Reflection for Secure IT UNIX Client and Server 7.1 Service Pack 2 (SP2) Release Notes

Reflection for Secure IT UNIX Client and Server 7.1 Service Pack 2 (SP2) is available for maintained customers. This technical note provides information about how to obtain your service pack and a list of fixes included in SP2, as well as those originally included in SP1.

Before you apply the service pack, note the following:

• This document references a Reflection service pack. Service packs are available to licensed Attachmate customers with current maintenance plans for these products.
• Reflection for Secure IT UNIX Client and Server version 7.1 SP2 is a full product installation and does not require 7.1 to be installed.
• For information about logins and accessing the Download Library, see KB 7021965.
• For a list of features originally included in Reflection for Secure IT UNIX Client and Server 7.1, see KB 7021943.
• For information about the Reflection PKI Services Manager 1.1 release, see KB 7021872.
• Reflection for Secure IT version 8.0 is available beginning in November 2012. For a list of new features in 8.0, see KB 7022091.

Obtaining Your Service Pack

Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For more information about logging into and using the Download Library, see KB 7021965.

Note: If you download a Sun Solaris, HP-UX, or IBM AIX package using Internet Explorer, the uppercase (.Z) extension is changed to lowercase (.z). You will need to rename the file name to use an uppercase Z before you can uncompress your files.

Installing Your Service Pack

Once you have downloaded your service pack, back up the /etc/ssh2 directory (which includes config files and host keys), uninstall your current version, and then install the service pack. Procedures for installing and uninstalling are available in the User Guide: https://docs.attachmate.com/reflection/rsit-ssh/7.1/unix/en/help/.

For more information about replacing an existing Secure Shell program (including using backup files to merge your non-default settings to the new configuration file), see KB 7021941 or the Help topic "Replace an Existing Secure Shell Program" in the User Guide, which is available from https://support.microfocus.com/manuals/rsit_unix.html.

New Features in 7.1 SP2

The following new features are included in Reflection for Secure IT UNIX Server and Client version 7.1 Service Pack 2.

Reflection for Secure IT UNIX Server

• Control smart file transfer options (Smart File Copy and Checkpoint Resume) with the SmartFileTransfer keyword.
• Support for subsystem specific PAM stacks using the PAMServiceNameForInternalProcesses and PAMServiceNameForSubsystems keywords.

Reflection for Secure IT UNIX Client

• Control whether or not an identical file will be transferred or skipped using the SmartFileCopy keyword.
• Control whether or not an interrupted file transfer will start over or continue from a partial transfer using the CheckpointResume keyword.
• Specify a command to use to connect to the server using the ProxyCommand keyword.

Additional Feature in 7.1 SP2

Reflection for Secure IT UNIX Server

• Support for Solaris Basic Security Model (BSM) Auditing.

Resolved Issues in 7.1 SP2

The following resolved issues are included in Reflection for Secure IT UNIX Server and Client version 7.1 Service Pack 2.

Reflection for Secure IT UNIX Server

• Running CDE and an X Server from the Console no longer produces a core dump.
• The server now starts when Solaris 10 is rebooted.
• The format Options allow-from="IP1", and allow-from="IP2" in the authorization file now work.
• The PamServiceName server keyword is now read in a user-specific subconfiguration file.
• The /etc/nologin file is now recognized on Solaris 10.
• Starting the UNIX server previously logged "sshd:" in the syslog on Red Hat Enterprise Linux 5, this message is now "sshd2: Startup complete."
• Stopping the UNIX server on Red Hat Enterprise Linux 5 no longer causes a "fatal Received signal 15; terminating" message in the syslog.
• Login attempts are now reset using the PAM module pam_tally.so.
• No longer see "sshd: -p shutdown failed" in /var/log/messages or /var/log/boot.log even though the server has shutdown successfully.
• Starting the server with the -i switch now results in an unknown option error and the server is not started.

Reflection for Secure IT UNIX Client

• Remote commands with spaces are correctly executed.
• Listing a file with the sftp client no longer fails when the file is under the directory with no read permission.
• Now able to change directories that have limited permissions with an sftp connection.
• "Can't get cwd" error no longer displays when attempting to transfer a file from the UNIX client v7.1 to a UNIX server v6.1.x using the scp client when there are no read permissions for the target directory.
• Sftp transfer method 'auto' now properly transfers files in ASCII or binary mode, depending on file extensions defined in the setext settings.

Supported Platforms in 7.1 SP2

For information about platform support in Reflection for Secure IT, see KB 7022010.

Note: The following platforms are no longer supported:

• Red Hat Enterprise Linux 3 (Intel x86)
• Red Hat Enterprise Linux 3 (x86-64)

Known Issue in 7.1 SP2

There is a known issue in Reflection for Secure IT UNIX Server 7.1 SP2 with scp commands and some scp clients, which results in an error message: "Error: unknown option -t" or "Error: unknown option -f." The problem description and resolution are provided in KB 7021955.

Resolved Issues in 7.1 SP1

The following resolved issues are included in the Reflection for Secure IT UNIX Server and/or Client version 7.1 Service Pack 1.

• The IgnoreRlogin server keyword, which is supported on AIX systems, now applies to all authentication methods and is no longer affected by the AIX ‘login’ user attribute.
• If the UNIX server is configured to run in FIPS mode, it will no longer start if the host key is a DSA key with an unsupported key size. (Previously, the server started, but connections failed as required by FIPS mode limitations.)
• Installation on Solaris 10 no longer reports pathname errors for man pages, which caused a partial installation.
• Changing the client LogLevel keyword no longer suppresses messages displayed to the client.
• The text contained in a banner message file is no longer logged to syslog as an error.
• The UNIX Server installation on AIX 6.1 no longer modifies the permissions of the /etc directory.
• The server now installs correctly to the non-global zones on Solaris.
• Global environment files are now read correctly when the server is installed to a non-default location.
• This upgrade fixes a problem that sometimes resulted in incorrect handling of end-of-line characters in ASCII file transfers.
• The ssh-add utility now writes informational messages to stdout. Previously these messages were sent to stderr.

Supported Platforms in 7.1 SP1

For information about platform support in Reflection for Secure IT, see KB 7022010.

Reflection PKI Services Manager 1.0 SP1

Attachmate Reflection PKI Services Manager 1.0 provides X.509 certificate validation services for Reflection for Secure IT 7.1. The PKI Services Manager service pack is available as a separate, optional download.

Note: For information about the current Reflection PKI Services Manager 1.1 release, see KB 7021872

Installing the Reflection PKI Services Manager Upgrade

Instructions for uninstalling and installing PKI Services Manager are available from the User Guide at https://docs.attachmate.com/reflection/PKI/1.0/en/help/pki_manager_install_unix_pr.htm.

If you are upgrading an existing copy of PKI Services Manager, note the following:

• You should uninstall the previous version before installing this upgrade.
• When you uninstall, your existing configuration directory is renamed based on the current date and time. For example, from:

• After you install the upgrade, copy any keys or configuration files that you want to continue to use from the back-up directory to the config directory, thereby replacing the default files created by the installation script.

Resolved Issue in PKI Services Manager SP1

• Unrecognized OIDs no longer cause an ASN error.

Legacy KB ID