=============================================================================== Maintenance for Sterling External Authentication Server (SEAS) 2.4.2.0 =============================================================================== This cumulative maintenance archive includes GA release of SEAS 2.4.2.0 plus fixes for the issues listed below. Contents: I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action II. Summary of Fixes by Patch/APAR (Latest iFix / FixPack first) III. Detailed Description of Fixes =============================================================================== I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action =============================================================================== In iFix 1 (August 2015): Action - JRE upgrade turns off SSLv3 and RC4 support by default - see IT07375 for details =============================================================================== II. Summary of Fixes by iFix / FixPack /APAR (Latest iFix / FixPack first) =============================================================================== =============================================================================== Fixes for SEAS 2.4.2.0 IFix 3, Build 192 (March 2016) =============================================================================== DEFECT / APAR JRE Upgrade - Upgrade to IBM JRE 1.7 SR9 FP30 for latest security patches =============================================================================== Fixes for SEAS 2.4.2.0 IFix 2, Build 173 (September 2015) =============================================================================== DEFECT / APAR JRE Upgrade - Upgrade to IBM JRE 1.7 SR9 FP10 for latest security patches =============================================================================== Fixes for SEAS 2.4.2.0 IFix 1, Build 170 (August 2015) =============================================================================== DEFECT / APAR RTC465772/IT08982 - Upgrade to IBM JRE 1.7 SR9 for latest security IT07375 which turns off SSLv3 and RC4 support by default RTC469964/IT09808 - In FIPS mode, cipher selection limited under Java 6. RTC469968 - Allow non-interactive "mode=auto" feature. =============================================================================== III. Detailed Description of Fixes (in Defect ascending order) =============================================================================== RTC465772/IT08982 - Upgrade to IBM JRE 1.7 SR9 for latest security IT07375 which turn off SSLv3 and RC4 support by default Note that with this new JRE, SEAS only allows TLS sessions by default and will reject SSLv3 sessions. If the SSLv3 protocol is required until other components can switch to TLS, then for UNIX/Linux, add the -Dcom.ibm.jsse2.disableSSLv3=false property to the Java startup line(s) in the bin/startSeas.sh script. For Windows, add the property to the " lax.nl.java.option.additional=" line in the bin\SEAS$.lax file. RTC469964/IT09808 - In FIPS mode, cipher selection limited under Java 6. Resolution: Updated the FIPS module to allow extra cipher suites when running under Java 7, which is what is distributed now. RTC469968 - Allow non-interactive "autoshutdown" feature. Enhancement to allow shutting down SEAS without prompting for a userid or password. Syntax: /bin/stopSeas.sh mode=auto JRE Upgrade - Upgrade to IBM JRE 1.7 SR9 FP10 for latest security patches JRE Upgrade - Upgrade to IBM JRE 1.7 SR9 FP30 for latest security patches