AIX 7.3 Expansion Pack Release Notes

Review the latest changes and issues for the IBM AIX® 7.3 Expansion Pack.

Contents

Read before installing
Installation, migration, upgrade, and configuration
AIX 7.3 Expansion Pack security
IBM Network Authentication Service Version 1.16.1.5 for AIX
SMB enhancements
Java Technology Edition
Reliable Scalable Cluster Technology (RSCT) CIM resource manager

Read before installing

Before you use this software, you should go to the Fix Central website and install the latest available fixes that address security vulnerabilities and other critical issues.

The Expansion Pack DVD contains programs that are provided by IBM® and other program suppliers. Each program is licensed under the terms and conditions of that specific program. These terms and conditions can vary depending on the specific program or the program supplier. Specific information about the content of this DVD and the terms and conditions under which these programs are licensed are contained in a readme file on the media.

To obtain the content and Terms and Conditions information:

Log in as the root user.
Insert the DVD into the media drive. If your media drive is not /dev/cd0, substitute the correct device name and type the following commands:
```
     mount -v cdrfs -o ro /dev/cd0 /mnt
     cp /mnt/README*  /tmp
     unmount  /mnt
```
The /tmp/README and /tmp/README.html files contain the content or the Terms and Conditions under which these programs are licensed. View this information by using a web browser, or run the more command or the pg command.

Softcopy documentation for each product is included with the product. These Release Notes supplement the product documentation by outlining the steps for getting started and by pointing you to more product information.

Installation, migration, upgrade, and configuration

The AIX 7.3 Expansion Pack is included with the AIX 7.3 operating system as a vehicle for delivering new IBM and non-IBM products. Most AIX 7.3 Expansion Pack products can be installed by using normal installation methods. Some Expansion Pack products cannot be installed by using normal installation methods. Their installation procedures are provided under their product descriptions.

The AIX 7.3 Expansion Pack might include products that contain a cryptographic function that is subject to special export-licensing requirements by the US Department of Commerce. Import restrictions can also apply to certain countries. Different packages of the AIX 7.3 Expansion Pack accommodate varying country export or import restrictions. To determine which package is appropriate for you, review the Ordering Information, which is located in the Expansion Pack announcement. Contact your IBM representative or IBM Business Partner to determine which type of encryption you are entitled to receive.

The contents of the Expansion Pack vary over time. New software products can be added, changed, or removed. Changes to the content of the AIX 7.3 Expansion Pack are announced either as part of an AIX announcement or independently of the release announcement.

Unless otherwise indicated, products can be installed from the DVD by using the System Management Interface Tool (SMIT). For more information about installing products, see the Installation and Migration topic.

Listing and previewing installation software

You can list the available software products, packages, and filesets on AIX media, which can be a DVD or directory. The output shows the available packages and filesets on the media. The descriptions are provided at the fileset level.

You can perform a preview installation before performing the actual installation. A preview installation provides the preinstallation information that occurs during a regular installation, except that no software is installed.

When you select a package or fileset to be installed with the preview installation process, you can view a list that contains all of the requisite packages and filesets needed for the successful installation of the selected package or fileset.

Other information generated during the preinstallation process are required for the file system-size checking. The file systems are checked to ensure that there is enough free space available to install the selected package or fileset.

You can list the software and use the previewing software functions from the command line or the SMIT interface.

Listing and previewing software from the command line

Log in as the root user.

To list the software on the first DVD of the base media, insert the DVD into the media drive, and type the following command:

installp -ld/dev/cd0 | pg

A list similar to the following is displayed:

  fileset Name                Level                     I/U Q Content
  ====================================================================
  ICU4C.adt                   2.8.0.0                    I  N usr
#   ICU Application Developer's Toolkit

  ICU4C.man.en_US             2.8.0.0                    I  N usr
#   ICU Manual Pages - U.S. English

To perform a preview installation at the command line, use the -p flag with the installp command. For example, to preview the installation of the ICU4C.adt fileset, enter the following command from the command line:
```
installp -aXgq -p -d/dev/cd0 ICU4C.adt
```
The preview option displays the requisite filesets, that are to be installed and the system resources that are being used.

Listing and previewing software from the ASCII SMIT interface

Log in as the root user.
From the command line, enter smitty install_update.
Select Install Software.
Press F4 (List) to list the available input devices and select the appropriate device, or type the input device name in the blank field. Press Enter to continue.
In the SOFTWARE to Install field, press F4 (List) to list all available software on the selected media.
Scroll through the list of software by using the arrow keys or the Page Up and Page Down keys.
Note: The following listing shows the available software packages and filesets for that software product.
If the fileset is preceded by a plus sign (+), it is available to be installed. If the fileset is preceded by an at sign (@), the fileset is already installed.

In the following example output, the software product is ICU4C:
```
     ICU4C.adt                                                          ALL
      + 2.8.0.0  ICU Application Developer's Toolkit

     ICU4C.man.en_US                                                    ALL
      + 2.8.0.0  ICU Manual Pages - U.S. English

     ICU4C.rte                                                          ALL
      + 2.8.0.0  International Components for Unicode
```
The three packages are ICU4C.adt, ICU4C.man.en_US, and ICU4C.rte. The fileset in the ICU4C.adt package is the ICU Application Developer's Toolkit at level 2.8.0.0. The descriptions for the software product are provided at the fileset level. A package often consist of more than one fileset.
Select the package or fileset you want to install and press the F7 (Edit). Press Enter to continue.
To preview the installation of the package or fileset that you selected, press the Tab key and select yes in the PREVIEW only? field. Press Enter to continue.
Note: To obtain detailed information about the installation, select yes in the DETAILED output? field. The filesets that are being installed are displayed in parentheses.

AIX 7.3 Expansion Pack security

This section lists security restrictions and limitations for the AIX 7.3 Expansion Pack.

OpenSSL version 1.0.2

OpenSSL 0.9.8 shared objects (libcrypto.so.0.9.8 and libssl.so.0.9.8) are also included in the OpenSSL 1.0.2.2102 fileset libraries for compatibility with earlier versions of OpenSSL.

OpenSSL versions 0.9.8 and 1.0.1 are no longer supported by IBM. The OpenSSL 0.9.8 shared objects are retained in the libraries as is. You should update your applications to use the newer version of the OpenSSL libraries.

Applications must use OpenSSL version 1.0.2 shared objects (libcrypto.so or libcrypto.so.1.0.0, and libssl.so or libssl.so.1.0.0) that are included in libraries of OpenSSL 1.0.2.2102 fileset to continue using the supported version of OpenSSL.

Hardware cryptography capability and OpenSSL version 1.0.2.2100

The OpenSSL version 1.0.2.2102 fileset and AIX 7.3 can use the in-core cryptographic function that is available with POWER8 processor-based systems, or later. To use this function, the following conditions must be met:

Any existing applications that use an older version of the OpenSSL fileset must be recompiled with the latest headers and relinked to the newer 1.0.2 libraries that are included with the OpenSSL 1.0.2.2102 fileset.
Applications that use the dlopen function to load the 0.9.8 version of the OpenSSL shared objects must be reconfigured to load the 1.0.2 version of the OpenSSL shared object.
A future OpenSSL release that is incompatible must be recompiled with the latest headers and relinked with the newer binaries.

The following algorithms are implemented in OpenSSL version 1.0.2 that can use the in-core cryptographic capabilities of POWER8 processor-based systems, or later:

AES-128-CBC
AES-192-CBC
AES-256-CBC
AES-128-ECB
AES-192-ECB
AES-256-ECB
AES-128-GCM
AES-192-GCM
AES-256-GCM
AES-128-XTS
AES-192-XTS
AES-256-XTS
SHA1
SHA224
SHA256
SHA384
SHA512

Note: Applications that use earlier versions of the OpenSSL fileset continue to function and use the OpenSSL default software cryptographic modules on the POWER8 processor-based systems, or later.

To download the latest version of the OpenSSL fileset, go to the AIX Web Download Pack Programs website.

Data Encryption Standard kernel extension 64-bit

You can now ues 64-bit kernels with the Data Encryption Standard (DES) kernel extension, nfs_kdes_full.ext. This extension uses secure Network File System (NFS) by encrypting time stamps sent between the client and the server, which allows each Remote Procedure Call (RPC) message to be authenticated.

For more information about the DES extension, see the Network File Systems security topic.

The DES encryption kernel extension is available from the des fileset on the AIX Expansion Pack.

Network security options TCP Wrapper 1.1.0.0

TCP Wrapper is a simple open source tool to monitor and control incoming network traffic. For more information about the TCP Wrapper, see the Wietse's tools and papers website.

AIX Network Data Administration Facility

The AIX Network Data Administration Facility (AIX NDAF) for AIX 7.3 is not available on the Expansion Pack media. It is available on the base media.

IBM Security Directory Server

IBM Security Directory Server is no longer available on the AIX expansion pack media.

IBM Security Directory Server Version 6.4 is available on the AIX 7.3 base media. To upgrade to Security Directory Server Version 6.4, you must upgrade from Security Directory Server Version 6.3. For instructions about upgrading to Security Directory Server Version 6.4, see the Upgrade an instance of IBM Security Directory Server topic.

The following Security Directory Server Version 6.2 and Version 6.3 cryptography filesets are no longer provided on the AIX expansion pack media:

idsldap.clt_max_crypto32bit62
idsldap.clt_max_crypto64bit62
idsldap.srv_max_cryptobase64bit62
idsldap.webadmin_max_crypto62

Modern Cryptographic Library

The Modern Cryptographic Library is updated from version 6.1.0.3 to version 6.1.0.4.

The updates for Modern Cryptographic Library version 6.1.0.4 include the following modcrypt filesets:

modcrypt.base.lib
modcrypt.base.includes

The modcrypt filesets are required if the ACF and PKCS11 device driver version 7.1.3.30 (security.acf fileset) is installed on your system and if you are using a Network File System (NFS) with Kerberos 5 authentication. If your system does not meet these requirements, the system fails when the NFS gssd daemon starts.

The modcrypt fileset is compatible with Kerberos NAS 1.6.0.x, which is available in Expansion Pack and AIX Web Download Program web page, and the latest Kerberos version 1.16.1.x, which is available in the AIX Web Download Program.

IBM Network Authentication Service Version 1.16.1.5 for AIX

IBM Network Authentication Service (NAS) Version 1.16.1.5 for the AIX environment is a network-authentication protocol based on the IETF RFC 1510 standards protocol for the Kerberos V5 IBM NAS. The IBM NAS includes the Generic Security Service API (GSSAPI) and the Key Distribution Center (KDC) server. With IBM Network Authentication Service, AIX middleware and external application writers can use authenticated and optionally encrypted message flow between their respective components.

The IBM NAS fileset is updated with AIX VRMF 1.16.1.5. Some of the fileset enhancements are as follows:

The fileset includes the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) feature.
All of the impacted vulnerabilities reported until MIT Kerberos version 1.16.1 is back ported to this fileset.
Additional packaging-related changes have been done in this fileset to remove redundant dependency on bos.net.tcp.client.

Note: `

To download the latest version of NAS fileset, see the AIX Web Download Pack Programs website.
NAS version 1.5.0.xxxx is no longer supported on AIX.

Network Authentication Service Documentation

Read the README.lang file for IBM Network Authentication Service (NAS), Version 1.5 before you configure or use the program, where lang is one of the following language locales:

Chinese (Simplified)
Chinese (Traditional)
English
Korean
Portuguese (Brazilian)

The README.lang file for the AIX environment is located in the /usr/lpp/krb5 directory after the krb5.client.rte fileset is installed from the krb5.client client installation package. The README.lang file can also be viewed by using the SMIT list_media_info command to list supplemental fileset information about the installation media for the krb5.client.rte fileset.

Documentation for IBM Network Authentication Service is available in the README.lang installation packages, where lang is one of the following language locales:

en_US (US English)
Ja_JP (Japanese)
ko_KR (Korean)
zh_CN (Simplified Chinese)

The documentation is available in both HTML and PDF formats. Install the krb5.doc.lang.html fileset to access HTML documents and the krb5.doc.lang.pdf fileset to access PDF documents.

The IBM Network Authentication Service Version 1.5 Administrator's and User's Guide is installed in the following directories:

HTML
/usr/lpp/krb5/doc/html/lang/ADMINGD
PDF
/usr/lpp/krb5/doc/pdf/lang/ADMINGD

The IBM Network Authentication Service Version 1.5 Application Development Reference is installed in the following directories:

HTML
/usr/lpp/krb5/doc/html/lang/APDEVREF
PDF
/usr/lpp/krb5/doc/pdf/lang/APDEVREF

As mentioned in the ADMINGD.pdf, which is provided in the krb5.doc.en_US.pdf fileset, the config.krb5 command is used to configure secondary server with the LDAP backend server. However, in Network Authentication Service 1.16.1.5 version, arguments that are specified with the -L flag are not accepted and hence you do not need to specify these arguments.

Additional commands, like the kdb5_ldap_util command, is provided in Network Authentication Service 1.16.1.5 version, which can be used to configure NAS server with the LDAP backend server. The usage of the kdb5_ldap_util command is available in MIT admin command document.

SMB enhancements

Server Message Block (SMB) client file system

AIX 7.3 supports the SMB client file system that is based on the SMB protocol version 3.0.2 and 2.1. The SMB server runs on Windows™ Server 2012, Windows Server 2016, or Windows Server 2019 server operating system. In each of these server operating system types, a directory can be exported as a share. This share can then be mounted on an AIX logical partition by using the SMB client file system. You can use the SMB client system to access shares on SMB servers as local file systems on the AIX logical partition.

The SMB client file system in the AIX operating system requires Kerberos-based GSSAPI to start the user-authenticated session by using the SMB protocol version 3.0.2 or 2.1, based on the selection. In the AIX operating system, the GSSAPI is provided by a Userspace Library in the IBM Network Authentication Service (NAS) version 1.16.1.0, or later fileset. This fileset is included in AIX Expansion Pack.

The SMB protocol version 3.0.2 uses AIX OpenSSL library to generate keys to sign and encrypt the fileset. You must have openssl.base fileset version 1.0.2.2002, or later installed in the AIX operating system to use the SMB protocol. This fileset is included in AIX Expansion Pack.

The SMB client file system facilitates compatibility of SMB protocol version 3.0.2 with the SMB protocol version 2.1 and supports all functions of SMB protocol version 2.1 along with the additional features of the SMB protocol version 3.0.2. Earlier filesets (version 7.1.0.*) of SMB protocol are not supported.

To install the SMB client file system on the AIX LPAR, download the SMB client file system package from the AIX Web Download Program web page. Install the smbc.rte package on the AIX LPAR. For more information, see the SMB client file system topic.

Java Technology Edition

The following versions of Java™ Technology Edition are available on the AIX Expansion Pack media:

Table 1. Java versions
Java Version	32-bit	64-bit
Java Version 7	Yes	No (on base media)
Java Version 8	Yes	No (on base media)

Note: Java 5, Java 6, and Java 7.1 are not available on the AIX 7.3 base media or Expansion Pack media.

To check whether a more recent service refresh is available for a version of Java, see the AIX Download and service information website.

Reliable Scalable Cluster Technology (RSCT) CIM resource manager

The Common Information Model (CIM) resource manager is no longer shipped with AIX 7.3. If you have an older rsct.exp package installed from a previous release, you must uninstall it from AIX 7.3.