Proventia Server for Linux 1.5.2 fix pack 3 installation package. This cumulative installation package increments the agent version to 184.108.40.206.
Important: When performing administration tasks via ssh or local console, configuration changes made to your IBM appliance by any user other than admin could degrade appliance performance. Installing or activating other services or applications may also impact appliance performance or security. IBM Infrastructure Security Support will not support configuration changes made using the root user account unless specifically directed by a support engineer or IBM documentation. The following DCF Technote content is supported. Any further changes made that are not included in this document will place your product into an unsupported state and IBM product support may require you to reimage your appliance to restore it to a supported state.
Proventia Server for Linux 1.5.2 Fix Pack 3 README
Readme file for: Proventia Server for Linux
Product/Component Release: 220.127.116.11
Update Name: 18.104.22.168-ISS-PSL-FP003
Platforms: All supported platforms
Publication date: November 30, 2012
Last Modification date: November 30, 2012
© Copyright IBM Corporation 2012.
Please read this document in its entirety.
* List of enhancements
* List of APARs addressed
* List of internally identified defects addressed
* Installation information
* Post-installation information
* Additional information
* Files included in this update
* Contacting IBM Support
LIST OF ENHANCEMENTS
Enhancements new to 22.214.171.124:
Enhancements new to 126.96.36.199 (limited availability):
Enhancements new to 188.8.131.52:
- Web server SSL traffic inspection is extended to support the following Web servers. A leading '*' indicates a newly supported Web server.
- Apache 2.0 32-bit (on 32-bit operating systems)
- Apache 2.2 32-bit (on 32-bit operating systems)
- Apache 2.2 32-bit (on 64-bit operating systems)
- Apache 2.2 64-bit
- IBM HTTP Server 7.0 32-bit (on 32-bit or 64-bit operating systems)
- IBM HTTP Server 8.0 32-bit (on 32-bit or 64-bit operating systems)
- IBM HTTP Server 8.0 64-bit
Note: Web server SSL traffic inspection support remains limited to Intel architecture platforms.
Support for Web server SSL traffic inspection for newly supported Web servers is enabled after installing the fix pack by running a new command, /opt/ISS/etc/configure_mod_rs. Instructions for running this command are in the section "CONFIGURING WEB SERVER SSL TRAFFIC INSPECTION INFORMATION" below.
LIST OF APARS ADDRESSED
APARs addressed by 184.108.40.206:
IV26032 Need to move /tmp/isslum-ctrl file to the /var/run directory
The agent relied on the persistence of the isslum-ctrl and other files in /tmp, a directory that is world-writable and may be purged (for example by tmpwatch or at reboot). The agent components that rely on this persistence now use the /var/run directory hierarchy for such files.
APARs addressed by 220.127.116.11 (limited availability):
APARs addressed by 18.104.22.168:
LIST OF INTERNALLY IDENTIFIED DEFECTS ADDRESSED
Internally identified defects addressed by 22.214.171.124:
17108 - Web plug-in does not always pass sufficient data to PAM.
17133 - In limited circumstances, the PSL agent may not block TCP traffic that should be blocked.
17944 - Enhanced apache module logging. Logging performed by the PSL module is now better integrated to the apache logging subsystem.
19166 - Performance enhancements to network traffic inspection.
20044 - In limited circumstances, TCP reset packets for connections closed by the agent would not be transmitted.
Internally identified defects addressed by 126.96.36.199 (limited availability):
16881 - Fix pack installation would partially succeed and then fail silently if the security content (PAM) RPM was at the same or later level than the security content included in the fix pack.
17125 - Fix pack installation would not install 64-bit security content (PAM) on a 64-bit system if the existing 32-bit PAM was at the same or later level than the security content included in the fix pack.
17191 - The pslconfig utility does not validate port ranges correctly. Ranges in which the end port sorts before the start port when the two are compared as strings were rejected, even though they are valid when compared numerically. For example, the range 80-100 was rejected ("100" sorts before "80" as a string) when it should have been accepted.
Internally identified defects addressed by 188.8.131.52:
14070 - 32-bit Web servers running on 64-bit platforms can not be protected with the SSL protection module.
14079 - Web server module does not handle PAM tuning parameters.
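The following POSIX shell script is an added example, not pslconfig code or any other part of the product; it reconstructs the class of bug described in defect 17191 above so the difference is visible. range_valid_lexical orders the two bounds as strings (the way the defective check behaved), while range_valid compares them numerically and also enforces the 0-65535 port bounds. The function names and the list of sample ranges are this example's own.

```shell
#!/bin/sh
# Added example reconstructing defect 17191: a port-range check that compares
# the bounds as strings versus one that compares them numerically.
# Function names are this example's own, not pslconfig code.

# range_valid_lexical START-END: the buggy behaviour. `sort` without -n orders
# the two bounds as strings, so "100" sorts before "80" and 80-100 is rejected.
range_valid_lexical() {
    start=${1%%-*}
    end=${1#*-}
    first=$(printf '%s\n%s\n' "$start" "$end" | sort | head -n 1)
    [ "$first" = "$start" ]
}

# range_valid START-END: the corrected check. Both bounds must be decimal
# integers within 0-65535 and START must not exceed END numerically.
range_valid() {
    case $1 in *-*) ;; *) return 1 ;; esac
    start=${1%%-*}
    end=${1#*-}
    for p in "$start" "$end"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac   # reject empty or non-numeric bound
        [ "$p" -le 65535 ] || return 1            # reject ports above the TCP/UDP maximum
    done
    [ "$start" -le "$end" ]
}

# Demonstration over constructed inputs (not taken from any real configuration)
for r in 80-100 80-90 100-80 443-443 80-70000 abc-80; do
    if range_valid_lexical "$r"; then lex=accepted; else lex=rejected; fi
    if range_valid "$r"; then num=accepted; else num=rejected; fi
    echo "$r: string compare -> $lex, numeric compare -> $num"
done
```

Note that the string comparison fails in both directions: it rejects the valid 80-100 and accepts the inverted 100-80, so an input validator that sorts or compares port numbers as text cannot be trusted to reject malformed ranges either.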
INSTALLATION INFORMATION
The fix pack is available both as an X-Press Update (XPU) from the IBM Security download center and as a self-extracting shell archive (shar) from IBM Support Fix Central.
The XPU package can be applied to any existing Proventia Server for Linux installation from version 1.5 provided the platform requirements are met. Please review the current System Requirements Document for details of platform requirements. A link to this document is provided at the end of this section.
The shar package can be applied to any existing Proventia Server for Linux installation from version 1.5.2.
To install the shell archive fix pack:
As the root user, run the shar file that corresponds to the Linux distribution on which Proventia Server for Linux 1.5.2 is already installed.
On Intel systems:
# sh ./184.108.40.206-ISS-PSL-LinuxIntel-RHEL-FP003.sh
# sh ./220.127.116.11-ISS-PSL-LinuxIntel-SLES-FP003.sh
On zSeries systems:
# sh ./18.104.22.168-ISS-PSL-LinuxS390-RHEL-FP003.sh
# sh ./22.214.171.124-ISS-PSL-LinuxS390-SLES-FP003.sh
For complete information about hardware and software compatibility, see the detailed system requirements document at:
POST-INSTALLATION INFORMATION
If the Proventia Server services are running when the fix pack is installed, the services are automatically stopped and restarted.
The agent version might be reported as an earlier version than 126.96.36.199 because the iss-spa service can start and send a heartbeat to SiteProtector while Fix Pack 3 is still being installed. After the installation completes and the iss-spa service sends its next heartbeat, SiteProtector shows the agent version correctly as 188.8.131.52.
If you use the SSL traffic inspection support of Proventia Server for Linux, you must restart every integrated Web server after the fix pack is applied. This restart is not performed automatically; do it manually whether the fix pack was installed as an X-Press Update or as a shell archive.
To identify the set of Web servers integrated with Proventia Server for Linux on a particular system examine the file:
CONFIGURING WEB SERVER SSL TRAFFIC INSPECTION INFORMATION
Support for Web server SSL traffic inspection for newly supported Web servers is enabled after installing the fix pack by running a new command. The new command has the following syntax:
NOTE: Web server SSL traffic inspection support remains limited to Intel architecture platforms.
# /opt/ISS/etc/configure_mod_rs APACHE_BIN APACHE_CONF
APACHE_BIN is the full path to the Web server's apachectl or httpd programs. For IBM HTTP Server specify the apachectl program. For Apache specify the httpd program.
APACHE_CONF is the full path to the Web server's configuration file.
For example, to enable SSL traffic inspection for an IBM HTTP Server Web server installed to the /opt/IBM/HTTPServer directory the configure_mod_rs command should be executed as follows (NOTE: the following line is intended as a single command line though formatting may display it on multiple lines):
# /opt/ISS/etc/configure_mod_rs /opt/IBM/HTTPServer/bin/apachectl /opt/IBM/HTTPServer/conf/httpd.conf
The Web server must then be restarted.
Packets queued for inspection are handed to the PSL sensor through a kernel netlink socket and held in that socket's receive buffer. If this buffer becomes full, PSL receives ENOBUFS errors on the socket and the packet is dropped.
To prevent this situation from occurring, you can use the following tuning parameters to increase the socket buffer size:
Implement these parameters when you install the fix pack. You must restart the Proventia Server for Linux sensor to ensure that the new socket buffer size is used by the sensor.
If your network performance continues to degrade after you install this fix pack, then you must implement and tune these parameters. System administrators can determine whether these parameters need tuning by monitoring the "Netlink dropped" counter in the /proc/net/ip_queue file; a counter that keeps rising under load indicates that packets are being dropped before the sensor can inspect them.
To implement the tuning parameters:
1. Verify existing settings by using the command:
# sysctl -a | grep core.rmem
2. Ensure that the minimum recommendation of 4194304 is set:
# sysctl -w net.core.rmem_max=4194304
# sysctl -w net.core.rmem_default=4194304
NOTE: This setting is fine for most scenarios, but if you determine that it is inadequate for your system, then increase it in 1 MB increments.
3. Repeat Step 1 to verify the setting.
4. Restart the sensor.
This procedure will not be persistent across reboots of the system. To ensure that these settings stay persistent, add the new values to the file /etc/sysctl.conf.
net.core.rmem_default = 4194304
net.core.rmem_max = 4194304
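As an added example (not part of IBM's README or of the product), the following POSIX shell script packages the checks from the procedure above: it reads the rmem sysctls from /proc/sys rather than through the sysctl binary, compares them against the 4194304 minimum, computes the next 1 MB step, and extracts the "Netlink dropped" counter from /proc/net/ip_queue text. The ip_queue sample is constructed, and the helper names (read_sysctl, rmem_ok, next_rmem, netlink_dropped, sysctl_conf_lines) are this example's own.

```shell
#!/bin/sh
# Added example: checks for the PSL socket-buffer tuning described above.
# Helper names are this example's own; the ip_queue text below is constructed.

MIN_RMEM=4194304          # minimum recommended by the README
STEP=1048576              # README says to increase in 1 MB increments

# read_sysctl NAME: print the value from /proc/sys (works without a sysctl binary)
read_sysctl() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else return 1; fi
}

# rmem_ok VALUE: succeed when VALUE meets the minimum
rmem_ok() {
    [ "$1" -ge "$MIN_RMEM" ]
}

# next_rmem VALUE: print VALUE raised by one 1 MB step
next_rmem() {
    echo $(( $1 + STEP ))
}

# netlink_dropped TEXT: extract the "Netlink dropped" counter from
# /proc/net/ip_queue content passed in as a string
netlink_dropped() {
    printf '%s\n' "$1" | awk -F: '/^Netlink dropped/ { gsub(/ /, "", $2); print $2; exit }'
}

# sysctl_conf_lines: the two lines to persist in /etc/sysctl.conf
sysctl_conf_lines() {
    printf 'net.core.rmem_default = %s\nnet.core.rmem_max = %s\n' "$MIN_RMEM" "$MIN_RMEM"
}

# Constructed /proc/net/ip_queue sample (not captured from a real system)
SAMPLE_IPQ='Peer PID          : 2231
Copy mode         : 2
Copy range        : 65535
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 37'

# --- demonstration on the constructed data ---
drops=$(netlink_dropped "$SAMPLE_IPQ")
echo "sample ip_queue: Netlink dropped = $drops"
for v in 212992 4194304; do
    if rmem_ok "$v"; then
        echo "rmem $v: ok"
    else
        echo "rmem $v: below minimum; next step would be $(next_rmem "$v")"
    fi
done
echo "lines for /etc/sysctl.conf:"
sysctl_conf_lines

# --- optional live check (only where /proc/sys is readable) ---
for key in net.core.rmem_default net.core.rmem_max; do
    if live=$(read_sysctl "$key" 2>/dev/null); then
        if rmem_ok "$live"; then status=ok; else status="below minimum"; fi
        echo "live $key = $live ($status)"
    fi
done
```

Run it as any user to see the constructed demonstration; on a Linux host it also reports the live rmem values. Reading /proc/sys directly avoids depending on the sysctl binary's output format, and sampling the "Netlink dropped" counter twice a few minutes apart, rather than once, is what tells you whether the buffer is still too small after a change.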
FILES INCLUDED IN THIS UPDATE
The files included in this update and their check sums are:
CONTACTING IBM SUPPORT
To Contact IBM Support Worldwide
Call IBM Support by selecting the phone number for your region from this location:
When prompted for type of support, select option 2 for Software Support.
You will need to provide your IBM Customer Number (ICN).
Go to https://www.ibm.com/support/servicerequest and open a new service request.