===============================================================================
Maintenance for Sterling External Authentication Server
SEAS2430 iFix 5
October 2017
===============================================================================

This cumulative maintenance archive includes fixes for the issues listed below.

Contents:

I.   HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
II.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

In SEAS2430 iFix 5 (October 2017):

HIPER  - Upgrade to Java 8.0.4.10 for Java July 2017 security fixes.

In iFix 4 (April 2017):

HIPER  - Upgrade to Java 1.8 for Java January 2017 security fixes.
ACTION - Java 1.8 will not install on Redhat 5. See RTC533801 for details.
ACTION - Disables Triple-DES (3DES-CBC) and DES ciphers. See RTC533801 for
         details.

===============================================================================
II. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
===============================================================================

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 5, Build 117 (October 2017)
===============================================================================
PSIRT9227           - Update JRE 1.8 to SR4 FP10 (8.0.4.10)
RTC553583           - Tivoli LDAP Policy was not being retrieved after upgrade
                      to SDS8.0.1

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4 Plus, Build 115 (October 2017)
===============================================================================
RTC550367/IT22489   - NPE in custom token manager after upgrade

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4 Plus, Build 112 (September 2017)
===============================================================================
RTC544478/IT22277   - Add support for ISAM v9.0.3
RTC548403/IT22242   - Avoid NPE when null ssh public key is returned from LDAP

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4 Plus, Build 108 (June 2017)
===============================================================================
RTC542640/IT21204   - Turn off world-writable files

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4 Plus, Build 107 (June 2017)
===============================================================================
RTC536554/IT20855   - Allow special characters in SEAS password fields
RTC539439/IT20855   - SEAS GUI fails to start with non-IBM JRE

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4, Build 104 (April 2017)
===============================================================================
RTC533801/          - Upgrade to Java 1.8 for Java January 2017 security fixes
RTC534100/IT20072   - Unable to start SEAS v2.4.3 using startSeas.bat on
                      Windows
RTC535210/          - RAS Enhancement - Add new startSeas.log, switches for
                      heap dumps and SSL debugging

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 3 Plus, Build 101 (March 2017)
===============================================================================
RTC533475/IT19864   - Assertion fails "element not found" when using custom
                      attribute

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 3 Plus, Build 100 (March 2017)
===============================================================================
RTC531980/IT19604   - Correlator id not returned for SSO token validation
                      request from CEUNIX.

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 3, Build 99 (February 2017)
===============================================================================
RTC524012/          - ldapImportTool unable to add sshPublicKey into Oracle LDAP
RTC525080/IT18868   - All SEAS processes queued when 5 active transactions are
                      delayed
RTC525605/          - ldapImportTool support to include password policy name
                      during upload
RTC527345/IT19159   - Unable to edit existing Authentication Profile
RTC527354/IT19159   - Unable to negotiate TLS1.2 when FIPS mode ON
RTC528040/IT19158   - Unable to set some TLSv1.2 ciphers
RTC528047/IT19156   - Unable to import seas_ad.ldf into Active Directory

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 2, Build 89 (December 2016)
===============================================================================
No Defect/IT17228   - Upgraded SEAS to IBM JRE 1.7 SR9FP50 for latest security
                      patches
RTC508170/          - Allow token validation for CEUNIX
RTC510283/RFE468574 - Allow SEAS to verify Hostnames
RTC511666/IT17151   - Unable to invoke iKeyman on Solaris 10.
RTC513984/          - Enhancement to allow silent Installs for SEAS
RTC514318/IT17374   - SSH Public Key authentication through IBM SEAS fails due
                      to trailing blank spaces
RTC516324/          - SEAS does not start if passphrase contains "&" character
RTC519864/IT17988   - 2 ciphers missing from SEAS supported ciphersuites list

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 1, Build 74 (July 2016)
===============================================================================
RTC507060/no APAR   - NumberFormatException during ip address conversion
RTC498507/no APAR   - The '-' character is not allowed in the username for SEAS
                      system users
RTC504692/IT15781   - Error after importing CEUNIX user data through
                      LdapImportTool

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
===============================================================================

RTC504692/IT15781 - Error after importing CEUNIX user data through LdapImportTool

The Customer was unable to establish SSL connections after the SEAS Truststore
default password was changed during the execution of the LdapImportTool script.

Resolution: Now ensure that the configured SEAS Truststore Password value is not
overridden by default values.

RTC507060/no APAR - NumberFormatException during ip address conversion

Resolution: Changed the logic to avoid the NumberFormatException.

RTC498507/no APAR - The '-' character is not allowed in the username for SEAS
system users

Resolution: The SEAS username validation logic has been modified to allow
hyphens in system user names.

No Defect/IT17228 - Upgrade SEAS to IBM JRE 1.7 SR9FP50 for latest security
patches

This JRE includes the quarterly Java security patches through July 2016. See
http://www.ibm.com/support/docview.wss?uid=swg21991287 for details.
RTC508170/ - Allow token validation for CEUNIX

Enhancement to allow CEUNIX to do token validation using the password field.

RTC510283/RFE468574 - Allow SEAS to verify Hostnames

There was no mechanism to perform DNS checks during certificate validation
through SEAS.

Resolution: IBM SEAS has been modified to allow for DNS hostname checking during
certificate validation. When the "Check hostname DNS" field is enabled in SEAS,
the user IP address will be matched with information in the user certificate's
SAN or certificate CN.

RTC511666/IT17151 - Unable to invoke iKeyman on Solaris 10.

The IBM hybrid JRE on Solaris delivers ikeyman as a call to the native Java with
a class to execute. However, if JAVA_HOME doesn't point to the IBM JRE, it fails
with "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman".

Resolution: Corrected Solaris installers for SEAS, SSP, SSP_CM and PS to modify
jre/bin/ikeyman so that it always invokes the installed IBM JRE.

RTC513984/ - Enhancement to allow silent Installs for SEAS

InstallAnywhere Silent Install is a feature which allows for automated installs
without questions and answers from the console. It can be used for repetitive
installs at Customer sites. The administrator first does the product install in
"record" mode, which builds an installation properties file for subsequent
silent installs in "replay" mode. The SSP Engine, CM, PS, and SEAS have all been
updated to allow silent installs.

RTC514318/IT17374 - SSH Public Key authentication through IBM SEAS fails due to
trailing blank spaces

Resolution: Added logic to trim the SSH public keys retrieved from LDAP before
using them in the SSH public key authentication process.

RTC516324/ - SEAS does not start if passphrase contains "&" character

If the SEAS passphrase is changed to include an ampersand "&" character, the
system will not start. Startup fails with:

  Startup did not succeed. Terminating:
  com.sterlingcommerce.hadrian.common.xml.XmlParsingException: Error on line 4:
  The entity name must immediately follow the '&' in the entity reference.

Resolution: Escaped the system password field with the CDATA tag so that the
xml converter will work properly.

RTC519864/IT17988 - 2 ciphers missing from SEAS supported ciphersuites list

The ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 were not included as supported cipher
suites for TLSv1.2.

Resolution: Added these ciphers into ssl_tls_ciphers.properties so that they
show up on a "SEASCipherConfigTool.sh -c protocol=TLSV1.2" command.

RTC524012/ - ldapImportTool unable to add sshPublicKey into Oracle ODSEE

The ldapImportTool, which is used during Connect:Enterprise for UNIX migrations
to SI/SFG, was not properly loading SSH public keys to a target Oracle ODSEE
database.

Resolution: Now properly load an SSH public key to Oracle systems.

RTC525080/IT18868 - All SEAS processes queued when 5 active transactions are
delayed

Customer was using a SEAS custom exit to process certain types of
authentication. If the exit processing hung, five processes would use up all
the available threads, effectively locking out all work on the system, whether
the authentication went through the custom exit or not.

Resolution: Introduced 2 new System Global variables in the GUI to allow a
configurable number of threads to process authentications. Service Thread Pool
Size controls the number of threads to process authentications, token
validations, custom exits, etc. Requests Thread Pool Size controls the number of
threads to process incoming connections to SEAS. The default for both variables
is 10 threads, with a minimum of 5 and a maximum of 500.

RTC525605/ - ldapImportTool support to include password policy name during
upload

Customer needed the ability to include the name of the LDAP password policy for
each user loaded into LDAP.

Resolution: Now provide a way in the ldapImportTool.properties to specify the
name of an LDAP password policy for each user loaded.

RTC527345/IT19159 - Unable to edit existing Authentication Profile

SEAS admin user created an authentication profile that uses the searchDN option,
but once it was saved, it could not be edited again. All tabs get an error.

Resolution: Added an appropriate password mask, to keep from getting a cyclical
error.

RTC527354/IT19159 - Unable to negotiate TLS1.2 when FIPS mode ON

When running in FIPS MODE, the Secure Accepter will not negotiate to accept
connections using TLS 1.2.

Resolution: Now allow TLSv1.1 and TLSv1.2 under FIPS mode.

RTC528040/IT19158 - Unable to set some TLSv1.2 ciphers

The Customer wants to limit which TLSv1.2 cipher suites can be used. The command

  SEASCipherConfigTool -u eaSslProtocol=TLSv1.2
    eaCiphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
              TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

was not working because these 2 ciphers were missing from the
ssl_tls_ciphers.properties file.

Resolution: Updated the ssl_tls_ciphers.properties file to include the 2 missing
ciphers, and now ship the file in the SEAS jar instead of in the conf directory.

RTC528047/IT19156 - Unable to import seas_ad.ldf into Active Directory

The AD schema provided by SEAS was missing an end of attribute delimiter, so the
imports were unsuccessful.

Resolution: Corrected the missing end of attribute delimiter in the SEAS AD
schema.

RTC531980/IT19604 - Correlator id not returned for SSO token validation request
from CEUNIX.

When CEUNIX sent in a SSO token validation request with a correlation id, SEAS
was not returning the correlation id with the authentication response.

Resolution: Now return the correlation id for a SSO token validation.

RTC533475/IT19864 - Assertion fails "element not found" when using custom
attribute

Attribute Assertion Processor was not handling Assertion of the form
{attr[ldapQuery].yyyyy, xxxxx} properly during attribute resolution. Instead of
using ldapQuery.yyyyy to resolve yyyyy within LDAP query attributes, it was
using ldapQuery.yyyyy,xxxxx (default value included), which results in the wrong
value being used in the assertion process.

Resolution: Added logic to separate the default value from the actual attribute
before resolving the attribute value from the query attribute map.

RTC533801/ - Upgrade to Java 1.8 for Java January 2017 security fixes

Resolution: Upgrade to IBM JRE 1.8 SR4.1 to take advantage of the improved
security features. This level of JRE addresses several Java vulnerabilities
documented in the Security Bulletin:
http://www.ibm.com/support/docview.wss?uid=swg22001965

ACTION: Java 1.8 will not install on Redhat 5. See this web page for more
details:
https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.lnx.80.doc/user/supported_env_80.html

ACTION: Disables Triple-DES (3DES_EDE_CBC) and DES ciphers. If your site
requires 3DES ciphers (because you have not switched to AES128 or AES256), you
may edit the /jre/lib/security/java.security file and change the following line
from

  jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede

to

  jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DESede

Note that the new Java 1.8 contains the following new parameters in the
./jre/lib/security/java.security file. See that file for additional comments.

  # IBMJCE and IBMSecureRandom SecureRandom seed source.
  securerandom.source=file:/dev/urandom
  securerandom.strongAlgorithms=SHA2DRBG:IBMJCE

  # Controls compatibility mode for the JKS keystore type.
  keystore.type.compat=true                      (allows JKS or PKCS12 format)

  jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024                         (DSA keysize parm added)

  # Algorithm restrictions for signed JAR files
  jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024          (all new)

  # Algorithm restrictions for SSL/TLS processing
  jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede
      (Note: Disabling 3DES_EDE_CBC, DESede is new for this release)

  # Legacy algorithms for SSL/TLS processing (used as last resort)
  jdk.tls.legacyAlgorithms                       (New in 1.8, but not configured)

  # Policy for the XML Signature secure validation mode.
  jdk.xml.dsig.secureValidationPolicy=\
      disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
      disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
      disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
      disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
      maxTransforms 5,\
      maxReferences 30,\
      disallowReferenceUriSchemes file http https,\
      minKeySize RSA 1024,\
      minKeySize DSA 1024,\
      noDuplicateIds,\
      noRetrievalMethodLoops

RTC534100/IT20072 - Unable to start SEAS v2.4.3 using startSeas.bat on Windows

Customer attempted to start SEAS2430 with the \bin\startSeas.bat file, but it
was pointing to the SEAS 2.4.2.0 service.

Resolution: Added the correct Windows service verbiage, 'net start
SEAS_V2.4.3.0', to startSeas.bat.

RTC535210/ - RAS Enhancement - Add new startSeas.log, switches for heap dumps
and SSL debugging

Reliability/Availability/Serviceability (RAS) enhancement to the startSeas.sh
and startSeas.bat scripts:

1) By default, capture heap dumps also when asked for a user javacore dump.
2) Add Java SSL Debug parms (# Z=...) so they can be uncommented and used.
3) Start generating a /bin/startSeas.log file with a one line entry for each
   startup of the SEAS server.
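As an added example (not part of IBM's release notes or the SEAS product), the following Python audit script parses the jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms lines described in RTC533801, honouring the backslash continuation lines that java.security uses, and reports when an entry the upgraded JRE disables (for example 3DES_EDE_CBC after the edit shown above) has gone missing. The sample file content is constructed and the function names are mine.

```python
import re

# Constructed sample of the java.security lines quoted in RTC533801. The
# backslash continuations follow the same convention as the shipped file.
SAMPLE_JAVA_SECURITY = """\
# Controls compatibility mode for the JKS keystore type.
keystore.type.compat=true
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024
# Algorithm restrictions for SSL/TLS processing
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    3DES_EDE_CBC, DESede
"""

# Algorithm names the January 2017 JRE disables for TLS; an audit expects every
# one of them to still be listed after an upgrade or a local edit of the file.
EXPECTED_TLS_DISABLED = {"SSLv3", "RC4", "MD5withRSA", "DH",
                         "3DES_EDE_CBC", "DESede"}

_KEYSIZE = re.compile(r"^(\w+)\s+keySize\s*<\s*(\d+)$")


def load_properties(text):
    """Parse Java .properties text: drop comments and blank lines and join a
    line ending in a backslash with the line that follows it."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props


def disabled_entries(props, key):
    """Return the individual constraint entries of a disabledAlgorithms value."""
    return [e.strip() for e in props.get(key, "").split(",") if e.strip()]


def min_key_size(props, key, algorithm):
    """keySize threshold configured for `algorithm` under `key`, or None."""
    for entry in disabled_entries(props, key):
        m = _KEYSIZE.match(entry)
        if m and m.group(1) == algorithm:
            return int(m.group(2))
    return None


def missing_tls_restrictions(props):
    """Names from EXPECTED_TLS_DISABLED no longer present in
    jdk.tls.disabledAlgorithms; an empty list means the policy is intact."""
    tls = disabled_entries(props, "jdk.tls.disabledAlgorithms")
    return sorted(EXPECTED_TLS_DISABLED - {e.split()[0] for e in tls})


def reenable_3des(text):
    """Apply the java.security edit quoted in RTC533801 (drop 3DES_EDE_CBC)
    so that the audit can be shown to catch it."""
    return text.replace("3DES_EDE_CBC, DESede", "DESede")
```

Run it against the live java.security after every JRE update; a non-empty result from missing_tls_restrictions is the signal that a local 3DES exception survived the upgrade.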
RTC539439/IT20855 - SEAS GUI fails to start with non-IBM JRE

If the Customer was using a non-IBM JRE when calling the SEAS Webstart GUI, it
would fail with "java.security.NoSuchProviderException: no such provider:
IBMJCE" and would not start up.

Resolution: Updated the Security Properties handler to use the default security
provider from the local JRE instead of IBMJCE.

RTC536554/IT20855 - Allow special characters in SEAS password fields

SEAS was unable to save certain special characters, such as the ampersand (&),
in password fields, e.g. the principal password in an LDAP connection
definition.

Resolution: Added logic to the SEAS server configuration converter module to
protect special characters in password values, so they can be saved.

RTC542640/IT21204 - Turn off world-writable files

Customer has a requirement that no files be created with write privileges for
all users (i.e. UNIX "Other" ......RW.). By default, the JRE creates a
temporary directory under /tmp/.com_ibm_tools_attach for monitoring programs to
attach to (e.g. Dynatrace). One file based on the pid, called
attachNotificationSync, has permissions of -rw-rw-rw-.

Resolution: Added -Dcom.ibm.tools.attach.enable=no to all scripts associated
with SSP, SSPCM, PS, and SEAS so that these world-writable files are no longer
created.

ACTION: If you use third party monitoring tools to monitor SSP or SEAS, you may
need to change to -Dcom.ibm.tools.attach.enable=yes in the startup scripts.

RTC544478/IT22277 - Add support for ISAM v9.0.3

Tivoli Access Manager (TAM) 5.1 has reached end of life and has been replaced
with IBM Security Access Manager (ISAM) v9.

Resolution: Now support ISAM v9 for back end security queries and assertions.
If support for the older TAM is required, the Customer can add the Java property
-DenableTAM51=true to continue back level calls.
RTC548403/IT22242 - Avoid NPE when null ssh public key is returned from LDAP

SSH key authentication was getting a NullPointerException (NPE) after applying
SEAS2430 iFix 3 Plus Build 101 or above. The Customer was using an LDAP query
for their SSH key with a scope of "subTree" instead of "one level", and some of
the public keys returned were null.

Resolution: Added logic to detect when a null ssh public key is returned for
users that have the loginCredential container associated with them.

RTC550367/IT22489 - NPE in custom token manager after upgrade

Getting a NullPointerException during authentication of an SSH key when using a
custom token manager. RTC508170 introduced code to check if a password field
might be populated with a SEAS token so that Connect:Enterprise for UNIX could
participate in Single Signon processing. However, it was not validating the
password field before calling the custom SSO token manager with a null value.

Resolution: Now check for a null password field before checking to see if it
may contain a SSO token.

Also did some cleanup on log messages to make the logs more readable:
- Changed the date format and shortened thread and class names
- Changed SSP failover logging (sspDUMMYprofile) to TRACE mode
- Attempt to suppress some messages so that SEAS can run in INFO mode to get
  general flow.

PSIRT9227 - Update JRE 1.8 to SR4 FP10 (8.0.4.10)

Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2017 level for
all the security patches.

RTC553583 - Tivoli LDAP Policy was not being retrieved after upgrade to SDS8.0.1

Resolution: Now retrieve the correct policy for Tivoli LDAP.
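As an added example (not from the release notes or the SEAS code base), the following Python sketch reproduces the XML problem behind RTC516324 and RTC536554 in section III above: a raw "&" in a passphrase written into an XML configuration makes the document unparseable, while a CDATA section (the fix the notes describe) or entity escaping lets any value round-trip. The element name systemPassphrase and the helper names are my assumptions; the page does not show the SEAS configuration schema.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumed element layout: the page does not show the real SEAS configuration
# schema, only that the passphrase ends up in an XML document.
TEMPLATE = "<config><systemPassphrase>%s</systemPassphrase></config>"


def naive_config(passphrase):
    """Write the value verbatim. A '&' starts an entity reference, so the
    parser rejects the document: this is the RTC516324 startup failure."""
    return TEMPLATE % passphrase


def cdata_config(passphrase):
    """Wrap the value in a CDATA section, as the RTC516324 fix does. A CDATA
    section cannot itself contain ']]>', so that sequence is split across two
    adjacent sections whose character data the parser joins again."""
    body = passphrase.replace("]]>", "]]]]><![CDATA[>")
    return TEMPLATE % ("<![CDATA[%s]]>" % body)


def escaped_config(passphrase):
    """Alternative protection: entity-escape & < > so any value survives."""
    return TEMPLATE % escape(passphrase)


def read_passphrase(xml_text):
    """Parse the document and return the stored value, or None when the XML
    does not parse (the condition that SEAS reported as a startup failure)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.findtext("systemPassphrase")
```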