Patch Name: PHSS_27635

Patch Description: s700_800 11.04 VirtualVault 4.0 TGP IP Aliasing fix

Creation Date: 02/08/01

Post Date: 02/08/30

Hardware Platforms - OS Releases:
    s700: 11.04
    s800: 11.04

Products:
    VirtualVault A.04.00 US/Canada Release
    VirtualVault A.04.00 International Release

Filesets:
    VaultTGP.TGP-CORE,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: No

Status: General Release

Critical: No

Category Tags:
    defect_repair general_release

Path Name: /hp-ux_patches/s700_800/11.X/PHSS_27635

Symptoms:
    PHSS_27635:
    When IP aliasing is configured, trying to create/modify TGP
    service entries through the 'Trusted Gateway Proxy
    Administration' screen results in an error, "Sufficient memory
    can not be allocated to create the CREATE screen." The same
    kind of error occurs while trying to modify a TGP service
    entry.

    PHSS_21597:
    When IP aliasing is configured via ifconfig, TGP fails to use
    the default IP associated with each network interface. Also,
    TGP will only recognize one network interface if more than one
    network interface for a given sensitivity level is configured.

    Note: if TGP fails to initialize when IP aliasing is
    configured, patch PHNE_21261 or its successor is required.

    PHSS_21013:
    Two symptoms are addressed in this patch:

    1) When adding a TGP proxy entry using the VirtualVault
       administration interface, the browser may see an error 500
       and the /tcb/files/tgp.conf file is corrupted.

    2) When proxying from localhost to an external IP (off the
       VirtualVault), the following error message is written to
       the /tcb/files/tgp.log file:

           Error: Failed to get peer attributes. error: 4 count XX

       where XX ranges from 1 to 31. After a 30 second wait, the
       data is proxied.

Defect Description:
    PHSS_27635:
    The tgp-edit cgi fails to fetch the MAC label for a lan
    interface when that interface is configured with multiple IP
    addresses (IP aliasing).
    Resolution:
    Since the MAC label associated with a lan interface must be
    the same for all aliases of that interface, query the
    interface without the alias name (use lan0 instead of lan0:1).

    PHSS_21597:
    When IP aliasing is configured on VirtualVault, there is no
    practical way to configure which inside or outside IP TGP will
    listen at, or connect to.

    If more than one interface is configured for a given
    sensitivity level (e.g. multiple outside network interface
    cards), TGP will use only the first network interface found.
    There is no way to configure the other network interfaces for
    that sensitivity level.

    Resolution:
    Modify the tgp-edit CGI to allow for the configuration of all
    inside and outside IPs. Modify the TGP daemon to read this new
    configuration and to establish proxies between these IPs.

    PHSS_21013:
    This patch addresses two defects within TGP:

    1) The tgp-edit and tgp-global code may not correctly process
       TGP entries under certain conditions, which results in
       configuration file corruption.

       Resolution:
       Fix method used to process TGP array entries.

    2) If TGP receives an error when checking a peer's attributes,
       it will invoke a 30 count wait loop. This loop produces an
       error message and waits 1 second per iteration. When TGP is
       proxying from localhost to an external IP, TGP will always
       receive a socket not connected error (errno 235). This
       causes the loop to be executed and hence a 30 second hang
       before establishing the connection.

       Resolution:
       Make use of the new get_peer_attributes routine provided in
       VVOS patch PHNE_20707 or its successor to avoid the loop.

Enhancement: No

SR:
    8606270675 8606136484 8606127920 8606127287

Patch Files:
    VaultTGP.TGP-CORE,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    /tcb/lib/tgpd
    /var/opt/vaultTS/inside/vault/bin/tgp-edit
    /var/opt/vaultTS/inside/vault/bin/tgp-global
    /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html
    /etc/auth/system/files.fcdb/25.patches/21597_PHSS.fcdb

what(1) Output:
    VaultTGP.TGP-CORE,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:

    /tcb/lib/tgpd:
        $Source: src/tgproxy/configuration.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/05/02 10:29:41 $ $Revision: 1.12 PATCH_11.04 (PHSS_21597) $
        $Source: src/tgproxy/proxy.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/05/02 10:29:43 $ $Revision: 1.15 PATCH_11.04 (PHSS_21597) $
        $Source: src/tgproxy/security.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/02/09 14:05:05 $ $Revision: 1.5.1.3 PATCH_11.04 (PHSS_21013) $
        HP VirtualVault, tgpd, revision A.01.01
        $Source: src/lib/conf/gpent.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/05/03 13:49:47 $ $Revision: 1.11 PATCH_11.04 (PHSS_21597) $
        src/lib/conf/gpent.c, vaultTGP, vaultTGP_4.0 1.11 05/03/00
        $Source: src/lib/conf/if_info.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/06/01 10:14:52 $ $Revision: 1.9 PATCH_11.04 (PHSS_21597) $
        $Source: lib/libsecalarm/app_audit.c, libsecalarm, vvos_rose, rose0007 $ $Date: 99/06/03 11:09:42 $ $Revision: 1.7 PATCH_11.04 (PHCO_18729) $

    /var/opt/vaultTS/inside/vault/bin/tgp-edit:
        $Source: src/admin/cgi/tgp-edit/tgp-edit.c, vaultTGP, vaultTGP_4.0 $ $Date: 02/08/20 06:01:31 $ $Revision: 1.16 PATCH_11.04 (PHSS_27635) $
        $Source: src/admin/cgi/tgp-edit/construct.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/05/04 07:28:58 $ $Revision: 1.2.1.3 PATCH_11.04 (PHSS_21597) $
        $Source: src/lib/conf/gpent.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/05/03 13:49:47 $ $Revision: 1.11 PATCH_11.04 (PHSS_21597) $
        src/lib/conf/gpent.c, vaultTGP, vaultTGP_4.0 1.11 05/03/00
        $Source: src/lib/conf/port.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/05/02 10:30:10 $ $Revision: 1.11 PATCH_11.04 (PHSS_21597) $
        $Source: src/lib/conf/if_info.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/06/01 10:14:52 $ $Revision: 1.9 PATCH_11.04 (PHSS_21597) $

    /var/opt/vaultTS/inside/vault/bin/tgp-global:
        HP VirtualVault, tgp-global, revision A.01.00
        $Source: src/lib/conf/gpent.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/05/03 13:49:47 $ $Revision: 1.11 PATCH_11.04 (PHSS_21597) $
        src/lib/conf/gpent.c, vaultTGP, vaultTGP_4.0 1.11 05/03/00
        $Source: src/lib/conf/if_info.c, vaultTGP, vaultTGP_4.0 $ $Date: 00/06/01 10:14:52 $ $Revision: 1.9 PATCH_11.04 (PHSS_21597) $

    /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html:
        src/admin/html/tgp-edit.html, vaultTGP, vaultTGP_4.0 1.8 05/31/00 --

    /etc/auth/system/files.fcdb/25.patches/21597_PHSS.fcdb:
        src/host/21597_PHSS.fcdb, vaultTGP, vaultTGP_4.0 1.1 06/01/00

cksum(1) Output:
    VaultTGP.TGP-CORE,fr=A.04.00,fa=HP-UX_B.11.04_32/64,v=HP:
    618101940 94547 /tcb/lib/tgpd
    1864871561 78057 /var/opt/vaultTS/inside/vault/bin/tgp-edit
    3417962499 57500 /var/opt/vaultTS/inside/vault/bin/tgp-global
    3527759841 27202 /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html
    2121157413 454 /etc/auth/system/files.fcdb/25.patches/21597_PHSS.fcdb

Patch Conflicts: None

Patch Dependencies:
    s700: 11.04: PHNE_21261
    s800: 11.04: PHNE_21261

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHSS_21013 PHSS_21597

Equivalent Patches:
    PHSS_27636:
    s700: 11.04
    s800: 11.04

Patch Package Size: 290 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

           cd /tmp
           sh PHSS_27635

    5. Run swinstall to install the patch:

           swinstall -x autoreboot=true -x patch_match_target=true \
               -s /tmp/PHSS_27635.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHSS_27635. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

           -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is
             installed, the patch cannot be deinstalled. Please be
             careful when using this feature.

    For future reference, the contents of the PHSS_27635.text file
    are available in the product readme:

           swlist -l product -a readme -d @ /tmp/PHSS_27635.depot

    To put this patch on a magnetic tape and install from the tape
    drive, use the command:

           dd if=/tmp/PHSS_27635.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    PHSS_21013:
    The patch installation replaces the Trusted Gateway Proxy
    Daemon (tgpd) as well as the tgp-edit and tgp-global CGI
    programs. Use the 'Start or Stop Trusted Gateway Proxy'
    interface to stop the daemon before installing the patch and
    to restart it after installing the patch.

    NOTE: For VirtualVault 4.0, this patch is dependent on the
          VVOS patch PHNE_21261 or its successor.