Patch Name: PHSS_20958

Patch Description: s700_800 10.24 VirtualVault 3.50 TGP Patch

Creation Date: 00/01/28

Post Date: 00/01/28

Hardware Platforms - OS Releases:
    s700: 10.24
    s800: 10.24

Products:
    VirtualVault A.03.50 US/Canada Release;
    VirtualVault A.03.50 International Release

Filesets:
    VaultTGP.TGP-CORE

Automatic Reboot?: No

Status: General Superseded

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHSS_20958

Symptoms:
    PHSS_20958:
    When proxying from localhost to an external IP (off the
    VirtualVault), the following error message is written to
    the /tcb/files/tgp.log file:

        Error: Failed to get peer attributes. error: 4 count XX

    where XX ranges from 1 to 31. After a 30 second wait, the
    data is proxied.

    PHSS_20476:
    Programs running on the VirtualVault may be proxied by the
    TGP without having the proper access.

    PHSS_17692:
    There is no way to run an application server that requires
    a platform other than VVOS, including those that require
    HP-UX 11.0. Currently there is a demand from customers for
    VirtualVault that will act as a front-end to provide
    security for such services, but the current implementation
    of the Trusted Gateway Proxy (TGP) prevents this type of
    configuration. The TGP requires that a server be local to
    the VirtualVault.

Defect Description:
    PHSS_20958:
    If TGP receives an error when checking a peer's attributes,
    it will invoke a 30 count wait loop. This loop produces an
    error message and waits 1 second per iteration. When TGP is
    proxying from localhost to an external IP, TGP will always
    receive a socket not connected error (errno 235). This
    causes the loop to be executed and hence a 30 second hang
    before establishing the connection.

    PHSS_20476:
    TGP made the wrong assumptions about the sessions and
    requires more checking to validate privileges.

    PHSS_17692:
    The TGP does not adequately support communication between a
    secured plug-in for the Outside NES and a back end server
    on the Inside network.

SR:
    8606127287 8606110533 4701417204

Patch Files:
    /tcb/lib/tgpd
    /var/opt/vaultTS/inside/vault/bin/tgp-edit
    /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html

what(1) Output:
    /tcb/lib/tgpd:
        $Source: configuration.c, vaultTGP, vaultTGP_3.5 $Date: 00/01/27 10:24:34 $ $Revision: 1.9.1.2 PATCH_10.24 (PHSS_20476) $
        $Source: proxy.c, vaultTGP, vaultTGP_3.5 $Date: 00/01/27 10:24:33 $ $Revision: 1.11.1.2 PATCH_10.24 (PHSS_20476) $
        $Source: security.c, vaultTGP, vaultTGP_3.5 $Date: 00/01/27 13:46:36 $ $Revision: 1.5.2.3 PATCH_10.24 (PHSS_20958) $
        HP VirtualVault, tgpd, revision A.01.01
        $Source: src/lib/conf/gpent.c, vaultTGP, vaultTGP_3.5 $Date: 00/01/25 13:49:25 $ $Revision: 1.7 PATCH_10.24 (PHSS_17692) $
        src/lib/conf/gpent.c, vaultTGP, vaultTGP_3.5 1.7 03/03/99
        $Source: src/lib/conf/if_info.c, vaultTGP, vaultTGP_3.5 $Date: 00/01/25 13:49:26 $ $Revision: 1.6 PATCH_10.24 (PHSS_17692) $
        lib/libsecurity/identity.c, libsecurity_util, vvos_davis, davis26 $Date: 97/10/01 15:16:15 $ $Revision: 1.8 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/mandlib.c, libsecurity_macilb, vvos_davis, davis26 $Date: 97/10/01 15:16:16 $ $Revision: 1.17 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/privileges.c, libsecurity_util, vvos_davis, davis26 $Date: 97/10/01 15:16:17 $ $Revision: 1.1.1.12 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/authaudit.c, libsecurity_audit, vvos_davis, davis26 $Date: 97/10/01 15:16:11 $ $Revision: 1.21 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/sec_conf.c, libsecurity_util, vvos_davis, davis26 $Date: 97/10/01 15:18:19 $ $Revision: 1.5 PATCH_10.24 (PHCO_11251) $
        lib/libsecurity/sec_nls.c, libsecurity, vvos_davis, davis60 $Date: 97/10/01 16:00:20 $ $Revision: 1.1.1.4 PATCH_10.24 (PHCO_12734) $
        Internal_Unsupported_Version libc.a_ID@@/main/r10dav/libc_dav/15
        /ux/libc/libs/libc/archive_pa1/libc.a_ID Jul 18 1997 15:26:17

    /var/opt/vaultTS/inside/vault/bin/tgp-edit:
        $Source: tgp-edit.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/16 14:14:58 $ $Revision: 1.9.1.2 PATCH_10.24 (PHSS_20476) $
        HP VirtualVault, tgp-edit, revision A.01.00
        $Source: src/lib/conf/gpent.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/15 07:23:23 $ $Revision: 1.7 PATCH_10.24 (PHSS_17692) $
        src/lib/conf/gpent.c, vaultTGP, vaultTGP_3.5 1.7 03/03/99
        $Source: src/lib/conf/if_info.c, vaultTGP, vaultTGP_3.5 $Date: 99/11/15 07:23:23 $ $Revision: 1.6 PATCH_10.24 (PHSS_17692) $

    /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html:
        src/admin/html/tgp-edit.html, vaultTGP, vaultTGP_3.5 1.6 03/03/99 --

cksum(1) Output:
    3973438203 533972 /tcb/lib/tgpd
    1676674989 65753 /var/opt/vaultTS/inside/vault/bin/tgp-edit
    2721264787 27159 /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHSS_17692 PHSS_20476

Equivalent Patches: None

Patch Package Size: 680 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHSS_20958

    5a. For a standalone system, run swinstall to install the
        patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHSS_20958.depot

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHSS_20958. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    WARNING: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful
             when using this feature.

    It is recommended that you move the PHSS_20958.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHSS_20958.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    The patch installation replaces the Trusted Gateway Proxy
    Daemon (tgpd) as well as the tgp-edit CGI program. The TGP
    Daemon processes must be stopped prior to the installation
    of the patch and restarted after installation completes.
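
A post-install check, added here as an example and not part of the HP patch text: it compares the three installed files against the values in the cksum(1) Output field. The function names phss_20958_manifest and verify_cksums and the optional ROOT prefix are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example: confirm that the files replaced by PHSS_20958 match the
# "cksum(1) Output" field. Manifest layout is "CRC SIZE PATH" per line.

# The three entries are copied from the patch text.
phss_20958_manifest() {
cat <<'EOF'
3973438203 533972 /tcb/lib/tgpd
1676674989 65753 /var/opt/vaultTS/inside/vault/bin/tgp-edit
2721264787 27159 /var/opt/vaultTS/inside/vault/loc/C/html/tgp-edit.html
EOF
}

# verify_cksums [ROOT]
# Reads manifest lines on stdin. ROOT (hypothetical argument) is a path
# prefix, e.g. a restored backup tree; empty means the live system.
# Prints one status line per file and returns the number of failures.
verify_cksums() {
    root=${1:-}
    failures=0
    while read -r want_crc want_size path; do
        [ -n "$path" ] || continue              # skip blank lines
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"
            failures=$((failures + 1))
            continue
        fi
        # Reading from stdin makes cksum print only "CRC SIZE".
        got=$(cksum < "$root$path")
        got_crc=${got%%[!0-9]*}                 # leading digit run
        got_size=${got##*[!0-9]}                # trailing digit run
        if [ "$got_crc" = "$want_crc" ] && [ "$got_size" = "$want_size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $got_crc $got_size," \
                 "want $want_crc $want_size)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage after swinstall, as root:
#   phss_20958_manifest | verify_cksums
```

cksum(1) is a CRC, so a match shows that the expected file revision is in place; it is not a cryptographic integrity check.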