Release Notes
Version 4.1
Note: Before using this information and the product it supports, read the information in Notices on page 21.
This edition applies to version 4.1 of IBM Sterling Connect:Direct for UNIX and to all subsequent releases and modifications until otherwise indicated in new editions.
Copyright IBM Corporation 1999, 2013. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Release Notes
  Overview
  Hardware and Software Requirements
  Supported Interfaces
  Password Storage
  Libraries to Install
  New Features and Enhancements
  Support Requests Resolved for This Release
  Special Considerations
    Special Considerations for Using Sterling File Accelerator (UDT)
    Special Considerations for Using Sterling Connect:Direct for UNIX in FIPS 140-2 Mode
    Special Considerations for Connectivity with the HP NonStop Kernel Operating System
  Known Restrictions
  Upgrading Sterling Connect:Direct File Agent on AIX
  Sterling Connect:Direct for UNIX Guidelines
  Upgrade Considerations
Notices
Release Notes
Overview
The IBM Sterling Connect:Direct for UNIX Release Notes document supplements Sterling Connect:Direct for UNIX documentation. Release notes are updated with each release of the product and contain last-minute changes and product requirements, as well as other information pertinent to installing and implementing Sterling Connect:Direct for UNIX.
Hardware and Software Requirements
Component or Functionality: Sterling Connect:Direct for UNIX with TCP/IP or IBM Sterling File Accelerator connectivity
Hardware and Software:
- HP PA-RISC, HP Integrity system with Intel Itanium processor: HP-UX version 11iv2 September 2004 Update or higher or 11iv3
- IBM System pSeries: AIX 5L version 5.3, 6.1, or 7
- Sun SPARC system: Solaris version 9, 10, or 11
- Intel and AMD x86/x86-64: Solaris version 10 (patch level (REV) dated 23 Aug 2011 or later) or 11
- Intel and AMD x86/x86-64: Any point release of Red Hat Enterprise Linux version 4, 5, or 6 AS or ES distribution; SuSE SLES version 9, 10, or 11
RAM (min.) 2 GB
2 GB
50 MB
2 GB 2 GB 2 GB
50 MB 50 MB 50 MB
2 GB
50 MB
2 GB
50 MB
Component or Functionality
Hardware
Software Any point release of Oracle Linux 5 or 6 that includes the following statement in Oracle's Certification document: "Oracle Linux is fully compatible both source and binary with Red Hat Enterprise Linux (RHEL)."
RAM (min.) 2 GB
Linux zSeries
Any point release of Red Hat Enterprise Linux version 4, 5, or 6 AS or ES distribution SuSE SLES version 9, 10, or 11
2 GB
50 MB
2 GB 2 GB
50 MB 275 MB
Sterling Connect:Direct File Agent
Hardware: Same as requirements for Sterling Connect:Direct for UNIX
Software: Same as requirements for Sterling Connect:Direct for UNIX. Java Standard Edition 6, installed with Sterling Connect:Direct File Agent.
Note: On Linux zSeries, the JRE is not bundled with Sterling Connect:Direct File Agent. You must obtain and install Java Standard Edition 6 before you install Sterling Connect:Direct File Agent.
Sterling Connect:Direct Secure Plus
Hardware: Same as requirements for Sterling Connect:Direct for UNIX
Software: Same as requirements for Sterling Connect:Direct for UNIX. Java Standard Edition 6, installed with Sterling Connect:Direct Secure Plus.
2 GB
70 MB
High-Availability support
Software: HP MC/Service Guard, IBM HACMP, SunCluster 2.2, 3.0 or 3.2
SNA connectivity
Software: Install and configure Communications Server for AIX V6. For HP-UX 11i, you must install and configure both of the following:
- SNAplus2 Link version R7
- SNAplus2API version R7
Component or Functionality
Software Install and configure SNAP-IX Gateware software DATA Connection Limited
RAM (min.)
Supported Interfaces
Sterling Connect:Direct for UNIX supports the following interfaces:
- Ethernet
- SDLC
- X.25 (QLLC)
Password Storage
Sterling Connect:Direct for UNIX enables you to use any of the following for password storage:
- /etc/passwd file
- /etc/shadow file when supported by the operating system
- HP-UX trusted security
- Network Information Service (NIS), formerly known as Yellow Pages
- Digital UNIX Enhanced Security
- Pluggable Authentication Modules (PAM)
Libraries to Install
Ensure that you have the following libraries installed:

UNIX Platform: Intel and AMD x86/x86-64, Linux zSeries
Software: All supported Linux
Library: libstdc++.so.5
Tip: You can acquire this library by applying the compat-libstdc++-33 package.

UNIX Platform: Intel and AMD x86/x86-64
Software: Red Hat Enterprise Linux version 6
Library: For Red Hat Enterprise Linux version 6, the following libraries need to be installed:
- libXtst-1.0.99.2-3.el6.i686
- libXmu-1.0.5-1.el6.i686
- libXt-1.0.7-1.el6.i686
- libXft-2.1.13-4.1.el6.i686
- libX11-1.3-2.el6.i686
- libXi-1.3-3.el6.i686
- libXext-1.1-3.el6.i686
- libXau-1.0.5-1.el6.i686
- libXrender-0.9.5-1.el6.i686

UNIX Platform: Linux zSeries
Software: Red Hat Advanced Server
Library: compat-libstdc++-33.3.2.3-47.3 (or later)

Software: AIX
Library:
- IBM C Set ++ Runtime Libraries for AIX version 8 or later
- bos.rte.libpthreads 5.3.7.0 or later
These libraries can be accessed at: http://www.ibm.com/developerworks/aix
Note: After you install these libraries, rerun the Sterling Connect:Direct for UNIX installation program.
New Features and Enhancements
Feature or Enhancement
- Provides new fsync.after.receive initialization parameter that calls the fsync function to flush all data to disk before you close the file. Files that are written and closed by Sterling Connect:Direct on an NFS destination might not be immediately ready for processing because of NFS-delayed writes. The fsync.after.receive initialization parameter is part of the copy.parms record of the initparm.cfg file. Valid values are y (yes) to call fsync before you close a data file that was received, and n (no). Default value is n.
Version 4.1.0.1 or later (requires fix pack).
- Provides outgoing Process netmap checking capability. The netmap.check parameter values now include the following settings:
  - Y - Checks the network map for all nodes that Sterling Connect:Direct communicates with to validate the node name and IP address.
    Attention: This is an expanded definition to the previous meaning of Y for this parameter.
  - L - Checks the network map only for nodes that the local Sterling Connect:Direct initiates sessions with to validate the node name and IP address.
  - R - Checks the network map only for remote nodes that communicate with the local node to validate the node name and IP address.
  - N - Does not validate any session establishment requests in the network map.
- Provides new daily keyword that, when specified with an elapsed time in the startt parameter of a submit command, schedules the Process for the next day at the specified time.
- Sterling File Accelerator - supporting UDT (UDP-based Data Transport) for higher file transfer throughput rates on high-speed networks with latency.
- Improves and expands use by:
  - Providing a configuration checking utility to validate configuration files offline to help find syntax errors before putting configuration changes into production. (SR 1355197)
  - Providing 64-bit API libraries and source files for the Sterling Connect:Direct API so that customers can build programs using the Sterling Connect:Direct SDK/API in 64-bit mode. (SR 1362740)
- Provides a sample Quiesce and Resume parameter table customers can customize for their environment to enable a testing mode that terminates any active production work until testing is complete.
- Provides new select statistics parameters that allow customers to access statistics information based on source and destination file names.
- Provides stand-alone command line configuration utility (cdcustrpt) that produces a report containing configuration information for the system and the product, and for Sterling Connect:Direct Secure Plus and Sterling Connect:Direct for SWIFTNet for UNIX if they are installed. The information in this report can be sent to IBM Customer Support to assist in troubleshooting.
- Provides a stand-alone compression utility (cdsacomp) that enables offline pre-compression of a file that can either be decompressed on-the-fly as it is received by the remote Sterling Connect:Direct node or be received in a pre-compressed format and later decompressed offline using the cdsacomp utility. (SR 134976)
- Provides TCQ compacting automatically at server startup to free up unused records to reduce the TCQ file size and improve the efficiency of Sterling Connect:Direct. (SR 1341291)
- Provides a new API inactivity timeout parameter in the .Local node record of the netmap file so that when a CMGR has not received a command from a client for the specified amount of time, it exits to help prevent resource leaks caused when a client terminates abruptly. (SR 1366885)
- Extends communications support by:
  - Supporting the IPv6 protocol, which allows a much larger address range than IPv4 and complies with US Federal Government implementation requirements.
  - Providing the ability to listen on multiple server addresses for inbound node connections using the rnode.listen parameter, comm.info sub-parameter in the initialization parameters file.
  - Providing the ability to use the existing tcp.api parameter in the local.node record of the netmap to define multiple TCP/IP addresses for inbound API connections for flexibility in communications configuration. (SR 1350818)
- Enhances visibility of netmap check failures by placing Processes in the Hold queue rather than the Timer queue.
- Enhances interoperability with Sterling Control Center by:
  - Using the time zone differential key to prevent statistics problems in Sterling Control Center.
  - Adding new initparms and a user authority to support remote Sterling Connect:Direct Secure Plus configuration.
- Simplifies set up by initializing Sterling Connect:Direct Secure Plus during installation.
- Improves visibility of the statistics max.age parameter by creating this parameter in the initparms.cfg file with a default value of 8 days during installation.
- Enhances TCQ compacting by renaming the tcqhdr.ind backup file to tcqhdr.ind.old and retaining this backup file after compacting.
- Removes support for SNMP.
- Enhances security by providing the IBM Sterling Crypto-C module that provides a FIPS 140-2 validated cryptographic module for HP-UX, PA-RISC, HP-UX Itanium, AIX, and Solaris SPARC UNIX. (Sterling Connect:Direct Secure Plus)
Support Requests Resolved for This Release
APAR IC87996 The Partitioned Data Set (PDS) member name, key word PPMN, is listed twice in the Copy Termination Record (record id CTRC) that is logged to statistics when copying a file to or from a zSeries PDS member.
APAR IC86881 Secure cdpmgr initialization procedure to sanitize inherited environment variables, added for APAR IC82150, may prevent run task steps that depend on one or more of the inherited environment variables from working properly.
APAR IC89092 Upgrading to 4.1.0 from a release previous to 4.1.0 configured with Secure+ generates some inappropriate messages indicating that the initialize Secure+ operation failed.
APAR IC88093 Certain business scenarios may require the need to specify a nonstandard record delimiter for UNIX text files. Added new copy step sysopt called RECDL.
APAR IC89513 On some Solaris systems, CLI may fail to connect, reporting XSEC016I message. ndmauthc or ndmauths may also generate a core file when this happens.
APAR IC89667 Secure+ SSL connection initiated to Sterling Connect:Direct for z/OS uses a 16k buffer even when both sides have larger buffer sizes specified.
APAR IC91661 Custom program using the Sterling Connect:Direct for UNIX API may generate XCMG000I errors when submitting a command. Server may show an XSEC012I error concurrently.
APAR IC91973 Greater than two gig file transfers fail with XSQF006I on Linux systems with kernel version 3.x.
Version 4.1.0.3
QC19725 Process with snodeid override specified submitted on Sterling Connect:Direct for UNIX node via a submit statement within another Sterling Connect:Direct Process may fail to pass snode security.
QC19758 Sterling Connect:Direct for HP NonStop reports an invalid feedback code in the completion status for a run task step submitted to Sterling Connect:Direct for UNIX.
QC19832 On AIX systems, temporary work files are created in /tmp instead of {install dir}/work/{node name} directory for Processes submitted by a user without write permission in the {install dir}/work/{node name} directory.
QC19857 View Process command may hang and generate many XUPC023I errors when viewing a submitted Process that includes a submit step with an snodeid or pnodeid override.
QC20035 An LCCA082I error is generated after cdpmgr has been started by root and a Secure+ configuration command is issued from a KQV client, like Sterling Control Center.
QC20041 Possible denial of service if attacker can play back multiple simulated sessions that include large malformed session control packets that generate lots of errors.
QC20043 Stack overflow vulnerability in ndmauthc. An attacker could exploit the vulnerability to execute commands with Sterling Connect:Direct for UNIX installer authority.
QC20044 Stack overflow vulnerability in modules that read the initparm.cfg file, like cdpmgr and ndmsmgr.
QC20157 Null pointer dereference vulnerability in ndmsmgr for Secure+ connections. Vulnerability could enable denial of service attack.
QC20158 ndmsmgr segmentation violation during Secure+ connection attempt using a malicious certificate with an inordinately long subject. Possible denial of service.
QC20403 Potential for XPMR018I error when client such as Sterling Control Center attempts to update the initparm.cfg file.
QC20473 Some records on z/OS VB destination file are not filled to LRECL specification when sending a UNIX file with datatype=binary and codepage conversion specified.
QC20638 ndmcmgr aborts with signal 11 when Sterling Control Center attempts to add a local user.
RTC 103045 When Secure+ is installed on a node for the first time, it must be initialized. The initialization procedure requires the Sterling Connect:Direct node name, but it is not offered by default.
RTC 140646 Clients like Sterling Control Center or Sterling Connect:Direct Browser User Interface are able to set an invalid tcp.api value in the local.node netmap entry causing future api connections to be rejected.
APAR IC82150 Improved safe initialization procedures for suid files ndmauthc, ndmauths, and cdpmgr.
APAR IC81358 Statistics archive files may be owned by root.
RTC 315406 cdinstall indication of disk space requirement to install File Agent is too low.
APAR IC83460 When SSL/TLS is enabled, updating the .SEAServer entry in Secure+ would fail even when External Authentication is disabled: "Error: The .SEAServer host name must be specified."
APAR IC83593 On exit, cdcust may give an inappropriate warning about incomplete root authority configurations.
APAR IC84027 spcli may display resolved symbolic link values for pathnames entered with symbolic links specified.
APAR IC84003 When Sterling Connect:Direct for UNIX receives a redirect message, SCPA007I, from Sterling Connect:Direct for z/OS Plex environment, Sterling Connect:Direct for UNIX inappropriately records a nonzero completion code. Plex redirection is a normal operational flow.
Version 4.1.0.2
QC19065 XSMG605I error when copy step to i5/OS node fails and connection is via Secure+ STS with digital signatures enabled.
QC19079 XSMG271I error on restarted wildcard copy step when local user on sending node is other than the Sterling Connect:Direct installer.
QC19299 SVSJ032I error sending a binary file to a z/OS destination file with V or VB record format.
QC19324 Scheduled Process fails with XSQF009I error if cdpmgr is recycled before the scheduled Process start time.
QC19414 cdcust option to run "Configurations requiring root privilege" is ineffective when root user is configured with a nologin shell.
QC19435 Files written and closed by Sterling Connect:Direct on NFS destination may not be immediately ready for processing due to NFS delayed writes.
QC19633 cdinstall fails to detect and provide notice when the installed Sterling Connect:Direct version is newer than the installing version.
Version 4.1.0.1
QC18587 Null pointer dereference vulnerability in ndmsmgr.
QC18588 Stack overflow exploit potential in ndmsmgr.
QC18972 Added "daily" keyword that when specified in the startt parameter with an elapsed time will schedule the Process for the next day at the specified time.
QC18999 XIPT011I error when Sterling Control Center attempts to import a large (greater than 16k) trusted certificate file.
QC19021 Trailing blanks are not stripped from first record of a text file received with strip.blanks=yes and codepage conversion.
QC19050 Added functionality to allow server connections to strongly secure sensitive information in session overhead and leave data which may not be sensitive unencrypted to enhance performance. Documentation for this feature and how to use it is available on our IBM Support Center website.
Version 4.1.0.0
1351573 Copy step fails to checkpoint and restarts from beginning after Process is suspended (flush/hold) and restarted.
1365363 TCP comm errors (XIPT errors) are not returned in a select statistics by pnumber response.
1369148 Customer client applications coded with the Sterling Connect:Direct API would core dump after successive connection failures.
1370676 Wildcard send gets file read permission error when user should have read access via supplementary group permissions.
1370745 "Bytes Read" counter may be incorrect in the Copy Termination Record (CTRC) of select statistics output when sending a text file with strip.blanks=yes.
1370775 CTRC stat record does not reflect XSQF006I generated when small text file received on filesystem that is at full capacity.
1370824 ndmsmgr persisting and using high percentage of CPU in some cases after pnode=snode Process is completed.
1371040 Proxy record that begins with the '#' character causes XSMG242I error for incoming Processes.
1371229 Select statistics command response time improvement.
1371264 Message SVSG005I missing from msgfile.cfg.
1371409 Add methods GetProcessRC and GetProcessMsgID to the C++ sdk API for Process submitted with maxdelay=unlimited.
1371934 XCPS009I error when LRECL specification exactly equals actual text file record length.
1372112 Flush Process ineffective when run task step is running on remote node. Restriction: Processes running a run task step on a remote node can now be flushed; however, the Process will not be flushed on the remote node side. The task will continue to completion and then the remote node Process will fail with a communication error.
1372125 XUPC035I errors on view Process command when Process specifies sysopts string with embedded quotes.
1372165 XSMG240I error after successful step completion.
1372245 XSMG015I Process error on HP-UX systems configured with long node names.
1372292 Netmap record names longer than 16 characters cause configuration problems in spadmin and spcli.
1372394 Default session class specified in adjacent node record fails to override session class defined in local node record.
1372833 PRED record message id short text shows generic Process completed message, not specific text of PRED record message id.
1372865 Wildcard copy fails to send file that user has read access to via Access Control List.
QC13457 Netmap not checked for outgoing Processes.
QC13793 Potential for small cdpmgr memory leak when select Process detail command is processed.
QC13827 Ndmcmgr memory leak causes File Agent to generate a NullPointerException after repeatedly submitting Processes.
QC14076 cfgcheck '-f' parameter does not restrict check to named file only.
QC14185 Allow underscore characters in hostnames.
QC14341 Sterling Control Center update of local.node record removes tcp.api value.
QC14470 Wild card copy step would inappropriately report success when some but not all matching files were not readable by the user. Added new error message XSMG277I to indicate this condition.
QC14572 After upgrading node with Secure+ option, connections may fail with CSPA016E or CSPA317E errors.
QC14577 XPAE003I syntax error submitting Process coded with several symbolics defined with long symbolic names and values.
QC14599 Install on AIX 5.3 with Service Pack 10 applied fails indicating unsupported pthreads library version.
QC14670 MBCS002E error receiving file using codepage conversion and strip.blanks=yes.
QC14782 XUPC028I error when a view Process command is attempted on a Process with a run task/job step that includes '|' and '=' characters.
QC14860 Potential for client application using API to dump core after ndmapi_sendcmd function call.
QC15020 Expired passwords pass security check on shadow password security enabled systems.
QC15507 While processing a large number of Sterling Connect:Direct Processes, a 'select process pnumber=*' command will intermittently return a truncated list of Processes.
QC15570 When Sterling Connect:Direct for UNIX is at maximum API capacity (as specified by api.max.connects), a Java API call to instantiate (create and connect) to a new node will complete successfully, but subsequent execute commands will fail with the messages "Error: Connection Exception!" and "Unexpected IOException in CommunicationBuffer::Receive()" or "Error: Connection Exception! End of file in CommunicationBuffer::Receive()".
QC15647 XAPI006I errors with Substitution="Specified file could not be opened", with api submit "submit file=filename;" with no space between end of command text and ';'.
QC15740 Change Process command issued for large amount of Processes on TCQ takes a long time to complete and generates many XLKL004I errors.
QC16086 Select Process command while many Processes are in tcq causes CLI to exit with XCMG000I error.
QC16177 CLI abruptly exits with various error indications (depending on operating system) when a select statistics command is issued with a stopt parameter value previous to any existing statistics. Current statistics shows an ndmcmgr terminating with signal SEGV.
QC16235 cfgcheck doesn't indicate line number of errors reported.
QC16242 Sessions fail with CSPA311E and CSPA309E when Secure+ configured with certificates using SHA-2 based signatures.
QC16338 CSPE003E error generated when attempting to submit a Process. Preceded by CSPE008E error with fdbk=9 on cdpmgr startup.
QC16418 When a KQV client (Sterling Connect:Direct Browser User Interface, Sterling Connect:Direct File Agent, etc.) submits a Process, the submitted time reported to the KQV client is the UNIX Epoch, 31 Dec 1969.
QC16538 The XSEC007I message generated when a CLI connection fails due to improper directory permissions of the security subdirectory has misleading text.
QC16620 Apparent hang in spadmin on HP platforms when DISPLAY is directed to Attachmate Reflection X server.
QC16622 No statistic record logged when a non-executing Process is deleted from the TCQ by user.
QC16726 CSPE007E, error=Lock Failed, when a submit within Process step is run on snode with local snode authority other than the Sterling Connect:Direct installer ID.
QC16794 If a wildcard copy step ends with an error condition code, subsequent successful wildcard copy steps will erroneously report step failure.
QC16797 Processes submitted from Sterling Connect:Direct Requester fail to retry connections specified in alt.comm.outbound.
QC16938 No statistic record logged when Secure+ is installed, and a Secure+ session attempt fails due to a Secure+ library load attempt failure.
QC17049 XXDR012I message referring to Key=SER generated for incoming connections from i5/OS.
QC17370 ndmsmgr executable may hang and burn CPU when non-Sterling Connect:Direct component (possibly a denial of service attack contrivance) sends a buffer to the server port attempting to emulate a Sterling Connect:Direct component.
QC17371 ndmumgr is vulnerable to a stack overflow exploit which could allow a non-root user root authority.
QC17372 ndmumgr can be exploited by a non root user to create a root owned file.
QC17439 tcp.max.time.to.wait parameter is not honored for initial connection attempt.
QC17694 XUPC035I and XUPC066I messages missing from msgfile.cfg.
QC17727 SPAdmin/SPCli execution fails with error opening audit log.
QC17761 XCPS009I error generated due to inappropriate record length check by Sterling Connect:Direct for UNIX when sending a file.
QC17763 Select statistics command specified with startt=(day of the week) fails with "XPAS009I - STARTT has a future date."
QC18309 If Sterling Connect:Direct File Agent 1.3 has been previously applied to a Sterling Connect:Direct for UNIX installation, a cdinstall operation in upgrade mode fails when upgrade attempted for File Agent.
QC18378 Trace cmgr command only affects ndmcmgr of client that issued the command and new ndmcmgrs started after the command is issued. Ndmcmgrs that are running at the time the command is issued are not affected.
QC18772 On some systems, such as RHEL 6, Sterling Connect:Direct API client connect fails with XAPI005I and XSEC015I. Server statistics show XIPT016I.
Special Considerations
This section contains considerations in addition to the procedures defined. Refer to the following notes before installing the product.
- Although Sterling Connect:Direct for UNIX Process names can be up to 255 characters long, some Sterling Connect:Direct platforms, such as Sterling Connect:Direct for z/OS, limit Process names to eight characters. Processes running between UNIX and platforms that limit Process names to eight characters can have unpredictable results if longer names are specified.
- If you install Sterling Connect:Direct for UNIX on an HP Integrity system, you cannot use the Sterling Connect:Direct Secure Plus parameter file generated on a PA-RISC computer. You must create a new parameter file.
- Defining SSL as the preferred protocol in Sterling Connect:Direct Secure Plus does not always result in the use of SSL as the handshake-verification method. If both nodes have the ability to use TLS for authentication, Sterling Connect:Direct Secure Plus determines the most secure handshake available to both nodes and uses the secure protocol. You can view the statistics record to determine which protocol was used to verify each node.
- The Sterling Connect:Direct Secure Plus initparms record and the user authority that have been added to Sterling Connect:Direct for UNIX version 4.1.00 support remote configuration of Sterling Connect:Direct Secure Plus. These configuration options are needed when using the Central Management feature available in Sterling Control Center 5.0 and later.
- If you are using a certificate that was created with an older version of Sterling Certificate Wizard, the certificate may contain a blank line between the "BEGIN" and "END" statements that define a private key. This version cannot process the blank line, resulting in an error. If a certificate generates an error, delete the blank line in the certificate.
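The blank-line condition described in the last item above can be detected and corrected on a copy of the key file with a short script. This is an added example, not IBM code: the function names and the sample file are constructed for illustration, and it assumes the key is delimited by standard PEM "BEGIN ... PRIVATE KEY" and "END ... PRIVATE KEY" lines.

```shell
#!/bin/sh
# Added example, not IBM code: find and remove blank lines inside the private
# key block of a PEM file. Function names and sample data are hypothetical.

# Print the number of blank (empty or whitespace-only) lines that fall between
# a "-----BEGIN ... PRIVATE KEY-----" line and the matching END line.
count_key_blank_lines() {
    awk '
        /^-----BEGIN .*PRIVATE KEY-----/ { inkey = 1; next }
        /^-----END .*PRIVATE KEY-----/   { inkey = 0; next }
        inkey && /^[ \t\r]*$/            { n++ }
        END                              { print n + 0 }
    ' "$1"
}

# Copy the file to stdout, dropping only the blank lines inside a private key
# block. Certificates and the blank lines between blocks pass through as-is.
strip_key_blank_lines() {
    awk '
        /^-----BEGIN .*PRIVATE KEY-----/ { inkey = 1 }
        /^-----END .*PRIVATE KEY-----/   { inkey = 0 }
        inkey && /^[ \t\r]*$/            { next }
                                         { print }
    ' "$1"
}

# fix_key_file SRC DST
# Writes a cleaned copy to DST (mode 0600) and leaves SRC untouched, so the
# original can be restored. Returns 0 if blank lines were removed, 1 if SRC
# was already clean (DST is not created), 2 on a usage or I/O error.
fix_key_file() {
    [ $# -eq 2 ] && [ -r "$1" ] && [ ! -e "$2" ] || return 2
    [ "$(count_key_blank_lines "$1")" -gt 0 ] || return 1
    ( umask 077 && strip_key_blank_lines "$1" > "$2" ) || return 2
    return 0
}

# Constructed sample: a certificate followed by a private key whose body
# contains one blank line. The base64-looking text is placeholder data.
make_sample_key_file() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUNFUlRJRklDQVRFLUJPRFk=
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtS0VZ

Tk9ULUEtUkVBTC1LRVktQ09OU1RSVUNURUQtU0FNUExF
-----END RSA PRIVATE KEY-----
EOF
}

# Demo: run the script with the single argument --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) || exit 2
    make_sample_key_file "$tmp/old.pem"
    echo "blank lines in key block before: $(count_key_blank_lines "$tmp/old.pem")"
    fix_key_file "$tmp/old.pem" "$tmp/new.pem"
    echo "blank lines in key block after:  $(count_key_blank_lines "$tmp/new.pem")"
    rm -rf "$tmp"
fi
```

Because fix_key_file refuses to overwrite an existing destination and writes the copy under umask 077, the cleaned key is never created with group or world access.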
For more information, see Determining When to Use UDT (Sterling File Accelerator) white paper available with the Sterling Connect:Direct for UNIX product documentation on the IBM Support portal.
Special Considerations for Using Sterling Connect:Direct for UNIX in FIPS 140-2 Mode
This version of Sterling Connect:Direct Secure Plus for UNIX offers a FIPS mode of operation. Refer to the following notes when configuring it:
The following cipher suites are supported in FIPS mode:
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
The following cipher suites are not supported in FIPS mode:
- SSL_RSA_WITH_RC4_128_SHA
- SSL_RSA_WITH_RC4_128_MD5
- SSL_RSA_EXPORT_WITH_RC4_40_MD5
- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
- SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
- SSL_RSA_WITH_NULL_SHA
- SSL_RSA_WITH_NULL_MD5
If you have private keys generated by Sterling Certificate Wizard version 1.2.03 or earlier, they are not encrypted with a FIPS-approved algorithm. Use the OpenSSL utility provided with Sterling Connect:Direct for UNIX to convert existing private keys to FIPS-approved keys. This utility is located in the <d_dir>/ndm/bin directory. For more information on converting keys, see the Sterling Connect:Direct Secure Plus Implementation Guide.
Special Considerations for Connectivity with the HP NonStop Kernel Operating System
This version of Sterling Connect:Direct for UNIX offers connectivity to Sterling Connect:Direct for HP NonStop Kernel version 3.2.00 or later using TCP/IP. Refer to the following notes when transferring files from the UNIX operating system to the HP NonStop Kernel operating system:
- Do not define the sysopts parameter with continuation marks. Type the text in a continuous string, with blanks separating each subparameter. The sysopts parameter is valid for the copy statement.
- When copying files from the UNIX operating system to the HP NonStop Kernel operating system, define the dcb parameter to allocate destination files. Define any additional options using the sysopts parameter. The dcb and sysopts parameters are valid for the copy statement. Use of the dcb parameter ensures that the attributes of the file being sent match the attributes of the file that is created on the remote node. If you do not define the dcb parameter, the default file types on the destination node are as follows:
  - If you are transferring a text file, the file type on the HP NonStop Kernel node defaults to an unstructured file, code 101.
  - If you are transferring a binary file, the file type on the HP NonStop Kernel node defaults to an unstructured file, code 0.
- When copying files from the HP NonStop Kernel operating system to the UNIX operating system, define the sysopts parameter to allocate destination files.
For syntax and parameter descriptions for Process statements, see the Sterling Connect:Direct Processes Web site.
Known Restrictions
Sterling Connect:Direct for UNIX has the following restrictions when using third-party hardware or software:
- UDT
  - Under conditions of high CPU usage, a Sterling Connect:Direct Process running over UDT may be interrupted by a lost connection. If the connection is lost, the Process is retried. The frequency of connections lost due to high CPU usage can be reduced by restricting the number of concurrent UDT sessions through netmap session limits.
  - All UDT SNODE connections must be defined in your netmap so that the node name can be used to specify the SNODE in a Process statement. You cannot use an IP address and port number to specify the SNODE in a Process statement if you want to connect to a remote node using UDT.
  - UDT is not supported in a load balancing environment.
- If you are using the file allocation retry function when communicating with a remote node on an operating system that is not UNIX, identify operating system retry codes using formats and code values defined by the remote node.
- A copy operation from Sterling Connect:Direct for UNIX to Sterling Connect:Direct for z/OS completes successfully, but generates an SNA error in the iSeries log.
- If you use the Hummingbird Exceed terminal emulator to access a Solaris workstation, you may not have all of the fonts needed to use Sterling Connect:Direct Secure Plus. Add the following command to the spadmin.sh file:
    xset fp default
  This command maps all unknown fonts to a default value and prevents Sterling Connect:Direct from performing a core dump if it is unable to locate a font.
- Sterling Connect:Direct Secure Plus is administered through Java and a graphical user interface (GUI). The standard UNIX telnet server does not support a GUI client session. To use the UNIX GUI you must be connected to the UNIX server via an X Windows client session, such as xterm. If you are connected to the UNIX server using a telnet session, you will not be able to run the GUI sessions required to install and administer Sterling Connect:Direct. If you do not have access to X Windows, you can use the Sterling Connect:Direct Secure Plus Command Line Interface (Secure+ CLI).
- Sterling Connect:Direct Secure Plus does not support server gated crypto (SGC) certificates.
- The Secure+ CLI does not support using $HOME or the tilde (~) to specify the path to your home directory.
- Sterling Connect:Direct Secure Plus supports FIPS mode on the following platforms:
  - Sun Solaris 10 (SPARC)
  - IBM AIX 5L 5.3
  - HP-UX 11iv2 (HP Integrity)
  - HP-UX 11iv2 (PA_RISC)
- When using the Secure+ CLI on the Solaris platform, command entries may be limited by the buffer size. To resolve this limitation, add line breaks to a command entry. For example, enter the following command with line breaks:
• On the HP-UX, IBM System pSeries, and Linux platforms, when a run task defines an invalid UNIX command, the operating system return code is 127 and the completion code (CCOD) reported by Sterling Connect:Direct for UNIX is displayed in hexadecimal (7F) in the statistics output. This return code is correct for the error received, even though most return codes are defined as 0, 4, 8, or 16. If the return code value of 127 is the highest step return code, the Process End (PRED) statistics record message ID is set to the Message ID of the run task step. On other platforms, the run task return code is 1, resulting in the message ID of XSMG252I in the PRED statistics record.
• Sterling Connect:Direct Browser User Interface is not supported running on HP Integrity systems with Intel Itanium processors.
• Installation on Linux platforms displays the following message:
awk: cmd. line:6: warning: escape sequence `\.' treated as plain `.'
This is a known issue with InstallAnywhere and does not affect installation or functionality of Sterling Connect:Direct File Agent on Linux.
Upgrade Considerations
If you are upgrading from an existing version of Sterling Connect:Direct for UNIX, observe the following guidelines:
• SNMP is no longer supported. If you are using SNMP and upgrade to this version, other functionality will not be negatively impacted. However, you will no longer receive SNMP messages.
• Change the ownership on the statistics files in your work directory so that these files are owned by the user who starts the cdpmgr daemon. Use the following command sequence to change the ownership of the statistics files:
$ su root
Password: root_password
# cd cddir/work/node
# chown user_who_starts_cdpmgr S*.???
The following variable definitions apply:
root_password - Root user's password
cddir - Directory in which Sterling Connect:Direct for UNIX is installed
node - Your Sterling Connect:Direct node name
user_who_starts_cdpmgr - User name of the user who will start the cdpmgr daemon
• If you are upgrading to Sterling Connect:Direct for UNIX from version 3.6, 3.7, or 3.8, you must replace the TCQ file with a file in the new format. The upgrade process automatically converts the existing TCQ file to the new format and preserves existing TCQ information. The program to convert the existing TCQ file is included on the installation media. This program, tcq_convert, is extracted to the d_dir/etc/ directory, where d_dir is the directory where Sterling Connect:Direct for UNIX is installed, and runs automatically during the installation. If the Process information cannot be converted, the program will display an error and provide instructions to correct the problem. You can also run this program manually from the system prompt, as described in the sections that follow. Assuming that the d_dir/etc/ directory is in your path, the format for the tcq_convert program follows:
tcq_convert input_filename output_filename
Provide the following required parameters:
input_filename - TCQ file in the format from a previous version of Sterling Connect:Direct for UNIX
output_filename - TCQ file in the format for Sterling Connect:Direct for UNIX version 4.1.00
• If you are upgrading a collection of Sterling Connect:Direct for UNIX nodes in a load-balancing environment, stop all of the nodes before you begin the upgrade. You can restart the nodes after they have been upgraded.
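A check for the statistics-file ownership step above, as an added example that is not part of the IBM release notes: it reports files matching S*.??? in the work directory that are not owned by the user who starts cdpmgr, so the chown can be verified before the daemon is restarted. The function name check_stats_owner and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM code): verify ownership of the statistics files
# matched by S*.??? in cddir/work/node.
#
# Usage: check_stats_owner WORK_NODE_DIR USER_OR_UID
#   Prints "uid<TAB>path" for every statistics file not owned by the
#   expected user. Returns 0 if all match, 1 on any mismatch,
#   2 on a missing directory or unknown user.
check_stats_owner() {
    dir=$1
    expected=$2
    [ -n "$dir" ] && [ -n "$expected" ] || return 2
    [ -d "$dir" ] || return 2

    # Accept a numeric UID as-is; resolve a user name through id(1).
    case $expected in
        *[!0-9]*) want=$(id -u "$expected" 2>/dev/null) || return 2 ;;
        *)        want=$expected ;;
    esac

    mismatch=0
    for f in "$dir"/S*.???; do
        # An unmatched glob stays literal, so skip names that do not exist.
        [ -e "$f" ] || continue
        # ls -n prints the numeric owner in column 3, avoiding truncated names.
        uid=$(ls -ldn "$f" | awk '{print $3}')
        if [ "$uid" != "$want" ]; then
            printf '%s\t%s\n' "$uid" "$f"
            mismatch=1
        fi
    done
    return "$mismatch"
}
```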
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: Intellectual Property Licensing Legal and Intellectual Property Law IBM Japan Ltd. 19-21, Nihonbashi-Hakozakicho, Chuo-ku Tokyo 103-8510, Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. 
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation J46A/G4 555 Bailey Avenue San Jose, CA 95141-1003 U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us. Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment. 
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to change before the products described become available. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs. Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows: IBM 2013. Portions of this code are derived from IBM Corp. Sample Programs. Copyright IBM Corp. 2013. If you are viewing this information softcopy, the photographs and color illustrations may not appear.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at http://www.ibm.com/legal/copytrade.shtml. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Linear Tape-Open, LTO, the LTO Logo, Ultrium and the Ultrium Logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries. Connect Control Center, Connect:Direct, Connect:Enterprise, Gentran, Gentran:Basic, Gentran:Control, Gentran:Director, Gentran:Plus, Gentran:Realtime, Gentran:Server, Gentran:Viewpoint, Sterling Commerce, Sterling Information Broker, and Sterling Integrator are trademarks or registered trademarks of Sterling Commerce, Inc., an IBM Company. Other company, product, and service names may be trademarks or service marks of others.
Printed in USA