OBSOLETE Patch-ID# 127554-06


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: sun ray update patch security
Synopsis: Obsoleted by: 127554-07 Sun Ray Core Services version 4.0 Patch Update SunOS 5.10_x86
Date: Jul/10/2009


Install Requirements: Reboot after installing this patch to activate the changes delivered. An alternative may be specified in the Special Install Instructions.

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product: Sun Ray Core Services

Unbundled Release: 4.0

Xref: This patch available for SUNOS 5.10 as 127553-06 and for Linux as 127555-06

Topic:

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #    Bug #
6407231     12159389
6492879     12184334
6504027     12187617
6513377     12190065
6542450     12197566
6554391     12200554
6573093     12204825
6578775     12206213
6583348     12207189
6587725     12208135
6592372     12209288
6596045     12210117
6596686     12210232
6600065     12211049
6605645     12212347
6607591     12212804
6609317     12213167
6610233     12213345
6612710     12213855
6616994     12214876
6618056     12215110
6622089     12216054
6623150     12216220
6623818     12216381
6625203     12216754
6625491     12216838
6626955     12217206
6629028     12217753
6630054     12218042
6632737     12218794
6636671     12220045
6638831     12220612
6641754     12221343
6645003     12222109
6645009     12222110
6645010     12222111
6655178     12225230
6659871     12226542
6662969     12227398
6667384     12228598
6671517     12229733
6672145     12229948
6672502     12230031
6674773     12230684
6675678     12230947
6677259     12231406
6682321     12232677
6685185     12233504
6689004     12234602
6689682     12234821
6694424     12236175
6699511     12237451
6706607     12239006
6716667     12241686
6720776     12242488
6721043     12242530
6726120     12243767
6727792     12244130
6730748     12244618
6730822     12244643
6737449     12245933
6738725     12246213
6739397     12246339
6740687     12246594
6745120     12247402
6747622     12247871
6749640     12248326
6754138     12249397
6756504     12249834
6760323     12250768
6773304     12253775
6775532     12254282
6781604     12256481
6785797     12257539
6786835     12257766
6788938     12258268
6800187     12261108
6808910     12263005
6812067     12263789


Changes incorporated in this version: 6578775 6672502 6706607 6727792 6730822 6739397 6740687 6745120 6747622 6756504 6760323 6773304 6775532 6781604 6785797 6786835 6788938 6800187 6808910 6812067

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/init.d/utacleanup
/etc/opt/SUNWut/noentry.start
/etc/opt/SUNWut/smartcard/GD-STARCOS.cfg
/etc/rc0.d/K51utacleanup
/etc/rc1.d/K51utacleanup
/etc/rc2.d/S51utacleanup
/etc/rcS.d/K51utacleanup
/opt/SUNWut/bin/utselect
/opt/SUNWut/etc/template/ldap/utdsd.acl.conf
/opt/SUNWut/lib/firmware/CoronaP1
/opt/SUNWut/lib/firmware/CoronaP2
/opt/SUNWut/lib/firmware/CoronaP3
/opt/SUNWut/lib/firmware/CoronaP4
/opt/SUNWut/lib/firmware/CoronaP5
/opt/SUNWut/lib/firmware/CoronaP6
/opt/SUNWut/lib/firmware/CoronaP7
/opt/SUNWut/lib/firmware/CoronaP8
/opt/SUNWut/lib/firmware_gui/CoronaP1
/opt/SUNWut/lib/firmware_gui/CoronaP2
/opt/SUNWut/lib/firmware_gui/CoronaP3
/opt/SUNWut/lib/firmware_gui/CoronaP4
/opt/SUNWut/lib/firmware_gui/CoronaP5
/opt/SUNWut/lib/firmware_gui/CoronaP6
/opt/SUNWut/lib/firmware_gui/CoronaP7
/opt/SUNWut/lib/firmware_gui/CoronaP8
/opt/SUNWut/lib/ifdh_scbus.so.1
/opt/SUNWut/lib/libsimpleRun.so
/opt/SUNWut/lib/libusbut.so.1
/opt/SUNWut/lib/libutadmin.so.1
/opt/SUNWut/lib/libutgrpmgr.so
/opt/SUNWut/lib/libutinfo.so.1
/opt/SUNWut/lib/pam_sunray_amgh.so.1
/opt/SUNWut/lib/utati
/opt/SUNWut/lib/utatilu
/opt/SUNWut/lib/utaudiod
/opt/SUNWut/lib/utauthd.jar
/opt/SUNWut/lib/utdevmgrd
/opt/SUNWut/lib/utdmevent
/opt/SUNWut/lib/utdmsession
/opt/SUNWut/lib/utdsupdate
/opt/SUNWut/lib/utkeyvet
/opt/SUNWut/lib/utprop
/opt/SUNWut/lib/utresexec
/opt/SUNWut/lib/utseriald
/opt/SUNWut/lib/xmgr/dtlogin/notify
/opt/SUNWut/lib/yuvfile
/opt/SUNWut/sbin/utadm
/opt/SUNWut/sbin/utatiscrub
/opt/SUNWut/sbin/utconfig
/opt/SUNWut/sbin/utgmtarget
/opt/SUNWut/sbin/utgroupsig
/opt/SUNWut/sbin/utreplica
/opt/SUNWut/sbin/utuser
/opt/SUNWut/share/man/man1m/utatiscrub.1m
/opt/SUNWut/share/man/man1m/utgmtarget.1m
/opt/SUNWut/share/man/man1m/utgroupsig.1m
/opt/SUNWut/share/man/man1m/utuser.1m
/opt/SUNWut/share/man/man3/ut_amgh_script_interface.3
/opt/SUNWut/share/man/man3/ut_ati_script_interface.3
/opt/SUNWut/share/man/man4/auth.props.4
/opt/SUNWutref/ati/utatiref_script
/usr/openwin/server/modules/ddxSUNWsunray.so.1

Problem Description:

6578775 Safesign app + PCSC Lite + JCOP-XX smart card + correct PIN = keypair/keyset not found error
6672502 utaudiod has resource leaks
6706607 utsession -k can cause 26 D icons
6727792 utseriald denies access to device after server switch
6730822 utauthd does not notice that sessions have been disconnected in certain circumstances
6739397 Add callme device allocation back into Sun Ray smart card IFD handler.
6740687 utdmsession can expose sensitive data
6745120 Sun Ray 2FS hangs at 26D (Xsun) or is black (Xnewt) when the resolution is set to 640x480
6747622 LAN-connected Sun Rays can't redirect to a server when its primary IP address is not reachable
6756504 Sun Ray doesn't know how to handle a request for 2 consecutive tokens from an ASA with RSA back end.
6760323 Entering any prompting dialog causes locks to be reset
6773304 PIX gateways no longer work for VPN with Sun Ray because of ID type change
6775532 Xnewt dumping core due to a divide by zero error.
6781604 AMGH fails on Sun Rays when server's Primary IP address is unreachable (sim. to CR#6747622)
6785797 Sun Ray firmware needs expanded network definition options
6786835 Need support for Siemens CardOS API 2.5 middleware added to PC/SC-Lite
6788938 4.1 utauthd has a crash and redirect issue.
6800187 utauthd in SRSS 4.0 on S10/TX appears to leave a number of defunct processes and open ports
6808910 Netscreen VPN connections don't come up if the gateway's version ID is not recognized.
6812067 Sun Ray VPN doesn't support AES 192 and 256 bit key sizes.
 
(from 127554-05)
 
6699511 Xsun hangs with OSD 26 on Sun Ray DTU with large time on poll() if under VMware and high speed net
6749640 Desire a way to use token data external to SRSS to control FOG session access
6754138 utuser deprecated "-k" (and -xdisplay and -tokenid) options should be eliminated
 
(from 127554-04)
 
6504027 Support smartcard configuration file for smartcards of type GD-STARCOS 3.0
6513377 Ctrl+Pause+cursor shortcuts for local volume control don't work
6616994 LDAP password exposed during configuration using utconfig
6618056 utgroupsig should read from stdin and write to stdout/stderr to allow utconfig to be scripted
6659871 Access restrictions need improvements
6667384 2FS doesn't receive second monitor utresadm override if DDC failed on second monitor
6672145 Lots of packets are dropped with the server port set to gigabit Ethernet through some switches
6674773 Remove spurious failure message from internal smart card reader IFD handler
6677259 Finnish ID card is not recognized on Sun Ray 2 on SRSS 4.0 (but is on Sun Ray 270)
6682321 Sunray 2FS not able to use second display with new Samsung monitors
6685185 Sun Ray VPN connection to Cisco ASA gateway doesn't rekey properly
6694424 Unitech barcode reader fails to work with Sun Ray
6716667 Sun Ray internal reader IFD Handler not able to allocate smart card reader in busy networks
6720776 Sun Ray 2s at low bandwidth suffer high packet losses
6721043 Maximum X server bandwidth is limited when high resolution clock tick is enabled.
6726120 Maximum rendering bandwidth use is throttled when hires timer is set.
6730748 Sun Ray DTU can't resolve hostnames
6737449 SYN|ACK retry during TCP passive open is broken
6738725 hotdesking and group manager does not appear to work w/ DTU's on multiple subnets when vni is used
 
(from 127554-03)
 
6625491 Running utadm -A on TX w/ vni config'd FAILS
6671517 SRSS failover groups (FOG) not working properly when group members are defined as CIPSO on TX
6675678 readdir_r parameters need storage allocation
6689004 Sun Ray datastore integration for group manager unicast target list
6689682 man page updates for group manager unicast target feature
 
(from 127554-02)
 
6542450 Sun Ray DTU responds to ping even if IP address is incorrect
6554391 DTU IFD handler should use oscompat library functions for portability.
6583348 Sun Ray: Apple Mighty Mouse vertical scroll not functioning properly
6609317 libusb's usb_bulk_read() doesn't return an error when a CCID reader is removed.
6622089 pcscd instance Core dump is seen once on Solaris 10 X86
6623150 TCSETA / TCSETAW / TCSETAF not supported on Sun Ray serial subsystem
6625203 External smartcard reader does not get detected in a hotdesked session
6626955 uttsc exited  with error messages with PCSClite 1.1 _01 after multiple hotdesks
6629028 uttsc exited with error messages and PCSC core dump after rebooting DTU.
6630054 xmgr/dtlogin/notify needs to defend against corrupted dtlogin PID file
6632737 IFD handler RDD low-level I/O should be re-startable after disruption
6636671 If a Sun Ray terminal gets TFTPsrvN (option 66) it should try sunray-config-servers if this fails
6638831 ifd handler should log clear reasons for init failure to syslog
6641754 Sun Ray 2/2FS/270 smart card readers sometimes drop bytes at bauds greater than 9600.
6645003 svcevts.c`svc_finder_add() has bug in sessid keyword
6645009 libusb has problems with release_interface() after detach
6645010 libusb needs to be made session-based hotdesking aware
6655178 Smartcard Philips SmartMX doesn't work anymore in SRSS4.0
6662969 keyboard hangs on lossy network
 
(from 127554-01)
 
6407231 Sun Ray USB implementation does not present bcdDevice value in BCD
6492879 Typo in description of SUNWutfw rpm
6573093 1400x1050 res doesn't work if native panel resolution
6587725 uttsc hangs (up to 2 min) on multiple hotdesking while smart card LED is glowing
6592372 channels switch when playing audio on SR2FS and SR2 DTUs
6596045 Audio record not working on 4.0 b48 on Sun Ray 2 family
6596686 DDR2 graphics memory support needed for future SR2, SR270 boards
6600065 SRSS libusb improperly blocks root from accessing DTU's USB devices
6605645 SRSS 4.0 network bandwidth is much higher than 3.1.1
6607591 Use the Sun Ray Data Store (SRDS) to host the VDA configuration
6610233 Sun Ray firmware problem with 2048bit key
6612710 Scbus IFD handler mishandles T=1 APDUs with no return data.
6623818 Firmware load prevented by barrier on new SR270 DTUs
 
Detailed Installation Steps
---------------------------
 
1. Suppress firmware downloads
 
	If the server being patched is not a member of a Sun Ray
	failover group you should skip this step.
 
	If the server being patched is a member of a Sun Ray failover
	group then this step is optional but is strongly recommended.
 
	At Patch Installation
	---------------------
 
	    Before adding this patch to servers configured into a Sun
	    Ray failover group we advise that you disable Sun Ray
	    firmware delivery from all unpatched hosts in the failover
	    group.  On each host in the group:
 
		For config parameters (.parms) file:
 
		    $ /opt/SUNWut/sbin/utfwadm -D -a -V
 
		For dedicated network interconnects:
 
		    $ /opt/SUNWut/sbin/utfwadm -D -a -n all
 
		For shared subnetwork interconnects:
 
		    $ /opt/SUNWut/sbin/utfwadm -D -a -N all
 
	    Do this only one time, before adding this patch to any
	    server in the group.
 
	    The purpose of this step is to prevent unpatched servers
	    from offering old firmware to Sun Ray appliances.
 
	At Patch Removal
	----------------
 
	    Before removing this patch from servers configured into a
	    Sun Ray failover group we advise that you disable firmware
	    delivery from any hosts in the failover group that have
	    this patch installed.  On each already-patched host in the
	    group:
 
		For dedicated network interconnects:
 
		    $ /opt/SUNWut/sbin/utfwadm -D -a -n all
 
		For shared subnetwork interconnects:
 
		    $ /opt/SUNWut/sbin/utfwadm -D -a -N all
 
		For config parameters (.parms) file:
 
		    $ /opt/SUNWut/sbin/utfwadm -D -a -V
 
	    Do this only one time, before removing this patch from any
	    of the already-patched servers in the group.
 
	    The purpose of this step is to prevent already-patched
	    servers from offering new firmware to Sun Ray appliances.
 
	    If this patch is being removed from a Sun Ray failover group
	    then omitting this step may result in increased restart
	    times for your Sun Ray appliances.  (A mixture of patched
	    and unpatched servers advertising conflicting firmware
	    versions may cause the appliance to download new firmware
	    each time it restarts.  The appliance automatically
	    restarts itself after downloading fresh firmware so its
	    overall restart cycle is longer in that case.  The
	    appliance may restart itself several times before
	    establishing or reconnecting to a session.)  The Sun Ray
	    restart time will return to normal once the patch has been
	    removed from all servers in the failover group.
 
 
2. Stopping Sun Ray services and login sessions
 
	Before the addition or removal of this patch to a Sun Ray server
	all users should be logged out of their Sun Ray sessions.
 
	Stop the Sun Ray services using the following commands:
 
                $ /etc/init.d/utstorage stop
                $ /etc/init.d/utsvc stop
 
	These commands will terminate any Sun Ray sessions that were not
	already logged out.
 
	Next, use the instructions outlined below in the section
	"Patch Installation Instructions" for the addition or removal
	of this patch.
 
3. Rebooting the Sun Ray server
 
	 The Sun Ray server must be rebooted after the addition or removal
	 of the patch.
 
4. Enable firmware downloads
 
	After the addition or removal of this patch on all Sun Ray
	servers in a failover group, enable firmware downloads
	using one of the following methods:
 
	1) If all Sun Ray servers in the failover group provide default
	   (non GUI) firmware downloads run this command on one of the servers:
 
		$ /opt/SUNWut/sbin/utfwsync
 
	   After which the Sun Ray DTU's will reboot themselves and load
	   the new firmware.
 
	2) If only some of the Sun Ray servers in the failover group provide
	   firmware downloads to the DTU's, run the following command
	   on the servers that do provide firmware:
 
	   For default (non GUI) firmware.
 
		For dedicated network interconnects:
 
		  $ /opt/SUNWut/sbin/utfwadm -A -a -n all
 
		For shared subnetwork interconnects:
 
		  $ /opt/SUNWut/sbin/utfwadm -A -a -N all
 
	   For GUI firmware.
 
		For dedicated network interconnects:
 
		  $ /opt/SUNWut/sbin/utfwadm -A -a -n all -f \
		    /opt/SUNWut/lib/firmware_gui
 
		For shared subnetwork interconnects:
 
		  $ /opt/SUNWut/sbin/utfwadm -A -a -N all -f \
		    /opt/SUNWut/lib/firmware_gui
 
	3) Upgrading firmware via the config parameter (.parms) file
 
	   For default (non GUI) firmware.
 
		  $ /opt/SUNWut/sbin/utfwadm -A -a -V
 
	   For GUI firmware.
 
		  $ /opt/SUNWut/sbin/utfwadm -A -a -V -f \
		    /opt/SUNWut/lib/firmware_gui
 
	   Then restart services on all servers in the failover group by
	   executing the following command on a server in the group:
 
		  $ /opt/SUNWut/sbin/utfwsync -d 
 
5. Optionally increase system clock frequency
 
	The fix for CR 6672145 improves the performance of some switches
	that drop a lot of packets when the downlink from the server is
	run at 1 Gbps. For the fix to be effective, the clock frequency
	on the server has to be increased. 
	This is accomplished by adding the following line to /etc/system:
 
		set hires_tick = 1
 
	and rebooting the server. To confirm that the change has taken
	effect, "getconf CLK_TCK" should print a value of 1000.
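
The check in step 5 can be scripted so that a server that was edited but not yet rebooted is told apart from one where the setting is live. This is an added example, not part of the original README; the function name and the state labels are hypothetical.

```shell
#!/bin/sh
# Added example: classify the hires_tick state of a Sun Ray server.
# Usage: hires_tick_state [system_file] [clk_tck]
#   system_file defaults to /etc/system, clk_tck to `getconf CLK_TCK`.
hires_tick_state() {
    sysfile=${1:-/etc/system}
    tck=${2:-$(getconf CLK_TCK)}

    # Only active "set hires_tick = N" lines match; comment lines (which
    # start with '*' or '#') do not. Assumption: if the setting appears
    # more than once, the last occurrence is the one that counts.
    val=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}hires_tick[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*$/\1/p' \
          "$sysfile" 2>/dev/null | tail -1)

    if [ -n "$val" ] && [ "$val" -ne 0 ]; then
        configured=yes
    else
        configured=no
    fi

    # 1000 is the CLK_TCK value the README gives for an active setting.
    case "$configured:$tck" in
        yes:1000) echo active ;;
        yes:*)    echo pending-reboot ;;
        no:1000)  echo active-but-not-persistent ;;
        *)        echo not-configured ;;
    esac
}
```

A result of pending-reboot means the line is in the file but the kernel is still running at the old tick rate, so the fix for CR 6672145 is not yet effective.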


Patch Installation Instructions:
-------------------------------- 
Refer to the man pages for instructions on using 'patchadd' and 'patchrm'
scripts provided with Solaris.  Any other special or non-generic installation
instructions should be described below as special instructions.  The following
example installs a patch to a standalone machine:
 
	example# patchadd /var/spool/patch/<patchid-rev>
 
The following example removes a patch from a standalone system:
 
	example# patchrm <patchid-rev>
 
patchadd may give some messages while installing on a system
with zones.  To suppress these messages "-G" option can be used.
 
	example# patchadd -G /var/spool/patch/<patchid-rev>
 
For additional examples please see the appropriate man pages.


Special Install Instructions:
----------------------------- 
NOTE 1: This patch is for the Sun Ray Core Services 4.0 component
that is part of Sun Ray Server Software 4.0.
 
NOTE 2: This SRSS patch does not support Live Upgrade.  Please do not
install this patch via live upgrade.
 
NOTE 3: The DTU firmware delivered in this patch has an increased
downgrade "barrier" of '325' to prevent accidental downgrades to
firmware from earlier releases.  If you wish to revert a unit back to an
earlier release of firmware after upgrading to this version of firmware,
please see the admin guide for information on overriding the
barrier/barrierLevel mechanism.
 
NOTE 4: Be sure to install the latest Kiosk 4.0 patch 128166 on your system.
 
NOTE 5: The DTU firmware delivered in this patch has the following version
identification string
 
    4.1_139548-02_2009.05.13.18.59
    GUI4.1_139548-02_2009.05.13.18.59
 
Required Patches
----------------
 
Warnings & Errors
-----------------
** WARNING: This patch should only be applied to systems which have
	    Sun Ray Server Software 4.0 fully installed.
	    Do not attempt to add this patch to the UFS image to be
	    applied as part of the install process.
 
Post-Patch Installation Notes:
------------------------------
 
    Updated Smartcard Config Files
 
    	The fix for 6504027 (Support smartcard configuration file for smartcards
    	of type GD-STARCOS 3.0) that is included with this patch provides an
    	updated GD-STARCOS.cfg smartcard config file. This file provides support
    	for using the G&D (Giesecke & Devrient) STARCOS SPK 3.0 smartcard for
    	Sun Ray session mobility. This card type has not been tested for any
    	other use on Sun Ray. Specifically PIN/PKI login and other cryptographic
    	operations that this card can perform have not been tested on Sun Ray.
    	Such uses of this card type are unsupported.
 
	If you maintain your smartcard configuration files on the local Sun Ray
	server, then no action is necessary after installation of this patch and
	reboot. If you maintain your smartcard configuration files in the Sun
	Ray Data Store (DS), you will need to update the DS with this updated
	version of the GD-STARCOS.cfg file after installation of this patch and
	reboot. You can update the DS with this updated config file using the
	"utcard" CLI or via the Sun Ray Administration GUI.
 
    Automated Token Importation (ATI)
 
	A feature has been added in this patch which allows
	controlling session access based on information stored in
	customer data sources.  In addition to man pages delivered
	with this patch, a description has been added to the
	Sun Ray Server Software 4.0 Release Notes available at:
	Solaris: http://docs.sun.com/app/docs/doc/820-0417
	Linux:   http://docs.sun.com/app/docs/doc/820-0418
 
    Regression fix for Cisco PIX gateways
 
	Sun Ray firmware for this patch is drawn from the SRSS 4.1
	patch release.  The addition of support for the Netscreen
	family of VPN gateways in the SRSS 4.1 release caused the Cisco
	PIX family of VPN gateways to stop working, though ASA and 3000
	series continue to function correctly. Unfortunately, the fix
	for this requires that the VPN configuration now include an
	item to specify what type of VPN gateway the Sun Ray will be
	connecting to. This configuration can be done using the local
	GUI tool available on the Sun Ray, or through the download of a
	configuration file, using the "Download Configuration" option
	of the GUI tool. A couple of other useful options have been
	added to the VPN configuration, including the PFS group to use,
	the IPsec phase 2 lifetime, and a switch to enable Dead Peer
	Detection. (Dead Peer Detection was also introduced in SRSS
	4.1, and was on by default. Unfortunately, having it enabled
	also causes the PIX gateways to fail, so it must be disabled
	for PIX.)
 
	The new values in the configuration file use these keywords and
	value types:
 
	vpn.peertype    integer/string  (0 or "cisco" = Cisco,
					1 or "netscreen" = Netscreen)
	vpn.pfsgroup    integer         Diffie-Hellman group for Perfect
					Forward Secrecy
	vpn.ipsectime   integer         IPsec SA lifetime for phase 2 proposals
					in seconds
	vpn.dpdswitch   integer         non-zero -> enable DPD
 
	Other than the peertype, these values may also be set using the
	"Advanced" submenu of the VPN configuration menu.
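
A downloaded configuration file can be linted against the keyword table and the PIX constraints described above before it is published to the DTUs. This is an added example, not part of the original README or of Sun Ray Server Software; it assumes one key=value pair per line with '#' comments (the README does not state the file syntax), and the function names, gateway labels and sample values are hypothetical.

```shell
#!/bin/sh
# Added example, not Sun/Oracle code. Assumptions: one key=value pair per
# line, '#' starts a comment, values may be quoted, and the administrator
# names the gateway family as pix, cisco (ASA / 3000 series) or netscreen.

# lint_vpn_config FILE GATEWAY: print one finding per line, return 1 if any.
lint_vpn_config() {
    file=$1; gateway=$2
    peertype=; dpd=; rc=0
    # Strip comments, whitespace and optional quotes before parsing.
    cleaned=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/"//g' "$file")
    while IFS='=' read -r key value; do
        case $key in
        vpn.peertype)
            case $value in
            0|cisco)     peertype=cisco ;;
            1|netscreen) peertype=netscreen ;;
            *) peertype=invalid
               echo "vpn.peertype: unknown value '$value'"; rc=1 ;;
            esac ;;
        vpn.pfsgroup|vpn.ipsectime|vpn.dpdswitch)
            case $value in
            ''|*[!0-9]*)
                echo "$key: expected an integer, got '$value'"; rc=1 ;;
            *)  if [ "$key" = vpn.dpdswitch ]; then dpd=$value; fi ;;
            esac ;;
        esac
    done <<EOF
$cleaned
EOF
    if [ -z "$peertype" ]; then
        echo "vpn.peertype: not set, the gateway type must be specified"; rc=1
    elif [ "$peertype" != invalid ]; then
        case $gateway in
        pix|cisco) want=cisco ;;
        *)         want=$gateway ;;
        esac
        if [ "$peertype" != "$want" ]; then
            echo "vpn.peertype: is $peertype, gateway is $gateway"; rc=1
        fi
    fi
    if [ "$gateway" = pix ]; then
        # The README says PIX gateways fail while DPD is enabled.
        if [ -z "$dpd" ]; then
            echo "vpn.dpdswitch: not set, DPD must be disabled for PIX"; rc=1
        elif [ "$dpd" -ne 0 ]; then
            echo "vpn.dpdswitch: DPD is enabled, PIX gateways fail with it on"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample: a PIX deployment that left DPD switched on.
sample_config() {
    cat <<'EOF'
# constructed sample values, not taken from the README
vpn.peertype  = "cisco"
vpn.pfsgroup  = 2
vpn.ipsectime = 28800
vpn.dpdswitch = 1
EOF
}
```

Run against the sample with the gateway given as pix, the linter reports the enabled DPD switch; the same file passes for an ASA or 3000 series gateway.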


README -- Last modified date: Saturday, November 10, 2012