HPE SSL for OpenVMS V1.4 Release Notes February 2016 Based on OpenSSL 0.9.8zh HPE SSL V1.4 for OpenVMS Alpha and Itanium HP-AXPVMS-SSL-V0104-0503-1.PCSI HP-I64VMS-SSL-V0104-0503-1.PCSI ---------------------------------------------------------- Hewlett Packard Enterprise is pleased to provide you with the latest release of HPE SSL for OpenVMS. HPE SSL (Secure Sockets Layer) is based on the 0.9.8zh release from the Open Group. For more information, see the HPE SSL website at http://h71000.www7.hp.com/openvms/products/ssl/ssl.html and documentation at http://h71000.www7.hp.com/openvms/products/ssl/ssl_doc.html OpenVMS security and security product information can be located at http://h71000.www7.hp.com/openvms/security.html#ssl See http://www.openssl.org for information about OpenSSL. Documentation for this kit, including installation and configuration information, release notes, a programming tutorial and API reference, is included in "hp Open Source Security for OpenVMS Alpha Volume 2: hp SSL for OpenVMS Alpha" in HTML and PDF formats. That document is included on the OpenVMS documentation CD-ROM and on the OpenVMS website at http://www.hp.com/go/openvms/doc/. There are post installation activities that need to be performed. This includes the following items that are described in detail: - ensuring SSL startup and logical name creation files are executed - updating or copying the necessary startup, shutdown and configuration files from the installed template files - running the Installation Verification Program (IVP) SSL has created the following directory structure and files in PCSI$DESTINATION, which defaults to SYS$SYSDEVICE:[VMS$COMMON] [SSL] - Top-level SSL directory [SSL.ALPHA_EXE] - Contains the images for the Alpha platform* [SSL.IA64_EXE] - Contains the images for the Itanium platform* [SSL.COM] - Directory to hold the various command procedures [SSL.DEMOCA] - Directory structure to demo SSL's CA features [SSL.DEMOCA.CERTS] - Directory to hold the certificates and keys [SSL.DEMOCA.CONF] - Contains the configuration files [SSL.DEMOCA.CRL] - Contains revoked certificates and CRLs [SSL.DEMOCA.PRIVATE] - Directory for private keys and random data [SSL.DOC] - OpenSSL.org provided documentation & information [SSL.INCLUDE] - Contains the C Header (.H) files [SSL.TEST] - Contains the files used during the IVP [SYS$STARTUP] - Startup and shutdown templates and files [SYSHLP] - Release notes [SYSHLP.EXAMPLES.SSL] - SSL crypto and secure session examples [SYSLIB] - SSL shareable image files [SYSTEST] - SSL$IVP.COM test files * - Note : Each system will have only one xxx_EXE.DIR, depending on the architecture of the system. SSL Startup and Shutdown ------------------------ Once the installation is complete, add SSL$STARTUP.COM to SYS$MANAGER:SYSTARTUP_VMS.COM file with the following command: $ @SYS$STARTUP:SSL$STARTUP.COM If SSL was installed as part of the installation of OpenVMS, the SSL$STARTUP.COM will already be in the startup command procedure SYS$STARTUP:VMS$LPBEGIN-050_STARTUP.COM. When the system is rebooted, this will automatically define the SSL$ executive mode logical names in the SYSTEM logical name table, and install the SSL shareable images in memory that reside in the [SYSLIB] directory. Also, add SSL$SHUTDOWN.COM to the SYS$MANAGER:SYSHUTDWN.COM file to remove the installed images and deassign the SSL$ logical name definitions. Add one of the following command lines: $ @SYS$STARTUP:SSL$SHUTDOWN.COM Updated SSL Files Requiring Attention ------------------------------------- If you are upgrading from a previous version of HPE SSL, it is suggested that you copy the following SSL template files, renaming each to their respective command procedure (.COM) and configuration (.CNF) file. These files may change with each new version of SSL. A product upgrade or re-installation will not overwrite or create a new file version if the file has been modified. It will only create the template files. If you have customized the SSL command files for the site, compare the following template files with your existing command procedures and take the appropriate action to update your customized files. It is also suggested that the the site-specific SSL command procedures are utilized to tailor the SSL installation to the site. All of these files are discussed in the following section. - The SSL$STARTUP.TEMPLATE file is no longer provided. The startup file SSL$STARTUP.COM is placed into SYS$STARTUP. Any existing SSL$STARTUP.COM in SYS$STARTUP is renamed to SYS$STARTUP:SSL$STARTUP.COM_OLD. - The SSL$SHUTDOWN.TEMPLATE file is no longer provided. The shutdown file SSL$SHUTDOWN.COM is placed into SYS$STARTUP. Any existing SSL$SHUTDOWN.COM in SYS$STARTUP is renamed to SYS$STARTUP:SSL$SHUTDOWN.COM_OLD. - If there are system or site-specific SSL startup or shutdowm command procedure requirements, it is suggested that they are placed in the site-specific SSL files. These site-specific files are invoked by SSL$STARTUP.COM and SSL$SHUTDOWN.COM respectively. You may want to compare and/or copy the new installed template files to the command procedures in SSL$COM: SSL$COM:SSL$SYSTARTUP.COM , SSL$COM:SSL$SYSTARTUP.TEMPLATE SSL$COM:SSL$SYSHUTDOWN.COM , SSL$COM:SSL$SYSHUTDOWN.TEMPLATE - Compare SSL$EXAMPLES:SSL$EXAMPLES_SETUP.TEMPLATE to your existing SSL$EXAMPLES:SSL$EXAMPLES_SETUP.COM file, and rename the template file to SSL$EXAMPLES:SSL$EXAMPLES_SETUP.COM if you want to accept the changes. The new SSL$EXAMPLES_SETUP.TEMPLATE file executes SSL$COM:SSL$UTILS.COM to define SSL DCL commands. - If the SSL or OpenVMS configuration files have been modified for your site, compare (and copy) the new installed template files with the configuration files in the SSL root directory: SSL$ROOT:[000000]OPENSSL.CNF , OPENSSL.CNF_TEMPLATE SSL$ROOT:[000000]OPENSSL-VMS.CNF , OPENSSL-VMS.CNF_TEMPLATE SSL Logicals and Symbols ------------------------ SSL foreign symbols are defined with the SSL command procedures: SSL$STARTUP.COM and SSL$COM:SSL$UTILS.COM Installation Verification Program (IVP) --------------------------------------- Normally the Installation Verification Program (IVP) test is executed when SSL is installed. To run the SSL IVP test manually, type one of the following commands: $ @ SYS$TEST:SSL$IVP.COM The IVP test would not be executed at installation time if, for example, the PCSI qualifier /NOTEST was utilized. Removing SSL ------------ To remove SSL for the system disk or destination directory, type the following command: $ PRODUCT REMOVE SSL Note: some files may remain and will not be removed when the SSL product is removed. These are files that were created by running the IVP test program, such as SSL$IVP.LOG, and as a consequence, the SYSTEST.DIR directory. Other files may include certificates, such as those created by the certificate tool in the SSL$CERTS: directory.