IBM AIX 7.2 with Technology Level 2 Expansion Pack Release Notes

Edit online

Read this before installation

Edit online

Before you use this software, you should go to the Fix Central website and install the latest available fixes that address security vulnerabilities and other critical issues.

The Expansion Pack DVD contains programs that are provided by IBM® and other program suppliers. Each program is licensed under the terms and conditions of that specific program. These terms and conditions can vary depending on the specific program or the program supplier. Specific information about the content of this DVD and the terms and conditions under which these programs are licensed are contained in a readme file on the media.

To obtain the content and Terms and Conditions information:
  1. Log in as the root user.
  2. Insert the DVD into the media drive. If your media drive is not /dev/cd0, substitute the correct device name and type the following commands:
         mount -v cdrfs -o ro /dev/cd0 /mnt
     cp /mnt/README*  /tmp
     unmount  /mnt

    The /tmp/README and /tmp/README.html files contain the content or the Terms and Conditions under which these programs are licensed. View this information by using a web browser, or run the more command or the pg command.

Softcopy documentation for each product is included with the product. These Release Notes supplement the product documentation by outlining the steps for getting started and by pointing you to more product information.

Installation, migration, upgrade, and configuration information

Edit online

The AIX® 7 with 7200-02 Expansion Pack is included with the AIX 7 with 7200-02 operating system as a vehicle for delivering new IBM and non-IBM products. Most AIX 7 with 7200-02 Expansion Pack products can be installed by using normal installation methods. Some Expansion Pack products cannot be installed by using normal installation methods. Their installation procedures are provided under their product descriptions.

The AIX 7 with 7200-02 Expansion Pack might include products that contain a cryptographic function that is subject to special export-licensing requirements by the US Department of Commerce. Import restrictions can also apply to certain countries. Different packages of the AIX 7 with 7200-02 Expansion Pack accommodate varying country export or import restrictions. To determine which package is appropriate for you, review the Ordering Information which is located in the Expansion Pack announcement. Contact your IBM representative or IBM Business Partner to determine which type of encryption you are entitled to receive.

The contents of the Expansion Pack vary over time. New software products can be added, changed, or removed. Changes to the content of the AIX 7 with 7200-02 Expansion Pack are announced either as part of an AIX announcement or independently of the release announcement.

Unless otherwise indicated, products can be installed from the DVD by using the System Management Interface Tool (SMIT). For more information about installing products, see the Installation and migration topic.

Listing and previewing installation software

Edit online

You can list the available software products, packages, and filesets on AIX media, which can be a DVD or directory. The output shows the available packages and filesets on the media. The descriptions are provided at the fileset level.

You can perform a preview installation before performing the actual installation. A preview installation provides the preinstallation information that occurs during a regular installation, except that no software is installed.

When you select a package or fileset to be installed with the preview installation process, you can view a list that contains all of the requisite packages and filesets needed for the successful installation of the selected package or fileset.

Other information generated during the preinstallation process are required for the file system-size checking. The file systems are checked to ensure that there is enough free space available to install the selected package or fileset.

You can list the software and use the previewing software functions from the command line or the SMIT interface.

Listing and previewing software from the command line

Edit online
  1. Log in as the root user.
  2. To list the software on the first DVD of the base media, insert the DVD into the media drive, and type the following command: 
    installp -ld/dev/cd0 | pg
    A list similar to the following is displayed:
      fileset Name                Level                     I/U Q Content
  ====================================================================
  ICU4C.adt                   2.8.0.0                    I  N usr
#   ICU Application Developer's Toolkit

  ICU4C.man.en_US             2.8.0.0                    I  N usr
#   ICU Manual Pages - U.S. English
  3. To perform a preview installation at the command line, use the -p flag with the installp command. For example, to preview the installation of the ICU4C.adt fileset, enter the following command from the command line: 
    installp -aXgq -p -d/dev/cd0 ICU4C.adt
    The preview option displays the requisite filesets, that are to be installed and the system resources that are being used.

Listing and previewing software from the ASCII SMIT interface

Edit online
  1. Log in as the root user.
  2. From the command line, enter smitty install_update.
  3. Select Install Software.
  4. Press F4 (List) to list the available input devices and select the appropriate device, or type the input device name in the blank field. Press Enter to continue.
  5. In the SOFTWARE to Install field, press F4 (List) to list all available software on the selected media.
  6. Scroll through the list of software by using the arrow keys or the Page Up and Page Down keys.
    Note: The following listing shows the available software packages and filesets for that software product.

    If the fileset is preceded by a plus sign (+), it is available to be installed. If the fileset is preceded by an at sign (@), the fileset is already installed.

    In the following example output, the software product is ICU4C:

         ICU4C.adt                                                          ALL
      + 2.8.0.0  ICU Application Developer's Toolkit

     ICU4C.man.en_US                                                    ALL
      + 2.8.0.0  ICU Manual Pages - U.S. English

     ICU4C.rte                                                          ALL
      + 2.8.0.0  International Components for Unicode
    The three packages are ICU4C.adt, ICU4C.man.en_US, and ICU4C.rte. The fileset in the ICU4C.adt package is the ICU Application Developer's Toolkit at level 2.8.0.0. The descriptions for the software product are provided at the fileset level. A package often consist of more than one fileset.
  7. Select the package or fileset you want to install and press the F7 (Edit). Press Enter to continue.
  8. To preview the installation of the package or fileset that you selected, press the Tab key and select yes in the PREVIEW only? field. Press Enter to continue.
    Note: To obtain detailed information about the installation, select yes in the DETAILED output? field. The filesets that are being installed are displayed in parentheses.

Apache HTTP Server and Samba for AIX

Edit online
The software for Apache HTTP Server and Samba for AIX has changed from the installp format to the rpm format. The software has been removed from the expansion pack and it is now available in the AIX Toolbox. To determine whether an installation of this software is installed, enter the following commands in the command line: 
# lslpp -Lc | grep httpd 
# lslpp -Lc | grep samba
You must remove the installp formatted packages before installing the newer rpm formatted packages. To preview your removal and save the log file in the /tmp/preview.log directory, enter the following command: 
# installp -e /tmp/preview.log -pu httpd samba
To remove and save the output in the /tmp/remove.log directory, enter the following command: 
# installp -e /tmp/remove.log -u httpd samba
To install rpm formatted software, use the rpm or geninstall command or the SMIT installation menu options.

AIX 7 with 7200-02 Expansion Pack security

Edit online

This section lists security restrictions and limitations for the AIX 7 with 7200-02 Expansion Pack.

OpenSSL version 1.0.2

Edit online

OpenSSL 0.9.8 shared objects (libcrypto.so.0.9.8 and libssl.so.0.9.8) are also included in the OpenSSL 1.0.2.1100 fileset libraries for compatibility with earlier versions of OpenSSL.

OpenSSL versions 0.9.8 and 1.0.1 are no longer supported by IBM. The OpenSSL 0.9.8 shared objects are retained in the libraries as is. You should update your applications to use the newer version of the OpenSSL libraries.

Applications must use OpenSSL version 1.0.2 shared objects (libcrypto.so or libcrypto.so.1.0.0, and libssl.so or libssl.so.1.0.0) that are included in libraries of OpenSSL 1.0.2.1100 fileset to continue using the supported version of OpenSSL.

POWER8 hardware cryptography capability and OpenSSL version 1.0.2.1100

Edit online
The OpenSSL version 1.0.2.1100 fileset and AIX 7 with 7200-02 can use the in-core cryptographic function that is available with POWER8® systems. To use this function, the following conditions must be met:
  • Any existing applications that use an older version of the OpenSSL fileset must be recompiled with the latest headers and relinked to the newer 1.0.2 libraries that are included with the OpenSSL 1.0.2.1100 fileset.
  • Applications that use the dlopen function to load the 0.9.8 version of the OpenSSL shared objects must be reconfigured to load the 1.0.2 version of the OpenSSL shared object.
  • A future OpenSSL release that is incompatible must be recompiled with the latest headers and relinked with the newer binaries.
The following algorithms are implemented in OpenSSL version 1.0.2 that can use the POWER8 in-core cryptographic capabilities:
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
  • AES-128-ECB
  • AES-192-ECB
  • AES-256-ECB
  • AES-128-GCM
  • AES-192-GCM
  • AES-256-GCM
  • AES-128-XTS
  • AES-192-XTS
  • AES-256-XTS
  • SHA1
  • SHA224
  • SHA256
  • SHA384
  • SHA512
Note: Applications that use earlier versions of the OpenSSL fileset continue to function and use the OpenSSL default software cryptographic modules on the POWER8 system.

To download the latest version of the OpenSSL fileset, go to the AIX Web Download Pack Programs website.

Data Encryption Standard kernel extension 64-bit

Edit online

You can now ues 64-bit kernels with the Data Encryption Standard (DES) kernel extension, nfs_kdes_full.ext. This extension uses secure Network File System (NFS) by encrypting time stamps sent between the client and the server, which allows each Remote Procedure Call (RPC) message to be authenticated.

For more information about the DES extension, see the Network File Systems security topic.

The DES encryption kernel extension is available from the des fileset on the AIX Expansion Pack.

Certificate Authentication Services

Edit online

Certificate Authentication Services are not included with the AIX 7 with 7200-02 operating system.

IP Filter converted to the AIX operating system

Edit online

IP Filter, Version 5.3.0.0 open source software is converted to the AIX operating system. The IP Filter software package can be used to provide network address translation (NAT) or firewall services.

Network security options TCP Wrapper 1.1.0.0

Edit online

TCP Wrapper is a simple open source tool to monitor and control incoming network traffic. For more information about the TCP Wrapper, see the Wietse's tools and papers website.

AIX Network Data Administration Facility

Edit online

The AIX Network Data Administration Facility (AIX NDAF) for AIX 7 with 7200-02 is not available on the Expansion Pack media. It is available on the base media.

IBM Security Directory Server

Edit online

IBM Security Directory Server is no longer available on the AIX expansion pack media.

IBM Security Directory Server Version 6.4 is available on the AIX 7 with 7200-02 base media. To upgrade to Security Directory Server Version 6.4, you must upgrade from Security Directory Server Version 6.3. For instructions about upgrading to Security Directory Server Version 6.4, see the Upgrade an instance of IBM Security Directory Server topic.

The following Security Directory Server Version 6.2 and Version 6.3 cryptography filesets are no longer provided on the AIX expansion pack media:
  • idsldap.clt_max_crypto32bit62
  • idsldap.clt_max_crypto64bit62
  • idsldap.srv_max_cryptobase64bit62
  • idsldap.webadmin_max_crypto62

Parameter setting for IBM Security Directory Server Version 6.4

Edit online
GSKit version 8.0.50.59 is included on the AIX 7 with 7200-02 Expansion Pack media. When you run GSKit version 8.0.50.59 with IBM Security Directory Server Version 6.4, if you set the ICC_IGNORE_FIPS parameter to a value of yes, the Security Directory Server does not start. To avoid this issue, set the ICC_IGNORE_FIPS parameter to a value of no by entering the following command:
export ICC_IGNORE_FIPS=no

Modern Cryptographic Library

Edit online

The Modern Cryptographic Library is updated from version 6.1.0.2 to version 6.1.0.3.

The updates for Modern Cryptographic Library version 6.1.0.3 include the following modcrypt filesets:
  • modcrypt.base.lib
  • modcrypt.base.includes

The updated modcrypt filesets are required if the ACF and PKCS11 device driver version 7.1.3.30 (security.acf fileset) is installed on your system and if you are using a Network File System (NFS) with Kerberos 5 authentication. If your system does not meet these requirements, the system fails when the NFS gssd daemon starts.

IBM Network Authentication Service Version 1.6.0.4 for AIX

Edit online

IBM Network Authentication Service Version 1.6.0.4 for the AIX environment is a network-authentication protocol based on the IETF RFC 1510 standards protocol for the Kerberos V5 IBM Network Authentication Service. The IBM Network Authentication Service includes the Generic Security Service API (GSSAPI) and the Key Distribution Center (KDC) server. With IBM Network Authentication Service, AIX middleware and external application writers can use authenticated and optionally encrypted message flow between their respective components.

The IBM Network Authentication Service (NAS) fileset is updated with AIX VRMF 16.0.4. The fileset also includes the SPNEGO feature.
  • All of the impacted vulnerabilities reported until MIT Kerberos version 1.15.1 is back ported to this fileset.
  • Additional packaging-related changes have been done in this fileset to remove redundant dependency on bos.net.tcp.client.

To download the latest version of NAS fileset, see the AIX Web Download Pack Programs website.

Network Authentication Service Documentation

Edit online
Read the README.lang file for IBM Network Authentication Service, Version 1.5 before you configure or use the program, where lang is one of the following language locales:
  • Chinese (Simplified)
  • Chinese (Traditional)
  • English
  • Korean
  • Portuguese (Brazilian)

The README.lang file for the AIX environment is located in the /usr/lpp/krb5 directory after the krb5.client.rte fileset is installed from the krb5.client client installation package. The README.lang file can also be viewed by using the SMIT list_media_info command to list supplemental fileset information about the installation media for the krb5.client.rte fileset.

Documentation for IBM Network Authentication Service is available in the README.lang installation packages, where lang is one of the following language locales:
  • en_US (US English)
  • Ja_JP (Japanese)
  • ko_KR (Korean)
  • zh_CN (Simplified Chinese)

The documentation is available in both HTML and PDF formats. Install the krb5.doc.lang.html fileset to access HTML documents and the krb5.doc.lang.pdf fileset to access PDF documents.

The IBM Network Authentication Service Version 1.5 Administrator's and User's Guide is installed in the following directories:
  • HTML
    /usr/lpp/krb5/doc/html/lang/ADMINGD
  • PDF
    /usr/lpp/krb5/doc/pdf/lang/ADMINGD
The IBM Network Authentication Service Version 1.5 Application Development Reference is installed in the following directories:
  • HTML
    /usr/lpp/krb5/doc/html/lang/APDEVREF
  • PDF
    /usr/lpp/krb5/doc/pdf/lang/APDEVREF

Java Technology Edition

Edit online
The following versions of Java™ Technology Edition are available on the AIX Expansion Pack media:
Table 1. Java versions
Java Version 32-bit 64-bit
Java Version 6 Yes Yes
Java Version 7 Yes No (on base media)
Java Version 7.1 Yes Yes
Java Version 8 Yes Yes
Note: Java 5 is not available on the AIX 7 with 7200-02 base media or Expansion Pack media.

To check whether a more recent service refresh is available for a version of Java, see the AIX Download and service information website.

Reliable Scalable Cluster Technology (RSCT) CIM resource manager

Edit online

The Common Information Model (CIM) resource manager is a Resource Monitoring and Control (RMC) resource manager that enables RMC to be used for querying system configuration through CIM classes. CIM resource manager is contained in the rsct.exp package.

After installation, the CIM resource manager readme file is located in the /opt/rsct/README/rsct.exp.README directory.

For more information about the CIM resource manager, see the Resource classes defined by the CIM resource manager topic.