HPCC Systems 8.12.x Releases

Welcome to the Red Book for HPCC Systems® 8.12.x series. 

You may benefit from glancing at other Red Book entries when making a large jump between releases.

Here's how to contact us if you find an issue or want to add something to the Red Book:

  • To raise an issue, use our Community Issue Tracker. Please create yourself an account if you don't already have one, to get automatic updates as your issue progresses through the workflow.

  • To ask a developer a technical question about something you are doing or have encountered, post in the Forums on Stack Overflow.
    We invite you to post your questions on Stack Overflow utilizing the tag hpcc-ecl (https://stackoverflow.com/search?tab=newest&q=hpcc-ecl). 

  • To add a note to the RedBook, please contact Jim DeFabia with full details.

Client Tools and OpenSSL Vulnerability

Due to a vulnerability in the version 3.0 OpenSSL library prior to version 3.08, we recommend updating your Client Tools to a version using the newer library. If you are using a version of Client Tools from the 8.12.x series, you should upgrade to 8.12.26 or later. For the 9.0.x series, you should upgrade to 9.0.14 or later. This issue does not affect the 9.2.x series Client Tools.  If you are using a version prior to 8.12.x, there is no reason to delay upgrading even if you are targeting an older system. 

Indexes built on Thor

Indexes built by Thor have a special file part (the top-level key or TLK) that indicates how the entries are distributed among file parts.  

Indexes built using a platform version of 8.12.0 and later remove some unnecessary information from the TLK. This makes them smaller and more efficient to search. 

The new TLKs are backward compatible, except for reading from hThor.  For indexes generated by Thor to be read by hThor, the hThor system should use at least version 8.6.66, 8.8.28 or 8.10.10. 

ECL Playground and Filter pages in ECL Watch 9

In Version 8.12.0-1:
In the ECL Watch 9 interface, the ECL Playground Page will render blank.  On all other pages accessing a filter or dialog may also cause the page to render blank.

The workaround is to use the ECL Watch 5 interface. Use the Advanced menu on the top right-hand side of the navigation bar to disable Tech Preview mode.  

This was fixed in 8.12.2-1

LDAPS Connection Error issue on some LDAP servers

HPCC Systems® platform versions 8.12.x or later use newer, more secure, OpenSSL libraries. A side effect of this added security is that some legacy Microsoft Active Directory implementations will no longer allow LDAPS connections without specifying the CipherSuite in the HPCC configuration. A CipherSuite is a text string that identifies a collection of algorithms used to secure the LDAPS connection. 

Some LDAP servers will report a connection error when an LDAPS-enabled ESP or Dali starts. This only occurs when the ESP or Dali security manager is configured to use the more secure, TLS-based LDAPS protocol on port 636. If this is the case, contact your Microsoft Active Directory LDAP Administrator to determine if the connection requires the specification of a CipherSuite.  

If a CipherSuite string is required, you must add it to the configuration.  

For bare-metal installations, use Configuration Manager to add the Cypher suite.  For containerized deployments, use a custom Helm chart.  

A CipherSuite string will look something like: 
 
ECDH+AES128:@SECLEVEL=0 

Or  

DEFAULT:@SECLEVEL=0 

For a bare-metal deployment:  

  1. Start the Configuration Manager service.

    sudo /opt/HPCCSystems/sbin/configmgr 

  2. Using a Web browser, go to the Configuration Manager's interface:

    http://<ESP_IP>:8015 


  3. Navigate to the LDAPServer component that is bound to the IP address of the LDAP server and locate the new cipherSuite key/value entry field. 

  4. Enter the CipherSuite exactly as provided by your LDAP AD Administrator.

  5. Save and deploy the configuration file to every node and retry starting the ESP/Dali component bound to that LDAP server.

 

Notes:   

  • Adding this value to the configuration does not affect LDAP (port 389) based connections. These connections do not require a CipherSuite. 

  • This entry is ignored by older versions of the HPCC Systems platform (pre 8.12), so the environment file can be shared across environments.

  • If you use specific suites and need a ‘+’ plus sign in the string, you should know that Configuration Manager incorrectly replaces the ‘+’ plus signs with spaces. So, if you enter the string with + signs in Configuration Manager it will be written incorrectly in the environment.xml file.  (https://track.hpccsystems.com/browse/HPCC-28893

 As a workaround, you can either hand edit the environment.xml file or use the Unicode Decimal Code equivalent for plus signs: 

 &#43;  

 For example: 

ECDH&#43;AES128:@SECLEVEL=0 

 

For HELM-based deployments: 

 

1. Add the CipherSuite key/value to a custom Helm Chart (YAML) as follows: 

esp: 
- name: eclwatch 
application: eclwatch 
auth: ldaps 
ldap: 
  ldapAddress: "xx.xxx.xxx.xx" 
  serverType: ActiveDirectory 
  cipherSuite: "ECDH&#43;AES128:@SECLEVEL=0" 

 

Be sure to provide the actual ldapAddress and the actual cipherSuite provided by your LDAP administrator. 

For this example, let’s call the file myLDAP.yaml . You can name it anything you like, but it must use that name in your helm install command.  

2.  Add the new custom configuration to your startup command using the -f parameter:



 helm install <clustername> hpcc/hpcc  -f myLDAP.yaml 

 Notes:   

  • Adding this value to the configuration does not affect LDAP (port 389) based connections. These connections do not require a CipherSuite. 

  • This entry is ignored by older versions of the HPCC Systems platform (pre 8.12), so the environment file can be shared across environments.

 

 



All pages in this wiki are subject to our site usage guidelines.