================================================================================
Sterling External Authentication Server (SEAS) Fix MFT-10243
Sterling Secure Proxy (SSP) April 2019 JRE Upgrade to IBM 8.0.5.35 - May 2019
Includes Jan 2019 and Apr 2019 PSIRTs.
================================================================================

This fix provides the Java Runtime Environment (JRE) only, with instructions
on how to install it in the Customer's environment. This brings the JRE to the 
Java 1.8 SR5 FP35 (8.0.5.35) fix level from the Oracle Java January and April
2019 security refreshes.

This fix is applicable to:
         SSP6000 (Engine, CM, and PS)
         SSP3432 (Engine, CM, and PS)
         SSP3420 (Engine, CM, and PS)
         SEAS6000
         SEAS2432
         SEAS2420

Alternately, the Customer may check the fixlist of the latest iFix cumulative 
maintenance package on Fix Central to see if it includes this level of Java.  
If not, the Customer may contact Support to request that the latest build with
this Java Runtime Environment be placed on the ECuRep server.

===============================================================================
Additional Notes on this Java Runtime Environment (JRE) update
===============================================================================

MFT-10242 (CM,Engine,PS) - Upgrade SSP Engine, CM, PS, and SEAS to
MFT-10243 (SEAS)           IBM JRE 8.0.5.35 for latest security patches.

  This APAR brings the JRE to the Java 1.8 SR5 FP35 (8.0.5.35) fix level from
  the Oracle Java April 2019 security refresh. It is not a full product install
  - Steps must be followed to download the new JRE for your platform(s) and
  installed for each portion of the product.

  In addition to addressing various vulnerabilities, the java.security file
  in the jre/lib/security directory disables the use of ANON and NULL cipher
  suites.

===============================================================================
    IBM Sterling Secure Proxy Instructions for Installing a New JRE
          from IBM Fix Central for the Security Advisory.
===============================================================================

 This process will allow the Customer to pull a new JRE from the IBM Fix Central
 site and replace the existing jre directory in the various installed instances
 of Sterling Secure Proxy (SSP) Engine, SSP Configuration Manager CM (CM), and SSP
 Perimeter Server (PS). The instructions are also valid for the Sterling External
 Authentication Server (SEAS).

 STEPS 1-3 ARE DONE ONCE AND CAN BE DONE WHILE THE PRODUCT IS RUNNING.
 Steps 4 and following must be done for each instance of the SSP Engine, SSP CM,
 SSP PS, and SEAS.

 Note:  <JRE> is the platform specific tar.Z or .zip file.
 
 1. Download the <JRE> refresh pack archive file from Fix Central to a work
    directory

 2. Extract the JRE refresh pack archive file in the work directory.
      On UNIX:
        cd <work>
        uncompress <JRE>.tar.Z or gunzip <JRE>.tar.Z
        tar -xvf <JRE>.tar
      On Windows: 
        Use WinZip or equivalent to extract the jre folder from the <JRE>.zip file
		into the <work> directory.

 3. Verify the version of Java works and is the one expected by the Security
    Advisory:
      On UNIX:
		cd <work>
		./jre/bin/java -version
	  On Windows:
		cd <work>
		jre\bin\java -version
	    
    See the description at the top of this README file for the version.


 STEPS 4 AND FOLLOWING ARE DONE FOR EACH INSTANCE OF THE SSP ENGINE, SSP CM,
 SSP PERIMETER SERVER and STERLING EXTERNAL AUTHENTICATION SERVER (SEAS).

 4. Make a backup of your target <SSP Installation> directory.

 5. Stop the target Sterling Secure Proxy Engine, Configuration Manager, 
    Perimeter Server and/or Sterling External Authentication Server instance.

 6. Rename the existing <SSP Installation>/jre directory to 
    <SSP Installation>/jre_old.

 7. Copy the new jre directory from the <work> directory to your
    <SSP Installation> directory

 8. Copy 2 security policy files from the jre_old/lib/security directory
    to the new jre/lib/security directory:

       US_export_policy.jar
       local_policy.jar

 9. For SSP, ensure the following 2 jar files are in the new jre/lib/ext
    directory. Otherwise, copy from the jre_old/lib/ext directory:

       commons-ssl.jar
       ibmpemkeystore.jar

 10. Start the target SSP/SSPCM/PS/SEAS instance

 11. If there are issues starting up the target instance with the new JRE
    a) Save a copy of the bin/startEngine.out file. (startCM.out for the CM)
    b) Rename the jre directory to jre_new, and jre_old to jre, and restart.

 12. Otherwise repeat this process (starting with step 4) for each SSP Engine,
     CM, SSP Perimeter Server, and Sterling External Auth Server install.