
Symantec™ Product Authentication Service Release Notes

Linux, Microsoft Windows, and UNIX

5.0

Symantec Product Authentication Service Release Notes

Copyright © 2008 Symantec Corporation. All rights reserved.

Doc Version: 4.1

Symantec, the Symantec logo, Symantec Product Authentication Service are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THIS DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID, SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be “commercial computer software” and “commercial computer software documentation” as defined in FAR Sections 12.212 and DFARS Section 227.7202.

Symantec Corporation

20330 Stevens Creek Blvd.

Cupertino, CA 95014

www.symantec.com

Printed in the United States of America.

Third-party legal notices

Third-party software may be recommended, distributed, embedded, or bundled with this Symantec product. Such third-party software is licensed separately by its copyright holder. All third-party copyrights associated with this product are listed in the accompanying release notes.

AIX is a registered trademark of IBM Corporation.

HP-UX is a registered trademark of Hewlett-Packard Development Company, L.P.

Linux is a registered trademark of Linus Torvalds.

Solaris is a trademark of Sun Microsystems, Inc.

Windows is a registered trademark of Microsoft Corporation.

Technical support

For technical assistance, visit http://support.veritas.com (rather than http://support/symantec.com) and select phone or email support. Use the Knowledge Base search feature to access resources such as TechNotes, product alerts, software downloads, hardware compatibility lists, and our customer email notification service.

Contents

Release Notes

Chapter 1 Release notes

Installation notes
  Supported platforms
  Other supports
  No longer supported
  Required patches and service packs
    Patches that are required for HP 11.xx
    TOUR package required for HP11i
    Required Solaris patches
    Required AIX patches
    Required Windows service packs
  Additional requirements
    Recommended memory
    Additional requirement for Linux RedHat 5.0
    Additional requirement for SunOS 5.8
    Additional requirement for HP Tru64
    C++ runtime requirement for AIX 5.x
  Requirement for upgrade on Linux
  Authentication broker dependency on PBX
  Requirement before upgrading
  Solaris zone support
Known Issues
  Requirement to set LD_PRELOAD (1005736)
    Workaround
  UUID support for Guest OS on Xen is not supported (1157449)
  AT configuration data is not copied to the passive nodes on HACMP (1156854)
  vssat pullbrokerattribs command fails on HP-UX (1142196)
    Workaround
  vssat pushbrokerattribs command fails (1044022)
    Workaround
  Password is exposed in logs when package is executed (1016853)
    Workaround
  A failover of AT on VCS Windows might hang (1160154)
    Workaround
  vssat pullbrokerattribs is not getting the trusted credentials (1160143)
  Authentication of localhost for homeless user with user name and password fails (1151462)
    Workaround
  Configuration fails when password is required to communicate with remote root broker through rsh (1153161)
    Workaround
  vrtsAtWebCredentialVerify fails (1237514)
  vssat validateprpl crashes (1232434)
  On Native Chinese Windows 2008 with doublebyte username, vrtsAtInit is failing (1237918)
  LDAP authentication for duplicate user entries across LDAP subdomains (1368778)
  SSLv2 not working properly with AT (1655849)
  CLIs do not work when x86_64 Client is uninstalled after upgrading to AT 5.0 (1735165)
  VxATD process does not come up during minor upgrades (1741043)
  listpd and showpd CLIs show updated hostname in output (1745453)
  Timing issue during “shutdown -i6 -g0 -y” (1786889)
Available documentation
Documentation addenda and corrections
  Correction of syntax given for setloglevel command
  Simplified restore method
  Change in AT upgrade and uninstall procedures on non-secure clusters

Chapter 1 Release notes

These Release Notes for Symantec Product Authentication Service (AT) pertain to the following:

Build 5.0.x for the EAT client

Build 5.0.x for the broker

They contain the following sections:

“Installation notes”

“Known Issues”

“Available documentation”

“Documentation addenda and corrections”

Installation notes

This topic describes supported platforms and system requirements for running Symantec Product Authentication Service.

Supported platforms

Table 1-1 shows a list of supported platforms:

Table 1-1 Supported Platforms

Platforms: OS architecture (os version)    Components: Supported Broker type    Components: Supported Clients
AIX Power PC “RISC” (5.1, 5.2, 5.3, 5.4), 6.1    RISC    RISC
AIX Power PC 64bit “RISC64” (5.1, 5.2, 5.3, 5.4), 6.1    RISC    RISC, RISC-64
Free BSD x86 (5.3)    x86
HP-UX Itanium 64bit “ia64” (11.23, 11.31)    pa32    pa32, pa64, ia64, ia32 (32bit build for Itanium)
HP-UX PA-RISC 32bit “pa32” (11.11, 11.23, 11.31)    pa32    pa32
HP-UX PA-RISC 64bit “pa64” (11.11, 11.23, 11.31)    pa32    pa32, pa64
Irix mips 32 bit (7.3)    mips
Irix mips 64 bit (7.3)    mips, mips64
Linux Power pc 32 bit “ppc” (SuSe 9, 10 & RH EL 4.0, 5.0)    ppc    ppc
Linux Power pc 64 bit “ppc64” (SuSe 9, 10 & RH EL 4.0, 5.0)    ppc    ppc, ppc64
Linux x86 (AS 3.0)    x86
Linux x86 (SuSe 9, 10 & RH EL 4.0, 5.0)    x86    x86
Linux x86_64 (SuSe 9, 10 & RH EL 4.0, 5.0)    x86_64    x86 & x86_64
Linux ia64 (SuSe 9, 10 & RH EL 4.0, 5.0)    ia64    ia64
Mac Power PC “ppc” (10.3)    ppc
Solaris sparc (5.8, 5.9, 5.10)    sparc    sparc
Solaris sparc v9 (5.8, 5.9, 5.10)    sparc    sparc, sparc v9
Solaris x86 (5.8, 5.9, 5.10)    x86    x86
Solaris x86_64 (5.10)    x86    x86, x86_64
Tru64 alpha (5.1, 5.2)    alpha    alpha
Windows x86 (2000, 2003, sp, vista)    x86    x86
Windows ia64 (2003)    x86    x86, ia64
Windows x86_64 (2003)    x86    x86, x86_64

Other supports

AT also supports Sun JRE 1.6 from build 5.0.27.0 onwards.

No longer supported

The following platforms are no longer supported in this release or in later versions:

Solaris 7 on sparc & sparc-v9

AIX 4.3 on Power PC (32-bit & 64-bit)

Linux AS 2.1 and 3.0 on x86, x86_64 & IA-64

HP-UX 11.0 on PA-RISC (32-bit)

FreeBSD 4.9 on x86

Service pack 2 for Windows 2000

HP 11.00 in AT 5.0.

Required patches and service packs

Patches that are required for HP 11.xx

Table 1-2, “Patches for HP 11.xx” lists patches for HP 11.xx.

Table 1-2 Patches for HP 11.xx

Patch ID    Patch Description
PHSS_26560    1.0 ld(1) and linker tools
PHSS_26946    1.0 ld(1) HO aC++ run-time libraries a3.37
PHSS_27740    libc cumulative patch

TOUR package required for HP11i

TOUR package is needed on HP 11i to support IPv6 functionality. It can be obtained from https://h20293.www2.hp.com/portal/swdepot/try.do?productNumber=TOUR

Required Solaris patches

On Solaris x86, users must install the latest GSS-API patches in order for GSS-API to work. These include the following:

Solaris 8 SPARC 108434-17, 108435-17 109147-07

Solaris 8 x86 108436-15

Solaris x82 patch 108436-15 or higher

Solaris 9 SPARC 111711-11, 111712-11

Solaris 9 x86 111713-08

Required AIX patches

The following patches are required for AIX.

Table 1-3 Required AIX patches

Package Level    Shipped    Resolved Fix Package Level    Resolved    APAR
6100 TL2 SP3    6100-02-03-0909    NA    NA    IZ52720
6100 TL1 SP4    6100-01-04-0909    NA    NA    IZ52975
6100 TL0 SP8    6100-00-08-0909    NA    NA    IZ52988
5300 TL9 SP3    5300-09-03-0918    5300 TL9 SP4    5300-09-04-0920    IZ52719
5300 TL8 SP6    5300-08-06-0918    5300 TL8 SP7    5300-08-07-0920    IZ52585
5300 TL7 SP8    5300-07-08-0918    5300 TL7 SP9    5300-07-09-0920    IZ52906
5300 TL6 SP11    5300-06-11-0918    5300 TL6 SP12    5300-06-12-0920    IZ52944

These packages are required because vxatd crashes after a couple of unixpwd authentications on AIX 5.3 and 6.1.

This is due to the “IZ52585: GETGRENT_R ROUTINE CAUSES HEAP CORRUPTION” bug in AIX. See http://www-01.ibm.com/support/docview.wss?uid=isg1IZ52585

This is a regression that was introduced by the fix for “IZ17022: GETGRENT FAILING WHEN /ETC/GROUP HAS LARGE NUMBER OF USERS”. See http://www-01.ibm.com/support/docview.wss?uid=isg1IZ17022

For information about the affected AIX versions, see http://www-01.ibm.com/support/docview.wss?uid=isg1fixinfo110313

Note: After applying the patch, reboot the machine or else the fix does not work.

Required Windows service packs

The following service packs are required for successful installation of AT on the Windows platform:

AT no longer supports service pack 2 for Windows 2000

For Windows 64 bit machines, you should have Service Pack 1

Additional requirements

Recommended memory

We recommend 100MB disk space.

We recommend 256MB memory.

Additional requirement for Linux RedHat 5.0

AT requires the standard C++ version 5.0. You must install the following C++ compat library rpm before installing the AT rpms:

compat-libstdc++-33-3.2.3-61.i386.rpm

You can obtain the compat libraries from the following URL:

http://rpmfind.net/linux/RPM/System_Environment_Libraries.html

Additional requirement for SunOS 5.8

For SunOS 5.8, you should install patch 108820-03.

Additional requirement for HP Tru64

CXX 7.1 runtime libraries must be installed on the HP Tru64 UNIX host. To download these libraries, copy and paste the following link into a web browser:

ftp://ftp.compaq.com/pub/products/C-CXX/tru64/cxx/CXXREDIST710.tar

C++ runtime requirement for AIX 5.x

On all AIX 5.x versions, the required C++ runtime is 8.0 and above. To download this patch, use the following URL:

http://www-1.ibm.com/support/docview.wss?uid=swg24015076

Requirement for upgrade on Linux

On Linux, pass the following parameters when you upgrade:

rpm -U --nopreun <RPM_NAME>

Authentication broker dependency on PBX

The AT 5.0 authentication broker can operate with any version of PBX. There are no specific version dependencies.

The authentication broker can operate behind a PBX service when the host is behind a firewall. This is also required to enable the broker's remote administration capabilities. The authentication broker automatically hooks up with the PBX service if PBX is up and running at broker installation time. It can also be hooked up with PBX manually by using the vssat setispbxexchflag CLI.

Requirement before upgrading

Note: Before you perform an upgrade of AT or AZ, shut down local Symantec applications that are using AT or AZ services. Otherwise, the upgrade process imposes a short outage that could impact the applications that need those services.

Solaris zone support

AT 5.0 packages may be installed to both global and local zones on Solaris. Previous restrictions in AT 4.x limiting installation to only global zones do not apply in AT 5.0.

If a broker is installed on a global zone, it may not be started or stopped from a local zone. The service requires writing to a file system that cannot be modified from local zones. If a broker is installed in the global zone, local zones should only access it over the wire.

AT packages contain the following package parameters:

SUNW_PKG_ALLZONES=false

SUNW_PKG_THISZONE=true

SUNW_PKG_HOLLOW=false

Known Issues

This section explains the issues that remain in this release of the Symantec Product Authentication Service.

Requirement to set LD_PRELOAD (1005736)

On Red Hat Linux running on an Itanium 64-bit processor, when we try to create the JVM in the parent process after the memory-mapping and before the fork, we get signal 11 errors because apparently there is not enough memory for the JVM to start.

Workaround

If a Java application uses our APIs, you must set LD_PRELOAD in order for the application to work. If, for example, AT is installed in /opt/VRTSat, then do as follows:

export LD_PRELOAD=/opt/VRTSat/lib/libvrtsat_t.so

Then run the Java application. For example:

java TestDriver

UUID support for Guest OS on Xen is not supported (1157449)

UUID support for Guest OS on Xen is not supported in this release of AT.

AT configuration data is not copied to the passive nodes on HACMP (1156854)

The cluster configuration script hacmp_at_config is not copying the data in the VRTSatlocal.conf file to the passive nodes on HACMP clusters.

vssat pullbrokerattribs command fails on HP-UX (1142196)

The vssat pullbrokerattribs -b FullyQualifiedHostName:2821 command fails to run on HP-UX.

Workaround

Use the existing AT CLIs to manually add the Domain-Broker maps of the remote host.

vssat pushbrokerattribs command fails (1044022)

The vssat pushbrokerattribs -b HostName:2821 command fails to run on the root broker machine.

Workaround

The automatic pull and push of broker attributes works. You can also use the AT CLIs to do the same.

Password is exposed in logs when package is executed (1016853)

When configuring a broker in authentication broker only mode using execpkg, the password that is being supplied is shown on the console when Debug logs are enabled. This happens even if the package supplied is obfuscated.

Workaround

To work around this problem, do one of the following:

Disable debug logs before you run the execpkg command

Delete the log file after you run the execpkg command
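
To confirm that no log still holds the password after execpkg has run, the following added example (not Symantec code) scans log files for it and reports only the file and line number, and can overwrite the password in place where a log has to be kept rather than deleted. The password file, the log paths and the sample log lines are assumptions constructed for the example; these release notes do not name the log file or its format.

```shell
#!/bin/sh
# Added example, not Symantec code. The password file and the log paths are
# assumptions supplied by the operator; the sample log lines are constructed.

# _read_secret FILE: load the first line of FILE into $_secret.
# Reading it from a file keeps the password out of argv, where ps would show it.
_read_secret() {
    _secret=
    IFS= read -r _secret < "$1" || :   # read fails at EOF without newline; value is still set
    [ -n "$_secret" ] || return 2
}

# scan_logs SECRET_FILE LOG...
# Prints "path:line" for each line that contains the password, never the
# password or the matching text. Returns 0 if clean, 1 if found, 2 on bad input.
scan_logs() {
    _read_secret "$1" || return 2
    shift
    _found=0
    for _log in "$@"; do
        [ -f "$_log" ] && [ -r "$_log" ] || continue
        # printf is a shell builtin here, so the password is piped, not exec'ed.
        # -F matches it literally; -f - reads the pattern from stdin.
        _hits=$(printf '%s\n' "$_secret" | grep -F -n -f - -- "$_log" | cut -d: -f1)
        for _n in $_hits; do
            printf '%s:%s\n' "$_log" "$_n"
            _found=1
        done
    done
    unset _secret
    [ "$_found" -eq 0 ]
}

# redact_log SECRET_FILE LOG
# Replaces every occurrence of the password in LOG with [REDACTED]. The result
# is written back with cat so the log keeps its inode, owner and mode.
redact_log() {
    _read_secret "$1" || return 2
    _log=$2
    [ -f "$_log" ] && [ -w "$_log" ] || { unset _secret; return 2; }
    case $_log in /*) ;; *) _log=./$_log ;; esac    # stop awk reading it as var=value
    _tmp=$(mktemp) || { unset _secret; return 1; }  # mktemp creates the file mode 0600
    if printf '%s\n' "$_secret" | awk -v marker='[REDACTED]' '
            NR == 1 { secret = $0; next }           # first record is the password (stdin)
            {
                line = $0; out = ""
                while ((i = index(line, secret)) > 0) {
                    out = out substr(line, 1, i - 1) marker
                    line = substr(line, i + length(secret))
                }
                print out line
            }' - "$_log" > "$_tmp" && cat "$_tmp" > "$_log"
    then _rc=0; else _rc=1; fi
    rm -f "$_tmp"; unset _secret
    return "$_rc"
}

# demo: run both functions on a constructed debug log.
demo() {
    _dir=$(mktemp -d) || return 1
    printf '%s\n' 'Constructed-Passw0rd' > "$_dir/secret"
    cat > "$_dir/debug.log" <<'EOF'
[constructed] 10:00:01 DEBUG execpkg: loading package
[constructed] 10:00:02 DEBUG execpkg: password=Constructed-Passw0rd
[constructed] 10:00:03 INFO  broker configured
EOF
    scan_logs "$_dir/secret" "$_dir/debug.log" || echo "password present in the lines listed above"
    redact_log "$_dir/secret" "$_dir/debug.log"
    scan_logs "$_dir/secret" "$_dir/debug.log" && echo "log is clean after redaction"
    rm -rf "$_dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument demo to see the constructed case; in use, put the password in a mode 0600 file and remove that file afterwards.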

A failover of AT on VCS Windows might hang (1160154)

When AT is made highly available, a shared directory is created on all of the cluster nodes. As the AT service runs on all the nodes, in case of VCS 4.1, any command that is run on a passive node creates lock files in the shared directory. After these lock files are created, when a failover to another node occurs, the failover hangs because the lock files cause the mount of the shared directory to fail.

Workaround

To work around this problem

1 Delete the lock files from the shared directory.

2 Manually perform the failover.

vssat pullbrokerattribs is not getting the trusted credentials (1160143)

The vssat pullbrokerattribs command is not getting the trusted credentials from the root broker.

Workaround

Use vssat setuptrust CLI.

Authentication of localhost for homeless user with user name and password fails (1151462)

The vssat authenticate command fails to authenticate localhost with a user name and password for a homeless user.

Workaround

Use the following command to acquire the localhost credential without a user name and password:

vssat --domain localhost

Configuration fails when password is required to communicate with remote root broker through rsh (1153161)

When configuring AT to use a remote root broker, the vssat command will fail if a password is required to communicate with the remote root broker through rsh.

Workaround

Reconfigure rsh/ssh to not require a password.

vrtsAtWebCredentialVerify fails (1237514)

vrtsAtWebCredentialVerify fails if the "Not Before" property of the credential is before the current time/date.

Workaround

Correct the system clock on both the client and the broker hosts. They should be in sync.

vssat validateprpl crashes (1232434)

vssat validateprpl crashes when wildcard characters are passed as the user name for an LDAP domain.

Workaround

Use the complete user name and domain name. Wildcard characters are not supported in the CLIs.

On Native Chinese Windows 2008 with doublebyte username, vrtsAtInit is failing (1237918)

vrtsAtInit is failing on native Chinese Windows 2008 with doublebyte username.

Workaround

Do not use non-ASCII characters in user names (Windows users) and ensure that there are no non-ASCII characters in the current user's appdata path.

LDAP authentication for duplicate user entries across LDAP subdomains (1368778)

When the same user entry exists under both a domain and a subdomain in LDAP, the user is authenticated using the top-level domain entry, which is configured with the LDAP domain. For example, if user “Harry” exists in the “testdomain.com” and “my.testdomain.com” domains, and the LDAP domain in AT is configured with userBaseDN as “testdomain.com”, user “Harry” is authenticated from “testdomain.com”. If user “Tom” exists in “my1.testdomain.com” and “my2.testdomain.com” but does not exist in “testdomain.com”, authentication fails because “testdomain.com” is the userBaseDN configured in AT, where user “Tom” does not exist.

Configure a separate domain for each of “my1.testdomain.com” and “my2.testdomain.com” with the respective userBaseDN to authenticate user Tom in the respective domains.

SSLv2 not working properly with AT (1655849)

This is a Windows-specific issue, where SSLv2 is not working with EAT.

CLIs do not work when x86_64 Client is uninstalled after upgrading to AT 5.0 (1735165)

When AT is upgraded to 5.0 and the AT 4.3 x86_64 Client is uninstalled, the AT CLIs do not work.

VxATD process does not come up during minor upgrades (1741043)

VxATD process does not come up during minor upgrades.

Workaround

Get the process up manually by running the following script:

/opt/vrtsat/bin/vxatd

listpd and showpd CLIs show updated hostname in output (1745453)

After configuring AT 5.0.31.0 in basic mode, the listpd and showpd CLIs show the updated host name, instead of showing the actual root or auth broker tag in the output.

Timing issue during “shutdown -i6 -g0 -y” (1786889)

This issue is specific to Oakmont:VxAT5.0.31.

Due to a timing issue during “shutdown -i6 -g0 -y”, VCS reports the following VxAT error in the /var/adm/messages and /var/VRTSvcs/log/engine_A.log files, and the VxSS service group becomes faulted.

============================================================

VCS ERROR V-16-1-13067 (host_name) Agent is calling clean for resource (vxatd) because the resource became OFFLINE unexpectedly, on its own.

VxSS State s245sf2 |OFFLINE|FAULTED|

VxSS State s245sf3 |ONLINE|

============================================================

This error message can be safely ignored, and it will be addressed in the next VxAT patch release.

Available documentation

The Symantec Product Authentication Service Administrator’s Guide provides information on how to administer the AT. This document is included with your Symantec product documentation.

Documentation addenda and corrections

This section is intended to hold corrections and addenda to documents that were already frozen when the product release was made.

Correction of syntax given for setloglevel command

The -b broker parameter that is given for the setloglevel CLI command is not yet supported.

Proper usage for the command is as follows:

vssat setloglevel -l <0|1|2|3|4> [ -f <filename>]

Simplified restore method

The method for restoring broker data is now simpler than that which is detailed in the “Backup, Restore, and Other Tasks” chapter in the Administrator’s Guide.

The vssat restorebroker command restores the broker from the archived snapshot directory, assuming that it contains the good configuration that was last backed up by running vssat showbackuplist. The CLI checks whether the snapshot directory is present. If it is present, vssat restorebroker restores it back to the original position.

To restore the broker's data

1 Shut down the broker by running the following command:

On Windows: net stop vrtsat

On UNIX: pkill vxatd

If pkill is not supported, run the following command without line breaks:

ps -fe | grep vxatd | grep -v grep | awk '{print $2}' | xargs kill -9

2 Navigate to where the vssat CLI commands reside.

3 Run the following command, without line breaks:

vssat restorebroker [-a <complete path>] [-s]

Acceptable arguments are the following:

-a Complete Path    The complete path of the archived material. If you use this option, the command ignores the location in the VRTSatlocal.conf file. For example: vssat restorebroker -archivedloc /var/VRTSatSnapShotDirectory

-s    Runs the command silently, without any prompt for restore. Default location is picked up from the VRTSatlocal.conf file. For example: vssat restorebroker -s

4 Start the broker by running the following command:

On Windows: net start vrtsat

On UNIX: vxatd -<option>

Change in AT upgrade and uninstall procedures on non-secure clusters

When you upgrade or uninstall the AT on a non-secure cluster, you must first offline the AT service group before you perform the upgrade or uninstall the AT. In the case of an upgrade, after the upgrade is complete, you must online the AT service group.

To offline the AT service group before an AT upgrade or uninstallation, use the commands shown in Table 1-4 for your cluster platform.

Table 1-4 Commands to offline the AT service group

Cluster platform    Command to offline the AT service group
VCS (non-secure)    hagrp -offline vxss_service -sys <Node name>
VCS (secure)    hagrp -offline VxSS -sys <Node name>
VCS (secure)    hagrp -offline vxss_service -sys <Node name>
MCSG (HP-SG)    cmhaltpkg -v -n <Node Name> vxsspackage
Tru Cluster    caa_stop VRTSat
Sun Cluster    scswitch -F -g vxss_resources
HACMP    /usr/es/sbin/cluster/utilities/clRGmove -s 'false' -d -i -g vxss_service -n <Node Name>
MSCS    cluster . group VxSS-ClusterGroup /OFFLINE /WAIT:50

To online the AT service group after an upgrade, use the commands shown in Table 1-5 for your cluster platform.

Table 1-5 Commands to online the AT service group

Cluster platform    Command to online the AT service group
VCS (non-secure)    hagrp -online vxss_service -sys <Node name>
VCS (secure)    hagrp -online VxSS -sys <Node name>
VCS (secure)    hagrp -online vxss_service -sys <Node name>
MCSG (HP-SG)    cmrunpkg -v -n <Node Name> vxsspackage
Tru Cluster    caa_start VRTSat
Sun Cluster    scswitch -R -g vxss_resources -h <Node Name>
HACMP    /usr/es/sbin/cluster/utilities/clRGmove -s 'false' -u -i -g vxss_service -n <Node Name>
MSCS    cluster . group VxSS-ClusterGroup /ONLINE /WAIT:50

Refer to the installation documentation for the remaining steps that you must perform to upgrade or uninstall the AT.