1 | NOTES FOR THE HPE NONSTOP PLATFORM
|
---|
2 | ==============================
|
---|
3 |
|
---|
4 | Requirement details
|
---|
5 | -------------------
|
---|
6 |
|
---|
7 | In addition to the requirements and instructions listed
|
---|
8 | in [INSTALL.md](INSTALL.md), the following are required as well:
|
---|
9 |
|
---|
10 | * The TNS/X platform supports hardware randomization.
|
---|
11 | Specify the `--with-rand-seed=rdcpu` option to the `./Configure` script.
|
---|
12 | This is recommended but not required. `egd` is supported at 3.0 but cannot
|
---|
13 | be used if FIPS is selected.
|
---|
14 | * The TNS/E platform does not support hardware randomization, so
|
---|
15 | specify the `--with-rand-seed=egd` option to the `./Configure` script.
|
---|
16 |
|
---|
17 | About c99 compiler
|
---|
18 | ------------------
|
---|
19 |
|
---|
20 | The c99 compiler is required for building OpenSSL from source. While c11
|
---|
21 | may work, it has not been broadly tested. c99 is the only compiler
|
---|
22 | prerequisite needed to build OpenSSL 3.0 on this platform. You should also
|
---|
23 | have the FLOSS package installed on your system. The ITUGLIB FLOSS package
|
---|
24 | is the only FLOSS variant that has been broadly tested.
|
---|
25 |
|
---|
26 | Threading Models
|
---|
27 | ----------------
|
---|
28 |
|
---|
29 | OpenSSL can be built using unthreaded, POSIX User Threads (PUT), or Standard
|
---|
30 | POSIX Threads (SPT). Select the following build configuration for each on
|
---|
31 | the TNS/X (L-Series) platform:
|
---|
32 |
|
---|
33 | * `nonstop-nsx` or default will select an unthreaded build.
|
---|
34 | * `nonstop-nsx_put` selects the PUT build.
|
---|
35 | * `nonstop-nsx_64_put` selects the 64 bit file length PUT build.
|
---|
36 | * `nonstop-nsx_spt_floss` selects the SPT build with FLOSS. FLOSS is
|
---|
37 | required for SPT builds because of a known hang when using SPT on its own.
|
---|
38 |
|
---|
39 | ### TNS/E Considerations
|
---|
40 |
|
---|
41 | The TNS/E platform is build using the same set of builds specifying `nse`
|
---|
42 | instead of `nsx` in the set above.
|
---|
43 |
|
---|
44 | You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
|
---|
45 | option to `./Configure`.
|
---|
46 |
|
---|
47 | Linking and Loading Considerations
|
---|
48 | ----------------------------------
|
---|
49 |
|
---|
50 | Because of how the NonStop Common Runtime Environment (CRE) works, there are
|
---|
51 | restrictions on how programs can link and load with OpenSSL libraries.
|
---|
52 | On current NonStop platforms, programs cannot both statically link OpenSSL
|
---|
53 | libraries and dynamically load OpenSSL shared libraries concurrently. If this
|
---|
54 | is done, there is a high probability of encountering a SIGSEGV condition
|
---|
55 | relating to `atexit()` processing when a shared library is unloaded and when
|
---|
56 | the program terminates. This limitation applies to all OpenSSL shared library
|
---|
57 | components.
|
---|
58 |
|
---|
59 | A resolution to this situation is under investigation.
|
---|
60 |
|
---|
61 | About Prefix and OpenSSLDir
|
---|
62 | ---------------------------
|
---|
63 |
|
---|
64 | Because there are many potential builds that must co-exist on any given
|
---|
65 | NonStop node, managing the location of your build distribution is crucial.
|
---|
66 | Keep each destination separate and distinct. Mixing any mode described in
|
---|
67 | this document can cause application instability. The recommended approach
|
---|
68 | is to specify the OpenSSL version and threading model in your configuration
|
---|
69 | options, and keeping your memory and float options consistent, for example:
|
---|
70 |
|
---|
71 | * For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl`
|
---|
72 | * For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl`
|
---|
73 |
|
---|
74 | As of 3.0, the NonStop configurations use the multilib attribute to distinguish
|
---|
75 | between different models:
|
---|
76 |
|
---|
77 | * For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl`
|
---|
78 |
|
---|
79 | The PUT model is placed in `${prefix}/lib-put` for 32-bit models and
|
---|
80 | `${prefix}/lib64-put` for 64-bit models.
|
---|
81 |
|
---|
82 | Use the `_RLD_LIB_PATH` environment variable in OSS to select the appropriate
|
---|
83 | directory containing `libcrypto.so` and `libssl.so`. In GUARDIAN, use the
|
---|
84 | `=_RLD_LIB_PATH` search define to locate the GUARDIAN subvolume where OpenSSL
|
---|
85 | is installed.
|
---|
86 |
|
---|
87 | Float Considerations
|
---|
88 | --------------------
|
---|
89 |
|
---|
90 | OpenSSL is built using IEEE Float mode by default. If you need a different
|
---|
91 | IEEE mode, create a new configuration specifying `tfloat-x86-64` (for Tandem
|
---|
92 | Float) or `nfloat-x86-64` (for Neutral Float).
|
---|
93 |
|
---|
94 | Memory Models
|
---|
95 | -------------
|
---|
96 |
|
---|
97 | The current OpenSSL default memory model uses the default platform address
|
---|
98 | model. If you need a different address model, you must specify the appropriate
|
---|
99 | c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`).
|
---|
100 |
|
---|
101 | Cross Compiling on Windows
|
---|
102 | --------------------------
|
---|
103 |
|
---|
104 | To configure and compile OpenSSL, you will need to set up a Cygwin environment.
|
---|
105 | The Cygwin tools should include bash, make, and any other normal tools required
|
---|
106 | for building programs.
|
---|
107 |
|
---|
108 | Your `PATH` must include the bin directory for the c99 cross-compiler, as in:
|
---|
109 |
|
---|
110 | export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH
|
---|
111 |
|
---|
112 | This should be set before Configure is run. For the c99 cross-compiler to work
|
---|
113 | correctly, you also need the `COMP_ROOT` set, as in:
|
---|
114 |
|
---|
115 | export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05"
|
---|
116 |
|
---|
117 | `COMP_ROOT` needs to be in Windows form.
|
---|
118 |
|
---|
119 | `Configure` must specify the `no-makedepend` option otherwise errors will
|
---|
120 | result when running the build because the c99 cross-compiler does not support
|
---|
121 | the `gcc -MT` option. An example of a `Configure` command to be run from the
|
---|
122 | OpenSSL directory is:
|
---|
123 |
|
---|
124 | ./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu
|
---|
125 |
|
---|
126 | Do not forget to include any OpenSSL cross-compiling prefix and certificate
|
---|
127 | options when creating your libraries.
|
---|
128 |
|
---|
129 | The OpenSSL test suite will not run on your workstation. In order to verify the
|
---|
130 | build, you will need to perform the build and test steps in OSS in your NonStop
|
---|
131 | server. You can also build under gcc and run the test suite for Windows but that
|
---|
132 | is not equivalent.
|
---|
133 |
|
---|
134 | **Note:** In the event that you are attempting a FIPS-compliant cross-compile,
|
---|
135 | be aware that signatures may not match between builds done under OSS and under
|
---|
136 | cross-compiles as the compilers do not necessarily generate identical objects.
|
---|
137 | Anything and everything to do with FIPS is outside the scope of this document.
|
---|
138 | Refer to the FIPS security policy for more information.
|
---|
139 |
|
---|
140 | The following build configurations have been successfully attempted at one
|
---|
141 | point or another. If you are successful in your cross-compile efforts, please
|
---|
142 | update this list:
|
---|
143 |
|
---|
144 | - nonstop-nsx_64
|
---|
145 | - nonstop-nsx_64_put
|
---|
146 |
|
---|
147 | **Note:** Cross-compile builds for TNS/E have not been attempted, but should
|
---|
148 | follow the same considerations as for TNS/X above. SPT builds generally require
|
---|
149 | FLOSS, which is not available for workstation builds. As a result, SPT builds
|
---|
150 | of OpenSSL cannot be cross-compiled.
|
---|
151 |
|
---|
152 | Also see the NSDEE discussion below for more historical information.
|
---|
153 |
|
---|
154 | Cross Compiling with NSDEE
|
---|
155 | --------------------------
|
---|
156 |
|
---|
157 | **Note:** None of these builds have been tested by the platform maintainer and
|
---|
158 | are supplied for historical value. Please submit a Pull Request to OpenSSL
|
---|
159 | should these need to be adjusted.
|
---|
160 |
|
---|
161 | If you are attempting to build OpenSSL with NSDEE, you will need to specify
|
---|
162 | the following variables. The following set of compiler defines are required:
|
---|
163 |
|
---|
164 | # COMP_ROOT must be a full path for the build system (e.g. windows)
|
---|
165 | COMP_ROOT=$(cygpath -w /path/to/comp_root)
|
---|
166 | # CC must be executable by your shell
|
---|
167 | CC=/path/to/c99
|
---|
168 |
|
---|
169 | ### Optional Build Variables
|
---|
170 |
|
---|
171 | DBGFLAG="--debug"
|
---|
172 | CIPHENABLES="enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-rc4"
|
---|
173 |
|
---|
174 | ### Internal Known TNS/X to TNS/E Cross Compile Variables
|
---|
175 |
|
---|
176 | The following definition is required if you are building on TNS/X for TNS/E
|
---|
177 | and have access to a TNS/E machine on your EXPAND network - with an example
|
---|
178 | node named `\CS3`:
|
---|
179 |
|
---|
180 | SYSTEMLIBS="-L/E/cs3/usr/local/lib"
|
---|
181 |
|
---|
182 | Version Procedure (VPROC) Considerations
|
---|
183 | ----------------------------------------
|
---|
184 |
|
---|
185 | If you require a VPROC entry for platform version identification, use the
|
---|
186 | following variables:
|
---|
187 |
|
---|
188 | ### For Itanium
|
---|
189 |
|
---|
190 | OPENSSL_VPROC_PREFIX=T0085H06
|
---|
191 |
|
---|
192 | ### For x86
|
---|
193 |
|
---|
194 | OPENSSL_VPROC_PREFIX=T0085L01
|
---|
195 |
|
---|
196 | ### Common Definition
|
---|
197 |
|
---|
198 | export OPENSSL_VPROC=${OPENSSL_VPROC_PREFIX}_$(
|
---|
199 | . VERSION.dat
|
---|
200 | if [ -n "$PRE_RELEASE_TAG" ]; then
|
---|
201 | PRE_RELEASE_TAG="-$PRE_RELEASE_TAG"
|
---|
202 | fi
|
---|
203 | if [ -n "$BUILD_METADATA" ]; then
|
---|
204 | BUILD_METADATA="+$BUILD_METADATA"
|
---|
205 | fi
|
---|
206 | echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" |\
|
---|
207 | sed -e 's/[-.+]/_/g'
|
---|
208 | )
|
---|
209 |
|
---|
210 | Example Configure Targets
|
---|
211 | -------------------------
|
---|
212 |
|
---|
213 | For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`.
|
---|
214 | For GUARDIAN targets, DLL names will be `ssl` and `crypto`. The following
|
---|
215 | assumes that your PWD is set according to your installation standards.
|
---|
216 |
|
---|
217 | ./Configure nonstop-nsx --prefix=${PWD} \
|
---|
218 | --openssldir=${PWD}/ssl no-threads \
|
---|
219 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
220 | ./Configure nonstop-nsx_g --prefix=${PWD} \
|
---|
221 | --openssldir=${PWD}/ssl no-threads \
|
---|
222 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
223 | ./Configure nonstop-nsx_put --prefix=${PWD} \
|
---|
224 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
---|
225 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
226 | ./Configure nonstop-nsx_spt_floss --prefix=${PWD} \
|
---|
227 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
---|
228 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
229 | ./Configure nonstop-nsx_64 --prefix=${PWD} \
|
---|
230 | --openssldir=${PWD}/ssl no-threads \
|
---|
231 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
232 | ./Configure nonstop-nsx_64_put --prefix=${PWD} \
|
---|
233 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
---|
234 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
235 | ./Configure nonstop-nsx_g_tandem --prefix=${PWD} \
|
---|
236 | --openssldir=${PWD}/ssl no-threads \
|
---|
237 | --with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
238 |
|
---|
239 | ./Configure nonstop-nse --prefix=${PWD} \
|
---|
240 | --openssldir=${PWD}/ssl no-threads \
|
---|
241 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
242 | ./Configure nonstop-nse_g --prefix=${PWD} \
|
---|
243 | --openssldir=${PWD}/ssl no-threads \
|
---|
244 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
245 | ./Configure nonstop-nse_put --prefix=${PWD} \
|
---|
246 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
---|
247 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
248 | ./Configure nonstop-nse_spt_floss --prefix=${PWD} \
|
---|
249 | --openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
---|
250 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
251 | ./Configure nonstop-nse_64 --prefix=${PWD} \
|
---|
252 | --openssldir=${PWD}/ssl no-threads \
|
---|
253 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
254 | ./Configure nonstop-nse_64_put --prefix=${PWD} \
|
---|
255 | --openssldir=${PWD}/ssl threads "-D_REENTRANT"
|
---|
256 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|
257 | ./Configure nonstop-nse_g_tandem --prefix=${PWD} \
|
---|
258 | --openssldir=${PWD}/ssl no-threads \
|
---|
259 | --with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
---|