IBM AIX 7.2 with Technology Level 4 Expansion Pack Release Notes
- Read before installing
- Installation, migration, upgrade, and configuration
- Apache HTTP Server and Samba for AIX
- AIX 7 with 7200-04 Expansion Pack security
- IBM Network Authentication Service Version 22.214.171.124 for AIX
- New packages
- Java Technology Edition
- Reliable Scalable Cluster Technology (RSCT) CIM resource manager
Read before installing
Before you use this software, you should go to the Fix Central website and install the latest available fixes that address security vulnerabilities and other critical issues.
The Expansion Pack DVD contains programs that are provided by IBM® and other program suppliers. Each program is licensed under the terms and conditions of that specific program. These terms and conditions can vary depending on the specific program or the program supplier. Specific information about the content of this DVD and the terms and conditions under which these programs are licensed are contained in a readme file on the media.
- Log in as the root user.
- Insert the DVD into the media drive. If your media drive is not /dev/cd0, substitute the
correct device name and type the following
mount -v cdrfs -o ro /dev/cd0 /mnt cp /mnt/README* /tmp unmount /mnt
The /tmp/README and /tmp/README.html files contain the content or the Terms and Conditions under which these programs are licensed. View this information by using a web browser, or run the more command or the pg command.
Softcopy documentation for each product is included with the product. These Release Notes supplement the product documentation by outlining the steps for getting started and by pointing you to more product information.
Installation, migration, upgrade, and configuration
The IBM AIX® 7.2 with Technology Level 4 Expansion Pack is included with the IBM AIX 7.2 with Technology Level 4 operating system as a vehicle for delivering new IBM and non-IBM products. Most IBM AIX 7.2 with Technology Level 4 Expansion Pack products can be installed by using normal installation methods. Some Expansion Pack products cannot be installed by using normal installation methods. Their installation procedures are provided under their product descriptions.
The IBM AIX 7.2 with Technology Level 4 Expansion Pack might include products that contain a cryptographic function that is subject to special export-licensing requirements by the US Department of Commerce. Import restrictions can also apply to certain countries. Different packages of the IBM AIX 7.2 with Technology Level 4 Expansion Pack accommodate varying country export or import restrictions. To determine which package is appropriate for you, review the Ordering Information, which is located in the Expansion Pack announcement. Contact your IBM representative or IBM Business Partner to determine which type of encryption you are entitled to receive.
The contents of the Expansion Pack vary over time. New software products can be added, changed, or removed. Changes to the content of the IBM AIX 7.2 with Technology Level 4 Expansion Pack are announced either as part of an AIX announcement or independently of the release announcement.
Unless otherwise indicated, products can be installed from the DVD by using the System Management Interface Tool (SMIT). For more information about installing products, see the Installation and migration topic.
Listing and previewing installation software
You can list the available software products, packages, and filesets on AIX media, which can be a DVD or directory. The output shows the available packages and filesets on the media. The descriptions are provided at the fileset level.
You can perform a preview installation before performing the actual installation. A preview installation provides the preinstallation information that occurs during a regular installation, except that no software is installed.
When you select a package or fileset to be installed with the preview installation process, you can view a list that contains all of the requisite packages and filesets needed for the successful installation of the selected package or fileset.
Other information generated during the preinstallation process are required for the file system-size checking. The file systems are checked to ensure that there is enough free space available to install the selected package or fileset.
You can list the software and use the previewing software functions from the command line or the SMIT interface.
Listing and previewing software from the command line
- Log in as the root user.
- To list the software on the first DVD of the base media, insert the DVD into the media drive,
and type the following command:
installp -ld/dev/cd0 | pgA list similar to the following is displayed:
fileset Name Level I/U Q Content ==================================================================== ICU4C.adt 126.96.36.199 I N usr # ICU Application Developer's Toolkit ICU4C.man.en_US 188.8.131.52 I N usr # ICU Manual Pages - U.S. English
- To perform a preview installation at the command line, use the -p flag with
the installp command. For example, to preview the installation of the ICU4C.adt
fileset, enter the following command from the command line:
The preview option displays the requisite filesets, that are to be installed and the system resources that are being used.
installp -aXgq -p -d/dev/cd0 ICU4C.adt
Listing and previewing software from the ASCII SMIT interface
- Log in as the root user.
- From the command line, enter
- Select Install Software.
- Press F4 (List) to list the available input devices and select the appropriate device, or type the input device name in the blank field. Press Enter to continue.
- In the SOFTWARE to Install field, press F4 (List) to list all available software on the selected media.
- Scroll through the list of software by using the arrow keys or the Page Up and Page Down keys.
Note: The following listing shows the available software packages and filesets for that software product.The three packages are ICU4C.adt, ICU4C.man.en_US, and ICU4C.rte. The fileset in the ICU4C.adt package is the ICU Application Developer's Toolkit at level 184.108.40.206. The descriptions for the software product are provided at the fileset level. A package often consist of more than one fileset.
If the fileset is preceded by a plus sign (+), it is available to be installed. If the fileset is preceded by an at sign (@), the fileset is already installed.
In the following example output, the software product is
ICU4C.adt ALL + 220.127.116.11 ICU Application Developer's Toolkit ICU4C.man.en_US ALL + 18.104.22.168 ICU Manual Pages - U.S. English ICU4C.rte ALL + 22.214.171.124 International Components for Unicode
- Select the package or fileset you want to install and press the F7 (Edit). Press Enter to continue.
- To preview the installation of the package or fileset that you selected, press the Tab key and
select yes in the PREVIEW only? field. Press Enter to continue. Note: To obtain detailed information about the installation, select yes in the DETAILED output? field. The filesets that are being installed are displayed in parentheses.
Apache HTTP Server and Samba for AIX
# lslpp -Lc | grep httpd # lslpp -Lc | grep samba
# installp -e /tmp/preview.log -pu httpd samba
To install rpm formatted software, use the rpm or geninstall command or the SMIT installation menu options.
# installp -e /tmp/remove.log -u httpd samba
AIX 7 with 7200-04 Expansion Pack security
This section lists security restrictions and limitations for the AIX 7 with 7200-04 Expansion Pack.
OpenSSL version 1.0.2
OpenSSL 0.9.8 shared objects (libcrypto.so.0.9.8 and libssl.so.0.9.8) are also included in the OpenSSL 126.96.36.1991 fileset libraries for compatibility with earlier versions of OpenSSL.
OpenSSL versions 0.9.8 and 1.0.1 are no longer supported by IBM. The OpenSSL 0.9.8 shared objects are retained in the libraries as is. You should update your applications to use the newer version of the OpenSSL libraries.
Applications must use OpenSSL version 1.0.2 shared objects (libcrypto.so or libcrypto.so.1.0.0, and libssl.so or libssl.so.1.0.0) that are included in libraries of OpenSSL 188.8.131.521 fileset to continue using the supported version of OpenSSL.
Hardware cryptography capability and OpenSSL version 184.108.40.2061
- Any existing applications that use an older version of the OpenSSL fileset must be recompiled with the latest headers and relinked to the newer 1.0.2 libraries that are included with the OpenSSL 220.127.116.111 fileset.
- Applications that use the dlopen function to load the 0.9.8 version of the OpenSSL shared objects must be reconfigured to load the 1.0.2 version of the OpenSSL shared object.
- A future OpenSSL release that is incompatible must be recompiled with the latest headers and relinked with the newer binaries.
To download the latest version of the OpenSSL fileset, go to the AIX Web Download Pack Programs website.
Data Encryption Standard kernel extension 64-bit
You can now ues 64-bit kernels with the Data Encryption Standard (DES) kernel extension, nfs_kdes_full.ext. This extension uses secure Network File System (NFS) by encrypting time stamps sent between the client and the server, which allows each Remote Procedure Call (RPC) message to be authenticated.
For more information about the DES extension, see the Network File Systems security topic.
The DES encryption kernel extension is available from the des fileset on the AIX Expansion Pack.
Certificate Authentication Services
Certificate Authentication Services are not included with the AIX 7 with 7200-04 operating system.
IP Filter converted to the AIX operating system
IP Filter, Version 18.104.22.168 open source software is converted to the AIX operating system. The IP Filter software package can be used to provide network address translation (NAT) or firewall services.
Network security options TCP Wrapper 22.214.171.124
TCP Wrapper is a simple open source tool to monitor and control incoming network traffic. For more information about the TCP Wrapper, see the Wietse's tools and papers website.
AIX Network Data Administration Facility
The AIX Network Data Administration Facility (AIX NDAF) for AIX 7 with 7200-04 is not available on the Expansion Pack media. It is available on the base media.
IBM Security Directory Server
IBM Security Directory Server is no longer available on the AIX expansion pack media.
IBM Security Directory Server Version 6.4 is available on the AIX 7 with 7200-04 base media. To upgrade to Security Directory Server Version 6.4, you must upgrade from Security Directory Server Version 6.3. For instructions about upgrading to Security Directory Server Version 6.4, see the Upgrade an instance of IBM Security Directory Server topic.
Modern Cryptographic Library
The Modern Cryptographic Library is updated from version 126.96.36.199 to version 188.8.131.52.
The modcrypt filesets are required if the ACF and PKCS11 device driver version 184.108.40.206 (security.acf fileset) is installed on your system and if you are using a Network File System (NFS) with Kerberos 5 authentication. If your system does not meet these requirements, the system fails when the NFS gssd daemon starts.
The modcrypt fileset is compatible with Kerberos NAS 1.6.0.x, which is available in Expansion Pack and AIX Web Download Program web page, and the latest Kerberos version 1.16.1.x, which is available in the AIX Web Download Program.
IBM Network Authentication Service Version 220.127.116.11 for AIX
IBM Network Authentication Service Version 18.104.22.168 for the AIX environment is a network-authentication protocol based on the IETF RFC 1510 standards protocol for the Kerberos V5 IBM Network Authentication Service. The IBM Network Authentication Service includes the Generic Security Service API (GSSAPI) and the Key Distribution Center (KDC) server. With IBM Network Authentication Service, AIX middleware and external application writers can use authenticated and optionally encrypted message flow between their respective components.
- All of the impacted vulnerabilities reported until MIT Kerberos version 1.15.1 is back ported to this fileset.
- Additional packaging-related changes have been done in this fileset to remove redundant dependency on bos.net.tcp.client.
To download the latest version of NAS fileset, see the AIX Web Download Pack Programs website.
Network Authentication Service Documentation
- Chinese (Simplified)
- Chinese (Traditional)
- Portuguese (Brazilian)
The README.lang file for the AIX environment is located in the /usr/lpp/krb5 directory after the krb5.client.rte fileset is installed from the krb5.client client installation package. The README.lang file can also be viewed by using the SMIT list_media_info command to list supplemental fileset information about the installation media for the krb5.client.rte fileset.
- en_US (US English)
- Ja_JP (Japanese)
- ko_KR (Korean)
- zh_CN (Simplified Chinese)
The documentation is available in both HTML and PDF formats. Install the krb5.doc.lang.html fileset to access HTML documents and the krb5.doc.lang.pdf fileset to access PDF documents.
- zlibNX data compression library
The zlibNX library is an enhanced version of the zlib compression library that supports hardware-accelerated data compression and decompression by using co-processors called Nest accelerators (NX) on IBM POWER9™ processor-based servers. zlibNX is based on zlib version 1.2.11. For more information, see the Data compression by using the zlibNX library topic.
- Server Message Block (SMB) client file system
AIX Version 7.2 supports the SMB client file system that is based on the SMB protocol version 2.1. The SMB server is a server that runs on Windows Server 2012 or Windows Server 2016 server operating system. In each of these server operating system types, a directory can be exported as a share. This share can then be mounted on an AIX logical partition by using the SMB client file system. By using the SMB client file system, you can access the shares on SMB servers as local file systems on the AIX logical partition.
The SMB client file system in the AIX operating system requires Kerberos-based GSSAPI to start the user-authenticated session by using the SMB protocol version 2.1. In the AIX operating system, the GSSAPI is provided by a Userspace Library in the IBM Network Authentication Service (NAS) version 22.214.171.124, or later fileset. This fileset is included in AIX Expansion Pack.
To install the SMB client file system on the AIX LPAR, download the SMB client file system package from the AIX Web Download Program web page. Install the smbc.rte package on the AIX LPAR. For more information, see the SMB client file system topic.
Java Technology Edition
|Java Version 6||Yes||Yes|
|Java Version 7||Yes||No (on base media)|
|Java Version 7.1||Yes||Yes|
|Java Version 8||Yes||No (on base media)|
To check whether a more recent service refresh is available for a version of Java, see the AIX Download and service information website.
Reliable Scalable Cluster Technology (RSCT) CIM resource manager
The Common Information Model (CIM) resource manager is no longer shipped with AIX Version 7.2. If you have an older rsct.exp package installed from a previous release, you must uninstall it from AIX Version 7.2.