Print | Rate this content

ADVISORY: Advisory for HP VMS SSL users on OpenVMS V8.4 for Integrity and Alpha platform

SUPPORT COMMUNICATION - CUSTOMER ADVISORY

Document ID: c02449766

Version: 1

ADVISORY: Advisory for HP VMS SSL users on OpenVMS V8.4 for Integrity and Alpha platform
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2010-07-29

Last Updated: 2010-07-29


DESCRIPTION

HP OpenVMS V8.4 includes HP VMS SSL V1.4 as a default system integrated product (layered product). Applications linked with HP VMS SSL V1.3 will not work as expected with the latest HP VMS SSL V1.4. Such applications need to be recompiled and then re-linked with HP VMS SSL V1.4 header files and libraries.

Why HP VMS SSL is not Backward Compatible?

The HP VMS SSL Version 1.4 for OpenVMS is based on the 0.9.8h base level of OpenSSL. HP VMS SSL Version 1.3 for OpenVMS is based on OpenSSL 0.9.7e. Some of the OpenSSL API’s, data structures and commands have changed from the version 0.9.7e to version 0.9.8h thus resulting in backward compatibility issues.

HP VMS engineering recommends the SSL dependent applications to be rebuilt with HP VMS SSL V1.4 shareable(s) as it includes the support for latest security updates.

In case of application noncompliance with the re-compilation/re-link requirement of HP VMS SSL V1.4 library, the OpenVMS operating system terminates the SSL dependent application processes with “ident mismatch with shareable image“ error as provided below:

$ run ssl_test

%DCL-W-ACTIMAGE, error activating image SSL$LIBSSL_SHR32

-CLI-E-IMGNAME, image file

DWLLNG$DKA500:[SYS0.SYSCOMMON.][SYSLIB]SSL$LIBSSL_SHR32.EXE

-SYSTEM-F-SHRIDMISMAT, ident mismatch with shareable image

$

The HP VMS SSL users on OpenVMS platform may benefit from this advisory as provided below if application migration from HP VMS SSL V1.3 to V1.4 is not possible immediately.

SCOPE

The following is the list of HP OpenVMS V8.4 products or components that are dependent on HP VMS SSL V1.4:
  • LDAP

  • ENCRYPT

  • Stunnel

  • HP System Management Homepage (HP SMH) for OpenVMS

  • HP WBEM Services for OpenVMS Integrity servers

  • HP OpenView Operations Agent for OpenVMS

  • OpenView Performance Agent (OVPA) for OpenVMS

  • Secure Web Server

  • ABS

  • HP Enterprise Directory

  • HPBINARYCHECKER

If OpenVMS V8.4 users choose to downgrade the HP VMS SSL version to V1.3, then the above listed products will not work. Also, HP VMS SSL V1.3 would not have the latest security patches/features.

RESOLUTION

If application migration to HP VMS SSL 1.4 is not possible immediately, a temporarily workaround solution is to define the process wide logicals for the application, to use the HP VMS SSL V1.3 shareable libraries. This could be done as stated below:
  1. Download SSL 1.3 kit from HP OpenVMS SSL website. Website link: http://h71000.www7.hp.com/openvms/products/ssl/ssl.html

  2. Extract the self extractable images

    $! For SSL V1.3 on an Integrity system

    $ RUN HP-I64VMS-SSL-V0103-0284-1.PCSI_SFX_I64EXE

    $! For SSL V1.3 on an Alpha system

    $ RUN HP-AXPVMS-SSL-V0103-0281-1.PCSI_SFX_AXPEXE

  3. The following files will get extracted:
    • On Alpha system

      • HP-AXPVMS-SSL-V0103-0281-1.PCSI$COMPRESSED
      • HP-AXPVMS-SSL-V0103-0281-1.PCSI$COMPRESSED_ESW
    • On Integrity system
      • HP-I64VMS-SSL-V0103-0284-1.PCSI$COMPRESSED
      • HP-I64VMS-SSL-V0103-0284-1.PCSI$COMPRESSED_ESW
  4. Extract SSL shareable libraries from the PCSI$COMPRESSED file

    $ PRODUCT EXTRACT FILE SSL /select= SSL$LIB*.exe /dest=[]/log

    The above command extracts the following four SSL shareable libraries in the current location.

    Example Output:

    %PCSI-I-CREFIL, created file

    DISK$I64SYS:[EXTRACTHERE.][000000]SSL$LIBCRYPTO_SHR.EXE;1

    %PCSI-I-CREFIL, created file

    DISK$I64SYS:[EXTRACTHERE.][000000]SSL$LIBCRYPTO_SHR32.EXE;1

    %PCSI-I-CREFIL, created file

    DISK$I64SYS:[EXTRACTHERE.][000000]SSL$LIBSSL_SHR.EXE;1

    %PCSI-I-CREFIL, created file

    DISK$I64SYS:[EXTRACTHERE.][000000]SSL$LIBSSL_SHR32.EXE;1

  5. Define the following four logicals that point to the V1.3 version of SSL shareable libraries in application startup procedure just before invoking the executable which is linked with HP VMS SSL V1.3. Please note that these are process wide logical and hence will not affect other applications.

    $ define SSL$LIBSSL_SHR32 -

    DISK$I64SYS:[EXTRACTHERE]SSL$LIBSSL_SHR32.EXE

    $ define SSL$LIBCRYPTO_SHR32 -

    DISK$I64SYS:[EXTRACTHERE]SSL$LIBCRYPTO_SHR32.EXE

    $ define SSL$LIBSSL_SHR -

    DISK$I64SYS:[EXTRACTHERE]SSL$LIBSSL_SHR.EXE

    $ define SSL$LIBCRYPTO_SHR -

    DISK$I64SYS:[EXTRACTHERE]SSL$LIBCRYPTO_SHR.EXE

    Here "DISK$I64SYS:[EXTRACTHERE]" is the location of the extracted files. Please change this to match to the appropriate directory where the files are extracted.

  6. De-assign the logicals after application completes the execution (unless the application is executed as a detached process )

    $ deassign SSL$LIBSSL_SHR32

    $ deassign SSL$LIBCRYPTO_SHR32

    $ deassign SSL$LIBSSL_SHR

    $ deassign SSL$LIBCRYPTO_SHR

Limitations:
  1. Using the V1.3 SSL shareable libraries will result in losing the latest security patches/features available in HP VMS SSL V1.4.

  2. This workaround solution will not work where application is also linked against a shareable library which uses different version of SSL. For example we have an application SAMPLEAPP.EXE which is linked with HP VMS SSL V1.3 libraries and also linked with TEST_SHR.EXE shareable library. TEST_SHR.EXE shareable library is internally linked with HP VMS SSL V1.4 on OpenVMS V8.4. If sampleapp.exe is executed by defining the process wide logical as explained above, the application might not work. This is because TEST_SHR.EXE image is linked with HP VMS SSL V1.4 library.

  3. This workaround will not work if the application has installed shareable libraries which use HP VMS SSL 1.3 shareable libraries.


Hardware Platforms Affected: HP OpenVMS, HP OpenVMS I64 Operating Systems
Components Affected: Not Applicable
Operating Systems Affected: HP OpenVMS
Software Affected: Not Applicable
Third Party Products Affected: Not Applicable
Support Communication Cross Reference ID: IA02449766
©Copyright 2016 Hewlett Packard Enterprise Company, L.P.
Hewlett Packard Enterprise Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Company and the names of Hewlett Packard Enterprise Company products referenced herein are trademarks of Hewlett Packard Enterprise Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Provide feedback

Please rate the information on this page to help us improve our content. Thank you!