HPCC Systems 8.12.x Releases

Welcome to the Red Book for HPCC Systems® 8.12.x series.

You may benefit from glancing at other Red Book entries when making a large jump between releases.

Here's how to contact us if you find an issue or want to add something to the Red Book:

• To raise an issue, use our Community Issue Tracker. Please create yourself an account if you don't already have one, to get automatic updates as your issue progresses through the workflow.
• To ask a developer a technical question about something you are doing or have encountered, post in the Forums on Stack Overflow. We invite you to post your questions on Stack Overflow utilizing the tag hpcc-ecl (StackOverflow).
• To add a note to the RedBook, please contact Jim DeFabia with full details.

Client Tools and OpenSSL Vulnerability

Due to a vulnerability in the version 3.0 OpenSSL library prior to version 3.08, we recommend updating your Client Tools to a version using the newer library.

• If you are using a version of Client Tools from the 8.12.x series, upgrade to 8.12.26 or later.
• For the 9.0.x series, upgrade to 9.0.14 or later.
• This issue does not affect the 9.2.x series Client Tools.
• If you are using a version prior to 8.12.x, there is no reason to delay upgrading even if you are targeting an older system.

---

Indexes built on Thor

Indexes built by Thor have a special file part (the top-level key or TLK) that indicates how the entries are distributed among file parts.

• Indexes built using platform version 8.12.0 and later remove unnecessary information from the TLK, making them smaller and more efficient.
• These TLKs are backward compatible, except for reading from hThor.
• For indexes generated by Thor to be read by hThor, the hThor system should use at least version 8.6.66, 8.8.28, or 8.10.10.

---

ECL Playground and Filter pages in ECL Watch 9

In Version 8.12.0-1:

• The ECL Playground Page in ECL Watch 9 will render blank.
• Accessing a filter or dialog on other pages may also cause blank rendering.

Workaround: Use the ECL Watch 5 interface. Disable Tech Preview mode via the Advanced menu on the top right-hand side of the navigation bar.

Fixed in: Version 8.12.2-1

---

LDAPS Connection Error issue on some LDAP servers

HPCC Systems® platform versions 8.12.x or later use newer, more secure, OpenSSL libraries. A side effect of this added security is that some legacy Microsoft Active Directory implementations will no longer allow LDAPS connections without specifying the CipherSuite in the HPCC configuration. A CipherSuite is a text string that identifies a collection of algorithms used to secure the LDAPS connection.

Some LDAP servers will report a connection error when an LDAPS-enabled ESP or Dali starts. This only occurs when the ESP or Dali security manager is configured to use the more secure, TLS-based LDAPS protocol on port 636. If this is the case, contact your Microsoft Active Directory LDAP Administrator to determine if the connection requires the specification of a CipherSuite.

If a CipherSuite string is required, you must add it to the configuration.

For bare-metal installations, use Configuration Manager to add the Cypher suite. For containerized deployments, use a custom Helm chart.

A CipherSuite string will look something like:

ECDH+AES128:@SECLEVEL=0

Or

DEFAULT:@SECLEVEL=0

For a bare-metal deployment:

1. Start the Configuration Manager service.

   sudo /opt/HPCCSystems/sbin/configmgr

2. Using a Web browser, go to the Configuration Manager's interface:

   http://<ESP_IP>:8015

3. Navigate to the LDAPServer component that is bound to the IP address of the LDAP server and locate the new cipherSuite key/value entry field.

4. Enter the CipherSuite exactly as provided by your LDAP AD Administrator.

5. Save and deploy the configuration file to every node and retry starting the ESP/Dali component bound to that LDAP server.

Notes:

• Adding this value to the configuration does not affect LDAP (port 389) based connections. These connections do not require a CipherSuite.

• This entry is ignored by older versions of the HPCC Systems platform (pre 8.12), so the environment file can be shared across environments.

• If you use specific suites and need a '+' plus sign in the string, you should know that Configuration Manager incorrectly replaces the '+' plus signs with spaces. So, if you enter the string with + signs in Configuration Manager it will be written incorrectly in the environment.xml file HPCC-28893.

  As a workaround, you can either hand edit the environment.xml file or use the Unicode Decimal Code equivalent for plus signs:

  +

  For example:

  ECDH+AES128:@SECLEVEL=0

For HELM-based deployments:

1. Add the CipherSuite key/value to a custom Helm Chart (YAML) as follows:

   esp:
   - name: eclwatch
     application: eclwatch
     auth: ldaps
     ldap:
       ldapAddress: "xx.xxx.xxx.xx"
       serverType: ActiveDirectory
       cipherSuite: "ECDH+AES128:@SECLEVEL=0"

   Be sure to provide the actual ldapAddress and the actual cipherSuite provided by your LDAP administrator.

   For this example, let's call the file myLDAP.yaml . You can name it anything you like, but it must use that name in your helm install command.

2. Add the new custom configuration to your startup command using the -f parameter:

 helm install <clustername> hpcc/hpcc  -f myLDAP.yaml

Notes:

• Adding this value to the configuration does not affect LDAP (port 389) based connections. These connections do not require a CipherSuite.

• This entry is ignored by older versions of the HPCC Systems platform (pre 8.12), so the environment file can be shared across environments.