================================================================================
IBM Sterling Connect:Direct Browser
APAR IT07936 - Jan 2015 JRE Upgrade - March 2015
================================================================================

This APAR provides the Java Runtime Environment (JRE) only, with instructions
on how to install it in the Customer's environment. This brings the JRE to the
Java 1.7 SR8 FP10 fix level from the Oracle Java January 2015 security refresh,
plus the IV70681 APAR fix level, which addresses the recent "FREAK: Factoring
Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability.

Alternately, the Customer may check the fixlist of the latest iFix cumulative
maintenance package on Fix Central to see if it includes this level of Java.
If not, the Customer may contact Support to request that the latest build with
this Java Runtime Environment be placed on the ECuRep server.

===============================================================================
Additional Notes on this Java Runtime Environment (JRE) update
===============================================================================

APAR IT07936
Upgrade CD Browser to IBM JRE 1.7 SR8 FP10+IV70681 for latest security patches
which turn off SSLv3 support by default

With this fix, all versions of Connect:Direct Browser will only allow TLS
sessions by default and will reject SSLv3 sessions.

Set the following property in /bin/jettyBrowser.xml

    TLS

If the SSLv3 protocol is required, add the -Dcom.ibm.jsse2.disableSSLv3=false
property to the Java startup line(s) in the bin/runBrowser.sh script (in this
case use SSL).

===============================================================================
IBM Sterling Connect:Direct Browser
Instructions for Installing a New JRE from IBM Fix Central for the Security
Advisory.
===============================================================================

This process will allow the Customer to pull a new JRE from the IBM Fix Central
site and replace the existing jre directory in the various installed instances
of IBM Sterling Connect:Direct Browser.

1. Download the JRE refresh pack archive file from Fix Central to a work
   directory.

2. Extract the JRE refresh pack archive file in the work directory.

   On UNIX:
      cd
      uncompress JRE.tar.Z
      tar -xvf JRE.tar

   Windows:
      Use WinZip or equivalent to extract from the JRE.zip file.

3. Verify the version of Java works and is the one expected by the Security
   Advisory:

   UNIX:     jre/bin/java -version
   Windows:  jre\bin\java -version

   See the description at the top of this README file for the version.

4. Make a backup of your target directory.

5. Shut down the target Sterling Connect:Direct Browser.

6. Rename the existing jre directory to jre_old.

7. Copy the new jre directory from the directory to your directory.

8. Start the target Sterling Connect:Direct Browser instance.

9. If there are issues starting up the target instance with the new JRE:
   a) Run the data collector and save the output zip file.
   b) Rename the jre directory to jre_new, and jre_old to jre, and restart.
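
The UNIX side of steps 3, 6, 7 and 9b, sketched as a POSIX shell example added
here (it is not IBM-supplied code). The function names, arguments and return
codes are assumptions; the expected fix-level string is passed in by the caller
because the exact "java -version" output is not reproduced in this README.

```shell
#!/bin/sh
# Added example, not part of the IBM package. All function names are hypothetical.

# jre_version_ok JRE_DIR EXPECTED
# Step 3: run the bundled java and check that its -version output (written to
# stderr) contains the EXPECTED fix-level string taken from the advisory.
jre_version_ok() {
    [ -x "$1/bin/java" ] || return 1
    "$1/bin/java" -version 2>&1 | grep -F -q -- "$2"
}

# swap_jre WORK_DIR INSTALL_DIR EXPECTED
# Steps 6-7: rename jre to jre_old, then copy in the new jre. Run this only
# after the backup (step 4) and the shutdown (step 5).
# Returns 0 on success, 2 if the new JRE is not the expected level,
# 3 if INSTALL_DIR has no jre or already has a jre_old, 4 if the copy failed
# (in which case the original jre is put back).
swap_jre() {
    work=$1; inst=$2; expected=$3
    jre_version_ok "$work/jre" "$expected" || return 2
    [ -d "$inst/jre" ] || return 3
    [ ! -e "$inst/jre_old" ] || return 3   # never overwrite an earlier fallback
    mv "$inst/jre" "$inst/jre_old" || return 4
    if cp -Rp "$work/jre" "$inst/jre" &&
       jre_version_ok "$inst/jre" "$expected"; then
        return 0
    fi
    rm -rf "$inst/jre"                     # partial copy: restore the old JRE
    mv "$inst/jre_old" "$inst/jre"
    return 4
}

# rollback_jre INSTALL_DIR
# Step 9b: rename jre to jre_new and jre_old back to jre. Restart afterwards.
rollback_jre() {
    inst=$1
    [ -d "$inst/jre_old" ] || return 1
    [ ! -e "$inst/jre_new" ] || return 1
    mv "$inst/jre" "$inst/jre_new" && mv "$inst/jre_old" "$inst/jre"
}
```

Refusing to proceed when the version check fails keeps an instance from being
restarted on a JRE that still accepts SSLv3 or lacks the IV70681 fix.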