================================================================================
Fixes in Sterling Secure Proxy (SSP) 3.4.3.0 Fixpack 2 (SSP3432) iFix 03
December 2018
================================================================================

This cumulative maintenance iFix includes the GA release of SSP Engine and SSP
Configuration Manager 3.4.3.0 Fixpack 2 (SSP3432) as well as the fixes for the
issues mentioned below. The install images for the SSP Engine, CM and PS may be
used to install a new image or upgrade an existing image in place.

Contents:
   I.   HIPER fixes / Fixes requiring Action by iFix
   II.  Summary of Fixes by iFix/Build (Latest iFix / Builds first)
   III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

ACTION - IMPORTANT upgrade steps from SSP341x - see "SSP3418 Upgrade" for details

In SSP3430 Fixpack 2 (SSP3432) iFix 3 (December 2018):
  HIPER  - Possible vulnerability in Jetty server. See PSIRT12571/SSP-3041
  HIPER  - Possible vulnerability in Apache Active MQ. See PSIRT13307/SSP-3070

In SSP3430 Fixpack 2 (SSP3432) iFix 2 (August 2018):
  HIPER  - Update JRE 1.8 to SR5 FP17 (8.0.5.17) for security patches - See PSIRT11819 for more details.

In SSP3430 Fixpack 2 (SSP3432) iFix 1 (May 2018):
  HIPER  - Update JRE 1.8 to SR5 FP10 (8.0.5.10) for security patches - See PSIRT10955 for more details.

In SSP3430 Fixpack 2 (SSP3432) (March 2018):
  HIPER  - SSP/SEAS code signing certificate expires June 21, 2018. Upgrade SEAS before that date to keep the SEAS Webstart GUI running. See RTC565487.

In SSP3430 iFix 5 Plus (January 2018):
  HIPER  - Possible vulnerability in Apache Commons Fileupload toolkit. See PSIRT10042.
  ACTION - If you have any customizations to the log4j property files, you must retrofit them after the upgrade. See RTC557073.
  ACTION - The default SSP Factory Certificate expired on December 1, 2017. See RTC541553 if you have not replaced it yet.
  ACTION - If REST imports fail due to XSD validation, see RTC557986 for a way to turn off XSD validation temporarily.

In SSP3430 iFix 5 (October 2017):
  HIPER  - Update JRE 1.8 to SR4 FP10 (8.0.4.10) for security patches - See PSIRT9227
  ACTION - Allow adding/manipulating HTTP headers from backend servers to front end browsers. See RTC552273.

In SSP3430 iFix 4 Plus (Sept 2017):
  HIPER  - SSP login portal pages do not get displayed properly in Chrome in SSP 343 iFix 4 Plus builds (160-165). See RTC550968/RTC546604 for details.
  ACTION - Add the two following properties in the SSP CM GUI HTTP Proxy Adapter Properties to bypass sending these headers:
             Content-Security-Policy.override = ignore
             X-Content-Type-Options.override = ignore
           SSP 343 iFix 4 Plus build 166 and later bypass these two headers by default, so there is no need to add the above properties.

In SSP3430 iFix 4 Plus (June 2017):
  HIPER  - EAProxy deadlock due to method serialization - see RTC538773
  ACTION - If you use third party monitoring tools to monitor SSP or SEAS, please see RTC542640 for info on world-writable files.

In SSP3430 iFix 4 (April 2017):
  HIPER  - Upgrade to Java 1.8 for Java January 2017 security fixes
  ACTION - Java 1.8 will not install on Redhat 5. See RTC533801 for details
  ACTION - Java.security file disables Triple-DES (3DES-CBC) and DES ciphers. See RTC533801 for details

In SSP3430 iFix 3 Plus (March 2017):
  HIPER  - FTPS client connects, but LIST command delayed. See IT19026
  HIPER  - SFTP adapter won't come up when HSM is enabled. See IT19491
  Action - Allow client-only certificates for CD server authentication. See IT19443 if you need to configure this differently.

In SSP3430 iFix 3 (January 2017):
  HIPER  - FTPS data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3 - See RTC517058 for details.
  HIPER  - Deadlock/hang in failover code - See RTC516359 for details
  HIPER  - CD failures after upgrade to SSP3420 iFix 9 or SSP3430 iFix 2 - See RTC524219 for details and workaround
  HIPER  - 100% CPU in Maverick toolkit after a few days - See RTC524897

In SSP3430 iFix 2 (December 2016):
  HIPER  - See IT17228 for information on the upgrade to IBM JRE 1.7 SR9FP50 for the latest Java security patches in the CM, Engine and PS.
  HIPER  - See "PSIRT 5869" for security patch related to commons-fileupload-1.3.2.jar
  HIPER  - Thousands of sockets in TIME_WAIT when JMS listener down - See RTC522699
  HIPER  - System outage with too many open file handles - see RTC517621
  Action - Allow server only certificates for CD client authentication. See IT18066 if you need to configure this differently.
  Action - Ability to externalize delay for CD HttpPingResponse. See IT18178 for details.
  Action - See IT15063 for information on configuring the SFTP rekey counts

In SSP3430 iFix 1 (July 2016):
  Action - JRE upgrade turns off SSLv3 support by default - see IT07375
  HIPER  - CD Adapter failures causing high CPU - See RTC496962
  Action - SFTP Hashmacs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and hmac-sha2-512, respectively. See RTC492052 for details

===============================================================================
II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
Fixes are marked as Engine and CM (Configuration Manager)
===============================================================================

===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 03 Build 274 December 2018
MFT-9898/IT26763 (Engine) - (HTTP) Userid included in URL query string parameter during password change
MFT-9981/IT27055 (Engine) - (FTP) Password prompt not retrying if SEAS auth fails
SSP-3229/ (Engine) - (SEAS) Support for OpenDJ LDAP server
PSIRT12571 (Engine,CM) - Upgrade SSP to Jetty 9.4.12 (See MFT-3041)
PSIRT13307 (Engine,CM) - Update SSP to Apache Active MQ 5.15.6 (See SSP-3070)
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 266 November 2018
MFT-10004/IT27002 (Engine) - (SFTP) Unable to upload files > 32k
SSP-3234 (CM,Engine) - Correct missing ActiveMQ lib
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 266 November 2018
MFT-9975/IT26788 (Engine) - (CM) Adding cipher suite to External Auth definition gets System Error
SSP-3233 (Engine) - (HTTP) NPE in SSO portal after Jetty upgrade
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 263 October 2018
MFT-9902/IT26640 (Engine) - (HTTP) Error messages in log after successful transfer.
MFT-9946/IT26632 (Engine) - (CD) Alternate node in netmap not called unless specified with ip/port.
MFT-9961/IT26631 (Engine,CM) - (SFTP) Intermittent SignatureException
SSP-3041 (Engine,CM) - Upgrade SSP to Jetty 9.4.12
SSP-3070 (Engine,CM) - Update SSP to Apache Active MQ 5.15.6
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 257 October 2018
MFT-9835/IT26615 (Engine) - (CD) Timeout during FASP Close at end of large transfer.
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 256 September 2018
MFT-9925/IT26416 (Engine) - Allow Customer to override minimum DH Exchange key sizes
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Build 255 August 2018
No Defect/ (Engine) - (CD) CSV057E missing values Z15R, DDTY, DDTS
RTC572605/IT25899 (Engine) - (CD) Upper and lower case node logs not created
SSP-3036/ (Engine) - (HTTP) B2Bi 6.0 rejecting HTTP requests with "400 Bad Message" error
PSIRT11819 (CM,Engine,PS) - Update JRE 1.8 to SR5 FP17 (8.0.5.17)
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 01 Plus Build 249 August 2018
RTC572142/DT001321 (Engine) - (FTPS) Customers on slow line getting 226 Transfer Complete on the Control Channel prior to all data sent
RTC572554/IT26062 (CM) - (CM) ./manageKeyCerts.sh fails when admin user defined in SEAS
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 01 Plus Build 246 July 2018
RTC569857/ (CM) - (CM) Improve messages for xml parsing exceptions
RTC571371/IT25695 (CM) - (REST) Failure to add a new node to a netmap when an existing node has problems in its configuration
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 01 Plus Build 244 July 2018
RTC566675/IT25694 (Engine,PS) - (CD) Large FASP Transfers (5GB) are failing with broken pipe
RTC566772/IT25294 (Engine) - (SFTP) Users unable to logon using "key and password" policy (session limit exceeded)
RTC568408/ (Engine) - (HTTP) Limit userid/password fields to 256 characters
RTC570690/ (CM) - IBM Metric tools cannot detect SSPCM
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 01 Build 237 May 2018
RTC567296/ (Engine) - (SFTP) resetting failed login attempt count even when one of the auth fails
RTC567354/IT24987 (CM) - (Install) Getting non-fatal stackOverflowExceptions in log of SILENT install of SSPcm
PSIRT10955/10418 (Engine, CM, PS) - Update JRE 1.8 to SR5 FP10 (8.0.5.10)
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 00 Plus Build 235 May 2018
RTC561821/IT24660 (Engine) - (SFTP) Password prompted after key auth failed when "key and password" auth policy is used
RTC566007 (CM, Engine, PS) - (HSM) SSP crashes with HSM enabled
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 00 Plus Build 234 May 2018
RTC566450/IT24790 (CM, Engine) - (SFTP) Remove the twofish* and cast* ciphers
RTC566512/IT24843 (CM, Engine) - (FTPS) Add missing ciphers to FIPS list
RTC567232/IT24869 (Engine) - (CD) SSL Protocol missing from CSP007I and SSP0240I messages
RTC568078/IT24967 (Engine) - (CD) HSM retargeted keys get java.security.UnrecoverableKeyException - DER input not an octet string
RTC568515/IT25039 (Engine) - (CD) Unable to access HSM key referenced from non-default keystore
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 00 Plus Build 229 April 2018
RTC563781/IT24842 (Engine) - (HTTP) malformed upload causes hung state
RTC564157/internal (CM) - IPV4 and IPV6 addresses not screened properly
RTC564992/ (CM) - (Install) SSPCM fails to start after upgrade if "admin" id previously deleted.
RTC566337/IT24733 (Engine) - (SFTP) Adapter will not start in FIPS mode
===============================================================================
Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432 GA) Build 222 (March 2018)
RFE547267/ (CM) - Enhancement - Ability to disallow concurrent SSP CM sessions
RTC548827/ (CM,Engine) - IPv6 support for SSP and SEAS
RTC561952/ (CM) - (CM) - Authentication Bypass Using HTTP Verb Tampering
RTC563014/IT24648 (Engine) - SSP not failing back to primary SEAS server
RTC563311/IT24440 (Engine) - (SFTP) Client receives password prompt when netmap using a sftpPolicy set to KEY only
RTC563547/IT24449 (Engine) - (HTTP) Not encoding url correctly when SSP redirects to an external login page
RTC564833/ (CM) - (CM) AppScan - Stack trace in the response body
RTC565487/ (CM,Engine) - SSP/SEAS code signing certificate expires June 21, 2018
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 5 Plus Build 208 (March 2018)
RTC104091/ (Engine) - (CD) Let PS (local or remote) do DNS resolution
RTC458227/ (Engine) - Update the inbound Reverse DNS Lookup message with the hostname for better diagnostics
RTC521499/ (CM) - (RESTAPI) HTTP Netmap import failing without truststore even though no client authentication
RTC560800/IT24125 (Engine) - (CD) CSP057E KQV keyword "FSOK" found in FM71, but not defined in XML schema definition
RFE547267/ (CM) - (GUI,RESTAPI) Update sysGlobals.xsd with allowMultipleSessionsPerUser tag
RTC558982/IT24252 (CM) - (CM) NPE importing keycert with comma, asterisk or exclamation mark in password.
RTC561255/IT24036 (Engine) - (CD) Unable to use Secure+ with Wild Card Nodename feature - %DEFAULT_NODE
RTC561382/IT24037 (CM) - (GUI,RESTAPI) Importing multiple certificates into the truststore.
RTC561603/IT24112 (CM) - (CM) GUI listing AES ciphers for SSLv3 protocol
RTC562430/(Enh) (CM) - (CM) Enhancement to improve listing of certificates to include chains and pkcs12
RTC562623/IT24251 (Engine) - (SFTP) logoff messages with every load balancer ping.
RTC563309/IT24246 (CM) - (RESTAPI) Unable to add HMAC values that are available in the SSPcm UI
RTC563378/IT24253 (Engine) - (CD) Allow suppressing content length header in http health check ping response
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 5 Plus Build 202 (January 2018)
PSIRT10042/IT23654 (CM) - (CM) Possible vulnerability in Apache Commons Fileupload toolkit
RTC556199/IT23554 (CM/Engine) - (HSM) SSP import replace in HSM fails if key with same alias already exists in HSM
RTC557073/IT23495 (Engine,CM) - (Install) Engine fails to start after upgrading from pre-SSP3420
RTC557173/IT23483 (Engine,CM) - (PeSIT) Add TLSv1.1 and 1.2 protocols
RTC557986/IT23827 (CM) - (REST) API responds with 200/OK on invalid netmap XML input
RTC559115/IT23828 (PS) - (Install) Install failed - "CIP_List is not set" when interface not found
RTC559657/IT23829 (CM) - (REST) Distinguish in CM logs between REST API and CM GUI configuration updates
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 5 Plus Build 194 (December 2017)
RTC550295/IT23475 (PS) - (PS) Perimeter Services Messages ALWAYS getting logged only under DEBUG
RTC551786/IT23476 (Engine) - (SFTP) Updated Maverick to SSHD 1.6.41, J2SSH 1.6.34
RTC554088/IT23494 (Engine) - (FTPS) Support EPSV and EPRT commands
RTC556393/ (Engine) - (CD) Improve SSP logging for XDR keyword error
RTC556544/ (CM) - (REST) Improve console output for sspRestAPI script when connection cannot be made.
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 5 Plus Build 190 (November 2017)
RTC497412/ (Engine) - Inbound FTPS fails when client cert has server flag
RTC503335/ (Engine) - (CD) Logging improvements for Certificate issues
RTC507936/ (Engine, CM) - (Install) Unpredictable install directory when backspace settings not set correctly
RTC522918/ (Engine) - (CD) Include content-length header in CD Health check ping response
RTC553906/ (Engine) - (HTTP) 'must change password' does not work if browser makes favicon request
RTC554173/IT23167 (CM) - (CM) scripts not honoring the TLS protocol version from CM security System Settings
RTC554225/ (CM) - (CM) Poor error message when importing expired certificate
RTC555530/ (Engine) - (SFTP) log showing parameter place holders: {1}
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 5 Build 187 (October 2017)
PSIRT9227 (Engine, CM, PS) - Update JRE 1.8 to SR4 FP10 (8.0.4.10)
RTC503335/ (Engine) - (CD) Improve certificate failure logging
RTC503536/ (Engine) - (HTTP) Client is not receiving the 500 error message from SSO login failure
RTC524639/ (Engine) - (SFTP) Bad format in one user auth key keeps RTC538332 adapters from coming up
RTC528506/ (Engine,CM) - (Install) Remove/rename seas.log from CM, engine
RTC548552/IT22537 (Engine) - (SFTP) Intermittent transfers through SSP show as an "ABORT" in SFG
RTC550367/ (Engine) - (SEAS) Set correlator on EA failover ping request so it can be suppressed in EA log
RTC552273/ (Engine) - (HTTP) Security Headers causing errors in rendering SSO HTTP proxy portal pages
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 184 (October 2017)
RTC488587/ (PS) - (PS) Show SSP version/build at startup in PS log
RTC552345/IT22825 (CM) - (CD,FTPS,HTTP) SHA2 and SHA3 Cipher Suites not available when selecting "SSLv3, TLSv1, TLSv1.1, or TLSv1.2"
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 168 (September 2017)
RTC505548/ (Engine) - (CD) CM monitor shows CD adapter status as active, though the less secure remote PS is down.
RTC546370/IT22549 (Engine) - (SFTP) One line password prompt not working
RTC550068/IT22538 (Engine) - (SFTP) Leaving leftover sessions.
RTC551227/IT22491 (Engine) - (CD) Avoid Perimeter race condition causing C:D z/OS error messages (SVTM091I and SVTM090I)
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 166 (September 2017)
RTC528288 (CM) - (SFTP) Allow space char at end of password prompt
RTC547559/IT22014 (CM) - (REST) Allow API to run concurrently, support better format for encrypted passwords
RTC550113 (CM) - (CM) Error writing to UDP audit syslog when configuration change record exceeds 65k
RTC550278/IT22371 (Engine) - (Pesit) Allow Pre-connection phase to be optional with TCP connections
RTC550968 (Engine) - (HTTP) New headers cause problem with Chrome
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 160 (August 2017)
RTC543000/IT21407 (Engine) - Option to roll over log files at midnight
RTC546604/IT22033 (Engine) - (HTTP) SSP Engine needs to send HTTP security headers
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 156 (August 2017)
RTC505365/ (CM) - (REST) Unable to create CM user using ExternalAUTH
RTC542811/IT21439 (Engine) - (SFTP) problem with zlib compression - Windows
RTC546159/IT21867 (Engine) - (SFTP) Error resuming a transfer
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 154 (July 2017)
RTC535333/ (Engine,CM) - Data Collector updates
RTC504499/ (Engine) - (CD) Common name (CN=) can be last entry in subject.
RTC541553/ (CM,Engine) - Factory cert expiring December 1, 2017
RTC542811/IT21439 (Engine) - (SFTP) zlib compression is not working
RTC544511/IT21482 (Engine,CM) - (CD,FTPS,HTTP) New protocol option for TLS1.0-1.2 only
RTC544966/ (Engine) - (SFTP) Correct 5 second delay at the beginning of a session
RTC545321/IT21567 (CM) - (REST) Password corruption on HTTPnetmap
RTC545688/IT21592 (Engine) - (CD) Common name can contain comma
RTC545903/IT21596 (Engine) - (REST) Error loading C:D Adapter with EA PS
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 146 (June 2017)
RTC536410/ (Engine) - (SFTP) Spurious RejectedExecutionExceptions in log during load testing
RTC537525/IT21212 (CM) - (CM) configureCmSsl script gets error - No supported private key marker found in PEM stream
RTC542091/IT21139 (CM) - (CD) Include all ciphers for PNODE Controls
RTC542503/IT21213 (CM) - (REST) Add more information to error message when importing SSH KeyDef
RTC542640/IT21204 (CM,Engine,PS) - (Install) Turn off world-writable directories
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 139 (June 2017)
RTC533345/ (Engine) - (CD) Session fails because "End user tried to act as a CA"
RTC535517/IT20520 (Engine) - (CD) Error on first block when enabling data encryption
RTC538591/IT20896 (CM) - (CM) Error accessing certificates in the trusted keystore after upgrade from 3.4.1.8
RTC538773/IT21115 (Engine) - (Failover) EAProxy deadlock due to method serialization
RTC540861/IT21120 (PS) - (PS) Upgrade fails to replace JRE when jre directory is owned by another user/group
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 135 (June 2017)
RTC534483/IT20590 (Engine) - (SFTP) adapter policy (password+key) doesn't report failed logon attempts
RTC536899/ (CM) - (REST) API import errors detected
RTC536951/IT20749 (CM) - (CM) Hashed password display
RTC537305/IT20816 (Engine) - (CD) SSP Engine OutOfMemory (OOM) exception when adapter gets out of sync with local PS
RTC538758/IT20889 (Engine) - (SFTP) Avoid NPE when SFTP adapter shut down
RTC539383/IT20879 (CM) - (CM) Unable to see all the trusted certificates in Netmap > Outbound > Security
RTC540353/IT20845 (CM) - (REST) Import failed with ERROR SspCMConfigService - sysGlobalsDef Host required
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 4 Build 123 (April 2017)
RTC528659/IT20207 (Engine) - (SFTP) SSP restarted due to OOM errors
RTC533058/ (CM,Engine) - Shutdown scripts hang with JRE 1.8 on AIX
RTC533482/IT20234 (Engine) - (CD) Transfers not working with SSLv3
RTC533801/ (CM,Engine,PS) - Upgrade to Java 1.8 for Java January 2017 security fixes
RTC534665/IT20206 (Engine) - (CD) Invalid copy step causes NPE in validation
RTC536506/IT20338 (Engine) - (SFTP) Maverick log getting numerous exceptions for each SFTP logoff.
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 115 (April 2017)
RTC531365/IT19649 (CM) - (CM) Users unable to change password after upgrade
RTC532854/IT19863 (CM) - (REST) API unable to use TLS1.2 to SSP CM Web
RTC533580/ (CM) - (REST) unable to import exported configurations
RTC533680/IT20027 (Engine) - (CD) RU size negotiated to 16259 when using Secure+ on one CD node and non-secure on the other.
RTC533907/ (Engine,CM) - InstallAnywhere on Windows shows ERROR: Failure in the CopyJreLib step
RTC534003/IT19950 (CM) - Error when executing configureCmSsl.sh
RTC535210/ (Engine) - RAS Enhancement - Add new startEngine.log, switches for heap dumps and SSL debugging
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 112 (March 2017)
RTC528702/IT19672 (CM,Engine) - Install failure causes secure protocols to fail after upgrade
RTC529443/IT19491 (Engine) - SFTP adapter won't come up when HSM is enabled.
RTC529446/IT19332 (Engine) - Unable to use HSM keystore without password
RTC529453 (CM) - Ship a separate security.properties for SSP CM
RTC529530 (CM,Engine) - (HSM) No longer ship setupHSM.bat or .sh and remove them if they exist.
RTC530844/IT19443 (Engine) - (CD) Allow client-only certs in server authentication.
RTC530859/IT19451 (Engine) - (CD) Accept "TLS" and change to "TLSv1"
RTC531976/IT19734 (Engine) - SFTP sessions fail when HSM is enabled
RTC532302/IT19647 (CM) - REST: Don't require truststore for http inbound node if client auth is not enabled
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 105 (February 2017)
RTC525304/ (Engine) - Performance test fails for HTTPS and FTPS
RTC527354/IT19159 (CM) - TLS1.2 is not negotiating when FIPS mode ON
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 104 (February 2017)
RTC525694/IT18971 (CM) - Large certificate serial number appears incorrectly in SSPCM
RTC527283/IT19153 (CM) - SSP 3.4.3 CM in Windows Uninstall shows Version 3.4.2.0; 'Help' points to v3.4.2 content
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 101 (February 2017)
RTC524274/IT19027 (Engine) - (HSM) FTPS not working with HSM certificates after upgrading from 3.4.1.7 to 3.4.3
RTC525585/IT18998 (CM) - HTTP netmap logging level reset to NONE if Routing Node tab selected
RTC527009/IT19026 (Engine) - FTPS client connects, but LIST command delayed
RTC527355/ (CM,Engine) - SSP CM not PUSHing configured SSH Local User Keys to SSP Engine
No Defect (Engine) - Additional KQV values for C:D FM71 - ZEDC
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 3 Build 99 (January 2017)
RTC524897/IT18695 (Engine) - 100% CPU in Maverick toolkit after a few days
RTC525887/ (Engine) - FTPS data channel hangs when CEU is back end
RTC526163/ (Engine) - Avoid erroneous PASV response from server
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 2 Plus Build 94 (January 2017)
RTC517058/IT17567 (Engine) - *HIPER* FTPS data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3.
RTC525081/IT18698 (Engine) - Numerous Maverick NullPointerExceptions in systemout.log after SSP3420 iFix 9
RTC525909/ (Engine) - Error messages "peer not authenticated" in load test logs for C:D sessions
RTC525956/ (Engine) - SFTP concurrency test produces number of NPEs
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 2 Plus Build 87 (December 2016)
RTC516359/IT18163 (Engine) - Deadlock/hang in failover code
RTC523287/IT18529 (Engine) - SEAS-Agent timeouts are hanging other SFTP Adapters including ones not dependent on SEAS
RTC524219/IT18552 (Engine) - CD failures after upgrade from SSP3418 to SSP3430 iFix 2
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 2 Build 83 (December 2016)
RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the sftp_rekeycount limit in the adapter.
RTC523578/ (Engine) - (HSM) CD Protocol unable to use keycert in HSM
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 81 (December 2016)
RTC512573/IT18260 (Engine) - HTTP connections fail with SSE0102E secure connection failures after upgrade to SSP 3.4.2
RTC518916/IT18164 (Engine) - CD "PNODE Host controls SSL Protocol" netmap setting fails in some circumstances
RTC519253/IT18066 (Engine) - (CD) Allow server only certificates for client authentication
RTC519510/IT18176 (CM,Engine) - Do not enforce common name checking if CD client authentication not turned on
RTC520046/IT17985 (CM) - Unable to use a custom channel name in the JMS configuration
RTC520758/IT18178 (CM) - Externalize delay for CD HttpPingResponse.
RTC521075/IT18187 (CM) - 2 special characters in CM password when special characters required
RTC521835/IT18266 (Engine) - (HSM) SecureRandom failure using HSM with CD
RTC522699/IT18216 (CM) - Thousands of sockets in TIME_WAIT when JMS listener down
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 75 (November 2016)
RTC508303/ (Engine) - CDzOS via SSP produces XXDR021I in CD Windows statistics.
RTC513451/IT17846 (CM,Engine) - Updated to use Maverick sshd 1.6.27, j2ssh 1.6.23 RTC514315/IT17373 (CM) - Import of CA trusted file with multiple CA Certs gets corrupted RTC517621/IT17983 (Engine,PS) - Too many open file handles lsof output “can't identify protocol” entries RTC519864/IT17988 (Engine) - 2 ciphers missing from supported ciphersuites list RTC519966/IT18001 (CM) - Admin user can't be deleted in SSPCM Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 69 (October 2016) No Defect/IT17228 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR9FP50 for latest security patches PSIRT 5869 (CM) - Updated to use commons-fileupload-1.3.2.jar RTC496054/ (CM) - Error messages found in installation and CMS logs for both Engine and CM. RTC493866/IT14117 (Engine) - (PS) Too many fast wakeups in perimeter.log RTC508898/ (Engine) - (CD) With CHECKPOINT and FASP=SSP; SUSPEND hangs session RTC508901/ (Engine) - (CD) Submit process on Snode using FASP does not end session gracefully RTC510635/IT16815 (Engine) - (HSM) Certificates causing SSP0229E Exception Securing connection or Sending data, java.lang.NoClassDefFoundError - com.sterlingcommerce.security.util.SCIHSMManager RTC511154/IT16980 (Engine) - (CD) C:D adapter fails to send "Http Ping Response" string consistently RTC511666/IT17151 (CM) - Unable to invoke iKeyman bundled with SSP on Solaris 10 with error: "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman" RTC511903/IT17121 (Engine) - (SFTP) Slow upload speed via SSP on Solaris RTC511928/IT17359 (CM) - (HSM) Cannot delete old certificates in the CM HSM Keys list after upgrade RTC513206/IT17358 (CM) - SSPCM allows the password change step to be bypassed RTC513984/ (Engine, - Enhancement to allow silent Installs for SSP, CM, PS) SSPCM, PS and SEAS RTC516459/IT17419 (CM) - The manageCSRs.sh script gets a NullPointerException when attempting to create a CSR Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 47 (August 2016) RTC502863/IT16819 
(CM,Eng) - (SFTP) Support hmac-sha256 & hmac-sha256@ssh.com
RTC504898/IT16824 (CM) - (REST) XMLSchemas for Import RESTAPI Requests
RTC505522/IT16713 (Engine) - (FTP/S) Enabling CCC causes transfers to fail
RTC508526/IT16700 (CM) - Allow CM Admin to control locked account msgs
RTC509062/IT16642 (PS) - (PS) Install issues with Windows service names
RTC510313/IT16560 (CM,Eng) - (SFTP) Allow buffer lengths greater than 128K
RTC510634/IT16823 (Engine) - (SFTP) SCP presents a RC 1 after successful GET
RTC511478/RFE511476 (CM,Eng) - (SFTP) Force one line password prompt

Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 34 (August 2016)
RTC507008/IT16396 (Engine) - (CD) Memory usage increases and process slowdown with C:D wildcard copies.
RTC508872/IT16456 (Engine) - SFTP public key auth failures cause locked accounts sooner in SSP3430.
RTC509910/IT16488 (Engine) - (CD) SSP3430 causing data overruns when inbound unencrypted, outbound secure.
===============================================================================
Summary of Fixes for SSP 3.4.3.0 iFix 1 Build 29 (July 2016)
SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to SSP3420/SSP3430 format before upgrade
No Defect/IT07375 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default
RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched MAC names
RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message from SSO login failure
RTC495433/IT14514 (CM) - (HSM) manageKeyCerts import fails with java.lang.NullPointerException
RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server
RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open files", or "max concurrent circuits reached"
RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped password not present
RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine, Max concurrent circuits reached:4096 on PS
RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range
RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading to SI 5.2.6.1.
RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for PerimeterServerConfig
RTC497092/IT14615 (Engine) - Engine Shutdown issue
RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL handshakes
RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to fail
RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers
RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS enabled
RTC502844/IT15531 (CM) - Unable to import PKCS12 SHA2 certs using configureCmSsl utility
Logging Improvement (Engine) - C:D certificate failure logging improvements
RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External Authentication
RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns success but the node still exists
RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a single Windows Service and starting/shutting down the PS service starts/stops all of them
RTC505169/IT15947 (CM) - HTTP Security headers were missing.
RTC505320/IT15946 (CM) - Traversal of SSP CM Webapp root
RTC505321/IT16020 (CM) - Accessing SSP CM using expired session id
RTC505585/IT15949 (CM) - SSP CM allows methods other than GET or POST
RTC505702/IT16080 (CM) - Enhancements to password policy rules
===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter)
===============================================================================
SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to SSP3420/SSP3430 format before upgrade
Some Customers who upgraded to SSP3420/SSP3430 had SHA256 keycerts in PKCS#8 PEM format in their keystore, which is the way they were stored in the pre-SSP3420 CM. After upgrading, these keys could not be read by the new IBM toolkit, due to a couple of OID fields.
Resolution: Now supply a new SspCMCertConvertUtil with the SSP3418 CM which can be run just before upgrading to SSP3430 to convert the keystore(s) in place to PKCS#12 format, which is the format that SSP3430 uses. Once the conversion is done, the SSP3418CM image must be upgraded immediately to SSP3430CM.
Here are the steps for using the new script.
1) Obtain the latest 3418 maintenance (iFix 8 or higher) and the latest 3430 maintenance (iFix 1 or higher) on Fix Central:
   http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+Secure+Proxy&release=3.4.1.8&platform=All&function=all
2) Shut down and back up your existing 341x Engine, CM and PS instances.
3) Upgrade the 341x CM to the latest 3418 SSP CM patch.
4) Run bin/SspCMCertConvertUtil.sh (or .bat).
5) Select Yes to convert existing 3418 SSP CM keycerts, or select No to exit the script.
6) If Yes is selected, this script will first back up the entire current SSP CM conf instance.
7) The script will then convert all SSP CM keycerts that are in 341x format into SSP3420/SSP3430 CM keycert format.
8) Once the script runs to completion, upgrade the SSP CM, Engine, and PS instances to SSP3430.
9) Note: Once the script is run, the SSP3418 conf directory may no longer be used for SSP3418. Either convert to SSP3430 or restore the backed up copy.
Note: If there is a need to go back to 341x, restore the backed up copies.
The alternative is to upgrade directly to SSP3430, import the PKCS12 versions of your SHA256 keycerts into your system key store and point your netmaps to the new versions.

No Defect/IT07375 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default
This JRE was included with SSP3430 GA. SSP only allows TLS sessions by default and will reject SSLv3 sessions. If the SSLv3 protocol is required until trading partners can switch to TLS, then for UNIX/Linux, add the -Dcom.ibm.jsse2.disableSSLv3=false property to the Java startup line(s) in the bin/startEngine.sh script. For Windows, add the property to the "lax.nl.java.option.additional=" line in the bin\SSPengine$.lax file.
In addition, edit the /jre/lib/security/java.security file to change the following line from
  jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
to
  jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768
See http://www.ibm.com/support/docview.wss?uid=swg21695265 for more information.

No Defect/IT17228 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 1.7 SR9FP50 for latest security patches
This JRE includes the quarterly Java security patches through July 2016. See http://www.ibm.com/support/docview.wss?uid=swg21991287 for details.

PSIRT 5869 (CM) - Updated to use commons-fileupload-1.3.2.jar
Resolution: Upgraded to use commons-fileupload-1.3.2.jar to resolve a possible security vulnerability. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21995611.

RTC104091/ (Engine) - (CD) Let PS (local or remote) do DNS resolution
The CD Adapter has always done DNS resolution on the local host, even when the Perimeter Server definition Advanced tab specified "Perform DNS Resolution" "At Perimeter Server Host". In most cases, it required the addresses of CD nodenames to be specified as IP addresses rather than hostnames.
Resolution: Now have the CD adapter honor the setting in the PS definition for "Perform DNS Resolution" (either "At Local Host" or "At Perimeter Server Host").

RTC458227/ (Engine) - Update the inbound Reverse DNS Lookup message with the hostname for better diagnostics
When there are hostnames in the inbound netmap list instead of IP addresses, the DNS resolution process does not echo the hostnames in the log, nor identify which nodename matched.
Resolution: Now echo the hostname with the IP address it resolves to and indicate which nodename matches if a match is made:
  DEBUG Resolved: to: 9.8.7.6
  INFO SSP104I Session Proceeding after Node match: HTTP_In

RTC488587/ (PS) - Show SSP version/build at startup in PS log
There is a desire for support purposes to determine at a glance whether a Perimeter Server (PS) is for SSP (vs. B2Bi) and if so, which version and build of SSP it was from.
Resolution: At a glance, the SSP PS install directory contains a file called SSP_PServer_install.properties, which distinguishes it from a B2Bi PS. Now the PSLogger.* file at startup will contain a string SSP.INSTALLED.VERSION, which will list the build the installer came from.
  grep SSP.INSTALLED.VERSION PSLogger.*
  SSP.INSTALLED.VERSION=SSP 3.4.2.0 iFix11+ Build 411

RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched MAC names
Customer was attempting to configure their SFTP to use HMACs of 256 or higher. SFTP handshakes were getting a mismatch of the HMAC algorithm names. SSP was presenting "hmac-sha256" and "hmac-sha512", but should have been using "hmac-sha2-256" and "hmac-sha2-512".
Resolution: Now properly present the "hmac-sha2-256" and "hmac-sha2-512" HMAC names.
Action: If you have previously selected the "hmac-sha256" or "hmac-sha512" HMACs in the adapter Security tab or the netmap node Security tab, they will be de-selected during this upgrade, and you must reselect the "hmac-sha2-256" and/or "hmac-sha2-512" HMACs.

RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range
Customer running with a newer OpenSSH command line client was getting DH_GEX group out of range during session initialization.
Resolution: Updated the SFTP Maverick toolkits to SSHD 1.6.17 (front end server side) and J2SSH 1.6.15 (back end client side) for more advanced Diffie-Hellman key negotiation.

RTC493866/IT14117 (Engine) - (PS) Too many fast wakeups in perimeter.log
After applying SSP3430 iFix 1, the perimeter.log began receiving the following messages in DEBUG mode:
  com.sterlingcommerce.perimeter - NioDispatcher.block() -- too many fast wakeups, rebuilding selector.
  com.sterlingcommerce.perimeter - NioDispatcher.block() - wakeup after 0, result: 0, fastwakeups: 1001
Resolution: Corrected the perimeter.properties file to match the new version shipping since iFix 1. Also added the following parameter to the bottom of the bin/perimeter.properties file to turn off the NIO dispatcher in the local perimeter server:
  perimeter.niodispatcher=false

RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message from SSO login failure
An HTTP client logging onto the SSO portal and then onto Sterling File Gateway is getting a blank screen instead of a 500 error message when the login fails.
Resolution: Added the text "Internal Server Error" to the message body for the 500 error response and pass it back to the user on login failure.

RTC495433/IT14514 (CM) - (HSM) manageKeyCerts import fails with java.lang.NullPointerException
The manageKeyCerts.sh utility fails with "Unexpected exception: java.lang.NullPointerException" when attempting to import a PKCS12 keycert into HSM.
Resolution: Changed manageKeyTool to persist imported keys by saving off the private key.

RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server
When the SFTP proxy adapter times out on the client, the socket connection stays in FIN_WAIT2 state.
Resolution: Modified code related to close functionality.

RTC496054/ (CM) - Error messages found in installation and CMS logs for both Engine and CM.
Numerous error messages seen in the log during installation or configuration update:
  ERROR SspEngineBuilder - routing type STD.
They were introduced by Build 54.
Resolution: Removed the superfluous message.

RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open files", or "max concurrent circuits reached"
After several hours or days of running, the Perimeter Server can get the message "Too many open files" or "Max concurrent circuits reached: size is:4096", and all incoming connections are rejected. The C:D adapter was not closing the connections from the load balancer heartbeat pings correctly, causing an accumulation of circuits in the PS and leftover file descriptors showing up in an lsof command. Customers with a ulimit of 1024 for max open files per user will get the former message, while others will get the latter.
Resolution: Updated the C:D adapter code to better handle a load balancer ping operation which does not do a clean close of the socket after connecting. These connections should get cleaned up by the Java garbage collector over time. The Customer should also set the kernel ulimit max open files value to 4096 or higher to allow time for the normal recycling of the load balancer ping sockets.

RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped password not present
If an SFTP policy is configured to use a mapped routing key name from SEAS to connect to the backend server, a Null Pointer Exception can occur if the user does not have a mapped password defined.
When attempting to connect to the SSP SFTP adapter, the user will not be able to login, and the following exception will occur in the adapter log:
  java.lang.NullPointerException
      at java.lang.String.
      at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.registerBackend
      at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUserHelper
      at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUser
      at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.verifyPassword
      at com.sterlingcommerce.cspssh.daemon.SftpAccessInstance.verifyPassword
Resolution: Now correctly handle the situation where SEAS returns a mapped routing key name, but not a mapped password.

RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine, Max concurrent circuits reached:4096 on PS
When the C:D adapter recovers from a connection failure to the More Secure Perimeter Server, it restarts its listener on the inbound PS but no longer services connections coming in. As the load balancer continues to hit the CD port, it can lead to a "Max concurrent circuits reached: 4096" error on the PS and all inbound traffic turned away.
Resolution: Corrected the recovery logic in the CD adapter to ensure that the inbound listener is brought up and the adapter continues to service connections.

RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading to SI 5.2.6.1.
SI/B2Bi 5.2.6.1 uses the fix provided in the IBM JRE (JSSE) to break up packets when using CBC cipher suites and TLS 1.0. The short packet during the initial FMH 68/72 exchange was causing SSP to issue message CSP900E Logged Exception : Invalid Connect:Direct FMH.
Resolution: Now handle SSL fragmentation caused by remediation for the CBC BEAST TLS 1.0 PSIRT advisory.
Workaround: There are 2 known workarounds to this problem -
1) Switch to using TLS 1.2 between SSP and SI, as the BEAST "fix" only gets used with TLS 1.0.
2) Update the SI 5.2.6.1 startup script(s) to add "-Djsse.enableCBCProtection=false" in the Java startup line(s).

RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for PerimeterServerConfig
During a configuration push from the CM to the engine, getting multiple java.lang.RuntimeException: Problem with reflection based marshalling. Invalid data was being passed to the SSP Engine Converter method.
Resolution: Added logic to detect when invalid data is passed into the converter method and handle it properly.

RTC497092/IT14615 (Engine) - Engine Shutdown issue
Customer could not shut down the SSP engine from the command line using either stopEngine.sh mode=auto or the regular ./stopEngine.sh.
Resolution: Added logic to the SSP code base so that the TLS protocol is no longer hard-coded for the SSP engine shutdown module.

RTC497412/ (Engine) - Inbound FTPS fails when client cert has server flag
FTPS client fails the SSL handshake because it is using a certificate marked for Server use only.
Resolution: Now provide better diagnostics in the error message so that the client can be instructed to get a certificate marked Client only or Server plus Client. Now the error message will say:
  [TLSCheck.certificateCallback] Entered: 4 (TRUST_ERROR_OTHER - could be server-only certificate used for client auth or client-only certificate used for server auth or broken chain, etc)

RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL handshakes
Customers experiencing intermittent failures during SSL handshaking in CD, FTP, or HTTP sessions. A PEMHelper utility class which feeds certificates to the SSL/TLS handshake process had objects defined in such a way that they were not thread-safe, causing unpredictable outcomes when multiple sessions were attempting to do simultaneous handshakes.
Resolution: Corrected the objects in the PEMHelper class to be thread-safe.

RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the sftp_rekeycount limit in the adapter.
Under certain circumstances, the rekey limit is causing SFTP transfers to stall. The sftp_rekeycount property defaults to 20000, which allows 20k packets to flow before requesting a new key exchange. However, the SSP FTP daemon and the SSH Maverick toolkit are both keeping track of the packet count, which can cause a hang when both request a rekey at the same time.
Resolution: Turned off requesting rekey operations on the back end session to SI within the SFTP adapter. Added a new property, sftp_backend_rekeycount, with a default of zero, to specify the number of packets between rekeys on the backend session to SI, in case a Customer needs to turn it back on. Also updated the Maverick toolkit to get the latest versions with any impact on re-key issues.

RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to fail
There was an internal error during startup of the CM and the internal ManagedAccepterService never came up, which caused logins to fail.
Resolution: Added the ManagedAccepterService to the list of global services so it would start sooner in the process.

RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers
The SSP CM is missing the following HTTP security headers:
  Cache-Control: no-cache,no-store
  Pragma: no-cache
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1
Resolution: Added the missing HTTP security headers to the SSP CM.

RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS enabled
With FIPS mode enabled in SSP, a null pointer exception can occur if the group-exchange-sha256 key exchange algorithm is enabled in the outbound netmap node.
Resolution: Code has been added so that SSP can use the group-exchange-sha256 key exchange algorithm, in FIPS mode, for connections to the backend server.
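As an added illustration of the header check behind RTC501513 (the same header list, plus Strict-Transport-Security, is added again under RTC505169 below), the following Python is not SSP code. It parses a raw HTTP response head and reports which of the hardening headers are missing or carry a weak value, which is how an administrator can confirm the fix is active on a CM instance. The two sample responses are constructed, and the Strict-Transport-Security test (a max-age directive must be present) is this example's assumption rather than a value from the fix notes.

```python
"""Added example: verify the HTTP hardening headers that RTC501513 and
RTC505169 add to the SSP CM are present in a response head. Not SSP code."""
from typing import Callable, Dict, List


def _tokens(value: str) -> set:
    """Split a comma-separated header value into lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",")}


# Header name -> predicate that accepts a strong value. The first four follow
# the values listed in the fix notes; the Strict-Transport-Security check is
# an assumption of this example (the notes do not give a value).
REQUIRED: Dict[str, Callable[[str], bool]] = {
    "Cache-Control": lambda v: {"no-cache", "no-store"} <= _tokens(v),
    "Pragma": lambda v: v.strip().lower() == "no-cache",
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    # Only the leading "1" is checked; browsers have since deprecated this header.
    "X-XSS-Protection": lambda v: v.strip().split(";")[0].strip() == "1",
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower().replace(" ", ""),
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a response head (status line + header lines, CRLF or LF) into a
    dict keyed by lower-cased header name. Repeated headers are joined with
    ", " so token checks see every directive."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:           # lines[0] is the status line
        if not line.strip():         # blank line ends the head
            break
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per required header that is absent or weak."""
    findings = []
    for name, accepts in REQUIRED.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"{name}: missing")
        elif not accepts(value):
            findings.append(f"{name}: weak value {value!r}")
    return findings


# Constructed sample responses (not captured from a real SSP CM).
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: x\r\n\r\n"
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "Cache-Control: no-cache,no-store\r\nPragma: no-cache\r\n"
         "X-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1\r\n"
         "Strict-Transport-Security: max-age=31536000\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE), ("after fix", AFTER)):
        print(label, "->", missing_security_headers(parse_headers(raw)) or "all present")
```

Feed it the head captured from the CM login page (for example from a browser's network panel or a curl -I run) and an empty list means every header the fix adds is present with the listed value.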
RTC502844/IT15531 (CM) - Unable to import PKCS12 SHA2 certs using configureCmSsl utility
CmSslConfigTool was unable to successfully import PKCS12 certificates.
Resolution: Added logic that allows for the public certificate to be extracted from PKCS12 into the SSP CM truststore.

RTC502863/IT16819 (CM,Eng) - (SFTP) Support hmac-sha256 & hmac-sha256@ssh.com
Previously, SSP did not support the following HMAC algorithms for SFTP adapters and outbound nodes: hmac-sha256 and hmac-sha256@ssh.com.
Resolution: Added support for hmac-sha256 and hmac-sha256@ssh.com.

Logging Improvement (Engine) - C:D certificate failure logging improvements
Trusted certificates that contain comments or too many characters on a line may not be able to be parsed by SSP 3.4.2, even though they worked in SSP 3.4.1.
Resolution: Added code so that if SSP fails to parse a trusted certificate, the name of the offending certificate is logged.

RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External Authentication
When using the SSP REST API to create a new CM user that uses external authentication, an error will occur if a password is not specified. Since authentication is done externally, a password should not be required in SSP.
Resolution: The SSP REST API code has been changed so that passwords are not required for new CM users that use external authentication.

RTC503335/ (Engine) - (CD) Improve certificate failure logging
Resolution: Changed the CSP062E (Secure+ mismatch error) message to ERROR level. Also updated the SSE0116E and SSE0117E messages (handshake failures) to include "Check for certificate failures" in addition to the instructions to verify protocols and ciphers.

RTC503335/ (Engine) - (CD) Logging improvements for Certificate issues
C:D Secure+ handshakes sometimes failed due to certificate errors, but did not include which certificate was identified as failing.
Resolution: Add the keycertificate name to error messages when appropriate. Examples:
  CSP037E Could not load certificate information for node. KeyCertificate Name=CertWiz_SHA256_SelfSigned.keycert
  CSP900E Logged Exception : could not handshake because certs or configuration is invalid, KeyCertificate Name=CertWiz_SHA256_SelfSigned.keycert
  CSP057E 16 Exception or other serious error occurred: exception in processing could not handshake because certs or configuration is invalid, KeyCertificate Name=CertWiz_SHA256_SelfSigned.keycert

RTC503536/ (Engine) - (HTTP) Client is not receiving the 500 error message from SSO login failure
When using SSP/SEAS to connect to myFileGateway, the username that is entered into the SSP login page is authenticated against SEAS before it is sent to SFG. The username in LDAP is case insensitive, but in SI it is case sensitive, so authentication can succeed in LDAP, but fail on SI. This causes SSP to display a blank page, and return the 500 HTTP response code.
Resolution: Now whenever the HTTP response code is 500, SSP also returns "Internal Server Error" in the message body, so that the response code is delivered and the client does not get a blank page.

RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns success but the node still exists
When using the SSP REST API to delete a C:D netmap node, and the node being deleted is referenced by another node's ACL, the REST API will return a successful response, but the node will not be deleted.
Resolution: The SSP REST API code has been updated to return a meaningful error message if a node cannot be deleted because it is referenced by another node's ACL.

RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a single Windows Service and starting/shutting down the PS service starts/stops all of them
After installing a more secure perimeter server, it is possible that the Windows service used to start and stop the perimeter server will be named using the wrong port number.
If this new Windows service name overwrites an existing service, the perimeter server corresponding to the old Windows service cannot be started.
Resolution: The code has been changed so that the name of the perimeter server always contains the port number that the SSP Engine will listen on. This guarantees that the Windows Service name corresponds to the correct server.

RTC504499/ (Engine) - (CD) Common name (CN=) can be last entry in subject.
If certificate common name matching was turned on for CD Secure Plus transfers, the comparisons would fail if the common name was the last field in the Subject or if it had a comma (,) in it. Legacy code was relying on the comma as a terminator for the CN= field in the certificate.
Resolution: Converted from legacy parsing to use the X500Name field built into Java certificate processing.

RTC504898/IT16824 (CM) - (REST) XMLSchemas for Import RESTAPI Requests
Resolution: XSD files are now provided to allow XML validation. Sample programs were changed to show validation using the appropriate xsd file.
Note: Because netmapDef was re-used for cd, ftp, http, pesit and sftp, and ftpPolicyDef was reused for ftp and sftp, changes were required to allow for xsd validation of import/export XML files. These changes also required modifications in the SSP CM, so CM must be upgraded to this level in order to use the xsd's provided.

RTC505169/IT15947 (CM) - HTTP Security headers were missing.
Resolution: Added the following security headers
1) Cache-Control: no-cache,no-store and Pragma: no-cache
2) X-Content-Type-Options "nosniff"
3) X-XSS-Protection "1"
4) Strict-Transport-Security - Note: Chrome may require some tweaking when the CM server certificate CN does not match the host name; see https://support.opendns.com/entries/66657664-Chrome-for-Windows-only-HSTS-Certificate-Exception-Instructions for the Chrome mitigation.
See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details.
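To show the parsing problem RTC504499 describes, here is an added Python illustration; it is not SSP's code, which moved to Java's X500Name. It puts a constructed stand-in for the legacy "cut at the next comma" extraction beside an RFC 4514 parser that honours backslash escapes and quoted values, so a CN= that is the last component or that contains a comma is still matched correctly. The subject strings are constructed samples, and the parser deliberately omits hex-pair escapes (for example \2C), which real certificate subjects rarely use.

```python
"""Added example: common-name extraction from an X.500 subject string,
legacy comma-terminated style versus an RFC 4514-aware parse. Not SSP code."""
from typing import List, Optional, Tuple

# Constructed subjects exercising the two failure modes in RTC504499.
DN_CN_LAST = "C=US, O=Example Corp, CN=ssp.example.com"
DN_ESCAPED = "CN=Acme\\, Inc. Gateway, O=Acme"      # CN contains an escaped comma
DN_QUOTED = 'CN="Acme, Inc", O=Acme'                 # RFC 2253-style quoting


def naive_cn(subject: str) -> Optional[str]:
    """Stand-in for the legacy parse: what follows 'CN=' up to the next comma.
    When CN is the last component find() returns -1 and the slice silently
    drops the last character; an escaped comma inside the CN truncates it."""
    i = subject.find("CN=")
    if i < 0:
        return None
    rest = subject[i + 3:]
    return rest[:rest.find(",")]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string into (TYPE, value) pairs. A comma only
    separates components when it is neither backslash-escaped nor inside a
    double-quoted value; escapes are resolved into the value."""
    components: List[str] = []
    buf: List[str] = []
    quoted = escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    components.append("".join(buf))
    pairs = []
    for comp in components:
        attr_type, _, value = comp.partition("=")   # first '=' splits type from value
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def subject_cn(subject: str) -> Optional[str]:
    """First CN attribute value in the subject, wherever it sits."""
    for attr_type, value in parse_dn(subject):
        if attr_type == "CN":
            return value
    return None


def cn_matches(subject: str, expected: str) -> bool:
    """Case-insensitive CN comparison of the kind the CD adapter performs."""
    cn = subject_cn(subject)
    return cn is not None and cn.casefold() == expected.casefold()


if __name__ == "__main__":
    for dn in (DN_CN_LAST, DN_ESCAPED, DN_QUOTED):
        print(f"{dn!r}: legacy={naive_cn(dn)!r} rfc4514={subject_cn(dn)!r}")
```

The legacy form returns "ssp.example.co" for the first subject and "Acme\" for the second, which is why a correctly configured common-name check failed; the parser returns the full CN in both cases.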
RTC505320/IT15946 (CM) - Traversal of SSP CM Webapp root
Under certain conditions, a browser user is able to traverse the SSP CM webapp root directory.
Resolution: Added logic in the SSP servlet filter to block directory traversal. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details.

RTC505321/IT16020 (CM) - Accessing SSP CM using expired session id
The SSP CM Dashboard web session was not being reset during a logoff operation.
Resolution: Added logic to always reset the SSP CM Dashboard web session during a logoff operation. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details.

RTC505365/ (CM) - (REST) Unable to create CM user using ExternalAUTH
When creating a new CM user that uses External authentication, the REST API requires a password for that user. A password should only be required if Local authentication is selected.
Resolution: Changed the CM User validator so that a password is not required if External authentication is selected.

RTC505548/ (Engine) - CD Proxy shows CM monitoring status as active, though the less secure remote PS is down.
The SSP C:D Adapter failed to recognize that the remote PS had failed and didn't initiate recovery (both with and without failover).
Resolution: The C:D Adapter now recognizes the failure of the remote PS, reports it properly in the log and to CM, and initiates recovery attempts.

RTC505522/IT16713 (Engine) - (FTP/S) Enabling CCC causes transfers to fail
When CCC (Clear Control Channel) is enabled on the inbound node for the connection from the FTP Client to the SSP FTP Proxy, the session fails after the CCC command is sent by the client to SSP.
Resolution: SSP was updated to correctly interface with the newer PS.

RTC505585/IT15949 (CM) - SSP CM allows methods other than GET or POST
User was able to send a method request other than GET and POST to the SSP CM server and get a response back.
Resolution: Modified the SSP CM web.xml to only honor GET and POST methods. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details.

RTC505702/IT16080 (CM) - Enhancements to password policy rules
Resolution: Now allow the SSP CM admin to specify the allowed special characters and also to specify the number of consecutive repeating characters within a new password string.

RTC507008/IT16396 (Engine) - (CD) Memory usage increases and process slowdown with C:D wildcard copies.
A C:D process with a large number of steps (e.g. a wildcard copy) continues to consume resources and processing slows down as more and more objects are added to the SSP session document.
Resolution: Refactored the way the SSP session document is manipulated to make it more efficient.

RTC507936/ (Engine, CM) - Unpredictable install directory when backspace settings not set correctly
Inputting data to InstallAnywhere during installation and using the backspace or cursor arrow keys results in bad data. This comes about when the stty terminal settings are not set up correctly. The install directory value may display correctly, but end up containing unprintable backspace or arrow keys.
Resolution: Added code to inspect for backspace and cursor keystrokes and correct the data inputted.

RTC508303/ (Engine) - CDzOS via SSP produces XXDR021I in CD Windows statistics.
C:D Windows stats show XXDR012I RC 4 for processes between C:D Windows and C:D z/OS when going through SSP.
Resolution: Now explicitly specify the ISO-8859-1 character set for "bytes to string" and "string to bytes".

RTC508526/IT16700 (CM) - Allow CM Admin to control locked account msgs
After SSP3430 iFix 1, the CM user is notified when its account is locked.
Resolution: Added a check box in the SSPCM System Settings tab to allow the Admin to indicate whether a CM user should be notified of a locked condition.

RTC508872/IT16456 (Engine) - SFTP public key auth failures cause locked accounts sooner in SSP3430.
When the "Key or Password" authentication policy is used in SSP's SFTP adapter and a user's key is invalid, the account gets locked after one failed password attempt. The public key authentication failure is recorded twice, causing one subsequent failure of a password attempt to lock the account for SSP's lockout period.
Resolution: Ensure the SSH User Key authentication failure is not counted twice.
Workaround: Raise the "User Lockout Threshold" from the default of 3 in the Credentials -> User Stores section of the CM. (This value is used whether or not the user account is in the SSP user store.)

RTC508898/ (Engine) - (CD) With CHECKPOINT and FASP=SSP; SUSPEND hangs session
Doing a CDZ PNODE to CDU SNODE PULL with a checkpoint interval (100K) and FASP=SSP, a Suspend from CDZ hangs the session. The last thing seen is CDZ sending an exception response with sense code 08240118 to CDU, then going into receive; after receiving all data and FMH80's buffered in SSP, the final receive waits for a response that never comes. Unable to flush the process, so CDZ must be shut down.
Resolution: The FASP connection was being closed prematurely when it should have waited for the LIC on the data. The code has been updated to do so.

RTC508901/ (Engine) - (CD) Submit process on Snode using FASP does not end session gracefully
The positive response from the SNODE to the PNODE after the FM7404 was not being waited on.
Resolution: Now wait on the positive response correctly.

RTC509062/IT16642 (PS) - (PS) Install issues with Windows service names
After SSP3430 iFix 1, the Windows Service name for the Remote Less Secure PS includes the local listen port number, and for the More Secure PS it includes the port number of the SSP to which the PS will connect. If more than one More Secure PS server is running on one host, pointing to the same port, the PS Windows service name will not be unique and will cause problems.
Resolution: To make the Remote PS Windows service name unique, the IP address of the host on which the PS listens (Less Secure PS) or the IP address of the SSP to which the PS connects (More Secure PS) is appended to the service name in addition to the port number. Example:
  PS name: IBM Sterling Perimeter Server V4.6.6.2 for SSP 3.4.3.0 on 3000 1.2.3.4
  Windows Service name: SSP_PerimeterServer_3000_1.2.3.4

RTC509910/IT16488 (Engine) - (CD) SSP3430 causing data overruns when inbound unencrypted, outbound secure.
With SSP3430 in front of a B2Bi CD server adapter, the CDSA may get a Java NullPointerException or IndexOutOfBoundsException when the C:D inbound session is unencrypted and the back end (outbound) node uses Secure Plus. When SSP encrypted the data from the inbound RU, it went beyond the negotiated RU size on the back end, causing the data overrun exceptions.
Resolution: Now properly break up the data from the unencrypted buffer into chunks which fit in the outbound RU, using multiple RUs as required.

RTC510313/IT16560 (CM,Eng) - (SFTP) Allow buffer lengths greater than 128K
Unable to upload files via SFTP if the client is using a buffersize > 128K. Customer attempting to connect from command line sftp with the larger buffer parm -B240000. The connection is ok, but during the upload the SSP Maverick toolkit gets an error. The Maverick log shows:
  com.maverick.sshd.Subsystem - Incoming subsystem message length 240043 exceeds maximum supported packet length 131328
  com.maverick.ssh.ExecutorOperationSupport - Caught exception in operation remainingTasks=0
  java.nio.BufferOverflowException
      at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0]
      at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0]
      at com.maverick.sshd.Subsystem.parseMessage(Subsystem.java:137)
Resolution: Now set the default allowed buffersize supported to be 256K. Override using the sftp.maxPacketLength property.
Note: Maverick toolkits were upgraded to SSHD 1.6.24 and J2SSH 1.6.22.
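RTC505702 above adds admin-configurable rules to the CM password policy: the set of allowed special characters and a cap on consecutive repeating characters. The following added Python example, which is not SSP code, shows a validator implementing those two rules next to a minimum length and a require-a-special rule; the policy values (minimum length 8, the allowed special set, at most 2 consecutive repeats) are constructed for the illustration and are not SSP's defaults.

```python
"""Added example: password-policy checks of the kind RTC505702 lets the SSP CM
admin configure (allowed special characters, consecutive repeat limit).
Not SSP code; policy values below are constructed, not SSP defaults."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8                      # assumed value
    allowed_specials: str = "!@#$%^&*_-"     # admin-chosen set (constructed)
    max_consecutive_repeats: int = 2         # "aa" accepted, "aaa" rejected
    require_special: bool = True


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def validate_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return every policy violation found (an empty list means accepted).
    Reporting all violations at once lets the user fix them in one attempt."""
    errors: List[str] = []
    if len(pw) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    # Any non-alphanumeric character counts as "special"; only those in the
    # admin's allowed set may appear.
    specials = [c for c in pw if not c.isalnum()]
    disallowed = sorted({c for c in specials if c not in policy.allowed_specials})
    if disallowed:
        errors.append("disallowed special characters: " + "".join(disallowed))
    if policy.require_special and not any(c in policy.allowed_specials for c in pw):
        errors.append("no allowed special character present")
    if longest_run(pw) > policy.max_consecutive_repeats:
        errors.append(
            f"more than {policy.max_consecutive_repeats} consecutive repeated characters")
    return errors


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Tr0ng-Pass", "Paaassw0rd!", 'Pa$$w0rd"x', "short"):
        print(f"{candidate!r}: {validate_password(candidate, policy) or 'accepted'}")
```

The checker deliberately reports on the password string only; the lockout behaviour discussed under RTC508872 is a separate counter on failed attempts and is not modelled here.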
RTC510634/IT16823 (Engine) - (SFTP) SCP presents a RC 1 after successful GET
When a file is downloaded from the SI SFTP Server Adapter through SSP using the command line scp command, the scp client reports a Return Code of 1 instead of 0 for success. The scp put operations return a 0 as expected.
Resolution: Made a change to SSP to close the connection properly so the command line scp client reports a 0 Return Code for "get" operations.

RTC510635/IT16815 (Engine) - (HSM) Certificates causing SSP0229E Exception
Customer has certificates stored in an HSM and is upgrading to SSP 3.4.3. When securing connections or sending data, getting java.lang.NoClassDefFoundError - com.sterlingcommerce.security.util.SCIHSMManager.
Resolution: Corrected SSP code and the PS jar file to properly reference the failing class.

RTC511154/IT16980 (Engine) - (CD) C:D adapter fails to send "Http Ping Response" string consistently
Customer using the HTTP ping response for the C:D adapter to streamline the communication with the load balancer. After upgrading to SSP3420 iFix 8 (or SSP3430 iFix 1), the response was not being sent to the load balancer consistently.
Resolution: SSP was closing the socket after writing the HTTP ping response before the PS got a chance to complete its work. Added a 200ms delay after writing the HTTP response before closing the socket.

RTC511478/RFE511476 (CM,Eng) - (SFTP) Force one line password prompt
When the SFTP adapter is configured with the "Key or Password" authentication mechanism, it was causing a multiple line password prompt to be displayed.
Resolution: Added support for a new property in the SFTP adapter Property tab. kb.single.password.prompt=false is the default and keeps a multi-line password prompt in keyboard interactive mode when using "Key or Password". Setting kb.single.password.prompt=true forces a one-line prompt.

RTC511666/IT17151 (CM) - Unable to invoke iKeyman on Solaris 10.
The IBM hybrid JRE on Solaris delivers ikeyman as a call to the native Java with a class to execute. However, if JAVA_HOME doesn't point to the IBM JRE, it gets "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman".
Resolution: Corrected the Solaris installers for SEAS, SSP, SSP_CM and PS to modify jre/bin/ikeyman so that it always invokes the installed IBM JRE.

RTC511903/IT17121 (Engine) - (SFTP) Slow upload speed via SSP on Solaris
SSP was not automatically using Solaris hardware encryption to speed up its crypto processing.
Resolution: Updated the installer to change the java.security file on Solaris to include the security provider for Solaris hardware encryption.

RTC511928/IT17359 (CM) - (HSM) Cannot delete old certificates in the CM HSM Keys list after upgrade
Certificates installed into HSM using pre-SSP3420 had a different provider than is supported with the new IBM toolkit.
Resolution: Updated the code to delete the old certificates successfully.

RTC512573/IT18260 (Engine) - HTTP connections fail with SSE0102E secure connection failures after upgrade to SSP 3.4.2
Starting in version 3.4.2, a change was made in SSP to make use of the IBM JSSE as a security provider for SSL instead of Certicom. Certicom used only one thread to process the events related to SSL handshakes. For the IBM JSSE, a thread pool was introduced for processing the events, along with a new local perimeter server property, perimeterServices.tlsDefaultThreadsPerAdapter=1, specifying the number of threads in the pool. However, the default value of 1 resulted in not having enough threads to handle even small spikes in TLS handshakes.
Resolution: Change the value of the local perimeter services property in /bin/perimeter.properties to perimeterServices.tlsDefaultThreadsPerAdapter=5.
RTC513206/IT17358 (CM) - SSPCM allows the password change step to be bypassed
   When the administrator sets a CM user's password for the first time or resets it, and the user is required to change the password initially entered by the admin, it is possible to bypass the mandatory password change and access the CM.
   Resolution: Locked down the access in the case of a required password change.

RTC513451/IT17846 (CM,Engine) - Updated to use Maverick sshd 1.6.27, j2ssh 1.6.23, common 1.6.11
   Resolution: Upgraded to newer Maverick toolkits to resolve several underlying issues.

RTC513984/ (Engine, SSPCM, PS and SEAS) - Enhancement to allow silent Installs for SSP, CM, PS
   InstallAnywhere Silent Install is a feature which allows for automated installs without questions and answers from the console. It can be used for repetitive installs at Customer sites. The administrator first does the product install in "record" mode, which builds an installation properties file for subsequent silent installs in "replay" mode.
   Resolution: The SSP Engine, CM, PS, and SEAS have all been updated to allow silent installs.

RTC514315/IT17373 (CM) - Import of CA trusted file with multiple certs or comments getting corrupted or rejected
   Customer imports a trusted.txt file that contains several CA certificates into the truststore (Credentials > Trusted Certificate Stores). The certificates import, but the Certificate Data window indicates only 1 of 1 certificates is imported, even though you are able to see the multiple BEGIN and END embedded certs. Also, trusted files with embedded comments before or after the BEGIN CERTIFICATE / END CERTIFICATE pairs were being rejected.
   Resolution: Updated the import logic to remove comments and blank lines during the import process and to process multiple certs in one file. Also updated the CM during startup to clean trusted files already loaded in the truststore.
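
   As an added illustration of what the RTC514315 import logic has to cope with (this is not SSP code), the following parser splits a trusted file into its BEGIN/END CERTIFICATE pairs, discards comments and blank lines around and inside them, and rejects unbalanced or non-DER blocks. The sample file and its dummy DER bodies are constructed.

```python
"""Parse a CA trusted file the way the RTC514315 fix describes: ignore comments
and blank lines, keep every BEGIN/END CERTIFICATE pair, reject broken files.

Added example, not SSP code. The sample file is constructed: two tiny DER
SEQUENCEs stand in for real certificates."""
from __future__ import annotations

import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class TrustedFileError(ValueError):
    """The file is structurally broken (unbalanced markers, bad base64, not DER)."""


def split_trusted_file(text: str) -> list[str]:
    """Return every certificate in `text` as a clean PEM block.

    Text outside a BEGIN/END pair (comments, the subject= / issuer= lines that
    openssl prints, blank lines) is discarded. Inside a pair, blank lines are
    dropped and the body must be valid base64 that decodes to a DER SEQUENCE
    (tag 0x30), which is what every X.509 certificate starts with.
    """
    blocks: list[str] = []
    body: list[str] | None = None        # None while outside a BEGIN/END pair
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line == BEGIN:
            if body is not None:
                raise TrustedFileError(f"line {lineno}: BEGIN inside an open block")
            body = []
        elif line == END:
            if body is None:
                raise TrustedFileError(f"line {lineno}: END without BEGIN")
            der = _decode_body(body, lineno)
            b64 = base64.b64encode(der).decode()
            blocks.append("\n".join([BEGIN, *_wrap(b64), END]))
            body = None
        elif body is not None and line:
            body.append(line)
        # anything else is a comment or blank line outside a block: ignored
    if body is not None:
        raise TrustedFileError("file ends inside an open BEGIN block")
    return blocks


def _decode_body(lines: list[str], lineno: int) -> bytes:
    joined = "".join(lines)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", joined):
        raise TrustedFileError(f"block ending at line {lineno}: non-base64 text in block")
    try:
        der = base64.b64decode(joined, validate=True)
    except binascii.Error as exc:
        raise TrustedFileError(f"block ending at line {lineno}: {exc}") from exc
    if not der or der[0] != 0x30:
        raise TrustedFileError(f"block ending at line {lineno}: body is not a DER SEQUENCE")
    return der


def _wrap(s: str, width: int = 64) -> list[str]:
    """Re-wrap base64 at the conventional 64 columns."""
    return [s[i:i + width] for i in range(0, len(s), width)]


def count_certs(text: str) -> int:
    """What the Certificate Data window should report as 'n of n'."""
    return len(split_trusted_file(text))


# Constructed sample, not a real partner file: the commentary mimics what
# openssl/keytool put around exported certs; the bodies are dummy DER.
_DER1 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()   # "MAMCAQE="
_DER2 = base64.b64encode(b"\x30\x03\x02\x01\x02").decode()   # "MAMCAQI="
SAMPLE_TRUSTED_TXT = f"""# Comment before the first cert
subject=CN=Constructed Root A
issuer=CN=Constructed Root A
{BEGIN}
{_DER1}

{END}

subject=CN=Constructed Root B
{BEGIN}
{_DER2}
{END}
# trailing comment after the last cert
"""

if __name__ == "__main__":
    for i, blk in enumerate(split_trusted_file(SAMPLE_TRUSTED_TXT), 1):
        print(f"--- certificate {i} ---\n{blk}")
```
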
RTC516359/IT18163 (Engine) - Deadlock/hang in failover code
   When Failover is set up in continuous mode and a more secure Remote PS is set up between SSP and the backend Server, if the backend Server goes down, it may result in a deadlock in the SSP Adapter threads. When the backend Server is active again, the SSP Adapter may not be accepting new connections, causing the engine to appear hung.
   Resolution: Modified the failover logic to avoid the deadlock. Note: RTC516359 is also internally called RTC524026.

RTC516459/IT17419 (CM) - The manageCSRs.sh script gets a NullPointerException when attempting to create a CSR
   The manageCSRs.sh script gets a NullPointerException after generating the private and public key and attempting to place it in the keystore.
   Resolution: Now set the default keystore provider to be the IBM JCE.

RTC517058/IT17567 (Engine) - *HIPER* FTPS passive data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3.
   After upgrading to SSP3420 or SSP3430, Secure FTP client sessions were hanging intermittently on data operations, such as directory listings, sending and receiving files. The TLS handshake was failing to start, causing a timeout. One Customer also experienced data corruption when using Filezilla as the FTPS client.
   Resolution: Fixed a race condition when opening the data channel and responding to the TLS handshake for the client.

RTC517621/IT17983 (Engine,PS) - Too many open file handles - lsof output
   Round 2 of the issue with sockets showing up as leftover and in an unusual state ("can't identify protocol") in lsof output after hours of running. This can lead to the PS running out of available "channels".
   Resolution: Updated the PS code (local and remote) to automatically close sockets which are detected to be in this unusual state.
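
   To watch for the RTC517621 symptom on a running system, the following added check (not PS or SSP code) parses lsof output, counts the sockets each process has in the "can't identify protocol" state, and reports the PIDs over a threshold. The lsof lines are constructed to look like lsof -n -P output and the threshold is an assumed site value.

```python
"""Detect the RTC517621 symptom from lsof output: sockets the kernel reports
as "can't identify protocol", counted per process.

Added example, not PS or SSP code. The lsof lines are constructed to look
like `lsof -n -P` output (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME);
the alert threshold is an assumed site value."""
from __future__ import annotations

from collections import Counter

UNIDENTIFIED = "can't identify protocol"

# Constructed sample: one engine JVM with three stuck sockets, a PS JVM with one.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
java    12345  ssp  cwd    DIR  253,0     4096 131074 /opt/ssp/bin
java    12345  ssp  117u  IPv4 987001      0t0    TCP 10.0.0.5:8443->10.0.0.9:51234 (ESTABLISHED)
java    12345  ssp  118u  sock    0,7      0t0 987002 can't identify protocol
java    12345  ssp  119u  sock    0,7      0t0 987003 can't identify protocol
java    12345  ssp  120u  sock    0,7      0t0 987004 can't identify protocol
java    23456  ssp   45u  sock    0,7      0t0 988001 can't identify protocol
java    23456  ssp   46u  IPv4 988002      0t0    TCP 10.0.0.5:2222->10.0.0.9:51235 (ESTABLISHED)
"""


def unidentified_sockets(lsof_text: str) -> Counter:
    """Map (command, pid) -> number of FDs in the "can't identify protocol" state."""
    counts: Counter = Counter()
    for line in lsof_text.splitlines()[1:]:        # first row is the header
        fields = line.split(None, 8)                 # NAME is the 9th field and may contain spaces
        if len(fields) < 9:
            continue
        command, pid, fd_type, name = fields[0], fields[1], fields[4], fields[8]
        if fd_type == "sock" and name.strip() == UNIDENTIFIED:
            counts[(command, int(pid))] += 1
    return counts


def processes_over_limit(counts: Counter, limit: int) -> list[int]:
    """PIDs whose stuck-socket count exceeds `limit` (assumed threshold), for alerting."""
    return sorted(pid for (_, pid), n in counts.items() if n > limit)


if __name__ == "__main__":
    c = unidentified_sockets(SAMPLE_LSOF)
    for (cmd, pid), n in sorted(c.items()):
        print(f"{cmd} pid {pid}: {n} unidentified sockets")
    print("over limit:", processes_over_limit(c, 2))
```
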
RTC518916/IT18164 (Engine) - CD "PNODE Host controls SSL Protocol" netmap setting fails in some circumstances
   When SSP is connecting to the real SNODE, specifying "PNODE Host controls SSL Protocol", and the real SNODE doesn't support TLS1.2 and has specified OVERRIDE=N, the handshake fails.
   Resolution: Now recognize that "PNODE Host controls SSL Protocol" is set and the adapter allows differing encryption levels, and attempt to do a handshake supporting all protocols with the SNODE. The SNODE then decides what it can and cannot do.

RTC519253/IT18066 (Engine) - (CD) Allow server only certificates for client authentication
   If Secure+ and client authentication are turned on for a CD PNode, and the node presents a certificate with "Netscape Cert Type: SSL Server" and does not also indicate an Extended Key Usage of SSL Client, the SSL handshake fails with CSP057E "exception in processing com.ibm.jsse2.util.j: Netscape cert type does not permit use for SSL client". This is an RFC restriction imposed by the IBM JSSE toolkit.
   Resolution: SSP is updated to allow SSL Server certificates for CD client authentication by default. A new property can be set in the CD adapter, AcceptServerOnlyCertForClientAuth, to override this behavior. Settings are:
      true     - (default) allow the handshake and produce message CSP998I to list the PNode and subject name of the certificate
      showcert - same as true, but also append the full certificate listing
      false    - reject the handshake with message CSP997E.

RTC519510/IT18176 (CM,Engine) - Do not enforce common name checking if CD client authentication not turned on
   The SSP CD adapter was failing PNode connections when common name checking was checked in the netmap, but client authentication was not.
   Resolution: Now ignore the common name checking flag during CD handshaking if the client authentication flag is not checked, and put out a warning message instead.
RTC519864/IT17988 (Engine) - 2 ciphers missing from supported ciphersuites list
   Two ciphers (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) were missing from the supported ciphersuites.
   Resolution: Added the ciphers to the supported ciphersuites.

RTC519966/IT18001 (CM) - Admin user can't be deleted in SSPCM
   After installing the SSPCM and adding a new user with Admin privileges, the Customer was unable to delete the original default "admin" account. The Customer's site security required removing the default account.
   Resolution: Corrected the code to allow deleting the "admin" account from another account with Admin privileges.

RTC520046/IT17985 (CM) - Unable to use custom channel name in the JMS configuration
   The Customer defined a custom channel name in addition to the default "", but the custom channel name was overridden by the default.
   Resolution: Corrected the code that was overriding the custom channel name so that it could be used to send messages.

RTC520758/IT18178 (CM) - Externalize delay for CD HttpPingResponse.
   When the SSP CD adapter is configured to accept HTTP pings, SSP writes the ping response and closes the socket before the PS gets a chance to complete sending the response to the load balancer.
   Resolution: Now add a 200ms delay after writing the HTTP response before going to final to close the socket. The delay can be adjusted with the CD Adapter property HttpPingResponseDelay=200 (default). The value is in milliseconds.

RTC521075/IT18187 (CM) - 2 special characters in CM password when special characters required
   When the SSPCM password policy was set to require a special character, the password was being forced to include at least two special characters.
   Resolution: Now only require one special character when the password policy is enabled with "must have special character".
RTC521499/ (CM) - (RESTAPI) HTTP Netmap import failing without truststore even though no client authentication
   When XML validation through XSD was added, some of the XSD files did not mark some tags as optional. This caused validation to fail, indicating tags were required when they were not.
   Resolution: Changed the XSD files to mark all tags as optional.

RTC521835/IT18266 (Engine) - (HSM) SecureRandom failures using HSM with CD
   CD sessions fail with "session.logic.engine not found in Parameters" when using the nCipher HSM. The HSM random number generator does not accept seeding.
   Resolution: Removed code which was attempting to seed SecureRandom during TLS connections when the key certificate is in the nCipher HSM.

RTC522699/IT18216 (CM) - Thousands of sockets in TIME_WAIT when JMS listener down
   After configuring SSP CM to publish messages to WebSphere MQ, the Customer found a huge number of sockets in TIME_WAIT status with the queue manager as destination and originating from the SSP CM. The excessive sockets used up file descriptors on their system.
   Resolution: Added logic to log JMS connection failures, and then added a 20 second delay between connection attempts to limit the growth of sockets when the JMS queue is down.

RTC522918/ (Engine) - Include content-length header in CD Health check ping response
   The CD health check ping response always specified HTTP 1.0 and included no content-length header.
   Resolution: Now include a content-length header in the CD HTTP ping response, and if the CD adapter property "ping.response.http.1_1=true" is set, an HTTP 1.1 response will be sent.

RTC523287/IT18529 (Engine) - SEAS-Agent timeouts are hanging other SFTP Adapters including ones not dependent on SEAS
   SFTP sessions which go through SEAS and hang during a logoff operation can cause sessions on other SFTP adapters which do not use SEAS to hang.
   Resolution: Placed the logic for doing SFTP logoffs in a separate thread pool so that they do not hold the EventServiceImplementation lock while doing the logoff operations.

RTC523578/ (Engine) - (HSM) CD Protocol unable to use keycert in HSM
   The C:D protocol was unable to use a key/certificate stored in the HSM, getting CSP900E Logged Exception : no valid keycert found - exception.
   Resolution: Added the logic to correctly handle referencing keycerts in an HSM device when using the C:D protocol.

RTC524219/IT18552 (Engine) - *HIPER* CD failures after upgrade to SSP3420 iFix 9 or SSP3430 iFix 2
   When upgrading to SSP3420 iFix 9 or 3430 iFix 2, the old Certicom SSL Context values from SSP3418 were not properly converted to IBM JSSE SSL Context values. This caused java.security.NoSuchAlgorithmException - TLS1-ONLY SSLContext not available on CD transfers.
   Resolution: Now convert the old Certicom SSL Context values to the IBM JSSE SSL Context values during CD SSL handshaking.
   Workaround: Do a Save in the GUI on the affected netmap node(s) to assign the correct TLS protocol setting.

RTC524274/IT19027 (Engine) - (HSM) FTPS not working with HSM certificates after upgrading from 3.4.1.7 to 3.4.3
   The key certificate alias in the HSM was mixed case and was not succeeding during the TLS connection in the SSP FTP adapter.
   Resolution: Now normalize the key certificate alias to lower case before attempting the TLS connection.

RTC524639/RTC538332 (Engine) - Bad format in one user auth key keeps SFTP adapters from coming up
   The SFTP adapter does not start if there is an error loading any of the known host keys or authorized user keys.
   Resolution: Now log the failing key name with message SSE2727 and continue to load the other valid keys and start the SFTP adapter.

RTC524897/IT18695 (Engine) - 100% CPU in Maverick toolkit after a few days
   Customer found that his engine was reaching 100% CPU after several days. A javacore showed that there were several threads looping in Maverick code.
   Resolution: Updated the Maverick toolkits to SSHD 1.6.30 and J2SSH 1.6.25.

RTC525081/IT18698 (Engine) - Numerous Maverick NullPointerExceptions in systemout.log after SSP3420 iFix 9
   The fix for RTC523287 introduced a new thread to handle SFTP logoffs. However, it attempted to reference a Maverick Connection object which had become stale. Since the NPE happened after the client had disconnected, it had no effect on transfers, etc.
   Resolution: Now get the information from the Maverick Connection object before invoking the SFTP logoff thread.

RTC525304/ (Engine) - Performance test fails for HTTPS and FTPS
   Resolution: Changed the default values for the following two properties in the local perimeter.properties file, based on a recommendation from the SI team after performance testing with SSP.
      perimeterServices.outboundPipeCapacity=10 (was 2)
      perimeterServices.serverConduitCapacity=10 (was 2)

RTC525585/IT18998 (CM) - HTTP netmap inbound logging level reset to NONE if Routing Node tab selected
   If the user sets a value for the logging level in the HTTP Netmap Inbound Advanced tab and then navigates to the Routing Node tab, the logging level is reset back to NONE.
   Resolution: Now save the logging level value before navigating away from the Advanced tab.

RTC525694/IT18971 (CM) - Large certificate serial number appears incorrectly within SSPCM
   A certificate with a serial number larger than the maximum integer value (2G) was not being displayed correctly.
   Resolution: Now format the display of the certificate serial number using the BigInteger object type, which handles numbers larger than maxint.

RTC525887/ (Engine) - FTPS data channel hangs when CEU is back end
   Running Secure FTP with Connect:Enterprise for UNIX as the back end FTP server, the data channel can hang waiting for the TLS handshake when in PASV mode. The CEU was placed behind SSP to assist in migrating to Sterling File Gateway using Single Signon and Dynamic Routing.
   Resolution: Now determine if the back end server is CEU and automatically adjust the timing of when to start the TLS handshake for the data channel on the back end. If the CEU is not recognized, the parameter bypass.wait.for.data.channel=true can be added to the FTP adapter properties to force this behavior.

RTC525909/ (Engine) - Error messages "peer not authenticated" in load test logs for C:D sessions
   In our local testing there were numerous "peer not authenticated" error messages in the C:D logs, although the sessions completed normally. If the sessions were configured to require client authentication by the PNode, the messages were not produced.
   Resolution: Now bypass emitting the message if the PNode is not configured to do SSL client authentication.

RTC525956/ (Engine) - SFTP concurrency test produces a number of NPEs
   Our concurrency load testing was turning up numerous NullPointerExceptions in BackendSftpSubsystem.java, after RTC523287 and RTC525081.
   Resolution: Now serialize the usage of the session object to eliminate the NPE.

RTC526163/ (Engine) - Avoid erroneous PASV response from server
   When an FTPS client starts a data operation without waiting for the previous command to complete, the PASV response from the back end server can be sent directly to the client, disclosing the IP information of the internal system.
   Resolution: Now detect when a PASV response is being returned when not in passive mode and terminate the session with an internal error.

RTC527009/IT19026 (Engine) - FTPS client connects, but LIST command delayed
   In some situations, the FTP LIST command takes a long time to finish when testing with WS-FTP. The time it takes seems to match the FTP Adapter session timeout in SSP. A NullPointerException was causing the data channel to not be closed properly.
   Resolution: Changed the code to avoid the NullPointerException during the data channel operation.
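
   The check that RTC526163 describes, as an added example that is not SSP code: a control-channel guard that tracks which client commands still await a reply and refuses to relay a 227 "Entering Passive Mode" reply that arrives while the proxy is not in passive mode, since relaying it would expose the back end's address. The proxy model (a pending-verb queue, a 421 sent to the client on abort) is an assumption and the FTP exchange is constructed.

```python
"""Guard against the RTC526163 leak: a 227 "Entering Passive Mode" reply that
reaches the client when the proxy is not in passive mode discloses the back
end server's address and port.

Added example, not SSP code. The proxy model (a queue of client verbs still
awaiting a reply, a 421 sent to the client on abort) is an assumption; the
control-channel exchange below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class ControlChannelGuard:
    """Tracks which client commands are still awaiting a back end reply."""
    pending: list[str] = field(default_factory=list)
    terminated: bool = False
    log: list[str] = field(default_factory=list)

    def client_command(self, line: str) -> str | None:
        """Client -> proxy. Returns the line to forward to the back end, or None."""
        if self.terminated:
            return None
        self.pending.append(line.split(" ", 1)[0].upper())
        return line

    def server_reply(self, line: str) -> str | None:
        """Back end -> proxy. Returns the line to forward to the client, or None."""
        if self.terminated:
            return None
        code = line[:3]
        if not code.isdigit() or line[3:4] == "-":
            return line                     # multi-line reply continuation, not the final line
        expected = self.pending.pop(0) if self.pending else None
        m = PASV_REPLY.match(line)
        if m is None:
            return line
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if expected != "PASV":
            # A 227 we did not ask for: relaying it would hand the client the
            # internal host:port, so end the session with an internal error.
            self.log.append(f"unexpected 227 while awaiting {expected!r}: would expose {host}:{port}")
            self.terminated = True
            return "421 Internal error, closing control connection."
        # Legitimate passive reply; a real proxy rewrites host:port to its own
        # listener here, which this example leaves out.
        self.log.append(f"passive data channel at {host}:{port}")
        return line


def run_exchange(events: list[tuple[str, str]]) -> ControlChannelGuard:
    """Drive the guard with ("C", line) / ("S", line) events; returns the final state."""
    g = ControlChannelGuard()
    for side, line in events:
        g.client_command(line) if side == "C" else g.server_reply(line)
    return g


# Constructed: after a normal PASV/227 pair the client issues TYPE without
# waiting, and the back end emits a second, stale 227 out of sequence.
SAMPLE_EXCHANGE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,1,2,3,195,80)"),
    ("C", "TYPE I"),
    ("S", "227 Entering Passive Mode (10,1,2,3,195,81)"),
    ("C", "LIST"),                       # ignored: the session is already terminated
]

if __name__ == "__main__":
    guard = run_exchange(SAMPLE_EXCHANGE)
    print("\n".join(guard.log), "\nterminated:", guard.terminated)
```
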
RTC527283/IT19153 (CM) - SSP 3.4.3 CM in Windows Uninstall shows Version 3.4.2.0; 'Help' points to v3.4.2 content
   The SSPCM v3.4.3 'Version' column information in Windows 'Programs and Features / Uninstall a Program' shows 3.4.2.0. The "IBM Sterling Perimeter Server V4.6.6.2 for SSP 3.4.3.0" shows a version of "4.6.6.0". Also, the SSPCM 3.4.3.0 'Help' links were all pointing to 3.4.2 content.
   Resolution: Updated the InstallAnywhere installer to properly set the version information for the SSPCM and SSP PS. Updated all the SSP3430 Help links to point to SSP3430 URLs.

RTC527354/IT19159 (CM) - TLS1.2 is not negotiating when FIPS mode ON
   When running the SSP Engine in FIPS MODE, the HTTP and FTP adapters will not allow a TLS1.2 handshake. It works ok when FIPS mode is OFF.
   Resolution: Updated SSP to allow TLSv1.1 and TLSv1.2 under FIPS mode.

RTC527355/ (CM,Engine) - SSP CM not PUSHing configured SSH Local User Keys to SSP Engine
   In some situations, the SSP CM was not pushing the SSH local user keys to the SSP Engine.
   Resolution: Now correctly push the SSH local user keys to the SSP Engine.

No Defect (Engine) - Additional KQV values for C:D FM71 - ZEDC
   Resolution: New KQV values for the Connect:Direct FMH71 are added for ZEDC support to avoid error messages when unknown values are encountered. The following values are added: "ZEDR", "ZEDS", "ZEFR", "ZEFS", "ZERR", "ZERS", "ZWIN", "ZWIR", "Z15R", "Z15S", "ZIFR", "ZIFS", "ZBFR", "ZBFS", "ZEHR", "ZEHS", "ZEIR", "ZEIS", "ZIIR", "ZIIS", "ZIJR", and "ZIJS".

RTC528288 (CM) - Allow space char at end of SFTP password prompt
   For password prompt overrides in the SFTP adapter, e.g. kb.pwd.prompt or kb.sec.code.prompt, any space character at the end of the prompt would be stripped.
   Resolution: Now allow the space character to be specified by spelling out the unicode value for a space: \u0020.
RTC528506/ (Engine,CM) - Remove/rename seas.log from CM, engine
   The seas.log is unused in the CM and does not have anything to do with SEAS in the engine.
   Resolution: Remove the seas.log from the CM log directory. Rename seas.log to sspengine.log in the Engine log directory so it may be used to log access to the engine from the SSPCM.

RTC528659/IT20207 (Engine) - SSP restarted due to OOM errors
   The SFTP session config objects were not consistently getting disposed of and were causing a memory leak, resulting in a Java OutOfMemory exception.
   Resolution: Now properly dispose of the session config object at the end of each session.

RTC528702/IT19672 (CM,Engine) - Install failure causes secure protocols to fail after upgrade
   Customer had security software on their Linux box which prohibited running the InstallAnywhere scripts out of the /tmp directory. InstallAnywhere silently failed to copy the JRE libraries that we need to do unlimited strength security.
   Resolution: Updated InstallAnywhere to check the return code from the "CopyJreLib files" step and put out a message panel to let the installer know they should set 2 environment variables and restart the installation to ensure that the InstallAnywhere scripts can run in their work directory.
   Workaround: Prior to running the install, set the following environment variables to point to a work directory other than /tmp (for example, $HOME):
      export IATEMPDIR=
      export TEMPDIR=

RTC529443/IT19491 (Engine) - SFTP adapter won't come up when HSM is enabled.
   The SFTP adapter will not start when HSM is enabled in security.properties.
   Resolution: Updated the SFTP toolkit API (Maverick) to use IBMJCE for algorithms handling the SSH private key.

RTC529446/IT19332 (Engine) - Unable to use HSM keystore without password
   The SSP engine was not able to access the nCipher HSM when the HSM keystore password was set to blank.
   Resolution: Now initialize the HSM interface with proper values for blank/null passphrases.
RTC529453 (CM) - Ship a separate security.properties for SSP CM
   Resolution: Ship a separate copy of bin/security.properties for the SSP CM.

RTC529530 (CM,Engine) - (HSM) No longer ship setupHSM.bat or .sh and remove them if they exist.
   The setupHSM script is no longer valid to run, as all the support for HSM is contained in the IBM JRE.
   Resolution: The setupHSM.bat or .sh scripts are no longer shipped, and are removed at upgrade time with an InstallAnywhere post-install step.

RTC530844/IT19443 (Engine) - (CD) Allow client-only certs in server authentication.
   This is similar to RTC519253/IT18066 for server-only certificates after an upgrade from SSP341x. If Secure+ is turned on for a CD SNode, and the node presents a server certificate with an Extended Key Usage of SSL Client, the SSL handshake fails with CSP057E "exception in processing com.ibm.jsse2.util.j: Netscape cert type does not permit use for SSL server". This is an RFC restriction imposed by the IBM JSSE toolkit.
   Resolution: SSP is updated to allow SSL client certificates for CD server authentication by default. A new property can be set in the CD adapter, AcceptClientOnlyCertForServerAuth, to override this behavior. Settings are:
      true     - (default) allow the handshake and produce message CSP998I to list the SNode and subject name of the certificate
      showcert - same as true, but also append the full certificate listing
      false    - reject the handshake with message CSP997E.

RTC530859/IT19451 (Engine) - (CD) Accept "TLS" and change to "TLSv1"
   Some configurations from older levels of SSP contain "TLS" as the protocol to be used for the C:D netmap. "TLS" is not a valid protocol in the IBM JSSE; "TLSv1" is the correct name for version 1 of TLS.
   Resolution: Updated the code on the engine to recognize "TLS" and convert it to "TLSv1".
   Workaround: Do a Save in the GUI on the affected netmap node(s) to assign the correct TLSv1 protocol setting.
RTC531365/IT19649 (CM) - SSPCM users unable to change password after upgrade
   SSP CM users were unable to successfully perform a password change when the SSP CM was upgraded from a version previous to 3430. A new string for specifying which special characters to allow in a password was not being populated during an upgrade, and users got the message "password must contain these special characters null".
   Resolution: Added logic for the SSP CM during startup to validate and correct password policies that have "mustContainSpecialCharacter" set but no default special character string set.
   Workaround: Simply save the password policy in the GUI, and it will self-correct.

RTC531976/IT19734 (Engine) - SFTP sessions fail when HSM is enabled
   When HSM is turned on in the SSP Engine, the IBMPKCS11Impl provider is added ahead of the IBM JCE in the Java security provider list, which causes SFTP sessions to fail.
   Resolution: Now ensure that we use the IBM JCE for certain ciphers like the DH key exchange.

RTC532302/IT19647 (CM) - REST: Don't require truststore for http inbound node if client auth is not enabled
   When using the SSP REST APIs to update an HTTP netmap with security enabled, an error is thrown if the HTTP inbound node does not specify a trust store, even when client auth is not enabled.
   Resolution: Updated the REST validator to not require a trust store name when client auth is not enabled for HTTP inbound nodes.

RTC532854/IT19863 (CM) - REST API unable to use TLS1.2 to SSP CM Web
   Customer updated their SSPCM Web server to use the TLS1.2 protocol, but then the REST API would not connect to it.
   Resolution: Corrected the SSP REST API connections to use whatever protocol (SSLv3-TLS1.2) the SSPCM is configured to use. Prior to this fix, only the TLSv1 protocol could be used.

RTC533058/ (CM,Engine) - Shutdown scripts hang with JRE 1.8 on AIX
   The delay was caused by getRandom not getting enough entropy to initialize the seed value for the random number generator.
   Resolution: Set securerandom.source=file:/dev/random in the java.security file. This accesses the default random source on unix platforms and it works with no delay.

RTC533345/ (Engine) - (CD) Session fails because "End user tried to act as a CA"
   A CD node was sending an old 1999 Entrust root CA in their certificate chain during the SSL handshake. The certificate used the old NetscapeCertType [SSL CA; S/MIME CA; Object Signing CA] extension instead of the newer BasicConstraints:[CA:true ...] extension. The IBM JSSE toolkit was ignoring the Netscape extension and rejected the certificate with javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: End user tried to act as a CA.
   Resolution: Back in RTC530844, SSP was updated to allow Customers to bypass a certificate exception by including a portion of the exception message in a new adapter property, "AcceptClientServerText". The Customer added this property to their CD adapter to allow this old root CA: "AcceptClientServerText" = "End user tried to act as a CA" (case sensitive, without the quotes). The engine required a restart for the adapter to pick up the change. This defect updated our trust manager code to print out the exception text if the certificate is about to be rejected.

RTC533482/IT20234 (Engine) - CD transfers not working with SSLv3
   Customer has a legacy CD partner which still uses the SSLv3 protocol. However, SSLv3 was not working because the protocol specification was being passed to the IBM JSSE as uppercase "SSLV3" instead of "SSLv3", which the JSSE requires.
   Resolution: Now pass the correct "SSLv3" protocol to the JSSE when the netmap node definition is "SSLv3" or "PNode Controls the SSL protocol". Note: Since SSLv3 is disabled by default, see the notes for IT07375 to allow it to work for a legacy partner.
RTC533580/ (CM) - REST unable to import exported configurations
   Several errors have been exposed in the SSP REST API validation when users export their entire configuration with "export entity=sspCMConfigs" and then attempt to import the same file back in. Problems found:
      o C:D Netmap: Common Name checking didn't allow blanks in names
      o C:D Netmap: Verify Common Name required client auth to be enabled
      o C:D Netmap: Old Certicom protocols rejected (TLS1-ONLY and TLS)
      o C:D Netmap: Node names not allowed to start with a dash "-"
      o C:D Netmap: Nodes rejected without the ACLOutboundRequired xml tag
      o KeyStore Certificates: old "templateNames" keyword mis-handled
      o KeyStore Certificates: Was rejecting expired certificates
      o CM Users: Only the role of "admin" was accepted
      o sysSslInfo: Validation required a list of cipher suites
      o Error messages needed to be improved to aid in problem determination
   Resolution: Corrected the above issues so that exported configurations can be imported again via the REST API.

RTC533680/IT20027 (Engine) - RU size negotiated to 16259 when using Secure+ on one CD node and non-secure on the other.
   C:D Windows and C:D UNIX put SSLB=fals in their FM68 when establishing a non-secure connection. This indicates that SSL blocking cannot be used to add multiple SSL buffers into a single RU. SSP only adds SSLB=true when the SSLB keyword is not present in the FM68.
   Resolution: Now recognize when SSLB=fals is sent from a non-secure node and change its value to true on the SNode side so that SSL blocking can be done on the secure side.

RTC533801/ - Upgrade to Java 1.8 for Java January 2017 security fixes
   Resolution: Upgrade to IBM JRE 1.8 SR4.1 to take advantage of the improved security features. This level of JRE addresses several Java vulnerabilities documented in the Security Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22001966
   ACTION: Java 1.8 will not install on Redhat 5.
   See this web page for the list of supported platforms: https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.lnx.80.doc/user/supported_env_80.html
   ACTION: Disables Triple-DES (3DES_EDE_CBC) and DES ciphers. If your site is using TLSv1 and above, there is no need for 3DES, since AES ciphers are available. However, if you still have trading partners who have not switched to TLS* protocols and need to keep the SSLv3 protocol, you must retain the 3DES cipher as well, as AES ciphers do not work with SSLv3. To allow SSLv3 and 3DES do the following:
      1) Edit the /jre/lib/security/java.security file and change the following line from
            jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede
         to
            jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768
      2) You must also add the -Dcom.ibm.jsse2.disableSSLv3=false java parm to the engine startup parms. See the writeup for IT07375 in this fixlist for instructions.
   Note that the new Java 1.8 contains the following new parameters in the ./jre/lib/security/java.security file. See that file for additional comments.
      # IBMJCE and IBMSecureRandom SecureRandom seed source.
      securerandom.source=file:/dev/urandom
      securerandom.strongAlgorithms=SHA2DRBG:IBMJCE
      # Controls compatibility mode for the JKS keystore type.
      keystore.type.compat=true                                   (allows JKS or PKCS12 format)
      jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
          DSA keySize < 1024                                      (DSA keysize parm added)
      # Algorithm restrictions for signed JAR files
      jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024          (all new)
      # Algorithm restrictions for SSL/TLS processing
      jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede
                                                                  (Note: Disabling 3DES_EDE_CBC, DESede is new for this release)
      # Legacy algorithms for SSL/TLS processing (used as last resort)
      jdk.tls.legacyAlgorithms                                    (New in 1.8, but not configured)
      # Policy for the XML Signature secure validation mode.
      jdk.xml.dsig.secureValidationPolicy=\
          disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
          disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
          disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
          disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
          maxTransforms 5,\
          maxReferences 30,\
          disallowReferenceUriSchemes file http https,\
          minKeySize RSA 1024,\
          minKeySize DSA 1024,\
          noDuplicateIds,\
          noRetrievalMethodLoops

RTC533907/ (Engine,CM) - InstallAnywhere on Windows shows ERROR: Failure in the CopyJreLib step
   After installing the fix for RTC528702, Windows installs were showing an install step of "ERROR: failure in the CopyJreLib step". There was no actual failure; it just looked like one.
   Resolution: Changed the title of the panel from "ERROR: failure in the CopyJreLib step" to "JreLib Copy Check" and moved the "ERROR:..." down into the body of the panel. The panel should not show up unless there is an error in the CopyJreLib step.

RTC534003/IT19950 (CM) - Error when executing configureCmSsl.sh
   The Customer wanted to limit the number of ciphers available for the CM. However, the ./configureCmSsl.sh -u cmCiphers=... command was getting ***Invalid value for cmCiphers: java.lang.NullPointerException and the ./configureCmSsl.sh -u webCiphers=... command was getting ***Invalid value for jettyCiphers: java.lang.NullPointerException.
   Resolution: Moved the call to parse arguments in configureCmSsl to happen after all the relevant objects have been initialized.
   Workaround: Add the protocol cmSslProt=TLSv1.2 (or TLSv1, TLSv1.1) to the configureCmSSL.sh command.

RTC534483/IT20590 (Engine) - SFTP adapter policy (password+key) doesn't report failed logon attempts
   When the SFTP Policy of Key AND Password auth is used, audit messages related to key authentication success and failure are not logged.
   Resolution: Now generate audit log messages for key auth failure/success when Key & Password auth is used.
RTC534665/IT20206 (Engine) - Invalid CD copy step causes NPE in validation
   C:D Windows was somehow generating a process where the COPY step did not contain a destination file name (DDSN in XDR). When SSP attempted to validate the FMH71, it got a NullPointerException in PasCdCbDelegate.getLocalCBType().
   Resolution: Now detect the missing file name and throw a new FmhLogicException with message "CDSP099E CCB did not validate - missing source/destination file name".

RTC535210/ (Engine) - RAS Enhancement - Add new switches for heap dumps and SSL debugging
   Reliability/Availability/Serviceability (RAS) enhancement to the startEngine.sh and startEngine.bat scripts.
      1) By default, capture heap dumps also when asked for a user javacore dump.
      2) Add Java SSL Debug parms (# Z=...) so they can be uncommented and used.
      3) Create /bin/startEngine.log with one line per startup for history.

RTC535333/ (Engine,CM) - Data Collector updates
   Customers are asked to run the data collector scripts (runEngineDataCollector(.sh/.bat) and runCMDataCollector(.sh/.bat)) when opening a PMR to gather common information which can help with problem resolution.
   Resolution: Added additional artifacts to the default collection:
      - Full recursive listings of install directories
      - More complete gathering of property files
      - Optional parm "includeDumps" which pulls any dumps from today
      - Optional parm "includeConfigs" which dumps the Customer's configs

RTC535517/IT20520 (Engine) - Error on first block when enabling data encryption
   When decrypting and encrypting data during Secure Plus sessions, the session may fail and the SNode report "MSST=The buffer to hold the data is too small. Length=4." Encrypted data, when decrypted and re-encrypted for the outbound side, can be larger than the negotiated RU size.
   Resolution: Now ensure that the decrypted data for the outbound side will fit into the RU. If not, split the data into two RUs.
RTC536410/ (Engine) - Spurious RejectedExecutionExceptions in log during load testing During internal load testing after applying RTC536506, discovered that there were still RejectedExecutionExceptions in the log. When we added code to call logoffUser() on disconnect event on a ThreadPoolExecutor, the eventlistener was getting called even after the sftp adapter was shutdown, resulting in java.util.concurrent.RejectedExecutionExceptions being thrown. Resolution: 1. Catch the RejectedExecutionException and log an error msg. 2. Remove the event listener from the EventServiceImplementation instance when the adapter is taken down. 3. Ignore the disconnect event if the connection does not pertain to this sftp adapter (i.e. when more than one sftp adapters defined for the engine). RTC536506/IT20338 (Engine) - SFTP maverick log getting numerous exceptions for each SFTP logoff. After applying RTC523287 in SSP3430 iFix 2 Plus, the Maverick log was getting flooded with numerous exceptions with every SFTP logoff. Exception from event listener java.util.concurrent.RejectedExecution- Exception - rejected from java.util.concurrent.ThreadPoolExecutor. The problem happened after the SFTP adapter was brought down and back up. Restarting the engine clears the problem. Resolution: Now close the SFTP adapter's event listener whenever the adapter is taken down and create a new one at adapter startup. RTC536899/ (CM) - SSP REST API import errors detected Cleaning up several errors encountered during REST imports: 1) ERROR ObjectFactory - unexpected element (uri:"", local:"sftpPolicyDef"). 
   Expected elements are <{}ftpPolicyDef>
2) ERROR SSPGUIAgent - Exception : GUIException: SYST039E SessionId: 1 - Error Validting System Settings: defSslInfo; Validation of keystore failed: Keystore was tampered with, or password was incorrect
3) Problem importing passwords in netmap entries for ftp, http and sftp
Resolution: Corrected the SFTP, keystore, and password issues encountered during REST API imports.

RTC536951/IT20749 (CM) - Hashed password returned in CM display
When logged into the CM and accessing the local or CM user stores at SSPCM->System->CM Users or SSPCM->Credentials->User Store->defUserStore, a View Frame Source operation will show the hashed password value for a user. The value is not readily usable.
Resolution: Now mask the password values when returning them to the CM GUI, but allow them when returning to the REST API.

RTC537305/IT20816 (Engine) - SSP Engine OutOfMemory (OOM) exception when CD adapter gets out of sync with local PS
In some situations, when the connection between SSP and the outbound Perimeter Server (PS) is lost and restored, the CD proxy adapter can think that its listener is down, while the local inbound PS is still accepting connections on its behalf and queueing them up. No useful work is done by the CD adapter. If the situation goes undetected, the load balancer health check pings can lead to a build-up of connection objects and eventually cause the OutOfMemory exception. Another symptom is the CD adapter hung in "Waiting on connection to the PS server" state at startup.
Resolution: Improved the startup of the CD adapter as well as the recovery of the listener after an outage event on the outbound side.

RTC537525/IT21212 (CM) - configureCmSsl script gets error - No supported private key marker found in PEM stream
When running the configureCmSsl.bat -r command to restore to factory settings, it can get ***No supported private key marker found in PEM stream.
Resolution: Added better logic to determine if the keycert is in PEM or PKCS12 format.

RTC538591/IT20896 (CM) - Error accessing certificates in the trusted keystore after upgrade from 3.4.1.8
After SSP3420, the SSP CM could not import into the trusted store if the certificates had a private key embedded, and certificates currently in the truststore could not be seen.
Resolution: Now ignore any embedded private keys during an import to the truststore by focusing only on what is between the BEGIN CERTIFICATE/END CERTIFICATE pairs. At CM startup, remove private keys from existing public keys in the Trusted Certificate Store so the IBM JCE toolkit can process them.

RTC538758/IT20889 (Engine) - Avoid NPE when SFTP adapter shut down
An SFTP session can get a NullPointerException (NPE) when the SFTP adapter is stopped. Any session just starting that requests a back end session will get a null object, and an NPE.
Resolution: Now ensure when requesting a back end session that it is non-null before attempting to write to it. If not, return an error message instead of a NullPointerException.

RTC538773/IT21115 (Engine) - (Failover) EAProxy deadlock due to method serialization
When multiple adapters are using SEAS and are also configured for failover detection, a deadlock can occur in the EA_Proxy class due to synchronization at the method level in the timer task.
Resolution: Updated the EA_Proxy failover code to no longer synchronize at the method level, but instead synchronize on 2 local objects to ensure that no deadlocks occur.

RTC539383/IT20879 (CM) - Unable to see all the trusted certificates in Netmap > Outbound > Security
The SSP CM did not recognize public certificates without embedded PEM linefeed delimiters. The Customer had a certificate which was delimited with spaces instead of the linefeed character.
Resolution: Now strip the incoming certificates and internally reformat them into linefeed-delimited PEM format.

RTC540353/IT20845 (CM) - RestAPI import failed with ERROR SspCMConfigService - sysGlobalsDef Host required
The Customer defined a new JMS configuration in CM->System->System Settings and left the default auditLogJmsConfig configuration (which has no host information). After doing a REST export of entity=sspCMConfigs, the import operation got the above failure because there was no hostname in the auditLogJmsConfig definition.
Resolution: Now validate the JMS configs only when referenced elsewhere in the configuration.

RTC540861/IT21120 (PS) - PS upgrade fails to replace JRE when jre directory is owned by another user/group
The Customer had changed the ownership of the /jre directory prior to doing the PS install/upgrade. The JRE was not updated, and no error messages were written.
Resolution: Corrected the PS installer to recognize that an error occurred and report it.

RTC541553/ (CM,Engine) - Factory cert expiring December 1, 2017
The Sterling Secure Proxy (SSP) factory certificate that comes with the product expires December 1, 2017 at 10:54 PM EST. The factory certificate is shipped as the default certificate for the secure connections to the SSP Configuration Manager (CM) GUI and between the SSP CM and the Engine. Similar to replacing the "admin" userid which is shipped with the product, the factory certificate is intended to be replaced by the Customer once the product is up.
ACTION: If you are still using the factory certificate for the CM and the Engine you need to replace it before December 1, 2017. Failure to do so will result in the SSP CM being unable to push new configurations to the Engine and users being unable to log in to the CM. The following link is to a knowledgebase article with instructions for checking whether you are still using the factory default certificate and, if so, how to replace it with your own. If you still need assistance with replacing the factory certificate please open a new PMR.
http://www-01.ibm.com/support/docview.wss?uid=swg22004773
Resolution: For NEW installs (not upgrades), the default factory certificate has been updated with one that expires in the year 2037.

RTC542091/IT21139 (CM) - (CD) Include all ciphers for PNODE Controls
When configuring a CD netmap node with "PNODE Host controls SSL Protocol", ciphers with SHA256 and SHA384 are not shown.
Resolution: Now include all the ciphers from the CD TLS1.2 list in the "PNODE Host controls SSL Protocol" list. Similarly, for the FTP and HTTP protocols, the list for the "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" selection has been reworked.

RTC542503/IT21213 (CM) - (REST) Add more information to error message when importing SSH KeyDef
During a REST API import of an SSH KeyDef, a particular key was failing to validate, but there was nothing in the cms.log file which would point to which key was failing.
Resolution: Improved the error message from the REST API to report which SSH key is failing to import properly.

RTC542640/IT21204 (CM,Engine,PS) - Turn off world-writable files
The Customer has a requirement that no files be created with write privileges for all users (i.e. UNIX "Other" ......RW.). By default, the JRE creates a temporary directory under /tmp/.com_ibm_tools_attach for monitoring programs to attach to (e.g. Dynatrace). One file based on the pid, called attachNotificationSync, has permissions of -rw-rw-rw-.
Resolution: Added -Dcom.ibm.tools.attach.enable=no to all scripts associated with SSP, SSPCM, PS, and SEAS so that these world-writable files are no longer created.
ACTION: If you use third party monitoring tools to monitor SSP or SEAS, you may need to change to -Dcom.ibm.tools.attach.enable=yes in the startup scripts.

RTC542811/IT21439 (Engine) - SFTP with zlib compression is not working
SFTP with zlib compression has not been working since SSP3418. The session connects and gets SshException: com.jcraft.jzlib.ZStream [java.lang.NoClassDefFoundError].
Resolution: Now include the jzlib-1.1.3.jar file in the distribution so that our Maverick SFTP toolkit can call the zlib compression utilities. Build 154 updated to include the jzlib jar in the classpath when running SSP as a service under Windows.

RTC543000/IT21407 (Engine) - Option to roll over log files at midnight
The Customer needed a way to roll logs for archive on a daily basis.
Resolution: Made changes to allow a cron pattern in bin/log.properties and conf/log4j2.xml to control time based rollover. A sample of the setup is provided in the new bin/log.properties.install and conf/log4j2.xml.install files.

RTC544511/IT21482 (Engine,CM) - New protocol option for TLS1.0-1.2 only
The Customer's auditors did not like seeing a protocol selection which included SSLv3.
Resolution: Added a new choice for C:D, HTTP and FTP which includes "TLSv1, TLSv1.1 or TLSv1.2" without having to select the option "SSLv3, TLSv1, TLSv1.1 or TLSv1.2".

RTC544966/ (Engine) - (SFTP) Correct 5 second delay at the beginning of a session
The Customer noticed a 5 second delay at the beginning of each SFTP session that connected.
Resolution: Added a selector wakeup in the code before the channel registration with the selector to mitigate the delay.

RTC545321/IT21567 (CM) - (REST) Password corruption on HTTP netmap
HTTP Netmaps may contain passwords for outbound connections. However, the REST API code for updating the netmap stripped off critical information, causing the passwords to be corrupted.
Resolution: Updated the REST API to no longer strip off critical information when handling any Netmap entry.

RTC545688/IT21592 (Engine) - (CD) Common name can contain comma
If certificate common name matching was turned on for CD Secure Plus transfers, the comparisons would fail if the common name was the last field in the Subject or if it had a comma (,) in it. Legacy code was relying on the comma as a terminator for the CN= field in the certificate.
Resolution: Converted from legacy parsing to use the X500Name field built into Java certificate processing.

RTC545903/IT21596 (Engine) - (REST) Error loading C:D Adapter with EA PS
When a CD adapter is configured with a remote perimeter server (PS) for the External Authentication (EA) server, the REST API was erroneously marking it as invalid:
    Invalid value specified for perimeter server out name(psEA)
Resolution: Now correctly allow an EA PS definition in the CD adapter during REST API update.

RTC546159/IT21867 (Engine) - Error resuming an SFTP transfer
Error resuming the partial upload of a file (curl -C option). SSP logs this error: "Closing remote client connection due to command decode policy:SSH_FXP_OPEN, version:3, Reason:invalid flag:6 request due to {1} request".
Resolution: Fixed an internal SFTP command validation error.

RTC546370/IT22549 (Engine) - (SFTP) One line password prompt not working
Display of a single line password prompt is not honored when the property "kb.single.password.prompt=true" is set in the SFTP Proxy Adapter.
Resolution: Made changes to turn off keyboard interactive prompting when kb.single.password.prompt=true is set or defaulted.

RTC546604/IT22033 (Engine) - SSP Engine needs to send HTTP security headers
The SSP HTTP adapter is not sending the desired security headers in the HTTP responses sent to the browsers.
Resolution: Added the following Security Headers with the default values, some of which can be customized through adapter properties:
    Strict-Transport-Security: max-age=31536000;includeSubDomains
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN (override with Adapter property 'X-Frame-Options.value=...')
    Referrer-Policy: no-referrer-when-downgrade (override with 'Referrer-Policy.value=...')
    Content-Security-Policy: default-src 'self' https (override with 'Content-Security-Policy.value=...')
Also, a property like the following for each of these headers controls how the header is handled if one is sent by the backend server, e.g.
    Referrer-Policy.override = ignore | no | add | replace
    ignore  - SSP will not add this header
    no      - SSP will not add the header if a header is sent by the backend server
    add     - SSP will add an additional header, if a header is sent by the backend server
    replace - SSP will replace the header, if a header is sent by the backend server

RFE547267/ (CM,RESTAPI) - Enhancement - Ability to disallow concurrent SSP CM sessions
The Customer has a security policy that allows only one CM session at a time per user.
Resolution: Added a checkbox to CM -> System -> System Settings -> Globals called "Allow multiple sessions per user". Default is checked, which is the current behavior. To handle the case where a user forgets to log off and holds a session, added a default 15 minute timeout. This default value can be changed with a system property, -Dsspcm.idle.timeout.min=15, added to the java startup line(s) in the startCM.sh script for UNIX, or to the lax.nl.java.option.additional parameter in the SSPcm$.lax file for Windows. Also added support for backward compatibility within the RESTAPI.

RTC547559/IT22014 (CM) - Allow REST API to run concurrently, support better format for encrypted passwords
The Customer needed a way to run concurrent copies of the SSP REST API and ensure that update conflicts could be detected and retried.
Resolution: The SSP REST API has been changed to allow concurrent SSP REST API users to run and to ensure that their updates will not regress an update done by another user. The sample Java programs in SSPCM/sdk/SSPCMRESTAPI.zip have all been updated to illustrate the use of the new RestUtils.getVerStampFromXML(xml) method, which returns the version stamp after a "get" operation. Update calls now include the version stamp, e.g.
    updateNetmap(xml, "HTTPNetmap", verstamp)
which should be the same unless another task has updated the object after our "get" was done. Also cleaned up various other REST messages and issues.
Second issue with passwords: The original encryption of passwords returned to the SSP REST API required newline (\n) characters, which HTML can strip off. If the newline character is stripped, the password can no longer be decrypted. It is corrupted and causes the size of the object being updated to grow each time the object is updated.
Resolution: Now use a base64 encoding on the entire password field when encrypting passwords for an SSP REST API export or get operation. This hides the newline characters so that the import/update can be done with HTML. When receiving a new object, validate the consistency of the password field in the old or new format before storing it internally. Also added restrictions on password values:
    o It cannot contain \n or \r characters
    o It cannot be null or empty
    o It cannot be longer than 1024 characters (unless overridden by a System property (-Dpassword.length=nnnn) when CM is started).

RTC548552/IT22537 (Engine) - Intermittent SFTP transfers through SSP show as an "ABORT" in SFG
Various SFTP clients requesting files from SFG were causing intermittent issues when they closed the file and immediately disconnected without waiting for the result of the close operation. If SFG does not get the close command, it assumes the file was not successfully downloaded and marks it available, which can result in duplicate sends.
Resolution: Handled one case where SSP can get into a race condition and not send the close command to SFG if it detects the client has already disconnected. All other cases are caused by the client.
Workaround: Have the client add an operation such as a directory command after the download to ensure the client hangs around long enough for the close command to be delivered to SFG.

RTC548827/ (CM,Engine) - IPv6 support for SSP and SEAS
Resolution: Added support for IPv6 by:
- Removing the disabling of IPv6 from the engine and CM startups
- Changing the validators in all address fields to allow IPv6 addresses where IPv4 addresses were allowed
- Changing HTTP usage of IPv6 so that IPv6 addresses are enclosed in square brackets (RFC requirement)

RTC550068/IT22538 (Engine) - SFTP leaving leftover sessions
The Customer was seeing a handful of SFTP sessions in ESTABLISHED mode which stayed for hours. They could be cleared by restarting the SFTP adapter.
Resolution: Upgraded the Maverick SSH toolkit to include a new fix which times out a session if there is no attempt at a handshake in 30 seconds. (New Maverick jars - J2SSH-1.6.32, SSHD-1.6.39, Common-1.1.18)

RTC550113 (CM) - Error writing to UDP audit syslog when configuration change record exceeds 65k
The Customer was getting "ERROR Unable to write to stream UDP: addr:port for appender proxy.syslog.audit.appender" when a configuration change causes an audit record to be written which exceeds 65k. The limit on a UDP write is 65K.
Resolution: Now document an existing option in the log.properties file: syslogd.protocol=TCP can be specified to override the default of UDP.

RTC550278/IT22371 (Engine) - (PeSIT) Allow Pre-connection phase to be optional with TCP connections
Some PeSIT products do not send the pre-connection message and the PeSIT adapter rejects incoming clients with no pre-connection.
Resolution: Pre-connection has been made optional in the PeSIT adapter.

RTC550295/IT23475 (PS) - Perimeter Services Messages ALWAYS getting logged only under DEBUG
The Customer noticed that after SSP upgraded the PS from PS4660 to PS4662 these periodic 'ALWAYS' log messages were only getting logged as DEBUG messages. The messages have value, but not at the expense of running the PS in DEBUG mode:
    MemoryManager (SingleBar strategy) current allocated bytes: n, current count: n, high water mark: n, h.w.m. count: n, denied preallocations: n - (This message comes out every 10 minutes by default)
    PhysicalConnectionManager connections: active: n, listening: n, loopback: n - (This message comes out every 2 minutes by default)
Resolution: Added 'ALWAYS' log level in SSP to match the one in PS.

RTC550367/ (Engine) - Set correlator on EA failover ping request so it can be suppressed in EA log
When failover checking is requested on SSP adapters, the resulting "pings" to SEAS can result in multiple log messages, making the SEAS log difficult to read.
Resolution: Now add a correlator on the ping request to SEAS, "EAPING-sspDUMMYprofile", which SEAS can detect so that it suppresses the messages related to the SSP pings.

RTC550968 (Engine) - New HTTP headers cause problem with Chrome
6 new security headers were added to messages returned by the HTTP adapter by RTC546604. 2 of them, X-Content-Type-Options and Content-Security-Policy, have been found to cause problems with Chrome and some other older browser versions.
Resolution: Now disable these 2 headers by default so they don't cause problems for existing browsers.

RTC551227/IT22491 (Engine) - Avoid Perimeter race condition causing C:D z/OS error messages (SVTM091I and SVTM090I)
At times, the last RU to be sent to the SNODE by the C:D Adapter is not sent when the close of the socket occurs too quickly.
Resolution: A short wait (default 200ms) is introduced before the close to avoid this problem. This wait time can be changed with a Java property in the SSP engine startup: -Dcd.close.wait=200.

RTC551786/IT23476 (Engine) - Updated Maverick to SSHD 1.6.41, J2SSH 1.6.34
After upgrading from SSP 3.4.1 to 3.4.3 iFix4 the Customer was experiencing intermittent connection failures through the SFTP adapter. The connections appear to have a successful SEAS Authentication, however the connection is then terminated for no obvious reason.
Resolution: Upgraded the SSH Maverick toolkits to the SSHD 1.6.41 (server side) and J2SSH 1.6.34 (client side) levels.

RTC552345/IT22825 (CM) - SHA2 and SHA3 Cipher Suites not available when selecting "SSLv3, TLSv1, TLSv1.1, or TLSv1.2"
When selecting "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" in the CD, HTTP, or FTP netmap security tab, there were no SHA256 or SHA384 cipher suites listed.
Resolution: Now default to 18 cipher suites, including at least 5 each of SHA256 and SHA384, for the following protocol selections:
    "TLSv1, TLSv1.1, or TLSv1.2" (Introduced with RTC544511)
    "SSLv3, TLSv1, TLSv1.1, or TLSv1.2"
    "The PNODE Host controls SSL Protocol" (CD only)

PSIRT9227 (Engine, CM, PS) - Update JRE 1.8 to SR4 FP10 (8.0.4.10)
Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2017 level for all the security patches.

RTC552273/ (Engine) - Security Headers causing errors in rendering SSO HTTP proxy portal pages
The Security Headers (Content-Security-Policy, X-Content-Type-Options) introduced in RTC546604 and disabled in RTC550968 were causing errors in rendering Single Signon (SSO) HTTP proxy portal pages.
Resolution: Reworked these defects to not add the following security headers by default: Strict-Transport-Security, X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Content-Security-Policy. Updated the SSO html pages, javascript, and java code to avoid browser side errors.
Action: To send these headers, add HTTP Adapter properties as shown below:
    Strict-Transport-Security.value = max-age=31536000
    X-XSS-Protection.value = 1; mode=block
    X-Content-Type-Options.value = nosniff
    X-Frame-Options.value = SAMEORIGIN
    Referrer-Policy.value = no-referrer-when-downgrade
    Content-Security-Policy.value = default-src 'self' https:
Note: Sending the 'Content-Security-Policy' header can cause existing backend application pages to not get displayed correctly if they have any in-line scripts or in-line style in their html.
Action: For headers already being sent, one can specify the HTTP Adapter property '<header-name>.override' =
    ignore  - SSP ignores and does not send this header.
    replace - SSP removes any of these headers sent by the backend server before adding the value specified.
    add     - SSP simply adds these headers, even if they are present already (sent by the backend server).
    no      - SSP does not replace the header if it is present already. This is the default behavior.
Action: Any custom response header can be sent by specifying HTTP Adapter properties like the following:
    resp.header.1.key=<name>
    resp.header.1.value=<value>
    resp.header.2.key=<name>
    resp.header.2.value=<value>
    ...
Action: When upgrading, if you have customized the SSP portal pages before, you need to update the portal pages from this iFix upgrade with your customization. Also, there is a new properties file in this upgrade: /bin/portal/mediatypes.properties. If you have any new files under the /Signon dir because of customization and the extensions of these files are not present in the mediatypes.properties file, please add entries as appropriate to this file.

RTC553906/ (Engine) - (HTTP) 'must change password' does not work if browser makes favicon request
This is related to the SSP HTTP Portal, when the password is reset by the admin and LDAP requires the user to change his password after login. If the browser makes a request for a favicon (/favicon.ico) for the change password page, SSP logs the user out and takes the user back to the login prompt from the change password page. Under this circumstance the user is unable to log in to the SSP HTTP portal.
Resolution: Changed SSP to automatically handle a favicon name of "favicon.ico". Also allow the user to specify a list of valid favicon names with the HTTP SSO property 'favicon.names=favicon.ico,favicon2.ico, etc.'. If a request comes for /favicon.ico, SSP renders the file under /Signon/resources/. Any custom favicon files need to be copied to Signon/resources/ (and after each install/upgrade).

RTC554088/IT23494 (Engine) - Support EPSV and EPRT FTPS commands
The Customer's trading partner was restricted to using an FTPS client in IPv6 mode, which is not allowed to use the PORT and PASV commands for specifying a data port.
Resolution: Added support for the "extended" EPRT and EPSV FTPS commands when a client uses them.
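The response-header properties described under RTC546604 and RTC552273 above, modelled as an added Python example (not SSP code): a simplified reader for the '<Header>.value', '<Header>.override' and 'resp.header.N.key/value' adapter properties, the four override modes applied to sample backend headers, and a check for which of the six documented headers a response still lacks. The function names are mine, and treating resp.header.N entries as unconditional adds is an assumption the fixlist does not state.

```python
"""Model of the SSP HTTP adapter response-header properties (added example).

Constructed to illustrate the fixlist, not taken from SSP itself: it
implements the documented semantics of the '<Header>.value',
'<Header>.override' and 'resp.header.N.key/value' adapter properties so the
four override modes can be checked against sample backend headers.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# The six headers the fixlist lists, with the values shown under RTC552273.
SECURITY_HEADER_VALUES: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Content-Security-Policy": "default-src 'self' https:",
}
OVERRIDE_MODES = ("ignore", "no", "add", "replace")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse simplified Java-style 'key = value' adapter property lines.

    Only the first '=' separates key from value, so a value such as
    'max-age=31536000' survives intact.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def configured_headers(props: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, value, mode) for every header the adapter is told to send.

    The mode comes from '<Header>.override' and defaults to 'no' (do not
    replace a header the backend already sent), which the fixlist names as the
    default. Custom 'resp.header.N.*' headers are assumed, since the page does
    not say, to be added unconditionally (mode 'add').
    """
    result: List[Tuple[str, str, str]] = []
    for key, value in props.items():
        if key.endswith(".value") and not key.startswith("resp.header."):
            name = key[: -len(".value")]
            mode = props.get(f"{name}.override", "no").strip().lower()
            if mode not in OVERRIDE_MODES:
                raise ValueError(f"invalid override mode {mode!r} for {name}")
            result.append((name, value, mode))
    n = 1
    while f"resp.header.{n}.key" in props:
        result.append((props[f"resp.header.{n}.key"],
                       props.get(f"resp.header.{n}.value", ""), "add"))
        n += 1
    return result


def apply_header_policy(backend_headers: List[Header],
                        props: Dict[str, str]) -> List[Header]:
    """Merge the backend's response headers with the adapter's configured ones."""
    out = list(backend_headers)
    for name, value, mode in configured_headers(props):
        present = any(h.lower() == name.lower() for h, _ in out)
        if mode == "ignore":
            continue                       # SSP does not add this header at all
        if mode == "replace":              # drop the backend's copy, send ours
            out = [(h, v) for h, v in out if h.lower() != name.lower()]
            out.append((name, value))
        elif mode == "add":                # send ours even if a copy exists
            out.append((name, value))
        elif not present:                  # 'no': only fill what is missing
            out.append((name, value))
    return out


def header_values(headers: List[Header], name: str) -> List[str]:
    """All values sent for a header name (case-insensitive), in order."""
    return [v for h, v in headers if h.lower() == name.lower()]


def missing_security_headers(headers: List[Header]) -> List[str]:
    """Defender's check: which of the six documented headers a response lacks."""
    return [n for n in SECURITY_HEADER_VALUES if not header_values(headers, n)]


if __name__ == "__main__":
    # Constructed sample: a backend that already sets X-Frame-Options: DENY.
    backend = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]
    props = parse_properties("""
        X-Frame-Options.value = SAMEORIGIN
        X-Frame-Options.override = no
        X-Content-Type-Options.value = nosniff
    """)
    sent = apply_header_policy(backend, props)
    print(sent)                                  # DENY is kept, nosniff added
    print("missing:", missing_security_headers(sent))
```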
The response for the EPSV command only includes the port number we are opening: 229 Entering Extended Passive Mode (|||6446|) RTC554173/IT23167 (CM) - CM scripts not honoring the TLS protocol version from CM security Sytem Settings Customer changed the CM TLS protocol from TLSv1 to TLSv1.2 using configureCmSsl.sh and exported it to the engines with configureCmSsl.sh and configureEngineSsl.sh. Afterward, the manageKeyCerts.sh script would not work. Resolution: Fixed the manageKeyCerts and manageCSRs scripts by updating the underlying code to use the TLS protocol from the CM security System Settings. RTC554225/ (CM) - Poor error message when importing expired certificate When importing an expired certificate into the CM, the error message is "Certificate data could not be validated". Resolution: Now put out the message "Certificate data could not be validated or certificate expired. Check Valid Until date." RTC555530/ (Engine) - SFTP log showing parameter place holders: {1} Some of the SFTP Adapter log debug messages have parameter place holders like "{1}". Example: "SSE2633 Closing Closing backend session due to ending sessions from sftpsubsystem: did not close session request due to {1} request" Resolution: Corrected the messages and calls to ensure the placeholders are used correctly. PSIRT10042/IT23654 (CM) - Possible vulnerability in Apache Commons Fileupload toolkit Resolution: Upgraded to use commons-fileupload-1.3.3.jar to resolve a possible security vulnerability. This toolkit is used by the SSPCM GUI in the secure zone when importing certificates. For more information, see http://www.ibm.com/support/docview.wss?uid=swg22012458. RTC556199/IT23554 (CM/Engine) - SSP import replace in HSM fails if key with same alias already exists in HSM When trying to replace a certificate in the HSM, with the command ./manageKeyCerts.sh -import certName= ... replace=y Getting the error ***SSP0044E Error adding key-certificate: Cannot add key-certificate to keystore. 
Alias already exists. Resolution: Now correctly honor the replace request. RTC556393/ (Engine) - Improve SSP logging for C:D XDR keyword error When a remote C:D node sends in an FMH with a keyword that SSP has not been updated to recognize, SSP spits out a very verbose set of error messages which clutter up the log: CSP031E 16 Invalid protocol message or message key. CSP032E 16 cvc-complex-type.2.4.a: Invalid content was found starting with element 'xxxx'. One of '{aaaa, bbbb, ..., zzzz}' is expected. Followed by a multi-line (20+ lines) dump of the FMH Resolution: Now capture the Exception and parse it to get the KQV value that is missing and report it in a one-line message: CSP032E 4 KQV keyword "APID" found in FM68, but not defined in XML schema definition RTC556544/ (CM) - Improve console output for sspRestAPI script when connection cannot be made. When a SSPREST connection can't be made to the SSPcm, the console is flooded with Java exceptions and stack traces, obfuscating the reason for the error. Resolution: Now print a simpler error message: Attempting to logon to localhost:28443 as admin ERROR: Unable to acquire connection Only produce the Java exception and stack trace if GLOBAL_DEBUG is set. RTC557073/IT23495 (Engine,CM) - Engine fails to start after upgrading from pre-SSP3420 Upgrade installs of SEAS, SSPcm or SSP engine did not replace the log4j property files and in some cases, the SSP CM and/or SSP engine will not come up properly. Resolution: The installer (during an upgrade) will make a copy of the following log4j files and append a date/time stamp to the name before replacing the file with the current version: bin/log.properties conf/log.properties conf/log4j.properties conf/log4j2.xml ACTION: If there are customizations to the log4j property files, the Customer must retrofit them after the upgrade. 
RTC557173/IT23483 (Enging,CM) - Add TLS 1.1 and 1.2 protocols for PeSIT The PeSIT Netmap entries should allow TLSv1.1 and TLSv1.2, since Connect:Express (C:X) supports them. Resolution: Updated the SSL/TLS ciphers table to include the additional protocol selections for PeSIT. RTC557986/IT23827 (CM) - REST API responds with 200/OK on invalid netmap XML input REST API Unable to delete first node in CD Netmap When using the REST API to update or delete a netmap node which doesn't exist or has invalid XML tags, the operation was getting a 200 OK return code. Also, it was not possible to delete the first node in a netmap. Resolution: Added xsd validation code to REST API to check for consistency in the XML, and return an appropriate code when an operation fails. ACTION: If REST imports fail due to XSD validation after applying this fix, You may modify the startup parms for the SSPCM to include a new parm to turn off the XSD validation during import. In the bin/startCM.sh script (UNIX) add or replace the following parm: N=-DvalidateThruXSD=false (default is true) In Windows, update the bin\SSPcm$.lax to include the -DvalidateThruXSD=false parm at the end of the line starting with lax.nl.java.option.additional=. RTC558982/IT24252 (CM) - NPE importing keycert with comma, asterisk, or exclamation mark in password. When attempting to import a keycert in .pfx (.p12) format which had a private key with a passphrase containing invalid characters, the admin session ended abruptly with a NullPointerException. Resolution: Now correctly detect the invalid characters in the passphrase and put out an appropriate message instead of knocking the admin out of the session. 
RTC559115/IT23828 (PS) - Install failed - "CIP_List is not set" when interface not found Customer installing a Perimeter Server, gets the following message during the install dialogs and the Perimeter Server Interface Address choices does not display: ERROR: CIP_List is not set Resolution: Updated the InstallAnywhere exit to set the $CIP_List$ and $CIP_DEFAULT$ variables even if an exception happens while looking for interfaces. RTC559657/IT23829 (CM) - Distinguish in CM logs between REST API and CM GUI configuration updates SSP CM doesn't indicate in the logs whether a session is from REST API or the CM GUI. Resolution: Updated the SSP CM logs (including the Audit Log) to indicate whether a session is from the "REST API" or "CM GUI". RTC560800/IT24125 (Engine) - (CD) CSP057E KQV keyword "FSOK" found in FM71, but not defined in XML schema definition A Connect:Direct session is coming in specifying an Aspera FASP keyword, but the keyword was not recognized by SSP. Resolution: The FSOK keyword has been added to the FM71.xsd. RTC561255/IT24036 (Engine) - (CD) Unable to use Secure+ with Wild Card Nodename feature - %DEFAULT_NODE Customer was attempting to use the wild card nodename feature within the CD netmap to receive connections from nodes not in the netmap. It worked for non-seccure sessions, but not for secure ones. Resolution: Now correctly build the temporary netmap node entry with the security properties from the default definition so that it can properly do the SSL handshake. RTC561382/IT24037 (CM) - (GUI,RESTAPI) Importing multiple certificates into the truststore. Customer was attempting to import a file into the truststore with multiple certificates, but it failed during XML validation. Resolution: Corrected the xsd validation for modify key entries. Also return an error for an attempt to modify an entry that does not exist. 
RTC561603/IT24112 (CM) - GUI listing AES ciphers for SSLv3 protocol
The SSPCM GUI listed AES and ECDHE cipher suites for the SSLv3 protocol, but they are not supported by the IBM JSSE toolkit.
Resolution: Removed all the AES and ECDHE ciphers for SSLv3, as there are no ciphers in the IBM JSSE toolkit which work out of the box with SSLv3. Left 3DES as a default, as there must be at least one cipher to save a config. To allow SSLv3 as a protocol, see the writeup for IT07375 in this fixlist. To allow 3DES as a cipher suite, see the writeup for RTC533801.

RTC561821/IT24660 (Engine) - (SFTP) Password prompted after key auth failed when "Key and Password" auth policy is used
The SFTP adapter presents a password authentication prompt even if the key authentication failed when the authentication policy is "Key and Password".
Resolution: Now look for an adapter property "keyauth.reqd.before.pwdauth" set to "true" and shut down the session before password authentication if the SSH public key is not presented or if key authentication fails.
Note: This also fixes a nuisance message which some Customers reported:
AUTH003E Authentication request received for unknown definition: null.

RTC561952/ (CM) - SSPCM - Authentication Bypass Using HTTP Verb Tampering
An internal dynamic AppScan test found that SSPCM allowed unauthorized HTTP verbs (methods).
Resolution: Now ensure only valid methods are allowed.

RTC562430/(Enh) (CM) - Enhancement to improve listing of certificates to include chains and pkcs12
The listCmCerts utility in the SSPCM bin directory skips certificates in pkcs12 format and only reports on the first certificate in the KeyDef (which can contain a chain of certificates, each of which can have different expiration dates).
Resolution: Updated the listCmCerts utility to list certificates from a pkcs12 package, and individually report on all certificates in a key or trust chain (as 1 of 10, 2 of 10, etc.). Run cmListCerts.bat (or .sh) with expireDays=365 to show the list of certificates that expire within the coming year.

RTC562623/IT24251 (Engine) - SFTP logoff messages with every load balancer ping
After applying the iFix containing RTC534483, the Customer was receiving the SFTP message "SSE2726 SessionId: ... disconnected userid: null", logged at INFO level with every load balancer ping. The Customer had the adapter property load.balancer.addr=ip1;ip2 set up correctly to turn off logging for load balancer pings.
Resolution: Now emit the SSE2726 disconnect message at DEBUG level if the userid is null.

RTC563014/IT24648 (Engine) - SSP not failing back to primary SEAS server
When an alternate external authentication server is coded in the SEAS definition and the failover code detects that the "primary" address is unreachable, the adapter redirects SEAS traffic to the alternate address. However, when the primary is reachable again, the adapters do not direct SEAS traffic back to the primary SEAS.
Resolution: Now determine when the "primary" SEAS is back up and restore traffic to it automatically. Issue a new SSE1852I message indicating that we are closing the secondary EA connection and contacting the primary EA again:
SSE1852I Engine Name=MyEngine, Adapter Name=FTP_Proxy, EA Name=EA2. Primary EA server (EA1) is back up, closing connection to EA2

RTC563309/IT24246 (CM) - (RESTAPI) Unable to add HMAC values that are available in the SSPcm UI
The REST API could not import an SFTP netmap node with HMAC values of hmac-sha256 and hmac-sha256@ssh.com. The same are available in the GUI.
Resolution: Now have the REST API get the valid SSH HMACs, ciphers, etc. from the same property file as the SSP GUI so that they are in sync.

RTC563311/IT24440 (Engine) - (SFTP) Client receives password prompt when netmap using a sftpPolicy set to KEY only
The Customer has only one sftpPolicy with the Required Authentication Method set to 'Key'. However, SFTP clients were presented with all three auth mechanisms ("password", "publickey", and "keyboard-interactive").
Resolution: Now limit the SFTP auth methods to only those represented by the sftpPolicies pointed to by the netmap. To turn off password prompting, ensure that no sftpPolicies pointed to by the netmap include password or keyboard-interactive.

RTC563378/IT24253 (Engine) - Allow suppressing content length header in CD http health check ping response
RTC522918 updated the CD adapter to return a content-length header when it is configured to return an HTTP Ping response. This caused an issue for a Customer's load balancer which was hardcoded to receive the response without the content-length header.
Resolution: Now support a CD adapter property to turn off the header:
ping.response.include.len.header = false
will turn off the content-length header again (default is true).

RTC563547/IT24449 (Engine) - Not encoding url correctly when SSP redirects to an external login page
When an external logon portal is used, SSP redirects requests without a valid token to the external logon portal, passing the original request as a query parameter. However, if the original request url itself has query parameters, these are not getting passed when the portal redirects back to SSP after a successful login.
Resolution: Fixed the encoding of the original request url when passing it as a query parameter to the external portal.

RTC563781/IT24842 (Engine) - HTTP malformed upload causes hung state
The HTTP Proxy was not releasing buffers in some error conditions, causing local perimeter server buffer allocation errors. This also caused other SSP Adapters to go into a stopped/hung status.
Resolution: Now correctly release the buffers when an error condition is detected in the HTTP adapter.

RTC564157/internal (CM) - IPV4 and IPV6 addresses not screened properly
IPV6 (and IPV4) addresses were not being screened properly in the GUI.
Resolution: Changed IPV6 and IPV4 validation to properly determine valid IP addresses. Since fields can contain a DNS name or an IP mask, updated the code to recognize that and validate properly.

RTC564833/ (CM) - AppScan - Stack trace in the response body
An internal dynamic AppScan test was able to get the SSPCM to generate a stack trace in the response body, which can be a security disclosure.
Resolution: Now only send a summarized message back to the browser client instead of a stack trace.

RTC564992/ (CM) - SSPCM fails to start after upgrade if "admin" id previously deleted
Upgrading from SSPCM 3.4.2 iFix10 to iFix12 after deleting the default "admin" user causes an unencrypted 586034f.xml file to reappear. Once this file reappears, the CM fails to start because encryption checking fails.
Resolution: Updated the SSPcm installer to not install the admin user xml if performing an upgrade to an existing configuration.
Workaround (if the fix is not applied): Delete or rename the unencrypted /conf/haas/users/586034f.xml file to allow the CM to start.

RTC565487/ (CM,Engine) - SSP/SEAS code signing certificate expires June 21, 2018
The code signing certificate used for SSP and SEAS expires June 21, 2018. Testing showed that both products will run after that date, but the SEAS Webstart GUI will not.
Resolution: Updated the signing cert for SSP and SEAS with one which will expire on March 14, 2021.
HIPER: Upgrade SEAS to the SEAS2432 (SEAS 2.4.3.0 Fixpack 2) level before June 21, 2018 to ensure that the Webstart GUI will continue working.

RTC566007 (CM, Engine, PS) - SSP crashes with HSM enabled
A Customer with a Hardware Security Module (HSM) enabled sees periodic crashes with a General Protection Fault (GPF) failure in IBMPKCS11 code, which is the HSM interface code. The javacore shows a GPF with the current thread in NativePKCS11Session.getAttributeValue.
Resolution: Upgraded the JRE to the 8.0 SR 5 FP 10 (8.0.5.10) level to pick up the IBMPKCS11 updates which address this problem.

RTC566337/IT24733 (Engine) - SSP SFTP Adapter will not start in FIPS mode
The SFTP adapters get NullPointerExceptions (NPEs) when the SSP engine starts in FIPS mode. The systemout.log also gets:
java.security.NoSuchAlgorithmException: no such algorithm: SHA1PRNG for provider IBMJCEFIPS
Resolution: Changed to use the SHA2DRBG pseudo random number generator when initializing the SecureRandom object in FIPS mode.

RTC566450/IT24790 (CM, Engine) - (SFTP) Remove the twofish* and cast* ciphers
Ciphers that are no longer supported by Maverick had been included in the pre-built ssh_ciphers.properties file, which populates the GUI screens.
Resolution: Removed these unsupported ciphers from the file.

RTC566512/IT24843 (CM, Engine) - Add missing ciphers to FIPS list
Four ciphers were missing from the list of FIPS approved ciphers that the JSSE allows to be defined:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
Resolution: Added the missing ciphers to the list of approved ciphers.

RTC566675/IT25694 (Engine,PS) - (CD) Large FASP Transfers (5GB) are failing with broken pipe
When C:D is using the FASP feature to send large files (e.g. 5 GB), the original C:D socket may be terminated by the firewall for inactivity while the data is sent on the FASP socket. The Perimeter Server code (local and remote) was not setting keep-alive values to override the OS settings.
Resolution: Now allow setting KeepAlive variables in Perimeter Server (both Local and Remote) in SSP. Perimeter Services has been updated to allow KeepAlive variables to be set in the local perimeter.properties file. The SSP engine perimeter.properties file in /bin must be updated to enable this new support. Also, if using SSP remote perimeter servers, they must also be upgraded using the installers from this build or higher.
socket.tcpKeepAlive=true (REQ - enables KeepAlive with OS default values)
socket.keepAliveIdleTime=180 (OPT - time in seconds the connection is silent. OS default usually 7200)
socket.probeCount=25 (OPT - number of ACK probes sent)
socket.intervalTime=25 (OPT - seconds before sending a new ACK)
Note: This defect is related to internal defect RTC567627.

RTC566772/IT25294 (Engine) - SFTP users unable to logon using "key and password" policy (session limit exceeded)
When hit with thousands of requests when the session limit is 20, the SFTP adapter did not accept new sessions since the session limit had been reached. However, after stopping and starting the SFTP adapter, sessions were still being rejected.
Resolution: Now wait long enough for sessions to close properly when the SFTP adapter is stopped. A new adapter property, "sftp.adapter.shutdown.wait.secs", can be configured to specify the time to wait for sessions to close when the adapter is stopped. By default, this property is set to the SFTP adapter session timeout value. Also cleaned up spurious "System error - sftpAccessInstance is missing" messages in the systemout.log file.

RTC567232/IT24869 (Engine) - (CD) SSL Protocol missing from CSP007I and SSP0240I messages
After applying the fix for defect 518916, the CSP007I and SSP0240I messages were not including the SSL protocol used, instead reporting Protocol=None.
Resolution: Now accurately report the SSL protocols used for the PNODE and SNODE sessions.

RTC567296/ (Engine) - SFTP resetting failed login attempt count even when one of the auth fails
SFTP is resetting the failed login attempt count even when key auth fails but password auth succeeds.
Resolution: Now reset the failed login attempt count only when both auth methods (password and key) succeed.
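Added example (not SSP code) for RTC563547 above: why the original request URL must be percent-encoded when it is handed to an external logon portal as a single query parameter. The portal URL, the parameter name returnUrl and the sample request URL are constructed placeholders for this example, not values from the product.

```python
"""Added example (not SSP code): the query-parameter loss described for
RTC563547, shown as the unencoded redirect beside the corrected one.

Assumptions (constructed for this example): PORTAL, RETURN_PARAM and
SAMPLE_REQUEST are placeholders, not SSP configuration values.
"""
from typing import List
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL = "https://portal.example.test/login"      # constructed placeholder
RETURN_PARAM = "returnUrl"                         # constructed placeholder
# Constructed original request: a URL that itself carries two parameters.
SAMPLE_REQUEST = "https://ssp.example.test/myfilegateway/download?fileId=42&folder=inbox"


def redirect_unencoded(original_url: str) -> str:
    """The defective behaviour: the original URL is appended raw, so its own
    '?' and '&' are parsed by the portal as part of the portal's query."""
    return f"{PORTAL}?{RETURN_PARAM}={original_url}"


def redirect_encoded(original_url: str) -> str:
    """The corrected behaviour: the whole original URL, query string included,
    is percent-encoded as one parameter value (urlencode does the quoting)."""
    return f"{PORTAL}?{urlencode({RETURN_PARAM: original_url})}"


def return_url_seen_by_portal(redirect_url: str) -> str:
    """What a portal that parses its query string in the usual way recovers as
    the return URL: the first value of RETURN_PARAM."""
    qs = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    return qs.get(RETURN_PARAM, [""])[0]


def lost_parameters(original_url: str, recovered_url: str) -> List[str]:
    """Names of the original request's query parameters that the portal would
    no longer pass back to SSP after login."""
    want = set(parse_qs(urlsplit(original_url).query))
    have = set(parse_qs(urlsplit(recovered_url).query))
    return sorted(want - have)


if __name__ == "__main__":
    for label, redirect in (("unencoded", redirect_unencoded(SAMPLE_REQUEST)),
                            ("encoded", redirect_encoded(SAMPLE_REQUEST))):
        seen = return_url_seen_by_portal(redirect)
        print(f"{label}: portal sees {seen!r}, lost {lost_parameters(SAMPLE_REQUEST, seen)}")
```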
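Added example (not SSP or Perimeter Server code) for the RTC566675 keep-alive settings above: reading the four socket.* properties from a perimeter.properties-style fragment and applying them to a TCP socket. The mapping of each property onto a Linux TCP_KEEP* socket option is this example's assumption about what the settings control, not taken from the product source; the properties text is constructed.

```python
"""Added example (not SSP/PS code): applying the RTC566675 keep-alive
properties to a socket. Assumption: socket.keepAliveIdleTime maps to
TCP_KEEPIDLE, socket.probeCount to TCP_KEEPCNT and socket.intervalTime to
TCP_KEEPINTVL (Linux names); the product's own mapping is not shown here.
"""
import socket
from typing import Dict

# Constructed sample fragment in the style of perimeter.properties.
SAMPLE_PROPERTIES = """\
# constructed sample: keep-alive settings from the fixlist entry
socket.tcpKeepAlive=true
socket.keepAliveIdleTime=180
socket.probeCount=25
socket.intervalTime=25
"""

# Property name -> socket option name (assumed mapping, see module docstring).
OPTIONAL_OPTIONS = {
    "socket.keepAliveIdleTime": "TCP_KEEPIDLE",
    "socket.probeCount": "TCP_KEEPCNT",
    "socket.intervalTime": "TCP_KEEPINTVL",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-style .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def keepalive_settings(props: Dict[str, str]) -> Dict[str, int]:
    """Translate the properties into socket option values. socket.tcpKeepAlive
    is required (REQ); an unset optional value is left to the OS default and
    is simply absent from the result. A non-positive value is rejected."""
    if props.get("socket.tcpKeepAlive", "false").lower() != "true":
        return {}
    settings = {"SO_KEEPALIVE": 1}
    for prop, opt in OPTIONAL_OPTIONS.items():
        if prop in props:
            value = int(props[prop])
            if value <= 0:
                raise ValueError(f"{prop} must be positive, got {value}")
            settings[opt] = value
    return settings


def _level(name: str) -> int:
    return socket.SOL_SOCKET if name == "SO_KEEPALIVE" else socket.IPPROTO_TCP


def apply_keepalive(sock: socket.socket, settings: Dict[str, int]) -> Dict[str, int]:
    """Set each option the platform supports (TCP_KEEP* names are Linux;
    elsewhere only SO_KEEPALIVE is guaranteed). Returns what was applied."""
    applied = {}
    for name, value in settings.items():
        if hasattr(socket, name):
            sock.setsockopt(_level(name), getattr(socket, name), value)
            applied[name] = value
    return applied


def demo_apply(settings: Dict[str, int]) -> Dict[str, int]:
    """Apply to a fresh, unconnected socket and read the values back from the
    kernel, so the effect of the properties can be verified offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        applied = apply_keepalive(sock, settings)
        return {name: sock.getsockopt(_level(name), getattr(socket, name))
                for name in applied}
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo_apply(keepalive_settings(parse_properties(SAMPLE_PROPERTIES))))
```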
RTC567354/IT24987 (CM) - Getting non-fatal stackOverflowExceptions in log of SILENT install of SSPcm
The SILENT install for SSPcm produces one or more stackOverflowExceptions in the installer log. However, the actual installation is still ok and these errors can be ignored.
Resolution: Changed the installer to recognize that the installation is a SILENT install and avoid the action causing the stackOverflowException.

RTC568078/IT24967 (Engine) - (CD) HSM retargeted keys get java.security.UnrecoverableKeyException - DER input not an octet string
HSM keys created in SSP3418 or earlier and "retargeted" for use with the IBM JSSE were getting an UnrecoverableKeyException with CD, even though they worked with FTPS and HTTPS.
Resolution: Now catch the UnrecoverableKeyException and build a temporary IBMPKCS11 keystore to load the retargeted HSM key from.

RTC568408/ (Engine) - Limit userid/password fields to 256 characters
Within the HTTP adapter login and change password pages, the lengths of the userid and password fields were not bounded, which could allow large amounts of data to be entered. This could result in a security vulnerability.
Resolution: Updated the logon and changepw pages to limit the userid and password fields to 256 characters.

RTC568515/IT25039 (Engine) - (CD) Unable to access HSM key referenced from non-default keystore
Certificates in user defined key/trust stores have the name of the keystore / truststore prepended to them followed by a colon (e.g. MyKeyStore:MyCertificate). The CD adapter was not able to retrieve the key from the HSM store with the full name.
Resolution: Now strip off the keystore name and return just the certificate name. Debug messages were also added.

PSIRT10955/10418 (Engine, CM, PS) - Update JRE 1.8 to SR5 FP10 (8.0.5.10)
Resolution: Update the JRE 1.8 to bring it up to the Oracle January 2018 level to satisfy the CVEs in PSIRT10418 and PSIRT10955.
PSIRT 10418 - October 2017 Java CPU Advisory
CVE-2017-10356 (CVSS 6.2) - Product uses JKS or JCEKS keystores
PSIRT 10955 - January 2018 Java CPU Advisory
CVE-2018-2633 (CVSS 8.3) - Vulnerable to specially crafted LDAP CRL URL.
CVE-2018-2603 (CVSS 5.3) - Applications that use SSL/TLS.
CVE-2018-2602 (CVSS 4.5) - Affects all Java deployments.
CVE-2018-2588 (CVSS 4.3) - LdapLoginModule for LDAP based authentication.
CVE-2018-2579 (CVSS 3.7) - Issue with getEncoded() method
See http://www.ibm.com/support/docview.wss?uid=swg22017038 for the security bulletin.

RTC569857/ (CM) - Improve messages for xml parsing exceptions
During CM startup, a corrupt configuration file can result in the message:
XmlParsingException: Error on line 1: An invalid XML character was found.
The message was not helpful in determining the root cause.
Resolution: Updated the error message to include more information about the file, line number, and reason for the error. Example:
XmlParsingException: Error on line 88 in file XxXxXxX: An invalid XML character (Unicode: 0x8) was found in the CDATA section.

RTC570690/ (CM) - IBM Metric tools cannot detect SSPCM
The IBM metric tools (i.e. ILMT) are not detecting the SSP CM installed instance because the *.swidtag files were not being shipped.
Resolution: Now ship the swid tag file for ILMT in the SSPCM properties/version directory:
ibm.com_IBM_Sterling_Secure_Proxy_Configuration_Manager-3.4.3.swidtag

RTC571371/IT25695 (CM) - (REST) Failure to add a new node to a netmap when an existing node has problems in its configuration
Customer was attempting to add a new CD node to an existing netmap using the REST API, but got failures indicating a problem with the TLS ciphers chosen and the TLS protocol. The REST API was attempting to validate all the nodes in the netmap instead of just the one being added. The failing node was from a previous build of the product that allowed the invalid combination.
Resolution: Now only validate the node(s) being added or updated in a netmap using the REST API and indicate which node fails validation. During an import operation, recognize any ciphers which have ever been supported so that Export/Import operations do not result in a failure.

RTC572142/DT001321 (Engine) - FTP-SSL Customers on slow line getting 226 Transfer Complete on the Control Channel prior to all data sent
Large file downloads were failing for FTP clients on slow connections. The 226 Transfer Complete message from the SI server was appearing on the control channel several minutes before the data on the data channel had been delivered, but SSP forwarded it to the FTP client immediately, causing the client to get confused.
Resolution: Updated the SSP FTP adapter to wait for the client data channel to close before sending the '226 Transfer Complete' message on the control channel.

RTC572554/IT26062 (CM) - ./manageKeyCerts.sh fails when admin user defined in SEAS
Customer could not run the manageKeyCerts.sh script using admin credentials defined in SEAS.
Resolution: Updated the manageKeyCerts and manageCSRs tools to handle admin credentials which are managed by External Authentication.
Note: Issue RTC572554 is also known internally as MFT-9866.

MissingKQVs (Engine) - (CD) CSP057E missing values Z15R, DDTY, DDTS
Resolution: Added Z15R (boolean) to FMH7402, and DDTY (string) and DDTS (boolean) to FMH71.

RTC572605/IT25899 (Engine) - (CD) Upper and lower case node logs not created
CD node specific logs used different cases when naming the PNODE or SNODE logs. When the node was the PNODE, the nodename was in lower case; for the SNODE, the nodename was in upper case. Since the C:D support in SSP is both reverse proxy and forward proxy, both PNODE and SNODE logs could be written. When SSP introduced the log4j2 logging package, it used a case-insensitive check for the existence of the log files, which resulted in the node specific logs being gathered by the first user of the node (either as the PNODE or the SNODE).
Resolution: Now use the lower case version of the SNODE nodename when creating the node specific logs. This means that the log will contain its log records regardless of whether the node is the PNODE or the SNODE.
Note: Issue RTC572605 is also known internally as MFT-9867.

SSP-3036/ (Engine) - (HTTP) B2Bi 6.0 rejecting HTTP requests with "400 Bad Message" error
B2Bi 6.0 has upgraded to a later Apache Jetty version, 9.4.11. This Jetty version supports a later HTTP standard where the folding of HTTP headers is not allowed, and thus the requests are rejected. The Cookie header with multiple cookies was putting a CRLF and space after each cookie. Entering credentials and trying to login results in a "Bad Message 400" error.
Resolution: Now eliminate the HTTP folding while passing the headers to the back end HTTP server.

PSIRT11819 (CM,Engine,PS) - Update JRE 1.8 to SR5 FP17 (8.0.5.17)
Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2018 level to satisfy the CVEs in PSIRT11819:
CVE-2018-2783 (CVSS 7.4) TLS handshaking flaw implementing 3Shake
See http://www.ibm.com/support/docview.wss?uid=ibm10729765 for the Security Bulletin.

MFT-9835/IT26615 (Engine) - (CD) Timeout during FASP Close at end of large transfer
At the end of a large FASP transfer through SSP, the FASP Close operation may be discarded by the receiver if there is still a lot of data being received. This results in a timeout on the sending side waiting for a response to the FASP Close operation:
CSP999E fsc-aspera-stream-transfer.log ERR Failed to receive Close Session, read timed out (errno=110) timeout:120, rsize:0
The Customer increased the timeout value in the ./bin/aspera.conf file to 360. The transfer was successful, but the timeout messages persisted.
Resolution: Corrected the receiving side code to ensure that the FASP Close directive is not discarded during high activity.
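Added example (not SSP or Jetty code) for SSP-3036 above: detecting obsolete header line folding (a CRLF followed by a space, as in the multi-cookie Cookie header) and unfolding it into one field per line before the request is forwarded, which is what a proxy must do once the back end rejects folded headers with 400. The request bytes are constructed for this example.

```python
"""Added example (not SSP or Jetty code): normalising obs-fold header
continuation lines before forwarding a request, the condition behind
SSP-3036. The sample request below is constructed.
"""
from typing import List, Tuple

# Constructed sample: a Cookie header split over three lines by obs-fold
# (CRLF + space after each cookie), as described for SSP-3036.
FOLDED_REQUEST = (
    b"GET /myfilegateway/ HTTP/1.1\r\n"
    b"Host: b2bi.example.test\r\n"
    b"Cookie: JSESSIONID=abc123;\r\n"
    b" SSOTOKEN=def456;\r\n"
    b" lang=en\r\n"
    b"User-Agent: example/1.0\r\n"
    b"\r\n"
)

Field = Tuple[bytes, bytes]


def has_obs_fold(head: bytes) -> bool:
    """True if any header line begins with SP or HTAB, i.e. is a folded
    continuation of the previous field (what a strict server rejects)."""
    lines = head.split(b"\r\n")
    return any(line[:1] in (b" ", b"\t") for line in lines[1:] if line)


def parse_head(head: bytes) -> Tuple[bytes, List[Field]]:
    """Split the request head into the request line and header fields,
    joining each obs-fold continuation onto the preceding field with a
    single space (the RFC 7230 section 3.2.4 replacement rule)."""
    lines = head.rstrip(b"\r\n").split(b"\r\n")
    request_line, fields = lines[0], []  # type: bytes, List[Field]
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            if not fields:
                raise ValueError("continuation line before any header field")
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip())
        else:
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError(f"malformed header line: {line!r}")
            fields.append((name.strip(), value.strip()))
    return request_line, fields


def serialize_head(request_line: bytes, fields: List[Field]) -> bytes:
    """Re-emit the head with exactly one line per header field, no folding."""
    out = [request_line] + [name + b": " + value for name, value in fields]
    return b"\r\n".join(out) + b"\r\n\r\n"


def unfold_request(head: bytes) -> bytes:
    """Proxy-side normalisation: parse, unfold, re-serialize."""
    request_line, fields = parse_head(head)
    return serialize_head(request_line, fields)


if __name__ == "__main__":
    print("folded on input:", has_obs_fold(FOLDED_REQUEST))
    print(unfold_request(FOLDED_REQUEST).decode())
```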
MFT-9898/IT26763 (Engine) - (HTTP) Userid included in URL query string parameter during password change
During password change processing, the userID was getting passed in the URL, which is insecure.
Resolution: Removed the userID from the URL and moved it into the HTTP headers, which remain secure during the password change operation.

MFT-9902/IT26640 (Engine) - (HTTP) Error messages in log after successful transfer
During successful connections to myFileGateway, the Customer is seeing numerous error messages in the logs:
SSE0100E Attempt to secure client connection failed.
SSP0449E Client disconnected before server connection completed.
Sessions from Chrome produce more error messages than those from IE.
Resolution: Cleaned up most of the spurious messages resulting from disconnects during TLS handshaking.

MFT-9925/IT26416 (Engine) - Allow Customer to override minimum DH Exchange key sizes
Customer has an SFTP partner which cannot support a DH key exchange size above 1024. For security reasons, the default minimum keysize that SSP will negotiate is 2048, and that is the recommended value.
Resolution: Now allow a property value in the SFTP adapter to override the minimum keysize required:
MinDHGroupExchangeKeySize=1024
will allow a keysize of 1024.

MFT-9946/IT26632 (Engine) - (CD) Alternate node in netmap not called unless specified with ip/port
Coding an "Alternate Destination" in the Advanced tab of a CD node does not work if a nodename is used from the pulldown. It is only honored if specified using the ip address and port number.
Resolution: Now correctly parse for the node name in the "Alternate Destinations" specification in the Advanced tab of the CD netmap node.

MFT-9961/IT26631 (Engine,CM) - (SFTP) Intermittent SignatureException
The IBM Java team tightened the restrictions on how public key signatures can be encoded. This caused our SSH processing to intermittently get java.security.SignatureException failures at session startup.
Resolution: Upgraded the Maverick SSH toolkits to current maintenance which works within the tighter restrictions. Upgraded to Maverick Legacy SSHD Server 1.6.47 and J2SSH Client 1.6.39.

SSP-3041 (Engine,CM) - Upgrade SSP to Jetty 9.4.12
Resolution: Upgraded SSP to the latest Jetty for security and supportability. This is also known as PSIRT12571.

SSP-3070 (Engine,CM) - Update SSP to Apache Active MQ 5.15.6
Resolution: Upgraded SSP to the latest Apache Active MQ for security and supportability. This is also known as PSIRT13307.

MFT-9975/IT26788 (Engine) - (CM) Adding cipher suite to External Auth definition gets System Error
When the CM user tries to add a new cipher suite in the Security tab of the Advanced -> External Authentication Server definition without "Use Secure Connection" checked, the SSP CM connection is broken with the message:
"System Error. Unexpected System Error has occurred. Please sign in again. If the problem persists, contact your system administrator".
Resolution: Now disable the cipher add/remove listbox by default unless "Use Secure Connection" is checked.

MFT-9981/IT27055 (Engine) - (FTP) Password prompt not retrying if SEAS auth fails
When using SEAS authentication with FTP, the user is not prompted for a password again if the first attempt fails. When running directly to SI, the user is allowed to reenter a bad password.
Resolution: Corrected the password prompting when SEAS is in use so that the session is not closed until the user exhausts the maximum allowed attempts.

SSP-3233 (Engine) - (HTTP) NPE in SSO portal after Jetty upgrade
After the upgrade to Jetty 9.4.12, if the SSO configuration for the HTTP adapter uses the FQDN (Fully Qualified Domain Name) of the SSP engine host as the SSO cookie name, the HTTP Portal page can fail to load. It throws a Null Pointer Exception (NPE) in the secureproxy.log and the portal page is not displayed.
Resolution: Now make a check for a null domain value to avoid the NPE.
Workaround: If "a.b.c.d" is the FQDN in the SSO configuration, change it to ".b.c.d" until this fix can be applied.

MFT-10004/IT27002 (Engine) - (SFTP) Unable to upload files > 32k
After applying the fix for MFT-9961, the Customer was unable to upload files larger than 32k with SFTP. Some clients could transfer up to 1MB before stalling.
Resolution: The Maverick server toolkit sshd-1.6.47 has issues with window sizes during transfers. Reverted back to the sshd-1.6.45 build, which still contains the fix for the signature exceptions found in MFT-9961.

SSP-3234 (CM,Engine) - Correct missing ActiveMQ lib
Resolution: Now include the hawtbuf-1.11.jar, needed for ActiveMQ.

SSP-3229/ (Engine) - (SEAS) Support for OpenDJ LDAP server
Resolution: Now support the OpenDJ LDAP server for back end security queries and assertions.