|
HP TCP/IP Services for OpenVMS Release Notes
3.14 SNMP problems and restrictions
This section describes restrictions to the SNMP component for this
release. For more information about using SNMP, refer to the
HP TCP/IP Services for OpenVMS SNMP Programming and Reference manual.
3.14.1 Incomplete restart
When the SNMP master agent and subagents fail or are stopped,
TCP/IP Services is often able to restart all processes automatically.
However, under certain conditions, subagent processes may not restart.
When this happens, the display from the DCL command SHOW SYSTEM does
not include TCPIP$OS_MIBS and TCPIP$HR_MIB. If this situation occurs,
restart SNMP by entering the following commands:
$ @SYS$STARTUP:TCPIP$SNMP_SHUTDOWN.COM
$ @SYS$STARTUP:TCPIP$SNMP_STARTUP.COM
|
3.14.2 SNMP IVP error
On slow systems, the SNMP Installation Verification Procedure can fail
because a subagent does not respond to the test query. The error
messages look like this:
.
.
.
Shutting down the SNMP service... done.
Creating temporary read/write community SNMPIVP_153.
Enabling SET operations.
Starting the SNMP service... done.
SNMPIVP: unexpected text in response to SNMP request:
"- no such name - returned for variable 1"
See file SYS$SYSDEVICE:[TCPIP$SNMP]TCPIP$SNMP_REQUEST.DAT for more
details.
sysContact could not be retrieved. Status = 0
The SNMP IVP has NOT completed successfully.
SNMP IVP request completed.
Press Return to continue ...
|
You can ignore these types of messages in the IVP.
3.14.3 Using existing MIB subagent modules
If an existing subagent does not execute properly, you may need to
relink it against the current version of TCP/IP Services to produce a
working image. Some subagents (such as those for HP Insight Management
Agents for OpenVMS) also require a minimum version of OpenVMS and a
minimum version of TCP/IP Services.
The following restrictions apply:
- In general, only executable images linked against the following
versions of the eSNMP shareable image are upward compatible with the
current version of TCP/IP Services:
- UCX$ESNMP_SHR.EXE from TCP/IP Services Version 4.2 ECO 4
- TCPIP$ESNMP_SHR.EXE from TCP/IP Services Version 5.0A ECO 1
Images built under versions other than these can be relinked with
one of the shareable images, or with TCPIP$ESNMP_SHR.EXE in the current
version of TCP/IP Services.
- The underlying eSNMP API changed from DPI in TCP/IP Services
Version 5.0 to AgentX in later versions of TCP/IP Services. Therefore,
executable images linked against older object library versions of the
API (*$ESNMP.OLB) must be relinked against either the new object
library or the new shareable image. Linking against the shareable image
ensures future upward compatibility and results in smaller image sizes.
Note
Although images may run without being relinked, backward compatibility
is not guaranteed. Such images can result in inaccurate data or
run-time problems.
|
- This version of TCP/IP Services provides an updated version of the
UCX$ESNMP_SHR.EXE shareable image to provide compatibility with
subagents linked under TCP/IP Services Version 4.2 ECO 4. Do not delete
this file.
- The SNMP server responds correctly to SNMP requests directed to a
cluster alias. Note, however, that an unexpected host may be reached
when querying from a TCP/IP Services Version 4.x system that
is a member of a cluster group but is not the current impersonator.
- The SNMP master agent and subagents do not start if the value of
the logical name TCPIP$INET_HOST does not yield the IP address of a
functional interface on the host when used in a DNS query. This problem
does not occur if the server host is configured correctly with a
permanent network connection (for example, Ethernet or FDDI). The
problem can occur when a host is connected through PPP and the IP
address used for the PPP connection does not match the IP address
associated with the TCPIP$INET_HOST logical name.
- Under certain conditions observed primarily on OpenVMS VAX systems,
the master agent or subagent exits with an error from an internal
select()
socket call. In most circumstances, looping does not occur. If looping
occurs, you can control the number of iterations by defining the
TCPIP$SNMP_SELECT_ERROR_LIMIT logical name.
- The MIB browser provided with TCP/IP Services
(TCPIP$SNMP_REQUEST.EXE) supports
getnext
processing of OIDs that include the 32-bit OpenVMS process ID as a
component. However, other MIB browsers may not provide this support.
For example, the following OIDs and values are supported on OpenVMS:
1.3.6.1.2.1.25.4.2.1.1.1321206828 = 1321206828
1.3.6.1.2.1.25.4.2.1.1.1321206829 = 1321206829
1.3.6.1.2.1.25.4.2.1.1.1321206830 = 1321206830
|
These examples are from
hrSWRunTable
; the
hrSWRunPerfTable
may be affected as well.
- You can ignore the following warning that appears in the log file
if a null OID value (0.0) is retrieved in response to a
Get
,
GetNext
, or
GetBulk
request:
o_oid; Null oid or oid->elements, or oid->nelem == 0
|
3.14.4 Upgrading SNMP
After upgrading to the current version of TCP/IP Services, you must
disable and then enable SNMP using the TCPIP$CONFIG.COM command
procedure. When prompted for "this node" or "all
nodes," select the option that reflects the previous configuration.
3.14.5 Communication controller data not completely updated
When you upgrade TCP/IP Services and then modify an existing
communication controller, programs that use the communication
controller might not have access to the updated information.
To ensure that programs like the MIB browser (SNMP_REQUEST) have access
to the new data about the communication controller, do the following:
- Delete the communication controller using the TCP/IP management
command DELETE COMMUNICATION_CONTROLLER.
- Reset the communication controller by running the TCPIP$CONFIG.COM
command procedure and exiting.
- Restart the program (such as SNMP) by entering the following
commands:
$ @SYS$STARTUP:SNMP_SHUTDOWN.COM
$ @SYS$STARTUP:SNMP_STARTUP.COM
|
- Use the TCP/IP management command LIST COMMUNICATION_CONTROLLER to
display the information.
3.14.6 SNMP MIB browser usage
If you use either the
-l
(loop mode) or
-t
(tree mode) flag, you cannot also specify the
-m
(maximum repetitions) flag or the
-n
(nonrepeaters) flag. The latter flags are incompatible with loop mode
and tree mode.
Incorrect use of the
-n
and
-m
flags results in the following types of messages:
$ snmp_request mynode.co.com public getbulk -v2c -n 20 -m 10 -t 1.3.6.1.2.1
Warning: -n reset to 0 since -l or -t flag is specified.
Warning: -m reset to 1 since -l or -t flag is specified.
1.3.6.1.2.1.1.1.0 = mynode.company.com
|
3.14.7 Duplicate subagent identifiers
With this version of TCP/IP Services, two subagents can have the same
identifier parameter. Be aware, however, that having two subagents with
the same name makes it difficult to determine the cause of problems
reported in the log file.
3.14.8 Community name restrictions
The following restrictions on community names are imposed by
TCPIP$CONFIG.COM:
- Do not specify community names that include a space character.
- A quotation mark (") specified as part of a community name might be
handled incorrectly. Check the validity of the name with the SHOW
CONFIGURATION SNMP command, and if necessary, correct the name with the
SET CONFIGURATION SNMP command.
3.14.9 eSNMP programming and subagent development
The following notes pertain to eSNMP programming and subagent
development.
- In the documentation, the terms "extension subagent",
"custom subagent", and "user-written subagent"
refer to any subagent other than the standard subagents for MIB-II and
the Host Resources MIB, which are provided as part of the TCP/IP
Services product.
- In the [.SNMP] subdirectory of TCPIP$EXAMPLES, files with the .C,
.H, .COM, .MY, and .AWK extensions contain additional comments and
documentation.
- The TCPIP$SNMP_REQUEST.EXE, TCPIP$SNMP_TRAPSND.EXE, and
TCPIP$SNMP_TRAPSND.EXE programs are useful for testing during extension
subagent development.
- For information about prototypes and definitions for the routines
in the eSNMP API, see the TCPIP$SNMP:ESNMP.H file.
3.14.10 SNMP installation verification program restriction
The SNMP Installation Verification Program will not run correctly if
debug
or
trace
options are turned on for any TCP/IP Services for OpenVMS component.
For example, including the line:
in
TCPIP$ETC:RESOLV.CONF
results in unsuccessful completion status.
The problem also exists if socket tracing is turned on and directed to
SYS$OUTPUT
with the following command:
$ DEFINE TCPIP$SOCKET_TRACE SYS$OUTPUT
|
The additional output produced by these and other
debug
or
trace
options can cause problems with the SNMP IVP because it was designed to
parse output from a standard configuration only.
Note
To run the SNMP IVP test either run the program directly:
$ RUN SYS$SYSROOT:[SYSTEST.TCPIP]TCPIP$SNMPIVP.EXE
|
or execute the TCPIP configuration menu:
$ @SYS$MANAGER:TCPIP$CONFIG
|
and then select option "7 - Run tests" and then option "2 - SNMP IVP".
|
3.15 SSH problems and restrictions
This section contains the following information:
Note
References to SSH, SCP, or SFTP commands also imply SSH2, SCP2, and
SFTP2, respectively.
|
3.15.1 SSH-Related security advisories
Computer Emergency Readiness Team (CERT®) advisories are issued by
the CERT Coordination Center (CERT/CC), a center of Internet security
expertise located at the Software Engineering Institute, a
federally-funded research and development center operated by Carnegie
Mellon University. CERT advisories are a core component of the
Technical Cyber Security Alerts document featured by the United States
Computer Emergency Readiness Team (US-CERT), which provides timely
information about current security issues, vulnerabilities, and
exploits.
CERT and HP Software Security Response Team (SSRT) security advisories
might be prompted by SSH activity. CERT advisories are documented at
the following CERT/CC web site:
http://www.cert.org/advisories.
|
Table 3-1 provides brief interpretations of several SSH-related
advisories:
Table 3-1 CERT/SSRT Network Security Advisories
Advisory |
Impact on OpenVMS |
CERT CA-2003-24
|
OpenSSH only; OpenVMS is not vulnerable.
|
CERT CA-2002-36
|
A worst case consequence of this vulnerability is a denial of service
(DoS) for a single connection of one of the following types:
- Server process handling a connection from a malicious client
- Client process connecting to a malicious server
In either case, a malicious remote host cannot gain access to the
OpenVMS host (for example, to execute arbitrary code), and the OpenVMS
server is still able to receive a new connection.
|
CERT-2001-35
|
OpenVMS is not vulnerable. Affects SSH Version 1 only, which is not
supported.
|
CERT CA-1999-15
|
RSAREF2 library is not used; OpenVMS is not vulnerable.
|
SSRT3629A/B
|
OpenVMS is not vulnerable.
|
3.15.2 SSH general notes and restrictions
This section includes general notes and restrictions that are not
specific to a particular SSH application.
- The UNIX path
/etc
is interpreted by the OpenVMS SSH server as
TCPIP$SSH_DEVICE:[TCPIP$SSH].
- The following images are not included in this release:
- TCPIP$SSH_SSH-CERTENROLL2.EXE
This image provides certificate
enrollment.
- TCPIP$SSH_SSH-DUMMY-SHELL.EXE
This image provides access to
systems where only file transfer functionality is permitted.
- TCPIP$SSH_SSH-PROBE2.EXE
This image provides the
ssh-probe2
command, which sends a query packet as a UDP datagram to servers and
then displays the address and the SSH version number of the servers
that respond to the query.
3.15.3 UNIX features that are not supported by SSH
This section describes features that are expected in a UNIX environment
but are not supported by SSH for OpenVMS.
- The server configuration parameter
PermitRootLogin
is not supported.
- The client configuration parameter
EnforceSecureRutils
is not supported.
- There is no automatic mapping from the UNIX ROOT account to the
OpenVMS SYSTEM account.
- The SSH1 protocol suite is not supported for terminal sessions,
remote command execution, and file transfer operations. Parameters
unique to SSH1 in the server and client configuration files are ignored.
3.15.4 SSH command syntax
This section includes notes and restrictions pertaining to command
syntax.
- From a non-OpenVMS client, if you use OpenVMS syntax for names
(such as device names), enclose the names in single quotation marks to
prevent certain characters from being interpreted as they would be on a
UNIX system.
For example, in the following command, UNIX interprets
the dollar sign ($) as a terminator in the device name
SYS$SYSDEVICE:[user], resulting in SYS:[user].
# ssh user@vmssystem directory SYS$SYSDEVICE:[user]
|
To avoid this problem, enter the command using the following format:
# ssh user@vmssystem directory 'SYS$SYSDEVICE:[user]'
|
3.15.5 SSH authentication
This section includes notes and restrictions pertaining to SSH
authentication.
- The location of the SHOSTS.EQUIV file has been moved from
TCPIP$SSH_DEVICE:[TCPIP$SSH] to TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2].
- If hostbased authentication does not work, the SSH server may have
failed to match the host name sent by the client with the one it finds
in DNS/BIND. You can check whether this problem exists by comparing the
output of the following commands (ignoring differences in case of the
output text):
- On the server host:
$ TCPIP
TCPIP> SHOW HOST client-ip-address
|
- On the client host:
$ write sys$output -
$_ "''f$trnlnm("TCPIP$INET_HOST")'.''f$trnlnm("TCPIP$INET_DOMAIN")'"
|
If the two strings do not match, you should check the host name
and domain configuration on the client host. It may be necessary to
reconfigure and restart TCP/IP Services on the client host.
- If the user default directory in the SYSUAF user record is
specified with angle brackets (for example, <user-name>)
instead of square brackets ([user-name]), hostkey
authentication fails. To solve this problem, change the user record to
use square brackets.
- The pairing of user name and UIC in the OpenVMS rights database, as
displayed by the AUTHORIZE utility's SHOW /IDENTIFIER command, must
match the pairing in the SYSUAF record for that user name. If the
pairings do not match, the following message error is displayed when
the user attempts to establish an SSH session:
$ ssh hosta
%SYSTEM-F-ACCVIO, access violation, reason mask=00,
virtual address=000000000000 0000, PC=FFFFFFFF811A88E8, PS=0000001B
Improperly handled condition, image exit forced.
Signal arguments: Number = 0000000000000005
Name = 000000000000000C
0000000000000000
0000000000000000
FFFFFFFF811A88E8
000000000000001B
Register dump:
R0 = FFFFFFFFFFFFFFFE R1 = 0000000000495D08 R2 = 000000000001DEE0
R3 = 00000000004ABE18 R4 = 0000000000000000 R5 = 0000000000000000
R6 = 0000000000000000 R7 = 0000000000000000 R8 = 0000000000000000
R9 = 0000000000000000 R10 = 0000000000000000 R11 = 00000000002F7C20
R12 = 0000000000000000 R13 = 0000000000498708 R14 = 00000000004EDF48
R15 = 000000007AECFE10 R16 = 0000000000000000 R17 = 0000000000000000
R18 = 0000000000000000 R19 = 000000007B624258 R20 = 0000000077770000
R21 = 0000000000000008 R22 = FFFFFFFF77774A00 R23 = 0000000300000000
R24 = 0000000000000001 R25 = 0000000000000001 R26 = 0000000000118A6C
R27 = 000000007C062700 R28 = 0000000000000000 R29 = 000000007ADEF290
SP = 000000007ADEF290 PC = FFFFFFFF811A88E8 PS = 100000000000001B
|
To solve this, use the AUTHORIZE utility to correct the pairing of
user name and UIC value in the OpenVMS rights database.
3.15.6 SSH keys
This section includes notes and restrictions pertaining to SSH keys.
- SSH client users can copy their own customized version of the
SSH2_CONFIG. file and modify the value of the variable
StrictHostKeyChecking
. By setting the value of this variable to "no," the user can
enable the client to automatically copy the public key (without being
prompted for confirmation) from an SSH server when contacting that
server for the first time.
A system manager can tighten security by
setting the
StrictHostKeyChecking
variable to "yes" in the systemwide SSH2_CONFIG. file, and
forcing users to use only the systemwide version of the file. In this
case, to copy the public key from the server, users (and the system
manager) must use another mechanism (for example, a privileged user can
manually copy the public key). To enforce this tighter security
response, the system manager can perform the following steps:
- Edit TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. to include the
following line:
StrictHostKeyChecking yes
|
- Restrict user access to TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG.
For example:
$ SET SECURITY/PROTECTION=(G,W) TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSH2_CONFIG.;
|
- Edit the SYS$STARTUP:TCPIP$SSH_CLIENT_STARTUP.COM command procedure
to install the SSH server image with the READALL privilege. In the
following example, change the existing line to the replacement line, as
indicated:
.
.
.
$ image = f$edit("sys$system:tcpip$ssh_ssh2.exe","upcase")
$! call install_image 'image' "" <== existing line
$ call install_image 'image' "readall" <== replacement
.
.
.
|
- Enable the SSH client, as described in the HP TCP/IP Services for OpenVMS Guide to SSH.
Note
Steps 2 and 3 involve modification of system files. Therefore, it may
be necessary to repeat the modifications after a future update of
TCP/IP Services.
|
- If you do not specify the key file in the SSH_ADD command, and
SSH_ADD finds no INDENTIFICATION. file, it adds only the first private
key it finds in the [username.SSH2] directory.
- Do not use the SSH_KEYGEN
-e
option (used to edit the comment or passphrase of the key). This option
does not work.
- With this release, the default size of keys generated by the
SSH_KEYGEN utility is 2048 bits (for earlier releases, the default size
was 1024 bits). Consequently, generation of keys takes longer ---
sometimes five to ten times longer. On slow systems, or during SSH
configuration, key generation may seem to be hanging when it is not. No
progress indicator is displayed. During SSH configuration, the
following messages indicate the keys are being generated:
Creating private key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY
Creating public key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB
|
Note
While the keys are being generated, you might notice a delay. This does
not indicate a hang.
|
|