===============================================================================
Maintenance for Sterling External Authentication Server (SEAS) 2.4.1.8
===============================================================================

This cumulative maintenance archive includes the GA release of SEAS 2.4.1.8
plus fixes for the issues listed below.

Contents:

  I.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
  II. Detailed Description of Fixes

===============================================================================
I. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
===============================================================================

===============================================================================
Fixes for SEAS 2.4.1.8 (2.4.1.0 Fixpack 8) IFix 3, Build 13 (Sept 2014)
===============================================================================
DEFECT / APAR
No Defect/         - Upgrade to IBM JRE 1.7 SR7 FP1

===============================================================================
Fixes for SEAS 2.4.1.8 (2.4.1.0 Fixpack 8) IFix 2, Build 11 (Aug 2014)
===============================================================================
DEFECT / APAR
RTC433967/         - Leftover GSSAPI Authentication Method in GUI

===============================================================================
Fixes for SEAS 2.4.1.8 (2.4.1.0 Fixpack 8) IFix 1, Build 10 (July 2014)
===============================================================================
DEFECT / APAR
RTC432417/IT03062  - SEAS getting java.lang.OutOfMemoryError: Java heap space

===============================================================================
Fixes for SEAS 2.4.1.8 (2.4.1.0 Fixpack 8) Build 09 (May 2014)
===============================================================================
Note: Please see the Release Notes for more information on this fixpack:
http://pic.dhe.ibm.com/infocenter/seas/v2r4m1/index.jsp

DEFECT / APAR
Enhancement        - Add LDAP authentication of Administrative users
Enhancement        - Support admin specified requirements for passwords
Enhancement        - Lockout user after an admin specified number of failed
                     attempts for an admin specified amount of time
Enhancement        - Support Windows 2012

===============================================================================
Fixes for SEAS 2.4.1.2 (2.4.1.0 Fixpack 2) IFix 7, Build 86 (April 2014)
===============================================================================
DEFECT / APAR
RTC413417/IT00308  - SEAS not encrypting passphrase correctly during install.
                     Uses local JRE instead of supplied JRE.
RTC413269/IC99677  - SEAS using obsoleted Kerberos function to change password
                     from SSO Login Portal.

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 6 Plus, Build 80 (November 2013)
===============================================================================
DEFECT / APAR
RTC403111/IC97765  - Audit conversation IDs do not match
RTC418004/IT00896  - Unable to launch Webstart GUI from browser after Java 7
                     U51 update

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 6, Build 78 (September 2013)
===============================================================================
DEFECT / APAR
PSIRT 1050         - Upgrade to IBM JRE 1.6 SR14 for latest security fixes
RTC396445/         - SEAS GUI - Better notification when timeout occurs
RTC392701/IC95188  - Value configured disappears from Match Attribute in SEAS
RTC391817/IC95720  - SEAS authentication indicates failure during SFTP transfer

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 5, Build 75 (July 2013)
===============================================================================
DEFECT / APAR
RTC384645/         - Dynamic routing in SFTP adapter to a backend server based
                     on Password and/or Key Auth with SEAS
RTC386120/IC94108  - SEAS Session Idle Timeout does not work correctly
RTC383961/IC94106  - SEAS Web access only allows a non-secure HTTP connection

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 4, Build 64 (June 2013)
===============================================================================
DEFECT / APAR
RTC366168/IC93055  - SEAS Java Webstart application gets security warning when
                     launched.

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 3, Build 63 (May 2013)
===============================================================================
DEFECT / APAR
RTC373046/IC91512  - (GUI) - Error condition needed when client times out
                     before shutdown

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 2, Build 62 (May 2013)
===============================================================================
DEFECT / APAR
RTC367011/IC90788  - Turn off OS command execution option

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 1, Build 61 (March 2013)
===============================================================================
DEFECT / APAR
RTC368161/IC90709  - Error message information leak
RTC355410/IC89579  - Connections are not getting closed and going to CLOSE_WAIT

===============================================================================
Fixes for SEAS 2.4.1.0 Patch 2, Build 59 (October 2012)
===============================================================================
DEFECT / APAR
RTC349165/IC86628  - CRL checking fails after upgrade to SEAS 2.4.1
RTC348784/IC86821  - Upgrade bundled JRE to IBM SR11 (August 2012) level
RTC348461/IC86820  - Use 64-bit JRE on Solaris
RTC346206/IC86440  - Syntax error in configuration allows users to be
                     authenticated with invalid password
RTC336420/IC85514  - Fast wakeup condition detected

===============================================================================
Fixes for SEAS 2.4.1.0 Patch 1, Build 54 (August 2012)
===============================================================================
DEFECT / APAR
RTC330660          - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.

===============================================================================
II. Detailed Description of Fixes (in Defect ascending order)
===============================================================================

RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.

IBM internal research detected that Jetty was vulnerable to a type of denial
of service (DOS) attack when the number of HTTP header parameters was high
(in the tens of thousands).

Resolution: Implemented the fix from Jetty Eclipse, which enforces a maximum
of 1000 keys in the HTTP header. The default can be adjusted by adding the
Java system property to the startEngine.sh or startCM.sh startup scripts:

  -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000

RTC336420/IC85514 - Fast wakeup condition detected

Intermittent problem when SEAS attempts to accept a new connection. At that
point, SEAS becomes unresponsive and the logs fill with the following
messages:

  WARN  com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Fast wakeup condition detected.
  ERROR com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Could not handle fast wakeup condition - java.lang.Error

Resolution: Upgraded the Java Runtime Environment (JRE) to the SR11
maintenance level, which includes a fix for the socket accept problem. Also
added code to correct the loop condition and give a better reason for why it
is happening.
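The key cap behind the RTC330660 fix, shown as an added example (not SEAS or Jetty code): a form-body decoder that refuses a request once the number of keys exceeds the cap, and a helper that reads the effective cap from the -D override in a startup script. The script fragments are constructed; the property name and the 1000 default are the ones given above.

```python
import re
from urllib.parse import unquote_plus

# Default cap applied by the Jetty fix described for RTC330660.
DEFAULT_MAX_FORM_KEYS = 1000
MAX_FORM_KEYS_PROPERTY = "org.eclipse.jetty.server.Request.maxFormKeys"


class TooManyFormKeys(Exception):
    """Raised when a request body carries more keys than the configured cap."""


def effective_max_form_keys(startup_script_text, default=DEFAULT_MAX_FORM_KEYS):
    """Return the key cap in force for a startup script such as startEngine.sh
    or startCM.sh: the -D override if present, otherwise the built-in default."""
    pattern = re.compile(r"-D" + re.escape(MAX_FORM_KEYS_PROPERTY) + r"=(\d+)")
    match = pattern.search(startup_script_text)
    return int(match.group(1)) if match else default


def parse_form_body(body, max_keys=DEFAULT_MAX_FORM_KEYS):
    """Decode application/x-www-form-urlencoded data, rejecting the request as
    soon as the key count exceeds max_keys. The count is checked before each key
    is hashed into the dict, so the work done is bounded by the cap, not by the
    size of the body the client chose to send."""
    params = {}
    seen = 0
    for pair in body.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_keys:
            raise TooManyFormKeys(f"more than {max_keys} form keys in request")
        key, sep, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value) if sep else "")
    return params


# Constructed sample startup-script fragments: one with the override, one without.
SCRIPT_WITH_OVERRIDE = (
    'JAVA_OPTS="-Xmx512m -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000"\n'
)
SCRIPT_WITHOUT_OVERRIDE = 'JAVA_OPTS="-Xmx512m"\n'

if __name__ == "__main__":
    print(effective_max_form_keys(SCRIPT_WITH_OVERRIDE))     # 2000
    print(effective_max_form_keys(SCRIPT_WITHOUT_OVERRIDE))  # 1000
    print(parse_form_body("user=alice&realm=example&user=bob"))
    try:
        parse_form_body("&".join(f"k{i}=v" for i in range(1001)), max_keys=1000)
    except TooManyFormKeys as exc:
        print("rejected:", exc)
```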
RTC346206/IC86440 - Syntax error in configuration allows users to be
authenticated with invalid password

A misconfigured User DN field in the LDAP Authentication tab of the Secure
External Authentication Server allows invalid users and passwords to be
authenticated. The Customer supplied an invalid User DN value in the LDAP
Authentication tab: "uid=${name},realm=…". But instead of all incoming
sessions being rejected, all sessions were authenticated. The following
messages in the log showed that there was a syntax error, but the resulting
authentication said "true":

  INFO com.sterlingcommerce.component.authentication.impl.AuthenticationServiceImpl - AUTH064E Exception encountered while evaluating Bind Principal formula: java.lang.IllegalArgumentException: Variable substitution failed for: name. Element not found: name.
  INFO com.sterlingcommerce.component.dispatcher.XmlConversionFilter - Sending -> AuthenticationResponse(AUTH064E): Correlator - null: detailResponseCode - AUTH100D, type - Auth, authenticated - true

Resolution: Corrected the SEAS LDAP Authenticator to correctly set the failed
authentication flag when a syntax error is detected in the configuration.

RTC348461/IC86820 - Use 64-bit JRE on Solaris

SEAS on Solaris points to the 32-bit JRE, even though the 64-bit JRE is
shipped. All the scripts to run the product and utilities point to the
./jre/bin/java executable, which is the 32-bit version of the JRE. The 64-bit
version of the JRE is at ./jre/bin/sparcv9/java.

Workaround: Manually update the SEAS/bin/startSeas.sh script to point to the
new java location. However, the script gets rebuilt during any maintenance
upgrade.

Resolution: Updated the InstallAnywhere logic for the Solaris platform to
properly build the scripts to point to the 64-bit version of the JRE at
./jre/bin/sparcv9/java.
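The fail-open pattern behind RTC346206 above, as an added example that is not SEAS code: a ${var} Bind Principal formula is evaluated against a request that lacks the referenced variable, and the two authenticators differ only in what the "authenticated" flag is when the substitution error is caught. The LDAP bind, the directory contents and the request are constructed stand-ins.

```python
import logging
import re

log = logging.getLogger("AuthenticationServiceImpl")

# Matches the ${name}-style variables used in the SEAS Bind Principal formula.
VARIABLE = re.compile(r"\$\{([^}]+)\}")


def evaluate_bind_principal(formula, request):
    """Substitute ${var} references from the request into the User DN formula.
    Raises ValueError (standing in for the IllegalArgumentException seen in
    the log) when a referenced variable is not present in the request."""
    def lookup(match):
        name = match.group(1)
        if name not in request:
            raise ValueError(f"Variable substitution failed for: {name}. Element not found: {name}.")
        return request[name]
    return VARIABLE.sub(lookup, formula)


def ldap_bind(dn, password, directory):
    """Stand-in for the LDAP simple bind: True only when the DN exists and the
    password matches. 'directory' is a constructed dict, not a real server."""
    return directory.get(dn) == password


def authenticate_fail_open(formula, request, directory):
    """Reproduces the defect as described: the response starts out as
    authenticated and the syntax error is only logged, so the flag survives."""
    response = {"authenticated": True, "code": "AUTH100D"}
    try:
        dn = evaluate_bind_principal(formula, request)
        response["authenticated"] = ldap_bind(dn, request["password"], directory)
    except ValueError as exc:
        log.info("AUTH064E Exception encountered while evaluating Bind Principal formula: %s", exc)
        response["code"] = "AUTH064E"  # flag left untouched: fail open
    return response


def authenticate_fail_closed(formula, request, directory):
    """Corrected form: the flag defaults to False and only a successful bind
    sets it, so a configuration error rejects every session."""
    response = {"authenticated": False, "code": "AUTH100D"}
    try:
        dn = evaluate_bind_principal(formula, request)
        response["authenticated"] = ldap_bind(dn, request["password"], directory)
    except ValueError as exc:
        log.info("AUTH064E Exception encountered while evaluating Bind Principal formula: %s", exc)
        response["code"] = "AUTH064E"
    return response


# Constructed sample data. The request carries 'uid', but the misconfigured
# formula references ${name}: the same mismatch reported in the defect.
DIRECTORY = {"uid=alice,ou=people,o=example": "correct-horse"}
BAD_FORMULA = "uid=${name},ou=people,o=example"
GOOD_FORMULA = "uid=${uid},ou=people,o=example"
REQUEST = {"uid": "alice", "password": "wrong-password"}

if __name__ == "__main__":
    print(authenticate_fail_open(BAD_FORMULA, REQUEST, DIRECTORY))     # authenticated True (defect)
    print(authenticate_fail_closed(BAD_FORMULA, REQUEST, DIRECTORY))   # authenticated False
    print(authenticate_fail_closed(GOOD_FORMULA, REQUEST, DIRECTORY))  # authenticated False
```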
RTC348784/IC86821 - Upgrade bundled JRE to IBM SR11 (August 2012) level

The Customer required that products with the IBM JRE 1.6 be at the SR10 FP1
(Feb 2012) maintenance level or greater.

Resolution: Updated the IBM JRE which ships with SSP 3.4.1 to be at the SR11
(August 2012) maintenance level.

RTC349165/IC86628 - CRL checking fails after upgrade to SEAS 2.4.1

Getting "CERT005E Failed to complete required CRL check" when running SEAS
2.4.0 or 2.4.1.0. The SEAS log shows the following events:

  ERROR CertValidator - CRL Problem 2: Exception processing CRL: MY_CRL: java.lang.IllegalArgumentException: CRL not found for LdapQueryDef (name=MY_CRL): ldaps://10.20.30.40:636/CN=CRL512, O=My Server, C=US?certificateRevocationList?Base
  ERROR CertValidator - CRL check could not be completed for certificate: CN=etc…
  ERROR CertValidator - CERT005E Failed to complete required CRL check. Problem 1 of 2: Exception processing crlDistributionPoint: java.lang.IllegalArgumentException: CRL not found for LdapQueryDef(name=null):

Found that we were using a null value to initialize a Java NameClassPair,
which is no longer allowed in the JRE that ships with the 2.4.x versions of
SEAS. It returned a java.lang.IllegalArgumentException and caused the
subsequent CRL processing to unwind.

Resolution: Corrected the SEAS CRL logic to ensure a non-null value when
initializing the NameClassPair. Also added additional diagnostic lines to make
some of the hidden parts of the logic easier to follow in debug mode.

RTC355410/IC89579 - Connections are not getting closed and going to CLOSE_WAIT

Connections to SEAS are not getting closed and are going to CLOSE_WAIT or
FIN_WAIT2 status after the SEAS custom exit is called. The adapter connections
are also not getting released. This issue can lead to a
java/lang/OutOfMemoryError with a build-up of class
com.sterlingcommerce.component.authentication.impl.JNDISocketFactory method
SessionIdleTimeTask.

Resolution: Updated the SEAS exit to use a different socket factory which
automatically times out and releases the sockets correctly.

RTC366168/IC93055 - SEAS Java Webstart application gets security warning when
launched.

The SEAS Webstart GUI application gets a security warning when it is launched.
The jar files which are downloaded when the SEAS Webstart is launched are
signed with a self-signed certificate, causing the following message at
startup:

  The application's digital signature cannot be verified. Do you want to run
  the application?

Resolution: Now sign all the SEAS jar files with an IBM certificate which is
signed by Verisign. Once the Webstart GUI has been launched once and the
certificate is okayed by the user, the warning does not come up again.

RTC368161/IC90709 - Error message information leak

During error conditions, IBM Sterling External Authentication Server may allow
a malicious internal user to obtain product information which could be used
to design further attacks.

Resolution: Updated SEAS to validate any path added to the URL against a
"white list" of allowed paths, and return "404 Not Found - An invalid input
was submitted to the server" instead of echoing the path.

RTC367011/IC90788 - Turn off OS command execution option

SEAS allows the administrator to configure an OS command to be run as part of
the authentication process. A malicious internal user who has access to the
application and who has administration privileges could configure the system
to issue arbitrary Operating System commands, which could affect the
confidentiality, integrity and availability of the system. Support has no
record of any Customer using this feature.

Resolution: Removed the option to configure an OS command to be run as part of
the authentication process.
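The shape of the RTC368161 fix, as an added example rather than SEAS code: the request path is normalized and compared against an allowlist, and a rejected request gets the fixed 404 body quoted above, never the submitted path. The allowlist entries and the sample request targets are constructed; only the 404 text comes from the page.

```python
from http import HTTPStatus
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed allowlist standing in for the SEAS "white list" of URL paths.
# Only these exact, normalized paths are served; anything else gets a 404.
ALLOWED_PATHS = frozenset({
    "/",
    "/webstart/EA_GUI.jnlp",
    "/webstart/lib/ea_gui.jar",
})

# The fixed body from the page: constant, so nothing the client sent is echoed.
NOT_FOUND_BODY = "404 Not Found - An invalid input was submitted to the server"


def normalize_path(raw_path):
    """Percent-decode and collapse '.' and '..' segments so that an alias of an
    allowed path cannot slip past an exact-match comparison, and so that a
    disguised path outside the allowlist is still rejected."""
    decoded = unquote(raw_path or "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def route(request_target):
    """Return (status, body) for a request target such as '/webstart/EA_GUI.jnlp?v=1'.
    Query strings never influence the decision; only the normalized path does."""
    path = normalize_path(urlsplit(request_target).path)
    if path in ALLOWED_PATHS:
        return HTTPStatus.OK, f"serving {path}"
    return HTTPStatus.NOT_FOUND, NOT_FOUND_BODY


if __name__ == "__main__":
    for target in ("/webstart/EA_GUI.jnlp", "/webstart/../webstart/EA_GUI.jnlp?v=1",
                   "/webstart/%2e%2e/private.txt", "/no/such/page"):
        status, body = route(target)
        print(int(status), body)
```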
RTC373046/IC91512 - (GUI) - Error condition needed when client times out
before shutdown

When the SEAS admin is logged onto the GUI and attempts to shut down SEAS
after the GUI interface has already timed out, the shutdown process appears
successful but does not happen. No messages are returned and the GUI
terminates as it does during a normal shutdown.

Resolution: Now notify the GUI user that the shutdown was unsuccessful because
the user session timed out.

RTC383961/IC94106 - SEAS Web access only allows a non-secure HTTP connection

This is a small enhancement to allow the SEAS Webstart port to be a secure
(https) connection.

Resolution: Added the capability for the WebStart port (default 9080) to be
secured using the same keystore and truststore that the Secure Connection
Listener (default port 61366) is configured to use. The SEAS Implementation
Guide will be updated with the following instructions:

To implement a secure port for Webstart

1) Assumption: You have configured the Secure Connection Listener. If not,
   follow the instructions in Chapter 3 of the SEAS Implementation Guide to
   generate certificates and populate the keystore and truststore.

2) Update the {SEAS_INSTALL}/conf/jetty/JettyConfigDef.xml file with any text
   editor, and either add or change the httpsEnabled keyword to have a value
   of true:

     9080 localhost / ../conf/jetty/docroot lib ../lib true false

3) Update the {SEAS_INSTALL}/conf/jetty/docroot/webstart/EA_GUI.jnlp file and
   change the first 2 occurrences of http://seashost:port... to
   https://seashost:port...

4) Start SEAS.

5) Start the webstart by accessing https://seashost:port/ from your web
   browser, where seashost is the host where SEAS is running and port is the
   configured webstart port (default 9080).

RTC386120/IC94108 - SEAS Session Idle Timeout does not work correctly

The Idle Session Timeout value, which determines how long to keep idle
connections, always uses double the value set, e.g. the 30 minute default
yields a 60 minute timeout. The value is set in the GUI under System Settings
in the Global tab.

Resolution: Corrected the timeout logic to work without waiting for 2
iterations. Also ensured that the timer is reset after the initial download
of GUI information.

Workaround: Set the Idle Session Timeout value to half the value expected, or
set it to 0, which means no idle session timeout.

RTC384645/ - Dynamic routing in SFTP adapter to a backend server based on
Password and/or Key Auth with SEAS

Provides the ability to direct SFTP sessions to any back end server defined
in the netmap, rather than just to the standard routing server. The selection
is controlled by the Sterling External Authentication Server (SEAS), which
returns the "routingNodeName".

RTC391817/IC95720 - SEAS authentication indicates failure during SFTP transfer

The SEAS server returns "false" in the authenticated flag to SSP when the
SFTP adapter sends a conversation termination request.

Resolution: Now return "true" to the end of conversation request, so that the
SFTP server does not get confused.

RTC392701/IC95188 - Value configured disappears from Match Attribute in SEAS

The Customer sets "O={Issuer[O]}/CN={Issuer[CN]}" in the Match Attributes
field when setting up a new Certificate Validation profile in the SEAS GUI.
When the Customer saved it and viewed it again, the value was gone.

Resolution: Changed the logic to correctly handle the substrings in the Match
Attributes field so that they do not disappear.

RTC396445/ - SEAS GUI - Better notification when timeout occurs

Enhancement to the SEAS GUI to detect a timeout disconnect from the SEAS
server and present the login screen to allow logging in again.

PSIRT 1050 - Upgrade to IBM JRE 1.6 SR14 for latest security fixes

The IBM JRE embedded in the IBM Sterling External Authentication Server had
security vulnerabilities in its Javadoc, and in SSL connections to the
configuration GUI.

Resolution: For details, see
http://www.ibm.com/support/docview.wss?uid=swg21650811. Also corrected a
Webstart signing issue when running with Java 1.7.

RTC403111/IC97765 - Audit conversation IDs do not match

The Customer is doing SFTP Public Key AND Password authentication. In the
SEAS audit log, the conversation id on the BEGIN operation does not match the
conversation id on the RESUME operation, so the two transactions cannot be
tied together.

Resolution: Updated the conversation processing to make sure that any
leftover value in the conversation id on a BEGIN operation is cleared out so
that a new value can be assigned if the authentication is successful.

RTC413269/IC99677 - SEAS using obsoleted Kerberos function to change password
from SSO Login Portal

When the SEAS client submits a change password request against an Active
Directory server, the request fails because SEAS was trying to use Kerberos
to perform the password change. Kerberos is no longer a supported mechanism
for password change through SEAS.

Resolution: Added logic to use LdapPasswordChangeStrategy to perform password
change requests for AD servers instead of Kerberos. Also handle a
NullPointerException (NPE) in com.sun.jndi.ldap.LdapNamingEnumeration when
attempting to retrieve a user password policy. Now ignore the NPE and go
forward with retrieving the group password policy.

RTC413417/IT00308 - SEAS not encrypting passphrase correctly during install.
Uses local JRE instead of supplied JRE.

After installing SEAS version 2.4.1 for Linux, the installation log showed
the following error:

  java.security.NoSuchAlgorithmException: PBEWithSHAAnd3KeyTripleDES SecretKeyFactory not available

It also shows that InstallAnywhere was incorrectly using a local non-IBM JRE
instead of the one supplied in the install image. The product appears to
install correctly and comes up okay, but when the stopSeas.sh command is
issued, it responds with " *** incorrect passphrase".

Resolution: Changed the InstallAnywhere directives to take out possible
locations to search for a local system JRE, ensuring that the only JRE used
is the one we supply.

RTC418004/IT00896 - Unable to launch Webstart GUI from browser after Java 7
U51 update

The Customer updated their OS Java environment and browser plugin to Java 7
U51, which has new permission requirements for applications. When launching
the SEAS Webstart GUI, the following error is received:

  java.lang.SecurityException: Missing required Permissions manifest attribute in main jar: <>

Resolution: Added the new Permissions attribute to all the jar files used by
SEAS Webstart so it can be run on client systems using Java 7 at patch U51 or
higher.

RTC432417/IT03062 - SEAS getting java.lang.OutOfMemoryError: Java heap space

The Customer had their sessionIdleTimeout set to 30 minutes to allow GUI
sessions to remain active longer. However, sockets used for connecting to the
LDAP server were not being freed for 30 minutes, causing SEAS to run out of
memory.

Resolution: Added support for a new parameter, ldapSessionIdleTimeout, in the
{SEAS_INSTALL}/conf/system/sysGlobals.xml file with a default of 5 minutes to
ensure that LDAP sockets get freed in a timely manner.

RTC433967/ - Leftover GSSAPI Authentication Method in GUI

The GSSAPI value was mistakenly left as an Authentication Method in the SEAS
GUI. It was used on pre-bluewashed non-AIX platforms to allow Kerberos
authentication with Active Directory. When the product was bluewashed,
however, the IBM JRE did not support the Kerberos methods.

Resolution: Removed the GSSAPI selection from the Authentication Method in the
SEAS GUI to avoid confusion.
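The two idle-timeout items above (RTC386120, where the timeout took effect at double the configured value because the check waited for two iterations, and RTC432417, where LDAP sockets inherited the long GUI session timeout) as an added example that is not SEAS code. The two-strike reaper is an assumed model of the "2 iterations" description, the corrected reaper compares elapsed idle time directly and honours 0 as "no timeout", and reap_pools gives LDAP sockets their own shorter timeout; session objects and timings are constructed.

```python
import dataclasses

MINUTE = 60


@dataclasses.dataclass
class Session:
    name: str
    last_activity: float
    idle_strikes: int = 0   # used only by the defective reaper
    open: bool = True


def reap_two_iterations(sessions, now, timeout):
    """Assumed model of the RTC386120 defect: a session is closed only after
    the check has seen it idle on two consecutive passes, and the check runs
    once per timeout interval, so closure takes about 2x the configured value."""
    closed = []
    for s in sessions:
        if not s.open:
            continue
        s.idle_strikes = s.idle_strikes + 1 if now - s.last_activity >= timeout else 0
        if s.idle_strikes >= 2:
            s.open = False
            closed.append(s.name)
    return closed


def reap_idle(sessions, now, timeout):
    """Corrected logic: compare elapsed idle time against the timeout directly.
    A timeout of 0 means no idle timeout, matching the workaround note."""
    if timeout == 0:
        return []
    closed = []
    for s in sessions:
        if s.open and now - s.last_activity >= timeout:
            s.open = False
            closed.append(s.name)
    return closed


def simulate(reaper, timeout, total_minutes):
    """Run the reaper once per timeout interval against one session that went
    idle at t=0; return the minute at which it was closed, or None."""
    if timeout <= 0:
        return None
    sess = [Session("gui-1", last_activity=0.0)]
    t = 0
    while t <= total_minutes * MINUTE:
        if reaper(sess, now=float(t), timeout=timeout):
            return t // MINUTE
        t += timeout
    return None


def reap_pools(gui_sessions, ldap_sessions, now, session_idle_timeout, ldap_session_idle_timeout):
    """Reflects RTC432417: LDAP sockets get their own idle timeout
    (ldapSessionIdleTimeout, default 5 minutes) instead of the GUI value."""
    return {
        "gui": reap_idle(gui_sessions, now, session_idle_timeout),
        "ldap": reap_idle(ldap_sessions, now, ldap_session_idle_timeout),
    }


if __name__ == "__main__":
    print(simulate(reap_two_iterations, 30 * MINUTE, 120))  # 60: the doubled timeout
    print(simulate(reap_idle, 30 * MINUTE, 120))            # 30: as configured
    print(reap_pools([Session("gui-1", 0.0)], [Session("ldap-1", 0.0)],
                     now=6.0 * MINUTE, session_idle_timeout=30 * MINUTE,
                     ldap_session_idle_timeout=5 * MINUTE))
```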