Patch Name: PHSS_16761

Patch Description: s700_800 10.20 Praesidium/Security Service V1.0 Y2K cumul

Creation Date: 98/12/23

Post Date:  98/12/23

Hardware Platforms - OS Releases:
	s700: 10.20
	s800: 10.20

Products:
	B5406AA_APZ Praesidium/Security Service V1.0

Filesets:
	DESS-Core.DESS-CORE-RUN,B.10.20
	DESS-CoreAdmin.DESS-ACCT-MGR,B.10.20
	DESS-SEC-Srvr.DESS-SEC-SRVR,B.10.20
	DESS-SrvMonExt.DESS-SM-INTEG,B.10.20

Automatic Reboot?: No

Status: General Release

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHSS_16761

Symptoms:
	PHSS_16761:
	1.  Executing "dcecp>principal catalog" command with
	    cell name that does not exist followed by
	    "dcecp> errtext $_e" command dumps core.
	2.  dcecp memory leaks while modifying acls.
	3.  account manager mishandles ERA attrset with more
	    that one uuid
	4.  dced hangs on startup when "starton boot" servers
	    are configured
	5.  secd dumps core with too long names for principal,
	    which  results  in Denial of Service Attack.
	6.  dcecp dumps core when modifying acls of dced
	    objects in local mode
	7.  secd dumps core when client requests
	    authentication but with wrong password in a
	    keytab. This cumulates till the secd reaches the
	    maxdsize of about 70-80 MB and then cores.

	PHSS_16171:
	1. klist  display  of year  2000 and  beyond  is  incorrect.

	PHSS_7877:
	1. When configuring   an   initial   security   server using
	   dess_config, if the user enters something other than  the
	   default  cell_admin  password when  prompted,  the script
	   will fail and give an error on the "dcecp account create"
	   command to create the krb5 host account.  The error  that
	   dess_config  will  give  is  "Data integrity error"  from
	   dcecp. This patch fixes dess_config to allow the  user to
	   enter  something  other   than  the  default   cell_admin
	   password when prompted.
	2. The  dess_config  script does  not configure the Kerberos
	   beta 5  configuration  file, /etc/krb5.conf,   correctly.
	   More specifically, there is a missing "=" sign  in    the
	   domain_realm   section of the  configuration file.   This
	   patch   contains  a   fix to  dess_config  to  create the
	   Kerberos beta 5  configuration   file  with   the correct
	   contents.
	3. The  dess_pwd_strengthd   server  is not properly stopped
	   when the user selects "3. STOP - Stop   daemons" from the
	   dess_config menu. This problem is also seen by the system
	   shutdown    script,    init.d/dess,        where      the
	   dess_pwd_strengthd server is not  shut down automatically
	   when the   system is being shut down. This patch contains
	   a fix to properly shut down the dess_pwd_strengthd server
	   in both cases.
	4. If the number of    hosts    being discovered is big, the
	   Distributed  Enterprise/server  monitor (DE/sm) extension
	   for Praesidium/Security     Service  will cause the DE/sm
	   Discovery  engine  to abort. This patch contains a fix to
	   make the extension work with a large number of hosts.

Defect Description:
	PHSS_16761:
	1.  Executing "dcecp>principal catalog" command with
	    cell name that does not exist followed by
	    "dcecp> errtext $_e" command dumps core.
	2.  dcecp memory leaks while modifying acls.
	3.  account manager mishandles ERA attrset with more
	    that one uuid
	4.  dced hangs on startup when "starton boot" servers
	    are configured
	5.  secd dumps core with too long names for principal,
	    which  results  in Denial of Service Attack.
	6.  dcecp dumps core when modifying acls of dced
	    objects in local mode
	7.  secd dumps core when client requests
	    authentication but with wrong password in a
	    keytab. This cumulates till the secd reaches the
	    maxdsize of about 70-80 MB and then cores.

	PHSS_16171:
	1. klist  display  of year  2000 and  beyond  is  incorrect.

	PHSS_7877:
	1. When configuring  an   initial   security  server   using
	   dess_config, if the user enters something other than  the
	   default  cell_admin  password when  prompted,  the script
	   will fail and give an error on the "dcecp account create"
	   command to create the krb5 host account.  The error  that
	   dess_config  will  give  is  "Data integrity error"  from
	   dcecp. This patch fixes dess_config to allow the  user to
	   enter  something  other   than  the  default   cell_admin
	   password when prompted.
	2. The  dess_config  script does  not configure the Kerberos
	   beta 5  configuration  file, /etc/krb5.conf,   correctly.
	   More specifically, there is a missing "=" sign  in    the
	   domain_realm   section of the  configuration file.   This
	   patch   contains  a   fix to  dess_config  to  create the
	   Kerberos beta 5  configuration   file  with   the correct
	   contents.
	3. The  dess_pwd_strengthd   server  is not properly stopped
	   when the user selects "3. STOP - Stop   daemons" from the
	   dess_config menu. This problem is also seen by the system
	   shutdown    script,    init.d/dess,        where      the
	   dess_pwd_strengthd server is not  shut down automatically
	   when the   system is being shut down. This patch contains
	   a fix to properly shut down the dess_pwd_strengthd server
	   in both cases.
	4. If the number of    hosts    being discovered is big, the
	   Distributed  Enterprise/server  monitor (DE/sm) extension
	   for Praesidium/Security     Service  will cause the DE/sm
	   Discovery  engine  to abort. This patch contains a fix to
	   make the extension work with a large number of hosts.

SR:
	0000000000 4701332114

Patch Files:
	/opt/dcadmin/desm/exts/de/dess_disc.10.tcl
	/opt/dce/bin/css/klist.css
	/opt/dce/bin/dess_config
	/opt/dce/bin/css/pwd_config.css
	/opt/dce/bin/dess_shutdown
	/opt/dce/bin/css/dcecp.css
	/usr/lib/libdcecpcss.1
	/opt/dce/bin/css/acctmgrcss
	/usr/lib/libdcedpvtcss.1
	/opt/dce/sbin/css/secd.css

what(1) Output:
	/opt/dcadmin/desm/exts/de/dess_disc.10.tcl:
		None
	/opt/dce/bin/css/klist.css:
		HP92453-02A.10.00 HP-UX SYMBOLIC DEBUGGER (END.O) $R
			evision: 74.03 $
		krb5rpc.c 3 - 10/10/91
		krb5-manual-glue.c 13 - 12/12/91
		rc_base.c 3 - 10/24/91
		localaddr.c 3 - 10/24/91
		locate_kdc.c 3 - 10/24/91
		Praesidium/Security Service 1.0 PHSS_16761 Module: k
			list.css (Export) Date: Oct 27 1998 01:19:51
		$RCSfile: environment.c,v $ $Revision: /main/HPDCE02
			/2 $ (OSF) $Date: 1994/12/05 19:53 UTC $
	/opt/dce/bin/dess_config:
		Module: dce_config $Revision: /main/HPDCE02/HPDESS02
			/2 $ $Date: 1997/10/15 13:39 UTC $
	/opt/dce/bin/css/pwd_config.css:
		None
	/opt/dce/bin/dess_shutdown:
		Module: dce_shutdown $Revision: /main/HPDCE02/HPDESS
			02/1 $ $Date: 1997/10/06 12:35 UTC $
	/opt/dce/bin/css/dcecp.css:
		HP92453-02A.10.00 HP-UX SYMBOLIC DEBUGGER (END.O) $R
			evision: 74.03 $
		Praesidium/Security Service 1.0 PHSS_16761 Module: d
			cecp.css (Export) Date: Nov  4 1998 19:55:56
	/usr/lib/libdcecpcss.1:
		Praesidium/Security Service 1.0 PHSS_16761 Module: l
			ibdcecpcss.sl (Export) Date: Nov  4 1998 19:
			15:35
	/opt/dce/bin/css/acctmgrcss:
		Praesidium/Security Server 1.0 Module: Praesidium/Se
			curity Server Account Manager Date: Tue Oct
			13 22:52:02 IST 1998
		main.tcl         $Revision: /main/HPDESS01/4 $ $Date
			: 1996/06/13 16:06 UTC $
		acledit.tcl      $Revision: /main/HPDESS01/2 $ $Date
			: 1996/05/17 14:25 UTC $
		secmgr.tcl      $Revision: /main/HPDESS01/4 $ $Date:
			 1996/06/13 16:19 UTC $
		fbrowse.tcl      $Revision: /main/HPDESS01/2 $ $Date
			: 1996/04/11 15:43 UTC $
	/usr/lib/libdcedpvtcss.1:
		Praesidium/Security Service 1.0 PHSS_16761 Module: l
			ibdcedpvtcss.sl (Export) Date: Oct 27 1998 0
			0:53:21
	/opt/dce/sbin/css/secd.css:
		HP92453-02A.10.00 HP-UX SYMBOLIC DEBUGGER (END.O) $R
			evision: 74.03 $
		kdb_rsdb.c 25 - 12/05/91
		krb5rpc.c 3 - 10/10/91
		krb5-manual-glue.c 13 - 12/12/91
		rc_base.c 3 - 10/24/91
		localaddr.c 3 - 10/24/91
		locate_kdc.c 3 - 10/24/91
		Praesidium/Security Service 1.0 PHSS_16761 Module: s
			ecd.css (Export) Date: Oct 27 1998 01:17:23
		$RCSfile: environment.c,v $ $Revision: /main/HPDCE02
			/2 $ (OSF) $Date: 1994/12/05 19:53 UTC $

cksum(1) Output:
	2177025505 34347 /opt/dcadmin/desm/exts/de/dess_disc.10.tcl
	325528791 1388160 /opt/dce/bin/css/klist.css
	2248972384 121769 /opt/dce/bin/dess_config
	2891558745 26570 /opt/dce/bin/css/pwd_config.css
	358280774 12332 /opt/dce/bin/dess_shutdown
	1924084459 646784 /opt/dce/bin/css/dcecp.css
	3328577185 1359872 /usr/lib/libdcecpcss.1
	929166692 626098 /opt/dce/bin/css/acctmgrcss
	1399401848 176128 /usr/lib/libdcedpvtcss.1
	5208061 2436736 /opt/dce/sbin/css/secd.css

Patch Conflicts: None

Patch Dependencies:
	s700: 10.20: PHSS_15731
	s800: 10.20: PHSS_15731

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
	PHSS_7877 PHSS_16171

Equivalent Patches: None

Patch Package Size: 6740 KBytes

Installation Instructions:
	Please review all instructions and the Hewlett-Packard
	SupportLine User Guide or your Hewlett-Packard support terms
	and conditions for precautions, scope of license,
	restrictions, and, limitation of liability and warranties,
	before installing this patch.
	------------------------------------------------------------
	1. Back up your system before installing a patch.

	2. Login as root.

	3. Copy the patch to the /tmp directory.

	4. Move to the /tmp directory and unshar the patch:

		cd /tmp
		sh PHSS_16761

	5a. For a standalone system, run swinstall to install the
	    patch:

		swinstall -x autoreboot=true -x match_target=true \
			-s /tmp/PHSS_16761.depot

	5b. For a homogeneous NFS Diskless cluster run swcluster on the
	    server to install the patch on the server and the clients:

		swcluster -i -b

	    This will invoke swcluster in the interactive mode and
	    force all clients to be shut down.

	    WARNING: All cluster clients must be shut down prior to the
		     patch installation.  Installing the patch while the
		     clients are booted is unsupported and can lead to
		     serious problems.

	    The swcluster command will invoke an swinstall session in which
	    you must specify:

		alternate root path  -  default is /export/shared_root/OS_700
		source depot path    -  /tmp/PHSS_16761.depot

	    To complete the installation, select the patch by choosing
	    "Actions -> Match What Target Has" and then "Actions -> Install"
	    from the Menubar.

	5c. For a heterogeneous NFS Diskless cluster:

		- run swinstall on the server as in step 5a to install
		  the patch on the cluster server.

		- run swcluster on the server as in step 5b to install
		  the patch on the cluster clients.

	By default swinstall will archive the original software in
	/var/adm/sw/patch/PHSS_16761.  If you do not wish to retain a
	copy of the original software, you can create an empty file
	named /var/adm/sw/patch/PATCH_NOSAVE.

	Warning: If this file exists when a patch is installed, the
	         patch cannot be deinstalled.  Please be careful
		 when using this feature.

	It is recommended that you move the PHSS_16761.text file to
	/var/adm/sw/patch for future reference.

	To put this patch on a magnetic tape and install from the
	tape drive, use the command:

		dd if=/tmp/PHSS_16761.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
	This patch(PHSS_16761)  requires the DCE patch PHSS_15731 as
	a  pre-requisite.  Use "Match What Target Has" option  while
	installing  the DCE  patch  PHSS_15731.  You may  choose  to
	ignore the dependency  errors for the filesets which are not
	required  for Pr/SS while  installing  PHSS_15731.  Also, If
	PHSS_16761  is to be removed,  DCE patch  PHSS_15731  should
	also     be     removed     as     the     previous     DESS
	product(B5406AA_APZ)/patch(PHSS_7877)   are  not  compatible
	with DCE patch PHSS_15731.