===============================================================================
Maintenance for Sterling External Authentication Server (SEAS) 2.4.1.8
===============================================================================
This cumulative maintenance archive includes the GA release of SEAS 2.4.1.8 plus
fixes for the issues listed below.
Contents:
I. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
II. Detailed Description of Fixes
===============================================================================
I. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
===============================================================================
===============================================================================
Fixes for SEAS 2.4.1.8 (2.4.1.0 Fixpack 8) IFix 3, Build 13 (September 2014)
===============================================================================
DEFECT / APAR
No Defect/ - Upgrade to IBM JRE 1.7 SR7 FP1
===============================================================================
Fixes for SEAS 2.4.1.8 (2.4.1.0 Fixpack 8) IFix 2, Build 11 (August 2014)
===============================================================================
DEFECT / APAR
RTC433967/ - Leftover GSSAPI Authentication Method in GUI
===============================================================================
Fixes for SEAS 2.4.1.8 (2.4.1.0 Fixpack 8) IFix 1, Build 10 (July 2014)
===============================================================================
DEFECT / APAR
RTC432417/IT03062 - SEAS getting java.lang.OutOfMemoryError: Java heap space
===============================================================================
Fixes for SEAS 2.4.1.8 (2.4.1.0 Fixpack 8) Build 09 (May 2014)
===============================================================================
Note: Please see the Release Notes for more information on this fixpack.
http://pic.dhe.ibm.com/infocenter/seas/v2r4m1/index.jsp
DEFECT / APAR
Enhancement - Add LDAP authentication of Administrative users
Enhancement - Support admin specified requirements for passwords
Enhancement - Lockout user after an admin specified number of failed
attempts for an admin specified amount of time
Enhancement - Support Windows 2012
===============================================================================
Fixes for SEAS 2.4.1.2 (2.4.1.0 Fixpack 2) IFix 7, Build 86 (April 2014)
===============================================================================
DEFECT / APAR
RTC413417/IT00308 - SEAS not encrypting passphrase correctly during install.
Uses local JRE instead of supplied JRE.
RTC413269/IC99677 - SEAS using obsoleted Kerberos function to change password
from SSO Login Portal.
===============================================================================
Fixes for SEAS 2.4.1.2 IFix 6 Plus, Build 80 (November 2013)
===============================================================================
DEFECT / APAR
RTC403111/IC97765 - Audit conversation ids do not match
RTC418004/IT00896 - Unable to launch Webstart GUI from browser after
Java 7 U51 update
===============================================================================
Fixes for SEAS 2.4.1.2 IFix 6, Build 78 (September 2013)
===============================================================================
DEFECT / APAR
PSIRT 1050 - Upgrade to IBM JRE 1.6 SR14 for latest security fixes
RTC396445/ - SEAS GUI - Better notification when timeout occurs
RTC392701/IC95188 - Value configured disappears from Match Attribute in SEAS
RTC391817/IC95720 - SEAS authentication indicates failure during SFTP transfer
===============================================================================
Fixes for SEAS 2.4.1.2 IFix 5, Build 75 (July 2013)
===============================================================================
DEFECT / APAR
RTC384645/ - Dynamic routing in SFTP adapter to a backend server
based on Password and/or Key Auth with SEAS
RTC386120/IC94108 - SEAS Session Idle Timeout does not work correctly
RTC383961/IC94106 - SEAS Web access only allows a non-secure HTTP connection
===============================================================================
Fixes for SEAS 2.4.1.2 IFix 4, Build 64 (June 2013)
===============================================================================
DEFECT / APAR
RTC366168/IC93055 - SEAS Java Webstart application gets security warning when
launched.
===============================================================================
Fixes for SEAS 2.4.1.2 IFix 3, Build 63 (May 2013)
===============================================================================
DEFECT / APAR
RTC373046/IC91512 - (GUI) - Error condition needed when client times out
before shutdown
===============================================================================
Fixes for SEAS 2.4.1.2 IFix 2, Build 62 (May 2013)
===============================================================================
DEFECT / APAR
RTC367011/IC90788 - Turn off OS command execution option
===============================================================================
Fixes for SEAS 2.4.1.2 IFix 1, Build 61 (March 2013)
===============================================================================
DEFECT / APAR
RTC368161/IC90709 - Error message information leak
RTC355410/IC89579 - Connections are not getting closed and going to CLOSE_WAIT
===============================================================================
Fixes for SEAS 2.4.1.0 Patch 2, Build 59 (October 2012)
===============================================================================
DEFECT / APAR
RTC349165/IC86628 - CRL checking fails after upgrade to SEAS 2.4.1
RTC348784/IC86821 - Upgrade bundled JRE to IBM SR11 (August 2012) level
RTC348461/IC86820 - Use 64-bit JRE on Solaris
RTC346206/IC86440 - Syntax error in configuration allows users to be
authenticated with invalid password
RTC336420/IC85514 - Fast wakeup condition detected
===============================================================================
Fixes for SEAS 2.4.1.0 Patch 1, Build 54 (August 2012)
===============================================================================
RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.
===============================================================================
II. Detailed Description of Fixes (in Defect ascending order)
===============================================================================
RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.
IBM internal research detected that Jetty was vulnerable to a type of
denial of service (DOS) attack when the number of HTTP header parameters
was high (in the tens of thousands).
Resolution: Implemented fix from Jetty Eclipse which enforces a maximum
number of keys in the HTTP header of 1000. The default can be adjusted
by adding the Java system property to the startEngine.sh or startCM.sh
startup scripts:
-Dorg.eclipse.jetty.server.Request.maxFormKeys=2000
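The cap described above, as an added illustration that is not Jetty or SEAS code: a small Python form-body parser that refuses a request once it carries more than a configurable number of parameters. The count is checked while parsing, so an oversized body is rejected before the large hash table that a collision-based denial of service relies on is ever built. The default of 1000 mirrors the figure in the note; the parser, handler and sample bodies are constructed here.

```python
from urllib.parse import unquote_plus

# Default modelled on the maxFormKeys figure named in the note above.
# Constructed example; it is not the Jetty implementation.
DEFAULT_MAX_FORM_KEYS = 1000


class TooManyFormKeys(ValueError):
    """Raised when a request body carries more form keys than allowed."""


def parse_form_body(body: str, max_keys: int = DEFAULT_MAX_FORM_KEYS) -> dict:
    """Parse an application/x-www-form-urlencoded body into {name: [values]}.

    The key count is checked as each pair is read, before the pair is
    inserted, so the dictionary never grows past the cap and the request
    is rejected without doing the work the attacker is trying to cause.
    """
    params: dict[str, list[str]] = {}
    seen = 0
    for pair in body.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_keys:
            raise TooManyFormKeys(
                f"form body exceeds {max_keys} keys; rejecting request")
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def handle_request(body: str, max_keys: int = DEFAULT_MAX_FORM_KEYS) -> tuple:
    """Return (HTTP status, reason) the way a hardened handler would."""
    try:
        params = parse_form_body(body, max_keys)
    except TooManyFormKeys as exc:
        # Fail fast with a client error; nothing from the body is retained.
        return 400, str(exc)
    return 200, f"{len(params)} parameter(s) accepted"


if __name__ == "__main__":
    # Constructed bodies: a normal login form and one with 1001 keys.
    print(handle_request("user=alice&role=admin"))
    oversized = "&".join(f"k{i}=v" for i in range(1001))
    print(handle_request(oversized))
    print(handle_request(oversized, max_keys=2000))
```

Raising the limit (the equivalent of the -D property in the note) only widens the window; the durable protection is that the check happens before insertion.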
RTC336420/IC85514 - Fast wakeup condition detected
Intermittent problem when SEAS attempts to accept a new connection. At
that point, SEAS becomes unresponsive and logs fill with the following
messages:
WARN com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl -
Fast wakeup condition detected.
ERROR com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl -
Could not handle fast wakeup condition - java.lang.Error
Resolution: Upgraded Java Runtime Environment (JRE) to SR11 maintenance
level which includes a fix for the socket accept problem. Also added
code to correct the loop condition and give a better reason for why it
is happening.
RTC346206/IC86440 - Syntax error in configuration allows users to be
authenticated with invalid password
A misconfigured User DN field in the LDAP Authentication tab of the Sterling
External Authentication Server allows invalid users and passwords to be
authenticated.
The Customer supplied an invalid User DN value in the LDAP Authentication
tab: "uid=${name},realm=…". But instead of all incoming sessions being
rejected, all sessions were authenticated. The following messages in the
log showed that there was a syntax error, but the resulting
authentication said "true".
INFO com.sterlingcommerce.component.authentication.impl.AuthenticationServiceImpl
- AUTH064E Exception encountered while evaluating Bind Principal
formula: java.lang.IllegalArgumentException: Variable substitution
failed for: name. Element not found: name.
INFO com.sterlingcommerce.component.dispatcher.XmlConversionFilter
- Sending -> AuthenticationResponse(AUTH064E): Correlator - null:
detailResponseCode - AUTH100D, type - Auth, authenticated - true
Resolution: Corrected the SEAS LDAP Authenticator to correctly set the
failed authentication flag when there is a syntax error detected in the
configuration.
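The failure mode above, fail-open on an exception during formula evaluation, in a small Python model that is not SEAS code: substitute() expands ${var} references from the request and raises when a variable is missing, and the two authenticate functions show a flag that starts true and is never cleared on the exception path, beside the corrected version that starts false and is set true only by a successful bind. The directory, bind function, request dictionaries and message strings are constructed for the example.

```python
import hmac
import re
from dataclasses import dataclass, field

# Constructed model of the "Bind Principal formula" path; not SEAS code.
# A formula such as "uid=${name},ou=people,o=example" is expanded from the
# attributes of the incoming authentication request before the LDAP bind.
_VAR = re.compile(r"\$\{(\w+)\}")

# Constructed directory standing in for the LDAP server.
_DIRECTORY = {"uid=alice,ou=people,o=example": "s3cret"}


class SubstitutionError(ValueError):
    """The formula references a variable the request did not supply."""


def substitute(formula: str, request: dict) -> str:
    """Expand ${var} references; a missing variable is a hard error."""
    def repl(match):
        key = match.group(1)
        if key not in request:
            raise SubstitutionError(
                f"Variable substitution failed for: {key}. Element not found: {key}.")
        return request[key]
    return _VAR.sub(repl, formula)


def ldap_bind(dn: str, password: str) -> bool:
    """Stand-in for the simple bind against the constructed directory."""
    stored = _DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)


@dataclass
class AuthResponse:
    authenticated: bool
    messages: list = field(default_factory=list)


def authenticate_fail_open(formula: str, request: dict) -> AuthResponse:
    """BEFORE: the flag starts true and is cleared only when the bind fails.

    An exception while evaluating the formula jumps over the bind, so the
    flag is never cleared and the response still says authenticated=true.
    """
    response = AuthResponse(authenticated=True)
    try:
        dn = substitute(formula, request)
        if not ldap_bind(dn, request.get("password", "")):
            response.authenticated = False
            response.messages.append("bind rejected")
    except SubstitutionError as exc:
        # Logged (AUTH064E in the note) but the flag is left untouched.
        response.messages.append(f"AUTH064E {exc}")
    return response


def authenticate_fail_closed(formula: str, request: dict) -> AuthResponse:
    """AFTER: every path that does not complete a successful bind fails."""
    response = AuthResponse(authenticated=False)
    try:
        dn = substitute(formula, request)
    except SubstitutionError as exc:
        response.messages.append(f"AUTH064E {exc}")
        return response
    if ldap_bind(dn, request.get("password", "")):
        response.authenticated = True
    else:
        response.messages.append("bind rejected")
    return response


if __name__ == "__main__":
    formula = "uid=${name},ou=people,o=example"
    # Constructed request that lacks the 'name' attribute the formula needs.
    request = {"password": "s3cret"}
    print("fail-open  :", authenticate_fail_open(formula, request))
    print("fail-closed:", authenticate_fail_closed(formula, request))
```

The general rule the fix applies: the authenticated flag should be the last thing set, and only by the code path that verified the credential; initialising it to true and relying on later code to clear it turns any unexpected exception into an accept.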
RTC348461/IC86820 - Use 64-bit JRE on Solaris
SEAS on Solaris points to the 32-bit JRE, even though the 64-bit JRE is
shipped. All the scripts to run the product and utilities point to the
./jre/bin/java executable, which is the 32-bit version of the JRE. The
64-bit version of the jre is at ./jre/bin/sparcv9/java.
Workaround: Manually update the SEAS/bin/startSeas.sh script to point to
the new java location. However, the script gets rebuilt during any
maintenance upgrade.
Resolution: Updated the InstallAnywhere logic for the Solaris platform
to properly build the scripts to point to the 64-bit version of the JRE
at ./jre/bin/sparcv9/java.
RTC348784/IC86821 - Upgrade bundled JRE to IBM SR11 (August 2012) level
The Customer required that products with the IBM JRE 1.6 be at the
SR10 FP1 (Feb 2012) maintenance level or greater.
Resolution: Updated the IBM JRE which ships with SSP 3.4.1 to be at the
SR11 (August 2012) maintenance level.
RTC349165/IC86628 - CRL checking fails after upgrade to SEAS 2.4.1
Getting CERT005E Failed to complete required CRL check when running
SEAS 2.4.0 or 2.4.1.0. The SEAS log shows the following events:
ERROR CertValidator - CRL Problem 2: Exception processing CRL: MY_CRL:
java.lang.IllegalArgumentException: CRL not found for LdapQueryDef
(name=MY_CRL): ldaps://10.20.30.40:636/CN=CRL512, O=My Server,
C=US?certificateRevocationList?Base
ERROR CertValidator - CRL check could not be completed for
certificate: CN=etc…
ERROR CertValidator - CERT005E Failed to complete required CRL check.
Problem 1 of 2: Exception processing crlDistributionPoint:
java.lang.IllegalArgumentException: CRL not found for
LdapQueryDef(name=null):
Found that we were using a null value to initialize a Java NameClassPair,
which is no longer allowed in the JRE that ships with the 2.4.x versions
of SEAS. It returned a java.lang.IllegalArgumentException and caused
the subsequent CRL processing to unwind.
Resolution: Corrected the SEAS CRL logic to ensure a non-null value when
initializing the NameClassPair. Also added additional diagnostic lines
to make some of the hidden parts of the logic easier to follow in debug
mode.
RTC355410/IC89579 - Connections are not getting closed and going to
CLOSE_WAIT
Connections to SEAS are not getting closed and are going to CLOSE_WAIT
or FIN_WAIT2 status after the SEAS custom exit is getting called. The
adapter connections are also not getting released. This issue can lead
to a java/lang/OutOfMemoryError error with a build up of class
com.sterlingcommerce.component.authentication.impl.JNDISocketFactory
method SessionIdleTimeTask.
Resolution: Updated the SEAS exit to use a different socket factory which
automatically times out and releases the sockets correctly.
RTC366168/IC93055 - SEAS Java Webstart application gets security warning when
launched.
The SEAS Webstart GUI application gets security warning when it is
launched. The jar files which are downloaded when the SEAS Webstart is
launched are signed with a self-signed certificate, causing it to get the
message at startup:
The application's digital signature cannot be verified. Do you want
to run the application?
Resolution: All SEAS jar files are now signed with an IBM certificate that
is itself signed by Verisign. Once the Webstart GUI has been launched and
the user has accepted the certificate, the warning does not appear again.
RTC368161/IC90709 - Error message information leak
During error conditions, IBM Sterling External Authentication Server may
allow a malicious internal user to obtain product information which could
be used to design further attacks.
Resolution: Updated SEAS to validate any path added to the URL against
a "white list" of allowed paths, and return a "404 Not Found - An invalid
input was submitted to the server" instead of echoing the path.
RTC367011/IC90788 - Turn off OS command execution option
SEAS allows the administrator to configure an OS command to be run as
part of the authentication process. A malicious internal user who has
access to the application and who has administration privileges could
configure the system to issue arbitrary Operating System commands, which
could affect the confidentiality, integrity and availability of the
system. Support has no record of any Customer using this feature.
Resolution: Removed the option to configure an OS command to be run as
part of the authentication process.
RTC373046/IC91512 - (GUI) - Error condition needed when client times out
before shutdown
When the SEAS admin is logged onto the GUI and attempts to shutdown the
SEAS when the GUI interface has already timed out, the shutdown process
appears successful but does not happen. No messages are returned and the
GUI terminates like normal during a normal shutdown.
Resolution: Now notify the GUI user that the shutdown was unsuccessful
because the user timed out.
RTC383961/IC94106 - SEAS Web access only allows a non-secure HTTP connection
This is a small enhancement to allow the SEAS Webstart port to be a
secure (https) connection.
Resolution: Added the capability for the WebStart port (default 9080) to
be secured using the same keystore and truststore that the Secure
Connection Listener (default port 61366) is configured to use. The SEAS
Implementation Guide will be updated with the following instructions:
To implement a secure port for Webstart
1) Assumption: You have configured the Secure Connection Listener. If not,
follow the instructions in the SEAS: Implementation Guide in Chapter 3
to generate certificates and populate the keystore and truststore.
2) Update the {SEAS_INSTALL}/conf/jetty/JettyConfigDef.xml file with any
text editor, and either add or change the httpsEnabled keyword to have
a value of true.
9080
localhost
/
../conf/jetty/docroot
lib
../lib
true
false
3) Update the {SEAS_INSTALL}/conf/jetty/docroot/webstart/EA_GUI.jnlp file
and change the first 2 occurrences of
http://seashost:port...
to https://seashost:port...
4) Start SEAS
5) Start the webstart by accessing https://seashost:port/ from your web
browser where seashost is the host where SEAS is running and port is
the configured webstart port (default 9080).
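The edits in steps 2 and 3 as a Python script, added here as an example and not part of the SEAS install: enable_https() sets the httpsEnabled keyword to true (adding it when absent) and secure_jnlp() rewrites only the first two http://seashost:port URLs. The element layout of JettyConfigDef.xml is not reproduced on this page, so the sample config and the JNLP fragment are constructed, and the script assumes httpsEnabled is an element under the root.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for JettyConfigDef.xml: only the httpsEnabled keyword
# named in step 2 is assumed; the real file's element names are not shown.
SAMPLE_JETTY_CONFIG = """<jettyConfig>
  <port>9080</port>
  <host>localhost</host>
  <httpsEnabled>false</httpsEnabled>
</jettyConfig>
"""

# Constructed JNLP fragment: two launch URLs to secure plus one further
# occurrence that step 3 ("first 2 occurrences") leaves untouched.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://seashost:9080/webstart" href="EA_GUI.jnlp">
  <information>
    <homepage href="http://seashost:9080/"/>
    <description>See http://seashost:9080/ for details</description>
  </information>
</jnlp>
"""


def enable_https(xml_text: str) -> str:
    """Return the config with httpsEnabled set to true (added if missing)."""
    root = ET.fromstring(xml_text)
    node = root.find(".//httpsEnabled")
    if node is None:
        node = ET.SubElement(root, "httpsEnabled")
    node.text = "true"
    return ET.tostring(root, encoding="unicode")


def https_enabled(xml_text: str) -> bool:
    """Post-edit check: httpsEnabled is present and reads true."""
    node = ET.fromstring(xml_text).find(".//httpsEnabled")
    return node is not None and (node.text or "").strip().lower() == "true"


def secure_jnlp(jnlp_text: str, host_port: str, count: int = 2) -> str:
    """Rewrite the first `count` http://host:port URLs to https://."""
    return jnlp_text.replace(f"http://{host_port}", f"https://{host_port}", count)


if __name__ == "__main__":
    updated = enable_https(SAMPLE_JETTY_CONFIG)
    print(updated)
    print("httpsEnabled ok:", https_enabled(updated))
    print(secure_jnlp(SAMPLE_JNLP, "seashost:9080"))
```

Run it against copies of the two files and diff the result before replacing the originals; the https_enabled() check is the one to keep around, since any maintenance upgrade may rewrite the Jetty configuration.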
RTC386120/IC94108 - SEAS Session Idle Timeout does not work correctly
The Idle Session Timeout value, which determines how long idle connections
are kept, always uses double the configured value, e.g., the 30-minute
default yields a 60-minute timeout. The value is set in the GUI under System
Settings in the Global tab.
Resolution: Corrected the timeout logic to work without waiting for 2
iterations. Also, ensured that the timer was reset after the initial
download of GUI information.
Workaround: Set the Idle Session Timeout value for half the value
expected, or set it to 0 which means no idle session timeout.
RTC384645/ - Dynamic routing in SFTP adapter to a backend server
based on Password and/or Key Auth with SEAS
Provide the ability to direct SFTP sessions to any back end server
defined in the netmap, rather than just to the standard routing
server. The selection is controlled by the Sterling External
Authentication Server (SEAS), which returns the "routingNodeName".
RTC391817/IC95720 - SEAS authentication indicates failure during SFTP transfer
SEAS server returns "false" in authenticated flag to SSP when the SFTP
adapter sends a conversation termination request.
Resolution: Now return "true" to the end of conversation request, so that
the SFTP server does not get confused.
RTC392701/IC95188 - Value configured disappears from Match Attribute in SEAS
Customer sets "O={Issuer[O]}/CN={Issuer[CN]}" in the Match Attributes
field when setting up a new Certificate Validation profile in the SEAS
GUI. When the Customer saved it and viewed it again, the value was gone.
Resolution: Changed the logic to correctly handle the substrings in the
Match Attributes field so that they do not disappear.
RTC396445/ - SEAS GUI - Better notification when timeout occurs
Enhancement to the SEAS GUI to detect a timeout disconnect from the SEAS
server and present the login screen to allow logging in again.
PSIRT 1050 - Upgrade to IBM JRE 1.6 SR14 for latest security fixes
The IBM JRE embedded in the IBM Sterling External Authentication Server
had security vulnerabilities in its Javadoc, and in SSL connections to
the configuration GUI.
Resolution:
For details, see http://www.ibm.com/support/docview.wss?uid=swg21650811.
Also corrected Webstart signing issue when running with Java 1.7.
RTC403111/IC97765 - Audit conversation ids do not match
Customer is doing SFTP Public Key AND Password authentication. In the
SEAS audit log, the conversation id on the BEGIN operation does not
match the conversation id on the RESUME operation, so that the two
transactions cannot be tied together.
Resolution: Updated the conversation processing to make sure that any
leftover value in the conversation id on a BEGIN operation is cleared
out so that a new value can be assigned if the authentication is
successful.
RTC413269/IC99677 - SEAS using obsoleted Kerberos function to change password
from SSO Login Portal
When SEAS client submits a change password request against an Active
Directory server, the change password request fails because SEAS was
trying to use Kerberos to perform the password change. Kerberos is no
longer a supported mechanism for password change through SEAS.
Resolution: Added logic to use LdapPasswordChangeStrategy to perform
password change requests for AD servers instead of Kerberos.
Also handle a NullPointerException (NPE) in
com.sun.jndi.ldap.LdapNamingEnumeration when attempting to retrieve
a user password policy. Now ignore the NPE and go forward with
retrieving the group password policy.
RTC413417/IT00308 - SEAS not encrypting passphrase correctly during install.
Uses local JRE instead of supplied JRE.
After installing SEAS version 2.4.1 for Linux, the installation log
showed the following error:
java.security.NoSuchAlgorithmException: PBEWithSHAAnd3KeyTripleDES
SecretKeyFactory not available
It also shows that InstallAnywhere was incorrectly using a local non-IBM
JRE instead of the one supplied in the install image. The product
appears to install correctly, and comes up okay. But when the
stopSeas.sh command is issued, it responds with
" *** incorrect passphrase".
Resolution: Changed the InstallAnywhere directives to take out possible
locations to search for a local system JRE. Ensure that the only JRE
used is the one we supply.
RTC418004/IT00896 - Unable to launch Webstart GUI from browser after
Java 7 U51 update
Customer updated their OS Java environment and browser plugin to Java 7
U51, which has new permission requirements for applications. When
launching the SEAS Webstart GUI, the following error is received:
java.lang.SecurityException: Missing required Permissions manifest
attribute in main jar: <>
Resolution: Added new Permission attribute to all the jar files used by
SEAS Webstart so it can be run on client systems using Java 7 at patch
U51 or higher.
RTC432417/IT03062 - SEAS getting java.lang.OutOfMemoryError: Java heap space
Customer had their sessionIdleTimeout set to 30 minutes to allow GUI
sessions to remain active longer. However, sockets used for connecting to
the LDAP server were not getting freed for 30 minutes, causing SEAS to run
out of memory.
Resolution: Added support for a new parameter, ldapSessionIdleTimeout, in
the {SEAS_INSTALL}/conf/system/sysGlobals.xml file with a default of 5
minutes to ensure that LDAP sockets get freed in a timely manner.
RTC433967/ - Leftover GSSAPI Authentication Method in GUI
The GSSAPI value was mistakenly left as an Authentication Method in the SEAS
GUI. It was used on pre-bluewashed non-AIX platforms to allow Kerberos
authentication with Active Directory. When the product was bluewashed,
however, the IBM JRE did not support the Kerberos methods.
Resolution: Removed the GSSAPI selection from the Authentication Method in
the SEAS GUI to avoid confusion.