Patch-ID# 111891-10 Keywords: sun ray update patch security Synopsis: Sun Ray Server version 1.3 Patch Update Date: Aug/01/2003 Install Requirements: Additional instructions may be listed below Reboot immediately after patch is installed See Special Install Instructions Solaris Release: 2.6 7 8 SunOS Release: 5.6 5.7 5.8 Unbundled Product: Sun Ray Server Software Unbundled Release: 1.3 Xref: Topic: Relevant Architectures: sparc BugId's fixed with this patch: 4433854 4436983 4463574 4470054 4476245 4484759 4486704 4489566 4493511 4496966 4518444 4518568 4520208 4521702 4530019 4530420 4548753 4612368 4614182 4616249 4616446 4616447 4616450 4619491 4623388 4626041 4627096 4630220 4640827 4640929 4642695 4648409 4649533 4655041 4657147 4660438 4662521 4665447 4672695 4672787 4678927 4685177 4694781 4714470 4714473 4714474 4714475 4725172 4728375 4730071 4754200 4781165 4874498 Changes incorporated in this version: 4874498 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: 108919 or greater 109354 or greater 109887 or greater Obsoleted by: Files included with this patch: /etc/init.d/utsyscfg /etc/opt/SUNWut/smartcard/CommonAccessCard.cfg /etc/opt/SUNWut/smartcard/Payflex-All.cfg /etc/opt/SUNWut/smartcard/probe_order.conf /opt/SUNWbb/bin/bbkillproc /opt/SUNWbb/bin/bbrootsession /opt/SUNWbb/bin/bbstartd /opt/SUNWut/bin/utselect /opt/SUNWut/bin/utxconfig /opt/SUNWut/cgi-bin/desktop /opt/SUNWut/cgi-bin/status /opt/SUNWut/cgi-bin/user /opt/SUNWut/etc/template/utsservices.cfg /opt/SUNWut/lib/firmware/CoronaP1 /opt/SUNWut/lib/firmware/CoronaP2 /opt/SUNWut/lib/firmware/CoronaP3 /opt/SUNWut/lib/firmware/CoronaP4 /opt/SUNWut/lib/firmware/CoronaP5 /opt/SUNWut/lib/iu_modules/M25SunRayCore /opt/SUNWut/lib/libsrcom.so.2 /opt/SUNWut/lib/libutgrpmgr.so /opt/SUNWut/lib/libutjadmin.so /opt/SUNWut/lib/libutscr.so.2 /opt/SUNWut/lib/libutsession.so.1 /opt/SUNWut/lib/libutstatus.so.1 /opt/SUNWut/lib/modules/Registeredxlation.jar /opt/SUNWut/lib/modules/ServerSelect.jar /opt/SUNWut/lib/modules/StartSession.jar /opt/SUNWut/lib/modules/StartxlationSession.jar /opt/SUNWut/lib/modules/TerminalGroup.jar /opt/SUNWut/lib/modules/TerminalId.jar /opt/SUNWut/lib/nscloginGUI /opt/SUNWut/lib/ocf_termadmin /opt/SUNWut/lib/pam_sunray.so /opt/SUNWut/lib/prototype/Xreset.SUNWut.prototype /opt/SUNWut/lib/prototype/Xsetup.SUNWut.prototype /opt/SUNWut/lib/prototype/Xstartup.SUNWut.prototype /opt/SUNWut/lib/prototype/services.SUNWut.prototype /opt/SUNWut/lib/scloginGUI /opt/SUNWut/lib/sdk.jar /opt/SUNWut/lib/sunrayCTdriver.jar /opt/SUNWut/lib/utaction /opt/SUNWut/lib/utauthd.jar /opt/SUNWut/lib/utdevmgrd /opt/SUNWut/lib/utdmsession /opt/SUNWut/lib/utdtsession /opt/SUNWut/lib/utscrevent /opt/SUNWut/lib/utseriald /opt/SUNWut/sbin/utadm /opt/SUNWut/sbin/utdesktop /opt/SUNWut/sbin/utfwadm /opt/SUNWut/sbin/utuser /usr/openwin/server/modules/ddxSUNWsunray.so.1 Problem Description: 4874498 Sun/Fujitsu mouse rev(05c/06c) may fail to work in SunRay due to bad packets (from 111891-09) 4433854 Sometimes smartcard removal is not detected and session stays active (from 111891-08) 4470054 Find User by Token ID through admin GUI fails 4612368 Sunray port 7010 inaccessible after portscan with nmap 4655041 X server prints "Invalid cmd" messages in /var/dt/Xerrors and disconnects 4672695 provide support for P5 ( slim ) 4694781 utscrevent spews garbage 4725172 ATR isn't re-read in token reader mode. 4728375 No monitor power save mode with 111891-05 and "insert card" icon 4730071 New VID to be added for InsideOut Network Edgeport 4754200 Memory leaks in policy modules 4781165 JNI panic: JNI received a null string (from 111891-07) 4627096 terminating kiosk sessions leads to hung appliances 4665447 utselect at login truncates altDts list in dtgreet 4678927 Sun Ray DDX should play well with Xinerama pixmap caching 4685177 Smartcards are not accessible from token reader DTU by SCF 4714470 F/w doesn't return data if status code is 0x63XX 4714473 If the APDU length is smaller than GetResponse length, f/w goes with APDU length 4714474 F/w not attending to the card's request for more time 4714475 sunray can not be used to do longer APDU transactions. (from 111891-06) 4476245 getatr command returns Error for smartcards supported in 1.3 most of the time. 4484759 Broken appliance makes SRSS services dysfunctional after 3-5 hours 4518444 SUNWutps won't install on Solaris 9 systems 4518568 OCF server loops after Sun Ray Session Manager is restarted 4548753 If the primary is down, then the secondaries fail during an ldap add timeout 4616249 APDU exchange sometimes returns 0000 for SW1, SW2 4616446 Smartcards in readers become inaccessable if DM goes away and comes back 4616447 If DM is unavailable for more than SCbus retry time, SRCOM wedges 4616450 SUNWutscr packaging scripts need to properly configure OCF for Sun Ray 4623388 ut_sessionGetId needs to work during X server grab 4640827 Can not access devices using sessionID key during login 4640929 Device Manager has incorrect debug messages 4648409 Need fixes in SRSS to support smartcard operations on Solaris 8 4662521 Need to patch 1.3 release to support cbs / P4 4672787 GetResponse processing is broken (from 111891-05) 4614182 utselect fails to redirect to a server with a long (>16 chars) name 4642695 sunray ignores buttons 4, 5, and 6 from usb mice 4657147 utselect GUI Copyright notice overlaps buttons in some locales 4660438 Security: Possible to log in as a different user when NSCM is enabled (from 111891-04) 4486704 NSC login GUI is unusable at low display resolutions 4496966 "welcome" string contains username instead of server name in one case. 4630220 NSC login GUI screen is "squished" if you enable 8 bit pseudocolor mode. 4649533 authentication mgr crashes with JNI panic: native code passed a wrong class (from 111891-03) 4521702 UtselectAtlogin pop up window unreadable in Japanese. 4626041 utxconfig when run without $DISPLAY set affects system defaults (from 111891-02) 4489566 ut admin commands take 10 mins to produce output 4493511 utfwadm doesn't parse quotes from new-style dhtadm 4619491 Typo in README file of patches 110666 & 111891 (from 111891-01) 4436983 virtual resolution problem with SunRay 100, 1.2 and utxconfig -r 1152x900 4463574 Provide way to simultaneously use USB barcode scanner and USB keyboard 4520208 sunray boot hid driver accepts invalid interrupt packet length 4530019 Multihead secondaries get green newt when card is inserted or removed 4530420 waitForPrimary icon on secondaries while primary is connected Patch Installation Instructions: -------------------------------- For Solaris 2.6, 7 & 8 releases, refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine: example# patchadd /var/spool/patch/111891-10 The following example removes a patch from a standalone system: example# patchrm 111891-10 For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- Required Patches ---------------- Solaris 8 users must install the following patches before attempting to install this patch. 108919-14 (or later) 109354-14 (or later) 109887-13 (or later) Solaris 2.6 & 7 users do not need to install any extra patches Warnings & Errors ----------------- ** WARNING: This patch should only be applied to systems which have Sun Ray Server Software 1.3 fully installed. Do not attempt to add this patch to the UFS image to be applied as part of the install process ** ** WARNING: Unconfiguring the Sun Ray Server Software before removal of this patch may lead to error messages and/or removal failure Performing the command /opt/SUNWut/sbin/utconfig -u before removing this patch may cause the following error messages to be output in the log file: ERROR: attribute verification of failed group name not found in group table(s) ERROR: attribute verification of failed group name not found in group table(s) The patch removal will fail and any subsequent attempts to remove the patch will fail with the error message Patch 111891-10 was installed without backing up the original files. It cannot be backed out. If this problem occurs, simply perform the steps documented below and the patch will remove successfully. 1. Reconfigure the Sun Ray Server Software, applying the settings used when the software was configure originally. $ /opt/SUNWut/sbin/utconfig 2. Add the 111891-10 patch and reboot the system $ /usr/sbin/patchadd 111891-10 3. Remove the 111891-10 patch $ /usr/sbin/patchrm 111891-10 4. Unconfigure the Sun Ray Server Software $ /opt/SUNWut/sbin/utconfig -u Sun Ray Firmware Upgrades ------------------------- This patch includes firmware updates for Sun Ray appliances. The updated firmware will be loaded by your Sun Ray appliances through the usual Sun Ray firmware download mechanism. The firmware changes are independent of the Sun Ray Server Software changes but are delivered in this patch for your convenience. If this patch is being applied to servers configured into a Sun Ray failover group it must be applied to all servers in the group at your earliest convenience. While some members of the group remain unpatched the restart time of your Sun Ray appliances may be noticeably longer than usual. The increased restart time can be avoided by taking the action described in step 1 below. The following additional steps are required when adding this patch on a live system: (before applying patch to system) 1. (optionally) Suppress firmware downloads from all servers in a Sun Ray failover group 2. Stop Sun Ray services on the server being patched (after applying patch) 3. Reboot the Sun Ray server To remove this patch, carry out these steps in the following order: (before removing the patch) 1. (optionally) Suppress firmware downloads from all servers in a Sun Ray failover group 2. Stop Sun Ray services on the server being patched (after removing the patch) 3. Reboot the Sun Ray server Detailed Steps -------------- 1. Suppress firmware downloads If the server being patched is not a member of a Sun Ray failover group you should skip this step. If the server being patched is a member of a Sun Ray failover group then this step is optional but is strongly recommended. At Patch Installation --------------------- Before adding this patch to servers configured into a Sun Ray failover group we advise that you disable Sun Ray firmware delivery from all unpatched hosts in the failover group. On each host in the group, execute the command: $ /opt/SUNWut/sbin/utfwadm -a -D -n Do this only one time, before adding this patch to any server in the group. The purpose of this step is to prevent unpatched servers from offering old firmware to Sun Ray appliances that have already accepted the new firmware delivered with this patch. If this patch is being applied to a Sun Ray failover group then omitting this step may result in increased restart times for your Sun Ray appliances. (A mixture of patched and unpatched servers advertising conflicting firmware versions may cause the appliance to download new firmware each time it restarts. The appliance automatically restarts itself after downloading fresh firmware so its overall restart cycle is longer in that case. The appliance may restart itself several times before establishing or reconnecting to a session.) The Sun Ray restart time will return to normal once the patch has been added to all servers in the failover group. At Patch Removal ---------------- Before removing this patch from servers configured into a Sun Ray failover group we advise that you disable firmware delivery from any hosts in the failover group that have this patch installed. On each already-patched host in the group, execute the command: $ /opt/SUNWut/sbin/utfwadm -a -D -n Do this only one time, before removing this patch from any of the already-patched servers in the group. The purpose of this step is to prevent already-patched servers from offering new firmware to Sun Ray appliances. If this patch is being removed to a Sun Ray failover group then omitting this step may result in increased restart times for your Sun Ray appliances. (A mixture of patched and unpatched servers advertising conflicting firmware versions may cause the appliance to download new firmware each time it restarts. The appliance automatically restarts itself after downloading fresh firmware so its overall restart cycle is longer in that case. The appliance may restart itself several times before establishing or reconnecting to a session.) The Sun Ray restart time will return to normal once the patch has been removed from all servers in the failover group. 2. Stopping Sun Ray services and login sessions Before applying this patch to a Sun Ray server or removing this patch from a Sun Ray server all users should be logged out of their Sun Ray sessions. Stop the Sun Ray services using the following command: $ /etc/init.d/utsvc stop This command will terminate any Sun Ray sessions that were not already logged out. Next, add or remove the patch using the instructions outlined above in the section "Patch Installation Instructions". Adding the patch automatically prepares the server to advertise new firmware to your Sun Ray appliances. Removing the patch automatically prepares the server to revert to advertising pre-patch firmware to your Sun Ray appliances. 3. Rebooting the Sun Ray server The Sun Ray server must be rebooted after the addition or removal of the patch. 4. Adding SunRay Card Terminals. Once the Sun Ray server comes back up and the sunray services are started, please look to see if there are existing Sun Ray card terminals configured. Run the command, # /opt/SUNWut/lib/ocf_termadmin -l The output of this command should include a line like: com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@ If not, to add Sun Ray card terminal run the command: # /opt/SUNWut/lib/ocf_termadmin -a "com.sun.opencard.terminal.sunray.SunRayCardTerminalFactory|SunRayDTU|SunRayDTU-InternalReader|DTU@" README -- Last modified date: Friday, August 1, 2003