=============================================================================== Maintenance for Sterling External Authentication Server (SEAS) =============================================================================== This cumulative maintenance archive includes GA release of SEAS 2.4.1.0 plus fixes for the issues listed below. Contents: I. Summary of Fixes by Patch/APAR (Latest iFix / FixPack first) II. Detailed Description of Fixes =============================================================================== I. Summary of Fixes by iFix / FixPack /APAR (Latest iFix / FixPack first) =============================================================================== =============================================================================== Fixes for SEAS 2.4.1.2 IFix 6, Build 78 September 2013) =============================================================================== DEFECT / APAR No RTC - Upgrade to IBM JRE1.6 SR14 for latest security fixes RTC396445/ - SEAS GUI - Better notification when timeout occurs RTC392701/IC95188 - Value configured disappears from Match Attribute in SEAS RTC391817/IC95720 - SEAS authentication indicates failure during SFTP transfer =============================================================================== Fixes for SEAS 2.4.1.2 IFix 5, Build 75 (July 2013) =============================================================================== DEFECT / APAR RTC384645/ - Dynamic routing in SFTP adapter to a backend server based on Password and/or Key Auth with SEAS RTC386120/IC94108 - SEAS Session Idle Timeout does not work correctly RTC383961/IC94106 - SEAS Web access only allows a non-secure HTTP connection =============================================================================== Fixes for SEAS 2.4.1.2 IFix 4, Build 64 (June 2013) =============================================================================== DEFECT / APAR RTC366168/IC93055 - SEAS Java Webstart application gets security warning when launched. =============================================================================== Fixes for SEAS 2.4.1.2 IFix 3, Build 63 (May 2013) =============================================================================== DEFECT / APAR RTC373046/IC91512 - (GUI) - Error condition needed when client times out before shutdown =============================================================================== Fixes for SEAS 2.4.1.2 IFix 2, Build 62 (May 2013) =============================================================================== DEFECT / APAR RTC367011/IC90788 - Turn off OS command execution option =============================================================================== Fixes for SEAS 2.4.1.2 IFix 1, Build 61 (March 2013) =============================================================================== DEFECT / APAR RTC368161/IC90709 - Error message information leak RTC355410/IC89579 - Connections are not getting closed and going to CLOSE_WAIT =============================================================================== Fixes for SEAS 2.4.1.0 Patch 2, Build 59 (October 2012) =============================================================================== DEFECT / APAR RTC349165/IC86628 - CRL checking fails after upgrade to SEAS 2.4.1 RTC348784/IC86821 - Upgrade bundled JRE to IBM SR11 (August 2012) level RTC348461/IC86820 - Use 64-bit JRE on Solaris RTC346206/IC86440 - Syntax error in configuration allows users to be authenticated with invalid password RTC336420/IC85514 - Fast wakeup condition detected =============================================================================== Fixes for SEAS 2.4.1.0 Patch 1, Build 54 (August 2012) =============================================================================== RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack. =============================================================================== II. Detailed Description of Fixes (in Defect ascending order) =============================================================================== RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack. IBM internal research detected that Jetty was vulnerable to a type of denial of service (DOS) attack when the number of HTTP header parameters was high (in the tens of thousands). Resolution: Implemented fix from Jetty Eclipse which enforces a maximum number of keys in the HTTP header of 1000. The default can be adjusted by adding the Java system property to the startEngine.sh or startCM.sh startup scripts: -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000 RTC336420/IC85514 - Fast wakeup condition detected Intermittent problem when SEAS attempts to accept a new connection. At that point, SEAS becomes unresponsive and logs fill with the following messages: WARN com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Fast wakeup condition detected. ERROR com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Could not handle fast wakeup condition - java.lang.Error Resolution: Upgraded Java Runtime Environment (JRE) to SR11 maintenance level which includes a fix for the socket accept problem. Also added code to correct the loop condition and give a better reason for why it is happening. RTC346206/IC86440 - Syntax error in configuration allows users to be authenticated with invalid password Misconfigured User DN field in the LDAP Authentication tab of the Secure External Authentication Server allows invalid users and passwords to be authenticated. The Customer supplied an invalid User DN value in the LDAP Authentication tab: "uid=${name},realm=…". But instead of all incoming sessions being rejected, all sessions were authenticated. The following messages in the log showed that there was a syntax error, but the resulting authentication said "true". INFO com.sterlingcommerce.component.authentication.impl.AuthenticationServiceImpl - AUTH064E Exception encountered while evaluating Bind Principal formula: java.lang.IllegalArgumentException: Variable substitution failed for: name. Element not found: name. INFO com.sterlingcommerce.component.dispatcher.XmlConversionFilter - Sending -> AuthenticationResponse(AUTH064E): Correlator - null: detailResponseCode - AUTH100D, type - Auth, authenticated - true Resolution: Corrected the SEAS LDAP Authenticator to correctly set the failed authentication flag when there is a syntax error detected in the configuration. RTC348461/IC86820 - Use 64-bit JRE on Solaris SEAS on Solaris points to the 32-bit JRE, even though the 64-bit JRE is shipped. All the scripts to run the product and utilities point to the ./jre/bin/java executable, which is the 32-bit version of the JRE. The 64-bit version of the jre is at ./jre/bin/sparcv9/java. Workaround: Manually update the SEAS/bin/startSeas.sh script to point to the new java location. However, the script gets rebuilt during any maintenance upgrade. Resolution: Updated the InstallAnywhere logic for the Solaris platform to properly build the scripts to point to the 64-bit version of the JRE at ./jre/bin/sparcv9/java. RTC348784/IC86821 - Upgrade bundled JRE to IBM SR11 (August 2012) level The Customer required that products with the IBM JRE 1.6 be at the SR10 FP1 (Feb 2012) maintenance level or greater. Resolution: Updated the IBM JRE which ships with SSP 3.4.1 to be at the SR11 (August 2012) maintenance level. RTC349165/IC86628 - CRL checking fails after upgrade to SEAS 2.4.1 Getting CERT005E Failed to complete required CRL check when running SEAS 2.4.0 or 2.4.1.0. The SEAS log shows the following events: ERROR CertValidator - CRL Problem 2: Exception processing CRL: MY_CRL: java.lang.IllegalArgumentException: CRL not found for LdapQueryDef (name=MY_CRL): ldaps://10.20.30.40:636/CN=CRL512, O=My Server, C=US?certificateRevocationList?Base ERROR CertValidator - CRL check could not be completed for certificate: CN=etc… ERROR CertValidator - CERT005E Failed to complete required CRL check. Problem 1 of 2: Exception processing crlDistributionPoint: java.lang.IllegalArgumentException: CRL not found for LdapQueryDef(name=null): Found that we were using a null value to initialize a Java NameClassPair, which is no longer allowed in the JRE that ships with the 2.4.x versions of SEAS. It returned a java.lang.IllegalArgumentException and caused the subsequent CRL processing to unwind. Resolution: Corrected the SEAS CRL logic to ensure a non-null value when initializing the NameClassPair. Also added additional diagnostic lines to make some of the hidden parts of the logic easier to follow in debug mode. RTC355410/IC89579 - Connections are not getting closed and going to CLOSE_WAIT Connections to SEAS are not getting closed and are going to CLOSE_WAIT or FIN_WAIT2 status after the SEAS custom exit is getting called. The adapter connections are also not getting released. Resolution: Updated the SEAS exit to use a different socket factory which automatically times out and releases the sockets correctly. RTC366168/IC93055 - SEAS Java Webstart application gets security warning when launched. The SEAS Webstart GUI application gets security warning when it is launched. The jar files which are downloaded when the SEAS Webstart is launched are signed with a self-signed certificate, causing it to get the message at startup: The application's digital signature cannot be verified. Do you want to run the application? Resolution: Now sign all the SEAS jar files with an IBM certificate which is signed by Verisign. Once the Webstart GUI is launched once and the certificate is okayed by the user, the warning does not come up again. RTC368161/IC90709 - Error message information leak During error conditions, IBM Sterling External Authentication Server may allow a malicious internal user to obtain product information which could be used to design further attacks. Resolution: Updated SEAS to validate any path added to the URL against a "white list" of allowed paths, and return a "404 Not Found - An invalid input was submitted to the server" instead of echoing the path. RTC367011/IC90788 - Turn off OS command execution option SEAS allows the administrator to configure an OS command to be run as part of the authentication process. A malicious internal user who has access to the application and who has administration privileges could configure the system to issue arbitrary Operating System commands, which could affect the confidentiality, integrity and availability of the system. Support has no record of any Customer using this feature. Resolution: Removed the option to configure an OS command to be run as part of the authentication process. RTC373046/IC91512 - (GUI) - Error condition needed when client times out before shutdown When the SEAS admin is logged onto the GUI and attempts to shutdown the SEAS when the GUI interface has already timed out, the shutdown process appears successful but does not happen. No messages are returned and the GUI terminates like normal during a normal shutdown. Resolution: Now notify the GUI user that the shutdown was unsuccessful because the user timed out. RTC383961/IC94106 - SEAS Web access only allows a non-secure HTTP connection This is a small enhancement to allow the SEAS Webstart port to be a secure (https) connection. Resolution: Added the capability for the WebStart port (default 9080) to be secured using the same keystore and truststore that the Secure Connection Listener (default port 61366) is configured to use. The SEAS Implementation Guide will be updated with the following instructions: To implement a secure port for Webstart 1) Assumption: You have configured the Secure Connection Listener. If not, follow the instructions in the SEAS: Implementation Guide in Chapter 3 to generate certificates and populate the keystore and truststore. 2) Update the {SEAS_INSTALL}/conf/jetty/JettyConfigDef.xml file with any text editor, and either add or change the httpsEnabled keyword to have a value of true. 9080 localhost / ../conf/jetty/docroot lib ../lib true false 3) Update the {SEAS_INSTALL}/conf/jetty/docroot/webstart/EA_GUI.jnlp file and change the first 2 occurrences of http://seashost:port... to https://seashost:port... 4) Start SEAS 5) Start the webstart by accessing https://seashost:port/ from your web browser where seashost is the host where SEAS is running and port is the configured webstart port (default 9080). RTC386120/IC94108 - SEAS Session Idle Timeout does not work correctly The Idle Session Timeout value, which determines how long to keep idle connections, always uses double the value set. e.g. the 30 minute default yields a 60 minute timeout. The value is set in the GUI under System Settings in the Global tab. Resolution: Corrected the timeout logic to work without waiting for 2 iterations. Also, ensured that the timer was reset after the initial download of GUI information. Workaround: Set the Idle Session Timeout value for half the value expected, or set it to 0 which means no idle session timeout. RTC384645/ - Dynamic routing in SFTP adapter to a backend server based on Password and/or Key Auth with SEAS Provide the ability to direct SFTP sessions to any back end server defined in the netmap, rather than just to the standard routing server. The selection is controlled by the Sterling External Authentication Server (SEAS), which returns the "routingNodeName". RTC391817/IC95720 - SEAS authentication indicates failure during SFTP transfer SEAS server returns "false" in authenticated flag to SSP when the SFTP adapter sends a conversation termination request. Resolution: Now return "true" to the end of conversation request, so that the SFTP server does not get confused. RTC392701/IC95188 - Value configured disappears from Match Attribute in SEAS Customer sets "O={Issuer[O]}/CN={Issuer[CN]}" in the Match Attributes field when setting up a new Certificate Validation profile in the SEAS GUI. When the Customer saved it and viewed it again, the value was gone. Resolution: Changed the logic to correctly handle the substrings in the Match Attributes field so that they do not disappear. RTC396445/ - SEAS GUI - Better notification when timeout occurs Enhancement to the SEAS GUI to detect a timeout disconnect from the SEAS server and present the login screen to allow logging in again.