AlterPath OnSite Release Notes
This document outlines the new features and bug fixes for the AlterPath
OnSite family of products (including BETA releases that are designated
with a letter after the version number).
V_1.1.0 May/15/06
(official initial release; upgrade from v_1.0.0)
UPGRADING FROM VERSION 1.0.0
Before upgrading an OnSite running firmware version 1.0.0,
a patch must be applied. A problem was found in the upgrade
procedure that may cause loss of new files or permissions. The
patch will be available for download by FTP from
the same URL as the new OnSite firmware. The
upgrading steps are as follows:
- Open a root shell session in the OnSite (ssh, telnet, or
console).
- Using FTP, download the file "patch_ons_v100.gz" from the
Cyclades FTP site into the /tmp directory
- Make /tmp the current directory (cd /tmp).
- Decompress and extract the file "patch_ons_v100.gz" (tar -xvzf
patch_ons_v100.gz)
- Execute the command /tmp/patch_ons_v100.sh
- Open an admin WMI session and click "Management" in the top menu.
- Click Firmware Upgrade in the left menu and enter all
required data, then submit.
- If a pop-up window appears with the message "[WARNING]There were errors when patching the configuration files.....", it means
that changes made by Cyclades could not be merged because they
conflict with changes done by the OnSite administrator. Before rebooting,
the OnSite administrator should check to see if the
changes made by Cyclades conflict or not. Normally, Cyclades adds
comments describing new parameters.
a) New features
- Security Enhancements
- More control over the services that are active at any time;
- Pre Defined Security Profiles;
- Web Manager login page is redesigned for a "plain vanilla"
screen featuring generic username and password fields;
- A Security Advisory message alerts the root user of
security impacts.
- LAN Bonding (Active Backup only)
- Achieves redundancy on the Ethernet devices;
- The standard Ethernet interface and one PCMCIA card act as
one unique interface, answering for the same IP address with the same MAC
address;
- No manual intervention is required when the primary
connection is lost or recovered;
- The failover is transparent and all connection sessions continue working with
no interruption.
- Display the MAC-48 address of the built-in Ethernet interface in the
Information/General menu
- Implement the PrintScreen menu key function for the OSD
- Allow the internal modem (AUX ports) to be disabled in the WMI
and from the CLI.
- Support the Adaptive KVM feature (RDP)
- Implemented ACS syslog message/SNMP trap on DCD functionality.
- Implemented an ftp/tftp server on the OnSite. The ftp/tftp servers
are disabled by default.
- New Linux command: the sudo command allows users from the admin
group to execute commands and utilities, and to edit configuration
files, that are registered in the sudoers file for configuring ONS
features.
- Timezone Enhancements
- The script set_timezone was removed from the image.
- There is a new "Custom" option to the Timezone
drop-down field on the Time/Date page. It allows the administrator to
configure the following parameters :
- Zone Label (for example: "Pacific")
- Standard Time Acronym (for example: "PST")
- GMT Off - The time in hours offset from GMT (plus or
minus) to get the standard time in the target time zone
- Daylight Saving Time Acronym (for example: "PDT")
- Save time - The length of time added to local standard
time to get daylight savings time in the target time zone
- Start Date - The month, day and time when daylight
savings starts in the target time zone
- End Date - The month, day and time when daylight
savings ends in the target time zone
- One Time Password (OTP): A new authentication type for
serial port access and for the dial-in modem PCMCIA card.
- Active Directory (AD) and VeriSign two-factor Radius
(LdapDownLocal-Radius) authentication: A new authentication type for access to
serial port and to the box itself by way of SSH or Telnet. It will not
work for any Web access.
To log on to an ACS, the user will need to be
successfully authenticated on the AD server first (Windows Server
2003) and then on the VeriSign two-factor Radius server.
- PPPD upgrade from 2.4.1 version to 2.4.3 version.
- This version has support for Extensible Authentication Protocol
(EAP) :
- EAP MD5-Challenge method
- EAP SRP-SHA1 method
- The EAP is the default when no authentication method is
configured. If having the peer authenticate itself is not required, the
option "noauth" in the PPPD configuration will have to be
included.
- OpenSSH upgrade from 4.1p1 to 4.3.p1.
- The following INFO syslog message is generated when one CAS
session is established:
- APPLICATION: User [<username>] connected to port
[<number of serial port>] (ttyS<number of serial port>) via
socket ssh
- X.509 - support for X.509 certificates
- The SSHD keys are generated in the first boot of this version
(the SSHD will be able to accept connections after the generation of the
keys).
- If you use PuTTY, you need to upgrade its version to 0.58 (the
PuTTY had one bug that was fixed in the current
version).
- Data Buffering Enhancements:
- New parameter "sXX.data_buffering_sess" in the PortSlave
configuration determines whether or not data is buffered when a user is
connected to the port
- New option for the "sXX.dont_show_dbmenu" parameter. When it is
configured, the data buffering menu is not shown, but the data
buffering file is displayed (if not empty) and the file is erased.
- Group Authorization Enhancement: Retrieves "group" information from the
authentication servers (TACACS+, RADIUS and LDAP) in order to perform a
kind of "network-based" authorization.
- Power Management Enhancements:
- The admin can control the state of one group (multi-outlet device)
as well as controlling the state of individual outlets in that group.
This results in a better way to control and monitor the state of the
outlets for such devices.
- In the Web interface, power management has been implemented in a new page called
"Multi-Outlet Control" located under IPDU Power Mgmt.
- In the command line interface, when the pm command is called
without providing a parameter, the following menu appears (when a number is used
as argument it will behave as it always has):
- Exit
- Individual ipdus
- Multi-outlet devices
- Info
- IPMI Enhancements:
- Management of IPMI devices is done using the ipmitool 1.6.0.
- New page has been implemented in the Web interface. "IPMI Power
Mgmt" is located in the Applications Menu.
- The device configuration has been implemented in the CLI command.
- Web Interface - new or changed pages
- Ports Menu
- Ports Statistics - Table where the columns
represent the following fields: serial port number, serial port alias,
baud rate, tx bytes (bytes sent), rx bytes (bytes received),
frame (error), parity (error), and overrun (error).
- Applications Menu
- IPDU Multi-Outlet Ctrl - Manages groups of outlets (multi-outlet devices)
- IPMI Power Mgmt. - Adds IPMI devices and manages them.
- Connect - A pop-up window with 3.000 lines of scroll and
with the Copy/Paste functionality
- Network Menu
- Syslog - Allows the admin to configure filters by level
- PCMCIA Management in Configure Pop-up - Have added CDMA as card
type
- Help Buttons have been removed temporarily.
- PortSlave - new protocols
- Console (telnetSSH) - Allows the client to access the serial
port using Telnet or SSH connection. For example, it allows any Telnet or SSH
connection to access the serial port.
- Bidirectional Telnet (dynamic mode) - Support for “socket_server” and
“login” mode. When the enter key is typed on the terminal connected to
the serial port, ACS presents the login banner and prompts the user at
the terminal. When idle, the ACS accepts
Console(telnet).
- generic_dial - Generic Dial Framework will control this
port.
- Upgrade of OpenSSL to 0.9.8
- This product is not affected by the vulnerability "SSL 2.0
Rollback (CAN-2005-2969)"
- Upgrade of ZLIB to 1.2.3 - Version 1.2.3 eliminates
potential security vulnerabilities in zlib 1.2.1 and 1.2.2
(CAN-2005-1849).
- Eliminates a potential security vulnerability when decoding
invalid compressed data
- Eliminates a potential security vulnerability when decoding
specially crafted compressed data
- Kerberos - Patch applied that fixes potential security
vulnerability (CAN-2005-1689, VU#623332)
- Have included support for the following PCMCIA cards:
- Xircom-XE2000 10/100 Network PC Card Adaptor
- Option Wireless-GlobeTrotter Universal Tri-band GPRS/GSM
PC-Radio Card
- Growell-iCARD800 CDMA 1XRTT GW-1031C
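The CAS session syslog message listed under the OpenSSH upgrade above can be parsed for access review. The following is an added example, not code from Cyclades; the sample log lines, including their timestamp and host prefix, are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. The message body follows the format in the
# release note; the timestamp/host prefix of each sample line is constructed.
sample_log() {
cat <<'EOF'
May 15 10:02:11 onsite-lab APPLICATION: User [alice] connected to port [3] (ttyS3) via socket ssh
May 15 10:05:40 onsite-lab APPLICATION: User [bob] connected to port [7] (ttyS7) via socket ssh
May 15 10:06:02 onsite-lab sshd[412]: Accepted password for alice from 192.0.2.10 port 51514 ssh2
May 15 10:09:13 onsite-lab APPLICATION: User [alice] connected to port [7] (ttyS7) via socket ssh
May 15 10:11:00 onsite-lab APPLICATION: User [eve] connected to port [3] (ttyS4) via socket ssh
EOF
}

# Emit "user port transport" for each well-formed session message on stdin.
# The \2 backreference requires the bracketed port number to equal the ttyS
# number, so a line whose two port fields disagree is dropped as malformed.
parse_cas_sessions() {
    sed -n 's/^.*APPLICATION: User \[\([^] ][^] ]*\)] connected to port \[\([0-9][0-9]*\)] (ttyS\2) via socket \([a-z][a-z]*\)$/\1 \2 \3/p'
}

# List serial ports that more than one distinct user has connected to.
shared_ports() {
    parse_cas_sessions | awk '
        { key = $2 SUBSEP $1
          if (key in seen) next
          seen[key] = 1
          users[$2] = (users[$2] == "" ? $1 : users[$2] "," $1)
          count[$2]++ }
        END { for (p in count) if (count[p] > 1) print "ttyS" p ": " users[p] }' | sort
}

sample_log | shared_ports
```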
b) Bug fixes
- All known bugs from previous version.
- SSH connections to the box/unit are being dropped after one
minute of idle (bug#5915)
- The information in the Radius's configuration file
(/etc/raddb/server file) is not enough to configure the server editing
the file (bug#5414).
- Web Interface:
- Wizard mode: "Step 3 : Port Profile" does not have any way to
enable the serial ports (bug#5854)
- The limit for the LDAP server field was increased from 15 to 39
(bug#5612)
- The NTP server field accepts only IP addresses (bug#5389)
- The "IPDU Power Mgmt - Users Manager" screen crashes the Web
Interface when there are too many users (bug#6211)
- After the secure profile has been configured, the Access Tab
shows Kerberos as selected in the Type field (bug#6256)
- The hostname configuration is not working well (bug#6040).
- Multiple-sessions (CAS profile)
- All sessions are blocked when the TCP window is "0" for one
session (bug#5994)
- The menu is shown when it is configured as RW_session
(bug#6245)
- TIMEZONE: Issues occurring with the timezone
configuration (bug#5416).
- Kerberos Tickets with ts_menu is not working (bug#5922)
- The change of an outlet's state is not being registered as a
notification event (bug#6251)
- DHCP active plus 1.) data buffering or 2.) DCD regards or 3.)
multiple session: The run configuration drops all CAS sessions
(bug#6271 and bug#6521)
- CAS session: IPMI power menu gets stuck if an invalid
option/choice is selected. (bug#5681)
- If "regard DCD" is configured in serial port XX, the first
attempt to access XX will always fail (bug#6133)
- When using RSA SecurID server as the Radius server, "next
tokencode" mode is no longer working (bug#5892)
- During data transfer to a serial port using the ts_menu program,
some data get lost (bug#6527).
- SLIP protocol does not work (bug#6567)
c) Known Bugs
d) Change Log
- PPP upgrade : The EAP is the default when no authentication
method is configured. If you do not require the peer to authenticate
itself, you need to include the option "noauth" in the PPPD
configuration.
- The script set_timezone was removed from the image.
- The /etc/ssh/sshd_config file was changed to configure the
parameter LoginGraceTime (the ACS disconnects after this time if the
user has not successfully logged in) to 3m (three minutes). This is
necessary for clients who use the RSA SecurID server as the Radius Server.
- In the CLI, the label to configure the "sXX.syslog_sess"
parameter was changed from "buffersyslogeverytime" to
"buffersyslogonlynosession" to be consistent with
the WebUI checkbox.
Configure the "sXX.syslog_sess" parameter using the following command:
cli>config physicalports ['all' | range] databuffering
buffersyslogonlynosession ['yes' | 'no']
where: "yes" = The syslog message will be generated only when
there is no connection to the port
"no" = The syslog message will be generated every time.
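The PPP "noauth" and sshd LoginGraceTime entries in this change log both affect authentication, so they are worth checking after an upgrade. The following is an added example, not vendor code; /etc/ssh/sshd_config is the path named above, while the pppd options file location is an assumption, so both paths are passed as arguments and the demo uses constructed files.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# sshd uses the first uncommented occurrence of a keyword; keywords are
# case-insensitive. Prints the value, or "unset" if the keyword is absent.
login_grace_time() {
    awk 'tolower($1) == "logingracetime" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Line numbers in a pppd options file where "noauth" is active.
# Text after "#" is a comment and is stripped before matching.
pppd_noauth_lines() {
    awk '{ sub(/#.*/, "")
           for (i = 1; i <= NF; i++) if ($i == "noauth") { print NR; break } }' "$1"
}

# usage: audit_auth_settings SSHD_CONFIG PPPD_OPTIONS
audit_auth_settings() {
    grace=$(login_grace_time "$1")
    case "$grace" in
        unset) echo "sshd: LoginGraceTime not set, daemon default applies" ;;
        0)     echo "sshd: LoginGraceTime 0, unauthenticated connections never time out" ;;
        *)     echo "sshd: LoginGraceTime $grace" ;;
    esac
    lines=$(pppd_noauth_lines "$2" | tr '\n' ' ')
    if [ -n "$lines" ]; then
        echo "pppd: noauth active on line(s) ${lines% }, peer is not required to authenticate"
    else
        echo "pppd: noauth absent, peer must authenticate (EAP by default)"
    fi
}

# Constructed sample files: a commented-out and an active LoginGraceTime,
# and a pppd options file with one commented and one active noauth.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#LoginGraceTime 2m' 'Protocol 2' 'LoginGraceTime 3m' > "$d/sshd_config"
    printf '%s\n' 'lock' '# noauth' 'crtscts noauth   # dial-in test' > "$d/options"
    audit_auth_settings "$d/sshd_config" "$d/options"
    rm -rf "$d"
}
demo
```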
e) Warning
- Support for RTS legacy half duplex will be obsolete in
future versions. The values "rs232_half" and "rs232_half_cts" for the
media parameter will not be supported in future versions.
V_1.0.0 Jun/13/05
(official initial release)
a) Bug fixes
N/A
b) Known Bugs
- BTS #3946: OID value cannot be skipped
when configuring SNMP v3 through OSD.
Workaround: use web interface to configure SNMP v3 with optional OID.
- BTS #3623: Aux port configuration
cannot be done through OSD.
Workaround: use web interface to configure auxports.
- BTS #3941: Resetting KVM terminator
while IP viewer is open locks up the web manager.
Workaround: close the IP viewer first before doing microcode reset.
- BTS #3897: Same power outlet can be
assigned to more than one KVM port.
- BTS #3788: Physical insertion of
PCMCIA card cannot be detected by card manager.
- BTS #3901, #3928, #3929: IPDU power
management shows wrong information when PM unit is removed.
Workaround: restart pmd process.
- BTS #3884: Suspending zoom modem card
causes kernel panic.
- BTS #3692: The option –auth of ts_menu
does not work properly.
- BTS #3728: Port name length is not
consistent between OSD and Web management interface.
- BTS #3878: Help pages of “Microcode
Reset” and “Microcode Upgrade” and “KVM User Status” pages contain
invalid information.
- BTS #3612: Syslog will show syntax
error if invalid power management outlet is assigned to kvm port.
Workaround: assign port with valid outlet number.
- BTS #3840: Syslog shows syntax error
if dhcp is disabled, but no IP address is given to the box.
Workaround: assign a valid IP after dhcp is disabled.
- BTS #3874: No horizontal scale in
temperature history.
- BTS #4057: When deleting an action in
the terminal menu configuration of CLI, it causes segmentation fault.
- BTS #4062: Date info is missing from
OSD “System Info”.
- BTS #3966: Changes made through WMI
corrupt values in OSD configuration.
- BTS #4049: There is no option to
configure data buffering destination through CLI.
- BTS #4055: “.” in the beginning of OID
values cannot be read back correctly when editing.
- BTS #4046: Duplicated power outlet
numbers can be assigned to the serial port.
- BTS #4060: Power outlet configuration
assigned to KVM port is lost when rebooting without PM connected.
- BTS #4045: “reload” button in WebUI
power management form does not work correctly.
- BTS #4044: The power outlet configured
through WebUI cannot be changed in OSD.
- BTS #4058: “ACS” reference in the file
/etc/hosts.lpd.
- BTS #3723: Menush can not handle error
input properly.