HP Tru64 UNIX Version 5.1B and higher
Copyright © 2007 Hewlett-Packard Development Company, L.P.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
October 2007
These release notes describe potential, known, or unresolved problems, and suggest corrective action (when available).
This section contains release notes pertaining to installation of Internet Express.
Selective updating of a previous installation of Internet Express is supported; that is, you may choose to update some subsets but not others. The Administration Utility (IAEADM subset) can be updated, and the administration pages of older components will still work (although help links may not). However, if you update any component with administration pages, you must also update the IAEADM subset, or it will not be able to use the newer administration pages.
If you have Enhanced (C2) Security enabled, you must log in as root before running the installation. Using the su root command is not sufficient. If you run the installation script (ix_install), it will check for this, but if you install subsets directly with the setld command, some subset installations will fail with C2 enabled unless you log in as root.
The ix_install script, as well as the IAEADM (Administration utility), IAEAPCH (Secure Web Server 1.3), IAEHTTPD (Secure Web Server 2.0), and IAESQD (Squid Proxy Server) subsets will check for the presence of user accounts named iass and httpd and, if they do not exist, they will be created with home directories in /usr/users/. If /usr/users is NFS mounted and not writeable by root, this will fail and cause the installation to fail.
To avoid this problem make sure that /usr/users is writeable by root before beginning the installation. If this is not practical, you could create the user accounts named iass and httpd before starting the installation and then there should be no need to write into /usr/users.
On a TruCluster Server running Tru64 UNIX Version 5.1B, during the installation of any subset that configures its service for failover, you may see error messages similar to this:
Configuring "Samba 2.2.5 File and Print Server for Windows" (IAESMB593) on member2
REBALANCE entry(ies) will be removed from clustercron
Error when calling system(/var/cluster/caa/bin/caa_schedule UNREGISTER samba)
The service should still be correctly configured and these messages can be safely ignored.
If you choose to install the Internet Express Secure Web Server (IAEAPCH subset) by installing the latest version, and if you had installed any of the following dependent subsets from a previous version of Internet Express, you must also update those dependent subsets. The dependent subsets are:
IAEADM - Internet Express Administration Utility
IAEAPAD - Secure Web Server Administration Utility
IAEMON - Internet Monitor
IAEIMP - IMP WebMail Email Utility
IAESOAP - Apache SOAP Server
The internal data storage format changed starting with the version of PostgreSQL that was included with Internet Express Version 6.1. This change requires existing databases to be backed up before removing an existing installation and restored after the new installation is completed.
The installation procedure will detect if you have an IAEPSQL subset from an earlier version of Internet Express installed and will back up and restore your data automatically while upgrading PostgreSQL. The migration of data provided by PostgreSQL does not handle partial indices or large objects. This data will need to be migrated manually.
After the upgrade from Internet Express Version 6.5 or 6.6 is complete, you must verify that your databases have been migrated successfully. A copy of the previous pgsql/data directory is located at /usr/internet/pgsql/data.preIAE6xx, and the output of the database dump performed during the update is saved at /usr/internet/pgsql/dumpout.IAExxx.restored. Once you have verified your new databases, these files may be removed.
If you delete your previous installation separately (not recommended), you need to manually back up and restore your data.
For more information, see the PostgreSQL documentation at the following Web site:
The Dante SOCKS server will not start until you specify the internal and external addresses to use in the /etc/sockd.conf file. Look for and uncomment the lines like these:
#internal: 10.1.1.1 port = 1080
#external: 192.168.1.1
Change the addresses to the actual IP addresses of your system's network interfaces. To be able to use the SOCKS server, you will also need to specify valid information for the “method,” “client pass,” and “pass” fields in /etc/sockd.conf. See the sockd(8) reference page.
If you have configured an IPv6 subnet using only link-local addresses for host names, TCP Wrapper will not deny client access from IPv6 host names specified in the /etc/hosts.allow file unless the host name includes the interface extension for the local link. For example, to deny all telnet connections to telnetd from IPv6 host myhost.mydomain.com configured on interface tu0, you must enter the following in /etc/hosts.allow:
telnetd:myhost.mydomain.com%tu0:DENY
The Vacation Mail feature available to users via the User Self-Administration interface does not work for Cyrus IMAP users. This is because Cyrus IMAP does not currently support the use of Procmail as a delivery agent. Users attempting to enable this feature will find their settings ignored, and that no auto-reply messages will be sent. It is therefore suggested that the Vacation Mail group under the User Self-Administration interface be disabled if your users consist primarily of Cyrus IMAP users. See the Administration Guide for instructions on disabling this feature.
Due to a threading issue in HP Tru64 UNIX Version 5.1a, Sendmail can drive CPU utilization to nearly 100 percent on some of the cluster nodes. To fix this problem, please apply the appropriate patch found at the following URL:
http://www1.itrc.hp.com/service/index.html
The SLP software kit described is included with Internet Express and contains the library, daemon, and examples that enable a system administrator to evaluate and implement the use of SLP on a Tru64 UNIX Version 5.1A or later operating system.
Asynchronous operation is not supported in this release.
The language-specific handle is ignored. If you register a service with a language-specific handle, when requesting services with a specified language handle you will receive all language handles.
The PostgreSQL shutdown routine /sbin/init.d/postgres stop may time out and fail to shut down the PostgreSQL server when the Internet Monitor is running. If the stop procedure outputs the message pg_ctl: postmaster does not shut down and there are still PostgreSQL connections to the dcs or dcsconfig database, then you must stop the Internet Monitor to allow the PostgreSQL server to finish shutting down.
To determine if there are connections to the dcs or dcsconfig databases, run the following command:
Look for commands similar to postgres: dcs dcs or postgres: dcs dcsconfig.
See the Internet Monitor Administrator's Guide for more information on how to shut down this service.
PHP session information is stored by default in the /tmp directory which, on a Tru64 UNIX cluster, is a CDSL path. Also, since the Secure Web Server is a multinode application, PHP sessions may appear to be dropped or session information may not be retrieved consistently between requests. Both IMP Webmail (IAEIMP subset), and User Self-Administration (IAEADM subset), use PHP session support. To eliminate this problem, set the session.save_path variable in the /usr/internet/httpd/conf/php.ini configuration file to a non-CDSL directory (one that is shared by all nodes of the cluster). After editing this file, you must restart the Secure Web Server by running /sbin/init.d/httpd_public cluster-restart.
If an existing Tomcat installation is updated, and Tomcat is configured to be a standalone server, it is likely that the Tomcat server will not have a default root context configured. If a default root context is not present, Web browser requests will return an HTTP status 500 - No Context configured to process this request. To correct this problem, modify the server.xml configuration file, adding a default root context.
The Tomcat Java Servlet Engine configured as a standalone server and the Squid Proxy both have a default port of 8080 during installation. If both packages are to be installed, take care that the two servers are not configured to use the same port.
The version of Tomcat shipped with this release contains Web-based applications for administering the Tomcat deployment and for managing the lifecycle of Web applications running within the Tomcat container. Links to these management applications can be found on the Tomcat management page within the Secure Web Server Administration utility. Links to the applications can also be found on the Tomcat start page that is installed by default at /tomcat beneath any public Web server root with which Tomcat has been associated. By default, access to these management applications is limited to browsers running on the local host and requires that users successfully authenticate themselves before access will be granted.
The local host restriction is established by access control valves in the files admin.xml and manager.xml, located in the /usr/internet/httpd/tomcat/webapps/tomcat/admin and /usr/internet/httpd/tomcat/webapps/tomcat/manager directories, respectively. To modify this restriction, edit these files and change the list of allowed hosts, or delete the Valve element entirely to remove host-based restrictions. Tomcat will need to be restarted for any changes to take effect. Note also that the default restriction requires that a browser on the local host must access the management applications using URLs that begin with http://localhost/. Attempts to access the applications with URLs that begin with http://<actual_hostname_of_local_host>/ will be rejected.
User authentication is provided by a custom realm that allows a user who successfully authenticates as the Secure Web Server administration user to be mapped to the Tomcat user roles admin and manager, which are the roles required to access the administration and Web application management utilities. If this initial authentication attempt fails, the realm then attempts to authenticate the user via Tomcat's default user authentication database, which is defined by the file /usr/internet/httpd/tomcat/conf/tomcat-users.xml. To change the behavior of this custom realm, modify the file /usr/internet/httpd/tomcat/conf/server.xml as necessary and then restart Tomcat.
When the Web-based Tomcat administration application is used to modify the Tomcat deployment, the /usr/internet/httpd/tomcat/conf/server.xml file is updated. In the process, any comments that were in the previous version of the file are stripped out. The ordering of elements within the file may also change, and some default elements that were not explicitly specified in the previous version of the file may be present in the newer version.
Saving changes made through the administration application will also cause Context elements for each deployed application to be written out to the main server.xml file. If the applications had been originally deployed as the result of the presence of application-specific xml files in the /usr/internet/httpd/tomcat/webapps directory, those files will thereafter be ignored and Tomcat will use the Context elements in the main server.xml file as the sole sources for application deployment information.
When using Axis with Java 1.4.x, client code may output the following exception:
NoClassDefFoundError: javax/servlet/ServletContext
Use Java 1.3.x or include an implementation of the Java Servlet API (servlet.jar) in your classpath. A servlet.jar file is installed with the Tomcat subset (IAETOMCAT) in the /usr/internet/httpd/tomcat/common/lib directory.
By default, the Axis server is configured to allow administration requests (that is, requests to deploy or undeploy services) only from the localhost. This will cause Unauthorized error messages when the Axis administration request originates on a node other than the one on which the Tomcat instance is running.
To avoid this problem, make sure to run the AdminClient from the same node on which Tomcat is running. Alternatively, you may enable remote administration which will allow requests from all hosts. To enable remote administration, edit the file /usr/internet/xml/axis/webapp/WEB-INF/server-config.wsdd and change the parameter value for "enableRemoteAdmin" to "true" for the service "AdminService". Restart the Tomcat instance for the changes to take effect.
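The following added example (not part of the HP release notes or kit) audits the two local-host restrictions described above: the access control Valve in the Tomcat admin.xml and manager.xml files, and the enableRemoteAdmin parameter of the Axis AdminService. The sample XML is constructed, and the assumption that the shipped context files use Tomcat's RemoteAddrValve or RemoteHostValve class is this example's, not the page's.

```python
import xml.etree.ElementTree as ET

# Tomcat's two host-based access valves (real class names). That the shipped
# admin.xml and manager.xml use one of them is an assumption of this example.
ACCESS_VALVES = {
    "org.apache.catalina.valves.RemoteAddrValve",
    "org.apache.catalina.valves.RemoteHostValve",
}
LOOPBACK = {"127.0.0.1", "localhost", "::1", "0:0:0:0:0:0:0:1"}


def local_name(tag):
    """Drop an XML namespace prefix, e.g. the WSDD namespace Axis uses."""
    return tag.rsplit("}", 1)[-1]


def audit_context(xml_text):
    """Findings for a Tomcat context file such as admin.xml or manager.xml."""
    root = ET.fromstring(xml_text)
    valves = [v for v in root.iter("Valve") if v.get("className") in ACCESS_VALVES]
    if not valves:
        return ["no host-based Valve: management application open to any host"]
    findings = []
    for valve in valves:
        patterns = [p.strip() for p in valve.get("allow", "").split(",") if p.strip()]
        if not patterns:
            findings.append("Valve has no allow list: not restricted to the local host")
        for pattern in patterns:
            # allow entries are regular expressions; un-escape the dots, then
            # accept only exact loopback names and flag everything else.
            if pattern.replace("\\", "") not in LOOPBACK:
                findings.append("allow entry %r admits non-local hosts" % pattern)
    return findings


def audit_wsdd(xml_text):
    """Findings for Axis server-config.wsdd: is remote administration enabled?"""
    findings = []
    for service in ET.fromstring(xml_text).iter():
        if local_name(service.tag) != "service" or service.get("name") != "AdminService":
            continue
        for param in service:
            if (local_name(param.tag) == "parameter"
                    and param.get("name") == "enableRemoteAdmin"
                    and param.get("value", "").strip().lower() == "true"):
                findings.append("AdminService enableRemoteAdmin=true: "
                                "deploy/undeploy accepted from all hosts")
    return findings


# Constructed sample inputs (not HP's shipped files).
MANAGER_DEFAULT = """<Context path="/manager" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\\.0\\.0\\.1"/>
</Context>"""
MANAGER_WIDENED = """<Context path="/manager" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.0\\.0\\.1,10\\.1\\.1\\..*"/>
</Context>"""
MANAGER_NO_VALVE = '<Context path="/manager" privileged="true"/>'
WSDD_REMOTE = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <service name="AdminService" provider="java:MSG">
    <parameter name="enableRemoteAdmin" value="true"/>
  </service>
</deployment>"""

if __name__ == "__main__":
    samples = [("manager.xml (default)", MANAGER_DEFAULT, audit_context),
               ("manager.xml (widened)", MANAGER_WIDENED, audit_context),
               ("manager.xml (no Valve)", MANAGER_NO_VALVE, audit_context),
               ("server-config.wsdd", WSDD_REMOTE, audit_wsdd)]
    for name, text, check in samples:
        for finding in check(text) or ["ok"]:
            print(name + ": " + finding)
```

To check a live system, pass the contents of the files named above (admin.xml, manager.xml and server-config.wsdd) to the matching function.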
To enable IPv6 connectivity with other mail servers and clients, configure sendmail using the Internet Express Administration utility. After finishing, edit the sendmail.cf file and change the value of the DaemonPortOptions line. The default value is inet. Change it to inet6. Then stop and restart sendmail.
Two connectors are provided to allow the HP Apache Web Server (powered by Apache 2.0) and the Secure Web Server (powered by Apache 1.3) to forward requests to the Tomcat servlet engine.
| Apache Module | Protocol | Tomcat Connector | Note |
|---|---|---|---|
| mod_jk | AJP 1.3 | JK Connector org.apache.ajp.tomcat4.Ajp13Connector | Deprecated |
| mod_jk2 | AJP 1.3 | Coyote/JK2 AJP 1.3 Connector | Default |
The default configuration files for Tomcat and the Web servers use the AJP 1.3 protocol with the Tomcat Coyote Connector and the Apache mod_jk2 module.
The Tomcat configuration file /usr/internet/httpd/tomcat/conf/server.xml enables the AJP 1.3 Coyote Connector with the following clause:
<Connector debug="0" enableLookups="false" port="8009" protocol="AJP/1.3" redirectPort="8443"/>
Configuration information for the Tomcat AJP 1.3 Coyote connector is contained in the file /usr/internet/httpd/tomcat/conf/jk2.properties. The Web server loads the mod_jk2 module with the appropriate clause in one of the following configuration files:
| Web Server | Configuration File | Clause |
|---|---|---|
| Secure Web Server (powered by Apache 1.3) | /usr/internet/httpd/conf/httpd.conf | <IfDefine JK2>LoadModule jk2_module libexec/mod_jk2.so </IfDefine> |
| HP Apache Web Server (powered by Apache 2.0) | /usr/opt/hpapache2/conf/httpd.conf | <IfDefine JK2>LoadModule jk2_module modules/mod_jk2.so</IfDefine> |
Configuration information for the Web server mod_jk2 module is contained in the file workers2.properties. The location of this file is one of the following:
| Web Server | JK2 Configuration File |
|---|---|
| Secure Web Server (powered by Apache 1.3) | /usr/internet/httpd/conf/workers2.properties |
| HP Apache Web Server (powered by Apache 2.0) | /usr/opt/hpapache2/conf/workers2.properties |
Refer to the Tomcat documentation for additional information on configuring the connectors. The documentation is available at:
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/
On a system with Tomcat installed the documentation is available at http://localhost/tomcat/.tomcat-docs/.
The new release of Mailman provided in Internet Express Version 6.7 does not support TruClusters, and should not be installed in a TruCluster environment. Mailman is restricted to running on a single member of a cluster.
Batik may abort with segmentation violations when using Java 1.4.1. To avoid potential issues, use Java versions 1.3.1 or 1.4.2.
You can use the IMP Webmail Administration utility to perform such tasks as enabling and disabling IMP Webmail, modifying the mail server, and modifying the preference driver. This utility can be used to modify the configuration parameters of IMP Webmail. Configuration information is available on the Horde Web site in the Horde Administrator's FAQ at:
Tomcat Version 5.5.x (the Tomcat version in the Internet Express Version 6.7 release) is designed to run on J2SE 1.4. Therefore, you must make java14x the default Java environment for Tomcat to work. If constraints prevent a user from making java14x the default Java environment, that user can edit /usr/internet/httpd/tomcat/bin/setenv.sh to change JAVA_HOME and JAVA_CMD to point to the java14x environment. After making this change, a restart of Tomcat is required.
It is possible that a remote attacker could use snoop.jsp to view internal IP addresses and other sensitive information of the server. Therefore, in Internet Express Version 6.5, HP has removed snoop.jsp from jsp-examples and retained its source code, in simple HTML format, for reference. For clients who are not willing to upgrade Tomcat, HP recommends removing snoop.jsp from the /usr/internet/httpd/tomcat/webapps/tomcat/jsp-examples/snp/ directory.
When configured with SOAP/Axis and Cocoon, Tomcat may not create desired logs. Logs can be initialized by following these steps:
Create a file called log4j.properties with the following content and save it into common/classes.
log4j.rootLogger=debug, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=${catalina.home}/logs/catalina.log
log4j.appender.R.MaxFileSize=10MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%p %t %c - %m%n
log4j.logger.org.apache.catalina=DEBUG, R
By default, this option is not enabled because it can produce a large debug log file, which can impact performance. This level should be used sparingly when you need to debug internal Tomcat operations.
The SmartFilter Web filtering software from Secure Computing has been removed from the Internet Express kit.
When using the new Sendmail administration that contains the open source administration methods, the update of the Sendmail configuration file (sendmail.cf) is not sufficient to stop mail forwarding. The Domain Name Service mail based records (mx) must also be disabled to enforce Standalone mode.
For PHP versions prior to Version 5.1.3-RC1, there is a security issue currently under review. If the magic_quotes_gpc flag is set to "Off" in the php.ini file, the function html_entity_decode() does not parse properly, possibly causing a memory leak. The workaround is to set the magic_quotes_gpc flag to "On", which is the default in the php.ini file for Internet Express.
Internet Express Version 6.7 includes the Mozilla SeaMonkey Application Suite, which replaces the Mozilla Application Suite that was part of previous releases of Internet Express.
To open the help, release notes, and links from Thunderbird, add a file named user.js in your thunderbird profile directory containing the following lines:
user_pref("network.protocol-handler.app.http", "/usr/bin/X11/firefox");
user_pref("network.protocol-handler.app.https", "/usr/bin/X11/firefox");
user_pref("network.protocol-handler.app.ftp", "/usr/bin/X11/firefox");
These lines inserted into user.js use Firefox to open links from Thunderbird. An alternative method for opening links in SeaMonkey is to use /usr/bin/X11/seamonkey.
The following issues are related to the use of the Sendmail server with the Open Source Configuration Rules.
The AntiSpam LDAP relay option Check for Blacklist Recipients in Access Database can be enabled successfully using the PHP link but the functionality does not work as expected.
To fully enable the Sendmail LDAP lookup option, the following section in the sendmail.cf file must be manually updated to include the sequence:luser option, as follows:
#location of alias file
O AliasFile=btree:/var/adm/sendmail/aliases,sequence:luser
After updating the sendmail.cf file, stop and start Sendmail.
This procedure must be done apart from enabling the Configure LDAP option using the PHP link. Refer to the Help page for more information on how to configure Sendmail LDAP lookup.
To enable milter functionality, the following section in the sendmail.cf file must be manually updated by uncommenting the O InputMailFilters configure option and specifying the name of the milter, as follows:
# Input mail filters
O InputMailFilters=milter name
After updating the sendmail.cf file, stop and start Sendmail. This procedure must be done apart from enabling the Configure Milter option using the PHP link. Refer to the Help page for more information on how to configure Milter.
The Enabling Masquerading feature does not work for local users (that is, users on the same system). The following masquerading options do not work for either local or non-local users (that is, Internet users):
Masquerading hosts/domains
Exclude User
Sub-domain masquerading
The Queue Performance PHP Page currently provides an option for modifying the following queue parameters only:
As of Internet Express Version 6.6, some of the documents are considered archived, and no future revisions are planned. The archived documents include the Internet Monitor Administrator's Guide and all of the Internet Express Best Practice documents. As of Internet Express Version 6.7, the Best Practices documents have been removed from the kit.
While these documents are still technically accurate, they may contain cross-references to other documents which do not work. For example, the Internet Monitor Administrator's Guide contains cross-references to the Administration Guide, Installation Guide, and Read this First. If you are reading the HTML version of the Internet Monitor Administrator's Guide and click on a link to one of these documents, the link will not work. You can still access these other documents by choosing the appropriate title from the Documentation menu of the Internet Express Administration menu, or by accessing the Documentation and Sources CD-ROM.
During Sendmail startup, the following error message might be displayed: /usr/sbin/sendmail: /sbin/loader: Fatal Error: Cannot map library libdb-4.4.so
The following problem has been identified with the installation of Clam AntiVirus.
The following message might be displayed: /usr/internet/amavis/virusmails: No such file or directory.
In Internet Express Version 6.5, Version 6.6, and Version 6.7, IMP Webmail may not start because of incompatible configuration files. To fix this problem, replace the existing IMP Webmail configuration files located at /usr/internet/horde with the updated configuration files located at the following Web site:
http://h30097.www3.hp.com/internet/download.htm
Follow these steps:
Back up the existing configuration files using the following commands:
$ mv /usr/internet/horde/config/conf.php /usr/internet/horde/config/conf.php.orig
$ mv /usr/internet/horde/imp/config/conf.php /usr/internet/horde/imp/config/conf.php.orig
$ mv /usr/internet/horde/turba/config/conf.php /usr/internet/horde/turba/config/conf.php.orig
Copy the updated configuration files (downloaded from the Tru64 UNIX Web site) onto the existing configuration files using the following commands:
$ cp Horde-conf.php.dist /usr/internet/horde/config/conf.php
$ cp IMP-conf.php.dist /usr/internet/horde/imp/config/conf.php
$ cp Turba-conf.php.dist /usr/internet/horde/turba/config/conf.php
Change the entry $conf['sql']['hostspec'] in the Horde configuration file (/usr/internet/horde/config/conf.php) to the host name of the machine.
As of Internet Express Version 6.7, the following components are no longer on the Internet Express CD:
IRC Chat
TCP Wrappers
Internet Monitor
Thunderbird
These components can be downloaded from the following Web site: