OBSOLETE Patch-ID# 127554-06
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
Keywords: sun ray update patch security
Synopsis: Obsoleted by: 127554-07 Sun Ray Core Services version 4.0 Patch Update SunOS 5.10_x86
Date: Jul/10/2009
Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.
Solaris Release: 10_x86
SunOS Release: 5.10_x86
Unbundled Product: Sun Ray Core Services
Unbundled Release: 4.0
Xref: This patch available for SUNOS 5.10 as 127553-06 and for Linux as 127555-06
Topic:
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 6578775 6672502 6706607 6727792 6730822 6739397 6740687 6745120 6747622 6756504 6760323 6773304 6775532 6781604 6785797 6786835 6788938 6800187 6808910 6812067
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch:
Obsoleted by:
Files included with this patch:
/etc/init.d/utacleanup
/etc/opt/SUNWut/noentry.start
/etc/opt/SUNWut/smartcard/GD-STARCOS.cfg
/etc/rc0.d/K51utacleanup
/etc/rc1.d/K51utacleanup
/etc/rc2.d/S51utacleanup
/etc/rcS.d/K51utacleanup
/opt/SUNWut/bin/utselect
/opt/SUNWut/etc/template/ldap/utdsd.acl.conf
/opt/SUNWut/lib/firmware/CoronaP1
/opt/SUNWut/lib/firmware/CoronaP2
/opt/SUNWut/lib/firmware/CoronaP3
/opt/SUNWut/lib/firmware/CoronaP4
/opt/SUNWut/lib/firmware/CoronaP5
/opt/SUNWut/lib/firmware/CoronaP6
/opt/SUNWut/lib/firmware/CoronaP7
/opt/SUNWut/lib/firmware/CoronaP8
/opt/SUNWut/lib/firmware_gui/CoronaP1
/opt/SUNWut/lib/firmware_gui/CoronaP2
/opt/SUNWut/lib/firmware_gui/CoronaP3
/opt/SUNWut/lib/firmware_gui/CoronaP4
/opt/SUNWut/lib/firmware_gui/CoronaP5
/opt/SUNWut/lib/firmware_gui/CoronaP6
/opt/SUNWut/lib/firmware_gui/CoronaP7
/opt/SUNWut/lib/firmware_gui/CoronaP8
/opt/SUNWut/lib/ifdh_scbus.so.1
/opt/SUNWut/lib/libsimpleRun.so
/opt/SUNWut/lib/libusbut.so.1
/opt/SUNWut/lib/libutadmin.so.1
/opt/SUNWut/lib/libutgrpmgr.so
/opt/SUNWut/lib/libutinfo.so.1
/opt/SUNWut/lib/pam_sunray_amgh.so.1
/opt/SUNWut/lib/utati
/opt/SUNWut/lib/utatilu
/opt/SUNWut/lib/utaudiod
/opt/SUNWut/lib/utauthd.jar
/opt/SUNWut/lib/utdevmgrd
/opt/SUNWut/lib/utdmevent
/opt/SUNWut/lib/utdmsession
/opt/SUNWut/lib/utdsupdate
/opt/SUNWut/lib/utkeyvet
/opt/SUNWut/lib/utprop
/opt/SUNWut/lib/utresexec
/opt/SUNWut/lib/utseriald
/opt/SUNWut/lib/xmgr/dtlogin/notify
/opt/SUNWut/lib/yuvfile
/opt/SUNWut/sbin/utadm
/opt/SUNWut/sbin/utatiscrub
/opt/SUNWut/sbin/utconfig
/opt/SUNWut/sbin/utgmtarget
/opt/SUNWut/sbin/utgroupsig
/opt/SUNWut/sbin/utreplica
/opt/SUNWut/sbin/utuser
/opt/SUNWut/share/man/man1m/utatiscrub.1m
/opt/SUNWut/share/man/man1m/utgmtarget.1m
/opt/SUNWut/share/man/man1m/utgroupsig.1m
/opt/SUNWut/share/man/man1m/utuser.1m
/opt/SUNWut/share/man/man3/ut_amgh_script_interface.3
/opt/SUNWut/share/man/man3/ut_ati_script_interface.3
/opt/SUNWut/share/man/man4/auth.props.4
/opt/SUNWutref/ati/utatiref_script
/usr/openwin/server/modules/ddxSUNWsunray.so.1
Problem Description:
6578775 Safesign app + PCSC Lite + JCOP-XX smart card + correct PIN = keypair/keyset not found error
6672502 utaudiod has resource leaks
6706607 utsession -k can cause 26 D icons
6727792 utseriald denies access to device after server switch
6730822 utauthd does not notice that sessions have been disconnected in certain circumstances
6739397 Add callme device allocation back into Sun Ray smart card IFD handler.
6740687 utdmsession can expose sensitive data
6745120 Sun Ray 2FS hangs at 26D (Xsun) or is black (Xnewt) when the resolution is set to 640x480
6747622 LAN-connected Sun Rays can't redirect to a server when its primary IP address is not reachable
6756504 Sun Ray doesn't know how to handle a request for 2 consecutive tokens from an ASA with RSA back end.
6760323 Entering any prompting dialog causes locks to be reset
6773304 PIX gateways no longer work for VPN with Sun Ray because of ID type change
6775532 Xnewt dumping core due to a divide by zero error.
6781604 AMGH fails on Sun Rays when server's Primary IP address is unreachable (sim. to CR#6747622)
6785797 Sun Ray firmware needs expanded network definition options
6786835 Need support for Siemens CardOS API 2.5 middleware added to PC/SC-Lite
6788938 4.1 utauthd has a crash and redirect issue.
6800187 utauthd in SRSS 4.0 on S10/TX appears to leave a number of defunct processes and open ports
6808910 Netscreen VPN connections don't come up if the gateway's version ID is not recognized.
6812067 Sun Ray VPN doesn't support AES 192 and 256 bit key sizes.
(from 127554-05)
6699511 Xsun hangs with OSD 26 on Sun Ray DTU with large time on poll() if under VMware and high speed net
6749640 Desire a way to use token data external to SRSS to control FOG session access
6754138 utuser deprecated "-k" (and -xdisplay and -tokenid) options should be eliminated
(from 127554-04)
6504027 Support smartcard configuration file for smartcards of type GD-STARCOS 3.0
6513377 Ctrl+Pause+cursor shortcuts for local volume control don't work
6616994 LDAP password exposed during configuration using utconfig
6618056 utgroupsig should read from stdin and write to stdout/stderr to allow utconfig to be scripted
6659871 Access restrictions need improvements
6667384 2FS doesn't receive second monitor utresadm override if DDC failed on second monitor
6672145 Lots of packets are dropped with the server port set to gigabit Ethernet through some switches
6674773 Remove spurious failure message from internal smart card reader IFD handler
6677259 Finnish ID card is not recognized on Sun Ray 2 on SRSS 4.0 (but is on Sun Ray 270)
6682321 Sunray 2FS not able to use second display with new Samsung monitors
6685185 Sun Ray VPN connection to Cisco ASA gateway doesn't rekey properly
6694424 Unitech barcode reader fails to work with Sun Ray
6716667 Sun Ray internal reader IFD Handler not able to allocate smart card reader in busy networks
6720776 Sun Ray 2s at low bandwidth suffer high packet losses
6721043 Maximum X server bandwidth is limited when high resolution clock tick is enabled.
6726120 Maximum rendering bandwidth use is throttled when hires timer is set.
6730748 Sun Ray DTU can't resolve hostnames
6737449 SYN|ACK retry during TCP passive open is broken
6738725 hotdesking and group manager does not appear to work w/ DTU's on multiple subnets when vni is used
(from 127554-03)
6625491 Running utadm -A on TX w/ vni config'd FAILS
6671517 SRSS failover groups (FOG) not working properly when group members are defined as CIPSO on TX
6675678 readdir_r parameters need storage allocation
6689004 Sun Ray datastore integration for group manager unicast target list
6689682 man page updates for group manager unicast target feature
(from 127554-02)
6542450 Sun Ray DTU responds to ping even if IP address is incorrect
6554391 DTU IFD handler should use oscompat library functions for portability.
6583348 Sun Ray: Apple Mighty Mouse vertical scroll not functioning properly
6609317 libusb's usb_bulk_read() doesn't return an error when a CCID reader is removed.
6622089 pcscd instance Core dump is seen once on Solaris 10 X86
6623150 TCSETA / TCSETAW / TCSETAF not supported on Sun Ray serial subsystem
6625203 External smartcard reader does not get detected in a hotdesked session
6626955 uttsc exited with error messages with PCSClite 1.1 _01 after multiple hotdesks
6629028 uttsc exited with error messages and PCSC core dump after rebooting DTU.
6630054 xmgr/dtlogin/notify needs to defend against corrupted dtlogin PID file
6632737 IFD handler RDD low-level I/O should be re-startable after disruption
6636671 If a Sun Ray terminal gets TFTPsrvN (option 66) it should try sunray-config-servers if this fails
6638831 ifd handler should log clear reasons for init failure to syslog
6641754 Sun Ray 2/2FS/270 smart card readers sometimes drop bytes at bauds greater than 9600.
6645003 svcevts.c`svc_finder_add() has bug in sessid keyword
6645009 libusb has problems with release_interface() after detach
6645010 libusb needs to be made session-based hotdesking aware
6655178 Smartcard Philips SmartMX doesn't work anymore in SRSS4.0
6662969 keyboard hangs on lossy network
(from 127554-01)
6407231 Sun Ray USB implementation does not present bcdDevice value in BCD
6492879 Typo in description of SUNWutfw rpm
6573093 1400x1050 res doesn't work if native panel resolution
6587725 uttsc hangs (up to 2 min) on multiple hotdesking while smart card LED is glowing
6592372 channels switch when playing audio on SR2FS and SR2 DTUs
6596045 Audio record not working on 4.0 b48 on Sun Ray 2 family
6596686 DDR2 graphics memory support needed for future SR2, SR270 boards
6600065 SRSS libusb improperly blocks root from accessing DTU's USB devices
6605645 SRSS 4.0 network bandwidth is much higher than 3.1.1
6607591 Use the Sun Ray Data Store (SRDS) to host the VDA configuration
6610233 Sun Ray firmware problem with 2048bit key
6612710 Scbus IFD handler mishandles T=1 APDUs with no return data.
6623818 Firmware load prevented by barrier on new SR270 DTUs
Detailed Installation Steps
---------------------------
1. Suppress firmware downloads

   If the server being patched is not a member of a Sun Ray
   failover group you should skip this step.

   If the server being patched is a member of a Sun Ray failover
   group then this step is optional but is strongly recommended.

   At Patch Installation
   ---------------------
   Before adding this patch to servers configured into a Sun
   Ray failover group we advise that you disable Sun Ray
   firmware delivery from all unpatched hosts in the failover
   group. On each host in the group:

      For config parameters (.parms) file:
         $ /opt/SUNWut/sbin/utfwadm -D -a -V
      For dedicated network interconnects:
         $ /opt/SUNWut/sbin/utfwadm -D -a -n all
      For shared subnetwork interconnects:
         $ /opt/SUNWut/sbin/utfwadm -D -a -N all

   Do this only one time, before adding this patch to any
   server in the group.

   The purpose of this step is to prevent unpatched servers
   from offering old firmware to Sun Ray appliances.

   At Patch Removal
   ----------------
   Before removing this patch from servers configured into a
   Sun Ray failover group we advise that you disable firmware
   delivery from any hosts in the failover group that have
   this patch installed. On each already-patched host in the
   group:

      For dedicated network interconnects:
         $ /opt/SUNWut/sbin/utfwadm -D -a -n all
      For shared subnetwork interconnects:
         $ /opt/SUNWut/sbin/utfwadm -D -a -N all
      For config parameters (.parms) file:
         $ /opt/SUNWut/sbin/utfwadm -D -a -V

   Do this only one time, before removing this patch from any
   of the already-patched servers in the group.

   The purpose of this step is to prevent already-patched
   servers from offering new firmware to Sun Ray appliances.

   If this patch is being removed from a Sun Ray failover group
   then omitting this step may result in increased restart
   times for your Sun Ray appliances. (A mixture of patched
   and unpatched servers advertising conflicting firmware
   versions may cause the appliance to download new firmware
   each time it restarts. The appliance automatically
   restarts itself after downloading fresh firmware so its
   overall restart cycle is longer in that case. The
   appliance may restart itself several times before
   establishing or reconnecting to a session.) The Sun Ray
   restart time will return to normal once the patch has been
   removed from all servers in the failover group.
2. Stopping Sun Ray services and login sessions

   Before the addition or removal of this patch to a Sun Ray server
   all users should be logged out of their Sun Ray sessions.
   Stop the Sun Ray services using the following commands:

      $ /etc/init.d/utstorage stop
      $ /etc/init.d/utsvc stop

   These commands will terminate any Sun Ray sessions that were not
   already logged out.

   Next, use the instructions outlined below in the section
   "Patch Installation Instructions" for the addition or removal
   of this patch.

3. Rebooting the Sun Ray server

   The Sun Ray server must be rebooted after the addition or removal
   of the patch.
4. Enable firmware downloads

   After the addition or removal of this patch on all Sun Ray
   servers in a failover group, enable firmware downloads
   using one of the following methods:

   1) If all Sun Ray servers in the failover group provide default
      (non GUI) firmware downloads, run this command on one of the
      servers:

         $ /opt/SUNWut/sbin/utfwsync

      The Sun Ray DTUs will then reboot themselves and load
      the new firmware.

   2) If only some of the Sun Ray servers in the failover group provide
      firmware downloads to the DTUs, run the following command
      on the servers that do provide firmware:

      For default (non GUI) firmware:
         For dedicated network interconnects:
            $ /opt/SUNWut/sbin/utfwadm -A -a -n all
         For shared subnetwork interconnects:
            $ /opt/SUNWut/sbin/utfwadm -A -a -N all

      For GUI firmware:
         For dedicated network interconnects:
            $ /opt/SUNWut/sbin/utfwadm -A -a -n all -f \
                /opt/SUNWut/lib/firmware_gui
         For shared subnetwork interconnects:
            $ /opt/SUNWut/sbin/utfwadm -A -a -N all -f \
                /opt/SUNWut/lib/firmware_gui

   3) Upgrading firmware via the config parameter (.parms) file

      For default (non GUI) firmware:
         $ /opt/SUNWut/sbin/utfwadm -A -a -V
      For GUI firmware:
         $ /opt/SUNWut/sbin/utfwadm -A -a -V -f \
             /opt/SUNWut/lib/firmware_gui

      Then restart services on all servers in the failover group by
      executing the following command on a server in the group:

         $ /opt/SUNWut/sbin/utfwsync -d
5. Optionally increase system clock frequency

   The fix for CR 6672145 improves the performance of some switches
   that drop a lot of packets when the downlink from the server is
   run at 1 Gbps. For the fix to be effective, the clock frequency
   on the server has to be increased.

   This is accomplished by adding the following line to /etc/system

      set hires_tick = 1

   and rebooting the server. To confirm that the change has taken
   effect, "getconf CLK_TCK" should print a value of 1000.
Patch Installation Instructions:
--------------------------------
Refer to the man pages for instructions on using the 'patchadd' and 'patchrm'
scripts provided with Solaris. Any other special or non-generic installation
instructions should be described below as special instructions. The following
example installs a patch to a standalone machine:

    example# patchadd /var/spool/patch/<patchid-rev>

The following example removes a patch from a standalone system:

    example# patchrm <patchid-rev>

patchadd may give some messages while installing on a system
with zones. To suppress these messages, the "-G" option can be used:

    example# patchadd -G /var/spool/patch/<patchid-rev>

For additional examples please see the appropriate man pages.
Special Install Instructions:
-----------------------------
NOTE 1: This patch is for the Sun Ray Core Services 4.0 component
that is part of Sun Ray Server Software 4.0.
NOTE 2: This SRSS patch does not support Live Upgrade. Please do not
install this patch via live upgrade.
NOTE 3: The DTU firmware delivered in this patch has an increased
downgrade "barrier" of '325' to prevent accidental downgrades to
firmware from earlier releases. If you wish to revert a unit back to an
earlier release of firmware after upgrading to this version of firmware,
please see the admin guide for information on overriding the
barrier/barrierLevel mechanism.
NOTE 4: Be sure to install the latest Kiosk 4.0 patch 128166 on your system.
NOTE 5: The DTU firmware delivered in this patch has the following version
identification strings:

    4.1_139548-02_2009.05.13.18.59
    GUI4.1_139548-02_2009.05.13.18.59
Required Patches
----------------
Warnings & Errors
-----------------
** WARNING: This patch should only be applied to systems which have
Sun Ray Server Software 4.0 fully installed.
Do not attempt to add this patch to the UFS image to be
applied as part of the install process.
Post-Patch Installation Notes:
------------------------------
Updated Smartcard Config Files
The fix for 6504027 (Support smartcard configuration file for smartcards
of type GD-STARCOS 3.0) that is included with this patch provides an
updated GD-STARCOS.cfg smartcard config file. This file provides support
for using the G&D (Giesecke & Devrient) STARCOS SPK 3.0 smartcard for
Sun Ray session mobility. This card type has not been tested for any
other use on Sun Ray. Specifically, PIN/PKI login and other cryptographic
operations that this card can perform have not been tested on Sun Ray.
Such uses of this card type are unsupported.
If you maintain your smartcard configuration files on the local Sun Ray
server, then no action is necessary after installation of this patch and
reboot. If you maintain your smartcard configuration files in the Sun
Ray Data Store (DS), you will need to update the DS with this updated
version of the GD-STARCOS.cfg file after installation of this patch and
reboot. You can update the DS with this updated config file using the
"utcard" CLI or via the Sun Ray Administration GUI.
Automated Token Importation (ATI)
A feature has been added in this patch which allows
controlling session access based on information stored in
customer data sources. In addition to man pages delivered
with this patch, a description has been added to the
Sun Ray Server Software 4.0 Release Notes available at:
Solaris: http://docs.sun.com/app/docs/doc/820-0417
Linux: http://docs.sun.com/app/docs/doc/820-0418
Regression fix for Cisco PIX gateways
Sun Ray firmware for this patch is drawn from the SRSS 4.1
patch release. The addition of support for the Netscreen
family of VPN gateways in the SRSS 4.1 release caused the Cisco
PIX family of VPN gateways to stop working, though ASA and 3000
series continue to function correctly. Unfortunately, the fix
for this requires that the VPN configuration now include an
item to specify what type of VPN gateway the Sun Ray will be
connecting to. This configuration can be done using the local
GUI tool available on the Sun Ray, or through the download of a
configuration file, using the "Download Configuration" option
of the GUI tool. A couple of other useful options have been
added to the VPN configuration, including the PFS group to use,
the IPsec phase 2 lifetime, and a switch to enable Dead Peer
Detection. (Dead Peer Detection was also introduced in SRSS
4.1, and was on by default. Unfortunately, having it enabled
also causes the PIX gateways to fail, so it must be disabled
for PIX.)
The new values in the configuration file use these keywords and
value types:

    vpn.peertype    integer/string   (0 or "cisco" = Cisco,
                                     1 or "netscreen" = Netscreen)
    vpn.pfsgroup    integer          Diffie-Hellman group for Perfect
                                     Forward Secrecy
    vpn.ipsectime   integer          IPsec SA lifetime for phase 2
                                     proposals in seconds
    vpn.dpdswitch   integer          non-zero -> enable DPD

Other than the peertype, these values may also be set using the
"Advanced" submenu of the VPN configuration menu.
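
A pre-deployment check for the vpn.* keywords above, as an added example that is not part of the original README or of Sun Ray Server Software. It assumes the downloaded configuration file holds one key=value pair per line with '#' comments, and that the caller says whether the gateway is a PIX, since vpn.peertype only distinguishes Cisco from Netscreen; the function names and sample files are constructed for illustration.

```python
# Added example. Assumed, not from the README: one key=value pair per line,
# '#' comments, and a caller-supplied flag for PIX (peertype cannot tell).
PEER_TYPES = {"0": "cisco", "cisco": "cisco", "1": "netscreen", "netscreen": "netscreen"}
INT_KEYS = ("vpn.pfsgroup", "vpn.ipsectime", "vpn.dpdswitch")

# Constructed sample inputs.
SAMPLE_PIX_OK = """\
vpn.peertype=cisco
vpn.pfsgroup=2
vpn.ipsectime=3600
vpn.dpdswitch=0
"""
SAMPLE_PIX_BAD = """\
vpn.peertype=pix      # not a value the README defines
vpn.pfsgroup=two
vpn.ipsectime=3600
vpn.dpdswitch=1
"""

def parse_config(text):
    """Return {keyword: value} for every key=value line, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def as_int(value):  # None when the value is absent or not a decimal integer
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def lint_vpn(settings, gateway_is_pix=False):
    """Return a list of findings; an empty list means the keywords are consistent."""
    findings = []
    peer = settings.get("vpn.peertype")
    peer_name = PEER_TYPES.get(peer.lower()) if peer is not None else None
    if peer is None:
        findings.append("vpn.peertype is missing; the gateway type must be specified")
    elif peer_name is None:
        findings.append(f"vpn.peertype {peer!r} is not 0/cisco or 1/netscreen")
    for key in INT_KEYS:
        if key in settings and as_int(settings[key]) is None:
            findings.append(f"{key} must be an integer, got {settings[key]!r}")
    if gateway_is_pix:
        if peer_name == "netscreen":
            findings.append("gateway is a PIX but vpn.peertype selects Netscreen")
        # DPD was on by default in SRSS 4.1 and breaks PIX, so require an explicit 0.
        if as_int(settings.get("vpn.dpdswitch")) != 0:
            findings.append("vpn.dpdswitch must be set to 0 for a PIX gateway")
    return findings

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_PIX_OK), ("bad", SAMPLE_PIX_BAD)):
        print(name, lint_vpn(parse_config(text), gateway_is_pix=True))
```
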
README -- Last modified date: Saturday, November 10, 2012