===============================================================================
Sterling Secure Proxy (SSP) 3.4.00 Patch 6 iFix 4 Maintenance - May 2014
===============================================================================

This maintenance archive includes the GA release of SSP Engine 3.4.0 and
SSP Configuration Manager 3.4.0 plus the fixes for the issues mentioned below.

Contents:
   I. Summary of Fixes by Patch (Latest patch first)
   II. Detailed Description of Fixes


I. Summary of Fixes by Patch (Latest patch first)

===============================================================================
Summary of Fixes for SSP 3.4.0.6 (3.4.00 Patch 6) iFix 5 Build 165 (Sept 2014)
===============================================================================

  No RTC            (Engine,CM)  - Upgrade to IBM JRE1.7 SR7 FP1 for latest
                                   security maintenance

===============================================================================
Summary of Fixes for SSP 3.4.0.6 (3.4.00 Patch 6) iFix 4 Build 161 (May 2014)
===============================================================================

  No RTC            (Engine,CM)  - Upgrade to IBM JRE1.6 SR15 FP1 for latest
                                   security maintenance

===============================================================================
Summary of Fixes for SSP 3.4.0.6 (3.4.00 Patch 6) iFix 3 Build 160 (Sept 2013)
===============================================================================

  No defect                      - Update IBM JRE6 to SR14 level

===============================================================================
Summary of Fixes for SSP 3.4.0.6 (3.4.00 Patch 6) iFix 2 Build 156 (June 2013)
===============================================================================

  RTC379005/IC92734 (Engine)     - C:D SNODEID not passed to SEAS when password
                                   not supplied

  RTC377430/IC91239 (Engine)     - CD z/OS cipher negotiation failure

  RTC377424/IC91239 (Engine)     - SSP to SSP CD Secure+ authentication fails

  RTC376904/IC92878 (Engine)     - netHSM: Password could not be validated

  RTC375116/IC91239 (Engine)     - Problem setting up secure socket to SEAS

  RTC373481/IC91900 (Engine)     - Timeout during long C:D non-secure transfer

  RTC371378/IC91506 (Engine)     - SSP FTP Does not negotiate down to TLS1.0

  RTC367921/IC90707 (CM)         - CM Set secure attribute in SSL cookies

  RTC358963/IC91239 (Engine)     - Update Certicom libraries to fix nCipher
                                   HSM private key issues.


===============================================================================
Summary of Fixes for SSP 3.4.0.6 (3.4.00 Patch 6) iFix 1 Build 153 (May 2013)
===============================================================================

  RTC368508/IC90590 (PS)         - Perimeter Server fails to come up after
                                   SSP3406 install on Solaris

  RTC367240/IC90704 (CM)         - Disable CM autocomplete of password field

  RTC367009/IC90714 (CM)         - CM application pages do not break out of
                                   third party frames

  RTC367003/IC90712 (CM)         - Version information revealed in HTTP header

  RTC367002/IC90711 (CM)         - CM Inadequate application error handling


===============================================================================
Summary of Fixes for SSP 3.4.0.0 Patch 6 Build 150 (November 2012)
===============================================================================

  RTC336420/IC85514 (CM, Engine) - Loop getting "Fast wakeup condition detected"

  RTC336514/IC87275 (CM)         - Duplicate SSH public key with different name
                                   in Authorized Keystore causes key
                                   authentication to fail

  RTC341834/IC85733 (Engine)     - SFTP intermittently not returning the SSH
                                   server identification string during session
                                   startup

  RTC347314/IC87274 (CM)         - Admin able to add same named C:D node within
                                   netmap if name is in mixed case.

  RTC347347/IC87266 (CM)         - SFTP Post-Authentication Banner Text appears
                                   before client authentication

  RTC348461/IC86820 (CM, Engine) - SSP on Solaris using 32-bit version of JRE

  RTC350243/IC87276 (CM)         - Unable to stop CM with stopCM.sh and no
                                   indication why

  RTC351025/IC87649 (CM, Engine) - SFTP adapter session limits enforced globally
                                   rather than at the adapter level.

  RTC354752/IC87654 (Engine)     - Unable to authenticate SFTP User with
                                   "Password,Publickey" requested in that order

===============================================================================
Summary of Fixes for SSP 3.4.00 Patch 5 Build 148 (August 2012)
===============================================================================

  RTC330660 (CM, Engine) - Jetty PSIRT Advisory 258 - DOS Hashmap attack

===============================================================================
Summary of Fixes for SSP 3.4.0 Patch 4 Build 147 (May 2012)
Fixes are marked as Engine, CM (Configuration Manager), and GUI (Admin GUI)
===============================================================================

  RTC103849 (CM - Installation) - SSPCM will not start after upgrade if
                        dfltKeyStore.xml file is missing

  RTC288193 (CM GUI)  - SSP UI tables not displayed under FireFox 9.0.1

  RTC315035 (Engine)  - HTTP Header size rejected as too large

  RTC321975 (CM - Installation) - SSPCM will not start after upgrade from SSP 3.2

  RTC322562 (Engine)  - FTP EPSV and EPRT commands not correctly handled in SSP

  RTC322567 (Engine)  - SSP aborts session if CDSA sends DSEQ in FM71


================================================================================
Summary of Fixes for SSP 3.4.0 Patch 3 Build 146 (March 2012)
  Full descriptions below.
  Fixes are marked as Engine, CM (Configuration Manager), and GUI (Admin GUI)
================================================================================

  RTC319700 (Engine - PeSIT adapter)  - PeSIT messages support and outbound
                        PeSIT node trace have been added.


================================================================================
Summary of Fixes for SSP 3.4.0 Patch 2 Build 145 (February 2012)
  Full descriptions below.
  Fixes are marked as Engine, CM (Configuration Manager), and GUI (Admin GUI)
================================================================================

  RTC140648 (Engine)  - Correctly load the Step Permission values from the
                        PNODE policy for each new CD session.

  RTC140686 (Engine)  - Tectia SSH sftpg3 command line client unable to connect
                        to SSP

  RTC140514 (Engine)  - SFTP Adapter rejects sessions specifying SFTP protocol
                        5 or 6.

  RTC140683 (Engine)  - Secure+ Timeouts during download of large files

  RTC140524 (Engine)  - CSP900E Logged Exception due to long PCRT value in
                        C:D FMH70

  RTC310391 (Engine)  - SFTP connections fail when multiple authentication
                        methods defined in netmap

  RTC311930 (Engine)  - In FIPS mode, SSP log shows Invalid Key Strength: 512

  RTC313461 (Engine)  - C:D Session gets MSGCSP057E snode session could not
                        start to intended route, and NullPointerException

  RTC314325 (Engine,CM) - Unable to import Certificate with wrong Country Code
                        encoding into CM

  RTC314343 (Engine)  - Out of memory error during C:D sessions


================================================================================
Summary of Fixes for SSP 3.4.0 Patch 1 Build 142 (October 2011)
  Full descriptions below.
  Fixes are marked as Engine, CM (Configuration Manager), and GUI (Admin GUI)
================================================================================

  QC18890 (GUI)       - Correct Sort by ID functionality

  QC18998 (Engine)    - Display the user specified Login Banner if present

  QC19167 (Engine)    - Error connecting to SSP SSH/SFTP proxy adapter with
                        Axway client

  QC19343 (CM, GUI)   - Disallow duplicate routing names for a key in the same
                        key store

  QC19364 (Engine)    - Unable to transfer files via FTP with specific key
                        words in filename (e.g. "port")

  QC19425 (Engine,CM) - Ensure status of adapter is displayed correctly after
                        failure

  QC19443 (Engine,CM) - Some internal connections fail when CM and engine
                        configured for SSLv3

  QC19521 (CM, GUI)   - Unable to import some key certificates from Certificate
                        Wizard.

  QC19557 (Engine)    - Intermittent SFTP transfer failures due to rekey issue

  QC19579 (GUI)       - Require selecting a local SSH key store before
                        selecting a key from the store

  QC19604 (Engine)    - SSP adding "?c=n" at the end of external URI
                        redirection


II. Detailed Description of Fixes

===============================================================================
Detailed Descriptions of Fixes (in ascending fix order)
  Fixes are marked as Engine, CM (Configuration Manager), and GUI (Admin GUI)
===============================================================================

  QC18890 (GUI) - Correct Sort by ID functionality

      The Sort by Name functionality in the User Store was dropped in 3.3.01.

      Resolution: Corrected the User Store table element to allow sorting by
      Name.

  QC18998 (Engine) - Display the user specified Login Banner if present

      The user specified Login Banner for an FTP adapter was not being displayed
      when the policy option was set to No Auth at SSP and Passthru to the
      backend.

      Resolution: Changed to always display the user specified Login Banner text
      if present, even when policy is set to No Auth and Passthru.

  QC19167 (Engine) - Error connecting to SSP SSH/SFTP proxy adapter with
                        Axway client

      Remotes running a version of the Axway SSH/SFTP client were experiencing
      problems after connecting to the SSP SFTP adapter. The SFTP adapter was
      expecting the client to provide the SSH_FXP_REALPATH command before any
      other command after the SSH_FXP_INIT.  The Axway client was not supplying
      the REALPATH command.

      Resolution: Updated the SFTP adapter to relax the requirement for the
      client to send the SSH_FXP_REALPATH command before any other command
      after the SSH_FXP_INIT is received at session startup.

  QC19343 (CM, GUI) - Disallow duplicate routing names for a key in the same
                        key store

      The same Routing Name value was being allowed for multiple keys in the
      same SSH Local User Keystore.

      Resolution: Disallow duplicate routing names for a key in the same key
      store

  QC19364 (Engine) - Unable to transfer files via FTP with specific key
                        words in filename

      When attempting to upload a file with the characters "PORT" or "PASV"
      embedded in the filename using the FTP protocol, the operation was
      rejected with the message
           SSP170E Error PASV response from Server - 125 Data connection
                   already open; transfer starting.

      Resolution: Updated the Command handler to only look at the beginning of
      the command buffer for the keywords "PASV" or "PORT".  A command such as
      "STOR filename.PORT.txt" is therefore no longer treated as a PORT command.

  QC19425 (Engine,CM) - Ensure status of adapter is displayed correctly after
                        failure

      When failover.detection.enabled = true in the adapter and the outbound
      server could not be reached, the adapter stopped listening on the inbound
      side.  However, in some cases, the CM monitoring screen stayed "green",
      when it should have been "yellow".

      Resolution: Corrected code that starts and stops the listener ensuring
      that the status sent to CM matches the actual listener status.

  QC19443 (Engine,CM) - Some internal connections fail when CM and engine
                        configured for SSLv3

      After using configureCmSsl and configureEngineSsl scripts to change
      the security protocol to SSLv3, the GUI session can fail along with the
      secure connection to the engine.

      Resolution: Updated the SSPDashboard to push all SSL parameters that are
      used to connect to the CM server to the ConfigContent module so that
      all parts are in sync.

  QC19521 (CM, GUI) - Unable to import some key certificates from Certificate
                        Wizard.

      Key certificates encrypted with a passphrase other than "password" could
      not be imported into the CM System Key Store. The null string was being
      used during the verification which caused the verification to fail.

      Resolution: Retrieve and use the user provided passphrase when verifying
      the keyCert.

  QC19557 (Engine) - Intermittent SFTP transfer failures due to rekey issue

      When transferring large files, the SFTP adapter occasionally failed with
      re-key issues.  On the back-end SI, the following error indicated a 
      re-key problem:
         An exception occurred in writeFile. java.io.IOException:
           seek 326713344 not supported with cursor 326610944.

      Resolution: Upgraded the maverick-all.jar (J2SSH) from 1.4.21 to 1.4.33.
      It includes a fix for intermittent file transfer failures due to re-key
      issues.

  QC19579 (GUI) - Require selecting a local SSH key store before selecting a
                        key from the store

      In the SFTP outbound node configuration, CM allowed a key to be selected
      without first selecting the local user key store.  When CM then pushed
      that configuration to the engine, the SSP Engine was unable to load the
      key and use it.

      Resolution: Require selecting a local SSH key store before selecting a
      key from the store.

  QC19604 (Engine) - SSP adding "?c=n" at the end of external URI redirection

      SSP added extra characters (such as ?c=5 or ?c=6) when redirecting to
      the URL specified in the External Application Login URL field of an SSO
      configuration.

      Resolution: Now only add this query parameter when it is being used for
      an internal portal.

  RTC140648 (Engine)  - Correctly load the Step Permission values from the
                        PNODE policy for each new CD session.

      A CD policy is pushed to the engine with Step Permissions:RunTasks set to
      true.  The policy is successfully used by a process several times.
      Another process runs on the adapter using a netmap/policy with RunTasks
      set to false.  When the first process runs again, it fails with
         CSP057E 16 Exception or other serious error occurred: exception in
           processing runtask policy prevents runtask from proceeding
      The CD configuration manager was not resetting the Step Permission
      defaults at session start time. It only subtracted permissions when a
      policy used false values for RunTask, RunJob, Submit or Copy, so the
      whole adapter kept using false values until a policy was pushed again.
      Workaround: Ensure all policies you reference use a true value for the
      Step Permissions.

      Resolution: Corrected the CD Configuration manager to accurately load the
      Step Permission values from the PNODE policy for each new CD session.

  RTC140686 (Engine)  - Tectia SSH sftpg3 command line client unable to connect
                        to SSP

      When using the Tectia sftpg3 command line client to connect to an SSH
      adapter on SSP, the session terminates immediately after authentication.
      The logs show that the SSH_FXP_EXTENDED feature file-stat-extended@ssh.com
      was rejected:
        SSE2633 Closing remote client connection due to command decode policy:
           SSH_FXP_EXTENDED, version:3, Reason:invalid extended request:
           file-stat-extended@ssh.com request  due to {1} request
      Per the SFTP protocol, even though the feature is not supported, the
      session should not be terminated.

      Resolution: Updated the SSH command decoder to return a SSH_FXP_STATUS 
      code rather than disconnecting the session.

  RTC140514 (Engine)  - SFTP Adapter rejects sessions specifying SFTP protocol
                        5 or 6.

      SFTP Clients that connect specifying SFTP protocol version 5 or 6 are
      rejected by SSP, even if the client is capable of negotiating down to 
      version 3.  SSP logs the following messages and closes the connection:
        SSE2621 unsupported sftp protocol version:6
        SSE2633 Closing remote client connection due to command decode policy:
            SSH_FXP_INIT, version:0, Reason:unsupported version:6 request  due
            to {1} request
      One client that saw this failure was WinSCP.

      Resolution: Updated the SSH command decoder to allow the SSH_FXP_INIT 
      specifying SFTP versions of 5 or 6, in addition to 3 and 4, which it 
      already allows.  It now returns a SSH_FXP_VERSION of 3 to allow the client
      to negotiate down rather than disconnecting the session.
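      As an added illustration of the version handling described above (this is
      not SSP code; the packet layout follows the SFTP draft, where the server
      answers SSH_FXP_INIT with the lower of the two versions), a small decoder
      showing the pre-fix and post-fix behaviour side by side:

```python
import struct

SSH_FXP_INIT = 1       # client's first SFTP packet, carries its protocol version
SSH_FXP_VERSION = 2    # server reply, carries the version the session will use
SERVER_VERSION = 3     # the version the adapter actually implements

# Versions the decoder accepts in SSH_FXP_INIT.  Before the fix only 3 and 4
# were allowed; after it 5 and 6 are accepted and negotiated down to 3.
VERSIONS_BEFORE_FIX = {3, 4}
VERSIONS_AFTER_FIX = {3, 4, 5, 6}


def encode_packet(ptype, payload):
    """SFTP framing: uint32 length (of type byte + payload), byte type, payload."""
    body = bytes([ptype]) + payload
    return struct.pack(">I", len(body)) + body


def build_init(client_version):
    """The SSH_FXP_INIT a client sends; used here only to construct test input."""
    return encode_packet(SSH_FXP_INIT, struct.pack(">I", client_version))


def decode_packet(data):
    """Split one framed packet into (type, payload), rejecting short or truncated input."""
    if len(data) < 5:
        raise ValueError("packet shorter than length + type")
    (length,) = struct.unpack(">I", data[:4])
    if length < 1 or len(data) < 4 + length:
        raise ValueError("truncated packet")
    return data[4], data[5:4 + length]


def handle_init(data, accepted=VERSIONS_AFTER_FIX):
    """Decide the server's response to the first packet of a session.

    Returns ("reply", <SSH_FXP_VERSION bytes>) when the client version is
    acceptable, or ("close", <reason>) mirroring the SSE2621 'unsupported
    sftp protocol version' log line quoted above."""
    ptype, payload = decode_packet(data)
    if ptype != SSH_FXP_INIT:
        return ("close", "first packet must be SSH_FXP_INIT")
    if len(payload) < 4:
        return ("close", "SSH_FXP_INIT missing version field")
    (client_version,) = struct.unpack(">I", payload[:4])
    if client_version not in accepted:
        return ("close", "unsupported sftp protocol version:%d" % client_version)
    # Negotiate down: the session runs at the lower of the two versions.
    agreed = min(SERVER_VERSION, client_version)
    return ("reply", encode_packet(SSH_FXP_VERSION, struct.pack(">I", agreed)))


def negotiated_version(reply):
    """Extract the version from an SSH_FXP_VERSION reply (helper for checks)."""
    ptype, payload = decode_packet(reply)
    if ptype != SSH_FXP_VERSION:
        raise ValueError("not an SSH_FXP_VERSION packet")
    return struct.unpack(">I", payload[:4])[0]
```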

  RTC140683 (Engine)  - Secure+ Timeouts during download of large files

      The Customer was getting timeout messages when transferring large files
      with Connect:Direct Secure Plus through SSP. If the files took longer
      than 90 seconds to transfer, the Customer saw messages such as XIPT016I,
      XSMG621I, XCPS004I, and XSMG605I.  The secureproxy log showed
         CSP900E Logged Exception : Did not get buffer in 90000 ms.
      A previous fix inserted a timeout on the channels that transfer data from
      PNODE to SNODE and from SNODE to PNODE.  While data was traveling in one
      direction, the SSP channel handling data in the other direction timed
      out waiting for data, an FMH, etc.
      Workaround: Increase the TCP timeout value in the Advanced tab of the
      Netmap for the C:D node(s).

      Resolution: Changed the code in the SSP C:D channels to ignore the 
      timeout if the transfer is still running.

  RTC140524 (Engine)  - CSP900E Logged Exception due to long PCRT value in 
                        C:D FMH70

      A Connect:Direct Secure Plus session through SSP failed during the
      initial FMH exchange because the PCRT field added to the FMH70 record
      caused the zOS SNODE to mishandle the record and drop the session.
      When the PCRT field is large, it can cause problems if the SNODE cannot
      handle the larger FMH70 RU.  Study showed that the certificate passed in
      the PCRT field was not the PNODE certificate at all, which makes it of
      little value.

      Resolution: Turned off adding the "PCRT" breadcrumb to the C:D FMH70
      unless the behavior is specifically turned on at the adapter level.
      The following properties are now the default in the C:D adapter:
        "CDSP|*|BreadCrumbAddress" = "granted"
                                       (allows "PRXY" breadcrumbs to be inserted)
        "CDSP|*|BreadCrumbAddressTransparentContent" = "granted"
                                       (allows more detail in the "PRXY" field)
        "CDSP|*|BreadCrumbAddressPCRT" = "denied"
                                       (do not insert the "PCRT" field)
      To continue to send the "PCRT" field, you must add the following property
      to the C:D adapter Properties tab of the CM GUI:
        "CDSP|*|BreadCrumbAddressPCRT" = "granted"

  RTC310391 (Engine)  - SFTP connections fail when multiple authentication
                        methods defined in netmap

      The Customer attempted to define password only authentication for one
      address in the SSH SFTP netmap and key only authentication for all
      others, like so:
          Name                    Peer Address Pattern
          Password_Inbound_SFTP   10.20.30.40/32
          KeyOnly_Inbound_SFTP    *
      However, no matter which address the remote logged in from, the server
      required both password and key authentication, so the authentication
      failed.
      Another variation of the problem is if the authentication method is first
      defined as password AND key, the authentication fails in the same way
      when dropped back to password OR key. This happens even with only one
      peer address pattern.

      Resolution: Updated the SFTP authentication selection code to first clear
      the authentication methods for the session and then add them per the 
      values in the netmap.
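      To make the pre-fix and post-fix selection logic concrete, an added
      example (not SSP code) that models the netmap above with the ipaddress
      module; the mapping from each entry to its required methods, first-match
      ordering, and the session sequence are assumptions:

```python
import ipaddress

# Constructed netmap modelled on the page's example: (name, peer address
# pattern, authentication methods that entry requires).  First match wins.
NETMAP = [
    ("Password_Inbound_SFTP", "10.20.30.40/32", {"password"}),
    ("KeyOnly_Inbound_SFTP", "*", {"publickey"}),
]


def match_netmap_entry(peer_ip, netmap=NETMAP):
    """Return (name, methods) of the first netmap entry whose pattern covers peer_ip."""
    ip = ipaddress.ip_address(peer_ip)
    for name, pattern, methods in netmap:
        if pattern == "*" or ip in ipaddress.ip_network(pattern, strict=False):
            return name, methods
    raise LookupError("no netmap entry for %s" % peer_ip)


class AuthSelectorBeforeFix:
    """Pre-fix behaviour: the adapter-wide method set is only ever added to,
    so once both entries have been hit every session needs password AND key."""

    def __init__(self):
        self.methods = set()

    def select(self, peer_ip):
        _, required = match_netmap_entry(peer_ip)
        self.methods |= required
        return frozenset(self.methods)


class AuthSelectorAfterFix:
    """Post-fix behaviour: clear the session's methods first, then add only
    the ones the matching netmap entry lists."""

    def __init__(self):
        self.methods = set()

    def select(self, peer_ip):
        self.methods.clear()
        _, required = match_netmap_entry(peer_ip)
        self.methods |= required
        return frozenset(self.methods)


def run_sessions(selector, peers):
    """Apply a sequence of connecting peers; return the method set each session got."""
    return [selector.select(p) for p in peers]
```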

  RTC311930 (Engine)  - In FIPS mode, SSP log shows Invalid Key Strength: 512

      The Customer is running an outbound Connect:Direct Secure+ session with
      their keys stored in an HSM (Hardware Security Module) device. The
      transfers work until they turn on FIPS mode for the HSM device.  Then
      the sessions fail with an exception in the log, "Invalid Key Strength:
      512".  The HSM toolkit in the Java Security chain requires the export
      key to be generated with a minimum key length of 1024 bits.

      Resolution: Added a new property in the C:D adapter to control the key
      size of the export key during C:D Secure Plus sessions. The
      "RsaExportKeySize" property has a default of 512.  To change the key
      size to 1024, define the property in the C:D adapter:
        RsaExportKeySize = 1024

  RTC313461 (Engine)  - C:D Session gets MSGCSP057E snode session could not
                        start to intended route, and NullPointerException

      Customer is upgrading from SSP 2.x to SSP 3.4 and imported the
      configuration from SSP 2.x. When running Connect:Direct Secure+
      sessions outbound through SSP, they get
         MSGCSP057E snode session could not start to intended route
      and a NullPointerException in ProxyServerCDImpl.

      Resolution: Corrected an error where a property was attempting to
      be pulled from a null configuration object. Now catch the error and
      continue processing.

  RTC314325 (Engine,CM) - Unable to import Certificate with wrong Country Code
                        encoding into CM

      The Customer attempted to import a certificate using the SSP Configuration
      Manager GUI and got the message "Unable to parse certificate".  Further
      research showed that the certificate was failing on the Country Code,
      because it had been generated with an ASN.1 encoding of UTF8String
      instead of the required PrintableString.

      Resolution: Added a way for the Customer to ignore the check for
      illegal encoding on the Country Codes by adding the
      -DallowIllegalCountryNameEncodings=1 parameter to the java parameters
      in the CM and engine startup scripts.

  RTC314343 (Engine)  - Out of memory error during C:D sessions

      Customer applied fix RTC140683 for CD sessions and began to get Java
      Out of Memory errors within 24 hours. Fix RTC140683 did some cleanup on
      the session tracing, but introduced a problem where a trace buffer was
      never written and never cleared and grew to over 800MB.

      Resolution: Corrected the code that kept the trace buffer from being
      written and cleared.

  RTC319700 (Engine - PeSIT adapter)  - PeSIT messages support and outbound
      PeSIT node trace have been added.

  RTC103849 (CM - Installation) - SSPCM will not start after upgrade if
      dfltKeyStore.xml file is missing

      The Customer had created a new System Certificate Store using the CM and
      deleted the one entitled dfltKeyStore.  The Customer upgraded the CM, and
      the installation process laid down a new dfltKeyStore.xml file which was 
      not encrypted.  When the CM tried to decrypt the file to read it, the 
      result was garbage and the CM failed to come up.  The workaround was to 
      delete the /conf/configurator/keyStore/dfltKeyStore.xml after the upgrade
      and start the CM.

      Resolution: Updated the SSP CM Installer to NOT lay down a fresh copy of
      the following files during an upgrade. The files are added during a new
      install only.
        ./conf/configurator/keyStore/dfltCMTrustStore.xml
        ./conf/configurator/keyStore/dfltCMKeyStore.xml
        ./conf/configurator/keyStore/dfltKeyStore.xml
        ./conf/configurator/keyStore/dfltTrustStore.xml
        ./conf/configurator/pwdPolicy/defPasswordPolicy.xml
        ./conf/configurator/userStore/defUserStore.xml
        ./conf/system/defSslInfo.xml
        ./conf/system/defTrustStore.xml

  RTC288193 (CM GUI)  - SSP UI tables not displayed under FireFox 9.0.1

      Several GUI tables were not being displayed under FireFox 9.0.1.

      Resolution: Added corrected table logic to ensure the tables display.

  RTC315035 (Engine)  - HTTP Header size rejected as too large

      The Customer attempted to override the HTTP Adapter property
      httpMaxHeaderFieldLength to a value higher than the default of 8192, but
      the adapter always used the default.  During sessions where the backend
      server used cookies that pushed the HTTP header length above 8192, the
      session would fail with
        SSP154E RequestHeader Line length >= max. length (8,192)

      Resolution: Corrected the HTTP adapter to correctly allow overrides to
      the default values of httpMaxHeaderFieldLength, httpMaxNumHeaderFields,
      html.rewrite.threads, and html.rewrite.threads.queue.size.

  RTC321975 (CM - Installation) - SSPCM will not start after upgrade from SSP 3.2
 
      The Customer attempted to upgrade the CM from SSP 3.2 to SSP 3.4. The CM
      failed to come up and the cms.log contained
        WARN org.eclipse.jetty.util.log - Failed startup of context WebAppContext
        java.util.zip.ZipException: invalid entry size (expected 2343829512 but
           got 19513 bytes)
        * * *
        ERROR com.sterlingcommerce.hadrian.system.ServiceManagerImpl - Startup
           did not succeed. Terminating.

      Resolution: Updated the SSP CM Installer to remove the
      ./apps/jetty/webservices/webapps/SSPDashboard and SspJsf directories
      during the pre-install portion of an upgrade. The directories are
      repopulated during the install.

  RTC322562 (Engine)  - FTP EPSV and EPRT commands not correctly handled in SSP

      When SSP encounters the EPSV (extended passive) or EPRT (extended port)
      commands from the client, it incorrectly forwards the command to the back
      end server and echoes the reply to the client. However, since the port
      that the back end server listens on is not the same as the port that SSP
      will listen on, the client is never able to connect to the data channel.

      Resolution: Now reject the EPSV and EPRT FTP commands from a client and
      allow the client to retry with the PASV or PORT command.
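      An added example (not the product's command handler) covering both
      QC19364 above, where PORT/PASV were matched anywhere in the command
      buffer, and the EPSV/EPRT rejection described here; the reply text for
      the rejection is an assumption, since the page only says the commands are
      rejected:

```python
# Commands whose reply carries a data-channel address the proxy must own.
ADDR_COMMANDS = ("PORT", "PASV")
# RFC 2428 extended forms the proxy does not translate; the client retries
# with PORT or PASV after the rejection.
EXTENDED_ADDR_COMMANDS = ("EPRT", "EPSV")


def command_verb(line):
    """FTP verb = first whitespace-separated token of the control line, case-insensitive."""
    stripped = line.strip()
    return stripped.split(None, 1)[0].upper() if stripped else ""


def is_addr_command_before_fix(line):
    """Pre-fix check: keyword anywhere in the buffer, so a filename containing
    PORT or PASV (e.g. STOR filename.PORT.txt) triggered the data-channel path."""
    upper = line.upper()
    return any(keyword in upper for keyword in ADDR_COMMANDS)


def is_addr_command_after_fix(line):
    """Post-fix check: only the command verb at the start of the buffer counts."""
    return command_verb(line) in ADDR_COMMANDS


def handle_control_line(line):
    """Route one client control-channel line.

    Returns (action, detail):
      ("data_channel", verb)  proxy handles PORT/PASV itself
      ("reject", reply)       proxy answers EPSV/EPRT without forwarding
      ("forward", line)       everything else goes to the backend server"""
    verb = command_verb(line)
    if verb in ADDR_COMMANDS:
        return ("data_channel", verb)
    if verb in EXTENDED_ADDR_COMMANDS:
        # Assumed reply; 502 is the standard "command not implemented" code.
        return ("reject", "502 %s not supported by proxy; use PORT or PASV" % verb)
    return ("forward", line.strip())
```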

  RTC322567 (Engine)  - SSP aborts session if CDSA sends DSEQ in FM71

      When sending a transfer from a Connect:Direct zOS via SSP, the following
      error message is displayed and the transmission is aborted:
         Exception or other serious error occurred:  cvc-complex-type.2.4.a:
         Invalid content was found starting with element 'DSEQ'. One of '{SBXS,
         SBLX, DBXS, DBLX, SBFS, ..., etc, ...    FRKP, DKYL}' is expected.
      The Customer has the Protocol Error Action set to Abort in the SSP C:D
      Policy, which instructs SSP to validate the FMH and ensure that no
      invalid keys are passed to the outbound C:D image. The workaround is to
      set the Protocol Error Action to None, Ignore, or Warn.

  RTC330660 (CM, Engine) - Jetty PSIRT Advisory 258 - DOS Hashmap attack

      IBM PSIRT Advisory 258 was opened to document a denial of service attack
      on web servers that use a hashmap to store HTTP request headers.   

      Resolution: Changed Jetty to limit the number of HTTP parameter keys in
      a request to a default of 1000. The value can be overridden by specifying
      -Dorg.eclipse.jetty.server.Request.maxFormKeys on the java startup line
      in the <SSP>/bin/startEngine.sh or <SSPcm>/bin/startCM.sh scripts.

  RTC336420/IC85514 (CM, Engine) - Loop getting "Fast wakeup condition detected"
  
      The Customer gets a loop in the SSP logs showing the following messages.
         WARN  com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl
             - Fast wakeup condition detected.
         ERROR com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl
             - Could not handle fast wakeup condition - java.lang.Error
      The bug is due to a Java error seen on the IBM HP and AIX JREs shipped
      with SSP.

      Resolution: Added code to correct the loop and provide better diagnostics
      when the socket accept error happens. Also updated the IBM JRE shipped 
      with the SSP 3.4.0 server to be at the JRE 6 SR11 level.

  RTC336514/IC87275 (CM)         - Duplicate SSH public key with different name
                                   in Authorized Keystore causes key 
                                   authentication to fail

      If the administrator adds a duplicate SSH public key with a new name to
      the Authorized User keystore, the error is not found until the user
      connects and attempts to validate using the key.  Depending on the order
      of the keys in the keystore, the connection may fail with:
         SSE2621 User key list was not empty and key UserKey2 was not in user
                 key list
         SSE2610 Sessionid xxx Userkey xxx Invalid Logon Attempt, Count 1, ...
         SSE2624 Userid xxx from address xxx failed validation with key
                 fingerprint xx:yy:zz

      Resolution: Added a search in the SSH Authorized User Keystore
      Configuration screen for a duplicate key fingerprint before saving a new
      key.  If a duplicate key is found, a pop-up message is generated
      indicating which key it is a duplicate of so that the administrator can
      use that definition instead:
         Specified key finger print xx:yy:zz is already associated with
                 authorized key UserKey2

  RTC341834/IC85733 (Engine)     - SFTP intermittently not returning the SSH 
                                   server identification string during session startup

      When an SFTP client connects to the SSP SFTP adapter and already specifies
      an encryption method in its initial key exchange record, SSP does not
      return the server identification string as its first message to the
      client. Instead SSP responds with its own SSH key exchange (KEXINIT),
      which is out of order.  The client software disconnects.

      Resolution: Updated the Maverick SFTP toolkit, which contains the fix to
      ignore the encryption method if it appears in the first record at SFTP
      connection time.


  RTC347314/IC87274 (CM)         - Admin able to add same named C:D node within
                                   netmap if name is in mixed case.

      Using the SSP configuration GUI for the CD netmap, the administrator is 
      able to add a duplicate node using the same name if they use mixed case.

      Resolution: Now use a case-insensitive search for duplicate node names 
      within the CD netmap before saving a new nodename.

  RTC347347/IC87266 (CM)         - SFTP Post-Authentication Banner Text appears
                                   before client authentication

      SSP allows the administrator to supply a Pre-Authentication Banner Text 
      and a Post-Authentication Banner Text in the SFTP adapter advanced tab.  
      However, the pre-authentication banner never appears in a client session, 
      and the post-authentication banner appears prior to the prompt for 
      password on the client session.
      The banners are working as designed, but are named relative to server 
      authentication, which comes before client authentication in an SSH 
      session.  The pre-authentication text allows the administrator to hide 
      the SSH toolkit name, if desired.  The post-server authentication text 
      allows the site to display some legal verbiage on the client screen before
      they are fully authenticated. The names of the fields on the SFTP adapter 
      advanced tab are updated to reflect the true use of the banners, and
      the help text will be updated accordingly.

      Resolution: Changed the names of the fields on the SFTP adapter advanced
      tab from
         "Pre-Authentication Banner Text" to "SSH Server Identification Text"
      and
         "Post-Authentication Banner Text" to "Post-Server Authentication Banner
         Text".

  RTC348461/IC86820 (CM, Engine) - SSP on Solaris using 32-bit version of JRE
  
      The Customer upgraded to SSP 3.3.01 on Solaris to get 64-bit
      capability, but found that the JRE was only 32-bit. All the scripts that
      run the product and utilities point to the ./jre/bin/java executable,
      which is the 32-bit version of the JRE.  The 64-bit version of the JRE
      is at ./jre/bin/sparcv9/java.
      Workaround: Manually update the SSP/bin/startEngine.sh and startCM.sh
      scripts to point to the 64-bit java location.  However, these scripts
      are rebuilt during each maintenance upgrade.

      Resolution: Updated the InstallAnywhere logic for the Solaris platform 
      to properly build the scripts to point to the 64-bit version of the JRE
      at ./jre/bin/sparcv9/java.

  RTC350243/IC87276 (CM)         - Unable to stop CM with stopCM.sh and no
                                   indication why

      The Customer ran the stopCM.sh command, but the CM did not come down and 
      no indication was given why. The utility prompted for the system 
      passphrase, admin id and password, then ended with no message.  The 
      utility had a deficiency: if the admin userid/password was not
      correct, it silently ended.

      Resolution: Updated the shutdown logic in the utility to return better 
      diagnostics in case of a connection failure or an authentication failure.
      Also, give positive feedback when the CM has successfully been told to 
      shut down.

  RTC351025/IC87649 (CM, Engine) - SFTP adapter session limits enforced globally
                                   rather than at the adapter level.

      When multiple SFTP adapters are defined on one engine, each adapter uses 
      the combined active session count of all adapters to determine if its 
      session count is reached.  For example if Adapter1 is defined with a max 
      session count of 1 and Adapter2 is defined with a count of 3, if one 
      session starts on Adapter2, no sessions may start on Adapter 1. Or if one
      session starts on Adapter1 and 2 sessions start on Adapter2, a third 
      session will not start on Adapter2.

      Resolution: Updated the Maverick SFTP toolkit, which contains the fix to 
      correctly handle the session counts between adapters.

  RTC354752/IC87654 (Engine)     - Unable to authenticate SFTP User with
                                   "Password,Publickey" requested in that order

      When an SFTP client connects with the Preferred Authentication order of 
      Password, followed by PublicKey, the adapter prompts them for password a
      second time rather than authenticating their public key.  Actually, the 
      SFTP adapter mistakenly changes the authentication to 
      Password,Password,Password,PublicKey, so if the client enters their 
      password three times, the public key authentication will take place and
      the client will login.  If the client uses the order of 
      PublicKey,Password (which is normal), the authentication works.

      Resolution: Updated the Maverick SFTP toolkit, which contains the fix to 
      correctly handle the password,publickey authentication order. 

  RTC358963/IC91239 (Engine)     - Update Certicom libraries to fix nCipher
                                   HSM private key issues.

      Customers running the nCipher Hardware Security Module (HSM) device
      encountered several issues when storing their private keys in the
      device.
         CSP900E Logged Exception : The private key material not exportable 
         outside of the HSM - happens when the HSM private key is the
         client certificate in a server-client SSL handshake, such as 
         FTP/SSL, HTTPS or Connect:Direct Secure Plus.

      Resolution: Worked with our third party security package vendor,
      Certicom, to correct the interaction with the nCipher HSM.

  RTC367002/IC90711 (CM)         - CM Inadequate application error handling

      Security scan determined that the Sterling Secure Proxy Configuration 
      Manager may return an error and a java stack trace to the browser when 
      erroneous input data is entered. An attacker can exploit this to obtain 
      information about the application to design further attacks.
      
      Resolution: Updated the SSP CM to catch errors and suppress the printing
      of stack traces to the browser so that it doesn't send unnecessary 
      information to a would-be attacker.

  RTC367003/IC90712 (CM)         - Version information revealed in HTTP header

      Security scan revealed that the version of the web server used by SSP CM
      is displayed in the HTTP header. This gives an attacker a head start in 
      designing an attack specific to that web server version.

      Resolution: Updated the SSP CM web server parameters to no longer 
      broadcast the version of the software in the HTTP headers.

  RTC367009/IC90714 (CM)         - CM application pages do not break out of
                                   third party frames
      
      Security scan revealed that Sterling Secure Proxy Configuration Manager
      pages permit rendering within third party HTML frames.  An internal 
      attacker could potentially control elements of the framed pages and 
      obtain unauthorized access to data.

      Resolution: Implemented frame options within the SSP CM web pages to 
      keep third party applications from rendering the frames.

  RTC367240/IC90704 (CM)         - Disable CM autocomplete of password field

      Security scan determined that the password field in the SSP Configuration
      Manager login page should not allow the browser to use the autocomplete 
      function.

      Resolution: Corrected the SSP CM Login page to set Autocomplete=false 
      on the password field when the page is initialized.

  RTC367921/IC90707 (CM)         - CM Set secure attribute in SSL cookies

      In some cases, the CM server response did not include the Secure
      attribute on its cookie. This could potentially allow a client to send
      data to the server in a non-HTTPS mode.

      Resolution: Ensured that every time a session is started to the CM, a
      cookie is returned with the Secure attribute set.
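      The five CM scan findings above (stack traces, version in the Server
      header, framing, password autocomplete, cookie Secure attribute) can be
      re-checked against a response. Added Python example, not SSP code: it
      assumes the standard X-Frame-Options header and Secure cookie attribute,
      and the sample responses are constructed.

```python
"""Audit an HTTP response for the CM scan findings listed above (added example)."""
import re
from http.cookies import SimpleCookie

# Constructed sample responses, not captured from a real SSP CM.
WEAK_HEADERS = {"Server": "Apache-Coyote/1.1",                        # version disclosed
                "Set-Cookie": "JSESSIONID=abc123; Path=/; HttpOnly"}  # no Secure flag
WEAK_BODY = """<html><body>
<input type="password" name="password">
<pre>java.lang.NullPointerException
    at com.example.Foo.bar(Foo.java:42)</pre>
</body></html>"""
HARDENED_HEADERS = {"Server": "Apache",                             # product only
                    "Set-Cookie": "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
                    "X-Frame-Options": "SAMEORIGIN"}
HARDENED_BODY = """<html><body>
<input type="password" name="password" autocomplete="off">
<p>An error occurred. Contact your administrator.</p>
</body></html>"""

def audit_response(headers, body):
    """Return the RTC ids from the notes above whose finding still applies."""
    findings = []
    # RTC367002: a java stack trace ("at pkg.Class.method(Class.java:NN)") reaches the browser
    if re.search(r"\bat [\w$.]+\([\w$]+\.java:\d+\)", body):
        findings.append("RTC367002")
    # RTC367003: a version number is broadcast in the Server header
    if re.search(r"\d+\.\d+", headers.get("Server", "")):
        findings.append("RTC367003")
    # RTC367009: framing by third-party pages is not restricted
    if headers.get("X-Frame-Options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("RTC367009")
    # RTC367240: password field lets the browser autocomplete it
    for tag in re.findall(r"<input[^>]*>", body, re.I):
        if re.search(r'type\s*=\s*"?password', tag, re.I) and \
           not re.search(r'autocomplete\s*=\s*"?(off|false)', tag, re.I):
            findings.append("RTC367240")
            break
    # RTC367921: a session cookie is set without the Secure attribute
    jar = SimpleCookie()
    jar.load(headers.get("Set-Cookie", ""))
    if any(not m["secure"] for m in jar.values()):
        findings.append("RTC367921")
    return findings
```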

  RTC368508/IC90590 (PS)         - Perimeter Server fails to come up after
                                   SSP3406 install on Solaris

      Customer installed the SSP 3.4.0.6 (3.4.0.0 Patch 6) Perimeter Server
      on Solaris, which contained the fix for RTC348461, supporting the 64-bit
      JRE on Solaris. Afterward, the PS would not come up.  The following 
      messages were produced:
        Exception in thread "main" java.lang.NoClassDefFoundError: {LOG_FILE}
        Could not find the main class: {LOG_FILE}. Program will exit.
      The InstallAnywhere step which updates the startupPs.sh script 
      incorrectly interpreted a large portion of the startup line as a local
      variable and eliminated it. 

      Resolution: Updated the InstallAnywhere process to bypass interpreting
      local variables so that the startup line in the startupPs.sh script would
      remain intact on the Solaris platform.

  RTC371378/IC91506 (Engine)     - SSP FTP Does not negotiate down to TLS1.0

      SSP currently does not support any TLS protocol higher than TLS 1.0.
      However, when a TLS 1.2 client (e.g. FileZilla) connects and can negotiate
      down to TLS 1.0, SSP should attempt to do so.  Instead it rejects the 
      connection with
          CERTICOM999 [com.certicom.tls.record.handshake.R{1}]Error:
          None of client suites is enabled on server or ECC ciphersuite
          curve and/or pointformat does not match.
      The SSL toolkit sees the TLS 1.2 extensions included in the CLIENT HELLO
      message and wrongly tries to match them.

      Resolution: Worked with our third party security package vendor,
      Certicom, to correctly ignore the TLS 1.2 extensions in a CLIENT HELLO
      and return a SERVER HELLO with a maximum TLS protocol version of 1.0.
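      The negotiation the fix describes, as an added Python example (not
      Certicom or SSP code): parse a constructed TLS 1.2 CLIENT HELLO, skip
      its extensions instead of trying to match them, and answer with the
      lower of the client's version and the server's maximum (3,1 = TLS 1.0).
      Extension types 13 and 10 are the IANA numbers for signature_algorithms
      and supported_groups; the cipher suite 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA.

```python
"""Choose the SERVER HELLO version for a CLIENT HELLO while ignoring unknown
TLS 1.2 extensions, as the fix above describes (added example)."""
import struct

def build_client_hello(version, extensions):
    """Construct a minimal TLS record carrying a ClientHello (test data only)."""
    ext_body = b"".join(struct.pack("!HH", etype, len(data)) + data
                        for etype, data in extensions)
    body = (struct.pack("!BB", *version) + b"\x00" * 32      # client_version, random
            + b"\x00"                                        # empty session id
            + struct.pack("!H", 2) + b"\x00\x2f"             # one suite: AES128-SHA
            + b"\x01\x00"                                    # null compression only
            + struct.pack("!H", len(ext_body)) + ext_body)   # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record layer header

def negotiate_version(record, server_max=(3, 1)):
    """Return (chosen_version, extension_types_ignored) for a ClientHello record."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello"
    body = record[9:]
    client_version = (body[0], body[1])
    pos = 2 + 32                                         # skip version and random
    pos += 1 + body[pos]                                 # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                 # compression methods
    ignored = []
    if pos < len(body):                                  # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ignored.append(etype)                        # skipped, not matched
            pos += 4 + elen
    # Highest version both sides support; unknown extensions are not a failure.
    return min(client_version, server_max), ignored

# Constructed TLS 1.2 ClientHello carrying signature_algorithms (13) and
# supported_groups (10) extensions, as a modern client would send.
TLS12_HELLO = build_client_hello((3, 3), [(13, b"\x00\x02\x04\x01"),
                                          (10, b"\x00\x02\x00\x17")])
```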

  RTC373481/IC91900 (Engine)     - Timeout during long C:D non-secure transfer

      The Customer was sending large (GB+) files over their VPN network via C:D
      without Secure Plus (non-secure). At seemingly random times during the
      transfer, the transfer timed out with
         CSP057E 16 Exception or other serious error occurred:  exception in 
            processing Did not get buffer in 90000 ms
         CSP900E Logged Exception : java.io.InterruptedIOException: Did not 
            get buffer in 90000 ms
      The timeout was happening on the non-sending side of the channel, and
      was self-healing if it detected any activity in the session within the
      last second.  In some cases, the one second activity check failed and 
      the transfer timed out.

      Resolution: Increased the activity check value during the timeout 
      operation from 1 second to 10 seconds to ensure active transfers will
      not time out.

  RTC375116/IC91239 (Engine)     - Problem setting up secure socket to SEAS

      Customers running the nCipher Hardware Security Module (HSM) device
      encountered several issues after storing their private keys in the
      device.
         SSE0116E Attempt to secure connection with Pnode failed. Ensure that
         Pnode is using SSL/TLS and any of the following ciphers:
         [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
          TLS_RSA_WITH_3DES_EDE_CBC_SHA]. These conditions were met, but
         the toolkit terminated the handshake.

      Resolution: Worked with our third party security package vendor,
      Certicom, to correct the interaction with the nCipher HSM.

  RTC376904/IC92878 (Engine)     - netHSM: Password could not load any
                                   cards protecting this key

      The Customer uses an nCipher netHSM Hardware Security Module (HSM) device
      to store their private keys. The netHSM device requires a password to
      access the keystore, which may be different than the passphrases of the
      private keys that are stored on it.  The Customer loads keys into the
      keystore and assigns them passphrases. When the Customer stops and
      starts the engine, the passphrase for the first keycert that requires
      the HSM is used to access the netHSM keystore, and generates the error
         java.io.IOException: The password could not load any of the cards
         protecting this key.
      The engine code that opens the HSM keystore was erroneously using the 
      keycert passphrase to open the HSM keystore.
      Workaround is to ensure that the first keycert that is loaded from
      the HSM at engine startup has the same passphrase as the HSM keystore.

      Resolution: Corrected the engine code to properly send the HSM keystore
      passphrase when opening the HSM keystore for the first time.

  RTC377424/IC91239 (Engine)     - SSP to SSP CD Secure+ authentication fails

      Customers running the nCipher Hardware Security Module (HSM) device
      encountered several issues when storing their private keys in the
      device.
          FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate
          was received. Though the certificate and ciphers in the handshake
          were valid, the toolkit was terminating the handshake.

      Resolution: Worked with our third party security package vendor,
      Certicom, to correct the interaction with the nCipher HSM.

  RTC377430/IC91239 (Engine)     - CD z/OS cipher negotiation failure

      Customers running the nCipher Hardware Security Module (HSM) device
      encountered several issues when storing their private keys in the
      device.
         CSP900E Logged Exception : The private key material not exportable 
         outside of the HSM - happens when the HSM private key is the
         client certificate in a server-client SSL handshake, such as 
         FTP/SSL, HTTPS or Connect:Direct Secure Plus.

      Resolution: Worked with our third party security package vendor,
      Certicom, to correct the interaction with the nCipher HSM.

  RTC379005/IC92734 (Engine)     - C:D SNODEID not passed to SEAS when password
                                   not supplied

      Customer is validating C:D processes through a SEAS custom exit, comparing
      the SNODEID to a value in LDAP. If the C:D process presents an SNODEID
      without a password, SSP passes the submitter's userid to SEAS instead.

      Resolution: Added a property to the SSP C:D adapter to ensure that the
      SNODEID is passed to the SEAS custom exit even if the submitter does
      not include the password:
         pass.snodeid.if.supplied  yes  (or true, case insensitive)