================================================================================
Sterling Secure Proxy (SSP) 3.4.2.0 iFix 1 - March 2015
================================================================================

This cumulative maintenance archive includes the GA release of SSP Engine 3.4.2.0
and SSP Configuration Manager 3.4.2.0 plus the fixes for the issues mentioned
below.

Contents:

  I.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
  II. Detailed Description of Fixes


I. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)

Fixes are marked as Engine and CM (Configuration Manager)

===============================================================================
Summary of Fixes for SSP 3.4.2.0 iFix 1 Build 157 (Mar 2015)
===============================================================================

RTC443906/IT04691 (CM) - REST API Unable to add C:D netmap entries
RTC447381/IT05432 (CM) - REST API Creation of Perimeter Servers in More Secure zone fails
RTC447386/IT05434 (CM) - REST API Unable to create engines listening on same port on different IPs
RTC447746/IT05435 (CM) - REST API unable to create SSOConfig
RTC448111/IT05497 (CM) - REST API Unable to add HTTP netmap entries
RTC449216/IT05932 (CM) - REST API unable to add Properties with String values in SFTP Adapters
RTC449220/IT05931 (CM) - REST API unable to add more than one Trusted Certificate for FTP Outbound netmap node
RTC450252/IT06739 (CM) - REST API multiple issues with SSH keystores and netmaps.
RTC451341/IT06259 (CM) - REST API: the setTrustedCertName method is not available for FTP Outbound Netmap
RTC449219/IT07269 (Engine) - Transmission failure with checkpoint-restart and extended compression
RTC451959/IT06748 (Engine) - SSP3420 error at startup when enabling syslog facility in log.properties
RTC451962/IT06750 (Engine) - RuntimeException: Incorrect passphrase after upgrade to SSP3420 CM
RTC453348/IT06749 (Engine) - SSP will not come up after replacing keystore passphrase with one having an ampersand
RTC453767/IT07086 (CM) - REST API: Adding new key in invalid format gives successful return code.
No Defect/IT06628 (Engine) - Upgraded Castor toolkit to address PSIRT vulnerability
No Defect/IT07375 (CM, Engine, PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default
Enhancement (CM, Engine) - Dynamic routing based on inbound node, userid, or Connect:Direct PNode
Enhancement (CM, Engine) - HSM Support using IBMPKCS11 provided with the IBM JRE
No Defect/IT07778 (CM, Engine, PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR8 FP10+IV70681 for latest security patches, including the FREAK vulnerability.


II. Detailed Description of Fixes (in Defect ascending order)

===============================================================================
Detailed Descriptions of Fixes (in ascending fix order)
Fixes are marked as Engine, CM (Configuration Manager), and GUI (Admin GUI)
===============================================================================

No Defect/IT07778 (CM, Engine, PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR8 FP10+IV70681 for latest security patches, including the FREAK vulnerability.

This brings the JRE to the Java 1.7 SR8 FP10 fix level from the Oracle Java January 2015 security refresh, plus the IV70681 APAR fix level, which addresses the recent "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability.
No Defect/IT07375 (CM, Engine, PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default

Note that with this new JRE, SSP only allows TLS sessions by default and will reject SSLv3 sessions. If the SSLv3 protocol is required until trading partners can switch to TLS, then for UNIX/Linux, add the -Dcom.ibm.jsse2.disableSSLv3=false property to the Java startup line(s) in the bin/startEngine.sh script. For Windows, add the property to the "lax.nl.java.option.additional=" line in the bin\SSPengine$.lax file.

RTC443906/IT04691 (CM) - REST API Unable to add C:D netmap entries

Connect:Direct Netmap creation fails when running the REST API Sample program. The SSPCMRestService_*.log would display an error that states the netmap creation failed, and refers to the cms.log file.

Resolution: Modified the validation logic to match what is done in the CM.

RTC447381/IT05432 (CM) - REST API Creation of Perimeter Servers in More Secure zone fails

When creating a perimeter server in the more secure zone using the REST API, the following error will occur even if the localPort and the listenPort are equal:

  Create perimeterServer operation failed. - perimeterServerDef localPort and listenPort must be equal for type PERIMETER_SERVER_MORE_SECURE.

Resolution: Correctly compare the localPort and listenPort, so that if they are equal the perimeter server will be created.

RTC447386/IT05434 (CM) - REST API Unable to create engines listening on same port on different IPs

When creating an engine using the REST API that has the same port as an existing engine, the following error will occur even if the two engines are running on different hosts:

  EngineService - java.lang.Exception: Port in use. Pick a different port.
  StackTrace: java.lang.Exception: Port in use. Pick a different port.

The HTTP response code from the REST API will be 406 Not Acceptable.
Resolution: The code has been changed so that engines with the same port, but different hosts, can be created.

RTC447746/IT05435 (CM) - REST API unable to create SSOConfig

When creating an SSO configuration using the REST API, an error will occur if defApplicationUrl or ssoCookieDomain are not specified, even though these attributes should not be required. If the configuration has an internal portal type, then an error will occur if applicationLoginUrl is not provided, even though it should not be required.

Resolution: The code has been changed so that these attributes are not required by the REST API.

RTC448111/IT05497 (CM) - REST API Unable to add HTTP netmap entries

When creating an HTTP netmap using the REST API, the following error will occur if any of the outbound nodes use a secure connection:

  Validation error: Invalid cipher suites specified. Valid cipher suites are[PNODE, SSL3-ONLY, TLS1-ONLY, TLS1, SSL3, TLS1/2HI, SSL3/2HI, SSL]

Resolution: The code has been changed so that the correct list of valid cipher suites is used to validate outgoing nodes.

RTC449216/IT05932 (CM) - REST API unable to add Properties with String values in SFTP Adapters

When creating a C:D or SFTP adapter using the REST API, it is not possible to create properties that have string values. For SFTP adapters, it is not possible to add more than one property to a single adapter.

Resolution: The code has been changed so that SFTP and C:D adapters can have properties with string values. SFTP adapters created with the REST API can now have more than one property.

RTC449219/IT07269 (Engine) - Transmission failure with checkpoint-restart and extended compression

Scenario: a customer's C:D Secure Plus transfer of a large file using Checkpoint/Restart, Extended Compression and SSL Blocking (SSLB) with a TCP comm.bufsize of 64k. At a specific point in the transfer, just before a checkpoint record is taken, SSP sends an RU with only 3 bytes of data and the receiving C:D z/OS does not handle it properly.
The result is a decompression failure and MSG_SVTO022I. SSP was not correctly filling up the output SSL Blocking buffers, which caused the 3 bytes to be sent in their own RU rather than in the larger 64k RU.

Workarounds: Transfer with a comm.bufsize of 48k, or raise the checkpoint interval.

Resolution: Corrected the logic in the SSL Blocking class to add blobs to the outgoing SSLB buffer on the basis of size only and not limit the number of blobs per buffer.

RTC449220/IT05931 (CM) - REST API unable to add more than one Trusted Certificate for FTP Outbound netmap node

When creating a C:D, FTP, HTTP, or PeSIT netmap using the REST API, it is not possible to add more than one trusted certificate to inbound or outbound nodes in the netmap.

Resolution: The code has been changed so that multiple trusted certificates can be added to a single node.

RTC450252/IT06739 (CM) - REST API multiple issues with SSH keystores and netmaps.

There are three separate issues with the REST API that have been corrected.

The first issue is that when creating a new authorized user key store or adding a new key to an existing key store, the validation of the keys will fail even if the keys are valid. The response from the REST service will be:

  ERROR com.ibm.sspcm.rest.services.KeyStoreService - Invalid SSH Trusted Key specified. Please verify the SSH trusted certificate key.

The second issue is that when a netmap is created, or nodes are added to an existing netmap using the REST API, multiple nodes within the same netmap can have the same name. This applies to inbound nodes for C:D and PeSIT netmaps as well as both inbound and outbound nodes for HTTP, FTP, and SFTP netmaps.

The third issue is that when adding a user to a user store there is no way to specify an SSH authorized key store and keys. Even if the keystore and keys are included in the request, the REST service will not add them to the user configuration.
Resolution: For the first problem, the code has been changed to correctly validate user keys. For the second problem, a check has been added to ensure that multiple nodes within the same netmap do not have the same name. For the third problem, the REST service has been updated so that if an SSH authorized key store and keys are included in the request to add a new user, they will be added to the current configuration.

RTC451341/IT06259 (CM) - REST API: the setTrustedCertName method is not available for FTP Outbound Netmap

When creating an FTP netmap using the REST API, it is not possible to add a list of trusted certificates to an outbound node using the setTrustedCertName method.

Resolution: Added the setTrustedCertName method for FTP outbound nodes.

RTC451959/IT06748 (Engine) - SSP3420 error at startup when enabling syslog facility in log.properties

When the syslog facility is activated in bin/log.properties for the SSP3420 Engine or CM, an error like this appears at startup:

  Error while converting string [17] to type [class org.apache.logging.log4j.core.net.Facility]. Using default value [LOCAL0].
  java.lang.IllegalArgumentException: No enum constant org.apache.logging.log4j.core.net.Facility.17

The new log4j2 toolkit did not understand the integer facility values from the previous toolkit.

Resolution: Updated the code to convert the integer values to the required keywords used by log4j2.

RTC451962/IT06750 (Engine) - RuntimeException: Incorrect passphrase after upgrade to SSP3420 CM

A RuntimeException: Incorrect passphrase occurs after upgrading the Sterling Secure Proxy Configuration Manager (SSPCM) from a prior version. During the upgrade of the SSPCM, the passphrase bootstrap file conf/system/sb.enc should have been changed to sb2.enc. At startup, SSPCM attempted to obtain the passphrase from the sb2.enc file and reported an incorrect passphrase.

Resolution: Updated the install/upgrade code to ensure that the conf/system/sb2.enc file is created.
The passphrase is now read from sb2.enc if it exists, with sb.enc as a fallback. Messages were also updated to more accurately pinpoint whether the passphrase problem is because of missing bootstrap files or because of an invalid entry.

RTC453348/IT06749 (Engine) - SSP will not come up after replacing keystore passphrase with one having an ampersand

The engine or CM may not start correctly after using bin/configureEngineSsl.bat (.sh) or bin/configureCmSsl.bat (.sh) to change the keystore password to a string containing special characters. Depending on the location of the special character in the string, the error message will be something like:

  Startup did not succeed. Terminating: com.sterlingcommerce.hadrian.common.xml.XmlParsingException: Error on line 10: The reference to entity "pass" must end with the ';' delimiter.

Resolution: Code has been added to correctly handle special characters within passwords.

RTC453767/IT07086 (CM) - REST API: Adding new key in invalid format gives successful return code.

When using the REST API to add certificates to an existing key store or certificate store, the REST service may return a successful response even if the request was not formatted correctly. The new key or certificate may not appear in the GUI, even though the response from the REST service was successful. It is also possible that the certificate or key will be created, but the certificate data field on the GUI will be empty.

Resolution: The code validation has been updated to return an error message, and prevent the key or certificate from being added to the GUI if the request is invalid.

Enhancement (CM, Engine) - Dynamic routing based on inbound node, userid, or Connect:Direct PNode

Allow the outbound node to be chosen dynamically based on userid (for HTTP and FTP sessions), inbound IP address (for HTTP sessions) or the inbound PNode (for Connect:Direct sessions). See the Release Notes and online product documentation for SSP3420 iFix 1 for more information.
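The RTC453348/IT06749 entry above traces the startup failure to a passphrase containing "&" being written into an XML configuration file without escaping, so the parser sees a broken entity reference. The following Python is an added illustration, not SSP product code: it reproduces the defect pattern beside two corrected forms and generalizes to any XML-special character; the element names and sample passphrases are constructed.

```python
"""Added illustration of the RTC453348 failure mode (not SSP product code).

An '&' in a keystore passphrase, written unescaped into an XML config file,
produces an entity reference the parser rejects. Escaping the value before
writing, or building the document with an XML API, stores and reads back any
passphrase intact. Element names and passphrases are constructed samples.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed passphrase; "&pass" mimics the entity fragment in the SSP error.
PASSPHRASE = "key&pass!9"


def write_unescaped(passphrase: str) -> str:
    """Defect pattern: raw string concatenation into the XML document."""
    return f"<config><keystorePassword>{passphrase}</keystorePassword></config>"


def write_escaped(passphrase: str) -> str:
    """Fix: escape '&', '<' and '>' so the value is character data, not markup."""
    return f"<config><keystorePassword>{escape(passphrase)}</keystorePassword></config>"


def write_with_api(passphrase: str) -> str:
    """Fix (preferred): let the XML library serialize the text node."""
    root = ET.Element("config")
    ET.SubElement(root, "keystorePassword").text = passphrase
    return ET.tostring(root, encoding="unicode")


def read_password(xml_text: str):
    """Return (password, None) on success, or (None, parser error) on failure,
    which is the point at which SSP reported 'Startup did not succeed'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, str(exc)
    return root.findtext("keystorePassword"), None


if __name__ == "__main__":
    for writer in (write_unescaped, write_escaped, write_with_api):
        value, err = read_password(writer(PASSPHRASE))
        print(f"{writer.__name__:16s} -> {value!r} {err or ''}")
```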
Enhancement (CM, Engine) - HSM Support using IBMPKCS11 provided with the IBM JRE

SSP is updated to use the IBM PKCS11 security provider that comes with the IBM JRE to communicate with and operate Hardware Security Module (HSM) adapters. See the Release Notes and online product documentation for SSP3420 iFix 1 for more information.