Patch Name: PHSS_20476

Patch Description: s700_800 10.24 VirtualVault 3.50 TGP Patch

Creation Date: 99/11/18

Post Date: 99/12/08

Warning: 00/01/28 - This Non-Critical Warning has been issued by HP.

    - PHSS_20476 may introduce a problem with the VirtualVault
      Trusted Gateway Proxy (TGP). A 30 second delay may be
      experienced when the listening endpoint is the localhost
      and the connecting address is off the VirtualVault system.
      When the problem occurs, messages similar to the following
      are written to /tcb/files/tgp.log:

          Error: Failed to get peer attributes. error: 4 count XX

      (where XX ranges from 1 to 31)

    - HP recommends that PHSS_20476 be removed from all
      VirtualVault systems that are experiencing delays with the
      TGP or observe the error messages in the tgp.log file.
      PHSS_20476 should also be removed from all software depots
      that may be used to install patches on these systems.

    - The problem is corrected in patch PHSS_20958, which was
      released today. PHSS_20958 should be installed after
      PHSS_20476 is removed.

    - To prevent reverting back to PHSS_20476 if PHSS_20958 is
      removed in the future, HP recommends that PHSS_20476 be
      removed before PHSS_20958 is installed. If you choose not
      to remove PHSS_20476 before installing PHSS_20958, the
      system will still function properly after PHSS_20958 is
      installed.

Hardware Platforms - OS Releases:
    s700: 10.24
    s800: 10.24

Products:
    VirtualVault A.03.50 US/Canada Release;
    VirtualVault A.03.50 International Release

Filesets:
    VaultTGP.TGP-CORE

Automatic Reboot?: No

Status: General Superseded With Warnings

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHSS_20476

Symptoms:
    PHSS_20476:
    Programs running on the VirtualVault may be proxied by the
    TGP without having the proper access.

    PHSS_17692:
    There is no way to run an application server that requires
    a platform other than VVOS, including those that require
    HP-UX 11.0.
    Currently there is a demand from customers for VirtualVault
    that will act as a front-end to provide security for such
    services, but the current implementation of the Trusted
    Gateway Proxy (TGP) prevents this type of configuration.
    The TGP requires that a server be local to the VirtualVault.

Defect Description:
    PHSS_20476:
    TGP made the wrong assumptions about the sessions and
    requires more checking to validate privileges.

    PHSS_17692:
    The TGP does not adequately support communication between a
    secured plug-in for the Outside NES and a back end server on
    the Inside network.

SR:
    8606110533 4701417204

Patch Files:
    /tcb/lib/tgpd
    /var/opt/vaultTS/inside/vault/bin/tgp-edit
    /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html

what(1) Output:
    /tcb/lib/tgpd:
        $Source: configuration.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/16 14:14:14 $ $Revision: 1.9.1.2 PATCH_10.24 (PHSS_20476) $
        $Source: proxy.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/16 14:14:14 $ $Revision: 1.11.1.2 PATCH_10.24 (PHSS_20476) $
        $Source: security.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/16 14:14:15 $ $Revision: 1.5.2.1 PATCH_10.24 (PHSS_20476) $
        HP VirtualVault, tgpd, revision A.01.01
        $Source: src/lib/conf/gpent.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/15 07:23:23 $ $Revision: 1.7 PATCH_10.24 (PHSS_17692) $
        src/lib/conf/gpent.c, vaultTGP, vaultTGP_3.5 1.7 03/03/99
        $Source: src/lib/conf/if_info.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/15 07:23:23 $ $Revision: 1.6 PATCH_10.24 (PHSS_17692) $
        lib/libsecurity/identity.c, libsecurity_util, vvos_davis, davis26 $Date: 97/10/01 15:16:15 $ $Revision: 1.8 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/mandlib.c, libsecurity_macilb, vvos_davis, davis26 $Date: 97/10/01 15:16:16 $ $Revision: 1.17 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/privileges.c, libsecurity_util, vvos_davis, davis26 $Date: 97/10/01 15:16:17 $ $Revision: 1.1.1.12 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/authaudit.c, libsecurity_audit, vvos_davis, davis26 $Date: 97/10/01 15:16:11 $ $Revision: 1.21 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/sec_conf.c, libsecurity_util, vvos_davis, davis26 $Date: 97/10/01 15:18:19 $ $Revision: 1.5 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/sec_nls.c, libsecurity, vvos_davis, davis60 $Date: 97/10/01 16:00:20 $ $Revision: 1.1.1.4 PATCH_10.24 (PHCO_12734) $
        Internal_Unsupported_Version libc.a_ID@@/main/r10dav/libc_dav/15
        /ux/libc/libs/libc/archive_pa1/libc.a_ID
        Jul 18 1997 15:26:17
    /var/opt/vaultTS/inside/vault/bin/tgp-edit:
        $Source: tgp-edit.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/16 14:14:58 $ $Revision: 1.9.1.2 PATCH_10.24 (PHSS_20476) $
        HP VirtualVault, tgp-edit, revision A.01.00
        $Source: src/lib/conf/gpent.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/15 07:23:23 $ $Revision: 1.7 PATCH_10.24 (PHSS_17692) $
        src/lib/conf/gpent.c, vaultTGP, vaultTGP_3.5 1.7 03/03/99
        $Source: src/lib/conf/if_info.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/15 07:23:23 $ $Revision: 1.6 PATCH_10.24 (PHSS_17692) $
    /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html:
        src/admin/html/tgp-edit.html, vaultTGP, vaultTGP_3.5 1.6 03/03/99

cksum(1) Output:
    1070523210 533972 /tcb/lib/tgpd
    1676674989 65753 /var/opt/vaultTS/inside/vault/bin/tgp-edit
    2721264787 27159 /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHSS_17692

Equivalent Patches: None

Patch Package Size: 680 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

           cd /tmp
           sh PHSS_20476

    5a. For a standalone system, run swinstall to install the
        patch:

           swinstall -x autoreboot=true -x match_target=true \
               -s /tmp/PHSS_20476.depot

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHSS_20476. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful
             when using this feature.

    It is recommended that you move the PHSS_20476.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

           dd if=/tmp/PHSS_20476.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    The patch installation replaces the Trusted Gateway Proxy
    Daemon (tgad) as well as the tgp-edit CGI program. The TGP
    Daemon processes may be stopped during patch installation.
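
Added example (not part of the HP patch text, and not HP code): a small shell check for the symptom named in the Warning above, counting tgp.log lines of the form "Failed to get peer attributes. error: N count XX" with XX between 1 and 31. The function names and the sample log are constructed for illustration, and it assumes the message may be preceded by other text on the line.

```shell
#!/bin/sh
# Added example (not HP code): look for the PHSS_20476 warning symptom in a TGP log.
# Assumption: the message may be preceded by other text on the line, so it is
# matched anywhere in the line rather than at the start.

# tgp_peer_errors: reads a log on stdin, prints "<matching lines> <highest count>"
# for "Failed to get peer attributes. error: N count XX" with XX in 1..31.
tgp_peer_errors() {
    awk '
        /Failed to get peer attributes\. error: [0-9]+ count [0-9]+/ {
            n = $0
            sub(/.*count /, "", n)       # keep what follows the last "count "
            sub(/[^0-9].*/, "", n)       # drop anything after the number
            n += 0
            if (n >= 1 && n <= 31) {     # range stated in the warning
                hits++
                if (n > max) max = n
            }
        }
        END { printf "%d %d\n", hits, max }
    '
}

# tgp_affected: exit status 0 if stdin contains at least one symptom line.
tgp_affected() {
    hits=$(tgp_peer_errors | cut -d" " -f1)
    [ "$hits" -gt 0 ]
}

# Constructed sample log, not captured from a real system.
sample_log() {
    cat <<'EOF'
tgpd: daemon started
Error: Failed to get peer attributes. error: 4 count 1
Error: Failed to get peer attributes. error: 4 count 2
tgpd: connection closed
Error: Failed to get peer attributes. error: 4 count 31
Error: Failed to get peer attributes. error: 4 count 99
EOF
}

sample_log | tgp_peer_errors
```

On a VirtualVault system the same function can be fed the real log with `tgp_peer_errors < /tcb/files/tgp.log`.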