================================================================================ Sterling External Authentication Server (SEAS) APAR IT17228 July 2016 JRE Upgrade (including April 2016 PSIRT updates) - October 2016 ================================================================================ This APAR provides the Java Runtime Environment (JRE) only, with instructions on how to install it in the Customer's environment. This brings the JRE to the Java 1.7 SR9 FP50 (7.0.9.50) fix level from the Oracle Java July 2016 security refresh. This fix is applicable to: SSP3420 (Engine, CM, and PS) SSP3430 (Engine, CM, and PS) SEAS2420 SEAS2430 Alternately, the Customer may check the fixlist of the latest iFix cumulative maintenance package on Fix Central to see if it includes this level of Java. If not, the Customer may contact Support to request that the latest build with this Java Runtime Environment be placed on the ECuRep server. =============================================================================== Additional Notes on this Java Runtime Environment (JRE) update =============================================================================== APAR IT17228 (Engine,CM,PS,SEAS) - Upgrade SSP Engine, CM, PS and SEAS to IBM JRE 7.0.9.50 for latest security patches. This APAR brings the JRE to the Java 1.7 SR9 FP50 (7.0.9.50) fix level from the Oracle Java July 2016 security refresh. It is not a full product install - Steps must be followed to download the new JRE for your platform(s) and installed for each portion of the product. =============================================================================== IBM Sterling Secure Proxy Instructions for Installing a New JRE from IBM Fix Central for the Security Advisory. =============================================================================== This process will allow the Customer to pull a new JRE from the IBM Fix Central site and replace the existing jre directory in the various installed instances of Sterling Secure Proxy (SSP) Engine, SSP Configuration Manager CM (CM), and SSP Perimeter Server (PS). The instructions are also valid for the Sterling External Authentication Server (SEAS). Steps 4 and following must be done for each instance of the SSP Engine, SSP CM, SSP PS, and SEAS. STEPS 1-3 ARE DONE ONCE AND CAN BE DONE WHILE THE PRODUCT IS RUNNING. Note: is the platform specific tar.Z or .zip file. 1. Download the refresh pack archive file from Fix Central to a work directory 2. Extract the JRE refresh pack archive file in the work directory. On UNIX: cd uncompress .tar.Z or gunzip .tar.Z tar -xvf .tar On Windows: Use WinZip or equivalent to extract the jre folder from the .zip file into the directory. 3. Verify the version of Java works and is the one expected by the Security Advisory: On UNIX: cd ./jre/bin/java -version On Windows: cd jre\bin\java -version See the description at the top of this README file for the version. STEPS 4 AND FOLLOWING ARE DONE FOR EACH INSTANCE OF THE SSP ENGINE, SSP CM, SSP PERIMETER SERVER and STERLING EXTERNAL AUTHENTICATION SERVER (SEAS). 4. Make a backup of your target directory. 5. Stop the target Sterling Secure Proxy Engine, Configuration Manager, Perimeter Server and/or Sterling External Authentication Server instance. 6. Rename the existing /jre directory to /jre_old. 7. Copy the new jre directory from the directory to your directory 8. Copy the old /jre_old/lib/security/java.security file to the new /jre/lib/security directory. Edit the /jre/lib/security/java.security file to add or ensure the following 2 lines are included: jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5 jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA 9. Start the target SSP/SSPCM/PS/SEAS instance 10. If there are issues starting up the target instance with the new JRE a) Save a copy of the bin/startEngine.out file. (startCM.out for the CM) b) Rename the jre directory to jre_new, and jre_old to jre, and restart. 11. Duplicate this process (starting with step 4) for each SSP Engine, CM, SSP Perimeter Server, and Sterling External Authentication Server install.