================================================================================
Fixes beyond Sterling Secure Proxy (SSP) 3.4.2.0 iFix 8 - July 2016
================================================================================

This cumulative maintenance archive includes the GA release of SSP Engine
3.4.2.0 and SSP Configuration Manager 3.4.2.0 plus the fixes for the issues
mentioned below.

Contents:
  I.   HIPER fixes / Fixes requiring Action by iFix
  II.  Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
  III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

In iFix 8 Build 286 (July 2016):
HIPER  - Session starts rejected in Perimeter Server due to "too many open files"
         or "max concurrent circuits reached" - see IT15041 for details

In iFix 7 (March 2016):
HIPER  - Local PS getting high CPU / fast wakeup messages - see IT14117 for details
HIPER  - JRE 7.0.9.30 upgrade turns off MD5 support by default - see IT13805 for details
Action - Ensure no MD2/MD5/RC4 certificates or ciphers are in use
HIPER  - Update to Apache Commons-collections library for PSIRT 4202 - see IT12342
         for details
Action - SFTP HMACs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and
         hmac-sha2-512, respectively.
         See RTC492052 for details

In iFix 5 (September 2015):
HIPER  - Engine fails with CSP057E 16 Exception - java.lang.OutOfMemoryError:
         Java heap space - see RTC473228 for details

In iFix 4 (August 2015):
HIPER  - TLS connection fails when local PS log level is set to DEBUG
         - see RTC471053 for details
HIPER  - SSP3420 C:D sessions getting java.net.SocketException: Too many open
         files - see RTC468626 for details

In iFix 3 (June 2015):
Action - JRE upgrade turns off RC4 support by default - see IT08982 for details

In iFix 2 (May 2015):
HIPER  - SSP3420 crashes with OutOfMemory Exception when SFTP users get locked
         out - see RTC463125 for details
HIPER  - SSH Client using SFTP protocol version 4 fails after iFix 1
         - see RTC463822 for details

In iFix 1 (Mar 2015):
Action - JRE upgrade turns off SSLv3 support by default - see IT07375 for details

===============================================================================
II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
    Fixes are marked as Engine and CM (Configuration Manager)
===============================================================================

===============================================================================
Summary of Fixes for SSP 3.4.2.0 iFix 8 Build 286 (July 2016)
RTC485398 (Engine) - C:D file transfers fail with certificate issues
RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range
RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message
    from SSO login failure
RTC495433/IT14514 (CM) - manageKeyCerts import fails with
    java.lang.NullPointerException
RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server
RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open
    files" or "max concurrent circuits reached"
RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped
    password not present
RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine,
    "Max concurrent circuits reached: 4096" on PS
RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading
    to SI 5.2.6.1
RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for
    PerimeterServerConfig
RTC497092/IT14615 (Engine) - Engine shutdown issue
RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL handshakes
RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or at the
    sftp_rekeycount limit in the adapter
RTC501172/ (CM) - CM ManagedAccepterService fails to start, causing logins to fail
RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP headers
RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS
    enabled
RTC502844/IT15531 (CM) - Unable to import PKCS12 SHA2 certs using configureCmSsl
    utility
RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External
    Authentication
RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns
    success but the node still exists
RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a
    single Windows Service, and starting/shutting down the PS service starts/stops
    all of them
RTC505702/IT16080 (CM) - Enhancements to password policy rules

===============================================================================
Summary of Fixes for SSP 3.4.2.0 iFix 7 Build 257 (March 2016)
RTC480977/Enhance (CM,Engine) - (SFTP) Support for SHA2 MACs and exchange
No RTC/IT12342 (CM) - Update to Apache Commons-collections library for PSIRT 4202
No RTC/ (PS) - Add info to differentiate SSP PS from SI PS
RTC479958/IT13168 (Engine) - (FTP) Getting "TLS security negotiation failed" when
    retrieving a 0 byte file
RTC482830/ (Engine) - CD adapter port left in CLOSE-WAIT state when failover
    polling detects a routing outage
RTC485091/IT13200 (CM) - SSPCM may be vulnerable to a Cross Frame Scripting attack
RTC486931/IT13592 (Engine) - (SFTP) Multiple Maverick stack-trace messages logged
    when an SFTP client disconnects
RTC488537/IT13196 (Engine) - (SFTP) Transfers getting occasional
    java.lang.ArithmeticException: / by zero
RTC488638/ (CM) - Elliptic Curve (EC) private keys fail to import
RTC488079/IT13769 (Engine) - (SFTP) SSH port forwarding allowed on SFTP adapter
RTC492023/IT13805 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE
    7.0.9.30 for latest security patches
RTC492052/IT13855 (CM,Engine) - (SFTP) SHA2 connections fail due to mismatched
    MAC names
RTC492951/IT14035 (Engine) - (FTP) Debug logging shows passwords in clear
RTC493866/IT14117 (Engine) - (PS) High CPU, fast wakeups in local PS log

===============================================================================
Summary of Fixes for SSP 3.4.2.0 iFix 6 Build 231 (November 2015)
RTC468593/IT10631 (PS,Engine) - (PS) Proxy Local Interface does not set up the
    listener on a specific interface
RTC475458/IT11735 (Engine) - C:D Adapter configuration push causes listener to
    mishandle new connections
No RTC (Engine) - C:D logging improvement to display the client certificate during
    a C:D Secure+ SSL handshake when server/client authentication is turned on
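The iFix 7 items RTC480977 and RTC492052/IT13855, together with the Action note in Section I, come down to SSH algorithm name matching: RFC 4253 selects the first name on the client's list that also appears on the server's list, so a side that still advertises the pre-RFC 6668 spellings hmac-sha256/hmac-sha512 never matches a peer that sends hmac-sha2-256/hmac-sha2-512. The Python model below is an added example, not SSP or Maverick code; the name-lists are constructed, and the choice of which side used the legacy spelling is an assumption made to show the effect.

```python
"""SSH algorithm negotiation (RFC 4253 section 7.1) applied to MAC names.

Added example, not SSP or Maverick code. The name-lists are constructed to
mirror the iFix 7 change: one side advertises the pre-RFC 6668 spellings
hmac-sha256/hmac-sha512, the other only knows hmac-sha2-256/hmac-sha2-512,
so a SHA-2 MAC can never be selected until the names are aligned.
"""

# Legacy spellings some SSH stacks used before RFC 6668 fixed the names.
LEGACY_MAC_ALIASES = {
    "hmac-sha256": "hmac-sha2-256",
    "hmac-sha512": "hmac-sha2-512",
}


def negotiate(client_list, server_list):
    """RFC 4253 rule for the encryption, MAC and compression name-lists:
    the chosen algorithm is the first name on the client's list that is
    also on the server's list; no common name means the connection fails."""
    server = set(server_list.split(","))
    for name in client_list.split(","):
        if name in server:
            return name
    return None


def normalize(name_list):
    """Rewrite legacy MAC names to their RFC 6668 spellings, dropping any
    duplicate that results, while keeping preference order."""
    seen, out = set(), []
    for name in name_list.split(","):
        canonical = LEGACY_MAC_ALIASES.get(name, name)
        if canonical not in seen:
            seen.add(canonical)
            out.append(canonical)
    return ",".join(out)


# Constructed name-lists. The client is an OpenSSH-style peer that sends the
# standard names; the server mirrors the pre-iFix 7 advertisement (assumed).
CLIENT_MACS = "hmac-sha2-256,hmac-sha2-512,hmac-sha1"
OLD_SERVER_MACS = "hmac-sha256,hmac-sha512,hmac-sha1"


def negotiate_before_fix():
    """Silently downgrades to hmac-sha1, the only name both sides share."""
    return negotiate(CLIENT_MACS, OLD_SERVER_MACS)


def negotiate_after_fix():
    """With the server list renamed, the client's first preference matches."""
    return negotiate(CLIENT_MACS, normalize(OLD_SERVER_MACS))


def negotiate_sha2_only_client():
    """A client hardened to SHA-2 MACs finds nothing in common with the old
    server list; this is the 'SHA2 connections fail' symptom of IT13855."""
    return negotiate("hmac-sha2-256,hmac-sha2-512", OLD_SERVER_MACS)


if __name__ == "__main__":
    print("before fix      :", negotiate_before_fix())
    print("after fix       :", negotiate_after_fix())
    print("sha2-only client:", negotiate_sha2_only_client())
```

The quiet fallback to hmac-sha1 in the first case is the part worth noticing: a name mismatch does not always fail loudly, it can just pick the weakest algorithm both sides still share, so after applying the rename it is worth confirming in the SFTP adapter's debug log which MAC was actually negotiated.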
RTC478044/IT11857 (Engine) - C:D Execute on Success Step Injection (RUN TASK)
    replaces variable with encoded characters
RTC479400/IT12069 (CM) - Unable to import OpenSSL keycerts into SSP3420 System
    Certificate Store
RTC480314/IT12099 (CM,Engine) - Incorrect timestamp showing in audit logs in SSP3420
RTC480325/IT12111 (Engine) - Stopping CD Adapter causes other adapters on the same
    outbound PS to time out
RTC480882/IT11993 (Engine) - Mapped userid from SEAS is not honored when using SSO
    for SFTP and HTTP proxies
RTC481064/ (Engine) - HTTP Proxy Adapter not catching invalid method

===============================================================================
Summary of Fixes for SSP 3.4.2.0 iFix 5 (September 2015)
RTC473228/IT10611 (Engine) - (CD) Engine fails with CSP057E 16 Exception -
    java.lang.OutOfMemoryError: Java heap space *HIPER*
RTC474077/IT10648 (Engine) - (CD) Getting non-fatal CSP057E 16 Exception: peer not
    authenticated on every transfer
RTC474304/IT10682 (CM) - Logging Level reset to NONE when navigating netmap screens
RTC461598 (Engine) - Various logging enhancements, mainly in CD processing
JRE Upgrade (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 7 SR9 FP10
    for latest security patches
RTC476225 (Engine,CM) - SSP3420 iFix 3 and 4 missing SSLv3 courtesy message at
    startup
===============================================================================
Summary of Fixes for SSP 3.4.2.0 iFix 4 (August 2015)
RTC465113/IT09708 (CM,Engine) - Unsupported PKCS8 format on SHA256 private key
    after upgrade to SSP3420
RTC465226/ (Engine) - Change from IBMSecureRandom to SHA2DRBG to remain FIPS 140-2
    compliant beyond 2015
RTC466081/ (Engine) - SCP sessions time out (hang)
RTC468626/IT09823 (Engine) - SSP3420 C:D sessions getting
    java.net.SocketException: Too many open files *HIPER*
RTC468588/IT09809 (Engine) - Connections using non-Secure+ on the PNODE leg and
    Secure+ on the SNODE leg fail
RTC469108/IT09790 (CM) - Unable to create PeSIT nodes with the same IP/port
    combinations
RTC469924/IT10252 (Engine) - PeSIT unable to do LogonID mapping
RTC469964/IT09808 (Engine) - In FIPS mode, cipher selection limited to non-ECDHE
    cipher suites under Java 6
RTC469968/ (CM,Engine) - Support for SSP Automatic Shutdown
RTC470812/ (Engine) - SCP reports key auth error and locks the user account sooner,
    even though the policy is password auth
RTC471053/ (Engine) - TLS connection fails when local PS log level is set to DEBUG
    *HIPER*
RTC472174/ (CM) - Error adding C:D netmap entries with duplicate IP/ports in SSP3420
RTC473126 (CM) - OutOfMemory error in CM after numerous large configuration updates
No Defect (Engine) - Turned off JRE CBC protection to avoid C:D FMH failures after
    Secure+ handshake

===============================================================================
Summary of Fixes for SSP 3.4.2.0 iFix 3 Build 201 (June 2015)
Enhancement (CM,Engine) - Support for SCP (SSH Secure Copy) in the SFTP adapter
RTC469640/IT09670 (Engine) - Memory creep in SFTP when node level logging is turned on
No Defect/IT08982 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 7 SR9
    for latest security patches
===============================================================================
Summary of Fixes for SSP 3.4.2.0 iFix 2 Build 169 (May 2015)
RTC453484/IT06751 (CM,Engine) - Passwords partially visible on command line when
    pasting instead of typing
RTC463125/IT08601 (Engine) - SSP3420 crashes with OutOfMemory Exception when SFTP
    users get locked out *HIPER*
RTC462627/IT08718 (CM) - Unable to authenticate SSP CM users via SEAS & LDAP since
    upgrade of SSP 3.4.1.8 to 3.4.2
RTC463822/IT08800 (Engine) - (SFTP) SSH Client using SFTP protocol version 4 fails
Minor Update (PS) - Increase Perimeter Server MaxHeap to 1024M

===============================================================================
Summary of Fixes for SSP 3.4.2.0 iFix 1 Build 157 (Mar 2015)
RTC443906/IT04691 (CM) - REST API unable to add C:D netmap entries
RTC447381/IT05432 (CM) - REST API creation of Perimeter Servers in More Secure zone
    fails
RTC447386/IT05434 (CM) - REST API unable to create engines listening on the same
    port on different IPs
RTC447746/IT05435 (CM) - REST API unable to create SSOConfig
RTC448111/IT05497 (CM) - REST API unable to add HTTP netmap entries
RTC449216/IT05932 (CM) - REST API unable to add Properties with String values in
    SFTP Adapters
RTC449220/IT05931 (CM) - REST API unable to add more than one Trusted Certificate
    for FTP Outbound netmap node
RTC450252/IT06739 (CM) - REST API multiple issues with SSH keystores and netmaps
RTC451341/IT06259 (CM) - REST API: the setTrustedCertName method is not available
    for FTP Outbound Netmap
RTC449219/IT07269 (Engine) - Transmission failure with checkpoint-restart and
    extended compression
RTC451959/IT06748 (Engine) - SSP3420 error at startup when enabling syslog facility
    in log.properties
RTC451962/IT06750 (Engine) - RuntimeException: Incorrect passphrase after upgrade
    to SSP3420 CM
RTC453348/IT06749 (Engine) - SSP will not come up after replacing keystore
    passphrase with one having an ampersand
RTC453767/IT07086 (CM) - REST API: Adding new key in invalid format gives
    successful return code
No Defect/IT06628 (Engine) - Upgraded Castor toolkit to address PSIRT vulnerability
No Defect/IT07375 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7
    SR8 for latest security patches, which turn off SSLv3 support by default
Enhancement (CM,Engine) - Dynamic routing based on inbound node, userid, or
    Connect:Direct PNODE
Enhancement (CM,Engine) - HSM support using IBMPKCS11 provided with the IBM JRE
No Defect/IT07778 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7
    SR8 FP10+IV70681 for latest security patches, including the FREAK vulnerability
RTC457005/IT07549 (Engine) - SSP3420 won't start due to "incorrect passphrase"
RTC458209/IT07550 (CM) - REST API: Adapter creation fails if pingResponse field
    has spaces in its value
RTC458216/IT07551 (CM) - REST API: Create HTTP Adapters with REST APIs fails with
    SSO Configuration error
RTC460780/ (CM,Engine) - Certificate chaining error when selecting multiple CA certs

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
     Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter)
===============================================================================

No Defect/IT07375 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7
SR8 for latest security patches, which turn off SSLv3 support by default
With this new JRE, SSP only allows TLS sessions by default and will reject SSLv3
sessions. If the SSLv3 protocol is required until trading partners can switch to
TLS, then for UNIX/Linux add the -Dcom.ibm.jsse2.disableSSLv3=false property to
the Java startup line(s) in the bin/startEngine.sh script. For Windows, add the
property to the "lax.nl.java.option.additional=" line in the bin\SSPengine$.lax
file. Re-enabling SSLv3 also re-exposes the listener to the protocol weaknesses
(POODLE, CVE-2014-3566) that caused the JRE to disable it, so treat the property
as a temporary, per-partner exception and remove it once the partners have moved
to TLS. See http://www-01.ibm.com/support/docview.wss?uid=swg21695265 for more
information.

No Defect/IT07778 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7
SR8 FP10+IV70681 for latest security patches, including the FREAK vulnerability
This brings the JRE to the Java 1.7 SR8 FP10 fix level from the Oracle Java
January 2015 security refresh, plus the IV70681 APAR fix level, which addresses
the "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server
vulnerability. See http://www-01.ibm.com/support/docview.wss?uid=swg21699829 for
more information.

RTC443906/IT04691 (CM) - REST API unable to add C:D netmap entries
Connect:Direct netmap creation fails when running the REST API sample program.
The SSPCMRestService_*.log displays an error stating that the netmap creation
failed and refers to the cms.log file.
Resolution: Modified the validation logic to match what is done in the CM.
RTC447381/IT05432 (CM) - REST API creation of Perimeter Servers in More Secure zone
fails
When creating a perimeter server in the more secure zone using the REST API, the
following error occurs even if the localPort and the listenPort are equal:
    Create perimeterServer operation failed. - perimeterServerDef localPort and
    listenPort must be equal for type PERIMETER_SERVER_MORE_SECURE.
Resolution: Correctly compare the localPort and listenPort, so that if they are
equal the perimeter server is created.

RTC447386/IT05434 (CM) - REST API unable to create engines listening on the same
port on different IPs
When creating an engine using the REST API that has the same port as an existing
engine, the following error occurs even if the two engines run on different hosts:
    EngineService - java.lang.Exception: Port in use. Pick a different port.
    StackTrace: java.lang.Exception: Port in use. Pick a different port.
The HTTP response code from the REST API is 406 Not Acceptable.
Resolution: The code has been changed so that engines with the same port but
different hosts can be created.

RTC447746/IT05435 (CM) - REST API unable to create SSOConfig
When creating an SSO configuration using the REST API, an error occurs if
defApplicationUrl or ssoCookieDomain are not specified, even though these
attributes should not be required. If the configuration has an internal portal
type, an error occurs if applicationLoginUrl is not provided, even though it
should not be required.
Resolution: The code has been changed so that these attributes are not required by
the REST API.

RTC448111/IT05497 (CM) - REST API unable to add HTTP netmap entries
When creating an HTTP netmap using the REST API, the following error occurs if any
of the outbound nodes use a secure connection:
    Validation error: Invalid cipher suites specified.
    Valid cipher suites are [PNODE, SSL3-ONLY, TLS1-ONLY, TLS1, SSL3, TLS1/2HI,
    SSL3/2HI, SSL]
Resolution: The code has been changed so that the correct list of valid cipher
suites is used to validate outgoing nodes.

RTC449216/IT05932 (CM) - REST API unable to add Properties with String values in
SFTP Adapters
When creating a C:D or SFTP adapter using the REST API, it is not possible to
create properties that have string values. For SFTP adapters, it is not possible
to add more than one property to a single adapter.
Resolution: The code has been changed so that SFTP and C:D adapters can have
properties with string values. SFTP adapters created with the REST API can now
have more than one property.

RTC449219/IT07269 (Engine) - Transmission failure with checkpoint-restart and
extended compression
A customer using a C:D Secure+ transfer of a large file with Checkpoint/Restart,
Extended Compression, SSL Blocking (SSLB) and a TCP comm.bufsize of 64k saw the
transfer fail at a specific point. Just before a checkpoint record is taken, SSP
sends an RU with only 3 bytes of data, and the receiving C:D z/OS does not handle
it properly. The result is a decompression failure and MSG_SVTO022I. SSP was not
correctly filling the output SSL Blocking buffers, which caused the 3 bytes to be
sent in their own RU rather than in the larger 64k RU.
Workarounds: Transfer with a comm.bufsize of 48k, or raise the checkpoint interval.
Resolution: Corrected the logic in the SSL Blocking class to add blobs to the
outgoing SSLB buffer on the basis of size only and not limit the number of blobs
per buffer.

RTC449220/IT05931 (CM) - REST API unable to add more than one Trusted Certificate
for FTP Outbound netmap node
When creating a C:D, FTP, HTTP, or PeSIT netmap using the REST API, it is not
possible to add more than one trusted certificate to inbound or outbound nodes in
the netmap.
Resolution: The code has been changed so that multiple trusted certificates can be
added to a single node.
RTC450252/IT06739 (CM) - REST API multiple issues with SSH keystores and netmaps
There are three separate issues with the REST API that have been corrected.
The first issue is that when creating a new authorized user key store, or adding a
new key to an existing key store, the validation of the keys fails even if the
keys are valid. The response from the REST service is:
    ERROR com.ibm.sspcm.rest.services.KeyStoreService - Invalid SSH Trusted Key
    specified. Please verify the SSH trusted certificate key.
The second issue is that when a netmap is created, or nodes are added to an
existing netmap using the REST API, multiple nodes within the same netmap can have
the same name. This applies to inbound nodes for C:D and PeSIT netmaps as well as
both inbound and outbound nodes for HTTP, FTP, and SFTP netmaps.
The third issue is that when adding a user to a user store there is no way to
specify an SSH authorized key store and keys. Even if the keystore and keys are
included in the request, the REST service does not add them to the user
configuration.
Resolution: For the first problem, the code has been changed to correctly validate
user keys. For the second problem, a check has been added to ensure that multiple
nodes within the same netmap do not have the same name. For the third problem, the
REST service has been updated so that if an SSH authorized key store and keys are
included in the request to add a new user, they are added to the current
configuration.

RTC451341/IT06259 (CM) - REST API: the setTrustedCertName method is not available
for FTP Outbound Netmap
When creating an FTP netmap using the REST API, it is not possible to add a list
of trusted certificates to an outbound node using the setTrustedCertName method.
Resolution: Added the setTrustedCertName method for FTP outbound nodes.
RTC451959/IT06748 (Engine) - SSP3420 error at startup when enabling syslog
facility in log.properties
When the syslog facility is activated in bin/log.properties for the SSP3420 Engine
or CM, an error like this appears at startup:
    Error while converting string [17] to type
    [class org.apache.logging.log4j.core.net.Facility]. Using default value
    [LOCAL0]. java.lang.IllegalArgumentException: No enum constant
    org.apache.logging.log4j.core.net.Facility.17
The new log4j2 toolkit did not understand the integer facility values from the
previous toolkit.
Resolution: Updated the code to convert the integer values to the keywords
required by log4j2.

RTC451962/IT06750 (Engine) - RuntimeException: Incorrect passphrase after upgrade
to SSP3420 CM
Getting "RuntimeException: Incorrect passphrase" after upgrading the Sterling
Secure Proxy Configuration Manager (SSPCM) from a prior version. During the
upgrade of the SSPCM, the passphrase bootstrap file conf/system/sb.enc should have
been changed to sb2.enc. At startup, SSPCM attempted to obtain the passphrase from
the sb2.enc file and reported an incorrect passphrase.
Resolution: Updated the install/upgrade code to ensure that the
conf/system/sb2.enc file is created. The passphrase is now read from sb2.enc if it
exists, with sb.enc as a fallback. Also updated messages to pinpoint whether the
passphrase problem is caused by missing bootstrap files or by an invalid entry.

RTC453348/IT06749 (Engine) - SSP will not come up after replacing keystore
passphrase with one having an ampersand
The engine or CM may not start correctly after using bin/configureEngineSsl.bat
(.sh) or bin/configureCmSsl.bat (.sh) to change the keystore password to a string
containing special characters. Depending on the location of the special character
in the string, the error message will be something like:
    Startup did not succeed. Terminating:
    com.sterlingcommerce.hadrian.common.xml.XmlParsingException: Error on line 10:
    The reference to entity "pass" must end with the ';' delimiter.
The passphrase was written into an XML file without escaping, so the "&" was
parsed as the start of an entity reference.
Resolution: Code has been added to correctly handle special characters within
passwords.

RTC453484/IT06751 (CM,Engine) - Passwords partially visible on command line when
pasting instead of typing
If a password or passphrase is pasted into the command line instead of typed when
running any of the scripts in the bin directory, all of the characters except the
last are visible.
Resolution: The code which reads passwords has been updated with a better method
of hiding passwords regardless of the speed at which the characters arrive.

RTC453767/IT07086 (CM) - REST API: Adding new key in invalid format gives
successful return code
When using the REST API to add certificates to an existing key store or
certificate store, the REST service may return a successful response even if the
request was not formatted correctly. The new key or certificate may not appear in
the GUI, even though the response from the REST service was successful. It is also
possible that the certificate or key is created but the certificate data field in
the GUI is empty.
Resolution: The validation code has been updated to return an error message and
prevent the key or certificate from being added if the request is invalid.

Enhancement (CM,Engine) - Dynamic routing based on inbound node, userid, or
Connect:Direct PNODE
Allows the outbound node to be chosen dynamically based on userid (for HTTP and
FTP sessions), inbound IP address (for HTTP sessions) or the inbound PNODE (for
Connect:Direct sessions). See the Release Notes and online product documentation
for SSP3420 iFix 1 for more information.

Enhancement (CM,Engine) - HSM support using IBMPKCS11 provided with the IBM JRE
SSP is updated to use the IBM PKCS11 security provider that comes with the IBM JRE
to communicate with and operate Hardware Security Module (HSM) adapters.
See the Release Notes and online product documentation for SSP3420 iFix 1 for more
information.

RTC457005/IT07549 (Engine) - SSP3420 won't start due to "incorrect passphrase"
After changing the passphrase for the engine or configuration manager, it may fail
to start with the error:
    Exception in thread "main" java.lang.RuntimeException: Incorrect passphrase
This error occurs if the encrypted passphrase happens to contain the newline
character as its first byte.
Resolution: Now correctly handle encrypted passphrases with the newline character
as the first byte.

RTC458209/IT07550 (CM) - REST API: Adapter creation fails if pingResponse field has
spaces in its value
Creating an HTTP, C:D, or PeSIT adapter using the REST API may fail if the
pingResponse field contains spaces or special characters. The response from the
REST service is:
    204 NO_CONTENT
    Please check the CMS log file for errors
    Create adapter operation failed. ERROR Valid characters for Name are:
    "-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_."
Resolution: The validation logic for HTTP, C:D, and PeSIT adapters has been
changed to allow spaces and special characters in the pingResponse field.

RTC458216/IT07551 (CM) - REST API: Create HTTP Adapters with REST APIs fails with
SSO Configuration error
Creating an HTTP adapter using the REST API may fail if it references an SSO
Configuration. Below is the response from the REST service even if the SSO
Configuration exists:
    204 NO_CONTENT
    Please check the CMS log file for errors
    Create adapter operation failed. ERROR SSO Configuration sso_config_name not
    found
Resolution: Now correctly determine whether the SSO configuration is valid.

RTC460780/ (CM,Engine) - Certificate chaining error when selecting multiple CA certs
A customer upgraded to SSP3420 and discovered that when multiple certificates are
selected in a netmap, sessions do not complete their SSL/TLS handshake:
    PKIX path building failed:
    java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not
    build a valid CertPath.; internal cause is:
    java.security.cert.CertPathValidatorException: Certificate chaining error
Resolution: Now properly trim the certs as the stream is fed into the TrustManager
and ensure that all certs are delivered.

RTC461598 (Engine) - Various logging enhancements, mainly in CD processing
 - Add CD adapter name and session id to messages sent to syslog
 - Better diagnostics (not stack traces) when CD Secure+ sessions fail
 - Ensure CD error sessions end with an ERROR message, not INFO
 - Added dump of CD FMH68 from PNODE at debug level
 - Cleaned up excessive linefeeds during TLS tracing in systemout.log
 - For minimal but effective TLS tracing in systemout.log, use the following in
   the SSP or SEAS Java startup line:
       -Djavax.net.debug=ssl:handshake

RTC462627/IT08718 (CM) - Unable to authenticate SSP CM users via SEAS & LDAP since
upgrade of SSP 3.4.1.8 to 3.4.2
In SSP3420, if SEAS is used to authenticate CM users and the connection to SEAS is
configured for SSL, the CM cannot establish the SSL connection to SEAS. The SSL
output from the CM shows:
    RequestHandler Pool Worker - 2, handling exception:
    java.lang.IllegalArgumentException:
Resolution: The CM did not understand the certificate format used in 3.4.2.0.
Support for the new format has been added.

RTC463125/IT08601 (Engine) - SSP3420 crashes with OutOfMemory Exception when SFTP
users get locked out *HIPER*
In SSP3420, when an SFTP user is locked out after 3 failed login attempts, the
subsequent attempts against that userid are rejected, but the session count is
still incremented and the session objects are not freed. This eventually results
in an OutOfMemory exception which crashes the Engine. Because the rejected
attempts need no valid credential, anyone who can reach the SFTP listener can
drive the count up simply by retrying a locked account.
This issue is considered High Impact PERvasive (HIPER).
The logs show many sessions with
    SSE2612 ... Login prevented (account locked). User xxx ...
followed by an
    SSE2654 Session limit of xxx has been exceeded
and eventually (likely days later) an OutOfMemory exception which takes the engine
down.
Resolution: Now detect the failed login attempt and call the logoff operation to
decrement the session count and free the session memory.

RTC463822/IT08800 (Engine) - (SFTP) SSH Client using SFTP protocol version 4 fails
In SSP3420, if an SFTP client is configured to use SFTP protocol version 4 or
higher, the handshake fails. Depending on the client, this may show up as a
failure to open the root directory.
Resolution: SSP supports only SFTP version 3, but during the handshake it allowed
the client to continue with version 4 or above. Code was added to negotiate the
handshake down to version 3, which lets SSP correctly negotiate the SFTP version
between the client and the backend server.

Minor Update (PS) - Increase Perimeter Server MaxHeap to 1024M
Resolution: Increased the Perimeter Server Java MaxHeap from 512M to 1024M.
Also, for reference, the PServer_install.properties file in the install directory
contains a line which identifies this as an SSP PS instead of a B2Bi (SI) PS:
    # ## IBM Sterling Secure Proxy (SSP) Perimeter Server ##

No Defect/IT08982 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 7 SR9
for latest security patches
This revision of the JRE turns off the RC4 cipher suites and turns on CBC
protection by default. See
http://www-01.ibm.com/support/docview.wss?uid=swg21903468 for more information.

Enhancement (CM,Engine) - Support for SCP (SSH Secure Copy) in the SFTP adapter
Enhancement to add the SCP protocol to the SFTP adapter.
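RTC453348 above is the textbook failure of building XML by string concatenation: an "&" in the passphrase becomes the start of an entity reference and the parser rejects the whole file. The example below is added here and is not SSP code; the keystore/passphrase element names are a constructed stand-in for whatever SSP's configuration format actually uses. It shows the unsafe templating beside two correct versions and, going a little beyond the report, checks that every XML metacharacter (not only the ampersand) round-trips.

```python
"""Escaping a secret before it goes into an XML configuration file.

Added example, not SSP code. The <keystore>/<passphrase> document is a
constructed stand-in for SSP's real configuration format; the point is the
pattern behind RTC453348, where an '&' in a new keystore passphrase made the
configuration file unparsable at startup.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TEMPLATE = "<keystore><passphrase>%s</passphrase></keystore>"

# Constructed value containing every XML metacharacter, not only '&'.
TRICKY_PASSPHRASE = 'S3cret&pass<1>"x"'


def build_config_unsafe(passphrase):
    """String templating with no escaping: the value is pasted in as-is."""
    return TEMPLATE % passphrase


def build_config_escaped(passphrase):
    """Same template, value escaped per XML 1.0. The extra entity makes the
    helper safe for attribute values as well as element text."""
    return TEMPLATE % escape(passphrase, {'"': "&quot;"})


def build_config_with_api(passphrase):
    """Let the XML library serialize the tree; it cannot emit a malformed
    document whatever the string contains."""
    root = ET.Element("keystore")
    ET.SubElement(root, "passphrase").text = passphrase
    return ET.tostring(root, encoding="unicode")


def read_passphrase(xml_text):
    """Parse the file the way startup would; None means 'not well-formed',
    the case that surfaced as 'Startup did not succeed'."""
    try:
        return ET.fromstring(xml_text).findtext("passphrase")
    except ET.ParseError:
        return None


def roundtrip_unsafe():
    return read_passphrase(build_config_unsafe(TRICKY_PASSPHRASE))


def roundtrip_escaped():
    return read_passphrase(build_config_escaped(TRICKY_PASSPHRASE))


def roundtrip_api():
    return read_passphrase(build_config_with_api(TRICKY_PASSPHRASE))


if __name__ == "__main__":
    print("unsafe  :", roundtrip_unsafe())    # None: parser rejects the file
    print("escaped :", roundtrip_escaped())   # original passphrase
    print("via API :", roundtrip_api())       # original passphrase
```

Of the two correct versions, the serializer-based one is the safer habit: it removes the question of whether a given value lands in element text or in an attribute, which is exactly where hand-rolled escaping tends to miss a case.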
RTC465113/IT09708 (CM,Engine) - Unsupported PKCS8 format on SHA256 private key
after upgrade to SSP3420
An SSP 3.4.1.8 customer had a keycert with a private key protected using a SHA256
algorithm (generated by Certificate Wizard). When the customer upgraded to
SSP3420, the SSL handshake failed with the message:
    Exception processing input certificate - java.security.cert.
    CertificateException - Unsupported PKCS8 format.
    oid1=[1.2.840.113549.1.5.13], oid2=[1.2.840.113549.1.5.12]
Workaround: Use the following steps in Certificate Wizard to put the keycert into
PKCS12 format so that it can be imported into the SSP CM:
  1) Start with the keycert in PEM format (contains "Begin Private Key").
  2) Bring up the Certificate Wizard and navigate to the "Generate Key
     Certificate" tab.
  3) Enter the private key part of the PKCS8 keycert in the private key file
     field.
  4) Enter the rest of the certificate(s) from the keycert in the certificate
     file name field. You can try specifying the same keycert file for both and
     it may pick the pieces it needs.
  5) Choose the output keycert format PKCS12 and generate the output file.
  6) Import the PKCS12 keycert into the CM.
Resolution: If the keycert used in the above workaround contains multiple CAs,
this fix allows the generated PKCS12 file to be imported into the SSPCM.

RTC465226/ (Engine) - Change from IBMSecureRandom to SHA2DRBG to remain FIPS 140-2
compliant beyond 2015
The IBMSecureRandom pseudo-random number generator loses its FIPS compliance after
December 2015.
Resolution: Now use the SHA2DRBG generator to maintain FIPS compliance beyond 2015.

RTC466081/ (Engine) - SCP sessions time out (hang)
SCP sessions can hang, caused by a deadlock between two threads:
    [thread-1] is waiting to lock com.maverick.events.EventServiceImplementation
               which is held by [thread-2].
    [thread-2] is waiting to lock com.maverick.ssh2.Ssh2Session which is held by
               [thread-1].
Resolution: Removed a fireEvent operation during a close call which was causing
the deadlock.

RTC468588/IT09809 (Engine) - Connections using non-Secure+ on the PNODE leg and
Secure+ on the SNODE leg fail
When a Connect:Direct netmap has a non-Secure+ PNODE on the inbound side going to
a Secure+ SNODE on the outbound side, the connection fails.
Resolution: Now handshake properly on both sides of the connection so that the
non-secure to secure connection works.

RTC468593/IT10631 (PS,Engine) - (PS) Proxy Local Interface does not set up the
listener on a specific interface
When installing the Perimeter Server with the "More Secure Zone" option and
placing a specific IP address in the Proxy Local Interface option, the PS listens
on all interfaces instead of the specified local interface.
Resolution: Now include updated Perimeter Server code which binds to the selected
Proxy Local Interface.

RTC468626/IT09823 (Engine) - SSP3420 C:D sessions getting
java.net.SocketException: Too many open files *HIPER*
SSP3420 customers running many simultaneous C:D transfers through SSP get a
java.net.SocketException: Too many open files error. These open files are sockets
which have not been closed.
Resolution: Now close every used socket at the end of a C:D transfer.

RTC469108/IT09790 (CM) - Unable to create PeSIT nodes with the same IP/port
combinations
When defining a new node in a PeSIT netmap with a duplicate IP and port, the save
operation fails with:
    "There is already a node with that address & port, named: xxxxxxxx."
However, PeSIT netmaps should allow duplicate IP/port combinations as long as the
node name is different.
Resolution: Now allow duplicate IP/port combinations in PeSIT netmaps as long as
the node names are different.

RTC469640/IT09670 (Engine) - Memory creep in SFTP when node level logging is turned
on
When running with logging turned on for SFTP inbound or outbound nodes in a
netmap, a small memory leak occurs with every session.
A logging appender was being allocated whether or not the log was already active.
Resolution: Now properly check for an existing appender before creating a new one when doing SFTP node level logging.

RTC469924/IT10252 (Engine) - PeSIT unable to do LogonID mapping
The LogonID Mapping values in the PeSIT netmap were not being honored.
Resolution: Corrected the PeSIT netmap logic to allow LogonID Mapping:
- Pass-through for PNODE (Default)
- Replace LogonID with LogonID mapped in External Authentication
- Replace LogonID with Netmap LogonID

RTC469964/IT09808 (Engine) - In FIPS mode, cipher selection limited to non-ECDHE cipher suites under Java 6
Resolution: Updated the FIPS module to allow the following ECDHE cipher suites when running in FIPS mode under Java 7, which is what is distributed now:
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

RTC469968/ (CM,Engine) - Support for SSP Automatic Shutdown
Enhancement to allow shutting down the SSP CM or Engine without prompting for a userid or password.
Syntax:
/bin/stopCM.sh mode=auto
/bin/stopEngine.sh mode=auto

RTC470812/ (Engine) - SCP reports key auth error and locks the user account sooner, even though policy is password auth
A Customer using an SFTP policy specifying Password Authentication only was getting key authentication failures during SCP connections, which can cause an account to get locked more easily.
Resolution: Now do the key authentication only if specified in the SFTP policy.
RTC471053/ (Engine) - TLS connection fails when local PS log level is set to DEBUG *HIPER*
TLS connection fails when the Local PS log level is set to DEBUG on the SSP Engine Advanced tab. Getting message:
SSP0229E Exception Securing connection or Sending data, com.sterlingcommerce.perimeter.ssl.TLSInitException - java.lang.NullPointerException
Resolution: Updated the perimeter.jar file, which corrects the NullPointerException.

RTC472174/ (CM) - Error adding C:D netmap entries with duplicate IP/ports in SSP3420
The Customer uses SSP to initiate C:D transfers to a trading partner with SSP in front of their system. In this case, all nodes on the remote system use the same IP address and port. After applying SSP3420 iFix 2, the Customer could not add new nodes to their netmap, because they were flagged as duplicate IP/Port combinations.
Resolution: Removed the check for duplicate IP/Port combinations in the C:D Netmap screens.

RTC473126 (CM) - OutOfMemory error in CM after numerous large configuration updates
When numerous large configuration updates are made in the GUI, the CM may get an OutOfMemoryError in the Java PermGen area:
WARN AccepterImpl - Fast wakeup condition detected.
ERROR AccepterImpl - Could not handle fast wakeup condition - before handleRequest - java.lang.OutOfMemoryError: PermGen space
Resolution: Added the Java VM option -XX:MaxPermSize=512m to startupCM.bat/sh and to the InstallAnywhere properties file SSPcm$.lax.

No Defect (Engine) - Turned off JRE CBC protection to avoid C:D FMH failures after Secure+ handshake
The IBM JRE 1.7 SR9 in iFix 3 turned on CBC protection by default. The "protection" causes packets to be broken up into small pieces, which some C:D instances cannot handle without new maintenance being applied. The CBC protection feature became available in 2011 for the BEAST vulnerability, which affects browser (HTTP client) sessions.
Resolution: Added -Djsse.enableCBCProtection=false to the startEngine.sh script so that C:D sessions are not affected.

RTC473228/IT10611 (Engine) - (CD) Engine fails with CSP057E 16 Exception - java.lang.OutOfMemory Error: Java heap space *HIPER*
After applying SSP3420 iFix 3 and running multiple CD sessions, the SSP Engine was going down with the message:
CSP057E 16 Exception - java.lang.OutOfMemory Error: Java heap space
A session object was being referenced by its object name rather than its session ID and was not being freed correctly, causing an OutOfMemory condition.
Resolution: Now reference the session object by its session ID, so that its memory is released at the end of the session.

RTC474077/IT10648 (Engine) - (CD) Getting non-fatal CSP057E 16 Exception: peer not authenticated on every transfer
When a Connect:Direct inbound node in the netmap specifies Secure+ but does not specify Client Authentication in the Security tab, the incoming sessions may get a spurious message on every transfer, even though the transfer succeeds:
CSP057E 16 Exception: peer not authenticated
Resolution: No longer issue the erroneous error message.

RTC474304/IT10682 (CM) - Logging Level reset to NONE when navigating netmap screens
When navigating the FTP, HTTP, and SFTP netmaps in the CM GUI, the logging level in the Advanced tab may be reset to NONE when switching away from the Advanced tab.
Resolution: Added checks to ensure the logging level in the Advanced tab is maintained when switching between tabs.

JRE Upgrade (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 7 SR9 FP10 for latest security patches
See http://www-01.ibm.com/support/docview.wss?uid=swg21965964 for more information.

RTC475458/IT11735 (Engine) - CD Adapter configuration push causes listener to mishandle new connections
When updating the listening port of a C:D adapter without stopping and starting the adapter, the configuration push leaves the adapter in an unusable state.
It appears to be listening on the new port, but does not accept new connections. Connections which come in eventually time out, and the sockets are left in CLOSE_WAIT status. A similar scenario occurs when an external PS on the inbound side is brought down and back up: the C:D adapter port ends up in the same state as above.
Resolution: Updated the C:D adapter listener code to properly handle the case where it loses connection to the listening port. It now re-establishes the listener correctly.

RTC476225 (Engine,CM) - SSP3420 iFix 3 and 4 missing SSLv3 courtesy message at startup
A couple of courtesy messages were added to the startEngine.out and startCM.out files in SSP3420 iFix 2 to indicate whether SSLv3 was enabled:
"Info: SSLv3 is disabled by default. Only TLS will be used."
or
"Warning: SSLv3 is allowed because -Dcom.ibm.jsse2.disableSSLv3=false is set."
The product honored the ability to enable the SSLv3 protocol in iFix 3 and 4, but the courtesy messages were missing.
Resolution: Updated the startup code to include the SSLv3 courtesy messages again.

RTC478044/IT11857 (Engine) - C:D Execute on Success Step Injection (RUN TASK) replaces variable with encoded characters
Some of the variables used in Step Injection parameters, e.g. DESTFILE, were not being replaced properly. They were left Base64 encoded when presented to the SNODE.
Resolution: Fixed an issue with the Base64 encoding and decoding of the values for these replacement parameters.

RTC479400/IT12069 (CM) - Unable to import OpenSSL keycerts into SSP3420 System Certificate Store
After upgrading to SSP3420, the Customer was unable to import system keys which start with "-----BEGIN RSA PRIVATE KEY-----", which is the native format for encrypted private keys generated by OpenSSL.
Resolution: Updated the CM import code to be more inclusive of the system key types it imports. It now handles the RSA PRIVATE KEY format as well as the DSA PRIVATE KEY format.
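Two of the import problems above turn on how a PEM private key is packaged: RTC465113/IT09708 reports the PKCS8 encryption OIDs (oid1 = PBES2, oid2 = PBKDF2) that the CM could not handle, and RTC479400/IT12069 turns on the "RSA PRIVATE KEY" / "DSA PRIVATE KEY" PEM labels. The following example is added here and is not part of this readme or of SSP: it parses the PEM label and, for an encrypted PKCS#8 key, the DER header, and reports the same oid1/oid2 pair the exception prints, so a key can be checked before import. The sample key header is constructed (dummy salt, IV and ciphertext), and the function names are the example's own.

```python
import base64
# OIDs quoted verbatim in the IT09708 exception: PBES2 and its PBKDF2 key derivation
OID_PBES2, OID_PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                               # long form: low 7 bits count the length bytes
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def _oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:                        # a clear high bit ends a base-128 arc
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def classify_pem_key(pem):
    """Return (label, oid1, oid2); OIDs are set only for encrypted PKCS#8 (SSP's oid1=/oid2=)."""
    lines = pem.strip().splitlines()
    label = lines[0].strip("-").replace("BEGIN ", "")
    if label not in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        return label, None, None       # OpenSSL "RSA PRIVATE KEY" / "DSA PRIVATE KEY" (IT12069)
    _, body, _ = _tlv(base64.b64decode("".join(lines[1:-1])))
    tag, algid, _ = _tlv(body)
    if tag != 0x30:                    # PrivateKeyInfo opens with an INTEGER version: not encrypted
        return label, None, None
    _, raw, nxt = _tlv(algid)          # encryptionAlgorithm
    oid1 = _oid(raw)
    if oid1 != OID_PBES2:              # PBES1 schemes carry no inner KDF identifier
        return label, oid1, None
    _, params, _ = _tlv(algid, nxt)    # PBES2-params
    _, kdf, _ = _tlv(params)           # keyDerivationFunc
    return label, oid1, _oid(_tlv(kdf)[1])

def hits_it09708(pem):                 # True if the key uses the oid1/oid2 pair quoted in IT09708
    return classify_pem_key(pem)[1:] == (OID_PBES2, OID_PBKDF2)

# Constructed sample: EncryptedPrivateKeyInfo using PBES2 with PBKDF2 (8-byte salt, 2048
# iterations) and AES-256-CBC; salt, IV and ciphertext are dummies, so this is not a real key.
_SAMPLE_DER = (bytes.fromhex("305d3049" "06092a864886f70d01050d" "303c")        # EPKI, PBES2
    + bytes.fromhex("301b" "06092a864886f70d01050c" "300e" "04080001020304050607" "02020800")
    + bytes.fromhex("301d" "060960864801650304012a" "0410") + bytes(16)          # aes256-CBC, IV
    + bytes.fromhex("0410") + bytes(16))                                          # encryptedData
SAMPLE_PBES2_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.b64encode(_SAMPLE_DER).decode()
                    + "\n-----END ENCRYPTED PRIVATE KEY-----")
```

A key that reports the PBES2/PBKDF2 pair is one to route through the Certificate Wizard PKCS12 workaround above before importing it into an unfixed CM.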
No RTC (Engine) - (CD) Logging improvement to display the client certificate during a C:D Secure+ SSL handshake when server/client authentication is turned on.

No RTC /IT12342 (CM) - Update to Apache Commons-collections library for PSIRT 4202
An Apache Commons Collections vulnerability in the handling of Java object deserialization was addressed by IBM Sterling Secure Proxy. See http://www.ibm.com/support/docview.wss?uid=swg21971412 for more information. SSP3420 CM Build 235 and above ships with the corrected commons-collections-3.2.2.jar file.

No RTC / (PS) - Add info to differentiate SSP PS from SI PS
The installed copies of the SSP and SI versions of the Perimeter Server can be difficult to distinguish. An SSP PS should not be run by SI, and an SI PS should not be run by SSP.
Resolution: Added a file called SSP_PServer_install.properties in the SSP PS install directory to make it visually apparent that the PS installation is for SSP.

RTC479958/IT13168 (Engine) - (FTP) Getting TLS security negotiation failed when retrieving 0 byte file
When executing an FTP command that results in no data being returned on the data channel (such as retrieving an empty file), a TLS handshake error can occur while trying to secure the data stream connection.
Resolution: Added code to ensure the handshake completes before closing the data stream connection.

RTC480314/IT12099 (CM,Engine) - Incorrect timestamp showing in audit logs in SSP3420
After upgrading to SSP3420, the Audit log tags and were missing, and the only timestamp