HP TCP/IP Services for OpenVMS
Release Notes



3.14 SNMP problems and restrictions

This section describes restrictions to the SNMP component for this release. For more information about using SNMP, refer to the HP TCP/IP Services for OpenVMS SNMP Programming and Reference manual.

3.14.1 Incomplete restart

When the SNMP master agent and subagents fail or are stopped, TCP/IP Services is often able to restart all processes automatically. However, under certain conditions, subagent processes may not restart. When this happens, the display from the DCL command SHOW SYSTEM does not include TCPIP$OS_MIBS and TCPIP$HR_MIB. If this situation occurs, restart SNMP by entering the following commands:


$ @SYS$STARTUP:TCPIP$SNMP_SHUTDOWN.COM
$ @SYS$STARTUP:TCPIP$SNMP_STARTUP.COM
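
The check-and-restart described above, as an added DCL example (not part of the HP release notes): it looks for the two subagent process names this section lists and runs the shutdown and startup procedures only if one is missing. It assumes the account has WORLD privilege so that F$PID can see processes owned by other users; the symbol names are illustrative.

```dcl
$! Added example: restart SNMP only when a subagent process is missing.
$! Assumes WORLD privilege; without it F$PID cannot see the subagents.
$ names = "TCPIP$OS_MIBS,TCPIP$HR_MIB"   ! process names from section 3.14.1
$ missing = 0
$ i = 0
$CHECK_NEXT:
$ name = F$ELEMENT(i, ",", names)
$ IF name .EQS. "," THEN GOTO CHECK_DONE  ! F$ELEMENT returns the delimiter past the end
$ ctx = ""
$ junk = F$CONTEXT("PROCESS", ctx, "PRCNAM", name, "EQL")
$ pid = F$PID(ctx)                        ! "" when no process has this name
$ IF pid .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "Subagent " + name + " is not running"
$   missing = missing + 1
$ ENDIF
$! Release the search context if F$PID did not already exhaust it.
$ IF F$TYPE(ctx) .EQS. "PROCESS_CONTEXT" THEN junk = F$CONTEXT("PROCESS", ctx, "CANCEL")
$ i = i + 1
$ GOTO CHECK_NEXT
$CHECK_DONE:
$ IF missing .GT. 0
$ THEN
$   @SYS$STARTUP:TCPIP$SNMP_SHUTDOWN.COM
$   @SYS$STARTUP:TCPIP$SNMP_STARTUP.COM
$ ELSE
$   WRITE SYS$OUTPUT "Both SNMP subagents are running; no restart needed"
$ ENDIF
$ EXIT
```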

3.14.2 SNMP IVP error

On slow systems, the SNMP Installation Verification Procedure can fail because a subagent does not respond to the test query. The error messages look like this:


   .
   .
   .
Shutting down the SNMP service... done. 
 
 
Creating temporary read/write community SNMPIVP_153. 
 
Enabling SET operations. 
 
Starting the SNMP service... done. 
 
SNMPIVP: unexpected text in response to SNMP request: 
"- no such name - returned for variable 1" 
See file SYS$SYSDEVICE:[TCPIP$SNMP]TCPIP$SNMP_REQUEST.DAT for more 
details. 
sysContact could not be retrieved.  Status = 0 
The SNMP IVP has NOT completed successfully. 
SNMP IVP request completed. 
Press Return to continue ... 

You can ignore these types of messages in the IVP.

3.14.3 Using existing MIB subagent modules

If an existing subagent does not execute properly, you may need to relink it against the current version of TCP/IP Services to produce a working image. Some subagents (such as those for HP Insight Management Agents for OpenVMS) also require a minimum version of OpenVMS and a minimum version of TCP/IP Services.

The following restrictions apply:

3.14.4 Upgrading SNMP

After upgrading to the current version of TCP/IP Services, you must disable and then enable SNMP using the TCPIP$CONFIG.COM command procedure. When prompted for "this node" or "all nodes," select the option that reflects the previous configuration.

3.14.5 Communication controller data not completely updated

When you upgrade TCP/IP Services and then modify an existing communication controller, programs that use the communication controller might not have access to the updated information.

To ensure that programs like the MIB browser (SNMP_REQUEST) have access to the new data about the communication controller, do the following:

  1. Delete the communication controller using the TCP/IP management command DELETE COMMUNICATION_CONTROLLER.
  2. Reset the communication controller by running the TCPIP$CONFIG.COM command procedure and exiting.
  3. Restart the program (such as SNMP) by entering the following commands:


    $ @SYS$STARTUP:TCPIP$SNMP_SHUTDOWN.COM
    $ @SYS$STARTUP:TCPIP$SNMP_STARTUP.COM
    

  4. Use the TCP/IP management command LIST COMMUNICATION_CONTROLLER to display the information.

3.14.6 SNMP MIB browser usage

If you use either the -l (loop mode) or -t (tree mode) flag, you cannot also specify the -m (maximum repetitions) flag or the -n (nonrepeaters) flag. The latter flags are incompatible with loop mode and tree mode.

Incorrect use of the -n and -m flags results in the following types of messages:


$ snmp_request mynode.co.com public getbulk -v2c -n 20 -m 10 -t 1.3.6.1.2.1 
Warning: -n reset to 0 since -l or -t flag is specified. 
Warning: -m reset to 1 since -l or -t flag is specified. 
1.3.6.1.2.1.1.1.0 = mynode.company.com 

3.14.7 Duplicate subagent identifiers

With this version of TCP/IP Services, two subagents can have the same identifier parameter. Be aware, however, that having two subagents with the same name makes it difficult to determine the cause of problems reported in the log file.

3.14.8 Community name restrictions

The following restrictions on community names are imposed by TCPIP$CONFIG.COM:

3.14.9 eSNMP programming and subagent development

The following notes pertain to eSNMP programming and subagent development.

3.14.10 SNMP installation verification program restriction

The SNMP Installation Verification Program will not run correctly if debug or trace options are turned on for any TCP/IP Services for OpenVMS component.

For example, including the line:


options debug 

in TCPIP$ETC:RESOLV.CONF results in unsuccessful completion status.

The problem also exists if socket tracing is turned on and directed to SYS$OUTPUT with the following command:


$ DEFINE TCPIP$SOCKET_TRACE SYS$OUTPUT 

The additional output produced by these and other debug or trace options can cause problems with the SNMP IVP because it was designed to parse output from a standard configuration only.

Note

To run the SNMP IVP test, either run the program directly:


$ RUN SYS$SYSROOT:[SYSTEST.TCPIP]TCPIP$SNMPIVP.EXE 


or execute the TCPIP configuration menu:


$ @SYS$MANAGER:TCPIP$CONFIG 


and then select option "7 - Run tests" and then option "2 - SNMP IVP".
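
An added pre-flight check for the two settings named in this section (example DCL, not an HP-supplied procedure): it reports a defined TCPIP$SOCKET_TRACE logical name or an options line containing debug in TCPIP$ETC:RESOLV.CONF, and runs the IVP only when neither is found. Treating any definition of the trace logical as a problem, not only SYS$OUTPUT, is an assumption made here; other debug or trace options are not checked.

```dcl
$! Added example: check for the debug/trace settings from section 3.14.10
$! before running the SNMP IVP. Only these two settings are checked.
$ problems = 0
$! 1. Socket tracing. Any translation is flagged (assumption: the page
$!    names SYS$OUTPUT, but extra trace output elsewhere is also suspect).
$ trace = F$TRNLNM("TCPIP$SOCKET_TRACE")
$ IF trace .NES. ""
$ THEN
$   WRITE SYS$OUTPUT "TCPIP$SOCKET_TRACE is defined as " + trace
$   problems = problems + 1
$ ENDIF
$! 2. Resolver debugging: an "options" line that contains "debug".
$ conf = "TCPIP$ETC:RESOLV.CONF"
$ IF F$SEARCH(conf) .EQS. "" THEN GOTO REPORT
$ OPEN/READ/ERROR=REPORT cf 'conf'
$NEXT_LINE:
$ READ/END_OF_FILE=CLOSE_CONF cf line
$ line = F$EDIT(line, "COMPRESS,TRIM,LOWERCASE")
$ IF F$EXTRACT(0, 7, line) .NES. "options" THEN GOTO NEXT_LINE
$ IF F$LOCATE("debug", line) .EQ. F$LENGTH(line) THEN GOTO NEXT_LINE
$ WRITE SYS$OUTPUT conf + " contains: " + line
$ problems = problems + 1
$ GOTO NEXT_LINE
$CLOSE_CONF:
$ CLOSE cf
$REPORT:
$ IF problems .NE. 0 THEN WRITE SYS$OUTPUT "Turn off the settings listed above, then rerun the SNMP IVP"
$ IF problems .EQ. 0 THEN RUN SYS$SYSROOT:[SYSTEST.TCPIP]TCPIP$SNMPIVP.EXE
$ EXIT
```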

3.15 SSH problems and restrictions

This section contains the following information:

Note

References to SSH, SCP, or SFTP commands also imply SSH2, SCP2, and SFTP2, respectively.

3.15.1 SSH-Related security advisories

Computer Emergency Readiness Team (CERT®) advisories are issued by the CERT Coordination Center (CERT/CC), a center of Internet security expertise located at the Software Engineering Institute, a federally-funded research and development center operated by Carnegie Mellon University. CERT advisories are a core component of the Technical Cyber Security Alerts document featured by the United States Computer Emergency Readiness Team (US-CERT), which provides timely information about current security issues, vulnerabilities, and exploits.

CERT and HP Software Security Response Team (SSRT) security advisories might be prompted by SSH activity. CERT advisories are documented at the following CERT/CC web site:


http://www.cert.org/advisories

Table 3-1 provides brief interpretations of several SSH-related advisories:

Table 3-1 CERT/SSRT Network Security Advisories

Advisory          Impact on OpenVMS
CERT CA-2003-24   OpenSSH only; OpenVMS is not vulnerable.
CERT CA-2002-36   A worst case consequence of this vulnerability is a denial of service (DoS) for a single connection of one of the following types:
                    • Server process handling a connection from a malicious client
                    • Client process connecting to a malicious server
                  In either case, a malicious remote host cannot gain access to the OpenVMS host (for example, to execute arbitrary code), and the OpenVMS server is still able to receive a new connection.
CERT-2001-35      OpenVMS is not vulnerable. Affects SSH Version 1 only, which is not supported.
CERT CA-1999-15   RSAREF2 library is not used; OpenVMS is not vulnerable.
SSRT3629A/B       OpenVMS is not vulnerable.

3.15.2 SSH general notes and restrictions

This section includes general notes and restrictions that are not specific to a particular SSH application.

3.15.3 UNIX features that are not supported by SSH

This section describes features that are expected in a UNIX environment but are not supported by SSH for OpenVMS.

3.15.4 SSH command syntax

This section includes notes and restrictions pertaining to command syntax.

3.15.5 SSH authentication

This section includes notes and restrictions pertaining to SSH authentication.

3.15.6 SSH keys

This section includes notes and restrictions pertaining to SSH keys.

