=============================================================================== Maintenance for Sterling External Authentication Server SEAS6000 iFix 2 June 2019 =============================================================================== This cumulative maintenance archive includes fixes for the issues listed below. Contents: I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action II. Summary of Fixes by Patch/APAR (Latest iFix / FixPack first) III. Detailed Description of Fixes =============================================================================== I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action =============================================================================== ACTION - iFix images for HP, Solaris, and zLinux(s390) will no longer be placed on Fix Central. Contact Support if you need an iFix loaded to EcuRep. In SEAS6000 iFix 2 (June 2019): ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) disables anon and null cipher suites and includes a new parm for distrusting CAs. For more information, see the writeup below for PSIRT15330. In SEAS60000 iFix 1 (March 2019): NONE - In SEAS60000 GA (February 2019): ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced changes to disable SHA1 certificates. See PSIRT12959 and PSIRT13809 for more details. =============================================================================== II. Summary of Fixes by iFix / FixPack /APAR (Latest iFix / FixPack first) =============================================================================== ------------------------------------------------------------------------------- Fixes for SEAS 6.0.0.0 iFix 02 Build 135 (June 2019) ------------------------------------------------------------------------------- MFT-10204/IT28758 - Ldap bind failure after upgrade to 6.0 or 2432 iFix 4 MFT-10269/IT29043 - SEAS Custom Exit alternate URLs not attempted SEAS-686 - Log authentication failures in the audit log for command line utilities SEAS-321/ - Ability to set various fields in the GUI SEAS-434/ - Make TLSv1.2 the default protocol for secure connections SEAS-711/ - SAML token assertions without a signature in the response allowed to be validated SEAS-714/ - Provide a GUI option to specify whether SAML assertion responses must be signed MFT-10243/PSIRT15330 - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches ------------------------------------------------------------------------------- Fixes for SEAS 6.0.0.0 iFix 01 Build 110 (Mar 2019) ------------------------------------------------------------------------------- SEAS-452 - InstallAnywhere 2018 upgrade for Windows 2016 support SEAS-468/SEAS-465 - GUI description box for new SSO Token Group member does no data screening SEAS-696/No APAR - SEAS GUI Log level setting is not getting honored =============================================================================== III. Detailed Description of Fixes (in Defect ascending order) =============================================================================== PSIRT12959, - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for security PSIRT13809 patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle October 2018 level to satisfy the CVEs in PSIRT advisories 12959 and 13809. See http://www.ibm.com/support/docview.wss?uid=ibm10872778 for the Security Bulletin. ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced a change to disable SHA1 certificates via the jdk.certpath.disabledAlgorithms parameter in the /jre/lib/security/java.security file. For more information, read the comments in the java.security file which relate to the added parm: jdk.certpath.disabledAlgorithms= * * *, SHA1 jdkCA & usage TLSServer, SEAS-452 - InstallAnywhere 2018 upgrade for Windows 2016 support Resolution: Upgraded to InstallAnywhere 2018, which provides support for Windows 2016 Server. SEAS-468/SEAS-465 - GUI description box for new SSO Token Group member does no data screening SSO Token Synchronization was introduced in SEAS 6.0.0.0. The SSO Token Group tab contains a description field which allows any sort of unprintable data to be pasted in. Resolution: Now filter the data allowed in the SSO Token Group description field. MFT-10204/IT28758 - Ldap bind failure after upgrade to 6.0 or 2432 iFix 4 After upgrading to SEAS 6.0.0.0, the Customer's SEAS instance could not connect successfully to the LDAP server. The LDAP server was using a keycert with a Subject Alternate Name (SAN) extension which did not include the load balancer hostname in front of the LDAP server that SEAS was connecting to. Oracle Java level 1.8.0_181 introduced changes to improve LDAP support by enabling endpoint identification algorithms by default for LDAPS connections; this also results in stricter hostname validation. Resolution: Updated the startSeas.sh script (and equivalent Windows scripts and LAX files) to include a commented -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true parameter which the Customer can uncomment to correct the behavior. Another way to resolve the problem is to update the LDAP server certificate to include all possible hostnames that clients will try to connect to. MFT-10269/IT29043 - SEAS Custom Exit alternate URLs not attempted The Customer is using the custom exit for authentication through the SI XAPI "com.sterlingcommerce.component.authentication.impl.SIUserAuthExit". Within the profile they have coded the the properties specific to the SI connection: (http.auth.user=*; http.auth.password=*; url=*; alt.url.1=*) When the primary URL is active the authentication is successful, but when the URL is down, the SEAS does not try the alternate url and the authentication fails. Resolution: Improved the retry logic when the alternate SI URL fails to make sure the alternate is tried. SEAS-321/ - Ability to set various fields in the GUI Customers have been unable to change the default values for minimum password length, login lockout delay time and max login attempt in the GUI. Resolution: Include these new fields in Manage -> System Settings -> Globals. SEAS-434/ - Make TLSv1.2 the default protocol for secure connections SEAS formerly installed with TLSv1 as the default TLS protocol. Resolution: For new installs, make TLSv1.2 the default protocol everywhere a TLS secure connection is made. SEAS-686 - Log authentication failures in the audit log for command line utilities EAS was not logging the auth failures encountered by command line utilities in the audit log. Resolution: Now explicitly call the audit logger for auth failures in the command line utilities in the bin directory. SEAS-696/No APAR - SEAS GUI Log level setting is not getting honored After upgrading to log4j2 in SEAS 6.0, setting the log level in the GUI is not changing the log level used in the log being generated. Resolution: Updated the GUI to correctly change the logging level. SEAS-711/ - SAML token assertions without a signature in the response allowed to be validated When SEAS validates a token, it sends an assertion to the External Identity Provided and gets a response. It validates any digital signature in the response. However, internal testing revealed that it silently skips validation of the signature if the signature has been removed. Resolution: Now reject a token validation request when the token assertion response does not have a digital signature. See SEAS-714 for further updates. SEAS-714/ - Provide a GUI option to specify whether SAML assertion responses must be signed After SEAS-711, needed the ability to specify whether the SAML assertion responses require a digital signature. Resolution: Now provide a checkbox "Signed AuthnResponse" in the SSO Token screen to allow Customers to require that token assertions have a valid digital signature. MFT-10243/PSIRT15330 - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2019 level to satisfy the CVEs in PSIRT advisory 15330. See http://www.ibm.com/support/docview.wss?uid=ibm10885939 for the Security Bulletin. ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) introduced a change to disable anon and null cipher suites via the jdk.tls.disabledAlgorithms parameter in the /jre/lib/security/java.security file. If your site uses these suites for testing, update your java.security file to remove the last 2 parms: jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL ACTION - The java.security file includes a new parm for distrusting CAs: jdk.security.caDistrustPolicies=SYMANTEC_TLS For more information, see the writeup in the java.security file.