================================================================================
Sterling Secure Proxy (SSP) 3.4.1.7 (3.4.1.0 FixPack 7) iFix 6 - September 2013
================================================================================

This cumulative maintenance archive includes the GA release of SSP Engine 3.4.1.7 and SSP Configuration Manager 3.4.1.7 plus the fixes for the issues mentioned below.

Contents:
I.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
II. Detailed Description of Fixes

I. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
   Fixes are marked as Engine and CM (Configuration Manager)

================================================================================
Summary of Fixes for SSP 3.4.1.7 (3.4.1.0 FixPack 7) iFix 6 Build 156 (Sept 2013)
================================================================================
RTC383527/IC94691 (Engine) - C:D transfer with Pacing times out
RTC383624/IC94690 (Engine) - Internal perimeter server max concurrent circuits reached.
RTC393773/IC95995 (Engine) - Allow SFTP buffer sizes greater than 65535
No defect - Update IBM JRE6 to SR14 level

================================================================================
Summary of Fixes for SSP 3.4.1.7 (3.4.1.0 FixPack 7) iFix 5 Build 151 (Aug 2013)
================================================================================
RTC367007/ (CM) - CM account lockout not enforced
RTC378549/IC94349 (CM/Engine) - CD Netmap TCP/IP Timeout settings not honored
RTC381368/IC94350 (Engine) - Receiving CSP032E - Invalid content was found starting with element...
RTC390736/ (Engine) - SFTP Adapter failover - not restarting the listener after EA comes back up

================================================================================
Summary of Fixes for SSP 3.4.1.7 (3.4.1.0 FixPack 7) iFix 4 Build 145 (July 2013)
================================================================================
RTC384645/ (Engine) - Dynamic routing in SFTP adapter to a backend server based on Password and/or Key Auth with SEAS

================================================================================
Summary of Fixes for SSP 3.4.1.7 (3.4.1.0 FixPack 7) iFix 3 Build 135 (July 2013)
================================================================================
RTC382822/IC94105 (Engine) - SSP Engine Stop Script fails when HSM device is down
RTC387779/IC94263 (Engine) - CD adapter startup failure with failover enabled

================================================================================
Summary of Fixes for SSP 3.4.1.7 (3.4.1.0 FixPack 7) iFix 2 Build 132 (June 2013)
================================================================================
RTC379216/IC92879 (CM) - Unable to access SSP Configuration Manager after change of default password policy
RTC379005/IC92734 (Engine) - C:D SNODEID not passed to SEAS when password not supplied
RTC377430/IC91239 (Engine) - CD z/OS cipher negotiation failure
RTC377424/IC91239 (Engine) - SSP to SSP CD Secure+ authentication fails
RTC376904/IC92878 (Engine) - netHSM: Password could not be validated
RTC375116/IC91239 (Engine) - Problem setting up secure socket to SEAS
RTC374241/IC91863 (CM) - manageCSRs script does not import a certificate into specific keystore
RTC371378/IC91506 (Engine) - SSP FTP Does not negotiate down to TLS1.0
RTC368880/IC90731 (Engine) - Error updating HSM password with manageKeyCerts.sh
RTC367921/IC90707 (CM) - CM Set secure attribute in SSL cookies
RTC358963/IC91239 (Engine) - Update Certicom libraries to fix nCipher HSM private key issues.

================================================================================
Summary of Fixes for SSP 3.4.1.7 (3.4.1.0 FixPack 7) iFix 1 Build 127 (May 2013)
================================================================================
RTC373481/IC91900 (Engine) - Timeout during long C:D non-secure transfer

================================================================================
Summary of Fixes for SSP 3.4.1.7 (3.4.1.0 FixPack 7) GA Build 124 (March 2013)
================================================================================
RTC368531/IC90460 (Engine) - SSP splits log events written to syslog into 1000 byte chunks
RTC368508/IC90590 (PS) - Perimeter Server fails to come up after SSP3416 install on Solaris
RTC367240/IC90704 (CM) - Disable CM autocomplete of password field
RTC367009/IC90714 (CM) - CM application pages do not break out of third party frames
RTC367003/IC90712 (CM) - Version information revealed in HTTP header
RTC367002/IC90711 (CM) - CM Inadequate application error handling
RTC363382/IC89593 (Engine) - SSP not sending correct "clientID" value to SEAS user exit for authentication
RTC360308/IC89642 (CM) - Unable to edit the SSL certificates imported via manageKeyCerts.sh
RTC359203 (Engine,CM) - Enhancement to support an Access Control List (ACL) in the Connect:Direct netmap
RTC358567/IC88580 (CM) - Allow SSP Configuration Manager to bind to a specific NIC
RTC357923/IC88693 (Engine) - Unable to update a CA Signed certificate on an HSM using the manageCSR -update utility
RTC354752/IC87654 (Engine) - Unable to authenticate SFTP User with "Password,Publickey" requested in that order

================================================================================
Summary of Fixes for SSP 3.4.1.0 FixPack 6 Build 83 (October 2012)
================================================================================
RTC351025/IC87649 (CM, Engine) - SFTP adapter session limits enforced globally rather than at the adapter level.
RTC350386/IC87277 (CM, Engine) - New idmb2.enc system keyfile not created during upgrade
RTC350243/IC87276 (CM) - Unable to stop CM with stopCM.sh and no indication why
RTC348784/IC86821 (CM, Engine) - Upgrade JRE to IBM Java 6 SR11 level for security audit
RTC348461/IC86820 (CM, Engine) - SSP on Solaris using 32-bit version of JRE
RTC347347/IC87266 (CM) - SFTP Post-Authentication Banner Text appears before client authentication
RTC347314/IC87274 (CM) - Admin able to add same named C:D node within netmap if name is in mixed case.
RTC341834/IC85733 (Engine) - SFTP intermittently not returning the SSH server identification string during session startup
RTC336514/IC87275 (CM) - Duplicate SSH public key with different name in Authorized Keystore causes key authentication to fail
RTC336420/IC85514 (CM, Engine) - Loop getting "Fast wakeup condition detected"

================================================================================
Summary of Fixes for SSP 3.4.1.0 FixPack 5 Build 77 (August 2012)
================================================================================
RTC330660 (CM, Engine) - Jetty PSIRT Advisory 258 - DOS Hashmap attack

================================================================================
Summary of Fixes for SSP 3.4.1.0 FixPack 4 Build 76 (July 2012)
================================================================================
RTC335983 (CM, Engine) - Linux JVM subject to SIGPIPE interrupt. Updated IBM 1.6.0 Linux JRE to SR10 FP1

================================================================================
Summary of Fixes for SSP 3.4.1.0 FixPack 3 Build 75 (June 2012)
================================================================================
RTC335861 (CM, GUI) - SSPCM Patch 2 delivers GA version of war files.

================================================================================
Summary of Fixes for SSP 3.4.1.0 FixPack 2 Build 74 (May 2012)
================================================================================
RTC322567 (Engine) - SSP aborts session if CDSA sends DSEQ in FM71
RTC322562 (Engine) - FTP EPSV and EPRT commands not correctly handled in SSP
RTC315035 (Engine) - HTTP Header size rejected as too large
RTC314343 (Engine) - Out of memory error during C:D sessions
RTC314325 (Engine, CM) - Unable to import Certificate with wrong Country Code encoding into CM
RTC313461 (Engine) - C:D Session gets MSGCSP057E snode session could not start to intended route, and NullPointerException
RTC311930 (Engine) - In FIPS mode, SSP log shows Invalid Key Strength: 512
RTC310391 (Engine) - SFTP connections fail when multiple authentication methods defined in netmap
RTC288193 (CM GUI) - SSP UI tables not displayed under FireFox 9.0.1
RTC140686 (Engine) - Tectia SSH sftpg3 command line client unable to connect to SSP
RTC140683 (Engine) - Secure+ Timeouts during download of large files
RTC140648 (Engine) - Correctly load the Step Permission values from the PNODE policy for each new CD session.
RTC140524 (Engine) - CSP900E Logged Exception due to long PCRT value in C:D FMH70
RTC140514 (Engine) - SFTP Adapter rejects sessions specifying SFTP protocol 5 or 6.
RTC103849 (CM - Installation) - SSPCM will not start after upgrade if dfltKeyStore.xml file is missing
QC19167 (Engine) - Error connecting to SSP SSH/SFTP proxy adapter with Axway client

================================================================================
Summary of Fixes for SSP 3.4.1.0 FixPack 1 Build 72 (March 2012)
================================================================================
RTC319700 (Engine - PeSIT adapter) - PeSIT messages support and outbound PeSIT node trace have been added.

II. Detailed Description of Fixes (in Defect ascending order)

================================================================================
Detailed Descriptions of Fixes in (ascending fix order)
Fixes are marked as Engine, CM (Configuration Manager), and GUI (Admin GUI)
================================================================================

QC19167 (Engine) - Error connecting to SSP SSH/SFTP proxy adapter with Axway client

Remotes running a version of the Axway SSH/SFTP client were experiencing problems after connecting to the SSP SFTP adapter. The SFTP adapter was expecting the client to provide the SSH_FXP_REALPATH command before any other command after the SSH_FXP_INIT. The Axway client was not supplying the REALPATH command.

Resolution: Updated the SFTP adapter to relax the requirement for the client to send the SSH_FXP_REALPATH command before any other command after the SSH_FXP_INIT is received at session startup.

RTC103849 (CM - Installation) - SSPCM will not start after upgrade if dfltKeyStore.xml file is missing

The Customer had created a new System Certificate Store using the CM and deleted the one entitled dfltKeyStore. When upgrading the CM, the installation process laid down a new dfltKeyStore.xml file which was not encrypted. When the CM tried to decrypt the file to read it, the result was garbage and the CM failed to come up. The workaround was to delete the /conf/configurator/keyStore/dfltKeyStore.xml after the upgrade and start the CM.

Resolution: Updated the SSP CM Installer to NOT lay down a fresh copy of the following files during an upgrade. The files will be added during a new install only.
    ./conf/configurator/keyStore/dfltCMTrustStore.xml
    ./conf/configurator/keyStore/dfltCMKeyStore.xml
    ./conf/configurator/keyStore/dfltKeyStore.xml
    ./conf/configurator/keyStore/dfltTrustStore.xml
    ./conf/configurator/pwdPolicy/defPasswordPolicy.xml
    ./conf/configurator/userStore/defUserStore.xml
    ./conf/system/defSslInfo.xml
    ./conf/system/defTrustStore.xml

RTC140648 (Engine) - Correctly load the Step Permission values from the PNODE policy for each new CD session.

A CD policy is pushed to the engine with Step Permissions:RunTasks set to true. The policy is successfully used by a process several times. Another process runs on the adapter using a netmap/policy with RunTasks set to false. When the first process runs again, it fails with

    CSP057E 16 Exception or other serious error occurred: exception in processing runtask policy prevents runtask from proceeding

The CD configuration manager was not resetting policy defaults for Step Permissions at session start time. It only subtracted permissions when a policy used false values for RunTask, RunJob, Submit or Copy, causing the whole adapter to use false values until the policy is pushed again.

Workaround: Ensure all policies you reference use a true value for the Step Permissions.

Resolution: Corrected the CD Configuration manager to accurately load the Step Permission values from the PNODE policy for each new CD session.

RTC140686 (Engine) - Tectia SSH sftpg3 command line client unable to connect to SSP

When using the Tectia sftpg3 command line client to connect to an SSH adapter on SSP, the session terminates immediately after authentication. The logs show that the SSH_FXP_EXTENDED feature file-stat-extended@ssh.com was rejected:

    SSE2633 Closing remote client connection due to command decode policy: SSH_FXP_EXTENDED, version:3, Reason:invalid extended request: file-stat-extended@ssh.com request due to {1} request

Per the SSP protocol, even though the feature is not supported, the session should not be terminated.
Resolution: Updated the SSH command decoder to return a SSH_FXP_STATUS code rather than disconnecting the session.

RTC140514 (Engine) - SFTP Adapter rejects sessions specifying SFTP protocol 5 or 6.

SFTP Clients that connect specifying SFTP protocol version 5 or 6 are rejected by SSP, even if the client is capable of negotiating down to version 3. SSP logs the following messages and closes the connection:

    SSE2621 unsupported sftp protocol version:6
    SSE2633 Closing remote client connection due to command decode policy: SSH_FXP_INIT, version:0, Reason:unsupported version:6 request due to {1} request

One client that saw this failure was WinSCP.

Resolution: Updated the SSH command decoder to allow the SSH_FXP_INIT specifying SFTP versions of 5 or 6, in addition to 3 and 4, which it already allows. It now returns a SSH_FXP_VERSION of 3 to allow the client to negotiate down rather than disconnecting the session.

RTC140683 (Engine) - Secure+ Timeouts during download of large files

Customer getting timeout messages when transferring large files with Connect:Direct Secure Plus through SSP. If the files take longer than 90 seconds to transfer, the Customer gets such messages as XIPT016I, XSMG621I, XCPS004I, and XSMG605I. The secureproxy log shows

    CSP900E Logged Exception : Did not get buffer in 90000 ms.

A previous fix inserted a timeout on the channels that transfer data from PNODE to SNODE and from SNODE to PNODE. While data was traveling in one direction, the SSP channel that handled data going the other direction timed out waiting for data or an FMH, etc. Workaround is to increase the TCP timeout value in the Advanced tab of the Netmap for the C:D node(s).

Resolution: Changed the code in the SSP C:D channels to ignore the timeout if the transfer is still running.
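
The decoder behaviour described in the resolutions for RTC140686 and RTC140514 above, written out as an added example (this is not SSP code). Packet types and the status code come from the SFTP version 3 draft; the function names, the empty extension set and the sample packets are assumptions made for the illustration.

```python
import struct

# Packet types and status code from the SFTP v3 draft (draft-ietf-secsh-filexfer-02).
SSH_FXP_INIT, SSH_FXP_VERSION = 1, 2
SSH_FXP_STATUS, SSH_FXP_EXTENDED = 101, 200
SSH_FX_OP_UNSUPPORTED = 8

ACCEPTED_CLIENT_VERSIONS = {3, 4, 5, 6}  # versions the release notes say are allowed
SERVER_VERSION = 3                       # version returned in SSH_FXP_VERSION
SUPPORTED_EXTENSIONS = set()             # assumption: this sketch implements none


class ProtocolError(Exception):
    """Raised for malformed packets and for types this example does not cover."""


def frame(ptype, payload):
    """Build a packet: uint32 length (type byte + payload), byte type, payload."""
    return struct.pack(">IB", len(payload) + 1, ptype) + payload


def ssh_string(data):
    """Encode an SSH string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def unframe(packet):
    """Split a packet into (type, body), checking the length field."""
    if len(packet) < 5:
        raise ProtocolError("short packet")
    length, ptype = struct.unpack_from(">IB", packet)
    if length != len(packet) - 4:
        raise ProtocolError("length field does not match packet size")
    return ptype, packet[5:]


def read_uint32(body, off):
    if off + 4 > len(body):
        raise ProtocolError("truncated integer")
    return struct.unpack_from(">I", body, off)[0], off + 4


def read_string(body, off):
    n, off = read_uint32(body, off)
    if off + n > len(body):
        raise ProtocolError("string overruns packet")
    return body[off:off + n], off + n


def handle_packet(packet):
    """Return (reply, keep_open); reply is None when the session is closed."""
    ptype, body = unframe(packet)
    if ptype == SSH_FXP_INIT:
        client_version, _ = read_uint32(body, 0)
        if client_version not in ACCEPTED_CLIENT_VERSIONS:
            return None, False
        # Answer with version 3 so a v4-v6 client can negotiate down.
        return frame(SSH_FXP_VERSION, struct.pack(">I", SERVER_VERSION)), True
    if ptype == SSH_FXP_EXTENDED:
        request_id, off = read_uint32(body, 0)
        name, _ = read_string(body, off)
        if name.decode("utf-8", "replace") not in SUPPORTED_EXTENSIONS:
            # Unknown extension: report it on this request id, keep the session.
            status = (struct.pack(">II", request_id, SSH_FX_OP_UNSUPPORTED)
                      + ssh_string(b"unsupported extended request")
                      + ssh_string(b"en"))
            return frame(SSH_FXP_STATUS, status), True
    raise ProtocolError("packet type %d not handled in this example" % ptype)


def decode_status(reply):
    """Decode an SSH_FXP_STATUS packet into (request_id, code, message)."""
    ptype, body = unframe(reply)
    if ptype != SSH_FXP_STATUS:
        raise ProtocolError("not a status packet")
    request_id, off = read_uint32(body, 0)
    code, off = read_uint32(body, off)
    message, _ = read_string(body, off)
    return request_id, code, message.decode("utf-8")


# Constructed sample packets: a client offering SFTP v6, and an extended
# request (id 7) naming the extension quoted in the RTC140686 log message.
INIT_V6 = frame(SSH_FXP_INIT, struct.pack(">I", 6))
EXTENDED_REQ = frame(SSH_FXP_EXTENDED,
                     struct.pack(">I", 7) + ssh_string(b"file-stat-extended@ssh.com"))

if __name__ == "__main__":
    print(handle_packet(INIT_V6))
    print(decode_status(handle_packet(EXTENDED_REQ)[0]))
```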

RTC140524 (Engine) - CSP900E Logged Exception due to long PCRT value in C:D FMH70

A Connect:Direct Secure Plus session through SSP failed during the initial FMH exchange because the PCRT field added to the FMH70 record caused the zOS SNODE to mis-handle the record and drop the session. When the PCRT field is large, it can cause problems if the SNODE cannot handle the larger FMH70 RU. Study showed that the certificate passed in the PCRT field was not the PNODE certificate at all, which makes it of little value.

Resolution: Turned off adding the "PCRT" breadcrumb to the C:D FMH70 unless the behavior is specifically turned on at the adapter level. The following properties are now the default in the C:D adapter:

    "CDSP|*|BreadCrumbAddress" = "granted" (allows "PRXY" breadcrumbs to be inserted)
    "CDSP|*|BreadCrumbAddressTransparentContent" = "granted" (allows more detail in "PRXY" field)
    "CDSP|*|BreadCrumbAddressPCRT" = "denied" (Do not insert the "PCRT" field)

To continue to send the "PCRT" field, you must add the following property to the C:D adapter Properties tab of the CM GUI:

    "CDSP|*|BreadCrumbAddressPCRT" = "granted"

RTC288193 (CM GUI) - SSP UI tables not displayed under FireFox 9.0.1

Several GUI tables were not being displayed under FireFox 9.0.1.

Resolution: Added corrected table logic to ensure the tables display.

RTC310391 (Engine) - SFTP connections fail when multiple authentication methods defined in netmap

The Customer attempted to define password only authentication for one address in the SSH SFTP netmap and key only authentication for all others, like so:

    Name                     Peer Address Pattern
    Password_Inbound_SFTP    10.20.30.40/32
    KeyOnly_Inbound_SFTP     *

However, no matter which address the remote logged in from, the server required both password and key authentication, so the authentication failed.
Another variation of the problem is if the authentication method is first defined as password AND key, the authentication fails in the same way when dropped back to password OR key. This happens even with only one peer address pattern.

Resolution: Updated the SFTP authentication selection code to first clear the authentication methods for the session and then add them per the values in the netmap.

RTC311930 (Engine) - In FIPS mode, SSP log shows Invalid Key Strength: 512

Customer is running an outbound Connect:Direct Secure+ session with their keys stored in an HSM (Hardware Security Module) device. The transfers work ok until they turn on FIPS mode for the HSM device. Then the sessions fail with an exception in the log, "Invalid Key Strength: 512". The HSM toolkit in the Java Security chain required the export key to be generated with a minimum key length of 1024 bits.

Resolution: Added a new property in the C:D adapter to control the key size of the export key during C:D Secure Plus sessions. The "RsaExportKeySize" property will have a default of 512. To change the key size to 1024, define the property in the C:D adapter:

    RsaExportKeySize = 1024

RTC313461 (Engine) - C:D Session gets MSGCSP057E snode session could not start to intended route, and NullPointerException

Customer is upgrading from SSP 2.x to SSP 3.4 and imported the configuration from SSP 2.x. When running Connect:Direct Secure+ sessions outbound through SSP, they get MSGCSP057E snode session could not start to intended route and a NullPointerException in ProxyServerCDImpl.

Resolution: Corrected an error where a property was attempting to be pulled from a null configuration object. Now catch the error and continue processing.

RTC314325 (Engine, CM) - Unable to import Certificate with wrong Country Code encoding into CM

Customer attempted to import a certificate using the SSP Configuration Manager GUI and got message, Unable to parse certificate.
Further research showed that the certificate was failing on the Country Code, because it had been generated with an ASN1 encoding of UTF8String instead of the required PrintableString.

Resolution: Added a way for the Customer to ignore the check for Illegal encoding on the Country Codes by adding the -DallowIllegalCountryNameEncodings=1 parameter to the java parameters in the CM and engine startup scripts.

RTC314343 (Engine) - Out of memory error during C:D sessions

Customer applied fix RTC140683 for CD sessions and began to get Java Out of Memory errors within 24 hours. Fix RTC140683 did some cleanup on the session tracing, but introduced a problem where a trace buffer was never written and never cleared and grew to over 800MB.

Resolution: Corrected the code that kept the trace buffer from being written and cleared.

RTC315035 (Engine) - HTTP Header size rejected as too large

PMR: 91702,999,000

The Customer attempted to override the HTTP Adapter property httpMaxHeaderFieldLength higher than the default value of 8192, but it always used the default. During sessions where the backend server used cookies which pushed the HTTP header length above 8192, the session would fail with

    SSP154E RequestHeader Line length >= max. length (8,192)

Resolution: Corrected the HTTP adapter to correctly allow overrides to the default values of httpMaxHeaderFieldLength, httpMaxNumHeaderFields, html.rewrite.threads, and html.rewrite.threads.queue.size.

RTC319700 (Engine - PeSIT adapter) - PeSIT messages support and outbound PeSIT node trace have been added.

RTC322562 (Engine) - FTP EPSV and EPRT commands not correctly handled in SSP

When SSP encounters the EPSV (extended passive) or EPRT (extended port) commands from the client, it incorrectly forwards the command to the back end server and echoes the reply to the client.
However, since the port that the back end server listens on is not the same as the port that SSP will listen on, the client is never able to connect to the data channel.

Resolution: Now reject the EPSV and EPRT FTP commands from a client and allow the client to retry with the PASV or PORT command.

RTC322567 (Engine) - SSP aborts session if CDSA sends DSEQ in FM71

When sending a transfer from a Connect:Direct zOS via SSP, the following error message is displayed and the transmission is aborted:

    Exception or other serious error occurred: cvc-complex-type.2.4.a: Invalid content was found starting with element 'DSEQ'. One of '{SBXS, SBLX, DBXS, DBLX, SBFS, ..., etc, ... FRKP, DKYL}' is expected.

The Customer has the Protocol Error Action set to Abort in the SSP C:D Policy, which instructs SSP to validate the FMH and ensure that no invalid keys are passed to the outbound C:D image. The workaround is to set the Protocol Error Action to None, Ignore, or Warn.

Resolution: Updated the XSD schema for the SSP C:D FMH71 to include the following new keys, which have been introduced in recent releases of C:D: DCMS, DRPS, DSEQ, DSQS, DVSV, S21S, SARL, SDTS, SEXT, SRKP, SRKS, SUCN, SUCS. Also updated the XSD schema for the SSP C:D FMH70 to include the following new keys: VRMV, VRMR, VRMM, VRMF, VRMX, VRMS, and SECD.

RTC335861 - SSPCM Patch 2 delivers GA version of war files.

Customer put on SSP 3.4.1.0 patch 2 to get post-GA maintenance for SSPCM. However, when the SSPCM installation completed, the files in the /apps/jetty/webservices/webapps directory were all from the GA release (dated 1/18/2012). The InstallAnywhere image for SSP3410Maint was still being built with the GA versions of SSPDashboard.war and SspJsf.war.

Resolution: Updated the SSP CM Installer to pull the ./apps/jetty/webservices/SSPDashboard.war and SspJsf.war files from the SSP3410Maint staging area instead of the SSP3410 (GA) staging area.

RTC335983 (CM, Engine) - Linux JVM subject to SIGPIPE interrupt.
Customer reported that after installing SSP 3.4.1.0 on their RedHat Linux box and logging onto their CM Gui, the CM died without warning. Found that the IBM JRE that is shipped with SSP contains a bug that makes it vulnerable to a SIGPIPE error causing the JVM to die without warning.

Resolution: Updated the Linux JVM to IBM 1.6.0 SR10 FP1 level, which has a fix for IBM JRE APARs IV02378/IV02379.

RTC330660 (CM, Engine) - Jetty PSIRT Advisory 258 - DOS Hashmap attack

IBM PSIRT Advisory 258 was opened to document a denial of service attack on web servers that use a hashmap to store HTTP request headers.

Resolution: Changed Jetty to limit the number of HTTP parameter keys in a request to a default of 1000. The value can be overridden by specifying -Dorg.eclipse.jetty.server.Request.maxFormKeys on the java startup line in the /bin/startEngine.sh or /bin/startCM.sh scripts.

RTC336420/IC85514 (CM, Engine) - Loop getting "Fast wakeup condition detected"

Customer gets loop in SSP logs showing the following messages.

    WARN com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Fast wakeup condition detected.
    ERROR com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Could not handle fast wakeup condition - java.lang.Error

The bug is due to a Java error seen on IBM's HP and AIX JREs shipped with SSP.

Resolution: Added code to correct the loop and provide better diagnostics when the socket accept error happens. Also updated the IBM JRE shipped with the SSP 3.4.1 server to be at the JRE 6 SR11 level.

RTC336514/IC87275 (CM) - Duplicate SSH public key with different name in Authorized Keystore causes key authentication to fail

If the administrator adds a duplicate SSH public key with a new name to the Authorized User keystore, the error is not found until the user connects and attempts to validate using the key.
Depending on the order of the keys in the keystore, the connection may fail with:

    SSE2621 User key list was not empty and key UserKey2 was not in user key list
    SSE2610 Sessionid xxx Userkey xxx Invalid Logon Attempt, Count 1, ...
    SSE2624 Userid xxx from address xxx failed validation with key fingerprint xx:yy:zz

Resolution: Added a search in the SSH Authorized User Keystore Configuration screen for a duplicate key fingerprint before saving a new key. If a duplicate key is found, a pop-up message is generated indicating which key it is a duplicate of so that the administrator can use that definition instead:

    Specified key finger print xx:yy:zz is already associated with authorized key UserKey2

RTC341834/IC85733 (Engine) - SFTP intermittently not returning the SSH server identification string during session startup

When an SFTP client connects to the SSP SFTP adapter and already specifies an encryption method in its initial key exchange record, SSP does not return the server identification string as its first message to the client. Instead SSP responds with its own SSH key exchange (KEXINIT), which is out of order. The client software disconnects.

Resolution: Updated the SSH Maverick toolkit, which contains the fix to ignore the encryption method if it appears in the first record at SFTP connection time.

RTC347314/IC87274 (CM) - Admin able to add same named C:D node within netmap if name is in mixed case.

Using the SSP configuration GUI for the CD netmap, the administrator is able to add a duplicate node using the same name if they use mixed case.

Resolution: Now use a case-insensitive search for duplicate node names within the CD netmap before saving a new nodename.

RTC347347/IC87266 (CM) - SFTP Post-Authentication Banner Text appears before client authentication

SSP allows the administrator to supply a Pre-Authentication Banner Text and a Post-Authentication Banner Text in the SFTP adapter advanced tab.
However, the pre-authentication banner never appears in a client session, and the post-authentication banner appears prior to the prompt for password on the client session.

The banners are working as designed, but are named relative to server authentication, which comes before client authentication in an SSH session. The pre-authentication text allows the administrator to hide the SSH toolkit name, if desired. The post-server authentication text allows the site to display some legal verbiage on the client screen before they are fully authenticated. The names of the fields on the SFTP adapter advanced tab are updated to reflect the true use of the banners, and the help text will be updated accordingly.

Resolution: Changed the names of the fields on the SFTP adapter advanced tab from "Pre-Authentication Banner Text" to "SSH Server Identification Text" and "Post-Authentication Banner Text" to "Post-Server Authentication Banner Text".

RTC348461/IC86820 (CM, Engine) - SSP on Solaris using 32-bit version of JRE

The Customer upgraded to SSP 3.3.01 on Solaris to get the 64-bit capability, but found that the JRE was only 32-bit. All the scripts to run the product and utilities point to the ./jre/bin/java executable, which is the 32-bit version of the JRE. The 64-bit version of the jre is at ./jre/bin/sparcv9/java.

Workaround: Manually update the SSP/bin/startEngine.sh and startCM.sh scripts to point to the new java location. However, these scripts get rebuilt during each maintenance upgrade.

Resolution: Updated the InstallAnywhere logic for the Solaris platform to properly build the scripts to point to the 64-bit version of the JRE at ./jre/bin/sparcv9/java.

RTC348784/IC86821 (CM, Engine) - Upgrade JRE to IBM Java 6 SR11 level for security audit

The Customer required that products with the IBM JRE 1.6 be at the SR10 FP1 (Feb 2012) maintenance level or greater.

Resolution: Updated the IBM JRE which ships with SSP 3.4.1 to be at the SR11 (August 2012) maintenance level.

RTC350243/IC87276 (CM) - Unable to stop CM with stopCM.sh and no indication why

The Customer ran the stopCM.sh command, but the CM did not come down and no indication was given why. The utility prompted for the system passphrase, admin id and password, then ended with no message. The utility had a deficiency that if the admin userid/password was not correct, it silently ended.

Resolution: Updated the shutdown logic in the utility to return better diagnostics in case of a connection failure or an authentication failure. Also, give positive feedback when the CM has successfully been told to shut down.

RTC350386/IC87277 (CM, Engine) - New idmb2.enc system keyfile not created during upgrade

The new /conf/system/idmb2.enc provides a greater encryption level, and without the new file, the system will not start when running an HSM device. Without HSM, the idmb2.enc file is automatically created during the first system startup after the upgrade.

Resolution: Updated the InstallAnywhere upgrade logic to silently create the idmb2.enc file from the idmb.enc file during an upgrade. If the file is created, it then goes on to update the self-bootstrap file sb.enc with the higher encryption level.

RTC351025/IC87649 (CM, Engine) - SFTP adapter session limits enforced globally rather than at the adapter level.

When multiple SFTP adapters are defined on one engine, each adapter uses the combined active session count of all adapters to determine if its session count is reached. For example if Adapter1 is defined with a max session count of 1 and Adapter2 is defined with a count of 3, if one session starts on Adapter2, no sessions may start on Adapter1. Or if one session starts on Adapter1 and 2 sessions start on Adapter2, a third session will not start on Adapter2.

Resolution: Updated the SSH Maverick toolkit, which contains the fix to correctly handle the session counts between adapters.

RTC354752/IC87654 (Engine) - Unable to authenticate SFTP User with "Password,Publickey" requested in that order

When an SFTP client connects with the Preferred Authentication order of Password, followed by PublicKey, the adapter prompts them for password a second time rather than authenticating their public key. Actually, the SFTP adapter mistakenly changes the authentication to Password,Password,Password,PublicKey, so if the client enters their password three times, the public key authentication will take place and the client will login. If the client uses the order of PublicKey,Password (which is normal), the authentication works.

Resolution: Updated the SSH Maverick toolkit, which contains the fix to correctly handle the password,publickey authentication order.

RTC357923/IC88693 (Engine) - Unable to update a CA Signed certificate on an HSM using the manageCSR -update utility

Client is attempting to update a keycert on their HSM device using the manageCSR utility. However, they get the message,

    Updating key-certificate... ***Fail to parse input stream

The operation which decoded the certificate from Base64 into its binary form was producing garbage, causing the subsequent generateCertificates method to fail.

Resolution: Changed the Base64 class to the Apache version which does a more reliable job of encoding and decoding certificates.

RTC358567/IC88580 (CM) - Allow SSP Configuration Manager to bind to a specific NIC

The Customer runs the CM on a dual-homed system with 2 network interface cards (NICs). Their firewall is configured to only allow traffic out from the secure zone on one of the NICs, but the CM defaults to the other. The Customer needed a way to have the CM bind to the alternate NIC when connecting out to the engine to push a configuration.
Resolution: Added a field to the CM "SSP Engine Configuration" screen called "Local bind address", which allows the administrator to specify the local IP address to bind to when making the connection to the Engine host and port. This optional field allows the local IP address as either a hostname or IP address value. When the screen is saved, the address is checked to make sure it is local to the machine and that it can be connected to. If not, an error message is posted and the configuration is not saved.

RTC358963/IC91239 (Engine) - Update Certicom libraries to fix nCipher HSM private key issues.

Customers running the nCipher Hardware Security Module (HSM) device encountered several issues when storing their private keys in the device.

    CSP900E Logged Exception : The private key material not exportable outside of the HSM

This happens when the HSM private key is the client certificate in a server-client SSL handshake, such as FTP/SSL, HTTPs or Connect:Direct Secure Plus.

Resolution: Worked with our third party security package vendor, Certicom, to correct the interaction with the nCipher HSM.

RTC359203 (Engine,CM) - Enhancement to support an Access Control List (ACL) in the Connect:Direct netmap

The Connect Direct netmap configuration is enhanced to allow the specification of an outbound Access Control List. Nodes in the netmap may be configured with one or more other nodes in the netmap to which they may make an outbound connection. When the ACL feature is enabled, sessions from an inbound node may only connect to one of the nodes in its outbound ACL list.

RTC360308/IC89642 (CM) - Unable to edit the SSL certificates imported via manageKeyCerts.sh

When a new KeyCert is added into a new KeyStore using the manageKeyCerts.sh script, it cannot be edited by the CM GUI. It can be assigned to an adapter and used successfully, but the description cannot be updated in the GUI, for example.

The manageKeyCerts tool was not setting the Format Version and Version Stamp fields when it created the new KeyStore, which caused it to be unusable when edited by the CM.

Resolution: Updated the manageKeyCerts tool to correctly set the Format Version and Version Stamp fields when creating a new key store.

Workaround: Use the manageKeyCerts.sh script with the update option to change the description of the keycert, etc.

RTC363382/IC89593 (Engine) - SSP not sending correct "clientID" value to SEAS user exit for authentication

When running Sterling Secure Proxy (SSP) and using the Sterling External Authentication Server (SEAS) user exit for validation, the "ClientId" variable passed from SSP contains the wrong value. It contains the SSP sessionid, while the SEAS documentation says that it should contain the name of the SSP protocol adapter.

Resolution: Update SSP to correctly pass the protocol adapter name in the ClientID field to SEAS.

RTC367002/IC90711 (CM) - CM Inadequate application error handling

Security scan determined that the Sterling Secure Proxy Configuration Manager may return an error and a Java stack trace to the browser when erroneous input data is entered. An attacker can exploit this to obtain information about the application to design further attacks.

Resolution: Updated the SSP CM to catch errors and suppress the printing of stack traces to the browser so that it doesn't send unnecessary information to a would-be attacker.

RTC367003/IC90712 (CM) - Version information revealed in HTTP header

Security scan revealed that the version of the web server used by SSP CM is displayed in the HTTP header. This gives an attacker a head start in designing an attack specific to that web server version.

Resolution: Updated the SSP CM web server parameters to no longer broadcast the version of the software in the HTTP headers.

RTC367007/ (CM) - CM account lockout not enforced

Provide the ability to lock a CM user account for a number of minutes after a set number of consecutive failed login attempts. Added new parameters in the /conf/system/sysGlobals.xml file which can be changed to invoke the lockout code. The default of 0 allows unlimited failed login attempts: 0 10

RTC367009/IC90714 (CM) - CM application pages do not break out of third party frames

Security scan revealed that Sterling Secure Proxy Configuration Manager pages permit rendering within third party HTML frames. An internal attacker could potentially control elements of the framed pages and obtain unauthorized access to data.

Resolution: Implemented frame options within the SSP CM web pages to keep third party applications from rendering the frames.

RTC367240/IC90704 (CM) - Disable CM autocomplete of password field

Security scan determined that the password field in the SSP Configuration Manager login page should not allow the browser to use the autocomplete function.

Resolution: Corrected the SSP CM Login page to set Autocomplete=false on the password field when the page is initialized.

RTC367921/IC90707 (CM) - CM Set secure attribute in SSL cookies

In some cases, the CM server response did not include the Secure attribute on its cookie. This could potentially allow a client to send data to the server in a non-HTTPS mode.

Resolution: Ensured that every time a session is started to the CM, a cookie is returned with the Secure attribute set.

RTC368508/IC90590 (PS) - Perimeter Server fails to come up after SSP3416 install on Solaris

Customer installed the SSP 3.4.1.6 (3.4.1.0 Patch 6) Perimeter Server on Solaris, which contained the fix for RTC348461, supporting the 64-bit JRE on Solaris. Afterward, the PS would not come up. The following messages were produced:

    Exception in thread "main" java.lang.NoClassDefFoundError: {LOG_FILE}
    Could not find the main class: {LOG_FILE}. Program will exit.

The InstallAnywhere step which updates the startupPs.sh script incorrectly interpreted a large portion of the startup line as a local variable and eliminated it.

Resolution: Updated the InstallAnywhere process to bypass interpreting local variables so that the startup line in the startupPs.sh script would remain intact on the Solaris platform.

RTC368531/IC90460 (Engine) - SSP splits log events written to syslog into 1000 byte chunks

When forwarding SSP log information to syslogd using the syslogd parameters in /bin/log.properties, the messages get split into 1000 byte chunks. This can cause a problem with downstream applications that parse the messages.

Resolution: Added support for a new parameter syslogd.maxmsglength= in the /bin/log.properties file, which overrides the default 1000 byte message length.

RTC368880/IC90731 (Engine) - Error updating HSM password with manageKeyCerts.sh

Customer attempting to update the password on their Hardware Security Module (HSM) device using our utility

    ./manageKeyCerts.sh -updateHsmPass certStore=certStoreName

After supplying the proper credentials, the utility issues the error:

    ***Unexpected exception: java.lang.NullPointerException

Resolution: Added additional checking to make sure that we check for null values in the cert store name and all other variables in the tool.

RTC371378/IC91506 (Engine) - SSP FTP Does not negotiate down to TLS1.0

SSP currently does not support any TLS protocol higher than TLS 1.0. However, when a TLS 1.2 client (e.g. Filezilla) connects and can negotiate down to TLS 1.0, SSP should attempt to do it. Instead it rejects the connection with

    CERTICOM999 [com.certicom.tls.record.handshake.R{1}]Error: None of client suites is enabled on server or ECC ciphersuite curve and/or pointformat does not match.

The SSL toolkit sees the TLS 1.2 extensions included in the CLIENT HELLO message and wrongly tries to match them.

Resolution: Worked with our third party security package vendor, Certicom, to correctly ignore the TLS 1.2 extensions in a CLIENT HELLO and return a SERVER HELLO with a maximum TLS protocol version of 1.0.

RTC373481/IC91900 (Engine) - Timeout during long C:D non-secure transfer

Customer sending large GB+ files over their VPN network via C:D without Secure Plus (non-secure). At seemingly random times during the transfer the transfer times out with

    CSP057E 16 Exception or other serious error occurred: exception in processing Did not get buffer in 90000 ms
    CSP900E Logged Exception : java.io.InterruptedIOException: Did not get buffer in 90000 ms

The timeout was happening on the non-sending side of the channel, and was self-healing if it detected any activity in the session within the last second. In some cases, the one second activity check failed and the transfer timed out.

Resolution: Increased the activity check value during the timeout operation from 1 second to 10 seconds to ensure active transfers will not time out.

RTC374241/IC91863 (CM) - manageCSRs script does not import a certificate into specific keystore

Customer is importing a certificate whose CSR was generated on a netHSM Hardware Security Module using the manageCSRs -create tool. The create operation saves the HSM keystore password and the keycert passphrase in the CSR object until the -update operation is run supplying the signed certificate. The Customer ran the update operation, but got the following:

    Connecting to engine...
    Updating key-certificate on HSM...
    ***SSP0046E Error updating key-certificate: Invalid keystore password.

Resolution: Corrected the engine code to properly send the HSM keystore passphrase when opening the HSM keystore for the first time. Also, renamed the newHsmPassword parm on the manageCSRs -create operation to be hsmPassword since it does not update the HSM keystore password. Also updated setupHsmTool to copy nCipherKM.jar to ./jre/lib/ext in addition to the kmcsp.jar.
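
The version selection described under RTC371378 above, as an added Python example (not SSP or Certicom code): a server limited to TLS 1.0 parses a TLS 1.2 ClientHello, answers with the highest version both sides support, and lets extensions it does not implement take no part in the decision. The function names, the server's suite list and preference order, and the sample ClientHello are constructed for illustration.

```python
import struct

# Assumptions for illustration: TLS 1.0 is both the floor and the ceiling,
# and the server enables three RSA suites in this preference order.
SERVER_MIN = SERVER_MAX = (3, 1)          # wire version 0x0301 = TLS 1.0
SERVER_SUITES = [0x0035, 0x002F, 0x000A]  # RSA with AES256-CBC-SHA, AES128-CBC-SHA, 3DES-EDE-CBC-SHA

def _vec(buf, pos, len_bytes):
    """Read one length-prefixed vector; return (payload, position after it)."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    end = pos + len_bytes + n
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos + len_bytes:end], end

def parse_client_hello(body):
    """Parse a ClientHello handshake body (record and handshake headers removed)."""
    if len(body) < 34:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34                                  # 2 bytes version + 32 bytes random
    _session_id, pos = _vec(body, pos, 1)
    raw_suites, pos = _vec(body, pos, 2)
    _compression, pos = _vec(body, pos, 1)
    suites = [int.from_bytes(raw_suites[i:i + 2], "big")
              for i in range(0, len(raw_suites), 2)]
    extensions = {}
    if pos < len(body):                       # the extensions block is optional
        block, pos = _vec(body, pos, 2)
        p = 0
        while p < len(block):
            ext_type = int.from_bytes(block[p:p + 2], "big")
            extensions[ext_type], p = _vec(block, p + 2, 2)
    return version, suites, extensions

def negotiate(body):
    """Return (version, suite, ignored extension types) for the ServerHello."""
    client_version, suites, extensions = parse_client_hello(body)
    if client_version < SERVER_MIN:
        raise ValueError("client version below server minimum")
    # client_version is the client's maximum: answer with the highest version
    # both sides support instead of rejecting a newer client.
    version = min(client_version, SERVER_MAX)
    suite = next((s for s in SERVER_SUITES if s in suites), None)
    if suite is None:
        raise ValueError("no common cipher suite")
    # This toy server implements no extensions, so none of them is matched.
    return version, suite, sorted(extensions)

def sample_client_hello(suites=(0xC02F, 0x0035, 0x002F)):
    """Constructed TLS 1.2 ClientHello body carrying three common extensions."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in [
        (10, bytes.fromhex("00020017")),   # supported_groups: secp256r1
        (11, bytes.fromhex("0100")),       # ec_point_formats: uncompressed
        (13, bytes.fromhex("00020401")),   # signature_algorithms: RSA PKCS#1 with SHA-256
    ])
    return (bytes([3, 3]) + bytes(32) + b"\x00"       # TLS 1.2, random, empty session id
            + struct.pack(">H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                             # compression: null only
            + struct.pack(">H", len(ext_bytes)) + ext_bytes)

if __name__ == "__main__":
    print(negotiate(sample_client_hello()))
```

A client that offers only suites the server has not enabled still fails with "no common cipher suite", which is the correct outcome; the defect described in the entry was rejecting a client that did share a suite.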

RTC375116/IC91239 (Engine) - Problem setting up secure socket to SEAS

Customers running the nCipher Hardware Security Module (HSM) device encountered several issues after storing their private keys in the device.

    SSE0116E Attempt to secure connection with Pnode failed. Ensure that Pnode is using SSL/TLS and any of the following ciphers: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA].

These conditions were met, but the toolkit terminated the handshake.

Resolution: Worked with our third party security package vendor, Certicom, to correct the interaction with the nCipher HSM.

RTC376904/IC92878 (Engine) - netHSM: Password could not load any cards protecting this key

Customer using an nCipher netHSM Hardware Security Module (HSM device) to store their private keys. The netHSM device requires a password to access the keystore, which may be different than the passphrases of the private keys that are stored on it. The Customer loads keys into the keystore and assigns them passphrases. When the Customer stops and starts the engine, the passphrase for the first keycert that requires the HSM is used to access the netHSM keystore, and generates the error

    java.io.IOException: The password could not load any of the cards protecting this key.

The engine code that opens the HSM keystore was erroneously using the keycert passphrase to open the HSM keystore.

Workaround is to ensure that the first keycert that is loaded from the HSM at engine startup has the same passphrase as the HSM keystore.

Resolution: Corrected the engine code to properly send the HSM keystore passphrase when opening the HSM keystore for the first time.

RTC377424/IC91239 (Engine) - SSP to SSP CD Secure+ authentication fails

Customers running the nCipher Hardware Security Module (HSM) device encountered several issues when storing their private keys in the device.

    FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.

Though the certificate and ciphers in the handshake were valid, the toolkit was terminating the handshake.

Resolution: Worked with our third party security package vendor, Certicom, to correct the interaction with the nCipher HSM.

RTC377430/IC91239 (Engine) - CD z/OS cipher negotiation failure

Customers running the nCipher Hardware Security Module (HSM) device encountered several issues when storing their private keys in the device.

    CSP900E Logged Exception : The private key material not exportable outside of the HSM

This happens when the HSM private key is the client certificate in a server-client SSL handshake, such as FTP/SSL, HTTPS or Connect:Direct Secure Plus.

Resolution: Worked with our third party security package vendor, Certicom, to correct the interaction with the nCipher HSM.

RTC378549/IC94349 (CM/Engine) - CD Netmap TCP/IP Timeout settings not honored

The TCP timeout value from the CD Node/netmap configuration was not part of the Engine configuration pushed by the CM. As a result, when the user set this value, it was not honored by the CD Proxy Adapter. The CD Adapter session timeout was the only one used.

Resolution:
1. Changed the TCP timeout field in the Netmap node advanced tab to either accept a default of "Use Adapter Session timeout" or specify a value in seconds. Changed the CM to push this value as part of the Engine configuration to the SSP Engine.
2. Changed the SSP Engine to use the higher of the Pnode and Snode values when determining when to time out a Connect:Direct session.

Action: Check if you have timeout values coded for your Netmap nodes in your CM, as they will now be used. Change them to "Use Adapter Session timeout" if you want the adapter timeout value to prevail.

RTC379005/IC92734 (Engine) - C:D SNODEID not passed to SEAS when password not supplied;

Customer is validating C:D processes through a SEAS custom exit, comparing the SNODEID to a value in LDAP.

If the C:D process presents an SNODEID without a password, SSP passes the submitter's userid to SEAS instead.

Resolution: Added a property to the SSP C:D adapter to ensure that the SNODEID is passed to the SEAS custom exit even if the submitter does not include the password:

    pass.snodeid.if.supplied yes (or true, case insensitive)

RTC379216/IC92879 (CM) - Unable to access SSP Configuration Manager after change of default password policy

Customer applied SSP3417 and configured a password policy using the CM. The password expired for one of the IDs used to access the CM, and when the user went through the change password screen, it threw an error:

    System Error, Unexpected System Error has occurred. Please sign in again. If the problem persists, contact your system administrator.

The CM log shows an error message

    ERROR com.sterlingcommerce.sspgui.web.filter.SSPDashboardNonceValidationFilter - An invalid system access is detected : /SSPDashboard/faces/changePassword.jsp

SSP3417 introduced security code which passes a nonce back and forth between the client and the web screens. The change password screen did not have the corresponding nonce code. Additionally, when the failure was passed to the unauthorized.jsp screen, it was improperly mixing JSP and JSF calls, resulting in this message in the CM log:

    ERROR /SSPDashboard - org.apache.jasper.JasperException: /unauthorized (36,712) PWC6228: #{...} not allowed in a template text body.

Resolution: Added nonce logic in the change password screen, and updated the nonce filter to include the change password operation. Also updated the unauthorized.jsp code to correctly call JSP and JSF functions.

RTC381368/IC94350 (Engine) - Receiving CSP032E - Invalid content was found starting with element...

Customer getting MSGCSP032E Invalid content was found starting with element 'CPOR' during Connect:Direct session going through SSP. SSP maintains a list of valid KQV (XDR) parms that C:D FMH's can contain.

When a C:D Node sends in an unexpected value, and the SSP C:D policy has a value of Protocol Error Action=Abort, the session will be shut down. If the policy is set to Warn, a lengthy message is emitted with the offending parm and a short dump of the FMH that it was found in:

    CSP031E 16 Invalid protocol message or message key.
    CSP032E 16 cvc-complex-type.2.4.a: Invalid content was found starting with element 'CPOR'. One of '{SBZS, and all the other valid values, etc.}' is expected.
    CSP032E 16 etc.

Resolution: Added the recently reported KQV values to the SSP list to quiet down the log. List includes CKPT to FM71; DARS, DUCN, DUCS, SYP1, SYP2 and TRKP for FM71 CCB; N3DD in FMH72; CPOR, CPOS, LFDN, LTDN, and TNOD in FM74 CTR.

RTC382822/IC94105 (Engine) - SSP Engine Stop Script fails when HSM device is down

The SSP stopEngine script fails during initialization and does not shut down the Engine when HSM is enabled and the associated HSM module is brought down while the engine is running. The following stack trace is emitted:

    Exception in thread "main" java.lang.ExceptionInInitializerError
    at java.lang.J9VMInternals.initialize(J9VMInternals.java:222)
    at org.apache.harmony.security.fortress.Services.getProvidersList
    etc.

Resolution: Changed the logic to use the default Security Provider and algorithm in the stopEngine code, so we are not dependent on the HSM device.

RTC383527/IC94691 (Engine) - C:D transfer with Pacing times out

When Connect:Direct pacing is selected (pacing count especially), large file transmissions fail when Sterling Secure Proxy is in the middle. The pacing response buffer from CDUNIX contains a TCP header length which is 4 bytes higher than expected, which causes SSP to hang.

Resolution: Handle the abnormal size on the pacing response buffer so that the response is sent back to the sending node.

RTC383624/IC94690 (Engine) - Internal perimeter server max concurrent circuits reached: size is: 4096

Session timeout timer is getting an unexpected exception, causing sessions to accumulate. Over several hours, the perimeter server reaches a maximum of 4096 sessions and denies new sessions.

Resolution: Now detect when the session timeout timer gets an exception. Put out an error message in the log and restart the timer so sessions can continue to timeout.

RTC384645/ (Engine) - Dynamic routing in SFTP adapter to a backend server based on Password and/or Key Auth with SEAS

Provide the ability to direct SFTP sessions to any back end server defined in the netmap, rather than just to the standard routing server. The selection is controlled by the Sterling External Authentication Server (SEAS), which returns the "routingNodeName". The SFTP adapter is updated to add 2 new Routing Types: Userid based, Userid based with default fallback.

RTC387779/IC94263 (Engine) - CD adapter startup failure with failover enabled

With SSP3417 applied and the failover.detection.enabled property set in the CD adapter, the adapter gets a failure at startup: java.util.ConcurrentModificationException. The CD netmap contained more than 3 nodes, and there were overlapping iterators, causing the problem.

Resolution: Corrected the overlapping iterators so that the CD adapter could run with failover logic enabled.

RTC390736/ (Engine) - SFTP Adapter failover - not restarting the listener after EA comes backup

When failover is enabled in standard mode, the SFTP adapter listener is stopped if a connection to SEAS fails or if SEAS returns a 200D response code (indicating SEAS can not connect to LDAP). However, when the connection to SEAS is restored, the adapter listener is not being turned back on.

Resolution: Now correctly monitor for the connection to SEAS to be restored in failover mode and restart the listener for the SFTP adapter.

RTC393773/IC95995 (Engine) - Allow SFTP buffer sizes greater than 65535

Customer is using FTP Voyager from Serv-U to connect via a SSP SFTP Adapter to a SI Mailbox back end. While uploads are successful, any attempt to receive a file fails. The client sends a SSH_FXP_READ request with a buffer size of 97280 bytes and SSP closes the session with SSE2621 "Requested buffer is too large" error.

Resolution: Updated the SSP SFTP maximum buffer size to be 256K (262144 bytes).
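
The five CM web hardening fixes in this list (RTC367002, RTC367003, RTC367009, RTC367240, RTC367921) can all be verified from a single HTTP response after the fix is applied. The following is an added Python example, not IBM code: the two responses, the server and cookie names, and the use of the X-Frame-Options header for "frame options" are constructed or assumed for illustration.

```python
import re
from html.parser import HTMLParser

STACK_FRAME = re.compile(r"^\s*at [\w.$]+\([\w.$ ]+(:\d+)?\)", re.M)  # Java stack frame line
VERSION = re.compile(r"\d+\.\d+")                                    # e.g. "Name/1.2.3"

class PasswordFields(HTMLParser):
    """Collect the autocomplete value of every <input type="password">."""
    def __init__(self):
        super().__init__()
        self.autocomplete = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.autocomplete.append((a.get("autocomplete") or "").lower())

def audit(raw_response):
    """Return the RTC ids whose condition is still visible in one HTTP response."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    headers = [(name.strip().lower(), value.strip())
               for name, _, value in (line.partition(":") for line in head.split("\n")[1:])]
    values = lambda wanted: [v for n, v in headers if n == wanted]
    found = []
    if STACK_FRAME.search(body):                              # stack trace sent to the browser
        found.append("RTC367002")
    if any(VERSION.search(v) for v in values("server")):      # server version disclosed
        found.append("RTC367003")
    if not any(v.upper() in ("DENY", "SAMEORIGIN") for v in values("x-frame-options")):
        found.append("RTC367009")                             # page may be framed by a third party
    fields = PasswordFields()
    fields.feed(body)
    # The entry says Autocomplete=false; "off" is the standard HTML value, accept both.
    if any(v not in ("off", "false") for v in fields.autocomplete):
        found.append("RTC367240")
    for cookie in values("set-cookie"):
        if "secure" not in [part.strip().lower() for part in cookie.split(";")[1:]]:
            found.append("RTC367921")                         # cookie lacks the Secure attribute
            break
    return found

# Constructed responses: one showing every condition, one with all five fixes applied.
BEFORE = """HTTP/1.1 500 Internal Server Error
Server: ExampleServer/1.2.3
Set-Cookie: JSESSIONID=abc123; Path=/SSPDashboard
Content-Type: text/html

<html><body><pre>java.lang.NullPointerException
    at com.example.Login.doPost(Login.java:42)
</pre><form><input type="password" name="pw"></form></body></html>
"""
AFTER = """HTTP/1.1 200 OK
Server: ExampleServer
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=abc123; Path=/SSPDashboard; Secure
Content-Type: text/html

<html><body><form><input type="password" name="pw" autocomplete="off"></form></body></html>
"""

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER))
```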