Read this before installation
Before you use this software, you should go to the Fix Central website and install the latest available fixes that address security vulnerabilities and other critical issues.
The Expansion Pack DVD contains programs that are provided by IBM® and other program suppliers. Each program is licensed under the terms and conditions of that specific program. These terms and conditions can vary depending on the specific program or the program supplier. Specific information about the content of this DVD and the terms and conditions under which these programs are licensed are contained in a readme file on the media.
To obtain the content and Terms and Conditions information:
- Log in as the root user.
- Insert the DVD into the media drive. If your media drive is not /dev/cd0, substitute the
correct device name and type the following
commands:
mount -v cdrfs -o ro /dev/cd0 /mnt cp /mnt/README* /tmp unmount /mntThe /tmp/README and /tmp/README.html files contain the content or the Terms and Conditions under which these programs are licensed. View this information by using a web browser, or run the more command or the pg command.
Softcopy documentation for each product is included with the product. These Release Notes supplement the product documentation by outlining the steps for getting started and by pointing you to more product information.
Installation, migration, upgrade, and configuration information
The AIX® 7 with 7100-05 Expansion Pack is included with the AIX 7 with 7100-05 operating system as a vehicle for delivering new IBM and non-IBM products. Most AIX 7 with 7100-05 Expansion Pack products can be installed by using normal installation methods. Some Expansion Pack products cannot be installed by using normal installation methods. Their installation procedures are provided under their product descriptions.
The AIX 7 with 7100-05 Expansion Pack might include products that contain a cryptographic function that is subject to special export-licensing requirements by the US Department of Commerce. Import restrictions can also apply to certain countries. Different packages of the AIX 7 with 7100-05 Expansion Pack accommodate varying country export or import restrictions. To determine which package is appropriate for you, review the Ordering Information which is located in the Expansion Pack announcement. Contact your IBM representative or IBM Business Partner to determine which type of encryption you are entitled to receive.
The contents of the Expansion Pack vary over time. New software products can be added, changed, or removed. Changes to the content of the AIX 7 with 7100-05 Expansion Pack are announced either as part of an AIX announcement or independently of the release announcement.
Unless otherwise indicated, products can be installed from the DVD by using the System Management Interface Tool (SMIT). For more information about installing products, see the Installation and migration topic.
Listing and previewing installation software
You can list the available software products, packages, and filesets on AIX media, which can be a DVD or directory. The output shows the available packages and filesets on the media. The descriptions are provided at the fileset level.
You can perform a preview installation before doing the actual installation. A preview installation provides the preinstallation information that occurs during a regular installation, except that no software is installed.
When you select a package or fileset to be installed with the preview installation process, you see a list that contains all of the requisite packages and filesets needed by the selected package or fileset to be successfully installed.
Other information generated during the preinstallation process concerns the file system-size checking. The file systems are checked to ensure that there is enough free space available to install the selected package or fileset.
You can list the software and use the previewing software functions from the command line or the SMIT interface.
Listing and previewing software from the command line
- Log in as the root user.
- To list the software on the first DVD of the base media, insert the DVD into the media drive,
and type the following command:
installp -ld/dev/cd0 | pgA list similar to the following is displayed:fileset Name Level I/U Q Content ==================================================================== ICU4C.adt 2.8.0.0 I N usr # ICU Application Developer's Toolkit ICU4C.man.en_US 2.8.0.0 I N usr # ICU Manual Pages - U.S. English - To perform a preview installation at the command line, use the -p flag with
the installp command. For example, to preview the installation of the ICU4C.adt
fileset, enter the following command from the command line:
The preview option displays the requisite filesets, that are to be installed and the system resources that are being used.installp -aXgq -p -d/dev/cd0 ICU4C.adt
Listing and previewing software from the ASCII SMIT interface
- Log in as the root user.
- From the command line, enter
smitty install_update. - Select Install Software.
- Press F4 (List) to list the available input devices and select the appropriate one, or type the input device name in the blank field. Press Enter to continue.
- In the SOFTWARE to Install field, press F4 (List) to list all available software on the selected media.
- Scroll through the list of software by using the arrow keys or the Page Up or Page Down keys.
Note: The following listing shows the available software packages and filesets for that software product.The three packages are ICU4C.adt, ICU4C.man.en_US, and ICU4C.rte. The fileset in the ICU4C.adt package is the ICU Application Developer's Toolkit at the 2.8.0.0 level. The descriptions for the software product are provided at the fileset level. There is often more than one fileset per package.
If the fileset is preceded by a plus sign (+), it is available to be installed. If the fileset is preceded by an at sign (@), the fileset is already installed.
For example, in the following output example, the software product is ICU4C:
ICU4C.adt ALL + 2.8.0.0 ICU Application Developer's Toolkit ICU4C.man.en_US ALL + 2.8.0.0 ICU Manual Pages - U.S. English ICU4C.rte ALL + 2.8.0.0 International Components for Unicode - Select the package or fileset you want to install and press the F7 (Edit). Press Enter to continue.
- To preview the installation of the package or fileset that you selected, press the Tab key and
select yes in the PREVIEW only? field. Press Enter to continue. Note: To obtain detailed information about the installation, select yes in the DETAILED output? field. The filesets being installed are displayed in parentheses.
Apache HTTP Server and Samba for AIX
The software for Apache HTTP Server and Samba for AIX has changed from the
installp format to the rpm format. The software has been
removed from the expansion pack and it is now available in the AIX Toolbox. To determine whether an installation of this software is
installed, enter the following commands in the command line:
# lslpp -Lc | grep httpd
# lslpp -Lc | grep sambaYou must remove the installp formatted packages before installing the newer
rpm formatted packages. To preview your removal and save the log file in the
/tmp/preview.log directory, enter the following command:
# installp -e /tmp/preview.log -pu httpd sambaTo remove and save the output in the /tmp/remove.log directory, enter the
following command:
# installp -e /tmp/remove.log -u httpd sambaAIX 7 with 7100-05 Expansion Pack security
This section lists security restrictions and limitations for the AIX 7 with 7100-05 Expansion Pack.
OpenSSL version 1.0.2
OpenSSL 0.9.8 shared objects (libcrypto.so.0.9.8 and libssl.so.0.9.8) are also included in the OpenSSL 1.0.2.1100 fileset libraries for compatibility with earlier versions of OpenSSL.
OpenSSL versions 0.9.8 and 1.0.1 are no longer supported by IBM. The OpenSSL 0.9.8 shared objects are retained in the libraries as is. You must update your applications to use the newer version of the OpenSSL libraries.
Applications must use OpenSSL version 1.0.2 shared objects (libcrypto.so or libcrypto.so.1.0.0, and libssl.so or libssl.so.1.0.0) that are included in libraries of OpenSSL 1.0.2.1100 fileset to continue using the supported version of OpenSSL.
POWER8 hardware cryptography capability and OpenSSL version 1.0.2.1100
The OpenSSL version 1.0.2.1100 fileset and AIX 7 with 7100-05 can use the in-core cryptographic function that is
available with POWER8® systems. To use this function, the
following conditions must be met:
- Any existing applications that use an older version of the OpenSSL fileset must be recompiled with the latest headers and relinked to the newer 1.0.2 libraries that are included with the OpenSSL 1.0.2.1100 fileset.
- Applications that use the dlopen function to load the 0.9.8 version of the OpenSSL shared objects must be reconfigured to load the 1.0.2 version of the OpenSSL shared object.
- A future OpenSSL release that is incompatible must be recompiled with the latest headers and relinked with the newer binaries.
The following algorithms are implemented in OpenSSL version 1.0.2 that can use the POWER8 in-core cryptographic capabilities:
- AES-128-CBC
- AES-192-CBC
- AES-256-CBC
- AES-128-ECB
- AES-192-ECB
- AES-256-ECB
- AES-128-GCM
- AES-192-GCM
- AES-256-GCM
- AES-128-XTS
- AES-192-XTS
- AES-256-XTS
- SHA1
- SHA224
- SHA256
- SHA384
- SHA512
Note: Applications that use earlier versions of the OpenSSL fileset continue to function and use the
OpenSSL default software cryptographic modules on POWER8
systems.
To download the latest version of the OpenSSL fileset, go to the AIX Web Download Pack Programs website.
Data Encryption Standard kernel extension 64-bit
With the Data Encryption Standard (DES) kernel extension, nfs_kdes_full.ext, you can now use 64-bit kernels. This extension uses secure Network File System (NFS) by encrypting time stamps sent between the client and the server, which allows each Remote Procedure Call (RPC) message to be authenticated.
For more information about the DES extension, see the Network File Systems security topic.
The DES encryption kernel extension is available from the des fileset on the AIX Expansion Pack.
Certificate Authentication Services
Certificate Authentication Services are not included with the AIX 7 with 7100-05 operating system.
IP Filter converted to the AIX operating system
IP Filter, Version 5.3.0.0 open source software is converted to the AIX operating system. The IP Filter software package can be used to provide network address translation (NAT) or firewall services. For more information about licensing, see the IP Filter website.
Network security options TCP Wrapper 1.1.0.0
TCP Wrapper is a simple open source tool to monitor and control incoming network traffic. For more information about the TCP Wrapper, see the Wietse's tools and papers website.
AIX Network Data Administration Facility
The AIX Network Data Administration Facility (AIX NDAF) for AIX 7 with 7100-05 is not on the Expansion Pack media. It is on the base media.
Required parameter setting for IBM Security Directory Server Version 6.4, when you use it with GSKit version 8.0.50.44
GSKit version 8.0.50.44 is included on the AIX 7 with 7100-05 Expansion Pack media. When you run GSKit version
8.0.50.44 with IBM Security Directory Server Version 6.4, if
you set the ICC_IGNORE_FIPS parameter is set to a value of
yes, the Security Directory Server does not start. To avoid this issue, set the
ICC_IGNORE_FIPS parameter to a value of no by entering the
following command:
export ICC_IGNORE_FIPS=noModern Cryptographic Library
The Modern Cryptographic Library is updated from version 6.1.0.2 to version 6.1.0.3.
The updates for Modern Cryptographic Library version 6.1.0.3 include the following
modcrypt filesets:
- modcrypt.base.lib
- modcrypt.base.includes
The updated modcrypt filesets are required if the ACF and PKCS11 device driver version 7.1.3.30 (security.acf fileset) is installed on your system and you are using a Network File System (NFS) with Kerberos 5 authentication. If your system does not meet these requirements, it fails when the NFS gssd daemon starts.
IBM Security Directory Server
IBM Security Directory Server is not available on the AIX 7.1.5 Expansion Pack media.
IBM Security Directory Server Version 6.4 is available on the AIX 7.1.5 base media. To upgrade to Security Directory Server Version 6.4, you must upgrade from Security Directory Server Version 6.3. For instructions about upgrading to Security Directory Server Version 6.4, see the Upgrade an instance of IBM Security Directory Server topic.
The following Security Directory Server Version 6.2 and Version 6.3 cryptography filesets are no
longer provided on the AIX Expansion Pack media:
- idsldap.clt_max_crypto32bit62
- idsldap.clt_max_crypto64bit62
- idsldap.srv_max_cryptobase64bit62
- idsldap.webadmin_max_crypto62
IBM Network Authentication Service Version 1.6.0.4 for AIX
IBM Network Authentication Service, Version 1.6.0.4 for the AIX environment is a network-authentication protocol based on the IETF RFC 1510 standards protocol for the Kerberos V5 IBM Network Authentication Service. The IBM Network Authentication Service includes the Generic Security Service API (GSSAPI), the Key Distribution Center (KDC) server, and the server. With IBM Network Authentication Service, AIX middleware and external application writers can use authenticated and optionally encrypted message flow between their respective components.
The IBM Network Authentication Service (NAS)
fileset is updated with AIX VRMF 16.0.4. The fileset also
includes the SPNEGO feature.
- All of the impacted vulnerabilities reported until MIT Kerberos version 1.15.1 is back ported to this fileset.
- Additional packaging-related changes have been done in this fileset to remove redundant dependency on bos.net.tcp.client.
To download the latest version of NAS fileset, see the AIX Web Download Pack Programs website.
Network Authentication Service Documentation
Read the README.lang file for IBM Network Authentication Service, Version 1.5 before you configure or use the program, where
lang is one of the following language locales:
- Chinese (Simplified)
- Chinese (Traditional)
- English
- Korean
- Portuguese (Brazilian)
The README.lang file for the AIX environment is located in the /usr/lpp/krb5 directory after the krb5.client.rte fileset is installed from the krb5.client client installation package. The README.lang file can also be viewed by using the SMIT list_media_info command to list supplemental fileset information about the installation media for the krb5.client.rte fileset.
Documentation for IBM Network Authentication Service is
available in the README.lang installation packages, where lang is
one of the following language locales:
- en_US (US English)
- Ja_JP (Japanese)
- ko_KR (Korean)
- zh_CN (Simplified Chinese)
The documentation is in both HTML and PDF files. Install the krb5.doc.lang.html fileset for access to HTML documents and the krb5.doc.lang.pdf fileset for access to PDF documents.
The IBM Network Authentication Service Version 1.5
Administrator's and User's Guide is installed in the following directories:
- HTML/usr/lpp/krb5/doc/html/lang/ADMINGD
- PDF/usr/lpp/krb5/doc/pdf/lang/ADMINGD
The IBM Network Authentication Service Version 1.5
Application Development Reference is installed in the following directories:
- HTML/usr/lpp/krb5/doc/html/lang/APDEVREF
- PDF/usr/lpp/krb5/doc/pdf/lang/APDEVREF
New features
- Server Message Block (SMB) client file system
-
AIX Version 7.2 supports the SMB client file system that is based on the SMB protocol version 3.0.2 and 2.1. The SMB server runs on Windows Server 2012 or Windows Server 2016 server operating system. In each of these server operating system types, a directory can be exported as a share. This share can then be mounted on an AIX logical partition by using the SMB client file system. You can use the SMB client system to access shares on SMB servers as local file systems on the AIX logical partition.
The SMB client file system in the AIX operating system requires Kerberos-based GSSAPI to start the user-authenticated session by using the SMB protocol version 3.0.2 or 2.1, based on the selection. In the AIX operating system, the GSSAPI is provided by a Userspace Library in the IBM Network Authentication Service (NAS) version 1.16.1.0, or later fileset. This fileset is included in AIX Expansion Pack.
The SMB protocol version 3.0.2 uses AIX OpenSSL library to generate keys to sign and encrypt the fileset. You must have openssl.base fileset version 1.0.2.2002, or later installed in the AIX operating system to use the SMB protocol. This fileset is included in AIX Expansion Pack.
The SMB client file system facilitates compatibility of SMB protocol version 3.0.2 with the SMB protocol version 2.1 and supports all functions of SMB protocol version 2.1 along with the additional features of the SMB protocol version 3.0.2. Earlier filesets (version 7.1.0.*) of SMB protocol are not supported.
To install the SMB client file system on the AIX LPAR, download the SMB client file system package from the AIX Web Download Program web page. Install the smbc.rte package on the AIX LPAR. For more information, see the SMB client file system topic.
Java Technology Edition
The following versions of Java™ Technology Edition are
available on the AIX
7.1.5 Expansion Pack media:
| Java Version | 32-bit | 64-bit |
|---|---|---|
| Java Version 5 | No (on base media) | Yes |
| Java Version 6 | Yes | No (on base media) |
| Java Version 7.1 | Yes | Yes |
| Java Version 8 | Yes | Yes |
To check whether a more recent service refresh is available for a version of Java, see the AIX Download and service information website.
Reliable Scalable Cluster Technology (RSCT) CIM resource manager
The Common Information Model (CIM) resource manager is a Resource Monitoring and Control (RMC) resource manager that enables RMC to be used to query system configuration through CIM classes. CIM resource manager is contained in the rsct.exp package.
After installation, the CIM resource manager readme file is located in the /opt/rsct/README/rsct.exp.README directory.
For more information about the CIM resource manager, see the Resource classes defined by the CIM resource manager topic.