AIX

 View Only
Expand all | Collapse all

Duration of support for AIX service packs?

  • 1.  Duration of support for AIX service packs?

    Posted Tue January 16, 2024 04:09 AM

    Hi!

    Does anyone know, how long IBM provides support for a certain AIX Service Pack?  I only found the AIX support lifecycle for tecnology levels.

    My actual problem:  We have a system, which is currently on oslevel 7200-05-03-2148.  We can't upgrade it to TL5 SP7, as that would break some software we use there requiring the ancient openssl 0.9.8 - which is no longer available on SP7.

    Luckily it is foreseeable, that we can decommission the server in about a year.  The only question would be, if we would still receive support / security fixes for SP6 (or even SP3) till then.



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------


  • 2.  RE: Duration of support for AIX service packs?

    Posted Wed January 17, 2024 03:06 AM

    $ for a in $(lslpp -f openssl.base | grep '\.a$'); do echo "=== $a"; ar -vt $a; done
    === /usr/lib/libcrypto_compat.a
    rwxr-xr-x     0/0     2186744 May 15 00:49 2018 libcrypto.so
    rwxr-xr-x     0/0     2186744 May 15 00:49 2018 libcrypto.so.0.9.8
    === /usr/lib/libssl.a
    rwxr-xr-x     0/0     728648 Feb 16 17:57 2023 libssl.so
    rwxr-xr-x     0/0     510766 Feb 16 17:57 2023 libssl.so.0.9.8
    rwxr-xr-x     0/0     728648 Feb 16 17:57 2023 libssl.so.1.0.0
    rwxr-xr-x     0/0     728648 Feb 16 17:57 2023 libssl.so.1.0.2
    === /usr/lib/libssl_compat.a
    rwxr-xr-x     0/0     510766 May 15 01:09 2018 libssl.so
    rwxr-xr-x     0/0     510766 May 15 01:09 2018 libssl.so.0.9.8
    === /usr/lib/libcrypto.a
    rwxr-xr-x     0/0     3069375 Feb 16 17:57 2023 libcrypto.so
    rwxr-xr-x     0/0     2186744 Feb 16 17:57 2023 libcrypto.so.0.9.8
    rwxr-xr-x     0/0     3069375 Feb 16 17:57 2023 libcrypto.so.1.0.0
    rwxr-xr-x     0/0     3069375 Feb 16 17:57 2023 libcrypto.so.1.0.2

    Quick and dirty solution proposal (it might work or not, I have not tested it):

    • extract *.so.0.8.9 files from existing library files
    • put them into one nre library file (with a name that would not conflict iwth any file existing in /usr/lib in 7.2.5.7)
    • create new installation package containing just one fileset that contains just this file (make sure fileset name does not conflict with any fileset in 7.2.5.7)
    • upgrade to 7.2.5.7
    • install the fileset you created earlier
    • test your application (first with ldd, then running it)


    ------------------------------
    Lech Szychowski
    ------------------------------



  • 3.  RE: Duration of support for AIX service packs?

    Posted Wed January 17, 2024 03:27 AM

    Hi,

    Fixes and ifixes will be generated for TLs that have not reached "End of Fix Support" (aka "End of Service Pack SUpport EoSPS"). Therefor an ifix can be created for any SP within the TL. You may need, however, order an ifix for each Security or other issue individually what will take some time. 

    Regards,

    Bertram 



    ------------------------------
    Bertram Begau
    ------------------------------



  • 4.  RE: Duration of support for AIX service packs?

    IBM Champion
    Posted Wed January 17, 2024 04:55 AM

    As Bertram wrote, you must order fixes through IBM support for earlier SPs.

    Optimizing Lech's solution, you can copy libssl.a and libcrypto*.a to the directory with your application and write a small wrapper script like:

    export LIBPATH=/path/to/my/old/openssl

    start_app

    By setting LIBPATH variable you redefine where the application will search for libraries. Just don't do it globally in /etc/environment, but only for the application start.

    https://www.ibm.com/support/pages/libpath-environment-variables-aix-platforms



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 5.  RE: Duration of support for AIX service packs?

    Posted Wed January 17, 2024 06:06 AM

    Beware of possible side effects.

    Archives libssl.a and libcrypto*.a contain more than *0.8.9.so files. Suppose we do what you proposed and later we install an efix for OpenSSL. It could change files in /usr/lib/, but of course will not change copies of these files in /path/to/my/old/openssl. So if dynamic linker loading the application (or any other binary this application wants to spawn/exec) wants to load some other OpenSSL library it will pick up the unpatched copy in /path/to/my/old/openssl, not the patched copy in /usr/lib (as contents of LIBPATH takes precedence over the standard library search path).



    ------------------------------
    Lech Szychowski
    ------------------------------



  • 6.  RE: Duration of support for AIX service packs?

    IBM Champion
    Posted Wed January 17, 2024 06:31 AM

    This is exactly the reason why you shouldn't define LIBPATH globally or in a user's profile. Only for the application you need.

    P.S. You can't expect seriously an efix for OpenSSL 0.9.8 which is out of date since many years. 



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 7.  RE: Duration of support for AIX service packs?

    Posted Wed January 17, 2024 06:54 AM

    > P.S. You can't expect seriously an efix for OpenSSL 0.9.8 which is out of date since many years.

    I am talkig about efixes not for 0.8.9, but for newer versions (that happen to be inside the *.a files copied to /path/to/my/old).

    > This is exactly the reason why you shouldn't define LIBPATH globally or in a user's profile. Only for the application you need.

    Exported LIBPATH will be used also by any processess spawned/executed by your apllication. Some of these might be using OpenSSL libraries newer than 0.8.9 - and these ones will use not the patched copies in /usr/lib, but the unpatched copies in /path/to/my/old.



    ------------------------------
    Lech Szychowski
    ------------------------------



  • 8.  RE: Duration of support for AIX service packs?

    IBM Champion
    Posted Wed January 17, 2024 07:18 AM

    > I am talkig about efixes not for 0.8.9, but for newer versions (that happen to be inside the *.a files copied to /path/to/my/old).

    If you copied files outisde of the standard path, how would AIX (installp/emgr) find it there? They will not be touched by emgr and you can freely install newer OpenSSL versions. The older libraries will not be affected by any update or efix anyway.

    > Exported LIBPATH will be used also by any processess spawned/executed by your apllication.

    Yes, it is so. The new forked process inherits the environment of the parent process unless something else is specified. 



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 9.  RE: Duration of support for AIX service packs?

    Posted Wed January 17, 2024 07:45 AM

    Let me make myself as clear as possible.

    Suppose we have a /usr/lib/libssl.a file that contains these libraries: libssl.so, libssl.so.0.9.8, libssl.so.1.0.0 and libssl.so.1.0.2. You copy this file to  /path/to/my/old, set exported LIBPATH to  /path/to/my/old and start your application in this environment.

    Then some time later you install an efix for OpenSSL 1.0.2. This efix replaces libssl.so.1.0.2 in /usr/lib/libssl.a and of course leaves /path/to/my/old/libssl.a intact. Your application does not care because it uses version 0.8.9.

    And then your application that has exported LIBPATH=/path/to/my/old in its env spawns a short lived process that needs OpenSSL 1.0.2. This spawned process will use libssl.so.1.0.2 coming from /path/to/my/old/libssl.a, ie the one that was not modified by the efix, right?

    Preserving just libssl.so.0.9.8 lets us avoid this problem.



    ------------------------------
    Lech Szychowski
    ------------------------------



  • 10.  RE: Duration of support for AIX service packs?

    IBM Champion
    Posted Thu January 18, 2024 05:37 AM
    Edited by José Pina Coelho Thu January 18, 2024 05:46 AM

    Likely no support.  To avoid the issue with copied libraries+libpath (inherited by children), you may want to do the following:

    - Check the used libraries (ldd /app/appbinary) - the ones before '/unix'
    - Copy the libraries that are about to be changed to /app/patch/libname...
    - Extract the 32&64 bit members that are about to disapear (e.g. libcrypto.so.0.9.8 from libcrypto.a)
    - Install the updated versions
    - Copy the updated versions to /app/patch
    - Add the 32&64 bit members that were removed (e.g. libcrypto.so.0.9.8 from libcrypto.a)  N.B. there will be no support at all for this library, or anything linked with it, but the rest of the system will be supported
    - relink /app/appbinary with the back-patched library.  This will store the path to the library in the binary header.
    - Call the patched binary (No LIBPATH needed)

    Example:  Relink sshd with libcrypto.a on a different path:

    # ldd sshd
    sshd needs:
             /usr/lib/libc.a(shr.o)
             /usr/lib/libcrypto.a(libcrypto.so.1.1)  <=== sshd searches for the corresponding member, your app will be looking for libcrypt.so.0.9.8
             /usr/lib/libdl.a(shr.o)
             /usr/lib/libpam.a(shr.o)
             /unix      <=== This is where you stop looking for libraries.
             /usr/lib/libcrypt.a(shr.o)
             /usr/lib/libpthreads.a(shr_xpg5.o)
             /usr/lib/librtl.a(shr.o)
             /usr/lib/libmls.a(shr.o)
             /usr/lib/libpthreads.a(shr_comm.o)
             /usr/lib/libmlsenc.a(shr.o)
             /usr/lib/libodm.a(shr.o)

    Relink:
    # ld -o patched.sshd -L $PWD -l crypto -l dl -l pam -l c sshd
    (get a bunch of warnings about duplicate symbols and "ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.")

    Check the relinked binary:
    # ldd patched.sshd
    patched.sshd needs:
             /usr/lib/libc.a(shr.o)
             /home/myuser/relink/libcrypto.a(libcrypto.so.1.1) <=== your application will be linked with the libcrypto.so.0.9.8, note that the library path was store in the binary header, making LIBPATH unnecessary.
             /usr/lib/libdl.a(shr.o)
             /usr/lib/libpam.a(shr.o)
             /unix
             /usr/lib/libcrypt.a(shr.o)
             /usr/lib/libpthreads.a(shr_xpg5.o)
             /usr/lib/librtl.a(shr.o)
             /usr/lib/libmls.a(shr.o)
             /usr/lib/libpthreads.a(shr_comm.o)
             /usr/lib/libmlsenc.a(shr.o)
             /usr/lib/libodm.a(shr.o)


    I wasn't clear enough: it isn't the path of the specific library that is stashed, it's the location+/usr/lib that is set in the header.  (Works exactly the same as LIBPATH, but doesn't persist in the environment)


    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------