===============================================================================
Maintenance for Sterling External Authentication Server SEAS2430 iFix 3 Plus
===============================================================================

This cumulative maintenance archive includes fixes for the issues listed below.

Contents:
   I.   HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
   II.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
   III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

In iFix04 (April 2017):

  HIPER  - Upgrade to Java 1.8 for Java January 2017 security fixes.
           ACTION: Disables Triple-DES (3DES-CBC) and DES ciphers.
           See RTC533801 for details

===============================================================================
II. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
===============================================================================

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4, Build 104 (April 2017)
===============================================================================

  RTC533801/        - Upgrade to Java 1.8 for Java January 2017 security fixes

  RTC534100/IT20072 - Unable to start SEAS v2.4.3 using startSeas.bat on Windows

  RTC535210/        - RAS Enhancement - Add new startSeas.log, switches for
                      heap dumps and SSL debugging

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 3 Plus, Build 101 (March 2017)
===============================================================================

  DEFECT   / APAR

  RTC533475/IT19864 - Assertion fails "element not found" when using custom
                      attribute

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 3 Plus, Build 100 (March 2017)
===============================================================================

  DEFECT   / APAR

  RTC531980/IT19604 - Correlator id not returned for SSO token validation
                      request from CEUNIX.

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 3, Build 99 (February 2017)
===============================================================================

  DEFECT   / APAR

  RTC524012/        - ldapImportTool unable to add sshPublicKey into Oracle
                      LDAP

  RTC525080/IT18868 - All SEAS processes queued when 5 active transactions are
                      delayed

  RTC525605/        - ldapImportTool support to include password policy name
                      during upload

  RTC527345/IT19159 - Unable to edit existing Authentication Profile

  RTC527354/IT19159 - Unable to negotiate TLS1.2 when FIPS mode ON

  RTC528040/IT19158 - Unable to set some TLSv1.2 ciphers

  RTC528047/IT19156 - Unable to import seas_ad.ldf into Active Directory

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 2, Build 89 (December 2016)
===============================================================================

  DEFECT   / APAR

  No Defect/IT17228   - Upgraded SSP Engine, CM, and PS to
                        IBM JRE 1.7 SR9FP50 for latest security patches

  RTC508170/          - Allow token validation for CEUNIX

  RTC510283/RFE468574 - Allow SEAS to verify Hostnames

  RTC511666/IT17151   - Unable to invoke iKeyman on Solaris 10.

  RTC513984/          - Enhancement to allow silent Installs for SEAS

  RTC514318/IT17374   - SSH Public Key authentication through IBM SEAS fails due
                        to trailing blank spaces

  RTC516324/          - SEAS does not start if passphrase contains “&” character

  RTC519864/IT17988   - 2 ciphers missing from SEAS supported ciphersuites list

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 1, Build 74 (July 2016)
===============================================================================

  DEFECT   / APAR

  RTC507060/ no APAR  - NumberFormatException during ip address conversion
  
  RTC498507/ no APAR  - The '-' character is not allowed in the username for 
                        SEAS system users
                       
===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
===============================================================================

  RTC507060/ no APAR  - NumberFormatException during IP address conversion.

      Resolution: Changed the logic to avoid the NumberFormatException.

  RTC498507/ no APAR  - The '-' character is not allowed in the username for
                        SEAS system users

      Resolution: The SEAS username validation logic has been modified to
      allow hyphens in system user names.

  No Defect/IT17228  - Upgrade SEAS to IBM JRE 1.7 SR9FP50 for latest security
                       patches

      This JRE includes the quarterly Java security patches through July 2016.
      See http://www.ibm.com/support/docview.wss?uid=swg21991287 for details.

  RTC508170/         - Allow token validation for CEUNIX
  
      Enhancement to allow CEUNIX to do token validation using the password 
      field.

  RTC510283/RFE468574 - Allow SEAS to verify Hostnames

      There was no mechanism to perform DNS checks during certificate
      validation through SEAS.

      Resolution: IBM SEAS has been modified to allow for DNS hostname checking
      during certificate validation. When the "Check hostname DNS" field is 
      enabled in SEAS, the user IP address will be matched with information in 
      the user certificate's SAN or certificate CN.

  RTC511666/IT17151  - Unable to invoke iKeyman on Solaris 10.

      The IBM hybrid JRE on Solaris delivers ikeyman as a call to the native
      Java with a class to execute.  However, if JAVA_HOME does not point to
      the IBM JRE, the call fails with "Could not find or load main class
      com.ibm.gsk.ikeyman.Ikeyman".

      Resolution: Corrected Solaris installers for SEAS, SSP, SSP_CM and PS
      to modify jre/bin/ikeyman so that it always invokes the installed IBM JRE.

  RTC513984/         - Enhancement to allow silent Installs for SEAS

      InstallAnywhere Silent Install is a feature which allows for automated
      installs without questions and answers from the console.  It can be used
      for repetitive installs at Customer sites.  The administrator first does
      the product install in "record" mode which builds an installation
      properties file for subsequent silent installs in "replay" mode.

      The SSP Engine, CM, PS, and SEAS have all been updated to allow silent
      installs.

  RTC514318/IT17374  - SSH Public Key authentication through IBM SEAS fails due 
                       to trailing blank spaces

      Resolution: Added logic to trim SSH public keys retrieved from LDAP
      before using them in the SSH public key authentication process.

  RTC516324/         - SEAS does not start if passphrase contains “&” character
  
      If the SEAS passphrase is changed to include an ampersand "&" character,
      the system will not start and reports:
        Startup did not succeed. Terminating: com.sterlingcommerce.hadrian.
        common.xml.XmlParsingException: Error on line 4: The entity name must
        immediately follow the '&' in the entity reference.

      Resolution: Escaped the system password field with a CDATA tag so that
      the XML converter works properly.
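      The failure mode and the CDATA fix above, as an added example (not the
      product's code); the element names and the passphrase are constructed,
      and the ']]>' handling covers the one value a plain CDATA wrap cannot hold.

```python
import xml.etree.ElementTree as ET

# Constructed sample passphrase containing the "&" that triggered RTC516324.
PASSPHRASE = "Secr3t&Safe"


def build_config_unescaped(passphrase):
    """Assumed pre-fix behaviour: the passphrase is pasted into the XML
    verbatim, so a bare '&' is read as the start of an entity reference."""
    return "<config><passphrase>%s</passphrase></config>" % passphrase


def build_config_cdata(passphrase):
    """Wrap the value in a CDATA section.  A passphrase containing the CDATA
    terminator ']]>' is split so each piece stays inside its own section."""
    safe = passphrase.replace("]]>", "]]]]><![CDATA[>")
    return "<config><passphrase><![CDATA[%s]]></passphrase></config>" % safe


def parse_passphrase(xml_text):
    """Return the passphrase read back from the XML, or None when the
    document does not parse (the startup failure described above)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.findtext("passphrase")


if __name__ == "__main__":
    print(parse_passphrase(build_config_unescaped(PASSPHRASE)))  # None
    print(parse_passphrase(build_config_cdata(PASSPHRASE)))      # Secr3t&Safe
```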

  RTC519864/IT17988  - 2 ciphers missing from SEAS supported ciphersuites list

      The ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 were not included as supported
      cipher suites for TLSv1.2.

      Resolution: Added these ciphers into ssl_tls_ciphers.properties so that
      they show up on a SEASCipherConfigTool.sh -c protocol=TLSV1.2 command.

  RTC524012/        - ldapImportTool unable to add sshPublicKey into Oracle
                      ODSEE

      The ldapImportTool, which is used during Connect:Enterprise for UNIX
      migrations to SI/SFG, was not properly loading SSH public keys to a
      target Oracle ODSEE database.

      Resolution: SSH public keys are now loaded properly to Oracle systems.

  RTC525080/IT18868 - All SEAS processes queued when 5 active transactions are
                      delayed

      A customer was using a SEAS custom exit to process certain types of
      authentication.  If the exit processing hung, five processes would use
      up all the available threads, effectively locking out all work on the
      system, whether or not the authentication went through the custom exit.

      Resolution: Introduced 2 new System Global variables in the GUI to allow
      a configurable number of threads to process authentications.
        Service Thread Pool Size  - controls the number of threads that process
                                    authentications, token validations, custom
                                    exits, etc.
        Requests Thread Pool Size - controls the number of threads that process
                                    incoming connections to SEAS.
      The default for both variables is 10 threads, with a minimum of 5 and a
      maximum of 500.

  RTC525605/        - ldapImportTool support to include password policy name
                      during upload

      A customer needed the ability to include the name of the LDAP password
      policy for each user loaded into LDAP.

      Resolution: ldapImportTool.properties now provides a way to specify the
      name of an LDAP password policy for each user loaded.

  RTC527345/IT19159 - Unable to edit existing Authentication Profile

      A SEAS admin user created an authentication profile that uses the
      searchDN option, but once it was saved it could not be edited again;
      all tabs reported an error.

      Resolution: Added an appropriate password mask to prevent the cyclical
      error.

  RTC527354/IT19159 - Unable to negotiate TLS1.2 when FIPS mode ON
  
      When running in FIPS MODE, the Secure Accepter will not negotiate to 
      accept connections using TLS 1.2.
      
      Resolution: Now allow TLSv1.1 and TLSv1.2 under FIPS mode.

  RTC528040/IT19158 - Unable to set some TLSv1.2 ciphers
  
      A customer wanted to limit which TLSv1.2 cipher suites can be used.  The
      command
          SEASCipherConfigTool -u eaSslProtocol=TLSv1.2
            eaCiphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
      was not working because these 2 ciphers were missing from the
      ssl_tls_ciphers.properties file.

      Resolution: Updated the ssl_tls_ciphers.properties file to include the
      2 missing ciphers; the file now ships in the SEAS jar instead of in the
      conf directory.

  RTC528047/IT19156 - Unable to import seas_ad.ldf into Active Directory

      The AD schema provided by SEAS was missing an end-of-attribute delimiter,
      so the imports were unsuccessful.

      Resolution: Corrected the missing end of attribute delimiter in the SEAS 
      AD schema.

  RTC531980/IT19604 - Correlator id not returned for SSO token validation
                      request from CEUNIX.

      When CEUNIX sent in an SSO token validation request with a correlation
      id, SEAS was not returning the correlation id with the authentication
      response.

      Resolution: Now return the correlation id for an SSO token validation.

  RTC533475/IT19864 - Assertion fails "element not found" when using custom
                      attribute

      The Attribute Assertion Processor was not handling an assertion of the
      form {attr[ldapQuery].yyyyy, xxxxx} properly during attribute
      resolution.  Instead of using ldapQuery.yyyyy to resolve yyyyy within
      the LDAP query attributes, it was using ldapQuery.yyyyy,xxxxx (the
      attribute name together with the default value) as the lookup key,
      which resulted in the wrong value being used in the assertion process.

      Resolution: Added logic to separate the default value from the actual
      attribute before resolving the attribute value from the query attribute
      map.
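      The buggy and corrected resolution logic side by side, as an added
      example that is not SEAS code.  The assertion syntax
      {attr[<query>].<attribute>, <default>} is inferred from the defect text,
      and the query attribute map is a constructed stand-in for the LDAP result.

```python
import re

# Assumed syntax from the defect text: the part after the comma is a default
# value used when the named attribute is absent from the query result.
ASSERTION_RE = re.compile(r"\{attr\[(?P<query>[^\]]+)\]\.(?P<body>[^}]*)\}")

# Constructed stand-in for the query attribute map built from an LDAP query.
QUERY_ATTRIBUTES = {"ldapQuery": {"yyyyy": "cn=alice"}}


def _parse(assertion):
    m = ASSERTION_RE.fullmatch(assertion.strip())
    if not m:
        raise ValueError("not an attribute assertion: %r" % assertion)
    return m["query"], m["body"]


def resolve_buggy(assertion, query_map):
    """Pre-fix behaviour: the whole 'attribute, default' text is used as the
    lookup key, so the real attribute is never found ("element not found")."""
    query, body = _parse(assertion)
    return query_map.get(query, {}).get(body)


def resolve_fixed(assertion, query_map):
    """Fixed behaviour: split the default off at the first comma, resolve the
    attribute alone, and fall back to the default only when it is missing."""
    query, body = _parse(assertion)
    attribute, _, default = body.partition(",")
    attribute, default = attribute.strip(), default.strip() or None
    value = query_map.get(query, {}).get(attribute)
    return value if value is not None else default


if __name__ == "__main__":
    a = "{attr[ldapQuery].yyyyy, xxxxx}"
    print(resolve_buggy(a, QUERY_ATTRIBUTES))  # None
    print(resolve_fixed(a, QUERY_ATTRIBUTES))  # cn=alice
    print(resolve_fixed("{attr[ldapQuery].zzzzz, xxxxx}", QUERY_ATTRIBUTES))  # xxxxx
```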

  RTC533801/        - Upgrade to Java 1.8 for Java January 2017 security fixes

    Resolution: Upgrade to IBM JRE 1.8 SR4.1 to take advantage of the improved
    security features.  This level of JRE addresses several Java
    vulnerabilities documented in the Security Bulletin:
       http://www.ibm.com/support/docview.wss?uid=swg22001965

    ACTION: Disables Triple-DES (3DES_EDE_CBC) and DES ciphers.  If your site
    requires 3DES ciphers (because you have not switched to AES128 or AES256),
    you may edit <SEAS>/jre/lib/security/java.security and change the
    following line from
      jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede
    to
      jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DESede

    Note that the new Java 1.8 contains the following new parameters in the
    ./jre/lib/security/java.security file.  See that file for additional
    comments.
      # IBMJCE and IBMSecureRandom SecureRandom seed source.
        securerandom.source=file:/dev/urandom
        securerandom.strongAlgorithms=SHA2DRBG:IBMJCE
      # Controls compatibility mode for the JKS keystore type.
        keystore.type.compat=true                (allows JKS or PKCS12 format)
        jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
          DSA keySize < 1024                     (DSA keySize parm added)
      # Algorithm restrictions for signed JAR files
        jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024    (all new)
      # Algorithm restrictions for SSL/TLS processing
        jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede
          (Note: Disabling 3DES_EDE_CBC, DESede is new for this release)
      # Legacy algorithms for SSL/TLS processing (used as last resort)
        jdk.tls.legacyAlgorithms                 (New in 1.8, but not configured)
      # Policy for the XML Signature secure validation mode.
        jdk.xml.dsig.secureValidationPolicy=\
          disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
          disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
          disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
          disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
          maxTransforms 5,\
          maxReferences 30,\
          disallowReferenceUriSchemes file http https,\
          minKeySize RSA 1024,\
          minKeySize DSA 1024,\
          noDuplicateIds,\
          noRetrievalMethodLoops
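    A post-upgrade check for the jdk.tls.disabledAlgorithms setting described
    above, as an added example that is not part of this maintenance package.
    It reads a java.security-style file (backslash continuations included) and
    reports whether the two 3DES identifiers the iFix adds are still listed;
    the excerpt below is constructed in the form the file ships in.

```python
# Constructed excerpt in the form shipped with the Java 1.8 JRE; the real file
# is <SEAS>/jre/lib/security/java.security.
SAMPLE_JAVA_SECURITY = """\
# Algorithm restrictions for SSL/TLS processing
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    3DES_EDE_CBC, DESede
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024
"""


def read_properties(text):
    """Parse key=value lines, joining backslash continuations and skipping
    comments and blank lines, into a dict."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        key, _, value = logical.partition("=")
        props[key.strip()] = value.strip()
        logical = ""
    return props


def disabled_algorithms(text, key):
    """Return the comma-separated entries of one disabledAlgorithms property."""
    value = read_properties(text).get(key, "")
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def triple_des_disabled(text):
    """True when both 3DES identifiers this iFix adds are still present, i.e.
    the site has not re-enabled Triple-DES for TLS."""
    entries = set(disabled_algorithms(text, "jdk.tls.disabledAlgorithms"))
    return {"3DES_EDE_CBC", "DESede"} <= entries


if __name__ == "__main__":
    print(disabled_algorithms(SAMPLE_JAVA_SECURITY, "jdk.tls.disabledAlgorithms"))
    print("3DES disabled:", triple_des_disabled(SAMPLE_JAVA_SECURITY))  # True
```

    To check an installed server, read <SEAS>/jre/lib/security/java.security
    into the text argument instead of the constructed excerpt.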

  RTC534100/IT20072 - Unable to start SEAS v2.4.3 using startSeas.bat on Windows

      Customer attempted to start SEAS2430 with the <SEAS>\bin\startSeas.bat
      file, but it was pointing to the SEAS 2.4.2.0 service.

      Resolution: Added the correct Windows service verbiage,
      'net start SEAS_V2.4.3.0', to startSeas.bat.

  RTC535210/        - RAS Enhancement - Add new startSeas.log, switches
                      for heap dumps and SSL debugging

    Reliability/Availability/Serviceability (RAS) enhancement to the
    startSeas.sh and startSeas.bat scripts.
    1) By default, also capture a heap dump when a user javacore dump is
       requested.
    2) Add Java SSL Debug parms (# Z=...) so they can be uncommented and used.
    3) Start generating a <SEAS>/bin/startSeas.log file with a one-line
       entry for each startup of the SEAS server.