------------------------------------------------------------
(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.
------------------------------------------------------------

Release Notes for SSH Tectia Manager 6.0.2
30 June 2008

Table of Contents

1 About This Release
2 CD Contents
  2.1 Sun Solaris Binaries
  2.2 Linux Binaries
  2.3 AIX Binaries
  2.4 HP-UX Binaries
  2.5 Microsoft Windows Binaries
  2.6 Documentation
  2.7 Third-Party Software
3 SSH Tectia Manager 6.0.2
  3.1 New Features
  3.2 Fixes
  3.3 Upgrade of SSH Tectia Manager
  3.4 Known Issues

1 About This Release
--------------------

SSH Tectia Manager is a security management platform designed for the
centralized management of SSH Tectia software in large environments.
It provides:

- Efficient software deployment and upgrades throughout the
  environment
- Centralized enforcement of configurations and security policies
- Increased visibility for the administrators and auditors into the
  environment through detailed monitoring, logging, reporting, and
  statistics
- Server host authentication management

NOTE: Because of variations in the target hosts, the automatic initial
deployment feature is not guaranteed to work for all hosts. In SSH
Tectia Manager 6.0, the initial deployment is disabled by default in
the administration interface and will be discontinued in future
releases.

SSH Tectia Manager 6.0.2 is the first maintenance release in the 6.0
series.

2 CD Contents
-------------

The SSH Tectia Manager CD-ROM contains the following files:

2.1 Sun Solaris Binaries

  ssh-mgmt-agent-6.0.2.-solaris-2.6-10-sparc.pkg.Z
  ssh-mgmt-server-6.0.2.-solaris-8-10-sparc.pkg.Z
  ssh-mgmt-agent-6.0.2.-solaris-10-x86_64.pkg.Z

2.2 Linux Binaries

  ssh-mgmt-agent-6.0.2.-linux-x86.rpm
  ssh-mgmt-server-6.0.2.-linux-x86.rpm

2.3 AIX Binaries

  ssh-mgmt-agent-6.0.2.-aix-4.3-powerpc.bff.Z
  ssh-mgmt-agent-6.0.2.-aix-5.x-powerpc.bff.Z

2.4 HP-UX Binaries

  ssh-mgmt-agent-6.0.2.-hpux-11.x-hppa.depot.Z
  ssh-mgmt-agent-6.0.2.-hpux-11i-ia64.depot.Z

2.5 Microsoft Windows Binaries

  ssh-mgmt-agent-6.0.2.-windows-x86.msi

2.6 Documentation

  index.html (CD contents front page)
  SSHTectiaManager_AdminManual.pdf (+ .html)
  SSHTectiaManager_ProductDescription.pdf (+ .html)
  SSHTectia_DeploymentGuide.pdf (+ .html)

2.7 Third-Party Software

  Microsoft Windows redistributables
  /install/windows/psapi/psinst.EXE
  /install/windows/windows-installer/InstMsiW.exe

3 SSH Tectia Manager 6.0.2
--------------------------

3.1 New Features
----------------

New Features in SSH Tectia Manager 6.0.2
----------------------------------------

* Support for new SSH Tectia 6.0.2 features and options
* New Management Agent Platform:
  - VMware ESX 3.5
* New Management Server Platform:
  - Red Hat Enterprise Linux 5.1

New Features in SSH Tectia Manager 6.0.0
----------------------------------------

* Support for the new SSH Tectia ConnectSecure 6.0 product
* Support for SSH Tectia Client/Server 6.0 products
* New SSH Tectia Client configuration GUI
  - New, easier-to-use configuration interface
  - New configuration options:
    - FTP-SFTP conversion configuration
    - Transparent FTP tunneling configuration
  - Configuration deployment to individual and selected hosts
* Solaris 10 Zones support on the Management Server and the
  Management Agent.
* New Management Agent Platforms:
  - Microsoft Vista, Vista x64 (x86)
  - HP-UX 11i v3 (PA-RISC, IA64)
  - Sun Solaris 10 (x86-64)
  - Red Hat Enterprise Linux 5 and 5.1 (x86, x86-64)
  - SUSE Linux Enterprise Server 10 (x86, x86-64)
  - SUSE Linux Enterprise Desktop 10 (x86, x86-64)
* A command-line tool option to export SSH Tectia Manager users'
  information from the database and output it in Tab Separated Values
  (TSV) format.

3.2 Fixes
---------

In 6.0.2:

- The filter engine tunnel configuration is now fixed to handle the
  address value 'Any' correctly.
- All transparent tunneling rules are now allowed without a profile,
  so that Tectia Client and ConnectSecure can use the default
  profiles.
- In previous versions, SSH Tectia Manager required the TLS
  certificate used for LDAP authentication to be valid for at least
  7 days. This validity period is now changed to 5 minutes.
- Internal CAs can now be deleted correctly.
- Admin groups can now be edited correctly.
- The password change rule for Unix platforms is now correctly
  handled in all cases.
- Manager no longer overwrites configurations with local changes when
  autodeploying them after product installs/upgrades.

In 6.0.0:

- The Management Agent now correctly detects products where both a
  symlink to the binary and the binary itself are detected. The Agent
  now also detects relocated products that are found only via a
  symlink.
- The management interface now has a check to prevent configuration
  of a certificate renewal margin longer than the certificate
  validity period.
- The 'Secure Shell Summaries' report now shows the data in a table
  instead of a graph.
- SSH Tectia Manager now has a new 'Secure Shell products' report
  that shows the amounts of different "product packages" that are
  installed into the host group.
- The number of tunneling elements in local-tunnel settings is now
  unlimited. In previous versions the limit was 20 elements.
- The configuration delete action now gives a more verbose output in
  case the hosts or groups have assignments that prevent the delete
  action.
- Changing the SSH Tectia Manager default TCP ports is now documented
  in the SSH Tectia Manager Administrator Manual.
- All the selector values in the configuration GUI are now validated.
- The Management Agent upgrade now shuts down the old agent process
  correctly on AIX platforms.
- A new option has been added to the ssh-mgmt-db-isql tool to allow
  database backup even when the database validation fails.
- The configuration GUI now creates correct host-based authentication
  server configurations.
- The Management Agent syslog pattern now also works on Solaris
  platforms.
- SSH Tectia Client/Server installations and versions on Solaris
  64-bit platforms are now reported correctly.
- The configuration GUI now validates the contents of the attribute
  and element fields.
- SSH Tectia Manager no longer creates or shows invalid certificates
  in the CA certificate selection list.
- The 5.x server configuration revision numbers are now correctly
  shown in the version column.
- SSH Tectia Manager now creates the password change rule
  automatically for every Unix host.
- Viewing of the PKI configuration audit logs is now fixed.
- The certificate enrollment functionality has been enhanced to
  handle shorter renewal margins.
- SSH Tectia Manager can now be used to configure the Compression
  option of SSH Tectia Client, Connector and ConnectSecure.
- In previous versions, configuration deployment occasionally showed
  wrong target host groups. This is now fixed.
- The group name menu format is now unified everywhere in the GUI to
  be View:Group:Subgroup.
- The Management Agent upgrades on a Distribution Server hierarchy
  are now first executed on the highest level, and the lower levels
  will start the upgrade only after the higher level upgrade has been
  completed. This ensures that all Management Agents get upgraded and
  will function correctly.
- The SFTP log messages can now be configured from the management
  configuration GUI.
- SSH Tectia Manager now supports installation of the 'ft-only' and
  'ftp-sftp' conversion options.
- SSH Tectia Manager no longer allows multiple admin groups with the
  same name.
- SSH Tectia Manager no longer allows multiple ICB files with the
  same name.
- SSH Tectia Manager no longer allows multiple identically named
  groups under the same parent group. Groups can now also be moved to
  the top level.
- SSH Tectia Manager no longer omits the normal host key from the
  server configuration file when a host certificate has been enrolled
  for the host.

3.3 Upgrade of SSH Tectia Manager
---------------------------------

To upgrade SSH Tectia Manager to a new version, please see Section 2.6
Upgrading SSH Tectia Manager in the Administrator Manual.

SSH Tectia Manager 2.4.x Management Agent is able to connect to SSH
Tectia Manager 6.0.2 Management Server. SSH Tectia Manager 2.4.x
Management Agents are centrally upgradeable to Management Agent 6.0.2.
Upgrading is strongly recommended in order to gain full management
functionality.

The 5.x Client configuration GUI on Manager 2.4.x is not compatible
with the new configuration interface on 6.0.2. Old 5.x Client
configurations are stored under 'Legacy configs' and must be
re-configured into the new G3 configuration interface. The 'Legacy
configs' tab will be removed in future releases.

The 5.x Server configurations on Manager 2.4.x are compatible with the
new G3 configuration on 6.0.2 and can be used as before.

The old 5.x server configurations on Manager 2.3 and earlier are not
compatible with the new configuration interface on 6.0.2. All the old
server configurations will be discarded during the upgrade.

If OpenLink ODBC drivers (on SSH Tectia Manager 2.2 and earlier) have
been used to connect to an Oracle Management Database, they will no
longer be used after the upgrade. Instead, native support via Oracle
Call Interface is used.
The OpenLink drivers can be uninstalled after the upgrade.

3.4 Known Issues
----------------

Management Server and Database
------------------------------

- If the management engine process is stopped or killed in an unclean
  manner (SIGKILL for example), it may leave the database process
  running. This causes a restart of the management engine process to
  fail. The dbeng8 process must be manually killed before restarting
  the engine process.
- Running ssh-mgmt-engine with the -V or -h options causes
  temporarily high CPU load and may take several minutes to produce
  any output.

Administration Web Interface
----------------------------

- The Internet Explorer browser occasionally closes the Management
  Server GUI sessions when a user is authenticated with certificates.
  If the session is closed, a new session can be opened but all the
  unsaved session information is lost. Use other browsers or update
  your IE version to the latest one to get more reliable
  functionality.
- If the Management GUI session times out, all unsaved information
  (for example, in the configuration page the user was editing) is
  cleared. Save the configurations right after editing to avoid
  losing data.
- Host certificate enrollment and configuration deployment are not
  available as a host operation type in the Advanced Host Search
  parameters.

Host Views and Groups
---------------------

- There may be a delay of several minutes on Windows hosts before
  their Management Connection indicator is updated after they are
  shut down.

Software Deployment and Detection (Management Agent / Managed Software)
-----------------------------------------------------------------------

- The management GUI might not report SSH Tectia Server 4.x
  installations correctly.
- When software installation fails on Windows, the Management Agent
  does not remove the temporary directory where the installation
  packages were stored. The temporary directory is under
  C:\Program Files\SSH Communications Security\SSH Tectia Manager\.
- Uninstallation of SSH Tectia Client with EFT Expansion Pack from
  Unix hosts does not uninstall the SDK.
- Upgrading SSH Tectia Connector 4.x to 5.x may fail under some
  circumstances if the host also has SSH Tectia Client 4.x installed.
- Due to an issue in SSH Tectia Server 5.x, starting the server will
  report success even if the server failed to start. The status of
  the server will be updated to "not running" after some time.
- Running a Distribution Server on the same host as the Management
  Server is not supported. However, attempting to turn the Management
  Agent on the Management Server host into a Distribution Server is
  not prevented, but will result in a failure.
- Upgrading the Management Agent via the Management Connection may in
  some circumstances leave temporary files in the system default
  /tmp/ directory, typically named /tmp/fileXXXXXX or
  /tmp/agent-XXXXXX.
- Upgrading SSH Tectia Client 4.4.x to SSH Tectia 5.x/6.x on a
  Windows host which also has SSH Tectia Server 5.x will require a
  reboot. As a workaround, you can uninstall SSH Tectia Client 4.4.x
  before installing SSH Tectia Client 5.x/6.x.

Configuration Management
------------------------

- If the FIPS mode is changed in a configuration update, the change
  is not reflected in the Host Info until the Management Agent
  performs a binary poll (the default interval is one hour).
- SSH Tectia Connector/ConnectSecure tunneling configurations are
  also deployed to Unix hosts, if they belong to host groups defined
  as source hosts in the tunneling rules.
- The option for setting the FIPS mode is missing from the SSH Tectia
  Client 4.x UNIX configuration.
- The Manager configuration GUI cannot be used to configure an empty
  "passthrough applications" field. If an empty "passthrough
  applications" field is defined, the Windows Management Agent
  corrupts the passthrough field in the Windows registry.

Host Key Deployment
-------------------

- Host key deployment for configuring host trust relationships for
  host-based authentication with SSH Tectia Client/Server 5.x is
  currently not supported. Host key deployment for server host
  authentication is supported.