mails with lowercase or mixed case RFC headers.

Solution:

This problem is corrected in this release.

4.19.5 SMTP server fails to deliver mail

Problem:

The SMTP server fails to deliver mail when the domain name is a combination of letters and numbers.
As per RFC, the domain name can be any combination of numbers and letters.

Solution:

This problem is corrected in this release.

4.19.6 SMTP distribution list filenames fail to form properly

Problem:

SMTP distribution list filenames are not always formed properly, and it is not possible to specify a location other than TCPIP$SMTP_COMMON: to contain *.DIS files.

Solution:

This problem is corrected in this release.

4.19.7 TCPIP$SMTP_FROM logical affects the SMTP Return-Path header

Problem:

The TCPIP$SMTP_FROM logical affects the SMTP Return-Path header when defined. The Return-Path must reflect the contents of the logical name, as it did prior to TCPIP V5.6, with no need to encapsulate the value within angle brackets.

Solution:

This problem is corrected in this release.

4.19.8 Adding Persistent-Server displays an error message

Problem:

When you add the "Persistent-Server" field in the TCPIP$SMTP.CONF file and restart SMTP, TCP/IP displays the following error:

    unknown configuration field; Persistent-Server has been ignored.

Solution:

This problem is corrected in this release.

4.20 SNMP problems fixed in this release

The following section describes SNMP problems fixed in this release.

4.20.1 SNMP displays "HrProcessorLoad" as always zero

Problem:

For OpenVMS systems having one CPU, SNMP displays "HrProcessorLoad" as always zero.

Solution:

This problem is fixed in this release.

4.20.2 TCPIP$HR_MIB.EXE memory leaks

Problem:

TCPIP$HR_MIB.EXE has two memory leaks for OIDs hrProcessorFrwID and hrProcessorLoad.

Solution:

This problem is fixed in this release.

4.20.3 Error message not displayed when the specified hostname is invalid

Problem:

The SNMP request command, tcpip$snmp_request, does not return the error message when the specified hostname is invalid.

Solution:

This problem is corrected in this release.

4.20.4 TCPIP$HR_MIB process dies with an ACCVIO error

Problem:

The TCPIP$HR_MIB process dies with an ACCVIO error.

Solution:

This problem is corrected in this release.

4.20.5 SNMP fails to start with IPv6 disabled

Problem:

SNMP fails to start on a system with IPv6 disabled.

Solution:

This problem is corrected in this release.

4.20.6 TCPIP$HR_MIB process consumes excessive CPU time

Problem:

If the total number of BG or MBA devices exceeds 5000, the TCPIP$HR_MIB process consumes excessive CPU time, which leads to sluggish performance.

Solution:

A new logical, TCPIP$SNMP_SCAN_ALLDEV, is included. If TCPIP$SNMP_SCAN_ALLDEV is defined, the entire set of devices will be scanned. If the logical is not defined, then only the following devices will be scanned:

o  Disk

o  Tape

o  Communication device

o  Terminal

o  Line printer

o  Work stations

o  General audio

o  Bus

o  General video

o  DEC voice products

4.21 SSH, SCP and SFTP problems fixed in this release

The following section describes SSH, SCP and SFTP problems fixed in this release.

4.21.1 Error message is overwritten for "illegal options" provided with ls

Problem:

For illegal options provided with ls, such as ls a, SFTP displays an error message: Illegal option---a.
The error message is partially overwritten by blank lines and by the next sftp> prompt.

Solution:

This problem is fixed in this release.

4.21.2 SSH server crashes when non-existent username is specified

Problem:

The SSH server crashes on login when a non-existent user name is specified at the login prompt.

Solution:

This problem is fixed in this release.

4.21.3 MGET *.<file extension> does not work

Problem:

MGET *.<file extension> does not work with the SFTP server.

Solution:

This problem is fixed in this release.

4.21.4 SCP Copy does not work with filenames with wildcards

Problem:

SCP copy does not work with filenames with wildcards.

Solution:

This problem is fixed in this release.

4.21.5 LS *.TXT fails to display files

Problem:

LS *.TXT fails to display files on the SFTP client.

Solution:

This problem is fixed in this release.

4.21.6 SSH idle-timeout counter fails to reset

Problem:

Although the SSH server sends messages to the client within the configured idle-timeout period, the SSH client would still time out.
Hence, the SSH idle-timeout counter would fail to reset if a message was received from the server.

Solution:

This problem is fixed in this release.

4.21.7 SFTP client converts filenames to uppercase

Problem:

On ODS-5 disks, when connecting to a UNIX system using the get command, the SFTP client converts filenames to uppercase.

Solution:

This problem is corrected in this release.

4.21.8 SFTP "PUT" command fails on Windows server

Problem:

When copying a file using the PUT command from an OpenVMS system to a Windows 2003 PC using WS_FTP Server 7.1 from IPSWITCH.COM, an SSH_FILEXFER_ATTR_PERMISSIONS error is returned. A file header is created, but no data is placed in the file. Both binary transfers and ascii stream_lf transfers fail.

Solution:

This problem is corrected in this release.

4.21.9 SFTP "CD SYS$LOGIN" fails

Problem:

In an SFTP session from an OpenVMS system, the user cannot navigate to the home directory using "cd sys$login" or "cd /" or "cd ~".
When such an operation is attempted, a privileged user is directed to a wrong directory (which in most cases is the ssh's home directory), and an unprivileged user gets a "CD FAILED" error.

Solution:

This problem is corrected in this release.

4.21.10 SFTP process becomes CPU-bound when using CHROOT

Problem:

The SFTP process becomes CPU-bound when using CHROOT. If most of the SFTP processes become CPU-bound, it can render the OpenVMS system unusable, resulting in a denial of service.

Solution:

This problem is corrected in this release.

4.21.11 ls * .txt does not display the list of files

Problem:

The ls * .txt command in SFTP fails to display the list of files in the current working directory and exits with an ACCVIO.

Solution:

This problem is corrected in this release.

4.21.12 Copy fails with wildcard (*) character

Problem:

SCP copy fails when the command is entered with the wildcard (*) character.
The copy command also fails when entered with the percentage sign (%).

Solution:

This problem is corrected in this release.

4.21.13 ACCVIO on non-existent user

Problem:

The SSH server fails with an ACCVIO on a non-existent user.

Solution:

This problem is corrected in this release.

4.21.14 mget *.lis does not work

Problem:

In an SFTP session, the mget *.lis command fails to work.

Solution:

This problem is corrected in this release.

4.21.15 ls -l fails to work

Problem:

The ls -l command in SFTP does not work.

Solution:

This problem is corrected in this release.

4.21.16 ACCVIO if identifier not the same as the username

Problem:

An ACCVIO error occurs in the SSH client if the identifier name for the current UIC is not the same as the username.

Solution:

To keep compatibility with older versions, the logical name TCPIP$SSH_ALLOW_IDENT_MISMATCH must be assigned in the system table to enable the new behavior.
If not assigned, or if assigned with numeric value 0, the code behaves as in previous versions.

4.21.17 Wildcard ("*") processing on "ls"

Problem:

Within SFTP, wildcard ("*") processing does not work properly on ls or, if the target file already exists, on mget.

Solution:

This problem is corrected in this release.

4.21.18 Entering an extra <CR>

Problem:

Within SFTP, it is necessary to enter an extra <CR> after pressing <CTRL/Z>, <CTRL/Y>, or <CTRL/C>. Also, display of the resulting messages such as "** Interrupt **" is not consistent with other TCPIP components, nor with longstanding VMS usage.

Solution:

A new logical name, TCPIP$SSH_SFTP_SUPPRESS_EXIT_MESSAGES, is available to suppress display of the following messages:

    - CTRL/Z -> ** Exit **
    - CTRL/Y -> ** Interrupt **
    - CTRL/C -> ** Cancel **

It is effective if the logical name is defined at the system level (/SYSTEM) with any value except 0.

4.21.19 SSH access to an account with an expired password and a PWDLIFETIME of 0

Problem:

SSH access to an account with an expired password and a PWDLIFETIME of 0 still requires a password change, unlike TELNET or SET HOST.

Solution:

This problem is corrected in this release.

4.21.20 put *.*;* may not work

Problem:

The SFTP command put *.*;* fails with an ACCVIO error.

Solution:

This problem is corrected in this release.

4.21.21 Ability to navigate to subdirectories has regressed

Problem:

From a PC SFTP client, specifically the one from SSH Inc., the ability to navigate to subdirectories has regressed from a previous fix.

Solution:

This problem is corrected in this release.

4.21.22 ls -r fails with an error

Problem:

In SFTP, an ls -r command fails with an error and does not display any files in the subdirectories.

Solution:

This problem is corrected in this release.

4.21.23 Transferring larger files

Problem:

Using SCP or SFTP to transfer a file larger than 2 GB results in a corrupt file.

Solution:

This problem is corrected in this release.

4.21.24 ls command fails to list ODS-5 extended filenames

Problem:

In SFTP, output from an ls command fails to list ODS-5 extended filenames.

Solution:

This problem is corrected in this release.

4.21.25 Error returned by the stat() function during a "get" operation

Problem:

Although the files are in a subdirectory of the current source with recursion disabled, SFTP complains about an error returned by the stat() function during a get operation.

Solution:

This problem is corrected in this release.

4.21.26 SSH server enforces an idle session timeout value

Problem:

The SSH server's enforcement of the idle session timeout value has the following issues:

o  The actual idle timeout is about 10% greater than the configured IdleTimeOut value.

o  Activity from the client after approximately 90% of the IdleTimeOut duration is not counted; the session is cut off anyway.

Solution:

A new logical name, TCPIP$SSH_SHIFT_IDLE_TIMEOUT, when defined with anything other than "0", causes a shifting of the window of actual enforced timeout values. Rather than allowing an idle user a grace period of up to 10% of the configured IdleTimeOut, the timeout will actually be enforced at some time between 95% and 105% of that value.

4.21.27 ACCVIO error during password validation

Problem:

An ACCVIO error occurs in SSH during password validation.

Solution:

This problem is corrected in this release.

4.21.28 Issues related to the password change

Problem:

Following are the issues related to the password change feature in SSH:

o  The old password sent by a client is ignored by the OpenVMS SSH server.

o  The OpenVMS client never prompts the user for an old password.

Solution:

On the SSH server, if the value for pwdlifetime for a user account in the SYSUAF is 0 (none), the user at the client is not prompted to update his password even if it has expired. This is an OpenVMS feature, not specific to SSH.

For the password update feature to work, the appropriate value in SSHD2_CONFIG. must be set to "yes" (without the quotation marks).

    Client is VMS:
        AllowVmsLoginWithExpiredPw (default is yes)
    Client is not VMS:
        AllowNonvmsLoginWithExpiredPw (default is no)

For some clients, if the value of AllowedAuthentications in SSHD2_CONFIG.
is set to password only, the following situation may occur for the user at the client:

a. Client prompts for the account password.

b. User enters the correct password.

c. The password has expired; client prompts user to re-enter the old and new passwords.

d. The user enters an incorrect old password.

e. Client now re-prompts the user to enter a password, as described in step a. However, when the user enters the correct password, step c does not occur. Instead, step e is repeated.

f. Eventually, the login attempt fails.

This behavior does not occur with the OpenVMS client.

There is a new logical name. To enable prompting for the old password in the OpenVMS SSH client when updating an expired password, use the following command:

    $ DEFINE /SYSTEM TCPIP$SSH_NUM_OLD_PASSWORD_CHECKS n

where "n" is the number of guesses that the client is to be allowed for the old password. You should make this value less than or equal to the value of the variable PasswordGuesses in the server configuration file SSHD2_CONFIG.
A separate mechanism is required to define the value for the client since it does not have access to SSHD2_CONFIG., but only to SSH2_CONFIG.

To make this value permanent across reboots, include the command in the system startup procedure. Note that if n = 0 or "0", or if the logical is not defined, the SSH client will not prompt for the old password.

4.21.29 Error message appears at the conclusion of a copy operation

Problem:

When using SCP to copy a file to a remote non-OpenVMS server, the error message "got EOF reading file" sometimes appears at the conclusion of the copy operation, which is otherwise a successful operation.

Solution:

This problem is corrected in this release.

4.21.30 -r command does not work as expected

Problem:

The scp -r command does not work as expected.

Solution:

The -r option is intended to be used when the source path specifies a directory, not including filename(s). Copying files where a filename is specified does not require use of the -r option.

Note, however, that when a filename is specified, even if it is in a subdirectory of the current default, the file is copied to the target default.
When a directory name is used as the source and -r is specified, the directory tree is reproduced on the target system.

The fix for this case enables the OpenVMS SCP client to handle directory levels more than one deep when the -r option is used. As before, recursive copy is not supported for the SFTP client.

Also, recursive copy with filenames not specified preserves the version number of the source file. This behavior means that when the target of a put command is also an OpenVMS system, the file will not be copied if that version already exists. An error message similar to the following is displayed:

    tcpip$ssh_scp2.exe:
    warning: open: ./testroot/AFILE.TXT;1 (dst):
    unspecified failure (server msg: 'syserr: bad file
    number, file: ./testroot/AFILE.TXT;1')

4.21.31 Directory logical names get translated on the client

Problem:

In SFTP and SCP, directory logical names get translated on the client system instead of being passed to the server.

Solution:

Logical names entered through the SCP and SFTP clients should be translated on the server system. For example, if the client and server systems have a different translation for the same system-wide logical name, the one on the server should be used. Note that because the SFTP server does not execute the SYS$SYLOGIN command procedure, some logical names available in interactive sessions are not available, e.g., SYS$LOGIN.

If a user does not have access to the directory referenced by a logical name (e.g., TCPIP$SSH_HOME for a non-privileged account), a cd in SFTP will fail, as expected.

Also note that from a non-OpenVMS client, no attempt is made to translate a string as a logical name; behavior depends on the client. For example, from a Red Hat Linux system:

    sftp> cd name

(no leading slash before "name") results in an attempt to move to the [.name] subdirectory of the current default location.

    sftp> cd /name

results in an attempt to go to a device "name", with no directory specified, which fails.

Current default: dev1:[user1]; dev1:[user2] does not exist:

    sftp> cd dirname
    sftp> pwd
    Remote working directory: /DEV1/user1/dirname

    sftp> cd /dev1
    Couldn't canonicalise: No such file or directory

    sftp> cd /dev1/user1
    sftp> pwd
    Remote working directory: /dev1/000000/user1

    sftp> cd /dev1/user2
    Couldn't stat remote file: No such file or directory

4.21.32 Miscellaneous Problems

Problem:

o  Within SFTP, the cd ..
   command does not work, and ls *.*; does not work for directories.

o  SFTP behavior is inconsistent for cd and ls when the target directory does not allow full user access.

o  For directories allowing READ+EXECUTE access, the ls command sometimes results in an error message along with a display of the appropriate filenames.

o  For directories allowing EXECUTE access only, ls should not list files, but it did list them (along with an error message). It must list a file only if that specific name is specified by the user.

Solution:

The following are some differences from DCL or FTP behavior and messages:

When an "ls" encounters a file for which attributes are not accessible to the user on the SFTP server, the following text is included in any message displayed: no privilege for attempted operation. For example:

    fcr_readdir_lstat: G-R.TXT;1 (src): no such file
    (server msg: 'platform cannot stat() filename: file
    does not exist or no privilege for attempted
    operation.')

Like FTP and DCL, SFTP does not allow a general ls (with no filename specified) for a directory on the server to which the user has E (Execute) access only.
However, unlike FTP or DCL, SFTP does not work for an ls followed by a specific filename in an E access directory.

For certain files, mainly those that do not exist on the server, the following new client-based message is displayed instead of the standard message sent by the server:

    no such file (client msg: no such file or directory,
    or no privilege for attempted operation)

4.21.33 SSH server may not complete authentication

Problem:

If the TCPIP$SOCKET_TRACE logical name is defined, the SSH server may not complete authentication and all logins fail.

Solution:

This problem is corrected in this release.

4.21.34 SSH client uses an existing SSH connection for a new SFTP session

Problem:

The SSH server may fail to generate an ACCVIO error when the SSH client uses an existing SSH connection for a new SFTP session.

Solution:

This problem is corrected in this release.

4.21.35 Messages displaying the last interactive and last non-interactive login times are not displayed

Problem:

When logging into OpenVMS with SSH, messages displaying the last interactive and last non-interactive login times are not displayed.
Nor does a message flag the number of login failures since the last
successful login.

Solution:

This problem is corrected in this release.

4.21.36 X application fails authentication

Problem:

X11 chaining with a TCP/IP Services host in the middle of the chain
causes the X application to fail authentication. For example, if host1
through host3 are OpenVMS systems:

    host1> SSH "+X" host2
    ...snip...
    host2> SSH "+X" host3
    ...snip...
    host3> RUN SYS$SYSTEM:DECW$CLOCK
    warning: X11 auth data does not match fake data.
    XIO: fatal IO error 65535 (network partner disconnected logical
    link) on X server "_WSA12:"

Solution:

Some clients may attempt keyboard interactive client authentication,
which may send a null username string. The new code should handle this
situation; in case of errors, the workaround is to change or add the
following line in the TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.
file:

    PreserveUserKeyCase no

4.21.37 PUT command to Sterling or Tumbleweed software failed
        with errors

Problem:

SFTP put to servers running Sterling or Tumbleweed software failed
with errors such as Operation unsupported or The requested operation
cannot be performed because there is a file transfer in progress.

Solution:

This problem is corrected in this release.

4.21.38 Fails to set the last non-interactive login time

Problem:

SFTP sessions do not set the last non-interactive login time in the
user's UAF record, which is inconsistent with FTP.

Neither SFTP sessions nor single command mode SSH logins get an
SSH-generated USER type accounting record, as do other interactive
terminal logins.

Solution:

This problem is corrected in this release.

4.21.39 SSH server could be sent into a tight loop

Problem:

When the Tectia SSH client is used and multiple file transfer windows
are open, the SSH server could be sent into a tight loop.

When using a client that multiplexed SFTP sessions over existing SSH
connections, each time an SFTP session ended, the SSH server parent
process (the process running TCPIP$SSH_SSHD2.EXE) is left with a link
to a BG device that no longer exists, a waste of resources for the
server process.

Solution:

This problem is corrected in this
release.

4.21.40 ListenAddress SSH server configuration field is not
        supported

Problem:

The ListenAddress SSH server configuration field is not supported on
TCP/IP Services for OpenVMS. Instead, the same effect can be achieved
by using the command TCPIP SET SERVICE /ADDRESS. However, this
difference is not obvious to users.

Solution:

A warning message, generated by the SSH server, is added to point the
user to that command.

4.21.41 Protections on key files created by SSH_KEYGEN

Problem:

Protections on key files created by the SSH_KEYGEN utility are
UNIX-style, not OpenVMS-style. Specifically, they allowed only READ
and not EXECUTE access. For example:

    KEYFILE.;   -- (RWD,RWD,,)
    KEYFILE.PUB -- (RWD,RWD,R,R)

Solution:

This problem is corrected in this release.

4.21.42 "-e" switch on SSH_KEYGEN does not work

Problem:

The -e switch on the SSH_KEYGEN utility does not work.

Solution:

This problem is corrected in this release.

4.21.43 Password expiry

Problem:

When a password expires and the UAF DisForce_Pwd_Change flag is set,
the SSH server does not set the PWD_EXPIRED or PWD2_EXPIRED UAF flag
to prevent subsequent user logins not to change their password with
SET PASSWORD.
This allows circumvention of password expiration as users with expired
passwords may not continue to log in.

When logging in with the PWD_EXPIRED or PWD2_EXPIRED UAF flag set, the
SSH server does not issue a text warning to the client as they
expected from using TELNET and other login methods:

    Your password has expired; contact your system manager

Instead, the SSH server cues three times for password, even if the
password is entered correctly, and then disconnects.

Solution:

If a user's account has the DisForce_Pwd_Change UAF flag set, and the
user does not change their expired password during password-based
login, any subsequent login (including SSH public key) will be
rejected until the user's PWD_EXPIRED (or PWD2_EXPIRED) flag is reset
by the system administrator.

When logging in with the PWD_EXPIRED or PWD2_EXPIRED UAF flag set, the
SSH server now correctly returns the text:

    Your password has expired; contact your system manager

However, some clients do not display the message.
  3         4.21.44 SSH access to Integrity ILO consoleC                 Problem:  @               SSH access to Integrity ILO console results in the               following error:  2                    warning: Authentication failed.F                    Disconnected; key exchange or algorithm negotiation0                    failed (Key exchange failed.)                 Solution:n  I                                                          Corrections 4-61  o  e               Correctionss=         4.21 SSH, SCP and SFTP problems fixed in this release     8               This problem is corrected in this release.  @         4.21.45 Explanatory message back to the client during an)                 attempted password changee                 Problem:  F               The SSH server fails to send an explanatory message backF               to the client during an attempted password change if the+               chosen password is too short.                  Solution:s  G               After a password is entered, a message about the passwordsG               being too short or in the history list is returned, or ifcH               the new password is good, the user is logged in. The valueG               of PasswordGuesses in sshd2_config is not checked for newC%               password entry guesses.P  D         4.21.46 Connecting to AIX OpenSSH server results in an error                 Problem:  I               Connecting from an OpenVMS SSH client to AIX OpenSSH server 5               results in the following error message:   @               Did not receive identification string from n.n.n.n                 Solution:N  I               The SSH client's modified behavior (sending an SSH protocoleI               version string of "SSH-2.0" rather than "SSH-1.99") appliestI               only when the new TCPIP$SSH_AIX_PATCH logical is defined in 5               the SYSTEM table with a non-zero value. 
  @         4.21.47 Log into a non-existent account via SSH may fail                 Problem:  H               An attempt to log into a non-existent account via SSH withE               password authentication may cause an SSH server ACCVIO.                  Solution:   8               This problem is corrected in this release.           4-62 Corrections    t      I                                                               Corrections I                     4.21 SSH, SCP and SFTP problems fixed in this release     )         4.21.48 UserLoginLimit is ignorede                 Problem:  F               The SSH server configuration parameter UserLoginLimit is               ignored.                 Solution:   8               This problem is corrected in this release.  5         4.21.49 Using X11 forwarding frequently fails                  Problem:  <               When using SSH in single command mode with the?               TCP/IP Services for OpenVMS SSH server, where the ?               command being issued used X11 forwarding (such asnC               CREATE/TERMINAL/DETACH), the command frequently failsrH               with an error such as X Toolkit Error: Can't Open display.D               A call to WAIT in TCPIP$SSH_RCMD.COM worked around the6               problem but introduces additional delay.  E               When interactively logging into the TCP/IP Services for I               OpenVMS SSH server, every login incurred an unnecessary onee               second delay.i                                      I                                                          Corrections 4-63  t                  CorrectionsS=         4.21 SSH, SCP and SFTP problems fixed in this release                    Solution:   8               This problem is corrected in this release.  G         4.21.50  RIGHTSLIST identifier missing displays an ACCVIO errors                 Problem:  D               If SSH_KEYGEN is used from an account whose RIGHTSLISTI       
identifier is missing, an ACCVIO is displayed rather than a more
graceful error message.

Solution:

This problem is corrected in this release.

4.21.51 Opening multiple interactive login sessions over one SSH
        TCP connection

Problem:

When an SSH client tries to open multiple interactive login sessions
over one SSH TCP connection, the TCP/IP Services for OpenVMS SSH
server loops or exits with an error, rather than gracefully rejecting
the additional sessions.

Solution:

This problem is corrected in this release.

4.21.52 Rename command for a file with an OpenVMS version number
        returns an error

Problem:

When an SFTP client user issues a rename command for a file with an
OpenVMS version number, an error is returned. The file is not renamed.

Solution:

This problem is corrected in this release.

4.21.53 "password aging" message is not displayed

Problem:

The SSH server does not provide a password aging message when the user
logs into the system with a nearly expired password.

Solution:

This problem is corrected in this release.

4.21.54 Re-entering the old password as the new password

Problem:

During a forced password change, if the user tries to re-enter the old
password as the new one, the SSH server may simply close the
connection rather than displaying an error
message and allowing the user to choose a different password.

Solution:

This problem is corrected in this release.

4.21.55 ACCVIO when the batch mode is used

Problem:

An ACCVIO occurs in the SCP or SFTP client when the batch mode option,
-b, is used from a DCL procedure in a subprocess where SYS$OUTPUT or
SYS$INPUT has been redefined to point to a file.

Solution:

This problem is corrected in this release.

4.21.56 Weak password and system-dictionary checking does not
        happen

Problem:

During a forced password change, the SSH server does not perform weak
password checking or system-dictionary checking on the proposed new
password.

Solution:

This problem is corrected in this release.

4.21.57 SSH login via public key authentication may fail

Problem:

Although the expired password is not used, an SSH login via public key
authentication may fail, if the target user has the
DISFORCE_PWD_CHANGE flag set or improperly set the PWD_EXPIRED or
PWD_EXPIRED2 flag.

Solution:

This problem is corrected in this release.

4.21.58 LCD command in SFTP fails with "CD failed"

Problem:

The LCD command in SFTP fails with a CD failed error if not connected
to a remote SFTP server, although it should have been possible to
change the local directory.
Also, the CD command returns the same error when an OpenVMS-style
directory specification is used while connecting to a non-OpenVMS
server.

Solution:

This problem is corrected in this release.

4.21.59 Error and command messages to stderr (SYS$ERROR) and
        stdout (SYS$OUTPUT)

Problem:

The SFTP client fails to properly direct error and command messages to
stderr (SYS$ERROR) and stdout (SYS$OUTPUT) as appropriate.

Solution:

This problem is corrected in this release.

4.21.60 Data appears to be truncated on the remote end

Problem:

The SFTP and SCP utilities are not properly 'put'ing fixed record
format files to non-VMS systems. The data appears to be truncated on
the remote end.

Solution:

This problem is corrected in this release.

4.21.61 Spurious debug messages at the end of an SFTP log file

Problem:

Spurious debug messages appear at the end of an SFTP log file.

Solution:

This problem is corrected in this release.

4.21.62 Authentication failure when trying to connect to HP
        ProLiant iLO mpSSH Server

Problem:

Authentication fails when attempting to use the OpenVMS SSH client to
connect to an HP ProLiant iLO mpSSH Server.

Solution:

This problem is corrected in this release.

4.21.63 Only the first 3 IdKeys are processed

Problem:

When using SSH with public key authentication, only the first 3 IdKeys
are processed from the IDENTIFICATION file.

Solution:

This problem is corrected in this release.

4.21.64 lcd to logical name specification restrictions

Problem:

o  When SFTPed to a UNIX system, lcd to a logical name specification
   works for the first time, but subsequent attempts to lcd to any
   logical name may fail.

o  When sftp'd to an OpenVMS or UNIX system, lcd to a logical name
   specification followed by an lcd to a directory specification in
   OpenVMS syntax (for example, [.tmp]) may fail with the following
   error:

   Warning: chdir(/sys$login/./tmp) errno = 2  PWD failed.

Solution:

This problem is corrected in this release.

4.21.65 Port forwarding fails if ResolveClientHostName is set to
        'no'

Problem:

SSH port forwarding fails if the SSHD2_CONFIG.
option ResolveClientHostName is set to 'no'.

Solution:

This problem is corrected in this release.

4.21.66 Transferring large number of files using SFTP

Problem:

Transferring a very large number of files using SFTP can result in a
memory allocation error and displays the following error:

    "Not enough memory"

or

TCPIP-F-SSH_ALLOC_ERROR due to a memory leak.

Solution:

This problem is corrected in this release.

4.21.67 SSH connection requests are handled as NETWORK access

Problem:

All the various types of SSH connection requests (for example, SSH
interactive sessions, single command mode, SFTP) are handled as
NETWORK access, instead of differentiating by session type.

Solution:

This problem is corrected in this release.

4.21.68 UAF account expiry is not notified

Problem:

If a UAF account has "expired", SSH does not properly notify the user.
It also logs an inappropriate intrusion record when a valid but
expired password is presented.

Solution:

This problem is corrected in this release.

4.21.69 Characters from extended character set are allowed

Problem:

Although the UAF flag PWDMIX is not set, SSH allows characters from
the extended character set to be used when creating a password during
an expired password change event.

Solution:

This problem is corrected in this release.

4.21.70 Accessing files via SFTP causes excessive Security alarms

Problem:

Accessing files via SFTP causes excessive Security alarms in the Audit
log complaining that EXECUTE access is required for the SYSUAF.DAT
file.

Solution:

This problem is corrected in this release.

4.21.71 SYS$ANNOUNCE message displayed after login

Problem:

The SYS$ANNOUNCE message is displayed after login, and display of the
SYS$WELCOME message is not implemented.

Solution:

This problem is corrected in this release.

4.21.72 "ls -l" and the "rename" command with wildcards fails

Problem:

Using the SFTP ls -l and the rename command with wildcards (*) fails
when the specified name was a directory.

Solution:

This problem is corrected in this release.

4.21.73 Opening a second Tectia SSH client

Problem:

Attempts to open a second Tectia SSH client session
may result in both sessions getting disconnected.

Solution:

This problem is corrected in this release.

4.21.74 Server process crashes while listing files

Problem:

The SFTP Server process crashes while listing files, if any one of the
listed file owner names is equal to or greater than the OpenVMS
maximum allowable length, that is, 12 characters.

Solution:

This problem is corrected in this release.

4.22 SYSCONFIG problems fixed in this release

The following section describes SYSCONFIG problems fixed in this
release.

4.22.1 Sysconfigdb generates incorrect error message

Problem:

The sysconfigdb command generates a %SYSTEM-F-SSFAIL, system service
failure exception instead of exiting gracefully upon detecting an
error.

Solution:

This problem is corrected in this release.

4.23 TCPDUMP problems fixed in this release

The following section describes TCPDUMP problems fixed in this
release.

4.23.1 TCPDUMP exits with a success status when invalid arguments
       are passed

Problem:

Although invalid command line arguments are passed, TCPDUMP may exit
with a success status.
It must exit with something more descriptive, such as %SYSTEM-E-ABORT
(condition code 42).

Solution:

This problem is corrected in this release.

4.24 TELNET problems fixed in this release

The following section describes TELNET problems fixed in this release.

4.24.1 Arbitrary characters received on the TELNET server

Problem:

Arbitrary characters are received on the TELNET server when used in
binary mode.

Solution:

This problem is fixed in this release.

4.24.2 Quoted character gets dropped

Problem:

A binary telnet session occasionally drops a quoted character.

Solution:

This problem is corrected in this release.

4.24.3 User authorization failure

Problem:

When you establish a telnet session in binary mode to an OpenVMS host
by entering Ctrl-U+Username followed by Ctrl-U+password, it results in
a user authorization failure.

Solution:

This problem is corrected in this release.

4.24.4 Destination address is not set correctly

Problem:

The destination address associated with an outbound TN device is not
always set correctly.

Solution:

This problem is corrected in this release.

4.24.5 Allocating a freshly-created outbound TN device

Problem:

Allocating a freshly-created outbound TN device is not possible
because the device is initially marked as
mounted. The message SYSTEM-F-DEVMOUNT, device is already mounted may
result from an attempt to use the DCL ALLOCATE command.

Solution:

This problem is corrected in this release.

4.24.6 "INVEXCEPTN @SMP$ACQUIRE_C + 00034" error displayed

Problem:

The system crashes with the following message:

    INVEXCEPTN @SMP$ACQUIRE_C + 00034.

Solution:

This problem is corrected in this release.

4.24.7 Logins blocked after the seed for TN devices exceeding
       9999

Problem:

Further logins are blocked after the seed for TN devices exceeds 9999.

Solution:

This problem is corrected in this release.

4.24.8 TN3270 users receive an error message

Problem:

TN3270 users receive an error message while attempting to load the
translation table file.

Solution:

This problem is corrected in this release.

4.24.9 OpenVMS telnet client echoes the password

Problem:

The OpenVMS telnet client echoes the password when you try to log in
to a Linux busybox telnet server from an OpenVMS system.

Solution:

This problem is corrected in this release.

4.25 TFTP problems fixed in this release

The following section describes TFTP problems fixed in this release.

4.25.1 TFTP server randomly exits in between a file transfer

Problem:

To boot diskless systems, the TFTP server is used to fetch the boot
files from the server. When an OpenVMS system tries to boot by first
fetching the files from the TFTP server, it works as expected. But
when this same operation is performed by multiple systems, random
failures are observed in the file transfer.

Solution:

This problem is corrected in this release.

4.26 User Control Program problems fixed in this release

The following section describes User Control Program problems fixed in
this release.

4.26.1 Enabling the 128th service using CONFIG ENABLE SERVICE

Problem:

A maximum of 127 new services can be created using TCPIP> CONFIG
ENABLE SERVICE. On enabling the 128th service, the following error
message is displayed:

    %TCPIP-E-CONFIGERROR,   error processing configuration request
    %TCPIP-E-TOOMANYSERV, database already has maximum number of

Solution:

This problem is fixed in this release.

4.26.2 Entering a long domain name may trigger a failure while
       configuring TCPIP

Problem:

While executing TCPIP$CONFIG.COM in an attempt to initially configure
TCPIP, entering a very long domain name may trigger a failure, making
it impossible to configure the system. The underlying cause was a
failing TCPIP SHOW CONFIGURATION COMMUNICATION /OUTPUT=filename
command, which had an 80-character line length limitation.

Solution:

This problem is corrected in this release.

4.26.3 TCPIP SHOW COMMUNICATION truncates its output

Problem:

The TCPIP SHOW COMMUNICATION command truncates its output when the
domain name is more than 29 characters long.

Solution:

This problem is corrected in this release.

4.26.4 SET NAME_SERVICE /INITIALIZE /CLUSTER fails to find
       TCPIP$BIND_RUNNING_*.DAT;*

Problem:

The SET NAME_SERVICE /INITIALIZE /CLUSTER command attempts to find the
file TCPIP$BIND_RUNNING_*.DAT;* but fails because the semantics of the
TCPIP$BIND_COMMON logical name have changed.

Solution:

This problem is corrected in this release.

4.26.5 TCPIP SHOW DEVICE_SOCKET output is not properly formatted

Problem:

When used with the DCL command PIPE, the output from a TCPIP SHOW
DEVICE_SOCKET command is not properly formatted.

Solution:

This problem is corrected in this release.

_________________________________________________________________

5  Documentation Update

This chapter describes updates to the information in the TCP/IP
Services product documentation.

This information will be supplied in the final release of
TCP/IP Services.

5.1 Documentation Not Being Updated for This Release

The following manuals are not updated for TCP/IP Services Version 5.7.
Documentation changes planned for these manuals are indicated:

o  TCP/IP Services for OpenVMS Installation and Configuration

o  TCP/IP Services for OpenVMS Management Guide

o  TCP/IP Services for OpenVMS Guide to SSH

o  TCP/IP Services for OpenVMS Concepts and Planning

o  TCP/IP Services for OpenVMS Management Command Reference

o  TCP/IP Services for OpenVMS Management Command Quick Reference Card

o  TCP/IP Services for OpenVMS ONC RPC Programming

o  TCP/IP Services for OpenVMS Sockets API and System Services
   Programming

o  TCP/IP Services for OpenVMS Tuning and Troubleshooting

o  TCP/IP Services for OpenVMS User's Guide

5.2 Documentation Errata

The following section describes the documentation updates and errata
for the TCP/IP documentation set:

o  Point-to-Point Protocol Support

   The HP TCP/IP Services for OpenVMS Management manual specifies that
   Point-to-Point Protocol (PPP) is supported only on Alpha systems.
   This feature is now supported on both OpenVMS Integrity servers and
   Alpha systems.
  .               o  REPLY /ENABLE=NETWORK command  H                  In the HP TCP/IP Services for OpenVMS Management manualE                  (page 24-13), Section 24.10, Receiving LPR/LPD OPCOMrD                  Messages, the following command used to receive the                  notifications:   4                  $ TCPIP SET SERVICE LPD /LOG=option&                  $ REPLY /ENABLE=OPCOM  $                  stands corrected as  4                  $ TCPIP SET SERVICE LPD /LOG=option(                  $ REPLY /ENABLE=NETWORK  /               o  Default value for TCP_KEEPIDLE.  F                  In the HP TCP/IP Services for OpenVMS Sockets API andB                  System Services Programming manual (page A-3) andD                  TCP/IP Help, the /PROBE_IDLE setting corresponds toI                  three different sysconfig parameters: TCP_KEEPINIT, TCP_oH                  KEEPINTVL, and TCP_KEEPIDLE. The default value for TCP_H                  KEEPIDLE was mentioned as 75 seconds. The default valueH                  for TCP_KEEPIDLE is now increased to 2 hrs, which is onH                  par with the RFC requirement, and the default value forI                  TCP_KEEPINIT and TCP_KEEPINTVL remains same, which is 75r                  seconds. 
o  SSH_KEYGEN -e Command Option Converts OpenSSH-based
   Public Key to OpenVMS Format

   If you want to enable public-key authentication on an
   OpenVMS system by copying the public key generated
   on a Linux (or other OpenSSH-based) system instead
   of generating the pair of keys using the OpenVMS
   ssh-keygen utility, use the -e qualifier to convert the
   public key before you transfer it to the OpenVMS system.

   OpenSSH-based systems, such as the typical Linux system,
   use their own file format for SSH keys.

   For example:

   % ssh_keygen -e -f public-key > openvms-format-public-key

   The -e qualifier was inadvertently omitted from the
   HP TCP/IP Services for OpenVMS Guide to SSH, section
   Using the SSH_KEYGEN Utility (page 46).

A  LPD/LPR Configuration

This appendix illustrates how to configure LPD/LPR jobs
from a local host to a remote system.

A.1 Configuring LPD job from local host to the remote system

The print jobs must be submitted from the local host, "HOSTA",
to the remote system, "HOSTB".

To configure the LPD jobs from a local
host to the remote
system, where the LPD server is not listening on the default
port (515), complete the following steps:

1. On "HOSTA", set up the printcap entry for the printer in
   the TCPIP$PRINTCAP.DAT file as follows:

   LOOP_BOGUS_P_1|loop_bogus_p_1:\
           :lf=/TCPIP$LPD_ROOT/000000/LOOP_BOGUS_P_1.LOG:\
           :lp=LOOP_BOGUS_P_1:\
           :rm=hostb.hp.com:\
           :rp=bogus_p_1:\
           :rt=1234:\
           :sd=/TCPIP$LPD_ROOT/LOOP_BOGUS_P_1:

2. On "HOSTB", configure the LPD receiver to listen on port
   1234. Manually define another service database entry
   that is the same as LPD. Use the standard procedure to set
   and enable the service.

A.2 Configuring LPD job from local host to the remote system over
    the SSH tunnel

The print jobs are submitted from "HOSTA" to the remote
system, "HOSTB". The LPD receiver is running on HOSTB,
listening on the default port or any other configured port.
The encrypting SSH tunnel is established between HOSTA's
port (rt) and HOSTB's port on which the LPD receiver is
listening.

To configure LPD jobs from a local host to a remote system
over the SSH tunnel, complete the following steps:

1. On "HOSTA", set up the printcap entry for the printer in
   the TCPIP$PRINTCAP.DAT file as follows:

   LOOP_BOGUS_P_1|loop_bogus_p_1:\
           :lf=/TCPIP$LPD_ROOT/000000/LOOP_BOGUS_P_1.LOG:\
           :lp=LOOP_BOGUS_P_1:\
           :rm=localhost:\
           :rp=bogus_p_1:\
           :rt=1234:\
           :sd=/TCPIP$LPD_ROOT/LOOP_BOGUS_P_1:

   Note that the rm field is set to "localhost".

2. On "HOSTB", using the standard LPD configuration
   procedure, configure the LPD receiver listening on port
   515.

   Or

   If you want to configure LPD on a port other than
   the default port, manually define another service
   database entry that is the same as LPD.

3. Run the SSH command on "HOSTA" to establish the SSH
   tunnel between the local port and remote port. For
   example, if the rt is 1234 on the local host and
   the remote port is "515" on which the LPD server is
   listening, use the following command to establish the
   SSH tunnel:

   SSH -"L"1234:localhost:515 hostb.hp.com
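A consistency check for the A.1 and A.2 procedures above, as an added example that is not part of HP's release notes: it parses a printcap entry and the port:host:hostport argument of the SSH -L command and reports where the two disagree. The function names are hypothetical, the entries are the ones shown in A.1 and A.2, and treating a missing rt field as port 515 is an assumption.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Entry from section A.1 (direct); A.2 differs only in rm=localhost.
DIRECT = r"""LOOP_BOGUS_P_1|loop_bogus_p_1:\
        :lf=/TCPIP$LPD_ROOT/000000/LOOP_BOGUS_P_1.LOG:\
        :lp=LOOP_BOGUS_P_1:\
        :rm=hostb.hp.com:\
        :rp=bogus_p_1:\
        :rt=1234:\
        :sd=/TCPIP$LPD_ROOT/LOOP_BOGUS_P_1:
"""
TUNNELLED = DIRECT.replace("rm=hostb.hp.com", "rm=localhost")

def parse_printcap(text):
    """Return (names, fields) for a single printcap entry."""
    joined = re.sub(r"\\\s*\n\s*", "", text.strip())  # undo "\" continuations
    parts = [p.strip() for p in joined.split(":") if p.strip()]
    fields = dict(p.partition("=")[::2] for p in parts[1:])
    return parts[0].split("|"), fields

def parse_forward(spec):
    """Parse the port:host:hostport argument of SSH -L, as shown in A.2."""
    parts = spec.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected port:host:hostport, got {spec!r}")
    return int(parts[0]), parts[1], int(parts[2])

def check_tunnel(printcap_text, forward_spec, receiver_port=515):
    """Return findings; an empty list means printcap and tunnel agree."""
    _, fields = parse_printcap(printcap_text)
    local_port, fwd_host, fwd_port = parse_forward(forward_spec)
    findings = []
    rm = fields.get("rm", "")
    if rm.lower() not in LOOPBACK:
        findings.append(f"rm={rm}: jobs go directly to the remote host, not through the tunnel")
    # Assumption: an entry without rt uses the default LPD port, 515.
    rt = int(fields.get("rt", 515))
    if rt != local_port:
        findings.append(f"rt={rt} does not match tunnel local port {local_port}")
    if fwd_port != receiver_port:
        findings.append(f"tunnel ends at port {fwd_port}, receiver listens on {receiver_port}")
    if fwd_host.lower() not in LOOPBACK:
        findings.append(f"forward target {fwd_host}: traffic from the SSH server to it is outside the tunnel")
    return findings

if __name__ == "__main__":
    for label, entry in (("A.2 entry", TUNNELLED), ("A.1 entry", DIRECT)):
        print(label, check_tunnel(entry, "1234:localhost:515") or "consistent")
```

The A.1 entry is flagged because its rm field still names hostb.hp.com, so jobs would bypass the tunnel even if the SSH command from step 3 were running.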