------------------------------------------------------------
(C) 2006 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.
------------------------------------------------------------

Release Notes for SSH Tectia Manager 2.2.1
September 29, 2006

Table of Contents

1 About This Release
2 CD Contents
  2.1 Sun Solaris Binaries
  2.2 Linux Binaries
  2.3 AIX Binaries
  2.4 HP-UX Binaries
  2.5 Microsoft Windows Binaries
  2.6 Documentation
  2.7 Third-Party Software
3 SSH Tectia Manager 2.2.1
  3.1 New Features in SSH Tectia Manager 2.2.x
  3.2 Upgrade of SSH Tectia Manager
  3.3 Known Issues

1 About This Release

SSH Tectia Manager is a security management platform designed for the
centralized management of SSH Tectia software in large environments.
It provides:

- Efficient software deployment and upgrades throughout the environment
- Centralized enforcement of security policies
- Increased visibility for the administrators into the environment
  through detailed monitoring, logging, reporting, and statistics
- Server host authentication management

2 CD Contents

The SSH Tectia Manager CD-ROM contains the following files:

2.1 Sun Solaris Binaries

    ssh-mgmt-agent-2.2.1-sparc-solaris2.6-10.pkg.Z
    ssh-mgmt-server-2.2.1-sparc-solaris8-10.pkg.Z

2.2 Linux Binaries

    ssh-mgmt-agent-2.2.1-1.i386.rpm
    ssh-mgmt-server-2.2.1-1.i386.rpm

2.3 AIX Binaries

    ssh-mgmt-agent-2.2.1-aix4.3.bff.gz
    ssh-mgmt-agent-2.2.1-aix5.x.bff.gz

2.4 HP-UX Binaries

    ssh-mgmt-agent-2.2.1-sd-11.00.depot.gz
    ssh-mgmt-agent-2.2.1-sd-11.22.depot.gz

2.5 Microsoft Windows Binaries

    SSH Tectia Manager 2.2.1.msi

2.6 Documentation

    index.html (CD contents front page)
    SSHTectiaManager_AdminManual.pdf (+ .html)
    SSHTectiaManager_ProductDescription.pdf (+ .html)
    SSHTectia_DeploymentGuide.pdf (+ .html)

2.7 Third-Party Software

Use of the Oracle 9.x database has been tested with a third-party
driver from OpenLink Software (http://www.openlinksw.com) and requires
Oracle client software to be installed on the Management Server.

OpenLink Single-Tier ODBC driver installation packages are available
for Sun Solaris (/install/openlink/solaris/) and Red Hat Linux
(/install/openlink/linux/) platforms (require a separate license from
OpenLink). Purchase details are described in Appendix A.5.2 Getting
the OpenLink Software in the Administrator Manual.

Microsoft Windows redistributables

    /install/windows/psapi/psinst.EXE
    /install/windows/windows-installer/InstMsiW.exe

3. SSH Tectia Manager 2.2.1

3.1 New Features in SSH Tectia Manager 2.2.x
--------------------------------------------

- Management Support for SSH Tectia client/server 5.1.x software
- Distribution Servers for environment scalability
- New managed host platforms:
  -- HP-UX 11i v2 on PA-RISC
  -- Microsoft Windows 2003 Server x64 Edition
- Precreated ICB to ease Initial Deployment
- Host search results can now be saved for later use
- Support for DNS aliases for managed hosts
- Improved FQDN detection on Unix and Windows
- Local host configuration file for reporting DNS aliases
- Support for virtual network interfaces in IP address detection
- Report on pending host jobs
- Management Agents now find binary installations from behind symlinks
- Performance enhancements to host certificate enrollment
- SSH Tectia Client (F) can now be installed with or without the
  terminal component

3.2 Fixes
---------

In 2.2.1

- All platforms: Fixed RSA signature forgery vulnerability in SSH
  Tectia Client, Connector, Server and Manager products (CERT
  reference number VU#845620). Updating the Management Server to
  version 2.2.1 is sufficient; the Management Agent is not vulnerable.

In 2.2.0

- Host certificate enrollment is no longer attempted for hosts without
  an FQDN, if FQDN has been configured as a requirement for enrollment.
- Administration interface responsiveness has been improved during
  mass deployments of SSH Tectia 5.x software.
- SSH Tectia Connector tunnel configurations now properly support SSH
  Tectia Connector 4.4.x.
- SSH Tectia Connector 5.1.x will no longer need to be manually
  restarted for it to recognize a newly deployed configuration. The
  issue still remains in SSH Tectia Connector 5.0.x, and upgrading to
  version 5.1.0 is recommended.
- Initial deployment no longer fails if SSH Tectia Client 5.x is
  installed on the Management Server.
- Configuration deployment to Client/Server version 5.0.1 now works
  again.
- Host Info changes that have been reverted back to their original
  values after detection can now be approved and cleared.
- The Windows command line client version 4.x now receives the PKI
  certificate authentication configurations assigned to it.
- Fixed an issue which caused the initial deployment of Management
  Agent on Solaris hosts to fail in some circumstances.
- Missing SSH Tectia Server installation is now correctly reported
  during certificate enrollment attempt.
- Fixed an issue which caused a host to be reported as not connected,
  even though the Management Agent was active.
- Improved the reliability of SSH Tectia Server status reporting and
  start/stop/restart operations on both Unix and Windows.
- Software installation on 64-bit Windows and Red Hat Enterprise Linux
  now works.
- Search/Refresh button now refreshes the host list.
- SSH Tectia 5.x configuration files defined as XML are no longer
  truncated to about 4000 bytes.
- Corrected default value for the GSSAPI dll-path in SSH Tectia Server
  5.x configuration.
- Fixed an issue causing failure when 30 or more concurrent
  certificate enrollments were being performed.
- Improved Management Agent stability on Windows. If you still
  encounter unstable behavior with the Windows Agent, please report it
  to our technical support.
- Initial deployment of Management Agent to slow Unix machines is now
  more likely to succeed.
- Fixed an issue causing LDAP Bind based administrator authentication
  to not function on some Sun Solaris Management Server hosts.

3.2 Upgrade of SSH Tectia Manager

To upgrade SSH Tectia Manager to a new version, please see Section 2.6
Upgrading SSH Tectia Manager in the Administrator Manual.

It is recommended that the Sybase Management Database of SSH Tectia
Manager version 1.x is internalized during the upgrade process to
streamline future system maintenance operations.

SSH Tectia Manager 2.1.x Management Agent is able to connect to SSH
Tectia Manager 2.2.x Management Server. SSH Tectia Manager 2.1.x
Management Agents are centrally upgradable to Management Agent 2.2.x.
Upgrading is strongly recommended in order to gain full management
functionality.

As the FQDN detection has been improved to be more likely to return
the FQDN on a variety of platforms and host configurations, the
reported FQDN may change on some managed hosts due to the upgrade.
This will result in Host Info changes, which may, depending on your
configuration, need to be accepted in order to continue management
operations on hosts.

3.3 Known Issues

Management Server
=================

Administration Web Interface
----------------------------

- When using TLS client authentication, the administrator may, under
  some circumstances, be kicked out from the web administration GUI
  after one or more hours of use. If this happens, the administrator
  needs to log in again.
- Host certificate enrollment and configuration deployment are not
  available as a host operation type in the Advanced Host Search
  parameters.

Host Views and Groups
---------------------

- When deleting a host group, if one of its subgroups has an ICB file
  referencing it, an uninformative error message "Deleting the group
  failed." is given.
- Attempting to delete hundreds of hosts from a host group at the same
  time, when using an Oracle Management Database, results in an error.
  As a workaround, delete a hundred hosts or fewer at a time.

Software Deployment and Detection (Management Agent / Managed Software)
-----------------------------------------------------------------------

- The finished Initial Deployment installation job progress bars may
  display a progress percentage higher than 100%, for instance if the
  Management Server is stopped and restarted during the installation
  job.
- When software installation fails on Windows, the Management Agent
  does not remove the temporary directory where the installation
  packages were stored. The temporary directory is under
  C:\Program Files\SSH Communications Security\SSH Tectia Manager\.
- Uninstallation of SSH Tectia Client with EFT Expansion Pack from
  Unix hosts does not uninstall the SDK.

Configuration Management
------------------------

- Space or other illegal characters in Server 5.x authentication
  settings cause a broken configuration to be deployed.
- The sample configuration presented in Host info -> Configurations ->
  View is generated for a certain version of the managed software, and
  does not necessarily match the configuration that was last deployed
  to the host, or the version of the software that is currently on the
  host.
- If the FIPS mode is changed in a configuration update, the change is
  not reflected in the Host Info until the Management Agent performs a
  binary poll (the default interval is one hour).
- SSH Tectia Connector tunneling configurations are also deployed to
  Unix hosts, if they belong to host groups defined as source hosts in
  the tunneling rules.

Host Key Deployment
===================

- Host key deployment for configuring host trust relationships for
  host-based authentication with SSH Tectia Client/Server 5.x is not
  currently supported. Host key deployment for host authentication is
  supported.