Professional Documents
Culture Documents
Release Notes For Application Enablement Services (AES) Release 4.2 Service Pack 4 PDF
Release Notes For Application Enablement Services (AES) Release 4.2 Service Pack 4 PDF
Release Notes For Application Enablement Services (AES) Release 4.2 Service Pack 4 PDF
PSN # PSN002964u
Original publication date: 09-Aug-10. This is Issue #2, published date: 18- Severity/risk level Medium Urgency When convenient
Oct-10.
Name of problem Release Notes for Application Enablement Services (AES) Release: 4.2 Service Pack 4
Products affected
Application Enablement Services (AES): Release: 4.2.4
Problem description
Application Enablement Services Release 4.2.4 – Software Only Server, Bundled Server, and Client
Release Notes
This document introduces the Generally Available release of the Application Enablement (AE) Services Release 4.2.4 and provides
important notes and describes known issues. The Avaya MultiVantage® Application Enablement Services Overview has a complete
list of 4.X features.
Release History
Date Build Change(s)
03/2007 47-3 General Availability R4.0
06/2007 50-1 General Availability R4.0.1
12/2007 31-2 General Availability R4.1
04/2008 4.1.16 General Availability R4.1.1 JTAPI Client/SDK
05/2008 19-4 General Availability R4.2
08/2008 20-5 Service Pack R4.2.1
06/2009 31 Service Pack R4.2.2
09/2009 33 Service Pack R4.2.3
08/2010 35 Service Pack R4.2.4
• DLG Links
DLG links may be OFFLINE after recovery from an abnormal shutdown.
The LCS/OCS AE Services integration uses Mutual TLS (MTLS) to authenticate server to server SIP communication. On an
MTLS connection, the server originating a message and the server receiving it exchange certificates from a mutually trusted CA
to prove the identity of each server to the other.
The server certificate used for MTLS on both servers must either not specify an Extended Key Usage (EKU) or specify an EKU
for Server and Client Auth. When the EKU is not specified the certificate is not restricted to a particular usage. However, when
the Key Usage field is specified and the EKU is specified as Server and Client Auth, the certificate can only be used by the server
for mutual server and client based authentication purposes. If an EKU with only Server Auth is specified, in this scenario, the
connecting server certificate will fail authentication and the MTLS connection will not be established.
The Standalone CA, which may also be used (but is not Microsoft recommended), does not provide configurable templates
including some additional features and must adhere to the same certificate generation rules in regards to the EKU field.
Note that this statement doesn't preclude administrators from using non-Microsoft CAs (e.g. VeriSign).
Note: If the OAM page cannot be accessed, check status of httpd / tomcat5 processes via “/sbin/service httpd status” and
“/sbin/service tomcat5 status”, and start if not running.
• Sametime Upgrade from 8.0 to 8.0.2 Loses the Telephony Service Provider Policy Setting
When Sametime is upgraded from 8.0.0 to 8.0.2, the telephony service provider is not enabled as a default. Re-enable the
Telephony Service Provider field in the Sametime Policy. The IBM SPR is SLEE7NKJRJ.
• Sametime Connect 8.0.2 – Calls Cannot be Made to the Client When “Display Incoming Invitation” is
Unchecked
When a Sametime client unchecks "Preferences > Notifications > Telephony notifications > Display incoming invitation" in
Sametime Connect 8.0.2, Sametime calls cannot be made to that particular client. IBM has provided Hotfix # DAMD-7NJKJA.
• SIP Issues
o When using 3rd party call control to make a call on a SIP endpoint to a VDN that has a vector step to collect digits after
an announcement, the announcement will not be played and the digits entered will not be forwarded.
o When using 3rd party call control to make a direct agent call to a busy agent on a SIP endpoint the call drops. The
workaround is to place the call manually.
o When using 3rd party call control to make a call using a TAC, the call will fail on a SIP phone if the Communication
Manager does not have a TN2602AP board.
o When using 3rd party call control to answer and place a call on hold on a SIP endpoint any attempt to make another call
from that SIP endpoint will fail.
o If Communication Manager does not have a TN2602AP board, the media encryption on the SIP endpoint should be
disabled. The SIP endpoint transport type must be set to TCP or UDP. If transport type is set to TLS, the 3rd party call
control application may fail during transfer and conference.
o The Single Step Transfer service does not work reliably for SIP stations.
o DTMF Tones are not supported on SIP endpoints.
o User classified call does not generate an ALERTING event over domain control association.
o Going off-hook on a SIP station followed by on-hook does not generate an INITIATED event.
o Using Third party Call control when a call is made from a SIP station, the INITIATED event is slightly delayed as
compared to other station types. Subsequent events are not delayed.
o ACD calls that are delivered to SIP endpoints are generating Alerting Event reports that do NOT contain the split/skill
extension from the associated call.
Locate the Enterprise Web Licensing WebLM Patch. The name of the file is ImportCertToWebLM.zip in the patch directory on
the Bundled ISO and in the root directory of the SW-Only ISO.
1. Download importCertToWebLm.zip files to your EWL server.
2. Unzip the file
3. Follow the directions in the README to install
© 2010 Avaya Inc. All Rights Reserved. Page 5
• WebLM Session May Hang
Performing one of the following actions on WebLM may hang the session.
1. Repeatedly uninstall and install licenses
2. Repeatedly refreshing license page
The current session should be closed and a new session opened.
• DMCC:
• The TelephonyService session timeout has been changed from 24 hours to 30 minutes. When a user initially creates a
TelephonyService session (either explicitly by the user invoking attach() or implicitly by invoking a TelephonyService
request), a user session is created within AE Services. Once created, the session continues to exist until it is explicitly closed
(by the user invoking release()) or the session times out. This change reduces the session timeout from 24 hours to 30
minutes. By reducing the session timeout to 30 minutes, AE Services system resources are released in a timely manner, and
are made available for other users. If the users use multiple Telephony Service sessions in their applications (or multiple
Telephony Service applications), they should see increased performance and response times.
• DMCC licenses for deprecated RegisterDevice API call are supported in R4.2.4. Between R4.2.0 and R5.2.0, only the
RegisterTerminalRequest XML message (equivalent to the Java API method "registerTerminal()") was capable of using
either DMCC licenses from WebLM or IP_API_A licenses from Communication Manager. The older (deprecated)
RegisterDevice XML message (equivalent to the Java API method "registerDevice()") always acquired an IP_API_A license.
However, with AES R4.2.4, R5.2.1 and later releases, both types of registration requests will attempt to acquire a DMCC
license from WebLM, as the preferred license. If the DMCC license acquisition fails, then an attempt to acquire an IP_API_A
license from Communication Manager will be made. The effect on the user is that applications using the older (deprecated)
RegisterDevice XML (or Java registerDevice() method) can now make use of the DMCC licenses on WebLM.
Reference Product Support Notification: PSN002851U.
• If Communication Manager is slow to respond to an AE Services request to register a device, it is possible for the AE
Services request to time-out, before the request is completed. In such a case, the application can't be sure if the registration
succeeded or failed and is likely to assume that it failed. However, in some cases, the registration may have actually
succeeded, while the request timed-out. The change for this issue was to ensure that, if the registration request times out,
then the device registration will fail. The effect on the user is that applications that receive a time-out indication for the
RegisterTerminalRequest or RegisterDevice XML messages (or Java equivalents) can be sure that the device registration
failed and can thus act accordingly.
• The backoff algorithm used to thwart a TLS denial of service attack by a client application with an invalid certificate. It is
now executed on a separate thread. This ensures that a client application with a valid certificate achieves a successful TLS
connection to the AE Server SIP stack, in a timely manner.
• An internal Java Hashmap declaration was replaced with a thread safe version. This prevents a race condition where
concurrent RegisterTerminal requests were not handled in sequential order resulting in registrations failing at a high rate.
• JTAPI Client/SDK:
• In previous releases, it was found that JTAPI had issues operating with the certificate encoding algorithm used in IBM
Websphere 7.0. This has been fixed.
• Making a call using Unified Communications Center (UCC) caused a phantom call appearance on the JTAPI application.
This issue has been resolved.
• OA&M
The OA&M Security Data Base (SDB) feature was not able to import an exported SDB file. The imported file used the incorrect
file format. The format of the file needed to be converted by the SDB import process from UNIX to DOS. This issue has been
resolved.
• Security:
The following Red Hat Linux security issues have been incorporated into Release 4.2.4:
• [RHSA-2010:0141-01] Moderate: tar security update
• [RHSA-2009:1077-01] Important: kernel security and bug fix update
• [RHSA-2009:0981-01] Low: util-linux security and bug fix update
• [RHSA-2010:0163-01] Moderate: openssl security update
• [RHSA-2009:1463-01] Moderate: newt security update
• [RHSA-2009:0409-01] Important: krb5 security update
• [RHSA-2009:0341-01] Moderate: curl security update
• [RHSA-2009:0331-01] Important: kernel security and bug fix update
• [RHSA-2009:0046-01] Moderate: ntp security update
• [RHSA-2009:1541-1] Important: kernel security update
• [RHSA-2009:1206-01] Moderate: libxml and libxml2 security update
• [RHSA-2010:0020-01] Important: kernel security update
• [RHSA-2009:1471-01] Important: elinks security update
• [RHSA-2009:1580-02] Moderate: httpd security update
• [RHSA-2009:0459-01] Important: kernel security and bug fix update
• [RHSA-2009:1040-02] Critical: ntp security update
• [RHSA-2010:0273-05] Moderate: curl security, bug fix and enhancement update
• [RHSA-2009:1107-01] Moderate: apr-util security update
• [RHSA-2009:1204-01] Moderate: apr and apr-util security update
• Server
• During the AES ISO upgrade process, the installer will automatically backup the server data before the upgrade starts and
restore the server data once the upgrade completes. In previous releases, the backup was optional.
• For the time period between 00:00:00 and 00:20:00, the CPU occupancy monitoring script was unable to properly calculate
the CPU occupancy since the sar command was unable to obtain enough CPU based occupancy samples. During this period
of time, a smaller sample will be used to resolve the issue.
• On the AE Services Bundled Server, the root account authentication token was configured to expire after 60 days. This token
has been configured to never expire.
• The database called “postgres” was not being vacuumed and reached its transaction id wrap-around high-water mark which
caused the PostgreSQL database service to shutdown. The database vacuum cron script was modified to account for the
“postgres” database.
• Anonymous binding to the local AE Services LDAP server has been disabled.
• SNMP
• When attempting multiple simultaneous SNMP requests to an AE Server, the subagent eventually exits. Multiple Network
Management System (NMS) requests were causing the SNMP AgentX process to timeout waiting for a response. The default
timeouts were modified to account for multiple NMS requests.
• After upgrading to 4.2.2, the alarm “Upgrade not committed after 30 days” continued to be generated either after a server
reboot or after the upgrade was made permanent. The upgrade script was modified to properly account for both scenarios.
• Prior to AE Services 4.2.4, if a TSAPI application passed a device ID with more than 64 characters to a TSAPI function, the
TSAPI client library could cause the application to crash.
• Prior to AE Services 4.2.4, when using an encrypted Tlink, an intermittent error condition could cause the TSAPI Windows
client library to close a stream with ACS error TSERVER STREAM FAILED.
• The Windows TSAPI Spy application and the CSTATRACE mechanism for the Linux TSAPI client library have been
enhanced to include milliseconds in each time stamp.
• Prior to AE Services 4.2.4, after selecting “Start | Programs | Avaya AE Services | SDKs | TSAPI | Read Me”, the Read
Me file for the Windows TSAPI SDK was not displayed properly.
openssl097a-0.9.7a-9.el5_4.2.i386.rpm.
This RPM may be available with your Red Hat Linux installation media (e.g. the fourth CD in the server directory), and is also
available for download at http://rpm.pbone.net.
• TSAPI Service
• Prior to AE Services 4.2.4, when a call was transferred to a monitored station by an attendant, the connection list in the
CSTA Transferred event for the transfer might not contain all of the parties on the call.
• Prior to AE Services 4.2.4, in some scenarios the TSAPI Service would incorrectly provide device ID type EXPLICIT
PRIVATE LOCAL NUMBER for a device on the public network. For AE Services 4.2.4, the device ID types provided by
the TSAPI Service are more closely aligned with address type and numbering plan information provided by Avaya
Communication Manager’s (CM) Adjunct Switch Application Interface (ASAI).
• Prior to AE Services 4.2.4, in some scenarios the TSAPI Service would report the wrong device ID type in the Device
History associated with a CSTA Connection Cleared event.
• Prior to AE Services 4.2.4, for TSAPI CTI links administered with ASAI link version 5, the TSAPI Service did not always
provide the correct trunk ID in private data.
© 2010 Avaya Inc. All Rights Reserved. Page 8
• Prior to AE Services 4.2.4, when there are multiple AE Servers monitoring the same station device, in some transfer
scenarios the TSAPI Service would not relinquish the ASAI station domain control for the station quickly enough, causing
subsequent call control requests on that device to fail with CSTA error 44 (Outstanding Request Limit Exceeded).
• Prior to AE Services 4.2.4, if a call is transferred multiple times using the TSAPI single-step transfer call service, in some
scenarios the TSAPI Service would provide the wrong calling device in TSAPI events (Note: The TSAPI single-step transfer
call service is used by Microsoft Office Communicator).
• Prior to AE Services 4.2.4, the value of the acdSplit field in the private data accompanying a CSTA Delivered event was not
always consistent with the value reported by Avaya Communication Manager.
• Prior to AE Services 4.2.4, for private data versions 2-5 the TSAPI Service did not supply the correct private data Protocol
Data Unit (PDU) value in the private data accompanying a CSTA Originated event; the TSAPI Service supplied PDU value
ATT_ORIGINATED instead of ATTV5_ORIGINATED.
• Prior to AE Services 4.2.4, the TSAPI System Status Start service did not provide CTI link status events with a System Status
of “Normal” when a TSAPI CTI link recovered.
• Prior to AE Services 4.2.4, if a TSAPI application aborted a stream while there were outstanding TSAPI requests, the TSAPI
Service would log a critical error. For AE Services 4.2.4, a warning message is logged instead. The message has also been
reworded to provide a clearer description of the error condition.
• The TSAPI Service is restarted if the system time is changed by more than five minutes. Prior to AE Services 4.2.4, the
TSAPI Service might create a core file while it was restarting.
• Prior to AE Services 4.2.4, if an error occurred while the TSAPI Service was receiving a message from a TSAPI client, the
TSAPI Service might log the incorrect error number in the error log.
• The TSAPI Service has been enhanced to log many of its parameter settings in the error log during its initialization.
• Within the TSAPI Service, the default value for the TCP Send Retry Timer has been increased from 100 ms to 300 ms.
• The TSAPI parameter shell script (tsapiparam.sh) has been enhanced to allow the following TSAPI parameter values to be
set:
– The TCP Send Wait Time
– The number of TCP Send Retries
– Whether the Persistent AAOs feature is enabled
– The Persistent AAO Audit Interval
– The Persistent AAO Maximum Age
• The TSAPI Service has been enhanced to report client connections and disconnections in the security log.
“On the Firewall Configuration screen, the Security Enhanced Linux (SELinux) features are active by default. You must
disable SELinux or AE Services will not work correctly. Locate the Enable SELinux option and select Disabled.
! CAUTION:
If you fail to disable SELinux before you install the AE Services software, someAE Services will not start and other
problems will occur. To resolve the AE Services problems, you must disable SELinux and then reboot the server. For more
information about SELinux, see Administering SELinux on page 17”
“On the Firewall Configuration screen, the Security Enhanced Linux (SELinux) features are active by default. You must
disable SELinux and the firewall as part of the initial AE Services installation or upgrade process. Locate the Enable
SELinux option and select Disabled. In addition, locate the Enable Firewall option and select Disabled. After the
installation or upgrade is complete, the firewall can be properly configured as specified in step 8.
! CAUTION:
If you fail to disable SELinux and the firewall before you install the AE Services software, someAE Services will not start
and other problems will occur. To resolve the AE Services problems, you must disable SELinux and the firewall and then
reboot the server. For more information about SELinux, see Administering SELinux on page 17 and page 94 for firewall
information.”
This section describes how to use the TransferMonitorObjects request for client high availability: enabling the client application
to request AE Services to move established registrations and monitors to a different client session. The section does not,
however, discuss the use of the TransferProxy service which allows a standby application instance to generate Listener objects for
the purposes of receiving events on these already established monitors. For an example of how to use TransferProxy, please see
SessionManagement App.java in the SDK sample applications.
• Starting or restarting the Presence Service during business hours resulted in the Presence Service competing with the
Conference Service for resources on the AE Services server. It was advised that the administrator start or restart the Presence
Service after business hours only, in order to provide the best response time to the users of the Conference Service.
• The TSAPI switch links used by the AE Services IBM Sametime Integration must have lowercase names in previous
releases. That is, when you administer a switch connection in AE Services (Administration > Switch Connections), the
connection name must use lowercase characters.
currentSeqNum = incomingSeqNum;
1.2 CREATING THE ENCRYPTION KEYS USING THE PSEUDO RANDOM FUNCTION
The pseudo random function PRF_n(key, x) produces a bit string of length “n” from a string “x” which is encrypted using the
encryption key named “key”. The AE Services Symmetric algorithm mode is “ECB” with no padding.
// Generate the symmetric key using the JCE Engine and the readMasterKey from the MediaStart
// event and then use the Avaya XeRx value to calculate the KeRx value
key = new SecretKeySpec(readMasterKey, algorithm);
//Print
dump0x("KeRx", KeRx, 0,KeRx.length);
Once the media receive and transmit encryption keys (KeTx and KeRx) are created, they will be used within the AE
Services algorithm to encrypt and decrypt the RTP stream.
//Print
dump0x("KsRx", KsRx, 0,KsRx.length);
KsBuffer.put(KsRx, 0, KsRx.length-2);
© 2010 Avaya Inc. All Rights Reserved. Page 13
And similarly for KsTx based on the writeMasterKey.
Next, we can continue to calculate the read buffer IV (ivRx):
// Grab the SSRC from the RTP header and populate the ssrcBuffer
ssrcBuffer.position(4);
ssrcBuffer.putInt(ssrc);
// Print
dump0x("ivRx", ivRx, 0,ivRx.length);
dst.position(hLength);
byte[] cipherData = new byte[pLength];
dst.get(cipherData, 0, pLength);
try {
IvParameterSpec ivSpec = new IvParameterSpec(ivRx);
cipher.init(Cipher.DECRYPT_MODE, secKeRx, ivSpec);
plainTextResult = cipher.doFinal(cipherData);
} catch (IllegalStateException e) {
// Attempting to decrypt before the cipher has been initialized.
// Probably a race condition resulting in the 1st packet not being
// decrypted. Ignore for now.
} catch (Exception e) {
e.printStackTrace();
}
return seq;
}
public static void dump0x(String label, byte[] data, int start, int stop) {
byte[] b = data;
StringBuffer sb = new StringBuffer();
int value;
cipherData = {(byte)0xbb,(byte)0xbb,(byte)0xbb,(byte)0xbb };
1.5.2 EXPECTED OUTPUT
Ke-Rx:
Ks-Rx:
IV-Rx:
When you click Import, OAM displays the Server Certificate Import page.
IMPORTANT: After you import a Server Certificate you must restart the Web
Server. For more information, see Service Controller.
IMPORTANT: After you delete a Server Certificate you must restart the Web
Server. For more information, see Service Controller.
When you click Import, OAM displays the Server Certificate Import page.
IMPORTANT: After you import a Server Certificate you must restart the Web
Server and AE Server. For more information, see Service Controller.
Delete Select a certificate, and click Delete to delete a server certificate.
IMPORTANT: After you delete a Server Certificate you must restart the Web
Server and AE Server. For more information, see Service Controller.
"2. Make a note of this IP address. You will need to use it when you edit the /etc/hosts file and the /etc/ppp/options.ttyUSB0 file
on the AE Server."
"2. Make a note of this IP address. You will need to use it when you edit the appropriate files on the AE Server for the specific
modem used."
© 2010 Avaya Inc. All Rights Reserved. Page 17
• Avaya MultiVantage® Application Enablement Services Administration and
Maintenance Guide
• Chapter 1: Administering Communication Manager for AE Services
To enable AE Services Processor Ethernet support on the S85xx, first enable the Processor Ethernet feature on the
System Parameters Customer Options form, then administer the processor interface with the add ip-interface procr
command.
Important: Processor Ethernet support on the S85xx limits the CTI Message rate to 240 messages per second
duplex.
<4.2.1 Release Notes> Step 2 in the current documentation needs to be changed to the following:
Note: *Make sure Processor Ethernet support has been enabled on the S85xx.
- On all other systems, type <nodename> (where <nodename> is the name of the
CLAN board you will use on an S8400, S85xx, S87xx, or DEFINITY Server Csi.
You can locate node names by typing display node-names ip and checking the
Local Node field on the IP NODE NAMES form.
● In the Local Port field, accept the default (8765).
Note: If you are adding more than one CLAN for AE Services, repeat Step 2 for each CLAN you add.
Resolution
n/a
Workaround or alternative remediation
n/a
Important Notes
AE Services 4.2.4 is compatible with the following Communication Manager Releases and Platforms:
– Communication Manager 3.1.x (G3csi, S8300, S8400, S8500, S87xx) – with the following limitation: AE Services
4.2.4 support of Communication Manager 3 .1.x is limited to any issues that can solely be addressed in the AE
Services software. Any issues that would require changes to Communication Manager 3.1.x are not supported, as
Communication Manager has been End of Manufacturers Support since December 31, 2008.
– Communication Manager 4.x (S8300, S8400, S8500, S87xx)
– Communication Manager 5.0 (S8300, S8400, S8500, S87xx)
– Communication Manager 5.1 (S8300, S8400, S85xx, S87xx)
– Communication Manager 5.2 (S8300x, S8400, S85xx, S87xx, S8800)
– Communication Manager 6.0 (S8300D, S8800)
Patch Notes
The information in this section concerns the patch, if any, recommended in the Resolution above.
Backup before applying the patch
n/a
Download
n/a
Patch install instructions Service-interrupting?
n/a Yes
Verification
n/a
Failure
n/a
Patch uninstall instructions
n/a
Security Notes
The information in this section concerns the security risk, if any, represented by the topic of this PSN.
Security risks
n/a
Avaya Security Vulnerability Classification
Not Susceptible
Mitigation
n/a