================================================================================
Sterling Secure Proxy (SSP) APAR IT07375 - Oct 2014 JRE Upgrade - March 2015
================================================================================

This APAR provides the Java Runtime Environment (JRE) only, with instructions
on how to install it in the Customer's environment. This brings the JRE to the
Java 1.7 SR8 fix level from the Oracle Java October 2014 security refresh.

Alternatively, the Customer may check the fixlist of the latest iFix cumulative
maintenance package on Fix Central to see if it includes this level of Java.
If not, the Customer may contact Support to request that the latest build with
this Java Runtime Environment be placed on the ECuRep server.

===============================================================================
Additional Notes on this Java Runtime Environment (JRE) update
===============================================================================

APAR IT07375 (CM,Engine,PS) - Upgrade SSP Engine, CM, and PS to IBM JRE 1.7 SR8
          for latest security patches which turn off SSLv3 support by default

With this fix, Sterling Secure Proxy 3.4.2.0 and all versions of Sterling
External Authentication Server will only allow TLS sessions by default and
will reject SSLv3 sessions. Sterling Secure Proxy releases prior to 3.4.2.0
continue to allow SSLv3 sessions if SSL is coded in the netmap security tab.

If the SSLv3 protocol is required until trading partners can switch to TLS,
then for UNIX/Linux, add the -Dcom.ibm.jsse2.disableSSLv3=false property to
the Java startup line(s) in the bin/startEngine.sh script. For Windows, add
the property to the "lax.nl.java.option.additional=" line in the
bin\SSPengine$.lax file.

===============================================================================
IBM Sterling Secure Proxy
Instructions for Installing a New JRE from IBM Fix Central for the
Security Advisory.
===============================================================================

This process will allow the Customer to pull a new JRE from the IBM Fix Central
site and replace the existing jre directory in the various installed instances
of Sterling Secure Proxy (SSP) Engine, SSP Configuration Manager (CM), and SSP
Perimeter Server (PS). The instructions are also valid for the Sterling
External Authentication Server (SEAS).

Steps 5 and following must be done for each instance of the SSP Engine, SSP CM,
SSP PS, and SEAS.

STEPS 1-3 ARE DONE ONCE AND CAN BE DONE WHILE THE PRODUCT IS RUNNING.
You can skip these steps and pull from /home/nis02/dengs1/SSP_New_JRE_2014_10

1. Download the JRE refresh pack archive file from Fix Central to a work
   directory.

2. Extract the JRE refresh pack archive file in the work directory.

   UNIX:
      cd
      uncompress JRE.tar.Z
         Note: may need to use gunzip for .tgz file
      tar -xvf JRE.tar

   Windows:
      Use WinZip or equivalent to extract from the JRE.zip file.

3. If a jre folder is not part of the extracted archive, then create a new
   directory called jre and move the bin, lib, plugin, docs and properties
   folders to the newly created jre folder.

   UNIX:
      cd
      mkdir jre
      mv bin jre
      mv lib jre
      mv plugin jre
      mv docs jre
      mv properties jre

   Windows:
      cd
      mkdir jre
      move bin jre
      move lib jre
      move plugin jre
      move docs jre
      move properties jre

   Note: The structure of the /jre folder should match the structure of the
   /jre folder.

   Example for Windows
   -------------------
   jre
   jre/bin
   jre/lib
   jre/docs
   jre/properties

   Example for AIX
   --------------------
   jre
   jre/bin
   jre/lib
   jre/docs
   jre/properties
   jre/plugin

4. Verify the version of Java works and is the one expected by the Security
   Advisory:

   UNIX:
      jre/bin/java -version

   Windows:
      jre\bin\java -version

   See the description at the top of this README file for the version.

STEPS 5 AND FOLLOWING ARE DONE FOR EACH INSTANCE OF THE SSP ENGINE, SSP CM,
SSP PERIMETER SERVER and STERLING EXTERNAL AUTHENTICATION SERVER (SEAS).

5. Make a backup of your target directory.

6. Take the target Sterling Secure Proxy Engine, Configuration Manager, and/or
   Perimeter Server instances down.

7. Rename the existing jre directory to jre_old.

   UNIX:
      cd
      mv jre jre_old

   Windows:
      cd
      rename jre jre_old

8. Copy the new jre from the work directory to your directory
   (note the period at the end of the commands).

   UNIX:
      cp -R /jre .

   Windows:
      copy \jre .

9. Copy the security policy files from the jre_old directory to the new jre
   directory.

   UNIX:
      cp jre_old/lib/security/US_export_policy.jar jre/lib/security
      cp jre_old/lib/security/java.security jre/lib/security
      cp jre_old/lib/security/local_policy.jar jre/lib/security

   Windows:
      copy jre_old\lib\security\US_export_policy.jar jre\lib\security
      copy jre_old\lib\security\java.security jre\lib\security
      copy jre_old\lib\security\local_policy.jar jre\lib\security

10. Start the target Sterling Secure Proxy instance.

11. If there are issues starting up the target instance with the new JRE:
    a) Save a copy of the bin/startEngine.out file. (startCM.out for the CM)
    b) Rename the jre directory to jre_new, and jre_old to jre, and restart.
    c) Contact IBM Sterling Customer Support for help.

12. Duplicate this process (starting with step 5) for each SSP Engine, CM,
    SSP Perimeter Server, and Sterling External Authentication Server install.
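
Steps 7-9 and the step 11b rollback can be scripted so that a failed copy never leaves an instance without a jre directory. The following is an added example, not IBM-supplied code; the function names, the two directory arguments, and the java.security.shipped copy (kept so the new JRE's shipped settings can be diffed against the carried-over file before restart) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not IBM code. Assumptions: $1 is the install directory of one
# stopped instance, $2 is the work directory holding the new jre/ (steps 1-4 done).

swap_jre() {
    install_dir=$1
    work_dir=$2
    sec=lib/security

    # Refuse to run unless the layout matches what the README describes.
    [ -d "$install_dir/jre" ] || { echo "no jre in $install_dir" >&2; return 1; }
    [ -x "$work_dir/jre/bin/java" ] || { echo "no new jre in $work_dir" >&2; return 1; }
    [ ! -e "$install_dir/jre_old" ] || { echo "jre_old already exists" >&2; return 1; }

    # Step 7: keep the old runtime for rollback.
    mv "$install_dir/jre" "$install_dir/jre_old" || return 1

    # Step 8: copy in the new runtime; undo step 7 if the copy fails.
    if ! cp -R "$work_dir/jre" "$install_dir/"; then
        rm -rf "$install_dir/jre"
        mv "$install_dir/jre_old" "$install_dir/jre"
        return 1
    fi

    # Step 9: carry over the site's policy jars and java.security.
    # The java.security shipped with the new JRE is first saved as
    # java.security.shipped (an addition of this sketch, not a README step).
    if [ -f "$install_dir/jre/$sec/java.security" ]; then
        cp "$install_dir/jre/$sec/java.security" "$install_dir/jre/$sec/java.security.shipped"
    fi
    for f in US_export_policy.jar java.security local_policy.jar; do
        if [ -f "$install_dir/jre_old/$sec/$f" ]; then
            cp "$install_dir/jre_old/$sec/$f" "$install_dir/jre/$sec/" || return 1
        else
            echo "warning: $f missing in jre_old/$sec" >&2
        fi
    done
}

# Step 11b: put the previous runtime back and keep the new one as jre_new.
rollback_jre() {
    install_dir=$1
    [ -d "$install_dir/jre_old" ] || return 1
    [ ! -e "$install_dir/jre_new" ] || return 1
    mv "$install_dir/jre" "$install_dir/jre_new" && mv "$install_dir/jre_old" "$install_dir/jre"
}
```

Run swap_jre once per instance after step 6, then compare java.security with java.security.shipped before step 10.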
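
The SSLv3 override described in the Additional Notes section is meant to be temporary, so it is worth checking which instances still carry it. The following is an added example, not IBM-supplied code; it assumes each argument is an install directory, that the Windows launcher file matches bin/*.lax, and that '#' starts a comment line in both file types.

```shell
#!/bin/sh
# Added example, not IBM code. Prints file:line for every active (non-comment)
# line that sets com.ibm.jsse2.disableSSLv3=false, i.e. re-enables SSLv3.
# Assumptions: arguments are install directories; '#' begins a comment line.

audit_sslv3() {
    for dir in "$@"; do
        for f in "$dir"/bin/startEngine.sh "$dir"/bin/*.lax; do
            # An unmatched glob stays literal and is skipped here.
            [ -f "$f" ] || continue
            awk -v file="$f" '
                /^[ \t]*#/ { next }    # ignore commented-out lines
                /com\.ibm\.jsse2\.disableSSLv3=false/ { print file ":" NR }
            ' "$f"
        done
    done
}
```

An empty result for an instance means the JRE default applies and SSLv3 sessions are rejected.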