 
From: AIX Service Mail Server (aixservaustin.ibm.com)
Date: Tue Jun 18 2002 - 02:37:27 CDT


    APAR: IY30463 COMPID: 5765E8300 REL: 320
    ABSTRACT: UPDATE DCED USAGE FOR -T AND -N

    PROBLEM DESCRIPTION:
    The -t and -n syntax was not correct or not shown at all.

    PROBLEM CONCLUSION:
    Change the dced syntax to include and correctly document
    the -t and -n parameters.

    ------

    APAR: IY30464 COMPID: 5765E8300 REL: 320
    ABSTRACT: A PROPER MSG NEEDS TO BE DISPLAYED FOR KEYRING OPTIONS MISSING

    PROBLEM DESCRIPTION:
    When the "registry migrate" dcecp command is run specifying
    ssl, if both -keyring and -keyring_pw are not specified on
    the command line, an error message will be displayed that
    these options are required, but not why.

    PROBLEM CONCLUSION:
    Add a message that indicates that both the -keyring and
    -keyring_pw options are required if -ssl or "-auth ssl"
    is specified.

    ------

    APAR: IY30465 COMPID: 5765E8300 REL: 320
    ABSTRACT: A PROPER MSG NEEDS TO BE DISPLAYED FOR KEYRING OPTIONS MISSING

    PROBLEM DESCRIPTION:
    When -ssl=yes, or auth=ssl is specified on the config
    command line, the keyring and keyring_pw options need to be
    specified also.

    PROBLEM CONCLUSION:
    Check whether SSL is specified; if it is, make sure that the
    keyring options are supplied. If they are not, issue a message
    that indicates that they are required.

    ------

    APAR: IY30471 COMPID: 5765E8300 REL: 320
    ABSTRACT: LDAP:SHOULDNT UNCONFIG MIG SERV WITH LDAP REPS

    PROBLEM DESCRIPTION:
    The unconfig.dce command allowed the LDAP Migration Security
    server to be unconfigured while there were still LDAP
    Security Replica servers in the cell. The data that these
    servers would retrieve from LDAP could get out of date since
    no server is updating it.

    PROBLEM CONCLUSION:
    unconfig.dce had code added to check for LDAP Security
    Replica servers before allowing the unconfiguration of an
    LDAP Migration Security server.

    ------

    APAR: IY30474 COMPID: 5765E8300 REL: 320
    ABSTRACT: BLANK SPACE MISSING FROM SOME MESSAGES IN SEC.SAMS

    PROBLEM DESCRIPTION:
    Messages will be hard to read.

    PROBLEM CONCLUSION:
    Add the missing space to several messages in sec.sams.

    ------

    APAR: IY30475 COMPID: 5765E8300 REL: 320
    ABSTRACT: SVT: CONFIG.DCE CMD, NO LDAP SLAVE EXAMPLE.

    PROBLEM DESCRIPTION:
    When you issue the command "config.dce" to see the syntax,
    there are no examples given of how to configure an LDAP
    slave into an LDAP cell.

    PROBLEM CONCLUSION:
    Added an example of how to configure an LDAP slave into an
    LDAP cell.

    ------

    APAR: IY30484 COMPID: 5765E8300 REL: 320
    ABSTRACT: PAUL HENSON WANTED A NEW FUNCTION TO RETURN CACHE FILENAME

    PROBLEM DESCRIPTION:
    DCE 3.1 for Solaris changes the behavior of the
    sec_login_valid_and_cert call. Under DCE 2.0 for Solaris,
    this call chowns the credential files to the appropriate
    local uid. Under DCE 3.1, this no longer occurs. I
    disagreed with this change at the time, but having upgraded
    to DCE 3.1, I now need a workaround.
    There are some cases where a workaround is apparent. For
    example, a process that calls sec_login_setup_identity,
    sec_login_valid_and_cert_ident, and sec_login_set_context
    as root can chown the files before calling setuid. I
    believe the PAM module for DCE 3.1 fits this category. It
    seems the only way to determine the name of the cred files
    is to check the KRB5CCNAME env variable after calling
    set_context? Can you verify if this is the method the PAM
    module uses?
    Unfortunately, there are other cases where a workaround is
    not clear. Consider a process that calls
    sec_login_setup_identity, sec_login_valid_and_cert_ident,
    then setuid before sec_login_set_context. Given that there
    is no apparent way to determine the name of the credential
    files before calling set_context, how would this process
    chown the credentials?
    Another case is a process that calls setup_identity,
    sec_login_valid_and_cert_ident, but never calls set_context
    and uses the context directly to establish authentication
    for RPC handles.
    Please provide a workaround for the new behavior of
    sec_login_and_cert_ident that will allow programs that used
    to work under DCE 2.0 to operate under DCE 3.1.
    I still assert that the old behavior was correct and that
    the supposed security issue "fixed" by the change wasn't an
    issue unless the API was abused.

    PROBLEM CONCLUSION:
    Introduced a new function, sec_login_return_cred_file_name,
    which returns the credential file name so that the customer
    can chown the file. The caller is responsible for freeing
    the pointer returned with the file name.

    ------

    APAR: IY30487 COMPID: 5765E8300 REL: 320
    ABSTRACT: PURIFY: UMR IN OUTPUT_CACHE_LINE(), SECIDMAP.C

    PROBLEM DESCRIPTION:
    Customer sees "UMR: output_cache_line..." in Purify

    PROBLEM CONCLUSION:
    Necessary change made in code.

    ------

    APAR: IY30504 COMPID: 5765E8300 REL: 320
    ABSTRACT: DON'T ALLOW -DCE_MASTER_KEY/-MASTER_KEY_IN_LDAP ON LDAPSLAVE

    PROBLEM DESCRIPTION:
    If, when migrating a slave or master security server to
    LDAP, the administrator specified a different location
    for the master key file (either in LDAP or not, or a
    different location on the file system) than was specified
    on the LDAP migration server, the migration will not
    complete successfully or the security server will not
    function.

    PROBLEM CONCLUSION:
    Remove the -dce_master_key and -master_key_in_ldap options
    from the "registry migrate" dcecp command when the
    -ldap_slave or -ldap_master options are also specified on
    the command line. This will force the administrator to
    use the same location that was specified on the LDAP
    migration security server.

    ------

    APAR: IY30505 COMPID: 5765E8300 REL: 320
    ABSTRACT: ADD LDAPMASTERKEY REGISTRY SUBCOMMAND TO MOVE MASTER KEY

    PROBLEM DESCRIPTION:
    The administrator will not be able to change the master key
    location either to/from LDAP or the location in the file
    system.

    PROBLEM CONCLUSION:
    A new dcecp registry subcommand called ldapmasterkey was
    added to allow the user to change the master key location
    to/from ldap. This command will only be able to run on a
    migration server or ldap master.

    ------

    APAR: IY30506 COMPID: 5765E8300 REL: 320
    ABSTRACT: ADD LOGINMGMT COMMAND TO DCECP FOR PAINE WEBBER

    PROBLEM DESCRIPTION:
    If an administrator has the max_invalid_attempts and
    disable_time_interval ERAs set for an account, if the
    account has been disabled because of too many invalid
    login attempts, there is no way for the administrator
    to override the disable_time_interval and re-enable the
    account right away.

    PROBLEM CONCLUSION:
    New dcecp account subcommands called loginshow and
    loginreset. loginshow displays the login attributes
    associated with an account on a specific replica, in
    addition to whether the account is disabled or not.
    loginreset re-enables an account on a specific replica
    that has been disabled by too many invalid login
    attempts.

    ------

    APAR: IY30507 COMPID: 5765E8300 REL: 320
    ABSTRACT: LDAP:ADD CACHE KEYWORDS TO .LDAP_DATA FILE

    PROBLEM DESCRIPTION:
    The customer will not be able to enable or customize the
    new DCE security LDAP caches.

    PROBLEM CONCLUSION:
    Put keywords in the .ldap_data file that enable and
    customize the new DCE security LDAP caches.

    ------

    APAR: IY30508 COMPID: 5765E8300 REL: 320
    ABSTRACT: REMOVE LDAP MASTER KEY LOCATION OPTIONS FROM CONFIG.DCE

    PROBLEM DESCRIPTION:
    The DCE master key location, in an LDAP cell, should only
    be set on an LDAP Migration Security server or LDAP Master
    Security server.
    Need to remove the
     -ldap_master_key_in_ldap ( yes | no )
    and
     -ldap_dce_master_key <ldap_master_key_file>
    options from config.dce.

    PROBLEM CONCLUSION:
    Removed the -ldap_master_key_in_ldap and
    -ldap_dce_master_key options from config.dce. If either
    of these options is specified, a message indicating that
    they will be ignored is logged and displayed. The
    config.dce command will not fail if these options are
    specified.

    ------

    APAR: IY31708 COMPID: 5765D5100 REL: 340
    ABSTRACT: PESSL LEQS WITH NON-BLOCKING CCL CALLS HANG

    PROBLEM DESCRIPTION:
    pessl leqs with non-blocking ccl calls hang

    PROBLEM SUMMARY:
    PESSL LEQS WITH NON-BLOCKING CCL CALLS HANG

    PROBLEM CONCLUSION:
    PESSL LEQS WITH NON-BLOCKING CCL CALLS HANG

    ------

    APAR: IY31759 COMPID: 5765E2600 REL: 502
    ABSTRACT: DLOPEN LOADS LIBPTHREADS.A AND APP IS NOT LINKED WITH

    PROBLEM DESCRIPTION:
    The problem is when dlopen is used to load libpthreads.a when
    the application is not linked with libpthreads.a when it was
    built. The application coredumps at program termination time.
    Here is a testcase:
    /* testcase.c */
    #include <dlfcn.h>
    #include <stdio.h>

    int main(void)
    {
       /* Load the shared member of libpthreads.a at run time even though
          this program was never linked against libpthreads.a. */
       void* ptr = dlopen("/usr/lib/libpthreads.a(shr.o)", RTLD_NOW | RTLD_MEMBER);
       if (ptr == NULL) {
          fprintf(stderr, "dlopen failed: %s\n", dlerror());
          return 1;
       }
       dlclose(ptr);
       /* The core dump happens in exit(), after main() returns. */
       return 0;
    }
    Compile using:
    xlc testcase.c
    Here is the callstack:
    spin_lock_global_ppc_up() at 0xd0132b44
    _rec_mutex_lock(??) at 0xd017f668
    _Wait__Q2_3std5_LockFv(??) at 0x200382f8
    __ct__Q2_3std7_LockitFi(??,??) at 0x20038288
    __dt__Q2_3std6_WinitFv(??,??) at 0x2004fed0
    __sdrterm__16__Fv() at -x2004fe74
    exit(??) at 0xd01870a0

    LOCAL FIX:
    link with libpthreads.a

    PROBLEM CONCLUSION:
    The problem occurs when dlopen is used to load
    libpthreads.a and the application was not linked with
    libpthreads.a when it was built. The application segfaults
    at termination because the static destruction of libC.a makes
    use of mutex objects that were never initialized. The fix is to
    add a check that confirms whether the mutexes are initialized. If
    they are not, the runtime now initializes them before it uses
    them.

    ------

    APAR: IY31947 COMPID: 5724C3505 REL: 310
    ABSTRACT: ISDN BUFFERS NOT FREED ON SHORT CALL TRANSFER

    PROBLEM DESCRIPTION:
    Environment Services Buffers will become depleted if call B
    hangs up before call A can send a FACILITY message to the
    switch.

    PROBLEM SUMMARY:
    Environment Services Buffers will become
    depleted if call B hangs up before call A can send a
    FACILITY message to the switch.

    PROBLEM CONCLUSION:
    The fix was to free the buffer if the
    message is not sent.

    ------