===============================================================================
Maintenance for Sterling External Authentication Server (SEAS) 2.4.2.0 iFix 5
===============================================================================

This cumulative maintenance archive includes the GA release of SEAS 2.4.2.0
plus fixes for the issues listed below.

Contents:

  I.   HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
  II.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
  III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

In iFix 4 (July 2016):
  None

In iFix 3 (March 2016):
  Action - Improve performance through SEAS Custom Exit to HTTP URLs - see IT12882 for details
  Action - JRE upgrade turns off MD5 support by default - see IT13805 for details

In iFix 1 (August 2015):
  Action - JRE upgrade turns off SSLv3 and RC4 support by default - see IT07375 for details

===============================================================================
II. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
===============================================================================

===============================================================================
Fixes for SEAS 2.4.2.0 iFix 5, Build 211 (December 2016)
===============================================================================

DEFECT / APAR
No Defect/IT17228   - Upgrade SEAS to IBM JRE 1.7 SR9FP50 for latest security patches
RTC508170/          - Allow token validation for CEUNIX
RTC510283/RFE468574 - Allow SEAS to verify Hostnames
RTC511666/IT17151   - Unable to invoke iKeyman on Solaris 10.
RTC513984/          - Enhancement to allow silent installs for SEAS
RTC514318/IT17374   - SSH Public Key authentication through IBM SEAS fails due to trailing blank spaces
RTC516324/IT17383   - SEAS does not start if passphrase contains "&" character
RTC519864/IT17988   - 2 ciphers missing from SEAS supported ciphersuites list

===============================================================================
Fixes for SEAS 2.4.2.0 iFix 4 Plus, Build 196 (August 2016)
===============================================================================

DEFECT / APAR
RTC505344/IT16081   - Change password portal doesn't work if user is mapped from SEAS.

===============================================================================
Fixes for SEAS 2.4.2.0 iFix 4, Build 195 (July 2016)
===============================================================================

DEFECT / APAR
RTC507060/no APAR   - Fixed the NumberFormatException during IP address conversion

===============================================================================
Fixes for SEAS 2.4.2.0 iFix 3, Build 192 (March 2016)
===============================================================================

DEFECT / APAR
RTC485429/IT12882   - Authentication through SEAS Custom Exit to HTTP URLs causing slowdowns, timeouts
No RTC/IT12342      - Update to Apache Commons Collections library for PSIRT 4202
No RTC/IT13805      - Upgrade to IBM JRE 1.7 SR9 FP30 for latest security patches, which turns off MD5 support by default

===============================================================================
Fixes for SEAS 2.4.2.0 iFix 2, Build 173 (September 2015)
===============================================================================

DEFECT / APAR
JRE Upgrade         - Upgrade to IBM JRE 1.7 SR9 FP10 for latest security patches

===============================================================================
Fixes for SEAS 2.4.2.0 iFix 1, Build 170 (August 2015)
===============================================================================

DEFECT / APAR
RTC465772/IT08982   - Upgrade to IBM JRE 1.7 SR9 for latest security patches (IT07375), which turns off SSLv3 and RC4 support by default
RTC469964/IT09808   - In FIPS mode, cipher selection limited under Java 6.
RTC469968           - Allow non-interactive "mode=auto" feature.

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
===============================================================================

RTC465772/IT08982 - Upgrade to IBM JRE 1.7 SR9 for latest security patches (IT07375), which turns off SSLv3 and RC4 support by default

  See http://www-01.ibm.com/support/docview.wss?uid=swg21903468 for details of the vulnerabilities addressed.

  Note that with this new JRE, SEAS only allows TLS sessions by default and will reject SSLv3 sessions. If the SSLv3 protocol is required until other components can switch to TLS, then:
    - for UNIX/Linux, add the -Dcom.ibm.jsse2.disableSSLv3=false property to the Java startup line(s) in the bin/startSeas.sh script;
    - for Windows, add the property to the "lax.nl.java.option.additional=" line in the bin\SEAS$.lax file.

RTC469964/IT09808 - In FIPS mode, cipher selection limited under Java 6.

  Resolution: Updated the FIPS module to allow extra cipher suites when running under Java 7, which is what is distributed now.

RTC469968 - Allow non-interactive "autoshutdown" feature.

  Enhancement to allow shutting down SEAS without prompting for a userid or password.
  Syntax: /bin/stopSeas.sh mode=auto

RTC485429/IT12882 - Authentication through SEAS Custom Exit to HTTP URLs causing slowdowns, timeouts

  When running multiple authentication requests through the SEAS Custom Exit to an HTTP URL (such as SI), SEAS processing slows down and begins to time out sessions. The initialization process was destroying and recreating the HTTP client object for each session, causing increased overhead.
  Resolution: SEAS now checks for the property -Dhttp.exit.cache.client=true on the startSeas.sh or startSeas.bat startup line. If the property is coded and the HTTP User Auth Exit is being used, the exit initialization code is bypassed.

  Action: To eliminate the performance degradation in the HTTP User Auth custom exit, update the startSeas.sh (UNIX) or startSeas.bat (Windows) file to include the -Dhttp.exit.cache.client=true property in the 2 Java call lines (they begin with "nohup").

  Example - insert the property just before the -Dhadrian.root.dir property:

    nohup ... -cp ${CLASSPATH} -Dhttp.exit.cache.client=true -Dhadrian.root.dir=${DIST_DIR} ...

JRE Upgrade - Upgrade to IBM JRE 1.7 SR9 FP10 for latest security patches

  See http://www-01.ibm.com/support/docview.wss?uid=swg21965912 for details of the vulnerabilities addressed.

No RTC/IT12342 - Update to Apache Commons Collections library for PSIRT 4202

  Addresses an Apache Commons Collections vulnerability in the handling of Java object deserialization. See http://www.ibm.com/support/docview.wss?uid=swg21971412 for more information.

No RTC/IT13805 - Upgrade to IBM JRE 1.7 SR9 FP30 for latest security patches, which turns off MD5 support by default

  See http://www-01.ibm.com/support/docview.wss?uid=swg21977054 for details of the vulnerabilities addressed.

  Note: Review your ciphers and certificates to ensure you do not use MD5.

RTC505344/IT16081 - Change password portal doesn't work if user is mapped from SEAS.

  When a user tries to change the password on the SSP SSO logon portal, the user is prompted with the mapped userid instead of the userid with which the user logged on. This happens when the user authentication profile is set up in SEAS with mapped credentials and LDAP has an entry for the mapped userid.

  Resolution: Changed SEAS to return the source (client-side) userid along with the mapped userid, so that SSP uses the correct userid when the user changes the password from the SSP SSO logon portal web page.
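The startSeas.sh edits described under RTC465772/IT08982 (-Dcom.ibm.jsse2.disableSSLv3=false) and RTC485429/IT12882 (-Dhttp.exit.cache.client=true) above both come down to adding a -D property to the two "nohup" Java call lines. The following shell function is an added example, not part of the IBM maintenance archive; it makes that edit idempotently, backs up the script first, and assumes (as the readme's own example shows) that the call lines begin with "nohup" and contain -Dhadrian.root.dir=.

```shell
#!/bin/sh
# Added example, not part of the SEAS maintenance archive: insert a Java -D
# system property into the "nohup" launch lines of startSeas.sh, placing it
# just before -Dhadrian.root.dir= as the IT12882 instructions describe.
# Assumes (as in the readme's example) that the Java call lines begin with
# "nohup" and contain "-Dhadrian.root.dir=". Safe to re-run: a line that
# already carries the property is left untouched.

add_seas_property() {
    script="$1"   # path to bin/startSeas.sh
    prop="$2"     # e.g. -Dhttp.exit.cache.client=true or -Dcom.ibm.jsse2.disableSSLv3=false
    if [ ! -f "$script" ]; then
        echo "add_seas_property: no such file: $script" >&2
        return 1
    fi
    cp "$script" "$script.bak" || return 1   # back up the script before rewriting it
    awk -v prop="$prop" '
        # only the nohup launch lines, and only if the property is not already there
        /^nohup/ && index($0, prop) == 0 {
            n = index($0, "-Dhadrian.root.dir=")
            if (n > 0) {
                $0 = substr($0, 1, n - 1) prop " " substr($0, n)
            }
        }
        { print }
    ' "$script.bak" > "$script"
}

# Count the nohup launch lines that carry a given property; after a successful
# edit of startSeas.sh this should report 2 (the readme's two Java call lines).
count_seas_property() {
    grep '^nohup' "$1" | grep -cF -- "$2"
}

# Command-line use: add_seas_property.sh /path/to/startSeas.sh -Dhttp.exit.cache.client=true
if [ "$#" -eq 2 ]; then
    add_seas_property "$1" "$2"
    echo "nohup lines carrying $2: $(count_seas_property "$1" "$2")"
fi
```

Check the reported count is 2 before restarting SEAS; a count of 1 means one of the two call lines did not contain -Dhadrian.root.dir= and needs a manual edit.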
No Defect/IT17228 - Upgrade SEAS to IBM JRE 1.7 SR9FP50 for latest security patches

  This JRE includes the quarterly Java security patches through July 2016. See http://www.ibm.com/support/docview.wss?uid=swg21991287 for details.

RTC508170/ - Allow token validation for CEUNIX

  Enhancement to allow CEUNIX to do token validation using the password field.

RTC510283/RFE468574 - Allow SEAS to verify Hostnames

  There was no mechanism to perform DNS checks during certificate validation through SEAS.

  Resolution: IBM SEAS has been modified to allow DNS hostname checking during certificate validation. When the "Check hostname DNS" field is enabled in SEAS, the user IP address is matched against the information in the user certificate's SAN or certificate CN.

RTC511666/IT17151 - Unable to invoke iKeyman on Solaris 10.

  The IBM hybrid JRE on Solaris delivers ikeyman as a call to the native Java with a class to execute. However, if JAVA_HOME does not point to the IBM JRE, it fails with "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman".

  Resolution: Corrected the Solaris installers for SEAS, SSP, SSP_CM and PS to modify jre/bin/ikeyman so that it always invokes the installed IBM JRE.

RTC513984/ - Enhancement to allow silent installs for SEAS

  InstallAnywhere Silent Install is a feature which allows automated installs without questions and answers from the console. It can be used for repetitive installs at customer sites. The administrator first does the product install in "record" mode, which builds an installation properties file for subsequent silent installs in "replay" mode. The SSP Engine, CM, PS, and SEAS have all been updated to allow silent installs.

RTC514318/IT17374 - SSH Public Key authentication through IBM SEAS fails due to trailing blank spaces

  Resolution: Added logic to trim SSH public keys retrieved from LDAP before using them in the SSH public key authentication process.
RTC516324/IT17383 - SEAS does not start if passphrase contains "&" character

  If the SEAS passphrase is changed to include an ampersand ("&") character, the system will not start and reports:

    Startup did not succeed. Terminating: com.sterlingcommerce.hadrian.common.xml.XmlParsingException: Error on line 4: The entity name must immediately follow the '&' in the entity reference.

  Resolution: Wrapped the system password field in a CDATA section so that the XML converter handles the value correctly.

RTC519864/IT17988 - 2 ciphers missing from SEAS supported ciphersuites list

  The ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 were not included as supported cipher suites for TLSv1.2.

  Resolution: Added these ciphers to ssl_tls_ciphers.properties so that they show up in the output of the SEASCipherConfigTool.sh -c protocol=TLSV1.2 command.