Proventia Server for Linux 1.5.2 Fix Pack 1 README ======================================================================== ======================================================================== ABSTRACT ======================================================================== Proventia Server for Linux 1.5.2 fix pack 1 installation package. This cumulative installation increments the agent version to 1.5.2.1. ======================================================================== SUMMARY ======================================================================== Readme file for: Proventia Server for Linux Product/Component Release: 1.5.2.1 Update Name: 1.5.2-ISS-PSL-LinuxIntel-FP001 Platforms: All Intel architecture platforms Publication date: May 25, 2012 Last Modification date: May 25, 2012 © Copyright IBM Corporation 2012. Please read this document in its entirety. ======================================================================== CONTENTS ======================================================================== * List of enhancements * List of APARs addressed * List of internally identified defects addressed * Installation information * Additional information * Files included in this update * Contacting IBM Support ======================================================================== LIST OF ENHANCEMENTS ======================================================================== 1. Web server SSL traffic inspection is extended to support the following Web servers. A leading '*' indicates a newly supported Web server. o Apache 2.0 32-bit (on 32-bit operating systems) o Apache 2.2 32-bit (on 32-bit operating systems) o * Apache 2.2 32-bit (on 64-bit operating systems) o * Apache 2.2 64-bit o * IBM HTTP Server 7.0 32-bit (on 32-bit or 64-bit operating systems) o * IBM HTTP Server 8.0 32-bit (on 32-bit or 64-bit operating systems) o * IBM HTTP Server 8.0 64-bit Support for Web server SSL traffic inspection for newly supported Web servers is enabled after installing the fix pack by running a new command, /opt/ISS/etc/configure_mod_rs. Information for running this command can be found in the section below "CONFIGURING WEB SERVER SSL TRAFFIC INSPECTION INFORMATION" ======================================================================== LIST OF APARS ADDRESSED ======================================================================== No APARs are addressed by this fix pack. ======================================================================== LIST OF INTERNALLY IDENTIFIED DEFECTS ADDRESSED ======================================================================== The following internally identified defects are resolved by this fix pack: 14070 32-bit Web servers running on 64-bit platforms can not be protected with the SSL protection module. 14079 Web server module does not handle PAM tuning parameters. ======================================================================== INSTALLATION INFORMATION ======================================================================== The fix pack is provided as two self-extracting shell archives (shars). One is specific to RedHat distributions and one is specific to SuSE distributions. Each shar applies the fix pack to an existing Proventia Server for Linux 1.5.2 installation. Do not install the fix pack on a system that does not already have Proventia Server for Linux 1.5.2 installed. To install the fix pack: As the root user run the shar file corresponding to the Linux distribution you have Proventia Server for Linux 1.5.2 already installed on. On RedHat systems: # sh ./1.5.2-ISS-PSL-LinuxIntel-RHEL-FP001.sh On SuSE systems: # sh ./1.5.2-ISS-PSL-LinuxIntel-SLES-FP001.sh For complete information about hardware and software compatibility, see the detailed system requirements document at http://publib.boulder.ibm.com/infocenter/sprotect/v2r8m0/topic/com.ibm.psl.doc_1.5/concepts/psl_pdf_container.htm If the Proventia Server services are running when the fix pack is installed, then the services are automatically stopped and restarted. The agent version might be displayed as 1.5.2 because the iss-spa service can be started to send a heartbeat to SiteProtector while Fix Pack 1 is being installed. After Fix Pack 1 is installed and the iss-spa service sends another heartbeat to SiteProtector, the agent version will appear correctly as 1.5.2.1. ======================================================================== CONFIGURING WEB SERVER SSL TRAFFIC INSPECTION INFORMATION ======================================================================== Support for Web server SSL traffic inspection for newly supported Web servers is enabled after installing the fix pack by running a new command. The new command has the following syntax: # /opt/ISS/etc/configure_mod_rs APACHE_BIN APACHE_CONF where: APACHE_BIN is the full path to the Web server's apachectl or httpd programs. For IBM HTTP Server specify the apachectl program. For Apache specify the httpd program. APACHE_CONF is the full path to the Web server's configuration file. For example, to enable SSL traffic inspection for an IBM HTTP Server Web server installed to the /opt/IBM/HTTPServer directory the configure_mod_rs command should be executed as: # /opt/ISS/etc/configure_mod_rs /opt/IBM/HTTPServer/bin/apachectl \ /opt/IBM/HTTPServer/conf/httpd.conf The Web server must then be restarted. ======================================================================== ADDITIONAL INFORMATION ======================================================================== Packet data is stored in the socket receive buffer of the kernel. If this buffer becomes full, PSL receives ENOBUF errors on the socket and the packet is dropped. To prevent this situation from occurring, you can use the following tuning parameters to increase the socket buffer size: net.core.rmem_default net.core.rmem_max Implement these parameters when you install the fix pack. You must restart the Proventia Server for Linux sensor to ensure that the new socket buffer size is used by the sensor. If your network performance continues to degrade after you install this fix pack, then you must implement and tune these parameters. System Administrators can determine whether these parameters need to be tuned by monitoring the /proc/net/ip_queue file for the amount of "netlink drops" received. To implement the tuning parameters: 1. Verify existing settings by using the command: # sysctl -a | grep core.rmem 2. Ensure that the minimum recommendation of 4194304 is set: # sysctl -w net.core.rmem_max=4194304 # sysctl -w net.core.rmem_default=4194304 NOTE: This setting is fine for most scenarios, but if you determine that it is inadequate for your system, then increase it in 1 MB increments. 3. Repeat Step 1 to verify the setting. 4. Restart the sensor. This procedure will not be persistent across reboots of the system. To ensure that these settings stay persistent, add the new values to the file /etc/sysctl.conf. Example: Edit /etc/sysctl.conf Add net.core.rmem_default = 4194304 net.core.rmem_max = 4194304 ======================================================================== FILES INCLUDED IN THIS UPDATE ======================================================================== The files included in this update and their MD5 check sums are: a65c413d0c62d551c4a2e12b363c7356 *1.5.2-ISS-PSL-LinuxIntel-RHEL-FP001.sh 2fa82ef3c4c51d2790772a583ecec2ff *1.5.2-ISS-PSL-LinuxIntel-SLES-FP001.sh ======================================================================== CONTACTING IBM SUPPORT ======================================================================== To Contact IBM Support Worldwide Phone: Call IBM Support by selecting phone number from this location: http://www.ibm.com/planetwide When prompted for type of support, select option 2 for Software Support. You will need to provide your IBM Customer Number (ICN). Electronically: Go to https://www.ibm.com/support/servicerequest and open a new service request. ===========================================================================