LDAP V5.0 ECO Kit for VSI OpenVMS IA-64

INSTALL_2: To be installed by all customers using the following feature(s):

This installation rating serves as a guide to which customers should apply this remedial kit.

Reference the Disclaimer of Warranty and Limitation of Liability Statement.

No reboot is necessary after installation of this kit.

However, there are additional steps that must be performed to use the images provided by this kit on all nodes of a VMSCluster using a common system disk. Refer to Special Installation Instructions for required post-installation actions.

• VSI OpenVMS IA-64 Version 8.4-2L1

• VSI OpenVMS IA-64 Version 8.4-2L3

The images and files in this kit apply to any of these VSI OpenVMS versions. Because patch kits are removed by PCSI during upgrades to newer OpenVMS versions, the kit will need to be reinstalled if an upgrade is done from an older listed version to any newer listed version.

Problem Description

When configured for external authentication, attempting to login with a username string that ends in the separator character "\" triggers errant audits and possibly an ACME Server restart.

Username: SALES\

This problem is corrected with this ECO kit.

Images and/or Files Affected

• [SYSLIB]LDAPACME$LDAP-STD_ACMESHR.EXE

VSI Case Identifier

Release Version of VSI OpenVMS That Will Contain This Change

Next VSI OpenVMS IA-64 release after V8.4-2L3

Workaround

Do not end a username with "\".

Problem Description

Processes which repeatedly call into the LDAP sharable image, [SYSLIB]LDAP$SHR.EXE, will experience a slow but steady consumption of virtual memory. Over a sufficient amount of time, the process can reach its working set limit. If that occurs, additional attempts to allocate virtual memory will fail and image or process termination may result.

Several memory leaks identified in the LDAP shareable image are corrected in this kit.

Images and/or Files Affected

• [SYSLIB]LDAP$SHR.EXE

Quix and/or Bugzilla Cases Reporting This Problem:

VSI Bugzilla 1011

Release Version of VSI OpenVMS That Will Contain This Change

VSI OpenVMS IA-64 V8.4-2L3

Workaround

If feasible within the application design, any process which repeatedly calls the LDAP shareable image could be restarted before reaching its working set limit.

The ACME_SERVER, when configured for external authentication and using the ACME LDAP Agent, can be periodically restarted to avoid any unexpected request failures. However, any authentication requests currently in progress at that time could fail, and any requests occurring while the server is restarting could be rejected. Therefore, care should be taken when choosing the time for such a restart.

Problem Description

The ACME_SERVER process leaks a small amount of virtual memory with each external authentication request which uses the ACME LDAP Agent.

Should the virtual memory limits of the server be exceeded, the server will restart itself. However, any login requests that were currently in progress will fail, and new login requests will be rejected until the server restarts. New or retried login requests will perform correctly once the server has restarted.

OPCOM may report the failure with messages similar to these:

%%%%%%%%%%%  OPCOM  11-FEB-2018 10:12:41.40  %%%%%%%%%%%    (FROM NODE <nodename>  AT 11-FEB-2018 10:12:41.40)
MESSAGE FROM USER AUDIT$SERVER ON <nodename>
SECURITY ALARM (SECURITY) AND SECURITY AUDIT (SECURITY) ON <nodename>, SYSTEM ID: 1234
AUDITABLE EVENT:          REMOTE INTERACTIVE LOGIN FAILURE
EVENT TIME:               11-FEB-2018 10:12:41.40
PID:                      21C66B52
PROCESS NAME:             _TNA1400:
USERNAME:                 <LOGIN>
TERMINAL NAME:            TNA1400:, _TNA1400, HOST: NODE.COM PORT: 58621
IMAGE NAME:               DKA100:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
STATUS:                   %ACME-E-FAILURE, OPERATION FAILURE; IF LOGGING IS ENABLED, SEE DETAILS IN THE ACME$SERVER LOG FILE

Entries in the Acme Server log file will be similar to these:

%ACME-I-LOGAGENT, agent initiated log event on 11-FEB-2018 10:12:41.35
-ACME-I-THREAD, thread: id = 28, type = EXECUTION
-ACME-I-REQUEST, request information, id = 8, function = AUTHENTICATE_PRINCIPAL
-ACME-I-CLIENT, client information, PID = 21C66B52
-ACME-I-AGENT, agent information, ACME id = 2, name = LDAP-STD
-ACME-I-CALLOUT, active callout routine = acme$co_accept_principal
-ACME-I-CALLBACK, active callback routine = acme$cb_send_logfile
-ACME-I-TRACE,  MESSAGE FROM THE MESSAGE FILE: acmekcv$cb_allocate_wqe_vm() for principal with domain name failed

Several memory leaks found in the ACME LDAP Agent are corrected in this kit.

Images and/or Files Affected

• [SYSLIB]LDAPACME$LDAP-STD_ACMESHR.EXE

Quix and/or Bugzilla Cases Reporting This Problem

VSI Bugzilla 1011

Release Version of OpenVMS That Will Contain This Change

VSI OpenVMS IA-64 V8.4-2L3

Workaround

The ACME_SERVER can be periodically restarted to avoid any unexpected request failures. However, any authentication requests currently in progress at that time could fail, and any requests occurring while the server is restarting could be rejected. Therefore, care should be taken when choosing the time for such a restart.

Problem Description

This is an update to the issue described above in Section 6.2.

Additional memory leaks were identified which caused the same behavior as described above in Section 6.2.1. With this ECO kit, all known memory leaks in the LDAPACME$LDAP-STD_ACMESHR image have been corrected. No further memory leaks or any continuously growing virtual address space have been observed during testing.

A new image, LDAPACME$LDAP-STD_ACMESHR_TRACE, is provided for debug analysis by support personnel should any new leaks or other issues be found in the future.

Images and/or Files Affected

• [SYSLIB]LDAPACME$LDAP-STD_ACMESHR.EXE
• [SYSLIB]LDAPACME$LDAP-STD_ACMESHR_TRACE.EXE (new)

Quix and/or Bugzilla Cases Reporting This Problem

VSI Bugzilla 1497

Release Version of OpenVMS That Will Contain This Change

VSI OpenVMS IA-64 V8.4-2L3

Workaround

See Section 6.2.5

Problem Description

Externally authenticated login attempts may spuriously fail and the ACME_SERVER may crash and restart during any of these failures.

The ACME LDAP Agent could incorrectly release an LDAP data buffer before the processing of that buffer is complete. Should the buffer content change during the remaining processing, the results are unpredictable and may include failed login attempts and ACME_SERVER crashes and restarts.

With this ECO kit, the buffer processing is corrected.

Images and/or Files Affected

• [SYSLIB]LDAPACME$LDAP-STD_ACMESHR.EXE
• [SYSLIB]LDAPACME$LDAP-STD_ACMESHR_TRACE.EXE

Quix and/or Bugzilla Cases Reporting This Problem

VSI Bugzilla 2149

Release Version of OpenVMS That Will Contain This Change

VSI OpenVMS IA-64 V8.4-2L3

Problem Description

The OpenVMS LDAP client protocol handling was out of date.

This change allows a program to select any of the latest TLS protocols available on OpenVMS. If no protocol is selected, the LDAP client will now negotiate to the highest supported protocol instead of defaulting to SSLV3.

Protocol support is provided by the VSI SSL1 product that supports protocols up to TLSV1.2.

New constants have been defined in the standard system library <ldap.h> to specify the protocols available to the client.

These values can be passed to the client via the ldap_set_options() function specifying the LDAP_OPT_TLS_VERSION option.

The following constants are defined for C and C++ language users. Other languages can build their own definitions using the associated decimal values as shown.

• LDAP_PORT_SECURITY_NEGOTIATE = 23
• LDAP_PORT_SECURITY_SSLV3 = 30
• LDAP_PORT_SECURITY_TLSV10 = 31
• LDAP_PORT_SECURITY_TLSV11 = 32
• LDAP_PORT_SECURITY_TLSV12 = 33

Images and/or Files Affected

• [SYSLIB]LDAP$SHR.EXE
• [SYSLIB]SYS$STARLET_C.TLB

Quix and/or Bugzilla Cases Reporting This Problem

VSI Bugzilla 2191

Release Version of VSI OpenVMS That Will Contain This Change

VSI OpenVMS IA-64 V8.4-2L3

Problem Description

The ACME LDAP Agent was limited by the LDAP client to TLS encryption options on StartTLS connections only (port 389). These types of connections are susceptible to man-in-the-middle attacks and may be a security risk in certain environments.

This change expands TLS encryption options to include targeted TLS versions and allows TLS encryption for LDAPS connections (port 636) that do not risk the same security exposure.

The ACME LDAP Agent is now able to select the desired combination of encryption and connection type.

The following port security options are now accepted by the ACME LDAP Agent:

Existing options:

New LDAPS options (default port 636):

New StartTLS options (default port 389):

Images and/or Files Affected

• [SYSLIB]LDAP$SHR.EXE
• [SYSLIB]LDAPACME$LDAP-STD_ACMESHR.EXE
• [SYSLIB]LDAPACME$LDAP-STD_ACMESHR_TRACE.EXE

Quix and/or Bugzilla Cases Reporting This Problem

VSI Bugzilla 3407

Release Version of VSI OpenVMS That Will Contain This Change

VSI OpenVMS IA-64 V8.4-2L3

This kit is provided for download within a ZIP archive container file.

The kit files may be extracted on any system with UNZIP and copied to your OpenVMS system, or extracted on your OpenVMS system directly.

Assuming you have created an UNZIP symbol to invoke the UNZIP image, you can invoke UNZIP to unpack the kit on OpenVMS using the command:

$ UNZIP VMS842L3I_LDAP-V0500

This will extract the installable PCSI product kit file and its associated signed manifest (_VNC file), used for kit validation during PRODUCT commands.

VSI strongly recommends always using the manifest to validate the kit content during any PRODUCT commands. This will occur automatically if the files are both contained in the same directory.

Install this kit with the POLYCENTER Software Installation Utility by logging into the SYSTEM account and typing the following command at the DCL prompt:

$ PRODUCT INSTALL VMS842L3I_LDAP [/SOURCE=location_of_kit]

The kit location may be a tape drive, CD/DVD, or a disk directory that contains the kit. The /SOURCE qualifier is not needed if the PRODUCT INSTALL command is executed from the same directory as the kit location.

This kit requires the use of /RECOVERY_MODE and /SAVE_RECOVERY_DATA and will automatically set them; they do not need to be present on the command line.

The release notes for any kit may be extracted prior to kit installation using the PRODUCT EXTRACT RELEASE_NOTES command.

User-selectable options for installation behavior and scripting are available in this kit, refer to Appendix A, "User-Selectable Control Options and Scripting Considerations" for further details.

Additional help on installing PCSI kits can be found by typing HELP PRODUCT INSTALL at the system prompt.

While this kit does not require a system reboot, additional steps may be necessary to insure that active applications begin to use the newly supplied images. For most environments, this means restarting the ACME_SERVER if it is configured for external authentication. If there are other applications which use LDAP directly, they may need to be restarted as well according to their own instructions.

To restart the ACME_SERVER, use the command:

$ SET SERVER ACME_SERVER /RESTART

In a VMScluster with a shared system disk, this command should also be performed on each node sharing the system disk with the installation system.

Note that authentication requests currently in progress when the ACME_SERVER is restarted could fail, and any requests occurring while the server is restarting could be rejected. Therefore, care should be taken when choosing the time for such a restart

Similarly, the ACME_SERVER should be restarted if this ECO kit is removed using PRODUCT UNDO PATCH.