AIX Version 7.2 Expansion Pack Release Notes

Read this before installation

Before you use this software, you should go to the Fix Central website and install the latest available fixes that address security vulnerabilities and other critical issues.

The Expansion Pack DVD contains programs that are provided by IBM® and other program suppliers. Each program is licensed under the terms and conditions of that specific program. These terms and conditions can vary depending on the specific program or the program supplier. Specific information about the content of this DVD and the terms and conditions under which these programs are licensed are contained in a readme file on the media.

To obtain the content and Terms and Conditions information:
  1. Log in as the root user.
  2. Insert the DVD into the media drive. If your media drive is not /dev/cd0, substitute the correct device name and type the following commands:
         mount -v cdrfs -o ro /dev/cd0 /mnt
         cp /mnt/README*  /tmp
         unmount  /mnt

    The /tmp/README and /tmp/README.html files contain the content or the Terms and Conditions under which these programs are licensed. View this information by using a web browser, or run the more command or the pg command.

Softcopy documentation for each product is included with the product. These Release Notes supplement the product documentation by outlining the steps for getting started and by pointing you to more product information.

Installation, migration, upgrade, and configuration information

The AIX® Version 7.2 Expansion Pack Release Notes include information that helps you install the products that are included on the AIX Version 7.2 Expansion Pack. To view the most current version, see the AIX Release Notes topic.

The AIX Version 7.2 Expansion Pack is included with the AIX Version 7.2 operating system as a vehicle for delivering new IBM and non-IBM products. Most AIX Version 7.2 Expansion Pack products can be installed by using normal installation methods. Some Expansion Pack products cannot be installed by using normal installation methods. Their installation procedures are provided under their product descriptions.

The AIX Version 7.2 Expansion Pack might include products that contain a cryptographic function that is subject to special export-licensing requirements by the US Department of Commerce. Import restrictions can also apply to certain countries. Different packages of the AIX Version 7.2 Expansion Pack accommodate varying country export or import restrictions. To determine which package is appropriate for you, review the Ordering Information which is located in the Expansion Pack announcement. Contact your IBM representative or IBM Business Partner to determine which type of encryption you are entitled to receive.

The contents of the Expansion Pack vary over time. New software products can be added, changed, or removed. Changes to the content of the AIX Version 7.2 Expansion Pack are announced either as part of an AIX announcement or independently of the release announcement.

Unless otherwise indicated, products can be installed from the DVD by using the System Management Interface Tool (SMIT). For more information about installing products, see theInstallation and migration topic. (http://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.install/insgdrf-kickoff.htm).

Listing and previewing installation software

You can list the available software products, packages, and filesets on AIX media, which can be a DVD or directory. The output shows the available packages and filesets on the media. The descriptions are provided at the fileset level.

You can perform a preview installation before doing the actual installation. A preview installation provides the preinstallation information that occurs during a regular installation, except that no software is installed.

When you select a package or fileset to be installed with the preview installation process, you see a list that contains all of the requisite packages and filesets needed by the selected package or fileset to be successfully installed.

Other information generated during the preinstallation process concerns the file system-size checking. The file systems are checked to ensure that there is enough free space available to install the selected package or fileset.

You can list the software and use the previewing software functions from the command line or the SMIT interface.

Listing and previewing software from the command line

  1. Log in as the root user.
  2. To list the software on the first DVD of the base media, insert the DVD into the media drive, and type the following command:
    installp -ld/dev/cd0 | pg
    A list similar to the following is displayed:
      fileset Name                Level                     I/U Q Content
      ====================================================================
      ICU4C.adt                   2.8.0.0                    I  N usr
    #   ICU Application Developer's Toolkit
    
      ICU4C.man.en_US             2.8.0.0                    I  N usr
    #   ICU Manual Pages - U.S. English
    
  3. To perform a preview installation at the command line, use the -p flag with the installp command. For example, to preview the installation of the ICU4C.adt fileset, enter the following command from the command line:
    installp -aXgq -p -d/dev/cd0 ICU4C.adt
    The preview option displays the requisite filesets, that are to be installed and the system resources that are being used.

Listing and previewing software from the ASCII SMIT interface

  1. Log in as the root user.
  2. From the command line, enter smitty install_update.
  3. Select Install Software.
  4. Press F4 (List) to list the available input devices and select the appropriate one, or type the input device name in the blank field. Press Enter to continue.
  5. In the SOFTWARE to Install field, press F4 (List) to list all available software on the selected media.
  6. Scroll through the list of software by using the arrow keys or the Page Up or Page Down keys.
    Note: The following listing shows the available software packages and filesets for that software product.

    If the fileset is preceded by a plus sign (+), it is available to be installed. If the fileset is preceded by an at sign (@), the fileset is already installed.

    For example, in the following output example, the software product is ICU4C:

         ICU4C.adt                                                          ALL
          + 2.8.0.0  ICU Application Developer's Toolkit
    
         ICU4C.man.en_US                                                    ALL
          + 2.8.0.0  ICU Manual Pages - U.S. English
    
         ICU4C.rte                                                          ALL
          + 2.8.0.0  International Components for Unicode
    The three packages are ICU4C.adt, ICU4C.man.en_US, and ICU4C.rte. The fileset in the ICU4C.adt package is the ICU Application Developer's Toolkit at the 2.8.0.0 level. The descriptions for the software product are provided at the fileset level. There is often more than one fileset per package.
  7. Select the package or fileset you want to install and press the F7 (Edit). Press Enter to continue.
  8. To preview the installation of the package or fileset that you selected, press the Tab key and select yes in the PREVIEW only? field. Press Enter to continue.
    Note: To obtain detailed information about the installation, select yes in the DETAILED output? field. The filesets being installed are displayed in parentheses.

AIX Version 7.2 Expansion Pack security

This section lists security restrictions and limitations for the AIX Version 7.2 Expansion Pack.

OpenSSL version 1.0.1

OpenSSL 0.9.8 shared objects (libcrypto.so.0.9.8 and libssl.so.0.9.8) are also included as part of the libraries in the OpenSSL 1.0.1.515 fileset to allow compatibility with earlier versions of OpenSSL.

OpenSSL 0.9.8 is going end of support (EOS) in December 2015. IBM continues to support OpenSSL 0.9.8 until May 2016. This level of support from IBM involves backporting of any applicable security vulnerabilities that are reported in OpenSSL 1.0.1. The OpenSSL 0.9.8 shared objects will be retained in the libraries after May 2016, but there will not be any support or fixes made after this date. You should update your applications to use the newer version of the OpenSSL libraries.

Applications should use OpenSSL version 1.0.1 shared objects (libcrypto.so or libcrypto.so.1.0.0, and libssl.so or libssl.so.1.0.0) that are included in libraries of OpenSSL 1.0.1.515 fileset to continue using the supported version of OpenSSL.

POWER8 hardware cryptography capability and OpenSSL version 1.0.1.515

The OpenSSL version 1.0.1.515 fileset and AIX Version 7.2 can use the in-core cryptographic function that is available with POWER8® systems. To use this function, the following conditions must be met:
  • Any existing applications that use an older version of the OpenSSL fileset must be recompiled with the latest headers and relinked to the newer 1.0.1 libraries that are included with the OpenSSL 1.0.1.515 fileset.
  • Applications that use the dlopen function to load the 0.9.8 version of the OpenSSL shared objects must be reconfigured to load the 1.0.1 version of the OpenSSL shared object.
  • A future OpenSSL release that is incompatible requires that you complete a re-complication with the latest headers and relinked with the newer binaries.
Only the following algorithms in the OpenSSL 1.0.1.515 fileset use the POWER8 in-core cryptographic capabilities:
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
  • AES-128-ECB
  • AES-192-ECB
  • AES-256-ECB
  • SHA224
  • SHA256
  • SHA384
  • SHA512
Note: Applications that use prior versions of the OpenSSL fileset continue to function and use the OpenSSL default software cryptographic modules on the POWER8 system.

To download the latest version of the OpenSSL filset, see the AIX Web Download Pack Programs website.

Data Encryption Standard kernel extension 64-bit

With the Data Encryption Standard (DES) kernel extension, nfs_kdes_full.ext, you can now use 64-bit kernels. This extension uses secure Network File System (NFS) by encrypting time stamps sent between the client and the server, which allows each Remote Procedure Call (RPC) message to be authenticated.

For more information about the DES extension, see the Network File Systems security topic. (http://www.ibm.com/support/knowledgecenter/ssw_aix_72/com.ibm.aix.security/secure_nfs.htm).

The DES encryption kernel extension is available from the des fileset on the AIX Expansion Pack.

Certificate Authentication Services

Certificate Authentication Services are not included with the AIX Version 7.2 operating system.

IP Filter converted to the AIX operating system

IP Filter, Version 5.3.0.0 open source software is converted to the AIX operating system. The IP Filter software package can be used to provide network address translation (NAT) or firewall services. For more information about licensing, see the IP Filter website (http://coombs.anu.edu.au/~avalon/).

Network security options TCP Wrapper 1.1.0.0

TCP Wrapper is a simple open source tool to monitor and control incoming network traffic. For more information about the TCP Wrapper, see the Wietse's tools and papers website (ftp://ftp.porcupine.org/pub/security/index.html).

AIX Network Data Administration Facility

The AIX Network Data Administration Facility (AIX NDAF) for AIX Version 7.2 is not on the Expansion Pack media. It is on the base media.

Parameter setting for IBM Security Directory Server Version 6.4

GSKit version 8.0.50.44 is included on the AIX Version 7.2 Expansion Pack media. When you run GSKit version 8.0.50.44 with IBM Security Directory Server Version 6.4, if you set the ICC_IGNORE_FIPS parameter is set to a value of yes, the Security Directory Server does not start. To avoid this issue, set the ICC_IGNORE_FIPS parameter to a value of no by entering the following command:
export ICC_IGNORE_FIPS=no

Modern Cryptographic Library

The Modern Cryptographic Library is updated from version 6.1.0.2 to version 6.1.0.3.

The updates for Modern Cryptographic Library version 6.1.0.3 include the following modcrypt filesets:
  • modcrypt.base.lib
  • modcrypt.base.includes

The updated modcrypt filesets are required if the ACF and PKCS11 device driver version 7.1.3.30 (security.acf fileset) is installed on your system and you are using a Network File System (NFS) with Kerberos 5 authentication. If your system does not meet these requirements, it fails when the NFS gssd daemon starts.

IBM Security Directory Server

IBM Security Directory Server is no longer available on the AIX expansion pack media.

IBM Security Directory Server Version 6.4 is available on the AIX Version 7.2 base media. To upgrade to Security Directory Server Version 6.4, you must upgrade from Security Directory Server Version 6.3. For instructions about upgrading to Security Directory Server Version 6.4, see the Upgrade an instance of IBM Security Directory Server topic.

The following Security Directory Server Version 6.2 and Version 6.3 cryptography filesets are no longer provided on the AIX expansion pack media:
  • idsldap.clt_max_crypto32bit62
  • idsldap.clt_max_crypto64bit62
  • idsldap.srv_max_cryptobase64bit62
  • idsldap.webadmin_max_crypto62

IBM Network Authentication Service, Version 1.5.0.3 for AIX

IBM Network Authentication Service, Version 1.5.0.3 for the AIX environment is a network-authentication protocol based on the IETF RFC 1510 standards protocol for the Kerberos V5 IBM Network Authentication Service. The IBM Network Authentication Service includes the Generic Security Service API (GSSAPI), the Key Distribution Center (KDC) server, and the server. With IBM Network Authentication Service, AIX middleware and external application writers can use authenticated and optionally encrypted message flow between their respective components.

Documentation

Read the README.lang file for IBM Network Authentication Service, Version 1.5 before you configure or use the program, where lang is one of the following language locales:
  • Chinese (Simplified)
  • Chinese (Traditional)
  • English
  • Korean
  • Portuguese (Brazilian)

The README.lang file for the AIX environment is located in the /usr/lpp/krb5 directory after the krb5.client.rte fileset is installed from the krb5.client client installation package. The README.lang file can also be viewed by using the SMIT list_media_info command to list supplemental fileset information about the installation media for the krb5.client.rte fileset.

Documentation for IBM Network Authentication Service is available in the README.lang installation packages, where lang is one of the following language locales:
  • en_US (US English)
  • Ja_JP (Japanese)
  • ko_KR (Korean)
  • zh_CN (Simplified Chinese)

The documentation is in both HTML and PDF files. Install the krb5.doc.lang.html fileset for access to HTML documents and the krb5.doc.lang.pdf fileset for access to PDF documents.

The IBM Network Authentication Service Version 1.5 Administrator's and User's Guide is installed in the following directories:
  • HTML
    /usr/lpp/krb5/doc/html/lang/ADMINGD
  • PDF
    /usr/lpp/krb5/doc/pdf/lang/ADMINGD
The IBM Network Authentication Service Version 1.5 Application Development Reference is installed in the following directories:
  • HTML
    /usr/lpp/krb5/doc/html/lang/APDEVREF
  • PDF
    /usr/lpp/krb5/doc/pdf/lang/APDEVREF

Java Technology Edition

The following versions of Java™ Technology Edition are available on the AIX Expansion Pack media:
Table 1. Java versions
Java Version 32-bit 64-bit
Java Version 6 Yes Yes
Java Version 7 Yes No (on base media)
Java Version 7.1 Yes Yes
Java Version 8 Yes Yes
Note: Java 5 is not available on the AIX Version 7.2 base media or Expansion Pack media.

To check whether a more recent service refresh is available for a version of Java, see the AIX Download and service information website.

Reliable Scalable Cluster Technology (RSCT) CIM resource manager

The Common Information Model (CIM) resource manager is a Resource Monitoring and Control (RMC) resource manager that enables RMC to be used to query system configuration through CIM classes. CIM resource manager is contained in the rsct.exp package.

After installation, the CIM resource manager readme file is found in the /usr/sbin/rsct/README/rsct.exp.README directory.

For more information about the CIM resource manager, see the Resource classes defined by the CIM resource manager topic.