dear list members,
the eight Sun Ray Core Services Patch for SRSS 4.0 is available for
download from sunsolve.sun.com.
127553-08 - Solaris SPARC
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-127553-08-1
127554-08 - Solaris 10 x86
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-127554-08-1
127555-08 - Linux
http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-127555-08-1
you may always find information regarding the latest SRS/SRSS patches on
the list's web page: http://www.sun-rays.org/srss.html#patches
below is the README for the SPARC platform patch.
README's for other platforms can be found at:
http://www.sun-rays.org/patches/README/README.<patch_id>
happy patching :P,
Stoyan Angelov
Patch-ID# 127553-08
NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************
For further information on patching best practices and resources, please
see the Big Admin Patching Center, http://www.sun.com/bigadmin/patches/
***********************************************************************
Keywords: sun ray update patch security
Synopsis: Sun Ray Core Services version 4.0 Patch Update
Date: Feb/24/2010
Install Requirements: Reboot after installing this patch to activate the
changes delivered. An alternative may be specified in the Special
Install Instructions.
Solaris Release: 10
SunOS Release: 5.10
Unbundled Product: Sun Ray Core Services
Unbundled Release: 4.0
Xref: This patch available for 5.10_x86 as 127554-08 and for Linux as
127555-08
Topic:
Relevant Architectures: sparc
BugId's fixed with this patch: 6407231 6492879 6497875 6504027 6513377
6542450 6554391 6573093 6578775 6583348 6587725 6592372 6596045 6596686
6600065 6605645 6607591 6609317 6610233 6612710 6616994 6618056 6622089
6623150 6623818 6625203 6625491 6626955 6629028 6630054 6632737 6636671
6638831 6641754 6645003 6645009 6645010 6655178 6659871 6662969 6667384
6671517 6672145 6672502 6674773 6675678 6677259 6682321 6685185 6688127
6689004 6689682 6694424 6699511 6706607 6716667 6720776 6721043 6726120
6727792 6730748 6730822 6737449 6738725 6739397 6740563 6740687 6744049
6745120 6747622 6749640 6754138 6756504 6760323 6773304 6775532 6781604
6785797 6786835 6788938 6794261 6800187 6803522 6805880 6808910 6809619
6812067 6830214 6838464 6847290 6849054 6852457 6854647 6856022 6856191
6874418 6902328
Changes incorporated in this version: 6902328
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:
Files included with this patch:
/etc/init.d/utacleanup
/etc/opt/SUNWut/noentry.start
/etc/opt/SUNWut/smartcard/GD-STARCOS.cfg
/etc/rc0.d/K51utacleanup
/etc/rc1.d/K51utacleanup
/etc/rc2.d/S51utacleanup
/etc/rcS.d/K51utacleanup
/opt/SUNWut/bin/utselect
/opt/SUNWut/etc/template/ldap/utdsd.acl.conf
/opt/SUNWut/lib/admin.jar
/opt/SUNWut/lib/firmware/CoronaP1
/opt/SUNWut/lib/firmware/CoronaP2
/opt/SUNWut/lib/firmware/CoronaP3
/opt/SUNWut/lib/firmware/CoronaP4
/opt/SUNWut/lib/firmware/CoronaP5
/opt/SUNWut/lib/firmware/CoronaP6
/opt/SUNWut/lib/firmware/CoronaP7
/opt/SUNWut/lib/firmware/CoronaP8
/opt/SUNWut/lib/firmware_gui/CoronaP1
/opt/SUNWut/lib/firmware_gui/CoronaP2
/opt/SUNWut/lib/firmware_gui/CoronaP3
/opt/SUNWut/lib/firmware_gui/CoronaP4
/opt/SUNWut/lib/firmware_gui/CoronaP5
/opt/SUNWut/lib/firmware_gui/CoronaP6
/opt/SUNWut/lib/firmware_gui/CoronaP7
/opt/SUNWut/lib/firmware_gui/CoronaP8
/opt/SUNWut/lib/ifdh_scbus.so.1
/opt/SUNWut/lib/libsimpleRun.so
/opt/SUNWut/lib/libusbut.so.1
/opt/SUNWut/lib/libutadmin.so.1
/opt/SUNWut/lib/libutgrpmgr.so
/opt/SUNWut/lib/libutinfo.so.1
/opt/SUNWut/lib/libutjadmin.so
/opt/SUNWut/lib/libutoscompat.so.1
/opt/SUNWut/lib/modules/Authxlation.jar
/opt/SUNWut/lib/pam_sunray_amgh.so.1
/opt/SUNWut/lib/protocol.jar
/opt/SUNWut/lib/sdk.jar
/opt/SUNWut/lib/usb/ttykeyspan.so.1
/opt/SUNWut/lib/utati
/opt/SUNWut/lib/utatilu
/opt/SUNWut/lib/utaudiod
/opt/SUNWut/lib/utauthd.jar
/opt/SUNWut/lib/utdevmgrd
/opt/SUNWut/lib/utdmevent
/opt/SUNWut/lib/utdmsession
/opt/SUNWut/lib/utdsupdate
/opt/SUNWut/lib/utkeyvet
/opt/SUNWut/lib/utparalleld
/opt/SUNWut/lib/utprop
/opt/SUNWut/lib/utresexec
/opt/SUNWut/lib/utseriald
/opt/SUNWut/lib/utstoraged
/opt/SUNWut/lib/xmgr/dtlogin/notify
/opt/SUNWut/lib/yuvfile
/opt/SUNWut/sbin/utadm
/opt/SUNWut/sbin/utatiscrub
/opt/SUNWut/sbin/utconfig
/opt/SUNWut/sbin/utgmtarget
/opt/SUNWut/sbin/utgroupsig
/opt/SUNWut/sbin/utreplica
/opt/SUNWut/sbin/utuser
/opt/SUNWut/share/man/man1m/utatiscrub.1m
/opt/SUNWut/share/man/man1m/utgmtarget.1m
/opt/SUNWut/share/man/man1m/utgroupsig.1m
/opt/SUNWut/share/man/man1m/utuser.1m
/opt/SUNWut/share/man/man3/ut_amgh_script_interface.3
/opt/SUNWut/share/man/man3/ut_ati_script_interface.3
/opt/SUNWut/share/man/man4/auth.props.4
/opt/SUNWutref/ati/utatiref_script
/usr/openwin/server/modules/ddxSUNWsunray.so.1
Problem Description:
6902328 memory problems in the Sun Ray Session Server
(from 127553-07)
6497875 Device nodes are not getting created for Edgeport/1
6688127 Printers connected directly to DTUs USB port stop working after
a while
6740563 utparalleld needs to reap (thr_join()) its threads when they
thr_exit().
6744049 DM needs to be able to force use of "callme" protocol even when
DTU is not behind a NAT gateway
6794261 Multiple NSCM logins with different capitalisation
6803522 AMGH (to target FOGs running older SRSS) and Token Reader
functionality in FOGs broken by bestip fix
6805880 Pen data transfer doesn't happen for the second time in same session
6809619 Add 1280x800 screen resolution support
6830214 need to disable the source button on the Sun Ray 270
6838464 utauthd remote denial of service attack
6847290 Add GUI option to set videoindisable switch for Sun Ray 270
6849054 Customer expects option 43 offer to be accepted even if include
option 43 in an invalid string
6852457 Clients DSA private key are not unique
6854647 Sun Ray keyboard becomes unresponsive while mouse events are OK
6856022 Sun Rays can come up at 10 Mbps if switch port is not up when
Sun Ray boots
6856191 Retrieving data using Pc/ScLite 1.1 from Siemens CardOS4.01a
smartcard fails with FW 4.1_139548
6874418 In a slow network a new socket connection fails frequently when
polling for tcp connection
(from 127553-06)
6578775 Safesign app + PCSC Lite + JCOP-XX smart card + correct PIN =
keypair/keyset not found error
6672502 utaudiod has resource leaks
6706607 utsession -k can cause 26 D icons
6727792 utseriald denies access to device after server switch
6730822 utauthd does not notice that sessions have been disconnected in
certain circumstances
6739397 Add callme device allocation back into Sun Ray smart card IFD
handler.
6740687 utdmsession can expose sensitive data
6745120 Sun Ray 2FS hangs at 26D (Xsun) or is black (Xnewt) when the
resolution is set to 640x480
6747622 LAN-connected Sun Rays can't redirect to a server when its
primary IP address is not reachable
6756504 Sun Ray doesn't know how to handle a request for 2 consecutive
tokens from an ASA with RSA back end.
6760323 Entering any prompting dialog causes locks to be reset
6773304 PIX gateways no longer work for VPN with Sun Ray because of ID
type change
6775532 Xnewt dumping core due to a divide by zero error.
6781604 AMGH fails on Sun Rays when server's Primary IP address is
unreachable (sim. to CR#6747622)
6785797 Sun Ray firmware needs expanded network definition options
6786835 Need support for Siemens CardOS API 2.5 middleware added to
PC/SC-Lite
6788938 4.1 utauthd has a crash and redirect issue.
6800187 utauthd in SRSS 4.0 on S10/TX appears to leave a number of
defunct processes and open ports
6808910 Netscreen VPN connections don't come up if the gateway's version
ID is not recognized.
6812067 Sun Ray VPN doesn't support AES 192 and 256 bit key sizes.
(from 127553-05)
6699511 Xsun hangs with OSD 26 on Sun Ray DTU with large time on poll()
if under VMware and high speed net
6749640 Desire a way to use token data external to SRSS to control FOG
session access
6754138 utuser deprecated "-k" (and -xdisplay and -tokenid) options
should be eliminated
(from 127553-04)
6504027 Support smartcard configuration file for smartcards of type
GD-STARCOS 3.0
6513377 Ctrl+Pause+cursor shortcuts for local volume control don't work
6616994 LDAP password exposed during configuration using utconfig
6618056 utgroupsig should read from stdin and write to stdout/stderr to
allow utconfig to be scripted
6659871 Access restrictions need improvements
6667384 2FS doesn't receive second monitor utresadm override if DDC
failed on second monitor
6672145 Lots of packets are dropped with the server port set to gigabit
Ethernet through some switches
6674773 Remove spurious failure message from internal smart card reader
IFD handler
6677259 Finnish ID card is not recognized on Sun Ray 2 on SRSS 4.0 (but
is on Sun Ray 270)
6682321 Sunray 2FS not able to use second display with new Samsung monitors
6685185 Sun Ray VPN connection to Cisco ASA gateway doesn't rekey properly
6694424 Unitech barcode reader fails to work with Sun Ray
6716667 Sun Ray internal reader IFD Handler not able to allocate smart
card reader in busy networks
6720776 Sun Ray 2s at low bandwidth suffer high packet losses
6721043 Maximum X server bandwidth is limited when high resolution clock
tick is enabled.
6726120 Maximum rendering bandwidth use is throttled when hires timer is
set.
6730748 Sun Ray DTU can't resolve hostnames
6737449 SYN|ACK retry during TCP passive open is broken
6738725 hotdesking and group manager does not appear to work w/ DTU's on
multiple subnets when vni is used
(from 127553-03)
6625491 Running utadm -A on TX w/ vni config'd FAILS
6671517 SRSS failover groups (FOG) not working properly when group
members are defined as CIPSO on TX
6675678 readdir_r parameters need storage allocation
6689004 Sun Ray datastore integration for group manager unicast target list
6689682 man page updates for group manager unicast target feature
(from 127553-02)
6542450 Sun Ray DTU responds to ping even if IP address is incorrect
6554391 DTU IFD handler should use oscompat library functions for
portability.
6583348 Sun Ray: Apple Mighty Mouse vertical scroll not functioning properly
6609317 libusb's usb_bulk_read() doesn't return an error when a CCID
reader is removed.
6622089 pcscd instance Core dump is seen once on Solaris 10 X86
6623150 TCSETA / TCSETAW / TCSETAF not supported on Sun Ray serial subsystem
6625203 External smartcard reader does not get detected in a hotdesked
session
6626955 uttsc exited with error messages with PCSClite 1.1 _01 after
multiple hotdesks
6629028 uttsc exited with error messages and PCSC core dump after
rebooting DTU.
6630054 xmgr/dtlogin/notify needs to defend against corrupted dtlogin
PID file
6632737 IFD handler RDD low-level I/O should be re-startable after
disruption
6636671 If a Sun Ray terminal gets TFTPsrvN (option 66) it should try
sunray-config-servers if this fails
6638831 ifd handler should log clear reasons for init failure to syslog
6641754 Sun Ray 2/2FS/270 smart card readers sometimes drop bytes at
bauds greater than 9600.
6645003 svcevts.c`svc_finder_add() has bug in sessid keyword
6645009 libusb has problems with release_interface() after detach
6645010 libusb needs to be made session-based hotdesking aware
6655178 Smartcard Philips SmartMX doesn't work anymore in SRSS4.0
6662969 keyboard hangs on lossy network
(from 127553-01)
6407231 Sun Ray USB implementation does not present bcdDevice value in BCD
6492879 Typo in description of SUNWutfw rpm
6573093 1400x1050 res doesn't work if native panel resolution
6587725 uttsc hangs (up to 2 min) on multiple hotdesking while smart
card LED is glowing
6592372 channels switch when playing audio on SR2FS and SR2 DTUs
6596045 Audio record not working on 4.0 b48 on Sun Ray 2 family
6596686 DDR2 graphics memory support needed for future SR2, SR270 boards
6600065 SRSS libusb improperly blocks root from accessing DTU's USB devices
6605645 SRSS 4.0 network bandwidth is much higher than 3.1.1
6607591 Use the Sun Ray Data Store (SRDS) to host the VDA configuration
6610233 Sun Ray firmware problem with 2048bit key
6612710 Scbus IFD handler mishandles T=1 APDUs with no return data.
6623818 Firmware load prevented by barrier on new SR270 DTUs
Detailed Installation Steps
---------------------------
1. Suppress firmware downloads
If the server being patched is not a member of a Sun Ray
failover group you should skip this step.
If the server being patched is a member of a Sun Ray failover
group then this step is optional but is strongly recommended.
At Patch Installation
---------------------
Before adding this patch to servers configured into a Sun
Ray failover group we advise that you disable Sun Ray
firmware delivery from all unpatched hosts in the failover
group. On each host in the group:
For config parameters (.parms) file:
$ /opt/SUNWut/sbin/utfwadm -D -a -V
For dedicated network interconnects:
$ /opt/SUNWut/sbin/utfwadm -D -a -n all
For shared subnetwork interconnects:
$ /opt/SUNWut/sbin/utfwadm -D -a -N all
Do this only one time, before adding this patch to any
server in the group.
The purpose of this step is to prevent unpatched servers
from offering old firmware to Sun Ray appliances.
At Patch Removal
----------------
Before removing this patch from servers configured into a
Sun Ray failover group we advise that you disable firmware
delivery from any hosts in the failover group that have
this patch installed. On each already-patched host in the
group:
For dedicated network interconnects:
$ /opt/SUNWut/sbin/utfwadm -D -a -n all
For shared subnetwork interconnects:
$ /opt/SUNWut/sbin/utfwadm -D -a -N all
For config parameters (.parms) file:
$ /opt/SUNWut/sbin/utfwadm -D -a -V
Do this only one time, before removing this patch from any
of the already-patched servers in the group.
The purpose of this step is to prevent already-patched
servers from offering new firmware to Sun Ray appliances.
If this patch is being removed from a Sun Ray failover group
then omitting this step may result in increased restart
times for your Sun Ray appliances. (A mixture of patched
and unpatched servers advertising conflicting firmware
versions may cause the appliance to download new firmware
each time it restarts. The appliance automatically
restarts itself after downloading fresh firmware so its
overall restart cycle is longer in that case. The
appliance may restart itself several times before
establishing or reconnecting to a session.) The Sun Ray
restart time will return to normal once the patch has been
removed from all servers in the failover group.
2. Stopping Sun Ray services and login sessions
Before the addition or removal of this patch to a Sun Ray server
all users should be logged out of their Sun Ray sessions.
Stop the Sun Ray services using the following commands:
$ /etc/init.d/utstorage stop
$ /etc/init.d/utsvc stop
These commands will terminate any Sun Ray sessions that were not
already logged out.
Next, use the instructions outlined below in the section
"Patch Installation Instructions" for the addition or removal
of this patch.
3. Rebooting the Sun Ray server
The Sun Ray server must be rebooted after the addition or removal
of the patch.
4. Enable firmware downloads
After the addition or removal of this patch on all Sun Ray
servers in a failover group, enable firmware downloads
using one of the following methods:
1) If all Sun Ray servers in the failover group provide default
(non GUI) firmware downloads run this command on one of the servers:
$ /opt/SUNWut/sbin/utfwsync
After which the Sun Ray DTU's will reboot themselves and load
the new firmware.
2) If only some of the Sun Ray servers in the failover group provide
firmware downloads to the DTU's, run the following command
on the servers that do provide firmware:
For default (non GUI) firmware.
For dedicated network interconnects:
$ /opt/SUNWut/sbin/utfwadm -A -a -n all
For shared subnetwork interconnects:
$ /opt/SUNWut/sbin/utfwadm -A -a -N all
For GUI firmware.
For dedicated network interconnects:
$ /opt/SUNWut/sbin/utfwadm -A -a -n all -f \
/opt/SUNWut/lib/firmware_gui
For shared subnetwork interconnects:
$ /opt/SUNWut/sbin/utfwadm -A -a -N all -f \
/opt/SUNWut/lib/firmware_gui
3) Upgrading firmware via the config parameter (.parms) file
For default (non GUI) firmware.
$ /opt/SUNWut/sbin/utfwadm -A -a -V
For GUI firmware.
$ /opt/SUNWut/sbin/utfwadm -A -a -V -f \
/opt/SUNWut/lib/firmware_gui
Then restart services on all servers in the failover group by
executing the following command on a server in the group:
$ /opt/SUNWut/sbin/utfwsync -d
5. Optionally increase system clock frequency
The fix for CR 6672145 improves the performance of some switches
that drop a lot of packets when the downlink from the server is
run at 1 Gbps. For the fix to be effective, the clock frequency
on the server has to be increased.
This is accomplished by adding the following line to /etc/system
set hires_tick = 1
and rebooting the server. To confirm that the change has taken
effect, "getconf CLK_TCK" should print a value of 1000.
Patch Installation Instructions:
--------------------------------
Refer to the man pages for instructions on using 'patchadd' and 'patchrm'
scripts provided with Solaris. Any other special or non-generic
installation
instructions should be described below as special instructions. The
following
example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/<patchid-rev>
The following example removes a patch from a standalone system:
example# patchrm <patchid-rev>
patchadd may give some messages while installing on a system
with zones. To suppress these messages "-G" option can be used.
example# patchadd -G /var/spool/patch/<patchid-rev>
For additional examples please see the appropriate man pages.
Special Install Instructions:
-----------------------------
NOTE 1: This patch is for the Sun Ray Core Services 4.0 component
that is part of Sun Ray Server Software 4.0.
NOTE 2: This SRSS patch does not support Live Upgrade. Please do not
install this patch via live upgrade.
NOTE 3: The DTU firmware delivered in this patch has an increased
downgrade "barrier" of '325' to prevent accidental downgrades to
firmware from earlier releases. If you wish to revert a unit back to an
earlier release of firmware after upgrading to this version of firmware,
please see the admin guide for information on overriding the
barrier/barrierLevel mechanism.
NOTE 4: Be sure to install the latest Kiosk 4.0 patch 128165 on your
system.
NOTE 5: The DTU firmware delivered in this patch has the following version
identification string
4.1_139548-03_2009.10.26.15.43
GUI4.1_139548-03_2009.10.26.15.43
Required Patches
----------------
Warnings & Errors
-----------------
** WARNING: This patch should only be applied to systems which have
Sun Ray Server Software 4.0 fully installed.
Do not attempt to add this patch to the UFS image to be
applied as part of the install process.
Post-Patch Installation Notes:
------------------------------
Updated Smartcard Config Files
The fix for 6504027 (Support smartcard configuration file for
smartcards
of type GD-STARCOS 3.0) that is included with this patch provides an
updated GD-STARCOS.cfg smartcard config file. This file provides
support
for using the G&D (Giesecke & Devrient) STARCOS SPK 3.0 smartcard for
Sun Ray session mobility. This card type has not been tested for any
other use on Sun Ray. Specifically PIN/PKI login and other
cryptographic
operations that this card can perform have not been tested on Sun Ray.
Such uses of this card type are unsupported.
If you maintain your smartcard configuration files on the local Sun Ray
server, then no action is necessary after installation of this patch and
reboot. If you maintain your smartcard configuration files in the Sun
Ray Data Store (DS), you will need to update the DS with this updated
version of the GD-STARCOS.cfg file after installation of this patch and
reboot. You can update the DS with this updated config file using the
"utcard" CLI or via the Sun Ray Administration GUI.
Automated Token Importation (ATI)
A feature has been added in this patch which allows
controlling session access based on information stored in
customer data sources. In addition to man pages delivered
with this patch, a description has been added to the
Sun Ray Server Software 4.0 Release Notes available at:
Solaris: http://docs.sun.com/app/docs/doc/820-0417
Linux: http://docs.sun.com/app/docs/doc/820-0418
Regression fix for Cisco PIX gateways
Sun Ray firmware for this patch is drawn from the SRSS 4.1
patch release. The addition of support for the Netscreen
family of VPN gateways in the SRSS 4.1 release caused the Cisco
PIX family of VPN gateways to stop working, though ASA and 3000
series continue to function correctly. Unfortunately, the fix
for this requires that the VPN configuration now include an
item to specify what type of VPN gateway the Sun Ray will be
connecting to. This configuration can be done using the local
GUI tool available on the Sun Ray, or through the download of a
configuration file, using the "Download Configuration" option
of the GUI tool. A couple of other useful options have been
added to the VPN configuration, including the PFS group to use,
the IPsec phase 2 lifetime, and a switch to enable Dead Peer
Detection. (Dead Peer Detection was also introduced in SRSS
4.1, and was on by default. Unfortunately, having it enabled
also causes the PIX gateways to fail, so it must be disabled
for PIX.)
The new values in the configuration file use these keywords and
value types:
vpn.peertype integer/string (0 or "cisco" = Cisco,
1 or "netscreen" = Netscreen)
vpn.pfsgroup integer Diffie-Hellman group for Perfect
Forward Secrecy
vpn.ipsectime integer IPsec SA lifetime for phase 2 proposals
in seconds
vpn.dpdswitch integer non-zero -> enable DPD
Other than the peertype, these values may also be set using the
"Advanced" submenu of the VPN configuration menu.
README -- Last modified date: Wednesday, February 24, 2010
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
