================================================================================
Fixes in Sterling Secure Proxy (SSP) 3.4.3.0 iFix 04 - April 2017
================================================================================

This cumulative maintenance iFix includes the GA release of SSP Engine 3.4.3.0 and SSP Configuration Manager 3.4.3.0 plus the fixes for the issues mentioned below. The install images for the SSP Engine, CM and PS may be used to install a new image or upgrade an existing image in place.

Contents:
  I.   HIPER fixes / Fixes requiring Action by iFix
  II.  Summary of Fixes by iFix/Build (Latest iFix / Builds first)
  III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

Action - IMPORTANT upgrade steps from SSP341x - see "SSP3418 Upgrade" for details

In iFix 4 (April 2017):
HIPER  - Upgrade to Java 1.8 for Java January 2017 security fixes
ACTION - Java.security file disables Triple-DES (3DES-CBC) and DES ciphers. See RTC533801 for details

In iFix 3 Plus (March 2017):
HIPER  - FTPS client connects, but LIST command delayed. See IT19026
HIPER  - SFTP adapter won't come up when HSM is enabled. See IT19491
Action - Allow client-only certificates for CD server authentication. See IT19443 if you need to configure this differently.

In iFix 3 (January 2017):
HIPER  - FTPS data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3 - See RTC517058 for details.
HIPER  - Deadlock/hang in failover code - See RTC516359 for details
HIPER  - CD failures after upgrade to SSP3420 iFix 9 or SSP3430 iFix 2 - See RTC524219 for details and workaround
HIPER  - 100% CPU in Maverick toolkit after a few days - See RTC524897

In iFix 2 (December 2016):
HIPER  - See IT17228 for information on the upgrade to IBM JRE 1.7 SR9FP50 for the latest Java security patches in the CM, Engine and PS.
HIPER  - See "PSIRT 5869" for security patch related to commons-fileupload-1.3.2.jar
HIPER  - Thousands of sockets in TIME_WAIT when JMS listener down - See RTC522699
HIPER  - System outage with too many open file handles - see RTC517621
Action - SFTP HMACs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and hmac-sha2-512, respectively. See RTC492052 for details
Action - Allow server only certificates for CD client authentication. See IT18066 if you need to configure this differently.
Action - Ability to externalize delay for CD HttpPingResponse. See IT18178 for details.
Action - See IT15063 for information on configuring the SFTP rekey counts

In iFix 1 (July 2016):
Action - JRE upgrade turns off SSLv3 support by default - see IT07375
HIPER  - CD Adapter failures causing high CPU - See RTC496962
Action - SFTP HMACs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and hmac-sha2-512, respectively. See RTC492052 for details

===============================================================================
II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
    Fixes are marked as Engine and CM (Configuration Manager)
===============================================================================

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Build 123 (April 2017)
RTC528659/IT20207 (Engine) - SSP restarted due to OOM errors
RTC533058/ (CM,Engine) - Shutdown scripts hang with JRE 1.8 on AIX
RTC533482/ (Engine) - CD transfers not working with SSLv3
RTC533801/ (CM,Engine,PS) - Upgrade to Java 1.8 for Java January 2017 security fixes
RTC534665/IT20206 (Engine) - Invalid CD copy step causes NPE in validation
RTC536506/IT20338 (Engine) - SFTP maverick log getting numerous exceptions for each SFTP logoff.

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 115 (April 2017)
RTC531365/IT19649 (CM) - SSPCM users unable to change password after upgrade
RTC532854/IT19863 (CM) - REST API unable to use TLS1.2 to SSP CM Web
RTC533580/ (CM) - REST unable to import exported configurations
RTC533680/IT20027 (Engine) - RU size negotiated to 16259 when using Secure+ on one CD node and non-secure on the other.
RTC533907/ (Engine,CM) - InstallAnywhere on Windows shows ERROR: Failure in the CopyJreLib step
RTC534003/IT19950 (CM) - Error when executing configureCmSsl.sh
RTC535210/ (Engine) - RAS Enhancement - Add new startEngine.log, switches for heap dumps and SSL debugging

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 112 (March 2017)
RTC528702/IT19672 (CM,Engine) - Install failure causes secure protocols to fail after upgrade
RTC529443/IT19491 (Engine) - SFTP adapter won't come up when HSM is enabled.
RTC529446/IT19332 (Engine) - Unable to use HSM keystore without password
RTC529453 (CM) - Ship a separate security.properties for SSP CM
RTC529530 (CM,Engine) - (HSM) No longer ship setupHSM.bat or .sh and remove them if they exist.
RTC530844/IT19443 (Engine) - (CD) Allow client-only certs in server authentication.
RTC530859/IT19451 (Engine) - (CD) Accept "TLS" and change to "TLSv1"
RTC531976/IT19734 (Engine) - SFTP sessions fail when HSM is enabled
RTC532302/IT19647 (CM) - REST: Don't require truststore for http inbound node if client auth is not enabled

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 105 (February 2017)
RTC525304/ (Engine) - Performance test fails for HTTPS and FTPS
RTC527354/IT19159 (CM) - TLS1.2 is not negotiating when FIPS mode ON

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 104 (February 2017)
RTC525694/IT18971 (CM) - Large certificate serial number appears incorrectly in SSPCM
RTC527283/IT19153 (CM) - SSP 3.4.3 CM in Windows Uninstall shows Version 3.4.2.0; 'Help' points to v3.4.2 content

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 101 (February 2017)
RTC524274/IT19027 (Engine) - (HSM) FTPS not working with HSM certificates after upgrading from 3.4.1.7 to 3.4.3
RTC525585/IT18998 (CM) - HTTP netmap logging level reset to NONE if Routing Node tab selected
RTC527009/IT19026 (Engine) - FTPS client connects, but LIST command delayed
RTC527355/ (CM,Engine) - SSP CM not PUSHing configured SSH Local User Keys to SSP Engine
No Defect (Engine) - Additional KQV values for C:D FM71 - ZEDC

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Build 99 (January 2017)
RTC524897/IT18695 (Engine) - 100% CPU in Maverick toolkit after a few days
RTC525887/ (Engine) - FTPS data channel hangs when CEU is back end
RTC526163/ (Engine) - Avoid erroneous PASV response from server

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 2 Plus Build 94 (January 2017)
RTC517058/IT17567 (Engine) - *HIPER* FTPS data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3.
RTC525081/IT18698 (Engine) - Numerous Maverick NullPointerExceptions in systemout.log after SSP3420 iFix 9
RTC525909/ (Engine) - Error messages "peer not authenticated" in load test logs for C:D sessions
RTC525956/ (Engine) - SFTP concurrency test produces number of NPEs

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 2 Plus Build 87 (December 2016)
RTC516359/IT18163 (Engine) - Deadlock/hang in failover code
RTC523287/IT18529 (Engine) - SEAS-Agent timeouts are hanging other SFTP Adapters including ones not dependent on SEAS
RTC524219/IT18552 (Engine) - CD failures after upgrade from SSP3418 to SSP3430 iFix 2

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 2 Build 83 (December 2016)
RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the sftp_rekeycount limit in the adapter.
RTC523578/ (Engine) - (HSM) CD Protocol unable to use keycert in HSM

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 81 (December 2016)
RTC512573/IT18260 (Engine) - HTTP connections fail with SSE0102E secure connection failures after upgrade to SSP 3.4.2
RTC518916/IT18164 (Engine) - CD "PNODE Host controls SSL Protocol" netmap setting fails in some circumstances
RTC519253/IT18066 (Engine) - (CD) Allow server only certificates for client authentication
RTC519510/IT18176 (CM,Engine) - Do not enforce common name checking if CD client authentication not turned on
RTC520046/IT17985 (CM) - Unable to use a custom channel name in the JMS configuration
RTC520758/IT18178 (CM) - Externalize delay for CD HttpPingResponse.
RTC521075/IT18187 (CM) - 2 special characters in CM password when special characters required
RTC521835/IT18266 (Engine) - (HSM) SecureRandom failure using HSM with CD
RTC522699/IT18216 (CM) - Thousands of sockets in TIME_WAIT when JMS listener down

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 75 (November 2016)
RTC508303/ (Engine) - CDzOS via SSP produces XXDR021I in CD Windows statistics.
RTC513451/IT17846 (CM,Engine) - Updated to use Maverick sshd 1.6.27, j2ssh 1.6.23
RTC514315/IT17373 (CM) - Import of CA trusted file with multiple CA Certs gets corrupted
RTC517621/IT17983 (Engine,PS) - Too many open file handles; lsof output shows "can't identify protocol" entries
RTC519864/IT17988 (Engine) - 2 ciphers missing from supported ciphersuites list
RTC519966/IT18001 (CM) - Admin user can't be deleted in SSPCM

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 69 (October 2016)
No Defect/IT17228 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR9FP50 for latest security patches
PSIRT 5869 (CM) - Updated to use commons-fileupload-1.3.2.jar
RTC496054/ (CM) - Error messages found in installation and CMS logs for both Engine and CM.
RTC493866/IT14117 (Engine) - (PS) Too many fast wakeups in perimeter.log
RTC508898/ (Engine) - (CD) With CHECKPOINT and FASP=SSP; SUSPEND hangs session
RTC508901/ (Engine) - (CD) Submit process on Snode using FASP does not end session gracefully
RTC510635/IT16815 (Engine) - (HSM) Certificates causing SSP0229E Exception Securing connection or Sending data, java.lang.NoClassDefFoundError - com.sterlingcommerce.security.util.SCIHSMManager
RTC511154/IT16980 (Engine) - (CD) C:D adapter fails to send "Http Ping Response" string consistently
RTC511666/IT17151 (CM) - Unable to invoke iKeyman bundled with SSP on Solaris 10 with error: "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman"
RTC511903/IT17121 (Engine) - (SFTP) Slow upload speed via SSP on Solaris
RTC511928/IT17359 (CM) - (HSM) Cannot delete old certificates in the CM HSM Keys list after upgrade
RTC513206/IT17358 (CM) - SSPCM allows the password change step to be bypassed
RTC513984/ (Engine,CM,PS) - Enhancement to allow silent Installs for SSP, SSPCM, PS and SEAS
RTC516459/IT17419 (CM) - The manageCSRs.sh script gets a NullPointerException when attempting to create a CSR

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 47 (August 2016)
RTC502863/IT16819 (CM,Eng) - (SFTP) Support hmac-sha256 & hmac-sha256@ssh.com
RTC504898/IT16824 (CM) - (REST) XMLSchemas for Import RESTAPI Requests
RTC505522/IT16713 (Engine) - (FTP/S) Enabling CCC causes transfers to fail
RTC508526/IT16700 (CM) - Allow CM Admin to control locked account msgs
RTC509062/IT16642 (PS) - (PS) Install issues with Windows service names
RTC510313/IT16560 (CM,Eng) - (SFTP) Allow buffer lengths greater than 128K
RTC510634/IT16823 (Engine) - (SFTP) SCP presents a RC 1 after successful GET
RTC511478/RFE511476 (CM,Eng) - (SFTP) Force one line password prompt

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 34 (August 2016)
RTC507008/IT16396 (Engine) - (CD) Memory usage increases and process slowdown with C:D wildcard copies.
RTC508872/IT16456 (Engine) - SFTP public key auth failures cause locked accounts sooner in SSP3430.
RTC509910/IT16488 (Engine) - (CD) SSP3430 causing data overruns when inbound unencrypted, outbound secure.

===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Build 29 (July 2016)
SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to SSP3420/SSP3430 format before upgrade
No Defect/IT07375 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default
RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched MAC names
RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message from SSO login failure
RTC495433/IT14514 (CM) - (HSM) manageKeyCerts import fails with java.lang.NullPointerException
RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server
RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open files", or "max concurrent circuits reached"
RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped password not present
RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine, Max concurrent circuits reached:4096 on PS
RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range
RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading to SI 5.2.6.1.
RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for PerimeterServerConfig
RTC497092/IT14615 (Engine) - Engine Shutdown issue
RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL handshakes
RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to fail
RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers
RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS enabled
RTC502844/IT15531 (CM) - Unable to import PKCS12 SHA2 certs using configureCmSsl utility
Logging Improvement (Engine) - C:D certificate failure logging improvements
RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External Authentication
RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns success but the node still exists
RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a single Windows Service and starting/shutting down the PS service starts/stops all of them
RTC505169/IT15947 (CM) - HTTP Security headers were missing.
RTC505320/IT15946 (CM) - Traversal of SSP CM Webapp root
RTC505321/IT16020 (CM) - Accessing SSP CM using expired session id
RTC505585/IT15949 (CM) - SSP CM allows methods other than GET or POST
RTC505702/IT16080 (CM) - Enhancements to password policy rules

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
     Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter)
===============================================================================

SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to SSP3420/SSP3430 format before upgrade

Some Customers who upgraded to SSP3420/SSP3430 had SHA256 keycerts in PKCS#8 PEM format in their keystore, which is the way they were stored in the pre-SSP3420 CM. After upgrading, these keys could not be read by the new IBM toolkit, due to a couple of OID fields.

Resolution: Now supply a new SspCMCertConvertUtil with the SSP3418 CM which can be run just before upgrading to SSP3430 to convert the keystore(s) in place to PKCS#12 format, which is the format that SSP3430 uses. Once the conversion is done, the SSP3418 CM image must be upgraded immediately to SSP3430 CM.

Here are the steps for using the new script.
1) Obtain the latest 3418 maintenance (iFix 8 or higher) and the latest 3430 maintenance (iFix 1 or higher) on Fix Central:
   http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.1.8&platform=All&function=all
2) Shut down and back up your existing 341x Engine, CM and PS instances.
3) Upgrade the 341x CM to the latest 3418 SSP CM patch.
4) Run bin/SspCMCertConvertUtil.sh (or .bat).
5) Select Yes to convert existing 3418 SSP CM keycerts, or select No to exit the script.
6) If Yes is selected, this script will first back up the entire current SSP CM conf instance.
7) The script will then convert all SSP CM keycerts that are in 341x format into SSP3420/SSP3430 CM keycert format.
8) Once the script runs to completion, upgrade the SSP CM, Engine, and PS instances to SSP3430.
9) Note: Once the script is run, the SSP3418 conf directory may no longer be used for SSP3418. Either convert to SSP3430 or restore the backed up copy.
Note: If there is a need to go back to 341x, restore the backed up copies.

The alternative is to upgrade directly to SSP3430, import the PKCS12 versions of your SHA256 keycerts into your system key store and point your netmaps to the new versions.

No Defect/IT07375 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default

This JRE was included with SSP3430 GA. SSP only allows TLS sessions by default and will reject SSLv3 sessions. If the SSLv3 protocol is required until trading partners can switch to TLS, then for UNIX/Linux, add the -Dcom.ibm.jsse2.disableSSLv3=false property to the Java startup line(s) in the bin/startEngine.sh script. For Windows, add the property to the "lax.nl.java.option.additional=" line in the bin\SSPengine$.lax file.

In addition, edit the /jre/lib/security/java.security file to change the following line from
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
to
    jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768

See http://www.ibm.com/support/docview.wss?uid=swg21695265 for more information.

No Defect/IT17228 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR9FP50 for latest security patches

This JRE includes the quarterly Java security patches through July 2016. See http://www.ibm.com/support/docview.wss?uid=swg21991287 for details.

PSIRT 5869 (CM) - Updated to use commons-fileupload-1.3.2.jar

Resolution: Upgraded to use commons-fileupload-1.3.2.jar to resolve a possible security vulnerability. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21995611.

RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched MAC names

Customer was attempting to configure their SFTP to use HMACs of 256 or higher. SFTP handshakes were getting a mismatch of the hmac algorithm names. SSP was presenting "hmac-sha256" and "hmac-sha512", but should have been using "hmac-sha2-256" and "hmac-sha2-512".
Resolution: Now properly present the "hmac-sha2-256" and "hmac-sha2-512" hmac names.

Action: If you have previously selected the "hmac-sha256" or "hmac-sha512" HMacs in the adapter Security tab or the netmap node Security tab, they will be de-selected during this upgrade, and you must reselect the "hmac-sha2-256" and/or "hmac-sha2-512" hmacs.

RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range

Customer running with a newer OpenSSH command line client was getting DH_GEX group out of range during session initialization.

Resolution: Updated the SFTP Maverick toolkits to SSHD 1.6.17 (front end server side) and J2SSH 1.6.15 (back end client side) for more advanced Diffie-Hellman Key negotiation.

RTC493866/IT14117 (Engine) - (PS) Too many fast wakeups in perimeter.log

After applying SSP3430 iFix 1, the perimeter.log began receiving the following messages in DEBUG mode:
    com.sterlingcommerce.perimeter - NioDispatcher.block() -- too many fast wakeups, rebuilding selector.
    com.sterlingcommerce.perimeter - NioDispatcher.block() - wakeup after 0, result: 0, fastwakeups: 1001

Resolution: Corrected the perimeter.properties file to match the new version shipping since iFix 1. Also added the following parameter to the bottom of the bin/perimeter.properties file to turn off the NIO dispatcher in the local perimeter server:
    perimeter.niodispatcher=false

RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message from SSO login failure

HTTP client logging onto the SSO portal and then onto Sterling File Gateway is getting a blank screen instead of a 500 error message when the login fails.

Resolution: Added the text "Internal Server Error" to the message body for the 500 error response and pass it back to the user on login failure.
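The java.security edit described under IT07375 above is easy to leave in place after trading partners have moved to TLS. The following Python script is an added example, not part of these release notes or of SSP: it reads jdk.tls.disabledAlgorithms in the java.util.Properties format that file uses and reports which entries a deployment expects to stay disabled are no longer present; the two sample file excerpts are constructed from the lines quoted in the note.

```python
"""Audit jdk.tls.disabledAlgorithms in a java.security file.

Added example, not code from the SSP release notes or the product. It reads
the property in the java.util.Properties format the IT07375 note edits and
reports which algorithms a deployment expects to stay disabled have been
removed from the list (for instance when SSLv3 was re-enabled for a trading
partner and never disabled again).
"""
import re
from typing import Dict, List, Optional

PROPERTY = "jdk.tls.disabledAlgorithms"

# Constructed sample modelled on the first line quoted in the IT07375 note.
JAVA_SECURITY_DEFAULT = """\
# constructed excerpt of a java.security file
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

# Constructed sample of the same file after the SSLv3 entry was removed,
# written with a backslash line continuation as java.security files often are.
JAVA_SECURITY_SSLV3_REENABLED = """\
jdk.tls.disabledAlgorithms=RC4, MD5withRSA, \\
    DH keySize < 768
"""


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines the way java.util.Properties does
    (leading whitespace of the continuation line is dropped)."""
    lines: List[str] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.lstrip() if pending is not None else raw
        if line.rstrip().endswith("\\"):
            pending = (pending or "") + line.rstrip()[:-1]
            continue
        lines.append((pending or "") + line)
        pending = None
    if pending is not None:
        lines.append(pending)
    return lines


def read_property(text: str, key: str) -> Optional[str]:
    """Return the value of `key`, or None if it is absent.
    '#' and '!' lines are comments; the last assignment wins."""
    value = None
    for logical in _logical_lines(text):
        stripped = logical.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", stripped)
        if m and m.group(1) == key:
            value = m.group(2).strip()
    return value


def parse_disabled(value: str) -> Dict[str, Optional[int]]:
    """Map each disabled entry (upper-cased; Java matches names
    case-insensitively) to its keySize bound, or None for a plain entry.
    Only the 'ALG keySize < N' constraint form quoted in the note is parsed;
    any other constraint syntax is kept as a plain entry."""
    disabled: Dict[str, Optional[int]] = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = re.fullmatch(r"(\S+)\s+keySize\s*<\s*(\d+)", entry, re.IGNORECASE)
        if m:
            disabled[m.group(1).upper()] = int(m.group(2))
        else:
            disabled[entry.upper()] = None
    return disabled


def is_disabled(disabled: Dict[str, Optional[int]], name: str) -> bool:
    return name.upper() in disabled


def min_key_size(disabled: Dict[str, Optional[int]], alg: str) -> Optional[int]:
    """Smallest key size still allowed for `alg`, or None if no bound is set."""
    return disabled.get(alg.upper())


def audit(text: str, must_disable: List[str]) -> List[str]:
    """Return the entries in `must_disable` that the file no longer disables.
    A missing property means nothing is disabled, so every entry is reported."""
    value = read_property(text, PROPERTY)
    if value is None:
        return list(must_disable)
    disabled = parse_disabled(value)
    return [name for name in must_disable if not is_disabled(disabled, name)]


if __name__ == "__main__":
    for label, sample in (("default", JAVA_SECURITY_DEFAULT),
                          ("sslv3 re-enabled", JAVA_SECURITY_SSLV3_REENABLED)):
        gaps = audit(sample, ["SSLv3", "RC4", "MD5withRSA"])
        print(f"{label}: {'re-enabled ' + ', '.join(gaps) if gaps else 'ok'}")
```

Point `audit` at the real file contents and the list of names your policy requires disabled to turn the IT07375 and RTC533801 guidance into a repeatable post-upgrade check.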
RTC495433/IT14514 (CM) - (HSM) manageKeyCerts import fails with java.lang.NullPointerException

The manageKeyCerts.sh utility fails with "Unexpected exception: java.lang.NullPointerException" when attempting to import a PKCS12 keycert into HSM.

Resolution: Changed manageKeyTool to persist imported keys by saving off the private key.

RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server

When the SFTP proxy adapter times out on the client, the socket connection stays in FIN_WAIT2 state.

Resolution: Modified code related to close functionality.

RTC496054/ (CM) - Error messages found in installation and CMS logs for both Engine and CM.

Numerous error messages seen in the log during installation or configuration update: "ERROR SspEngineBuilder - routing type STD". They were introduced by Build 54.

Resolution: Removed the superfluous message.

RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open files", or "max concurrent circuits reached"

After several hours or days of running, the Perimeter Server can get the message "Too many open files" or "Max concurrent circuits reached: size is:4096", and all incoming connections are rejected. The C:D adapter was not closing the connections from the load balancer heartbeat pings correctly, causing an accumulation of circuits in the PS and leftover file descriptors showing up in an lsof command. Customers with a ulimit of 1024 for max open files per user will get the former message, while others will get the latter.

Resolution: Updated the C:D adapter code to better handle a load balancer ping operation which does not do a clean close of the socket after connecting. These connections should get cleaned up by the Java garbage collector over time. The Customer should also set the kernel ulimit max open files value to 4096 or higher to allow time for the normal recycling of the load balancer ping sockets.
RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped password not present

If an SFTP policy is configured to use a mapped routing key name from SEAS to connect to the backend server, a Null Pointer Exception can occur if the user does not have a mapped password defined. When attempting to connect to the SSP SFTP adapter, the user will not be able to login, and the following exception will occur in the adapter log:
    java.lang.NullPointerException
        at java.lang.String.
        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.registerBackend
        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUserHelper
        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUser
        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.verifyPassword
        at com.sterlingcommerce.cspssh.daemon.SftpAccessInstance.verifyPassword

Resolution: Now correctly handle the situation where SEAS returns a mapped routing key name, but not a mapped password.

RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine, Max concurrent circuits reached:4096 on PS

When the C:D adapter recovers from a connection failure to the More Secure Perimeter Server, it restarts its listener on the inbound PS but no longer services connections coming in. As the load balancer continues to hit the CD port, it can lead to a "Max concurrent circuits reached: 4096" error on the PS and all inbound traffic turned away.

Resolution: Corrected the recovery logic in the CD adapter to ensure that the inbound listener is brought up and the adapter continues to service connections.

RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading to SI 5.2.6.1.

SI/B2Bi 5.2.6.1 uses the fix provided in the IBM JRE (JSSE) to break up packets when using CBC cipher suites and TLS 1.0.
The short packet during the initial FMH 68/72 exchange was causing SSP to issue message CSP900E Logged Exception : Invalid Connect:Direct FMH.

Resolution: Now handle SSL fragmentation caused by remediation for the CBC BEAST TLS 1.0 PSIRT advisory.

Workaround: There are 2 known workarounds to this problem -
1) Switch to using TLS 1.2 between SSP and SI, as the BEAST "fix" only gets used with TLS 1.0
2) Update the SI 5.2.6.1 startup script(s) to add "-Djsse.enableCBCProtection=false" in the Java startup line(s).

RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for PerimeterServerConfig

During a configuration push from the CM to the engine, getting multiple "java.lang.RuntimeException: Problem with reflection based marshalling". Invalid data was being passed to the SSP Engine Converter method.

Resolution: Added logic to detect when invalid data is passed into the converter method and handle it properly.

RTC497092/IT14615 (Engine) - Engine Shutdown issue

Customer could not shut down the SSP engine from the command line using either stopEngine.sh mode=auto or the regular ./stopEngine.sh.

Resolution: Added logic to the SSP code base so that the TLS protocol is no longer hard-coded for the SSP engine shutdown module.

RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL handshakes

Customers experiencing intermittent failures during SSL handshaking in CD, FTP, or HTTP sessions. A PEMHelper utility class which feeds certificates to the SSL/TLS handshake process had objects defined in such a way that they were not thread-safe, causing unpredictable outcomes when multiple sessions were attempting to do simultaneous handshakes.

Resolution: Corrected the objects in the PEMHelper class to be thread-safe.

RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the sftp_rekeycount limit in the adapter.

Under certain circumstances, the rekey limit is causing SFTP transfers to stall.
The sftp_rekeycount property defaults to 20000, which allows 20k packets to flow before requesting a new key exchange. However, the SSP FTP daemon and the SSH Maverick toolkit are both keeping track of the packet count, which can cause a hang when both request a rekey at the same time.

Resolution: Turned off requesting rekey operations on the back end session to SI within the SFTP adapter. Added a new property, sftp_backend_rekeycount, with a default of zero, to specify the number of packets between rekeys on the backend session to SI, in case a Customer needs to turn it back on. Also updated the Maverick toolkit to get the latest versions with any impact on re-key issues.

RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to fail

There was an internal error during startup of the CM and the internal ManagedAccepterService never came up, which caused logins to fail.

Resolution: Added the ManagedAccepterService to the list of global services so it would start sooner in the process.

RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers

The SSP CM is missing the following HTTP security headers:
    Cache-Control: no-cache,no-store
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1

Resolution: Added the missing HTTP security headers to the SSP CM.

RTC502844/IT15531 (CM) - Unable to import PKCS12 SHA2 certs using configureCmSsl utility

CmSslConfigTool was unable to successfully import pkcs12 certificates.

Resolution: Added logic that allows for the public certificate to be extracted from pkcs12 into the SSP CM truststore.

Logging Improvement (Engine) - C:D certificate failure logging improvements

Trusted certificates that contain comments or too many characters on a line may not be able to be parsed by SSP 3.4.2, even though they worked in SSP 3.4.1.

Resolution: Added code so that if SSP fails to parse a trusted certificate, the name of the offending certificate is logged.
RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External Authentication

When using the SSP REST API to create a new CM user that uses external authentication, an error will occur if a password is not specified. Since authentication is done externally, a password should not be required in SSP.

Resolution: The SSP REST API code has been changed so that passwords are not required for new CM users that use external authentication.

RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns success but the node still exists

When using the SSP REST API to delete a C:D netmap node, and the node being deleted is referenced by another node's ACL, the REST API will return a successful response, but the node will not be deleted.

Resolution: The SSP REST API code has been updated to return a meaningful error message if a node cannot be deleted because it is referenced by another node's ACL.

RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a single Windows Service and starting/shutting down the PS service starts/stops all of them

After installing a more secure perimeter server, it is possible that the Windows service used to start and stop the perimeter server will be named using the wrong port number. If this new Windows service name overwrites an existing service, the perimeter server corresponding to the old Windows service cannot be started.

Resolution: The code has been changed so that the name of the perimeter server always contains the port number that the SSP Engine will listen on. This guarantees that the Windows Service name corresponds to the correct server.

RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS enabled

With FIPS mode enabled in SSP, a null pointer exception can occur if the group-exchange-sha256 key exchange algorithm is enabled in the outbound netmap node.
Resolution: Code has been added so that SSP can use the group-exchange-sha256 key exchange algorithm, in FIPS mode, for connections to the backend server.

RTC502863/IT16819 (CM,Eng) - (SFTP) Support hmac-sha256 & hmac-sha256@ssh.com

Previously, SSP did not support the following HMAC algorithms for SFTP adapters and outbound nodes: hmac-sha256 and hmac-sha256@ssh.com.

Resolution: Added support for hmac-sha256 and hmac-sha256@ssh.com.

RTC504898/IT16824 (CM) - (REST) XMLSchemas for Import RESTAPI Requests

Resolution: XSD files are now provided to allow XML validation. Sample programs were changed to show validation using the appropriate xsd file.

Note: Because netmapDef was re-used for cd, ftp, http, pesit and sftp, and ftpPolicyDef was re-used for ftp and sftp, changes were required to allow for xsd validation of import/export XML files. These changes also required modifications in the SSP CM, so CM must be upgraded to this level in order to use the xsd's provided.

RTC505169/IT15947 (CM) - HTTP Security headers were missing.

Resolution: Added the following security headers
1) Cache-Control: no-cache,no-store and Pragma: no-cache
2) X-Content-Type-Options "nosniff"
3) X-XSS-Protection "1"
4) Strict-Transport-Security - Note: Chrome may require some tweaking when the CM server certificate CN does not match the host name; see https://support.opendns.com/entries/66657664-Chrome-for-Windows-only-HSTS-Certificate-Exception-Instructions for the mitigation for Chrome

See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details.

RTC505320/IT15946 (CM) - Traversal of SSP CM Webapp root

Under certain conditions, a browser user is able to traverse the SSP CM webapp root directory.

Resolution: Added logic in the SSP servlet filter to block directory traversal. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details.

RTC505321/IT16020 (CM) - Accessing SSP CM using expired session id

The SSP CM Dashboard web session was not being reset during a logoff operation.
Resolution: Added logic to always reset the SSP CM Dashboard web session during a logoff operation. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details.

RTC505522/IT16713 (Engine) - (FTP/S) Enabling CCC causes transfers to fail
When CCC (Clear Control Channel) is enabled on the inbound node for the connection from the FTP Client to the SSP FTP Proxy, the session fails after the CCC command is sent by the client to SSP.
Resolution: SSP was updated to correctly interface with the newer PS.

RTC505585/IT15949 (CM) - SSP CM allows methods other than GET or POST
A user was able to send a request with a method other than GET and POST to the SSP CM server and get a response back.
Resolution: Modified the SSP CM web.xml to only honor GET and POST methods. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details.

RTC505702/IT16080 (CM) - Enhancements to password policy rules
Resolution: Now allow the SSP CM admin to specify the allowed special characters and also to specify the number of consecutive repeating characters within a new password string.

RTC507008/IT16396 (Engine) - (CD) Memory usage increases and process slowdown with C:D wildcard copies
A C:D process with a large number of steps (e.g. a wildcard copy) continues to consume resources, and processing slows down as more and more objects are added to the SSP session document.
Resolution: Refactored the way the SSP session document is manipulated to make it more efficient.

RTC508303/ (Engine) - CDzOS via SSP produces XXDR021I in CD Windows statistics
C:D Windows stats show XXDR012I RC 4 for processes between C:D Windows and C:D z/OS when going through SSP.
Resolution: Now explicitly specify the ISO-8859-1 character set for "bytes to string" and "string to bytes".
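The three CM web-hardening fixes above (security response headers in RTC505169, blocking traversal of the webapp root in RTC505320, and honoring only GET and POST in RTC505585) all live in the servlet layer in SSP. As an added illustration, not SSP's own code, the following Python WSGI middleware applies the same three controls to any application behind it. The demo application, the helper that drives it without a server, and the HSTS max-age value are constructed for this example; the page does not state what SSP CM sends for max-age.

```python
"""
Illustrative WSGI middleware (added example, not SSP CM code) showing the
three CM hardening fixes: security response headers (RTC505169), rejecting
path traversal of the webapp root (RTC505320), and honoring only GET and
POST (RTC505585).  The demo app and `call` helper are constructed here.
"""
from urllib.parse import unquote

SECURITY_HEADERS = [
    ("Cache-Control", "no-cache,no-store"),
    ("Pragma", "no-cache"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1"),
    # max-age is an assumed value; the page does not say what SSP CM uses.
    ("Strict-Transport-Security", "max-age=31536000"),
]
ALLOWED_METHODS = {"GET", "POST"}


def is_traversal(path):
    """True if any path segment is '..' after percent-decoding, so an encoded
    '%2e%2e' or a backslash-separated variant is caught as well."""
    decoded = unquote(path)
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


def hardening_middleware(app):
    """Wrap `app`: reject disallowed methods and traversal before it runs,
    and add the security headers to every response (error or not)."""
    def wrapped(environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "/")

        def reject(status, body):
            start_response(status, [("Content-Type", "text/plain")] + SECURITY_HEADERS)
            return [body]

        if method not in ALLOWED_METHODS:
            return reject("405 Method Not Allowed", b"method not allowed")
        if is_traversal(path):
            return reject("403 Forbidden", b"forbidden")

        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [h for h in SECURITY_HEADERS if h[0].lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)

        return app(environ, start_with_headers)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the CM dashboard: always answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"dashboard"]


def call(app, method, path):
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


hardened = hardening_middleware(demo_app)
```

The method allow-list is applied before the application sees the request, which is the same effect the web.xml security-constraint change in RTC505585 has; the headers are added to rejections too, so a 405 or 403 does not come back uncached or sniffable.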
RTC508526/IT16700 (CM) - Allow CM Admin to control locked account msgs
After SSP3430 iFix 1, the CM user is notified when its account is locked.
Resolution: Added a check box in the SSPCM System Settings tab to allow the Admin to indicate whether a CM user should be notified of a locked condition.

RTC508872/IT16456 (Engine) - SFTP public key auth failures cause locked accounts sooner in SSP3430
When the "Key or Password" authentication policy is used in SSP's SFTP adapter and a user's key is invalid, the account gets locked after one failed password attempt. The public key authentication failure is recorded twice, causing one subsequent failure of a password attempt to lock the account for SSP's lockout period.
Resolution: Ensure the SSH User Key authentication failure is not counted twice.
Workaround: Raise the "User Lockout Threshold" from the default of 3 in the Credentials -> User Stores section of the CM. (This value is used whether or not the user account is in the SSP user store.)

RTC508898/ (Engine) - (CD) With CHECKPOINT and FASP=SSP, SUSPEND hangs session
Doing a CDZ PNODE to CDU SNODE PULL with a checkpoint interval (100K) and FASP=SSP, a Suspend from CDZ hangs the session. The last thing seen is CDZ sending an exception response with sense code 08240118 to CDU and then going into receive; after receiving all data and the FMH80s buffered in SSP, the final receive waits for a response that never comes. The process cannot be flushed, so CDZ must be shut down.
Resolution: The FASP connection was being closed prematurely when it should have waited for the LIC on the data. The code has been updated to do so.

RTC508901/ (Engine) - (CD) Submit process on SNODE using FASP does not end session gracefully
The positive response from the SNODE to the PNODE after the FM7404 was not being waited on.
Resolution: Now wait on the positive response correctly.
RTC509062/IT16642 (PS) - (PS) Install issues with Windows service names
After SSP3430 iFix 1, the Windows Service name for the Remote Less Secure PS includes the local listen port number, and for the More Secure PS it includes the port number of the SSP to which the PS will connect. If more than one More Secure PS server is running on one host, pointing to the same port, the PS Windows service name will not be unique and will cause problems.
Resolution: To make the Remote PS Windows service name unique, the IP address of the host on which the PS listens (Less Secure PS) or the IP address of the SSP to which the PS connects (More Secure PS) is appended to the service name in addition to the port number.
Example PS name: IBM Sterling Perimeter Server V4.6.6.2 for SSP 3.4.3.0 on 3000 1.2.3.4
Windows Service name: SSP_PerimeterServer_3000_1.2.3.4

RTC509910/IT16488 (Engine) - (CD) SSP3430 causing data overruns when inbound unencrypted, outbound secure
With SSP3430 in front of a B2Bi CD server adapter, the CDSA may get a Java NullPointerException or IndexOutOfBoundsException when the C:D inbound session is unencrypted and the back end (outbound) node uses Secure Plus. When SSP encrypted the data from the inbound RU, it went beyond the negotiated RU size on the back end, causing the data overrun exceptions.
Resolution: Now properly break up the data from the unencrypted buffer into chunks which fit in the outbound RU, using multiple RUs as required.

RTC510313/IT16560 (CM,Eng) - (SFTP) Allow buffer lengths greater than 128K
Unable to upload files via SFTP if the client is using a buffer size > 128K. The Customer was attempting to connect from command line sftp with a larger buffer parm, -B240000. The connection is ok, but during the upload the SSP Maverick toolkit gets an error.
The Maverick log shows:
com.maverick.sshd.Subsystem - Incoming subsystem message length 240043 exceeds maximum supported packet length 131328
com.maverick.ssh.ExecutorOperationSupport - Caught exception in operation remainingTasks=0
java.nio.BufferOverflowException
at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0]
at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0]
at com.maverick.sshd.Subsystem.parseMessage(Subsystem.java:137)
Resolution: Now set the default allowed buffer size supported to be 256K. Override using the sftp.maxPacketLength property.
Note: Maverick toolkits were upgraded to SSHD 1.6.24 and J2SSH 1.6.22.

RTC510634/IT16823 (Engine) - (SFTP) SCP presents an RC 1 after successful GET
When a file is downloaded from the SI SFTP Server Adapter through SSP using the command line scp command, the scp client reports a Return Code of 1 instead of 0 for success. The scp put operations return 0 as expected.
Resolution: Made a change to SSP to close the connection properly so the command line scp client reports a 0 Return Code for "get" operations.

RTC510635/IT16815 (Engine) - (HSM) Certificates causing SSP0229E Exception
The Customer has certificates stored in an HSM and is upgrading to SSP 3.4.3. When securing connections or sending data, they get java.lang.NoClassDefFoundError - com.sterlingcommerce.security.util.SCIHSMManager.
Resolution: Corrected the SSP code and PS jar file to properly reference the failing class.

RTC511154/IT16980 (Engine) - (CD) C:D adapter fails to send "Http Ping Response" string consistently
The Customer is using the HTTP ping response for the C:D adapter to streamline the communication with the load balancer. After upgrading to SSP3420 iFix 8 (or SSP3430 iFix 1), the response was not being sent to the load balancer consistently.
Resolution: SSP was closing the socket after writing the HTTP ping response before the PS got a chance to complete its work. Added a 200ms delay after writing the HTTP response before closing the socket.
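Two of the entries above are about buffer bounds: RTC509910 (ciphertext must be split so each piece fits the RU size negotiated with the back end) and RTC510313 (an incoming subsystem message larger than the fixed 128K limit drove a BufferOverflowException instead of a clean protocol error). The following Python is an added example, not SSP or Maverick code, of both ideas on a simplified 4-byte length-prefixed frame format; the frame layout, the 240043-byte sample message and the overhead figure are constructed for the illustration, and the 256K and 131328 limits are the values quoted in the fix.

```python
"""
Added example (not SSP or Maverick code): a bounded frame parser that
rejects oversized messages with a protocol error (RTC510313) and a helper
that splits a plaintext buffer into chunks that fit the negotiated outbound
RU (RTC509910).  Frame layout and sample bytes are constructed here.
"""
import struct

DEFAULT_MAX_PACKET = 256 * 1024   # new default from the fix (sftp.maxPacketLength)
LEGACY_MAX_PACKET = 131328        # limit quoted in the Maverick log line above


class PacketTooLarge(ValueError):
    """Raised instead of letting an oversized length overflow a buffer."""


def parse_frames(data, max_packet=DEFAULT_MAX_PACKET):
    """Parse 4-byte big-endian length-prefixed frames from `data`.

    The length is checked against max_packet *before* any copy, so a hostile
    or merely large length field cannot drive a write past a fixed buffer.
    Returns (frames, leftover) where leftover is an incomplete trailing frame.
    """
    frames = []
    offset = 0
    while offset + 4 <= len(data):
        (length,) = struct.unpack_from(">I", data, offset)
        if length > max_packet:
            raise PacketTooLarge(
                "message length %d exceeds maximum supported packet length %d"
                % (length, max_packet))
        if offset + 4 + length > len(data):
            break  # wait for more bytes rather than reading past the end
        frames.append(data[offset + 4:offset + 4 + length])
        offset += 4 + length
    return frames, data[offset:]


def chunk_for_ru(payload, ru_size, overhead):
    """Split `payload` so each chunk plus per-RU overhead (headers, MAC,
    padding after encryption) fits in `ru_size`; uses as many RUs as needed."""
    if overhead >= ru_size:
        raise ValueError("overhead leaves no room for data in the RU")
    step = ru_size - overhead
    return [payload[i:i + step] for i in range(0, len(payload), step)]


def frame(payload):
    """Encode one length-prefixed frame."""
    return struct.pack(">I", len(payload)) + payload


# Constructed stream: a small frame followed by one of 240043 bytes, the
# size the Maverick log reported for the client's -B240000 buffer.
SAMPLE_STREAM = frame(b"a" * 1000) + frame(b"b" * 240043)
```

With the legacy limit the second frame is refused up front; with the 256K default it parses, which is the behaviour change the fix describes. The chunking helper is the general form of "break the data into pieces that fit the outbound RU".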
RTC511478/RFE511476 (CM,Eng) - (SFTP) Force one line password prompt
When the SFTP adapter is configured with the "Key or Password" authentication mechanism, it was causing a multiple line password prompt to be displayed.
Resolution: Added support for a new property in the SFTP adapter Property tab. kb.single.password.prompt=false is the default and keeps a multi-line password prompt in keyboard interactive mode when using "Key or Password". Setting kb.single.password.prompt=true forces a one-line prompt.

RTC511666/IT17151 (CM) - Unable to invoke iKeyman on Solaris 10
The IBM hybrid JRE on Solaris delivers ikeyman as a call to the native Java with a class to execute. However, if JAVA_HOME doesn't point to the IBM JRE, it gets "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman".
Resolution: Corrected the Solaris installers for SEAS, SSP, SSP_CM and PS to modify jre/bin/ikeyman so that it always invokes the installed IBM JRE.

RTC511903/IT17121 (Engine) - (SFTP) Slow upload speed via SSP on Solaris
SSP was not automatically using Solaris hardware encryption to speed up its crypto processing.
Resolution: Updated the installer to change the java.security file on Solaris to include the security provider for Solaris hardware encryption.

RTC511928/IT17359 (CM) - (HSM) Cannot delete old certificates in the CM HSM Keys list after upgrade
Certificates installed into the HSM using pre-SSP3420 had a different provider than is supported with the new IBM toolkit.
Resolution: Updated the code to delete the old certificates successfully.

RTC512573/IT18260 (Engine) - HTTP connections fail with SSE0102E secure connection failures after upgrade to SSP 3.4.2
Starting in version 3.4.2, a change was made in SSP to make use of the IBM JSSE as the security provider for SSL instead of Certicom. Certicom used only one thread to process the events related to SSL handshakes. For the IBM JSSE, a thread pool was introduced for processing the events,
along with a new local perimeter server property, perimeterServices.tlsDefaultThreadsPerAdapter=1, specifying the number of threads in the pool. However, the default value of 1 resulted in not having enough threads to handle even small spikes in TLS handshakes.
Resolution: Change the value of the local perimeter services property in /bin/perimeter.properties to perimeterServices.tlsDefaultThreadsPerAdapter=5.

RTC513206/IT17358 (CM) - SSPCM allows the password change step to be bypassed
When the administrator sets a CM user's password for the first time or resets it, and the user is required to change the password initially entered by the admin, it is possible to bypass the mandatory password change and access the CM.
Resolution: Locked down the access in the case of a required password change.

RTC513451/IT17846 (CM,Engine) - Updated to use Maverick sshd 1.6.27, j2ssh 1.6.23, common 1.6.11
Resolution: Upgraded to newer Maverick toolkits to resolve several underlying issues.

RTC513984/ (Engine, SSPCM, PS and SEAS) - Enhancement to allow silent Installs for SSP, CM, PS
InstallAnywhere Silent Install is a feature which allows for automated installs without questions and answers from the console. It can be used for repetitive installs at Customer sites. The administrator first does the product install in "record" mode, which builds an installation properties file for subsequent silent installs in "replay" mode. The SSP Engine, CM, PS, and SEAS have all been updated to allow silent installs.

RTC514315/IT17373 (CM) - Import of CA trusted file with multiple certs or comments getting corrupted or rejected
The Customer imports a trusted.txt file that contains several CA certificates into the truststore (Credentials > Trusted Certificate Stores). The certificates import, but in the Certificate Data window it indicates only 1 of 1 certificates is imported, though you are able to see the multiple BEGIN and END embedded certs.
Also, trusted files with embedded comments before or after the BEGIN CERTIFICATE / END CERTIFICATE pairs were being rejected.
Resolution: Updated the import logic to remove comments and blank lines during the import process and to process multiple certs in one file. Also updated the CM during startup to clean trusted files already loaded in the truststore.

RTC516359/IT18163 (Engine) - Deadlock/hang in failover code
When Failover is set up in continuous mode and a more secure Remote PS is set up between SSP and the backend Server, if the backend Server goes down, it may result in a deadlock in the SSP Adapter threads. When the backend Server is active again, the SSP Adapter may not be accepting new connections, causing the engine to appear hung.
Resolution: Modified the failover logic to avoid the deadlock.
Note: RTC516359 is also internally called RTC524026.

RTC516459/IT17419 (CM) - The manageCSRs.sh script gets a NullPointerException when attempting to create a CSR
The manageCSRs.sh script gets a NullPointerException after generating the private and public key and attempting to place it in the keystore.
Resolution: Now set the default keystore provider to be the IBM JCE.

RTC517058/IT17567 (Engine) - *HIPER* FTPS passive data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3
After upgrading to SSP3420 or SSP3430, Secure FTP client sessions were hanging intermittently on data operations, such as directory listings, sending and receiving files. The TLS handshake was failing to start, causing a timeout. One Customer also experienced data corruption when using Filezilla as the FTPS client.
Resolution: Fixed a race condition when opening the data channel and responding to the TLS handshake for the client.

RTC517621/IT17983 (Engine,PS) - Too many open file handles - lsof output
Round 2 of the issue with having sockets show up as leftover and in an unusual state ("can't identify protocol") in lsof output after hours of running.
This can lead to the PS running out of available "channels".
Resolution: Updated the PS code (local and remote) to automatically close sockets which are detected to be in this unusual state.

RTC518916/IT18164 (Engine) - CD "PNODE Host controls SSL Protocol" netmap setting fails in some circumstances
When SSP is connecting to the real SNODE, specifying "PNODE Host controls SSL Protocol", and the real SNODE doesn't support TLS1.2 and has specified OVERRIDE=N, the handshake fails.
Resolution: Now recognize that "PNODE Host controls SSL Protocol" is set and the adapter allows differing encryption levels, and attempt to do a handshake supporting all protocols with the SNODE. The SNODE then decides what it can and cannot do.

RTC519253/IT18066 (Engine) - (CD) Allow server only certificates for client authentication
If Secure+ and client authentication are turned on for a CD PNode, and the node presents a certificate with "Netscape Cert Type: SSL Server" and does not also indicate an Extended Key Usage of SSL Client, the SSL handshake fails with CSP057E "exception in processing com.ibm.jsse2.util.j: Netscape cert type does not permit use for SSL client". This is an RFC restriction imposed by the IBM JSSE toolkit.
Resolution: SSP is updated to allow SSL Server certificates for CD client authentication by default. A new property can be set in the CD adapter, AcceptServerOnlyCertForClientAuth, to override this behavior. Settings are:
true - (default) allow the handshake and produce message CSP998I to list the PNode and subject name of the certificate
showcert - same as true, but also append the full certificate listing
false - reject the handshake with message CSP997E

RTC519510/IT18176 (CM,Engine) - Do not enforce common name checking if CD client authentication not turned on
The SSP CD adapter was failing PNode connections when common name checking was checked in the netmap, but client authentication was not.
Resolution: Now ignore the common name checking flag during CD handshaking if the client authentication flag is not checked, and put out a warning message instead.

RTC519864/IT17988 (Engine) - 2 ciphers missing from supported ciphersuites list
Two ciphers (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) were missing from the supported ciphersuites.
Resolution: Added the ciphers to the supported ciphersuites.

RTC519966/IT18001 (CM) - Admin user can't be deleted in SSPCM
After installing the SSPCM and adding a new user with Admin privileges, the Customer was unable to delete the original default "admin" account. The Customer's site security required removing the default account.
Resolution: Corrected the code to allow deleting the "admin" account from another account with Admin privileges.

RTC520046/IT17985 (CM) - Unable to use custom channel name in the JMS configuration
The Customer defined a custom channel name in addition to the default "", but the custom channel name was overridden by the default.
Resolution: Corrected the code that was overriding the custom channel name so that it could be used to send messages.

RTC520758/IT18178 (CM) - Externalize delay for CD HttpPingResponse
When the SSP CD adapter is configured to accept HTTP pings, SSP writes the ping response and closes the socket before the PS gets a chance to complete sending the response to the load balancer.
Resolution: Now add a 200ms delay after writing the HTTP response before going to final to close the socket. The delay can be adjusted with the CD Adapter property HttpPingResponseDelay=200 (default). The value is in milliseconds.

RTC521075/IT18187 (CM) - 2 special characters in CM password when special characters required
When the SSPCM password policy was set to require a special character, the password was being forced to include at least two special characters.
Resolution: Now only require one special character when the password policy is enabled with "must have special character".

RTC521835/IT18266 (Engine) - (HSM) SecureRandom failures using HSM with CD
CD sessions fail with "session.logic.engine not found in Parameters" when using the ncipher HSM. The HSM random number generator does not accept seeding.
Resolution: Removed code which was attempting to seed SecureRandom during TLS connections when the key certificate is in the ncipher HSM.

RTC522699/IT18216 (CM) - Thousands of sockets in TIME_WAIT when JMS listener down
After configuring the SSP CM to publish messages to WebSphere MQ, the Customer found a huge number of sockets in TIME_WAIT status with the destination of the queue manager and originating from the SSP CM. The excessive sockets used up file descriptors in their system.
Resolution: Added logic to log JMS connection failures, and then added a 20 second delay between connection attempts to limit the growth of sockets when the JMS queue is down.

RTC523578/ (Engine) - (HSM) CD Protocol unable to use keycert in HSM
The C:D protocol was unable to use a key/certificate stored in the HSM, getting CSP900E Logged Exception : no valid keycert found - exception.
Resolution: Added the logic to correctly handle referencing keycerts in an HSM device when using the C:D protocol.

RTC523287/IT18529 (Engine) - SEAS-Agent timeouts are hanging other SFTP Adapters including ones not dependent on SEAS
SFTP sessions which go through SEAS and hang during a logoff operation can cause sessions on other SFTP adapters which do not use SEAS to hang.
Resolution: Placed the logic for doing SFTP logoffs in a separate thread pool so that they do not hold the EventServiceImplementation lock while doing the logoff operations.
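The trusted-file import fix above (RTC514315) has to cope with a file that holds several PEM certificates surrounded by comments, subject dumps and blank lines, and the CM startup step re-cleans files already in the truststore. As an added example, not SSP CM code, the following Python does the same two things: it extracts every BEGIN/END CERTIFICATE pair as DER bytes, rejecting a block whose base64 does not decode rather than silently skipping it, and re-emits a cleaned bundle. The sample bundle is constructed; the bytes inside it are placeholders, not real certificates.

```python
"""
Added example (not SSP CM code) of the import logic described in RTC514315:
read a trusted-certificate file that may hold several PEM certificates with
comments or blank lines around them, keep only the BEGIN/END blocks, and
return each certificate's DER bytes.  The sample bundle is constructed and
its base64 payloads are placeholders, not real certificates.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL)


def split_pem_bundle(text):
    """Return a list of DER byte strings, one per certificate block in `text`.

    Anything outside the markers (comments, 'subject=' dumps, blank lines) is
    ignored, which is what let the old importer see "1 of 1" or reject the
    file.  A block whose base64 is malformed raises ValueError naming the
    block, so a corrupted file is reported instead of partially imported.
    """
    certs = []
    for n, match in enumerate(PEM_BLOCK.finditer(text), start=1):
        body = re.sub(r"\s+", "", match.group(1))
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("certificate %d is not valid base64: %s" % (n, exc))
        if not der:
            raise ValueError("certificate %d is empty" % n)
        certs.append(der)
    return certs


def clean_bundle(text):
    """Re-emit only the certificate blocks, wrapped at 64 columns, as the CM
    startup cleanup in the fix does for files already in the truststore."""
    out = []
    for der in split_pem_bundle(text):
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                   + "\n-----END CERTIFICATE-----")
    return "\n".join(out) + "\n"


# Constructed sample: two "certificates" with the comments, subject dump and
# blank lines that used to break the import.  Payloads are placeholder bytes.
SAMPLE_BUNDLE = (
    "# Example Root CA (constructed placeholder)\n"
    "subject=CN=Example Root\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder-root-ca-bytes").decode("ascii") + "\n"
    "-----END CERTIFICATE-----\n"
    "\n"
    "# Example Intermediate CA\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder-intermediate-bytes").decode("ascii") + "\n"
    "-----END CERTIFICATE-----\n"
    "trailing comment\n"
)
```

Validating the base64 strictly (validate=True) is the defensive choice: a truncated or edited block in a trust anchor file should fail the import loudly rather than load as garbage or be dropped without notice.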
RTC524219/IT18552 (Engine) - *HIPER* CD failures after upgrade to SSP3420 iFix 9 or SSP3430 iFix 2
When upgrading to SSP3420 iFix 9 or 3430 iFix 2, the old Certicom SSL Context values from SSP3418 were not properly converted to IBM JSSE SSL Context values. This caused java.security.NoSuchAlgorithmException - TLS1-ONLY SSLContext not available on CD transfers.
Resolution: Now convert the old Certicom SSL Context values to the IBM JSSE SSL Context values during CD SSL handshaking.
Workaround: Do a Save in the GUI on the affected netmap node(s) to assign the correct TLS protocol setting.

RTC524274/IT19027 (Engine) - (HSM) FTPS not working with HSM certificates after upgrading from 3.4.1.7 to 3.4.3
The key certificate alias in the HSM was mixed case and was not succeeding during the TLS connection in the SSP FTP adapter.
Resolution: Now normalize the key certificate alias to lower case before attempting the TLS connection.

RTC524897/IT18695 (Engine) - 100% CPU in Maverick toolkit after a few days
The Customer found that his engine was reaching 100% CPU after several days. A Javacore showed that there were several threads looping in Maverick code.
Resolution: Updated the Maverick toolkits to SSHD 1.6.30 and J2SSH 1.6.25.

RTC525081/IT18698 (Engine) - Numerous Maverick NullPointerExceptions in systemout.log after SSP3420 iFix 9
The fix for RTC523287 introduced a new thread to handle SFTP logoffs. However, it attempted to reference a Maverick Connection object which had become stale. Since the NPE happened after the client had disconnected, it had no effect on transfers, etc.
Resolution: Now get the information from the Maverick Connection object before invoking the SFTP logoff thread.

RTC525304/ (Engine) - Performance test fails for HTTPS and FTPS
Resolution: Changed the default values for the following two properties in the local perimeter.properties file, based on a recommendation from the SI team after performance testing with SSP:
perimeterServices.outboundPipeCapacity=10 (was 2)
perimeterServices.serverConduitCapacity=10 (was 2)

RTC525585/IT18998 (CM) - HTTP netmap inbound logging level reset to NONE if Routing Node tab selected
If the user sets a value for the logging level in the HTTP Netmap Inbound Advanced tab and then navigates to the Routing Node tab, the logging level is reset back to NONE.
Resolution: Now save the logging level value before navigating away from the Advanced tab.

RTC525694/IT18971 (CM) - Large certificate serial number appears incorrectly within SSPCM
A certificate with a serial number larger than the maximum integer value (2G) was not being displayed correctly.
Resolution: Now format the display of the certificate serial number using the BigInteger object type, which handles numbers larger than maxint.

RTC525887/ (Engine) - FTPS data channel hangs when CEU is back end
Running Secure FTP with Connect:Enterprise for UNIX as the back end FTP server, the data channel can hang waiting for the TLS handshake when in PASV mode.
Resolution: Now determine if the back end server is CEU and automatically adjust the timing of when to start the TLS handshake on the back end.

RTC525909/ (Engine) - Error messages "peer not authenticated" in load test logs for C:D sessions
In our local testing there were numerous "peer not authenticated" error messages in the C:D logs, although the sessions completed normally. If the sessions were configured to require client authentication by the PNode, the messages were not produced.
Resolution: Now bypass emitting the message if the PNode is not configured to do SSL client authentication.

RTC525956/ (Engine) - SFTP concurrency test produces a number of NPEs
Our concurrency load testing was turning up numerous NullPointerExceptions in BackendSftpSubsystem.java, after RTC523287 and RTC525081.
Resolution: Now serialize the usage of the session object to eliminate the NPE.
RTC526163/ (Engine) - Avoid erroneous PASV response from server
When an FTPS client starts a data operation without waiting for the previous command to complete, the PASV response from the back end server can be sent directly to the client, disclosing the IP information of the internal system.
Resolution: Now detect when a PASV response is being returned when not in passive mode and terminate the session with an internal error.

RTC527009/IT19026 (Engine) - FTPS client connects, but LIST command delayed
In some situations, the FTP LIST command takes a long time to finish when testing with WS-FTP. The time it takes seems to match the FTP Adapter session timeout time in SSP. A NullPointerException was causing the data channel to not be closed properly.
Resolution: Changed the code to avoid the NullPointerException during the data channel operation.

RTC527283/IT19153 (CM) - SSP 3.4.3 CM in Windows Uninstall shows Version 3.4.2.0; 'Help' points to v3.4.2 content
The SSPCM v3.4.3 'Version' column information in Windows 'Programs and Features / Uninstall a Program' shows 3.4.2.0. The "IBM Sterling Perimeter Server V4.6.6.2 for SSP 3.4.3.0" shows a version of "4.6.6.0". Also, the SSPCM 3.4.3.0 'Help' links were all pointing to 3.4.2 content.
Resolution: Updated the InstallAnywhere installer to properly set the version information for the SSPCM and SSP PS. Updated all the SSP3430 Help links to point to SSP3430 URLs.

RTC527354/IT19159 (CM) - TLS1.2 is not negotiating when FIPS mode ON
When running the SSP Engine in FIPS MODE, the HTTP and FTP adapters will not allow a TLS1.2 handshake. It works ok when FIPS mode is OFF.
Resolution: Updated SSP to allow TLSv1.1 and TLSv1.2 under FIPS mode.

RTC527355/ (CM,Engine) - SSP CM not PUSHing configured SSH Local User Keys to SSP Engine
In some situations, the SSP CM was not pushing the SSH local user keys to the SSP Engine.
Resolution: Now correctly push the SSH local user keys to the SSP Engine.
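The PASV fix above (RTC526163) is a small but important piece of proxy hygiene: a 227 "Entering Passive Mode" reply carries the back-end server's own address and port, so a proxy must only relay one it solicited, and must rewrite it with its own endpoint. The following Python is an added example, not SSP code, of that control-channel state check; it parses 227 replies in the RFC 959 format, tracks whether a PASV is outstanding, masks the internal endpoint in what is relayed, and raises (the caller would terminate the session with an internal error) when a 227 arrives unsolicited. The two sample transcripts are constructed.

```python
"""
Added example (not SSP code) of the check described in RTC526163: relay a
227 reply only when the proxy has an outstanding PASV toward the back end,
and never forward the back-end address.  Reply format per RFC 959; the
sample transcripts are constructed.
"""
import re

PASV_REPLY = re.compile(
    r"^227 .*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not a valid one."""
    m = PASV_REPLY.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


class UnexpectedPasvReply(Exception):
    """A 227 reply arrived with no PASV outstanding; the session must end."""


class ControlChannelGuard:
    """Vets each back-end reply before it is relayed to the client.

    The proxy records when it has forwarded a PASV; a 227 seen at any other
    time is treated as an out-of-sequence reply (the client pipelined a new
    command) and is not relayed, because it would expose the internal host.
    """

    def __init__(self):
        self.awaiting_pasv = False
        self.backend_data_endpoint = None

    def on_client_command(self, line):
        if line.strip().upper() == "PASV":
            self.awaiting_pasv = True

    def on_server_reply(self, reply):
        endpoint = parse_pasv(reply)
        if endpoint is None:
            return reply
        if not self.awaiting_pasv:
            raise UnexpectedPasvReply("227 reply without outstanding PASV; not relayed")
        self.awaiting_pasv = False
        self.backend_data_endpoint = endpoint  # proxy connects here itself
        # A real proxy substitutes its own listener's address; here the
        # internal endpoint is simply masked so it never reaches the client.
        return "227 Entering Passive Mode (proxy data channel)"


def replay(events):
    """Run the guard over a list of ('C', command) / ('S', reply) events;
    returns the guard and the replies that would be relayed to the client."""
    guard = ControlChannelGuard()
    relayed = []
    for direction, line in events:
        if direction == "C":
            guard.on_client_command(line)
        else:
            relayed.append(guard.on_server_reply(line))
    return guard, relayed


# Constructed transcripts.  10.1.2.3 is a placeholder internal address.
SAMPLE_OK = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,1,2,3,19,137)"),
    ("C", "LIST"),
    ("S", "150 Here comes the directory listing."),
]
SAMPLE_LEAK = [
    ("C", "LIST"),
    ("S", "227 Entering Passive Mode (10,1,2,3,19,137)"),
]
```

The same guard can be extended to EPSV (229) replies, which carry only a port but still reveal that the back end differs from the proxy.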
No Defect (Engine) - Additional KQV values for C:D FM71 - ZEDC
Resolution: New KQV values for the Connect:Direct FMH71 are added for ZEDC support to avoid error messages when unknown values are encountered. The following values are added: "ZEDR", "ZEDS", "ZEFR", "ZEFS", "ZERR", "ZERS", "ZWIN", "ZWIR", "Z15R", "Z15S", "ZIFR", "ZIFS", "ZBFR", "ZBFS", "ZEHR", "ZEHS", "ZEIR", "ZEIS", "ZIIR", "ZIIS", "ZIJR", and "ZIJS".

RTC528659/IT20207 (Engine) - SSP restarted due to OOM errors
The SFTP session config objects were not consistently getting disposed of and were causing a memory leak, resulting in a Java OutOfMemory exception.
Resolution: Now properly dispose of the session config object at the end of each session.

RTC528702/IT19672 (CM,Engine) - Install failure causes secure protocols to fail after upgrade
The Customer had security software on their Linux box which prohibited running the InstallAnywhere scripts out of the /tmp directory. InstallAnywhere silently failed to copy the JRE libraries that we need to do unlimited strength security.
Resolution: Updated InstallAnywhere to check the return code from the "CopyJreLib files" step and put out a message panel to let the installer know they should set 2 environment variables and restart the installation to ensure that the InstallAnywhere scripts can run in their work directory.
Workaround: Prior to running the install, set the following environment variables to point to a work directory other than /tmp (example, $HOME):
export IATEMPDIR=
export TEMPDIR=

RTC529443/IT19491 (Engine) - SFTP adapter won't come up when HSM is enabled
The SFTP adapter will not start when HSM is enabled in security.properties.
Resolution: Updated the SFTP toolkit API (Maverick) to use IBMJCE for algorithms handling the SSH private key.
RTC529446/IT19332 (Engine) - Unable to use HSM keystore without password
The SSP engine was not able to access the ncipher HSM when the HSM keystore password was set to blank.
Resolution: Now initialize the HSM interface with proper values for blank/null passphrases.

RTC529453 (CM) - Ship a separate security.properties for SSP CM
Resolution: Ship a separate copy of bin/security.properties for the SSP CM.

RTC529530 (CM,Engine) - (HSM) No longer ship setupHSM.bat or .sh and remove them if they exist
The setupHSM script is no longer valid to run, as all the support for HSM is contained in the IBM JRE.
Resolution: The setupHSM.bat or .sh scripts are no longer shipped, and are removed at upgrade time with an InstallAnywhere post-install step.

RTC530844/IT19443 (Engine) - (CD) Allow client-only certs in server authentication
This is similar to RTC519253/IT18066 for server-only certificates after an upgrade from SSP341x. If Secure+ is turned on for a CD SNode, and the node presents a server certificate with an Extended Key Usage of SSL Client, the SSL handshake fails with CSP057E "exception in processing com.ibm.jsse2.util.j: Netscape cert type does not permit use for SSL server". This is an RFC restriction imposed by the IBM JSSE toolkit.
Resolution: SSP is updated to allow SSL client certificates for CD server authentication by default. A new property can be set in the CD adapter, AcceptClientOnlyCertForServerAuth, to override this behavior. Settings are:
true - (default) allow the handshake and produce message CSP998I to list the SNode and subject name of the certificate
showcert - same as true, but also append the full certificate listing
false - reject the handshake with message CSP997E

RTC530859/IT19451 (Engine) - (CD) Accept "TLS" and change to "TLSv1"
Some configurations from older levels of SSP contain "TLS" as the protocol to be used for the C:D netmap. "TLS" is not a valid protocol in the IBM JSSE. "TLSv1" is the correct name for version 1 of TLS.
Resolution: Updated the code on the engine to recognize "TLS" and convert it to "TLSv1".
Workaround: Do a Save in the GUI on the affected netmap node(s) to assign the correct TLSv1 protocol setting.

RTC531365/IT19649 (CM) - SSPCM users unable to change password after upgrade
SSP CM users were unable to successfully perform a password change when the SSP CM was upgraded from a version previous to 3430. A new string for specifying which special characters to allow in a password was not being populated during an upgrade, and users got the message "password must contain these special characters null".
Resolution: Added logic for the SSP CM during startup to validate and correct password policies that have "mustContainSpecialCharacter" set but no default special character string set.
Workaround: Simply save the password policy in the GUI, and it will self-correct.

RTC531976/IT19734 (Engine) - SFTP sessions fail when HSM is enabled
When HSM is turned on in the SSP Engine, the IBMPKCS11Impl provider is added ahead of the IBM JCE in the Java security provider list, which causes SFTP sessions to fail.
Resolution: Now ensure that we use the IBM JCE for certain ciphers like the DH key exchange.

RTC532302/IT19647 (CM) - REST: Don't require truststore for http inbound node if client auth is not enabled
When using the SSP REST APIs to update an HTTP netmap with security enabled, an error is thrown if the HTTP inbound node does not specify a trust store, even when client auth is not enabled.
Resolution: Updated the REST validator to not require a trust store name when client auth is not enabled for HTTP inbound nodes.

RTC532854/IT19863 (CM) - REST API unable to use TLS1.2 to SSP CM Web
The Customer updated their SSPCM Web server to use the TLS1.2 protocol, but then the REST API would not connect to it.
Resolution: Corrected the SSP REST API connections to use whatever protocol (SSLv3-TLS1.2) the SSPCM is configured to use. Prior to this fix, only the TLSv1 protocol could be used.
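Three entries in this list concern the CM password policy: the admin-configurable allowed special characters and limit on consecutive repeating characters (RTC505702), requiring one special character rather than two when that rule is on (RTC521075), and repairing at startup a policy whose special-character string was left null by an upgrade so users do not see "must contain these special characters null" (RTC531365). As an added example, not SSP CM code, the following Python shows one validator that implements all three. The policy field names (mustContainSpecialCharacter is the one the page quotes; specialCharacters, maxConsecutiveRepeats and minLength are assumed) and the default special-character set are assumptions.

```python
"""
Added example (not SSP CM code) of a password-policy check covering the
rules in RTC505702, RTC521075 and RTC531365.  Field names other than
"mustContainSpecialCharacter" and the DEFAULT_SPECIAL set are assumptions.
"""
DEFAULT_SPECIAL = "!@#$%^&*()_+-="   # assumed default set, not SSP's actual one


def repair_policy(policy):
    """Startup fix-up (RTC531365): a policy that requires a special character
    but carries no allowed set (None or empty) gets the default set instead
    of failing every password change with a 'null' message."""
    fixed = dict(policy)
    if fixed.get("mustContainSpecialCharacter") and not fixed.get("specialCharacters"):
        fixed["specialCharacters"] = DEFAULT_SPECIAL
    return fixed


def max_run(s):
    """Length of the longest run of one repeated character in `s`."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password, policy):
    """Return a list of violations; an empty list means the password passes."""
    policy = repair_policy(policy)
    problems = []

    min_len = policy.get("minLength", 8)
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)

    allowed_special = policy.get("specialCharacters") or ""
    if policy.get("mustContainSpecialCharacter"):
        count = sum(1 for ch in password if ch in allowed_special)
        if count < 1:   # exactly one is enough (RTC521075), not two
            problems.append("must contain at least one of: " + allowed_special)

    # Anything that is neither alphanumeric nor in the admin's allowed set
    # is rejected, which is what "specify the allowed special characters"
    # means in practice.
    disallowed = sorted({ch for ch in password
                         if not ch.isalnum() and ch not in allowed_special})
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))

    limit = policy.get("maxConsecutiveRepeats", 2)
    if max_run(password) > limit:
        problems.append("more than %d consecutive identical characters" % limit)
    return problems
```

Running the repair before validation, rather than only at startup, means a policy object that reaches the validator in the broken upgraded shape still produces a usable message; the startup pass in the fix persists the correction so the GUI shows it too.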
RTC533058/ (CM,Engine) - Shutdown scripts hang with JRE 1.8 on AIX
The delay was caused by getRandom not getting enough entropy to initialize the seed value for the random number generator.
Resolution: Set securerandom.source=file:/dev/random in the java.security file. This accesses the default random source on unix platforms and it works with no delay.

RTC533482/ (Engine) - CD transfers not working with SSLv3
The Customer has a legacy CD partner which still uses the SSLv3 protocol. However, SSLv3 was not working because the protocol specification was being passed to the IBM JSSE as uppercase "SSLV3" instead of "SSLv3", which the JSSE requires.
Resolution: Now pass the correct "SSLv3" protocol to the JSSE when the netmap node definition is "SSLv3" or "PNode Controls the SSL protocol".
Note: Since SSLv3 is disabled by default, see the notes for IT07375 to allow it to work for a legacy partner.

RTC533580/ (CM) - REST unable to import exported configurations
Several errors have been exposed in the SSP REST API validation when users export their entire configuration with "export entity=sspCMConfigs" and then attempt to import the same file back in. Problems found:
o C:D Netmap: Common Name checking didn't allow blanks in names
o C:D Netmap: Verify Common Name required client auth to be enabled
o C:D Netmap: Old Certicom protocols rejected (TLS1-ONLY and TLS)
o C:D Netmap: Node names not allowed to start with a dash "-"
o C:D Netmap: Nodes rejected without the ACLOutboundRequired xml tag
o KeyStore Certificates: old "templateNames" keyword mis-handled
o KeyStore Certificates: Was rejecting expired certificates
o CM Users: Only the role of "admin" was accepted
o sysSslInfo: Validation required list of cipher suites
o Error messages needed to be improved to aid in problem determination
Resolution: Corrected the above issues so that exported configurations could be imported again via the REST API.
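Several fixes in this list are the same problem seen from different netmaps: a protocol name stored by an older SSP level ("TLS1-ONLY" from the Certicom era in RTC524219, bare "TLS" in RTC530859, upper-cased "SSLV3" in RTC533482) is handed to the IBM JSSE verbatim, which only accepts its own exact names and throws NoSuchAlgorithmException. RTC518916 adds the "PNODE Host controls SSL Protocol" case, where the adapter should offer every protocol and let the peer choose. As an added example, not SSP code, the following Python normalizer maps such legacy settings onto JSSE names, refuses names it does not know rather than passing them through, and keeps SSLv3 out of the enabled list unless it has been deliberately re-enabled, mirroring the jdk.tls.disabledAlgorithms default. The mapping of Certicom values other than the ones quoted on the page, and the alias table generally, are assumptions.

```python
"""
Added example (not SSP code): normalize legacy netmap protocol settings to
the exact names the IBM JSSE accepts (RTC524219, RTC530859, RTC533482) and
expand "PNode controls the SSL protocol" to the full list (RTC518916).
The alias table beyond the names quoted in those fixes is an assumption.
"""
JSSE_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Upper-cased legacy spellings -> JSSE name.  "TLS" and "TLS1-ONLY" to
# "TLSv1" follow the fixes above; the remaining entries are assumed.
ALIASES = {
    "TLS": "TLSv1",
    "TLS1-ONLY": "TLSv1",
    "TLSV1": "TLSv1",
    "TLS1": "TLSv1",
    "TLSV1.1": "TLSv1.1",
    "TLSV1.2": "TLSv1.2",
    "SSLV3": "SSLv3",
}

# Both spellings of the peer-decides setting that appear in the fix list.
PEER_DECIDES = {
    "PNODE CONTROLS THE SSL PROTOCOL",
    "PNODE HOST CONTROLS SSL PROTOCOL",
}


def normalize_protocols(setting, sslv3_enabled=False):
    """Return the tuple of JSSE protocol names to enable for `setting`.

    SSLv3 is dropped unless explicitly re-enabled (it is disabled by the
    JRE default and by SSP, see IT07375).  An unknown name raises here,
    at configuration-load time, instead of surfacing later as a
    NoSuchAlgorithmException in the middle of a C:D handshake.
    """
    key = " ".join(setting.split()).upper()
    if key in PEER_DECIDES:
        wanted = JSSE_PROTOCOLS
    else:
        name = ALIASES.get(key)
        if name is None:
            raise ValueError("unknown protocol setting %r" % setting)
        wanted = (name,)
    enabled = tuple(p for p in wanted if p != "SSLv3" or sslv3_enabled)
    if not enabled:
        raise ValueError("%r resolves only to SSLv3, which is disabled" % setting)
    return enabled
```

Doing this conversion when the configuration is loaded, rather than inside the handshake path, is what the "Save the netmap node in the GUI" workarounds in RTC524219 and RTC530859 achieve by hand.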
RTC533680/IT20027 (Engine) - RU size negotiated to 16259 when using Secure+ on one CD node and non-secure on the other
C:D Windows and C:D UNIX put SSLB=fals in their FM68 when establishing a non-secure connection. This indicates that SSL blocking cannot be used to add multiple SSL buffers into a single RU. SSP only adds SSLB=true when the SSLB keyword is not present in the FM68.
Resolution: Now recognize when SSLB=fals is sent from a non-secure node and change its value to true on the SNode side so that SSL blocking can be done on the secure side.

RTC533801/ - Upgrade to Java 1.8 for Java January 2017 security fixes
Resolution: Upgrade to IBM JRE 1.8 SR4.1 to take advantage of the improved security features. This level of JRE addresses several Java vulnerabilities documented in the Security Bulletin:
  http://www.ibm.com/support/docview.wss?uid=swg22001966
ACTION: Disables Triple-DES (3DES_EDE_CBC) and DES ciphers. If your site requires 3DES ciphers (because you have not switched to AES128 or AES256), you may edit the /jre/lib/security/java.security file and change the following line from
  jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede
to
  jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DESede
Note that the new Java 1.8 contains the following new parameters in the ./jre/lib/security/java.security file. See that file for additional comments.
  # IBMJCE and IBMSecureRandom SecureRandom seed source.
  securerandom.source=file:/dev/urandom
  securerandom.strongAlgorithms=SHA2DRBG:IBMJCE
  # Controls compatibility mode for the JKS keystore type.
  keystore.type.compat=true                                    (allows JKS or PKCS12 format)
  jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024                                       (DSA keySize parm added)
  # Algorithm restrictions for signed JAR files
  jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024           (all new)
  # Algorithm restrictions for SSL/TLS processing
  jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede
      (Note: Disabling 3DES_EDE_CBC, DESede is new for this release)
  # Legacy algorithms for SSL/TLS processing (used as last resort)
  jdk.tls.legacyAlgorithms                                     (New in 1.8, but not configured)
  # Policy for the XML Signature secure validation mode.
  jdk.xml.dsig.secureValidationPolicy=\
      disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
      disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
      disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
      disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
      maxTransforms 5,\
      maxReferences 30,\
      disallowReferenceUriSchemes file http https,\
      minKeySize RSA 1024,\
      minKeySize DSA 1024,\
      noDuplicateIds,\
      noRetrievalMethodLoops

RTC533907/ (Engine,CM) - InstallAnywhere on Windows shows ERROR: Failure in the CopyJreLib step
After installing the fix for my defect 528702, Windows installs were showing an install step of "ERROR: failure in the CopyJreLib step". There was no actual failure; it just looked like one.
Resolution: Changed the title of the panel from "ERROR: failure in the CopyJreLib step" to "JreLib Copy Check" and moved the "ERROR:..." down into the body of the panel. The panel should not show up unless there is an error in the CopyJreLib step.

RTC534003/IT19950 (CM) - Error when executing configureCmSsl.sh
The customer wanted to limit the number of ciphers available for the CM. However, the ./configureCmSsl.sh -u cmCiphers=... command was getting
  ***Invalid value for cmCiphers: java.lang.NullPointerException
and the ./configureCmSsl.sh -u webCiphers=... command was getting
  ***Invalid value for jettyCiphers: java.lang.NullPointerException
Resolution: Moved the call to parse arguments in configureCmSsl to happen after all the relevant objects have been initialized.
Workaround: Add the protocol cmSslProt=TLSv1.2 (or TLSv1, TLSv1.1) to the configureCmSSL.sh command.

RTC534665/IT20206 (Engine) - Invalid CD copy step causes NPE in validation
C:D Windows was somehow generating a process where the COPY step did not contain a destination file name (DDSN in XDR). When SSP attempted to validate the FMH71, it got a NullPointerException in PasCdCbDelegate.getLocalCBType().
Resolution: Now detect the missing file name and throw a new FmhLogicException with message "CDSP099E CCB did not validate - missing source/destination file name".

RTC535210/ (Engine) - RAS Enhancement - Add new switches for heap dumps and SSL debugging
Reliability/Availability/Serviceability (RAS) enhancement to the startEngine.sh and startEngine.bat scripts.
  1) By default, capture heap dumps also when asked for a user javacore dump.
  2) Add Java SSL Debug parms (# Z=...) so they can be uncommented and used.
  3) Create /bin/startEngine.log with one line per startup for history.

RTC536506/IT20338 (Engine) - SFTP maverick log getting numerous exceptions for each SFTP logoff
After applying RTC523287 in SSP3430 iFix 2 Plus, the Maverick log was getting flooded with numerous exceptions with every SFTP logoff:
  Exception from event listener java.util.concurrent.RejectedExecutionException - rejected from java.util.concurrent.ThreadPoolExecutor.
The problem happened after the SFTP adapter was brought down and back up. Restarting the engine clears the problem.
Resolution: Now close the SFTP adapter's event listener whenever the adapter is taken down and create a new one at adapter startup.
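For the java.security change described under RTC533801 above, the following added example (not code from these release notes or from the SSP product) parses a java.security file, honouring the backslash line continuations that the new 1.8 file uses, and reports whether 3DES_EDE_CBC is still listed in jdk.tls.disabledAlgorithms, so an administrator can confirm the JRE default is in force after the upgrade. The sample file content is constructed from the lines quoted above and is not a real installed file.

```python
# Added example (not code from the SSP release notes or the SSP product):
# parse a java.security file and report the TLS algorithm restrictions that
# RTC533801 introduces with the move to IBM JRE 1.8.

SAMPLE_JAVA_SECURITY = """\
# Constructed sample modelled on the lines quoted in RTC533801; not a real file.
# Algorithm restrictions for SSL/TLS processing
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    3DES_EDE_CBC, DESede
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024
securerandom.source=file:/dev/urandom
"""


def parse_java_security(text):
    """Return {key: value}, joining lines that end in a backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue  # comments and blank lines (outside a continuation)
        if line.endswith("\\"):
            pending += line[:-1]  # keep accumulating until a line without '\'
            continue
        key, _, value = (pending + line).partition("=")
        pending = ""
        props[key.strip()] = value.strip()
    return props


def disabled_algorithms(props, key="jdk.tls.disabledAlgorithms"):
    """Split a disabledAlgorithms property into its comma-separated entries."""
    return [e.strip() for e in props.get(key, "").split(",") if e.strip()]


def triple_des_blocked(props):
    """True when 3DES_EDE_CBC is present, i.e. the new 1.8 default is in force.

    RTC533801 tells sites that still need 3DES to remove only this entry."""
    return "3DES_EDE_CBC" in disabled_algorithms(props)


if __name__ == "__main__":
    props = parse_java_security(SAMPLE_JAVA_SECURITY)
    for entry in disabled_algorithms(props):
        print("TLS disabled:", entry)
    print("3DES blocked for TLS:", triple_des_blocked(props))
```

Point parse_java_security at the contents of ./jre/lib/security/java.security on the Engine or CM host to check the live file instead of the constructed sample.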