=====================================================================
Sterling Secure Proxy (SSP) 3.4.1.0 Patch 5 Maintenance - August 2012
=====================================================================

This maintenance archive includes the GA release of SSP Engine 3.4.1.0 and
SSP Configuration Manager 3.4.1.0 plus the fixes for the issues mentioned
below.

Contents:

   I.  Summary of Fixes by Patch (Latest patch first)
   II. Detailed Description of Fixes


I. Summary of Fixes by Patch (Latest patch first)

Fixes are marked as Engine, CM (Configuration Manager), and GUI (Admin GUI).

===============================================================================
Summary of Fixes for SSP 3.4.1.0 Patch 5 Build 77 (August 2012)
===============================================================================

RTC330660 (CM, Engine) - Jetty PSIRT Advisory 258 - DOS Hashmap attack

===============================================================================
Summary of Fixes for SSP 3.4.1.0 Patch 4 Build 76 (July 2012)
===============================================================================

RTC335983 (CM, Engine) - Linux JVM subject to SIGPIPE interrupt. Updated IBM
                         1.6.0 Linux JRE to SR10 FP1

===============================================================================
Summary of Fixes for SSP 3.4.1.0 Patch 3 Build 75 (June 2012)
===============================================================================

RTC335861 (CM, GUI) - SSPCM Patch 2 delivers GA version of war files.
===============================================================================
Summary of Fixes for SSP 3.4.1.0 Patch 2 Build 74 (May 2012)
===============================================================================

QC19167   (Engine) - Error connecting to SSP SSH/SFTP proxy adapter with Axway
                     client
RTC103849 (CM - Installation) - SSPCM will not start after upgrade if
                     dfltKeyStore.xml file is missing
RTC140648 (Engine) - Correctly load the Step Permission values from the PNODE
                     policy for each new CD session.
RTC140686 (Engine) - Tectia SSH sftpg3 command line client unable to connect
                     to SSP
RTC140514 (Engine) - SFTP Adapter rejects sessions specifying SFTP protocol 5
                     or 6.
RTC140683 (Engine) - Secure+ Timeouts during download of large files
RTC140524 (Engine) - CSP900E Logged Exception due to long PCRT value in C:D
                     FMH70
RTC310391 (Engine) - SFTP connections fail when multiple authentication
                     methods defined in netmap
RTC311930 (Engine) - In FIPS mode, SSP log shows Invalid Key Strength: 512
RTC313461 (Engine) - C:D Session gets MSGCSP057E snode session could not
                     start to intended route, and NullPointerException
RTC314325 (Engine, CM) - Unable to import Certificate with wrong Country Code
                     encoding into CM
RTC314343 (Engine) - Out of memory error during C:D sessions
RTC288193 (CM GUI) - SSP UI tables not displayed under FireFox 9.0.1
RTC315035 (Engine) - HTTP Header size rejected as too large
RTC322562 (Engine) - FTP EPSV and EPRT commands not correctly handled in SSP
RTC322567 (Engine) - SSP aborts session if CDSA sends DSEQ in FM71

================================================================================
Summary of Fixes for SSP 3.4.1.0 Patch 1 Build 72 (March 2012)
================================================================================

RTC319700 (Engine - PeSIT adapter) - PeSIT messages support and outbound PeSIT
                     node trace have been added.


II. Detailed Description of Fixes
===============================================================================
Detailed Descriptions of Fixes (in ascending fix order)

Fixes are marked as Engine, CM (Configuration Manager), and GUI (Admin GUI).
===============================================================================

QC19167 (Engine) - Error connecting to SSP SSH/SFTP proxy adapter with Axway
client

Remotes running a version of the Axway SSH/SFTP client were experiencing
problems after connecting to the SSP SFTP adapter. The SFTP adapter was
expecting the client to provide the SSH_FXP_REALPATH command before any other
command after the SSH_FXP_INIT. The Axway client was not supplying the
REALPATH command.

Resolution: Updated the SFTP adapter to relax the requirement for the client
to send the SSH_FXP_REALPATH command before any other command after the
SSH_FXP_INIT is received at session startup.

RTC103849 (CM - Installation) - SSPCM will not start after upgrade if
dfltKeyStore.xml file is missing

The Customer had created a new System Certificate Store using the CM and
deleted the one entitled dfltKeyStore. When upgrading the CM, the installation
process laid down a new dfltKeyStore.xml file which was not encrypted. When
the CM tried to decrypt the file to read it, the result was garbage and the CM
failed to come up. The workaround was to delete
/conf/configurator/keyStore/dfltKeyStore.xml after the upgrade and start the
CM.

Resolution: Updated the SSP CM Installer to NOT lay down a fresh copy of the
following files during an upgrade. The files will be added during a new
install only.
   ./conf/configurator/keyStore/dfltCMTrustStore.xml
   ./conf/configurator/keyStore/dfltCMKeyStore.xml
   ./conf/configurator/keyStore/dfltKeyStore.xml
   ./conf/configurator/keyStore/dfltTrustStore.xml
   ./conf/configurator/pwdPolicy/defPasswordPolicy.xml
   ./conf/configurator/userStore/defUserStore.xml
   ./conf/system/defSslInfo.xml
   ./conf/system/defTrustStore.xml

RTC140648 (Engine) - Correctly load the Step Permission values from the PNODE
policy for each new CD session.

A CD policy is pushed to the engine with Step Permissions:RunTasks set to
true. The policy is successfully used by a process several times. Another
process runs on the adapter using a netmap/policy with RunTasks set to false.
When the first process runs again, it fails with

   CSP057E 16 Exception or other serious error occurred: exception in
   processing runtask policy prevents runtask from proceeding

The CD configuration manager was not resetting policy defaults for Step
Permissions at session start time. It only subtracted permissions when a
policy used false values for RunTask, RunJob, Submit or Copy, causing the
whole adapter to use false values until the policy is pushed again.

Workaround: Ensure all policies you reference use a true value for the Step
Permissions.

Resolution: Corrected the CD Configuration manager to accurately load the Step
Permission values from the PNODE policy for each new CD session.

RTC140686 (Engine) - Tectia SSH sftpg3 command line client unable to connect
to SSP

When using the Tectia sftpg3 command line client to connect to an SSH adapter
on SSP, the session terminates immediately after authentication. The logs
show that the SSH_FXP_EXTENDED feature file-stat-extended@ssh.com was
rejected:

   SSE2633 Closing remote client connection due to command decode policy:
   SSH_FXP_EXTENDED, version:3, Reason:invalid extended request:
   file-stat-extended@ssh.com request due to {1} request

Per the SFTP protocol, even though the feature is not supported, the session
should not be terminated.
Resolution: Updated the SSH command decoder to return an SSH_FXP_STATUS code
rather than disconnecting the session.

RTC140514 (Engine) - SFTP Adapter rejects sessions specifying SFTP protocol 5
or 6.

SFTP clients that connect specifying SFTP protocol version 5 or 6 are rejected
by SSP, even if the client is capable of negotiating down to version 3. SSP
logs the following messages and closes the connection:

   SSE2621 unsupported sftp protocol version:6
   SSE2633 Closing remote client connection due to command decode policy:
   SSH_FXP_INIT, version:0, Reason:unsupported version:6 request due to {1}
   request

One client that saw this failure was WinSCP.

Resolution: Updated the SSH command decoder to allow the SSH_FXP_INIT
specifying SFTP versions of 5 or 6, in addition to 3 and 4, which it already
allowed. It now returns an SSH_FXP_VERSION of 3 to allow the client to
negotiate down rather than disconnecting the session.

RTC140683 (Engine) - Secure+ Timeouts during download of large files

Customer getting timeout messages when transferring large files with
Connect:Direct Secure Plus through SSP. If the files take longer than 90
seconds to transfer, the Customer gets such messages as XIPT016I, XSMG621I,
XCPS004I, and XSMG605I. The secureproxy log shows

   CSP900E Logged Exception : Did not get buffer in 90000 ms.

A previous fix inserted a timeout on the channels that transfer data from
PNODE to SNODE and from SNODE to PNODE. While data was traveling in one
direction, the SSP channel that handled data going the other direction timed
out waiting for data or an FMH, etc.

Workaround: Increase the TCP timeout value in the Advanced tab of the Netmap
for the C:D node(s).

Resolution: Changed the code in the SSP C:D channels to ignore the timeout if
the transfer is still running.
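The two SSH command decoder fixes above (RTC140686 and RTC140514) share one idea: a request the proxy cannot honour gets a protocol-level refusal, not a dropped session. The following Python is an added example written for these notes, not SSP's own code. It frames SFTP packets in the standard uint32-length/byte-type layout, answers an SSH_FXP_INIT for version 5 or 6 with SSH_FXP_VERSION 3 so the client can negotiate down, and answers an unknown SSH_FXP_EXTENDED request with an SSH_FXP_STATUS of SSH_FX_OP_UNSUPPORTED. The packet type and status numbers are the standard draft-ietf-secsh-filexfer values; the function names, the KNOWN_EXTENSIONS set and the sample packets are assumptions constructed for the example.

```python
"""Minimal SFTP-proxy command decoder.

Hypothetical example code, not SSP's own. It models the two behaviours from
RTC140514 and RTC140686: an SSH_FXP_INIT asking for protocol 5 or 6 is
answered with SSH_FXP_VERSION 3 so the client can negotiate down, and an
SSH_FXP_EXTENDED request the proxy does not know is answered with an
SSH_FXP_STATUS of SSH_FX_OP_UNSUPPORTED instead of a disconnect.
"""
import struct

# Packet type and status numbers from the IETF secsh-filexfer drafts
SSH_FXP_INIT = 1
SSH_FXP_VERSION = 2
SSH_FXP_STATUS = 101
SSH_FXP_EXTENDED = 200
SSH_FX_OP_UNSUPPORTED = 8

SERVER_VERSION = 3                       # the only version this proxy speaks
ACCEPTED_INIT_VERSIONS = {3, 4, 5, 6}    # after the fix; before it was {3, 4}
KNOWN_EXTENSIONS: set = set()            # assumption: this proxy supports none


def _u32(n: int) -> bytes:
    return struct.pack(">I", n)


def _string(data: bytes) -> bytes:
    return _u32(len(data)) + data


def _read_string(buf: bytes, off: int):
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n


def packet(ptype: int, payload: bytes) -> bytes:
    """Frame a payload as uint32 length + byte type + payload."""
    body = bytes([ptype]) + payload
    return _u32(len(body)) + body


def parse_packet(raw: bytes):
    length = struct.unpack_from(">I", raw, 0)[0]
    if length < 1 or len(raw) < 4 + length:
        raise ValueError("truncated SFTP packet")
    return raw[4], raw[5:4 + length]


# Builders for the packets a client would send (constructed test input)
def init_packet(version: int) -> bytes:
    return packet(SSH_FXP_INIT, _u32(version))


def extended_packet(req_id: int, name: str, *args: bytes) -> bytes:
    return packet(SSH_FXP_EXTENDED,
                  _u32(req_id) + _string(name.encode()) + b"".join(_string(a) for a in args))


def handle_client_packet(raw: bytes):
    """Decide what the proxy does with one client packet.

    Returns ("reply", bytes) when the proxy answers itself, ("forward", raw)
    when it passes the packet on to the backend, ("close", reason) when the
    session is dropped.
    """
    ptype, payload = parse_packet(raw)
    if ptype == SSH_FXP_INIT:
        version = struct.unpack_from(">I", payload, 0)[0]
        if version not in ACCEPTED_INIT_VERSIONS:
            return ("close", f"unsupported sftp protocol version:{version}")
        # RTC140514: always answer 3; a v5/v6 client then negotiates down
        return ("reply", packet(SSH_FXP_VERSION, _u32(SERVER_VERSION)))
    if ptype == SSH_FXP_EXTENDED:
        req_id = struct.unpack_from(">I", payload, 0)[0]
        name, _ = _read_string(payload, 4)
        if name.decode("ascii", "replace") not in KNOWN_EXTENSIONS:
            # RTC140686: refuse the single request, keep the session alive
            status = (_u32(req_id) + _u32(SSH_FX_OP_UNSUPPORTED)
                      + _string(b"invalid extended request: " + name) + _string(b"en"))
            return ("reply", packet(SSH_FXP_STATUS, status))
    return ("forward", raw)


def parse_version(reply: bytes) -> int:
    """Return the version carried by an SSH_FXP_VERSION reply."""
    ptype, payload = parse_packet(reply)
    assert ptype == SSH_FXP_VERSION
    return struct.unpack_from(">I", payload, 0)[0]


def parse_status(reply: bytes):
    """Return (request id, status code, message) from an SSH_FXP_STATUS."""
    ptype, payload = parse_packet(reply)
    assert ptype == SSH_FXP_STATUS
    req_id, code = struct.unpack_from(">II", payload, 0)
    message, _ = _read_string(payload, 8)
    return req_id, code, message.decode()


if __name__ == "__main__":
    act, rep = handle_client_packet(init_packet(6))
    print(act, parse_version(rep))
    act, rep = handle_client_packet(extended_packet(7, "file-stat-extended@ssh.com", b"/"))
    print(act, parse_status(rep))
```

Setting ACCEPTED_INIT_VERSIONS back to {3, 4} reproduces the pre-fix WinSCP failure (a version 6 INIT returns "close"); the EXTENDED path shows why a per-request status is the right granularity for a proxy: the client learns the operation is unavailable and can carry on with the rest of its work.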
RTC140524 (Engine) - CSP900E Logged Exception due to long PCRT value in C:D
FMH70

A Connect:Direct Secure Plus session through SSP failed during the initial FMH
exchange because the PCRT field added to the FMH70 record caused the z/OS
SNODE to mishandle the record and drop the session. When the PCRT field is
large, it can cause problems if the SNODE cannot handle the larger FMH70 RU.
Study showed that the certificate passed in the PCRT field was not the PNODE
certificate at all, which makes it of little value.

Resolution: Turned off adding the "PCRT" breadcrumb to the C:D FMH70 unless
the behavior is specifically turned on at the adapter level. The following
properties are now the default in the C:D adapter:

   "CDSP|*|BreadCrumbAddress" = "granted"
      (allows "PRXY" breadcrumbs to be inserted)
   "CDSP|*|BreadCrumbAddressTransparentContent" = "granted"
      (allows more detail in the "PRXY" field)
   "CDSP|*|BreadCrumbAddressPCRT" = "denied"
      (do not insert the "PCRT" field)

To continue to send the "PCRT" field, you must add the following property to
the C:D adapter Properties tab of the CM GUI:

   "CDSP|*|BreadCrumbAddressPCRT" = "granted"

RTC288193 (CM GUI) - SSP UI tables not displayed under FireFox 9.0.1

Several GUI tables were not being displayed under FireFox 9.0.1.

Resolution: Added corrected table logic to ensure the tables display.

RTC310391 (Engine) - SFTP connections fail when multiple authentication
methods defined in netmap

The Customer attempted to define password-only authentication for one address
in the SSH SFTP netmap and key-only authentication for all others, like so:

   Name                    Peer Address Pattern
   Password_Inbound_SFTP   10.20.30.40/32
   KeyOnly_Inbound_SFTP    *

However, no matter which address the remote logged in from, the server
required both password and key authentication, so the authentication failed.
Another variation of the problem: if the authentication method is first
defined as password AND key, the authentication fails in the same way when
dropped back to password OR key. This happens even with only one peer address
pattern.

Resolution: Updated the SFTP authentication selection code to first clear the
authentication methods for the session and then add them per the values in
the netmap.

RTC311930 (Engine) - In FIPS mode, SSP log shows Invalid Key Strength: 512

Customer is running an outbound Connect:Direct Secure+ session with their keys
stored in a HSM (Hardware Storage Manager) device. The transfers work ok until
they turn on FIPS mode for the HSM device. Then the sessions fail with an
exception in the log, "Invalid Key Strength: 512". The HSM toolkit in the Java
Security chain required the export key to be generated with a minimum key
length of 1024 bits.

Resolution: Added a new property in the C:D adapter to control the key size of
the export key during C:D Secure Plus sessions. The "RsaExportKeySize"
property has a default of 512. To change the key size to 1024, define the
property in the C:D adapter:

   RsaExportKeySize = 1024

RTC313461 (Engine) - C:D Session gets MSGCSP057E snode session could not start
to intended route, and NullPointerException

Customer is upgrading from SSP 2.x to SSP 3.4 and imported the configuration
from SSP 2.x. When running Connect:Direct Secure+ sessions outbound through
SSP, they get

   MSGCSP057E snode session could not start to intended route

and a NullPointerException in ProxyServerCDImpl.

Resolution: Corrected an error where a property was attempting to be pulled
from a null configuration object. Now catch the error and continue
processing.

RTC314325 (Engine, CM) - Unable to import Certificate with wrong Country Code
encoding into CM

Customer attempted to import a certificate using the SSP Configuration Manager
GUI and got the message "Unable to parse certificate".
Further research showed that the certificate was failing on the Country Code,
because it had been generated with an ASN.1 encoding of UTF8String instead of
the required PrintableString.

Resolution: Added a way for the Customer to ignore the check for illegal
encoding on the Country Codes by adding the

   -DallowIllegalCountryNameEncodings=1

parameter to the java parameters in the CM and engine startup scripts.

RTC314343 (Engine) - Out of memory error during C:D sessions

Customer applied fix RTC140683 for CD sessions and began to get Java Out of
Memory errors within 24 hours. Fix RTC140683 did some cleanup on the session
tracing, but introduced a problem where a trace buffer was never written and
never cleared and grew to over 800MB.

Resolution: Corrected the code that kept the trace buffer from being written
and cleared.

RTC315035 (Engine) - HTTP Header size rejected as too large
PMR: 91702,999,000

The Customer attempted to override the HTTP Adapter property
httpMaxHeaderFieldLength higher than the default value of 8192, but it always
used the default. During sessions where the backend server used cookies which
pushed the HTTP header length above 8192, the session would fail with

   SSP154E RequestHeader Line length >= max. length (8,192)

Resolution: Corrected the HTTP adapter to correctly allow overrides to the
default values of httpMaxHeaderFieldLength, httpMaxNumHeaderFields,
html.rewrite.threads, and html.rewrite.threads.queue.size.

RTC319700 (Engine - PeSIT adapter) - PeSIT messages support and outbound PeSIT
node trace have been added.

RTC322562 (Engine) - FTP EPSV and EPRT commands not correctly handled in SSP

When SSP encounters the EPSV (extended passive) or EPRT (extended port)
commands from the client, it incorrectly forwards the command to the back end
server and echoes the reply to the client.
However, since the port that the back end server listens on is not the same as
the port that SSP will listen on, the client is never able to connect to the
data channel.

Resolution: Now reject the EPSV and EPRT FTP commands from a client and allow
the client to retry with the PASV or PORT command.

RTC322567 (Engine) - SSP aborts session if CDSA sends DSEQ in FM71

When sending a transfer from a Connect:Direct z/OS via SSP, the following
error message is displayed and the transmission is aborted:

   Exception or other serious error occurred: cvc-complex-type.2.4.a: Invalid
   content was found starting with element 'DSEQ'. One of '{SBXS, SBLX, DBXS,
   DBLX, SBFS, ..., etc, ... FRKP, DKYL}' is expected.

The Customer has the Protocol Error Action set to Abort in the SSP C:D
Policy, which instructs SSP to validate the FMH and ensure that no invalid
keys are passed to the outbound C:D image. The workaround is to set the
Protocol Error Action to None, Ignore, or Warn.

Resolution: Updated the XSD schema for the SSP C:D FMH71 to include the
following new keys, which have been introduced in recent releases of C:D:
DCMS, DRPS, DSEQ, DSQS, DVSV, S21S, SARL, SDTS, SEXT, SRKP, SRKS, SUCN, SUCS.
Also updated the XSD schema for the SSP C:D FMH70 to include the following
new keys: VRMV, VRMR, VRMM, VRMF, VRMX, VRMS, and SECD.

RTC335861 (CM, GUI) - SSPCM Patch 2 delivers GA version of war files.

Customer put on SSP 3.4.1.0 patch 2 to get post-GA maintenance for SSPCM.
However, when the SSPCM installation completed, the files in the
/apps/jetty/webservices/webapps directory were all from the GA release (dated
1/18/2012). The InstallAnywhere image for SSP3410Maint was still being built
with the GA versions of SSPDashboard.war and SspJsf.war.

Resolution: Updated the SSP CM Installer to pull the
./apps/jetty/webservices/SSPDashboard.war and SspJsf.war files from the
SSP3410Maint staging area instead of the SSP3410 (GA) staging area.

RTC335983 (CM, Engine) - Linux JVM subject to SIGPIPE interrupt.
Customer reported that after installing SSP 3.4.1.0 on their RedHat Linux box
and logging onto their CM GUI, the CM died without warning. Found that the IBM
JRE that is shipped with SSP contains a bug that makes it vulnerable to a
SIGPIPE error causing the JVM to die without warning.

Resolution: Updated the Linux JVM to IBM 1.6.0 SR10 FP1 level, which has a fix
for IBM JRE APARs IV02378/IV02379.

RTC330660 (CM, Engine) - Jetty PSIRT Advisory 258 - DOS Hashmap attack

IBM PSIRT Advisory 258 was opened to document a denial of service attack on
web servers that use a hashmap to store HTTP request headers.

Resolution: Changed Jetty to limit the number of HTTP parameter keys in a
request to a default of 1000. The value can be overridden by specifying

   -Dorg.eclipse.jetty.server.Request.maxFormKeys

on the java startup line in the /bin/startEngine.sh or /bin/startCM.sh
scripts.
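Two entries in these notes concern request-size limits on the HTTP side: RTC315035 (a header field length cap, default 8192, whose override was being ignored) and RTC330660 (a cap of 1000 on the number of form parameter keys, the mitigation for the hashmap denial-of-service advisory). The following Python is an added example, not SSP's or Jetty's implementation. It shows a front-end parser that reads both limits from an operator-supplied property map, so an override actually reaches the check, and stops decoding a form body as soon as the key count passes the limit, so the per-request map can never grow past it. The default of 8192 and 1000 and the property names come from this page; the httpMaxNumHeaderFields default of 100, the helper names and the sample requests are assumptions constructed for the example.

```python
"""Request-limit checks for an HTTP reverse proxy.

Hypothetical example code, not SSP's or Jetty's implementation. It models the
two limits discussed in RTC315035 and RTC330660: a maximum header field length
(default 8192, as on the page) and a maximum number of form parameter keys
(default 1000, as on the page), both overridable through properties.
"""
from urllib.parse import unquote_plus

# Defaults. httpMaxNumHeaderFields has no default stated on the page; 100 is an
# assumption made for this example.
DEFAULTS = {
    "httpMaxHeaderFieldLength": 8192,
    "httpMaxNumHeaderFields": 100,
    "org.eclipse.jetty.server.Request.maxFormKeys": 1000,
}


class RequestRejected(Exception):
    """Raised when a request exceeds a configured limit."""


class Limits:
    """Effective limits: defaults overridden by whatever the operator set.

    The RTC315035 defect was that overrides never reached the parser; here the
    override is merged explicitly and the parser only ever reads self.*.
    """

    def __init__(self, properties=None):
        merged = dict(DEFAULTS)
        merged.update(properties or {})
        self.max_header_field_length = int(merged["httpMaxHeaderFieldLength"])
        self.max_num_header_fields = int(merged["httpMaxNumHeaderFields"])
        self.max_form_keys = int(merged["org.eclipse.jetty.server.Request.maxFormKeys"])


def parse_head(raw: bytes, limits: Limits):
    """Split a raw request into (request line, header dict, body), enforcing limits."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RequestRejected("incomplete header block")
    request_line, *header_lines = head.split(b"\r\n")
    if len(header_lines) > limits.max_num_header_fields:
        raise RequestRejected(f"more than {limits.max_num_header_fields} header fields")
    headers = {}
    for line in header_lines:
        # Same condition as the SSP154E message on the page: >= max length
        if len(line) >= limits.max_header_field_length:
            raise RequestRejected(
                f"RequestHeader Line length >= max. length ({limits.max_header_field_length:,})")
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line.decode("latin-1"), headers, body


def parse_form(body: bytes, limits: Limits):
    """Decode application/x-www-form-urlencoded, stopping as soon as the key
    count exceeds maxFormKeys, so the per-request map is bounded."""
    form = {}
    count = 0
    for pair in body.split(b"&"):
        if not pair:
            continue
        count += 1
        if count > limits.max_form_keys:
            raise RequestRejected(f"more than {limits.max_form_keys} form keys")
        key, _, value = pair.partition(b"=")
        form.setdefault(unquote_plus(key.decode("latin-1")), []).append(
            unquote_plus(value.decode("latin-1")))
    return form


def check_request(raw: bytes, properties=None):
    """Return {'accepted': bool, 'reason': str, 'form_keys': int} for one request."""
    limits = Limits(properties)
    try:
        _, headers, body = parse_head(raw, limits)
        form = {}
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            form = parse_form(body, limits)
    except RequestRejected as exc:
        return {"accepted": False, "reason": str(exc), "form_keys": 0}
    return {"accepted": True, "reason": "", "form_keys": len(form)}


# Constructed sample requests (not captured traffic)
def request_with_cookie(cookie_len: int) -> bytes:
    """A GET carrying one very long Cookie header (the RTC315035 scenario)."""
    return (b"GET /app HTTP/1.1\r\nHost: example.test\r\n"
            b"Cookie: " + b"s" * cookie_len + b"\r\n\r\n")


def request_with_form_keys(n: int) -> bytes:
    """A POST whose body carries n distinct form parameters."""
    body = b"&".join(b"k%d=v" % i for i in range(n))
    return (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)


if __name__ == "__main__":
    print(check_request(request_with_cookie(9000)))
    print(check_request(request_with_cookie(9000), {"httpMaxHeaderFieldLength": 16384}))
    print(check_request(request_with_form_keys(1500)))
    print(check_request(request_with_form_keys(1500),
                        {"org.eclipse.jetty.server.Request.maxFormKeys": 2000}))
```

The property dictionary stands in for the java startup line: passing {"org.eclipse.jetty.server.Request.maxFormKeys": 2000} plays the role of -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000. Raising either cap widens what a single request may make the proxy hold in memory, which is the trade-off the 1000-key default is meant to bound.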