================================================================================ Fixes in Sterling Secure Proxy (SSP) 3.4.2.0 iFix 18 - June 2019 ================================================================================ This cumulative maintenance archive includes the GA release of SSP Engine 3.4.2.0 and SSP Configuration Manager 3.4.2.0 plus the fixes for the issues mentioned below. Contents: I. HIPER fixes / Fixes requiring Action by iFix II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first) III. Detailed Description of Fixes =============================================================================== I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action =============================================================================== ACTION - iFix images for HP, Solaris, and zLinux(s390) will no longer be placed on Fix Central. Contact Support if you need an iFix loaded to EcuRep. In SSP3420 iFix 18 (June 2019): ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) disables anon and null cipher suites and includes a new parm for distrusting CAs. For more information, see the writeup below for PSIRT15330. In SSP3420 iFix 17 (February 2019): HIPER - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for security patches - See PSIRT12959 and PSIRT13809 for more details. In SSP3420 iFix 16 (December 2018): HIPER - Possible vulnerability in Jetty server. See PSIRT12571/SSP-3041 HIPER - Possible vulnerability in Apache Active MQ. See PSIRT13307/SSP-3070 In SSP3420 iFix 15 (August 2018): HIPER - HTTP adapter issues when upgrading to B2Bi (SI) 6.0. Requires upgrade to SSP3420 iFix 15 - See SSP-3036 for details HIPER - Update JRE 1.8 to SR5 FP17 (8.0.5.17) for security patches - See PSIRT11819 for more details. In SSP3420 iFix 14 (May 2018): HIPER - Update JRE 1.8 to SR5 FP10 (8.0.5.10) for security patches - See PSIRT10955 for more details. In SSP3420 iFix 13 (April 2018): HIPER - SSP/SEAS code signing certificate expires June 21, 2018. Upgrade SEAS before that date to keep the SEAS Webstart GUI running. See RTC565487. In iFix 12 Plus (January 2018): HIPER - Update Apache Commons FileUpload toolkit for vulnerabiity - See PSIRT10042 ACTION - If you have customized the log4j property files, you will need to retrofit the changes after the upgrade from the backups provided. In iFix 12 (October 2017): HIPER - Update JRE 1.8 to SR4 FP10 (8.0.4.10) for security patches - See PSIRT9227 ACTION - Allow adding/manipulating HTTP headers from backend servers to front end browsers. See RTC552273. ACTION - The default SSP Factory Certificate, expired on December 1, 2017. See RTC541553 if you have not replaced it yet In iFix 11 Plus (June 2017): HIPER - EAProxy deadlock due to method serialization - see RTC538773 ACTION - If you use third party monitoring tools to monitor SSP or SEAS, please see RTC542640 for info on world-writable files. In iFix 11 BUILD367 (April 2017): HIPER - Upgrade to Java 1.8 for Java January 2017 security fixes ACTION - Java 1.8 will not install on Redhat 5. See RTC533801 for details ACTION - Java.security file disables Triple-DES (3DES-CBC) and DES ciphers. See RTC533801 for details In iFix 10 BUILD343 (January 2017): HIPER - Deadlock/hang in failover code - See RTC516359 for details HIPER - CD failures after upgrade from SSP3418 to SSP3430 iFix 2 - See RTC524219 for details and workaround HIPER - 100% CPU in Maverick toolkit after a few days - See RTC524897 In iFix 9 Build333 (December 2016): HIPER - See IT17228 for information on the upgrade to IBM JRE 1.7 SR9FP50 for the latest Java security patches in the CM, Engine and PS. HIPER - See "PSIRT 5869" for security patch related to commons-fileupload-1.3.2.jar HIPER - Thousands of sockets in TIME_WAIT when JMS listener down - See RTC522699 HIPER - System outage with too many open file handles - see RTC517621 Action - SFTP Hashmacs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and hmac-sha2-512, respectively. See RTC492052 for details Action - Allow server only certificates for CD client authentication. See IT18066 is you need to configure this differently. Action - Ability to externalize delay for CD HttpPingResponse. See IT18178 for details. Action - See IT15063 for information on configuring the SFTP rekey counts In iFix 8 Build286 (July 2016): HIPER - Session starts rejected in Perimeter Server due to "too many open files", or "max concurrent circuits reached" - See IT15041 for details In iFix 7 (March 2016): HIPER - Local PS getting high CPU / Fast wakeup messages - see IT14117 for for details HIPER - JRE7.0.9.30 upgrade turns off MD5 support by default - see IT13805 for details Action - Ensure no MD2/MD5/RC4 certificates or ciphers in use HIPER - Update to Apache Commons-collections library for PSIRT 4202 - See IT12342 for details Action - SFTP Hashmacs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and hmac-sha2-512, respectively. See RTC492052 for details In iFix 5 (September 2015): HIPER - Engine fails with CSP057E 16 Exception - java.lang.OutOfMemory Error: Java heap space - see RTC473228 for details In iFix 4 (August 2015): HIPER - TLS connection fails when local PS log level is set to DEBUG - see RTC471053 for details HIPER - SSP3420 C:D sessions getting java.net.SocketException: Too many open files - See RTC468626 for details In iFix 3 (June 2015): Action - JRE upgrade turns off RC4 support by default - see IT08982 for details In iFix 2 (May 2015): HIPER - SSP3420 crashes with OutOfMemory Exception when SFTP users get locked out *HIPER* - See RTC463125 for details HIPER - SSH Client using SFTP protocol version 4 fails after iFix 1 - See RTC463822 for details In iFix 1 (Mar 2015): Action - JRE upgrade turns off SSLv3 support by default - see IT07375 for details =============================================================================== II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first) Fixes are marked as Engine and CM (Configuration Manager) =============================================================================== =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 18 Build 470 (June 2019) MFT-10218/IT28554 (Engine) - SSP sending FTP STOR command multiple times, leading to '451 - session in inconsistent state' MFT-10219/IT28683 (Engine) - (SFTP) All SFTP clients timing out connecting to back end SFTP adapters MFT-10242/PSIRT15330 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches. MFT-10341/IT29130 (Engine) - (HTTP) Directory traversal issue SSP-3597/ (Engine,CM,PS) - InstallAnywhere 2018 upgrade =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 17 Build 466 (February 2019) PSIRT12959, (Engine,CM,PS) - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for PSIRT13809 security patches. RTC572605/IT25899 (Engine) - (CD) Upper and lower case node logs not created MFT-10035/IT27649 (Engine) - (CD) Routing type "PNODE_Specified, and then Standard (mixed)" fails to route to standard snode. =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 16 Build 462 (December 2018) No changes beyond iFix 15. =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 15 Plus Build 460 (November 2018) MFT-9961/IT26631 (Engine,CM) - (SFTP) Intermittent SignatureException PSIRT12571 (Engine,CM) - Upgrade SSP to Jetty 9.4.12 (See MFT-3041) PSIRT13307 (Engine,CM) - Update SSP to Apache Active MQ 5.15.6 (See SSP-3070) MFT-9898/IT26763 (Engine) - (HTTP) Userid included in URL query string parameter during password change MFT-9975/IT26788 (CM) - Adding cipher suite to External Auth definition gets System Error MFT-10004/IT27002 (Engine) - (SFTP) Unable to upload files > 32k =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 15 Plus Build 453 (September 2018) MFT-9925/IT26416 (Engine) - Allow Customer to override minimum DH Exchange key sizes =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 15 Build 452 (August 2018) SSP-3036/ (Engine) - (HTTP) B2Bi 6.0 rejecting HTTP requests with "400 Bad Message" error PSIRT11819 (CM,Engine,PS) - Update JRE 1.8 to SR5 FP17 (8.0.5.17) =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 14 Plus Build 446 (August 2018) RTC566772/IT25294 (Engine) - SFTP users unable to logon using "key and password" policy (session limit exceeded) RTC567627/ (Engine,PS) - Perimeter Server to allow setting keepAlive Values RTC568408/ (Engine) - Limit userid/password fields to 256 characters RTC570690/ (CM) - IBM Metric tools cannot detect SSPCM RTC572142/DT001321 (Engine) - FTP-SSL Customers on slow line getting 226 Transfer Complete on the Control Channel prior to all data sent =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 14 Build 439 (May 2018) PSIRT10955/10418 (Engine, CM, PS) - Update JRE 1.8 to SR5 FP10 (8.0.5.10) =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 13 Plus Build 438 (May 2018) RTC563781/IT24842 (Engine) - HTTP malformed upload causes hung state RTC566007 (CM, Engine, PS) - SSP crashes with HSM enabled RTC566337/IT24733 (Engine) - SSP SFTP Adapter will not start in FIPS mode RTC567354/IT24987 (CM) - Getting non-fatal stackOverflowExceptions in log of SILENT install of SSPcm =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 13 Build 434 (April 2018) RTC564992/ (CM) - SSPCM fails to start after upgrade if "admin" id previously deleted. RTC565487/ (CM,Engine) - SSP/SEAS code signing certificate expires June 21, 2018 =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 12 Plus Build 432 (March 2018) RTC556199/IT23554 (CM/Engine) - SSP import replace in HSM fails if key with same alias already exists in HSM RTC557073/IT23495 (Engine,CM) - Engine fails to start after upgrading from pre-SSP3420 RTC557173/IT23483 (Engine,CM) - PeSIT adapter cannot use TLS 1.1 and 1.2 PSIRT10042/IT12342 (CM) - Vulnerability in Apache Commons FileUpload RTC559115/IT23828 (PS) - Install failed - "CIP_List is not set" when interface not found RTC560800/IT24125 (Engine) - (CD) CSP057E KQV keyword "FSOK" found in FM71, but not defined in XML schema definition RTC561603/IT24112 (CM) - GUI listing AES ciphers for SSLv3 protocol RTC562430/(Enh) (CM) - Enhancement to improve listing of certificates to include chains and pkcs12 RTC563547/IT24449 (Engine) - Not encoding url correctly when SSP redirects to an external login page =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 12 Plus Build 424 (December 2017) RTC497412/ (Engine) - Inbound FTPS fails when client cert has server flag RTC503335/ (Engine) - (CD) Logging improvements for Certificate issues RTC507936/ (Engine, CM) - Unpredictable install directory when backspace settings not set correctly RTC522918/ (Engine) - Include content-length header in CD Health check ping response RTC550295/IT23475 (PS) - Perimeter Services Messages ALWAYS getting logged only under DEBUG RTC551786/IT23476 (Engine) - Updated Maverick to SSHD 1.6.41, J2SSH 1.6.34 RTC553906/ (Engine) - (HTTP) 'must change password' does not work if browser makes favicon request RTC554088/IT23494 (Engine) - Support EPSV and EPRT FTPs commands RTC554173/IT23167 (CM) - CM scripts not honoring the TLS protocol version from CM security Sytem Settings RTC554225/ (CM) - Poor error message when importing expired certificate RTC555530/ (Engine) - SFTP log showing parameter place holders: {1} RTC556393/ (Engine) - Improve SSP logging for C:D XDR keyword error RTC556544/ (CM) - Improve console output for sspRestAPI script when connection cannot be made. =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 12 Build 416 (October 2017) PSIRT9227 (Engine, CM, PS) - Update JRE 1.8 to SR4 FP10 (8.0.4.10) RTC503335/ (Engine) - (CD) Improve certificate failure logging RTC524639/ (Engine) - Bad format in one user auth key keeps SFTP RTC538332 adapters from coming up RTC528506/ (Engine,CM) - Remove/rename seas.log from CM, engine RTC548552/IT22537 (Engine) - Intermittent SFTP transfers through SSP show as an "ABORT" in SFG RTC550367/ (Engine) - Set correlator on EA failover ping request so it can be suppressed in EA log RTC552273/ (Engine) - Security Headers causing errors in rendering SSO HTTP proxy portal pages RTC554185/ (CM) - Unable to display and import certificate chains into truststore. =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 11 Plus Build 411 (October 2017) RTC488587/ (PS) - Show SSP version/build at startup in PS log RTC552345/IT22825 (CM) - SHA2 and SHA3 Cipher Suites not available when selecting "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 11 Plus Build 403 (September 2017) RTC505548/ (Engine) - CD Proxy shows CM monitoring status as active, though the less secure remote PS is down. RTC550068/IT22538 (Engine) - SFTP leaving leftover sessions. RTC551227/IT22491 (Engine) - Avoid Perimeter race condition causing C:D z/OS error message (SVTM091I and SVTM090I) =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 11 Plus Build 401 (September 2017) RTC528288 (CM) - Allow space char at end of SFTP Adapter prompt RTC547559/IT22014 (CM) - Allow REST API to run concurrently, support better format for encrypted passwords RTC550968 (Engine) - New HTTP headers cause problem with Chrome =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 11 Plus Build 397 (August 2017) RTC537305/IT20816 (Engine) - SSP Engine OutOfMemory (OOM) exception when CD adapter gets out of sync with local PS RTC504499/ (Engine) - (CD) Common name (CN=) can be last entry in subject. RTC541553/ (CM,Engine) - Factory cert expiring December 1, 2017 RTC542811/IT21439 (Engine) - SFTP with zlib compression is not working RTC543000/IT21407 (Engine) - Option to roll over log files at midnight RTC544511/IT21482 (Engine,CM) - New protocol option for TLSv1-v1.2 only RTC545321/IT21567 (CM) - (REST) Password corruption on HTTPnetmap RTC545903/IT21596 (Engine) - (REST) Error loading C:D Adapter with EA PS RTC546159/IT21867 (Engine) - Error resuming an SFTP transfer RTC546604/IT22033 (Engine) - SSP Engine needs to send HTTP security headers =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 11 Plus Build 378 (June 2017) RTC533345/ (Engine) - (CD) Session fails because "End user tried to act as a CA" RTC535517/IT20520 (Engine) - Error on first block when enabling data encryption RTC536899/ (CM) - SSP REST API import errors detected RTC538591/IT20896 (CM) - Error accessing certificates in the trusted keystore after upgrade from 3.4.1.8 RTC538758/IT20889 (Engine) - Avoid NPE when SFTP adapter shut down RTC538773/IT21115 (Engine) - (Failover) EAProxy deadlock due to method serialization RTC539383/IT20879 (CM) - Unable to see the all trusted certificates in Netmap > Outbound > Security RTC540353/IT20845 (CM) - RestAPI import failed with ERROR SspCMConfigService - sysGlobalsDef Host required RTC540861/IT21120 (PS) - PS upgrade fails to replace JRE when jre directory is owned by another user/group RTC542091/IT21139 (CM) - (CD) Include all ciphers for PNODE Controls RTC542503/IT21213 (CM) - (REST) Add more information to error message when importing SSH KeyDef RTC542640/IT21204 (CM,Engine,PS) - Turn off world-writable files =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 11 Build 367 (April 2017) RTC525304/ (Engine) - Performance test fails for HTTPS and FTPS RTC525694/IT18971 (CM) - Large certificate serial number appears incorrectly in SSPCM RTC527009/IT19026 (Engine) - FTPS client connects, but LIST command delayed RTC527354/IT19159 (CM) - TLS1.2 is not negotiating when FIPS mode ON RTC527355/ (CM,Engine) - SSP CM not PUSHing configured SSH Local User Keys to SSP Engine RTC528659/IT20207 (Engine) - SSP restarted due to OOM errors RTC528702/IT19672 (CM,Engine) Install failure causes secure protocols to fail after upgrade RTC529446/IT19332 (Engine) - Unable to use HSM keystore without password RTC529453 (CM) - Ship a separate security.properties for SSP CM RTC529530 (CM,Engine) (HSM) No longer ship setupHSM.bat or .sh and remove them if they exist. RTC530844/IT19443 (Engine) - (CD) Allow client-only certs in server authentication. RTC530859/IT19451 (Engine) - (CD) Accept "TLS" and change to "TLSv1" RTC532302/IT19647 (CM) - REST: Don't require truststore for http inbound node if client auth is not enabled RTC532854/IT19863 (CM) - REST API unable to use TLS1.2 to SSP CM Web RTC533058/ (CM,Engine) - Shutdown scripts hang with JRE 1.8 on AIX RTC533482/ (Engine) - CD transfers not working with SSLv3 RTC533580/ (CM) - REST unable to import exported configurations RTC533680/IT20027 (Engine) - RU size negotiated to 16259 when using Secure+ on one CD node and non-secure on the other. RTC533801/ (CM,Engine,PS) - Upgrade to Java 1.8 for Java January 2017 security fixes RTC533907/ (Engine,CM) - InstallAnywhere on Windows shows ERROR: Failure in the CopyJreLib step RTC534665/IT20206 (Engine) - Invalid CD copy step causesNullPointerException in PasCdCbDelegate.getLocalCBType() RTC534678/IT20082 (Engine) - ILMT not discovering Sterling Secure Proxy 3420 RTC535210/ (Engine) - RAS Enhancement - Add new switches for heap dumps and SSL debugging RTC536410/ (Engine) - Spurious RejectedExecutionExceptions in log during load testing RTC536506/IT20338 (Engine) - SFTP maverick log getting numerous exceptions for each SFTP logoff. No Defect (Engine) - Additional KQV values for C:D FM71 - ZEDC =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 10 Build 343 (January 2017) RTC524897/IT18695 (Engine) - 100% CPU in Maverick toolkit after a few days RTC525887/ (Engine) - FTPS data channel hangs when CEU is back end RTC526163/ (Engine) - Avoid erroneous PASV response from server =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 9 Plus Build 339 (January 2017) RTC517058/IT17567 (Engine) - FTPS data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3. RTC525081/IT18698 (Engine) - Numerous Maverick NullPointerExceptions in systemout.log after SSP3420 iFix 9 RTC525909/ (Engine) - Error messages "peer not authenticated" in load test logs for C:D sessions RTC525956/ (Engine) - SFTP concurrency test produces number of NPEs =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 9 Plus Build 338 (December 2016) RTC516359/IT18163 (Engine) - Deadlock/hang in failover code RTC523287/IT18529 (Engine) - SEAS-Agent timeouts are hanging other SFTP Adapters including ones not dependent on SEAS RTC524219/IT18552 (Engine) - CD failures after upgrade from SSP3418 to SSP3430 iFix 2 =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 9 Build 333 (December 2016) RTC512573/IT18260 (Engine) - HTTP connections fail with SSE0102E secure connection failures after upgrade to SSP 3.4.2 RTC517621/IT17983 (Engine,PS) - Too many open file handles lsof output “can't identify protocol” entries RTC518916/IT18164 (Engine) - CD "PNODE Host controls SSL Protocol" netmap setting fails in some circumstances RTC519253/IT18066 (Engine) - (CD) Allow server only certificates for client authentication RTC519510/IT18176 (CM,Engine) - Do not enforce common name checking if CD client authentication not turned on RTC520046/IT17985 (CM) - Unable to use a custom channel name in the JMS configuration RTC520758/IT18178 (CM) - Externalize delay for CD HttpPingResponse. RTC521075/IT18187 (CM) - 2 special characters in CM password when special characters required RTC521835/IT18266 (Engine) - Do not seed SecureRandom when using HSM with CD RTC522699/IT18216 (CM) - Thousands of sockets in TIME_WAIT when JMS listener down =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 8 Plus Build 325 (November 2016) RTC513451/IT17846 (CM,Eng) - Updated to use Maverick sshd 1.6.27, j2ssh 1.6.23, common 1.6.11 RTC514315/IT17373 (CM) - Remove comments from existing keycerts in SSP keystores RTC519253/ (Engine) - Allow server only certificates for client auth RTC519864/IT17988 (Engine) - 2 ciphers missing from supported ciphersuites list RTC519966/ (CM) - Admin user can't be deleted in SSPCM RTC520046/IT17985 (CM) - Unable to use custom channel name in the JMS configuration =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 8 Plus Build 320 (October 2016) No Defect/IT17228 (CM,Eng, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR9FP50 for latest security patches PSIRT 5869 (CM) - Updated to use commons-fileupload-1.3.2.jar RTC493866/ (Engine,PS) - Too many open file handles RTC496054/ (CM) - Error messages found in installation and CMS logs for both Engine and CM. RTC502863/IT16819 (CM,Eng) - (SFTP) Support hmac-sha256 & hmac-sha256@ssh.com RTC505522/IT16713 (Engine) - (FTP/S) Enabling CCC causes transfers to fail RTC508303/ (Engine) - (CD) CD Windows gets XXDR021I going to z/OS RTC510634/IT16823 (Engine) - (SFTP) SCP presents a RC 1 after successful GET RTC510635/IT16815 (Engine) - HSM certificates causing SSP0229E Exception RTC511478/RFE511476 (CM,Eng)- (SFTP) Force one line password prompt RTC511666/IT17151 (CM) - Unable to invoke iKeyman on Solaris 10. RTC513206/IT17358 (CM) - SSPCM allows the password change step to be bypassed RTC513984/ (Engine, - Enhancement to allow silent Installs for SSP, CM, PS) SSPCM, PS and SEAS RTC514315/IT17373 (CM) - Import of CA trusted file with multiple CA Certs gets corrupted RTC516459/IT17419 (CM) - The manageCSRs.sh script gets a NullPointerException when attempting to create a CSR =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 8 Plus Build 295 (August 2016) RTC505344/IT16081 (Engine) - Change password portal doesn't work if user is mapped from SEAS. RTC508526/IT16700 (CM) - IBM SSPCM User is notified when the login account becomes locked RTC508872/IT16456 (Engine) - SFTP public key auth failures cause locked accounts sooner in SSP3420. RTC509062/IT16642 (PS) - PS More Secure Install Issues on Windows =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 8 Build 286 (July 2016) RTC485398 (Engine) - C:D File transfers fail with certificate issues RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message from SSO login failure RTC495433/IT14514 (CM) - manageKeyCerts import fails with java.lang.NullPointerException RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open files", or "max concurrent circuits reached" RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped password not present RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine, Max concurrent circuits reached:4096 on PS RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading to SI 5.2.6.1. RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for PerimeterServerConfig RTC497092/IT14615 (Engine) - Engine Shutdown issue RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL handshakes RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the sftp_rekeycount limit in the adapter. RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to fail RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS enabled RTC502844/IT15531 (CM) - Unable to import PCKS12 SHA2 certs using configureCmSsl utility RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External Authentication RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns success but the node still exists RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a single Windows Service and starting/shutting down the PS service starts/stops all of them RTC505169/IT15947 (CM) - HTTP Security headers were missing. RTC505320/IT15946 (CM) - Traversal of SSP CM Webapp root RTC505321/IT16020 (CM) - Accessing SSP CM using expired session id RTC505585/IT15949 (CM) - SSP CM allows methods other than GET or POST RTC505702/IT16080 (CM) - Enhancements to password policy rules =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 7 Build 257 (March 2016) RTC480977/Enhance (CM,Engine) - (SFTP) Support for SHA2 macs and exchange No RTC /IT12342 (CM) - Update to Apache Commons-collections library for PSIRT 4202 No RTC / (PS) - Add info to differentiate SSP PS from SI PS RTC479958/IT13168 (Engine) - (FTP) Getting TLS security negotiation failed when retrieving 0 byte file RTC482830/ (Engine) - CD adapter port left in CLOSE-WAIT state when failover polling detects routing outage RTC485091/IT13200 (CM) - SSPCM may be vulnerable to a Cross Frame Scripting attack RTC486931/IT13592 (Engine) - (SFTP) Multiple Maverick stack-trace msgs logged when an SFTP client disconnects RTC488537/IT13196 (Engine) - (SFTP) Transfers getting occasional java.lang.ArithmeticException: / by zero RTC488638/ (CM) - Elliptical Curve EC private keys fail to import RTC488079/IT13769 (Engine) - (SFTP) SSH port forwarding allowed on SFTP adapter RTC492023/IT13805 (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 7.0.9.30 for latest security patches. RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched MAC names RTC492951/IT14035 (Engine) - (FTP) Debug logging show passwords in clear RTC493866/IT14117 (Engine) - (PS) High CPU, fast wakeups in local PS log =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 6 Build 231 (November 2015) SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to SSP3420/SSP3430 format before upgrade RTC468593/IT10631 (PS,Engine) - (PS) Proxy Local Interface does not setup listener on a specific interface. RTC475458/IT11735 (Engine) - C:D Adapter configuration push causes listener to mishandle new connections No RTC (Engine) - C:D Logging improvement to display client certificate during C:D Secure+ SSL handshake when client authentication turned on. RTC478044/IT11857 (Engine) - C:D Execute on Success Step Injection (RUN TASK) replaces variable with encoded characters RTC479400/IT12069 (CM) - Unable to import OpenSSL keycerts into SSP3420 System Certificate Store RTC480314/IT12099 (CM,Engine) - Incorrect timestamp showing in audit logs in SSP3420 RTC480325/IT12111 (Engine) - Stopping CD Adapter causes other adapters on same outbound PS to timeout RTC480882/IT11993 (Engine) - Mapped userid from SEAS is not honored when using SSO for SFTP and HTTP proxies RTC481064/ (Engine) - HTTP Proxy Adapter not catching invalid method =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 5 (September 2015) RTC473228/IT10611 (Engine) - (CD) Engine fails with CSP057E 16 Exception - java.lang.OutOfMemory Error: Java heap space *HIPER* RTC474077/IT10648 (Engine) - (CD) Getting non-fatal CSP057E 16 Exception: peer not authenticated on every transfer RTC474304/IT10682 (CM) - Logging Level reset to NONE when navigating netmap screens RTC461598 (Engine) - Various logging enhancements, mainly in CD processing JRE Upgrade (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 7 SR9 FP10 for latest security patches. RTC476225 (Engine,CM) - SSP3420 iFix 3 and 4 missing SSLv3 courtesy message at startup. =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 4 (August 2015) RTC465113/IT09708 (CM, Engine) - Unsupported PKCS8 format on SHA256 private key after upgrade to SSP3420 RTC465226/ (Engine) - Change from IBMSecureRandom to SHA2DRBG to remain FIPS 140-2 compliant beyond 2015 RTC466081/ (Engine) - SCP sessions time out (hang) RTC468626/IT09823 (Engine) - SSP3420 C:D sessions getting java.net.SocketException: Too many open files *HIPER* RTC468588/IT09809 (Engine) - Connections using Non-Secure+ on the pnode leg and Secure+ on the snode leg fail RTC469108/IT09790 (CM) - Unable to create PESIT nodes with the same IP/Port combinations RTC469924/IT10252 (Engine) - PeSIT unable to do LogonID mapping RTC469964/IT09808 (Engine) - In FIPS mode, cipher selection limited to non-ECDHE cipher suites under Java 6. RTC469968/ (CM,Engine) - Support for SSP Automatic Shutdown RTC471053/ (Engine) - TLS connection fails when local PS log level is set to DEBUG *HIPER* RTC472174/ (CM) - Error adding C:D netmap entries with duplicate IP/ports in SSP3420 RTC473126 (CM) - OutOfMemory error in CM after numerous large configuration updates No Defect (Engine) - Turned off JRE CBC protection to avoid C:D FMH failures after Secure+ handshake =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 3 Build 201 (June 2015) Enhancement (CM, Engine) - Support for SCP (SSH Secure Copy) in the SFTP adapter RTC469640/IT09670 (Engine) - Memory creep in SFTP when node level logging turned on. No Defect/IT08982 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM JRE 7 SR9 for latest security patches. =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 2 Build 169 (May 2015) RTC453484/IT06751 (CM,Engine) - Passwords partially visible on command line when pasting instead of typing RTC463125/IT08601 (Engine) - SSP3420 crashes with OutOfMemory Exception when SFTP users get locked out *HIPER* RTC462627/IT08718 (CM) - Unable to authenticate SSP CM users via SEAS & LDAP since upgrade of SSP 3.4.1.8 to 3.4.2 RTC463822/IT08800 (Engine) - (SFTP) SSH Client using SFTP protocol version 4 fails Minor Update (PS) - Increase Perimeter Server Maxheap to 1024M =============================================================================== Summary of Fixes for SSP 3.4.2.0 iFix 1 Build 157 (Mar 2015) RTC443906/IT04691 (CM) - REST API Unable to add C:D netmap entries RTC447381/IT05432 (CM) - REST API Creation of Perimeter Servers in More Secure zone fails RTC447386/IT05434 (CM) - REST API Unable to create engines listening on same port on different IPs RTC447746/IT05435 (CM) - REST API unable to create SSOConfig RTC448111/IT05497 (CM) - REST API Unable to add HTTP netmap entries RTC449216/IT05932 (CM) - REST API unable to add Properties with String values in SFTP Adapters RTC449220/IT05931 (CM) - REST API unable to add more than one Trusted Certificate for FTP Outbound netmap node RTC450252/IT06739 (CM) - REST API multiple issues with SSH keystores and netmaps. RTC451341/IT06259 (CM) - REST API: the setTrustedCertName method is not available for FTP Outbound Netmap RTC449219/IT07269 (Engine) - Transmission failure with checkpoint-restart and extended compression RTC451959/IT06748 (Engine) - SSP3420 error at startup when enabling syslog facility in log.properties RTC451962/IT06750 (Engine) - RuntimeException: Incorrect passphrase after upgrade to SSP3420 CM RTC453348/IT06749 (Engine) - SSP will not come up after replacing keystore passphrase with one having an ampersand RTC453767/IT07086 (CM) - REST API: Adding new key in invalid format gives successful return code. No Defect/IT06628 (Engine) - Upgraded Castor toolkit to address PSIRT vulnerability No Defect/IT07375 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default Enhancement (CM, Engine) - Dynamic routing based on inbound node, userid, or Connect:Direct PNode Enhancement (CM, Engine) - HSM Support using IBMPKCS11 provided with the IBM JRE No Defect/IT07778 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR8 FP10+IV70681 for latest security patches, including the FREAK vulnerability. RTC457005/IT07549 (Engine) SSP3420 won't start due to "incorrect passphrase". RTC458209/IT07550 (CM) REST API: Adapter creation fails if pingResponse field has spaces in its value RTC458216/IT07551 (CM) REST API: Create HTTP Adapters with REST APIs fails with SSO Configuration error RTC460780/ (CM,Engine) Certificate chaining error when selecting multiple CA certs =============================================================================== III. Detailed Description of Fixes (in Defect ascending order) Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter) =============================================================================== SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to SSP3420/SSP3430 format before upgrade Some Customers who upgraded to SSP3420/SSP3430 had SHA256 keycerts in PKCS#8 PEM format in their keystore, which is the way they were stored in the pre-SSP3420 CM. After upgrading, these keys could not be read by the new IBM toolkit, due to a couple of OID fields. Resolution: Now supply a new SspCMCertConvertUtil with the SSP3418 CM which can be run just before upgrading to SSP3430 to convert the keystore(s) in place to PKCS#12 format, which is the format that SSP3430 uses. Once the conversion is done, the SSP3418CM image must be upgraded immediately to SSP3430CM. Here are the steps for using the new script. 1) Obtain the latest 3418 maintenance (iFix 8+ or higher) and the latest 3430 maintenance (iFix 1 or higher) on Fix Central: http://www.ibm.com/support/fixcentral/swg/selectFixes? parent=ibm~Other%2Bsoftware& product=ibm/Other+software/Sterling+Secure+Proxy& release=3.4.1.8&platform=All&function=all 2) Shut down and back up your existing 341x Engine, CM and PS instances. 3) Upgrade the 341x CM to the latest 3418 SSPM CM patch 4) Run bin/SspCMCertConvertUtil.sh (or .bat) 5) Select Yes to convert existing 3418 SSP CM keycerts or select no to exit the script 6) If yes is selected, this script will first backup the entire SSP CM current conf instance 7) Script will then convert all SSP CM keycerts that are in 341x format into SSP3420/SSP3430 CM keycert format 8) Once the script runs to completion, upgrade the SSP CM, Engine, and PS instances to SSP3430 9) Note: Once the script is run, the SSP3418 conf directory may no longer be used for SSP3418. Either convert to SSP3430 or restore the backed up copy. Note: If there is a need to go back to 341x, restore the backed up copies. The alternative is to upgrade directly to SSP3430, import the PCKS12 versions of your SHA256 keycerts into your system key store and point your netmaps to the new versions. No Defect/IT07375 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default Note that with this new JRE, SSP only allow TLS sessions by default and will reject SSLv3 sessions. If the SSLv3 protocol is required until trading partners can switch to TLS, then for UNIX/Linux, add the -Dcom.ibm.jsse2.disableSSLv3=false property to the Java startup line(s) in the bin/startEngine.sh script. For Windows, add the property to the " lax.nl.java.option.additional=" line in the bin\SSPengine$.lax file. In addition, edit the /jre/lib/security/java.security to change the following line from jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768 to jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768 See http://www-01.ibm.com/support/docview.wss?uid=swg21695265 for more information. No Defect/IT07778 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR8 FP10+IV70681 for latest security patches, including the FREAK vulnerability. This brings the JRE to the Java 1.7 SR8 FP10 fix level from the Oracle Java January 2015 security refresh, plus the IV70681 APAR fix level, which addresses the recent “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability. See http://www-01.ibm.com/support/docview.wss?uid=swg21699829 for more information. RTC443906/IT04691 (CM) - REST API Unable to add C:D netmap entries Connect:Direct Netmap creation fails when running the REST API Sample program. The SSPCMRestService_*.log would display an error that states the netmap creation failed, and refers to the cms.log file. Resolution: Modified the validation logic to match what's done in the CM. RTC447381/IT05432 (CM) - REST API Creation of Perimeter Servers in More Secure zone fails When creating a perimeter server in the more secure zone using the REST API the following error will occur even if the localPort and the listenPort are equal: Create perimeterServer operation failed. - perimeterServerDef localPort and listenPort must be equal for type PERIMETER_SERVER_MORE_SECURE. Resolution: Correctly compare the localPort and listenPort, so that if they are equal the perimeter server will be created. RTC447386/IT05434 (CM) - REST API Unable to create engines listening on same port on different IPs When creating an engine using the REST API that has the same port as an existing engine the following error will occur even if the two engines are running on different hosts: EngineService - java.lang.Exception: Port in use. Pick a different port. StackTrace: java.lang.Exception: Port in use. Pick a different port. The HTTP response code from the REST API will be 406 Not Acceptable. Resolution: The code has been changed so that engines with the same port, but different hosts can be created. RTC447746/IT05435 (CM) - REST API unable to create SSOConfig When creating an SSO configuration using the REST API an error will occur if defApplicationUrl or ssoCookieDomain are not specified, even though these attributes should not be required. If the configuration has an internal portal type, then an error will occur if applicationLoginUrl is not provided, even though it should not be required. Resolution: The code has been changed so that these attributes are not required by the REST API. RTC448111/IT05497 (CM) - REST API Unable to add HTTP netmap entries When creating an HTTP netmap using the REST API, the following error will occur if any of the outbound nodes use a secure connection. Validation error: Invalid cipher suites specified. Valid cipher suites are[PNODE, SSL3-ONLY, TLS1-ONLY, TLS1, SSL3, TLS1/2HI, SSL3/2HI, SSL] Resolution: The code has been changed so that the correct list of valid cipher suites is used to validate outgoing nodes. RTC449216/IT05932 (CM) - REST API unable to add Properties with String values in SFTP Adapters When creating a C:D or SFTP adapter using the REST API it is not possible to create properties that have string values. For SFTP adapters, it is not possible to add more that one property to a single adapter. Resolution: The code has been changed so that SFTP and C:D adapters can have properties with string values. SFTP adapters created with the REST API can now have more than one property. RTC449219/IT07269 (Engine) - Transmission failure with checkpoint-restart and extended compression Customer using C:D Secure Plus transfer of large file using Checkpoint/ Restart, Extended Compression and SSL Blocking (SSLB) and a TCP comm.bufsize of 64k. At a specific point in the transfer, just before a checkpoint record is taken, SSP sends an RU with only 3 bytes of data and the receiving C:D z/OS does not handle it properly. The result is a decompression failure and MSG_SVTO022I. SSP was not correctly filling up the output SSL Blocking buffers which caused the 3 bytes to be sent in its own RU rather than in the larger 64k RU. Workarounds: Transfer with comm.bufsize of 48k, or raise the checkpoint interval. Resolution: Corrected the logic in the SSL Blocking class to add blobs to the outgoing SSLB buffer on the basis of size only and not limit the number of blobs per buffer. RTC449220/IT05931 (CM) - REST API unable to add more than one Trusted Certificate for FTP Outbound netmap node When creating a C:D, FTP, HTTP, or PeSIT netmap using the REST API, it is not possible to add more that one trusted certificate to inbound or outbound nodes in the netmap. Resolution: The code has been changed so that multiple trusted certificates can be added to a single node. RTC450252/IT06739 (CM) - REST API multiple issues with SSH keystores and netmaps. There are three separate issues with the REST API that have been corrected. The first issue is that when creating a new authorized user key store or adding a new key to an existing key store, the validation of the keys will fail even if the keys are valid. The response from the REST service will be ERROR com.ibm.sspcm.rest.services.KeyStoreService - Invalid SSH Trusted Key specified. Please verify the SSH trusted certificate key. The second issue is that when a netmap is created, or nodes are added to an existing netmap using the REST API, multiple nodes within the same netmap can have the same name. This applies to inbound nodes for C:D and PeSIT netmaps as well as both inbound and outbound nodes for HTTP, FTP, and SFTP netmaps. The third issue is that when adding a user to a user store there is no way to specify an SSH authorized key store and keys. Even if the keystore and keys are included in the request, the rest service will not add them to the user configuration. Resolution: For the first problem, the code has been changed to correctly validate user keys. For the second problem, a check has been added to ensure that multiple nodes within the same netmap do not have the same name. For the third problem, the rest service has been updated so that if an SSH authorized key store and keys are included in the request to add a new user, they will be added to the current configuration. RTC451341/IT06259 (CM) - REST API: the setTrustedCertName method is not available for FTP Outbound Netmap When creating an FTP netmap using the REST API, it is not possible to add a list of trusted certificates to an outbound node using the setTrustedCertName method. Resolution: Added the setTrustedCertName method for FTP outbound nodes. RTC451959/IT06748 (Engine) - SSP3420 error at startup when enabling syslog facility in log.properties When the syslog facility is activated in bin/log.properties for the SSP3420 Engine or CM, one would get an error like this at startup: Error while converting string [17] to type [class org.apache.logging.log4j.core.net.Facility]. Using default value [LOCAL0]. java.lang.IllegalArgumentException: No enum constant org.apache.logging.log4j.core.net.Facility.17 The new log4j2 toolkit did not understand the integer values from the previous toolkit. Resolution: Updated the code to convert the integer values to the required keywords used by log4j2. RTC451962/IT06750 (Engine) - RuntimeException: Incorrect passphrase after upgrade to SSP3420 CM Getting RuntimeException: Incorrect passphrase after upgrading the Sterling Secure Proxy Configuration Manager (SSPCM) from a prior version. During the upgrade of the SSPCM, the passphrase bootstrap file conf/system/sb.enc should have been changed to sb2.enc. At startup, SSPCM attempted to obtain the passphrase from the sb2.enc file and reported an incorrect passphrase. Resolution: Updated the install/upgrade code to ensure that the conf/system/sb2.enc file is created. Now read the passphrase from sb2.enc if it exists and sb.enc as a fallback. Also updated messages to more accurately pinpoint whether the passphrase problem is because of missing bootstrap files or because of an invalid entry. RTC453348/IT06749 (Engine) - SSP will not come up after replacing keystore passphrase with one having an ampersand The engine or CM may not start correctly after using bin/configureEngineSsl.bat (.sh) or bin/configureCmSsl.bat (.sh) to change the keystore password to a string containing special characters. Depending on the location of the special character in the string, the error message will be something like: Startup did not succeed. Terminating: com.sterlingcommerce.hadrian.common.xml.XmlParsingException: Error on line 10: The reference to entity "pass" must end with the ';' delimiter. Resolution: Code has been added to correctly handle special characters within passwords. RTC453484/IT06751 (CM,Engine) - Passwords partially visible on command line when pasting instead of typing If a password or passphrase is pasted into the command line instead of typed when running any of the scripts in the bin directory, all of the characters except for the last are visible. Resolution: The code which reads passwords has been updated with a better method of hiding passwords regardless of the speed at which the characters arrive. RTC453767/IT07086 (CM) - REST API: Adding new key in invalid format gives successful return code. When using the REST API to add certificates to an existing key store or certificate store, the rest service may return a successful response even if the request was not formatted correctly. The new key of certificate may not appear in the GUI, even though the response from the rest service was successful. It is also possible that the certificate or key will be created, but the certificate data field on the GUI will be empty. Resolution: The code validation has been updated to return an error message, and prevent the key or certificate from being added to the GUI if the request is invalid. Enhancement (CM, Engine) - Dynamic routing based on inbound node, userid, or Connect:Direct PNode Allow the outbound node to be chosen dynamically based on userid (for HTTP and FTP sessions), inbound IP address (for HTTP sessions) or the inbound PNode (for Connect:Direct sessions). See the Release Notes and online product documentation for SSP3420 iFix 1 for more information. Enhancement (CM, Engine) - HSM Support using IBMPKCS11 provided with the IBM JRE SSP is updated to use the IBM PKCS11 security provider that comes with IBM JRE to communicate and operate Hardware Security Module (HSM) adapters. See the Release Notes and online product documentation for SSP3420 iFix 1 for more information. RTC457005/IT07549 (Engine) SSP3420 won't start due to "incorrect passphrase". After changing the passphrase for the engine or configuration manager, it may fail to start with the error: Exception in thread “main” java.lang.RuntimeException:Incorrect passphrase. This error will occur if the encrypted password happens to contain the newline character as the first byte. Resolution: Now correctly handle encrypted passphrases with the newline character as the first byte. RTC458209/IT07550 (CM) REST API: Adapter creation fails if pingResponse field has spaces in its value Creating an HTTP, C:D, or PeSIT adapter using the REST API may fail if the pingResponse field contains spaces or special characters. The response from the REST service will be: 204 NO_CONTENT Please check the CMS log file for errors Create adapter operation failed. ERROR Valid characters for Name are:  "-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_." Resolution: The validation logic for HTTP, C:D, and PeSIT adapters has been changed to allow spaces and special characters in the pingResponse field. RTC458216/IT07551 (CM) REST API: Create HTTP Adapters with REST APIs fails with SSO Configuration error Creating an HTTP adapter using the REST API may fail if it references an SSO Configuration. Below is the response from the REST service even if the SSO Configuration exists. 204 NO_CONTENT Please check the CMS log file for errors Create adapter operation failed. ERROR SSO Configuration sso_config_name not found Resolution: Now correctly determine if the SSO configuration is valid. RTC460780/ (CM,Engine) Certificate chaining error when selecting multiple CA certs Customer upgraded to SSP3420 and discovered that when multiple certificates are selected in a netmap, sessions do not complete their SSL/TLS handshaking properly. PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error Resolution: Now properly trim the certs as the stream is fed into the TrustManager and ensure that all certs are delivered. RTC461598 (Engine) - Various logging enhancements, mainly in CD processing Various logging enhancements - Add CD adapter name and sessionid to messsages sent to syslog - Better diagnostics (not stack traces) when CD Secure+ sessions fail - Ensure CD Error sessions end with ERROR message, not INFO - Added dump of CD FMH68 from PNode at debug level - Cleaned up excessive linefeeds during TLS tracing in systemout.log - For minimal but effective TLS tracing in systemout.log, use the following in the SSP or SEAS java startup line: -Djavax.net.debug=ssl:handshake RTC462627|IT08718 (CM) - Unable to authenticate SSP CM users via SEAS & LDAP since upgrade of SSP 3.4.1.8 to 3.4.2 In SSP3420, if a customer is using seas to authenticate CM users and has ssl setup for this connection, then we are unable to secure the ssl connection between the cm and seas. To verify that the customer is seeing this issue, they will notice that if they look at the ssl output from the cm that they see the following: "RequestHandler Pool Worker - 2, handling exception: java.lang.IllegalArgumentException:" Resolution: The original problem was that the CM was unable to understand the certificate format that we are using in 3.4.2.0. We added support for the new format. RTC463125/IT08601 (Engine) - SSP3420 crashes with OutOfMemory Exception when SFTP users get locked out *HIPER* In SSP3420, when an SFTP user gets locked out after 3 failed login attempts, the subsequent attempts against the userid are rejected, but the session count gets incremented and the session objects are not freed, eventually resulting in an OutOfMemory exception which crashes the Engine. This issue is considered High Impact PERvasive (HIPER) The logs will show many sessions with SSE2612 ... Login prevented (account locked). User xxx ... Followed by a SSE2654 Session limit of xxx has been exceeded and eventually (likely days later) an OutOfMemory exception which takes the engine down. Resolution: Now detect the failed login attempt and call the logoff operation to decrement the session count and free the session memory. RTC463822|IT08800 (Engine) - (SFTP) SSH Client using SFTP protocol version 4 fails In SSP3420, if a customer is using an sftp client configured to use an sftp version of 4 or higher, the Customer will have issues during the handshake. Depending upon this client, this may present itself as an issue in opening up the root directory. Resolution: SSP had an issue in how we handle the initial handshake in sftp SSP only supports sftpv3, but during a handshake we were allowing a client to continue using sftpv4 or above. We added code to make sure that an sftp handshake negotiates to version 3, which allows for SSP to correctly negotiate the sftp version between the client and backend server. Minor Update (PS) - Increase Perimeter Server Maxheap to 1024M Resolution: Increased the Perimeter Server Java MaxHeap from 512M to 1024M. Also, as a reference, the PServer_install.properties file in the install directory contains a line which identifies this as a SSP PS instead of a B2Bi (SI) PS. # ## IBM Sterling Secure Proxy (SSP) Perimeter Server ## No Defect/IT08982 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM JRE 7 SR9 for latest security patches. This revision of the JRE turns off the RC4 cipher suites and turns on CBC protection by default. See http://www-01.ibm.com/support/docview.wss?uid=swg21903468 for more information. Enhancement (CM, Engine) - Support for SCP (SSH Secure Copy) in the SFTP adapter Enhancement to add the SCP protocol to the SFTP adapter. RTC465113/IT09708 (CM, Engine) - Unsupported PKCS8 format on SHA256 private key after upgrade to SSP3420 SSP3418 Customer had a keycert with a private key signed using a SHA256 algorithm (generated by Certificate Wizard). When the Customer upgraded to SSP3420, the SSL handshake failed with the message Exception processing input certificate - java.security.cert. CertificateException - Unsupported PKCS8 format. oid1=[1.2.840.113549.1.5.13], oid2=[1.2.840.113549.1.5.12] Workaround: Use the following steps in Certificate Wizard to put the keycert into PKCS12 format so that it can be imported into the SSP CM: 1) Starting with the keycert in PEM format (contains "Begin Private Key") 2) Bring up the Certificate Wizard and navigate to the "Generate Key Certificate" tab 3) Enter the private key part of the pkcs8 keycert in the private key file edit field 4) Enter the rest of the certificate(s) from keycert in the certificate file name field. You can try specify the same keycert file for both and it may pick the pieces it needs. 5) Choose the output keycert format - PKCS12 and generate the output file 6) Import the pkcs12 keycert into the CM. Resolution: If the keycert used in the above workaround contains multiple CA's, this fix will allow the generated PKCS12 file to be imported into the SSPCM. RTC465226/ (Engine) - Change from IBMSecureRandom to SHA2DRBG to remain FIPS 140-2 compliant beyond 2015 The IBMSecureRandom Pseudo Random Number Generator will lose its FIPS compliance after December 2015. Resolution: Now use the SHA2DRBG generator to maintain FIPS compliance beyond 2015. RTC466081/ (Engine) - SCP sessions time out (hang) SCP sessions can hang, caused by a deadlock situation between 2 threads: [thread-1] is waiting to lock com.maverick.events.EventServiceImplementation which is held by [thread-2]. [thread-2] is waiting to lock com.maverick.ssh2.Ssh2Session which is held by [thread-1]. Resolution: Removed a fireEvent operation during a close call which was causing the deadlock. RTC468588/IT09809 (Engine) - Connections using Non-Secure+ on the pnode leg and Secure+ on the snode leg fail When a Connect:Direct netmap has a non-Secure+ PNODE on the inbound side going to a Secure+ SNODE on the outbound side, the connection fails. Resolution: Now handshake properly on both sides of the connection so that the non-secure to secure connection will work. RTC468593/IT10631 (PS,Engine) - (PS) Proxy Local Interface does not setup listener on a specific interface. When installing the Perimeter Server with the "More Secure Zone" option and placing a specific IPAddr in the Proxy Local Interface option The PS listens on all interfaces instead of the specified local interface. Resolution: Now include updated Perimeter Server code which binds on selected Proxy Local Interface. RTC468626/IT09823 (Engine) - SSP3420 C:D sessions getting java.net.SocketException: Too many open files *HIPER* SSP3420 Customers running many simultaneous C:D transfers through SSP getting a java.net.SocketException: Too many open files error. These open files are sockets which have not been closed. Resolution: Now close every used socket at the end of a C:D transfer. RTC469108/IT09790 (CM) - Unable to create PESIT nodes with the same IP/Port combinations When defining a new node in a PESIT netmap with a duplicate IP and port, the save operation will fail with: "There is already a node with that address & port, named: xxxxxxxx." However, PESIT netmaps should allow duplicate IP/Port combinations as long as the nodename is different. Resolution: Now allow duplicate IP/Port combinations in PESIT netmaps as long as the nodenames are different. RTC469640/IT09670 (Engine) - Memory creep in SFTP when node level logging turned on. When running with logging turned on for SFTP inbound or outbound nodes in a netmap, a small memory leak occurs with every session. A logging appender was being allocated whether or not the log was already going. Resolution: Now properly check for an existing appender before creating a new one when doing SFTP node level logging. RTC469924/IT10252 (Engine) - PeSIT unable to do LogonID mapping The LogonID Mapping values in the PeSIT netmap were not being honored. Resolution: Corrected the PeSIT netmap logic to allow LogonID Mapping: - Pass-through for PNODE (Default) - Replace LogonID with LogonID mapped in External Authentication - Replace LogonID with Netmap LogonID RTC469964/IT09808 (Engine) - In FIPS mode, cipher selection limited to non-ECDHE cipher suites under Java 6. Resolution: Updated the FIPS module to allow ECDHE cipher suites when running in FIPS mode under Java 7, which is what is distributed now. TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 RTC469968/ (CM,Engine) - Support for SSP Automatic Shutdown Enhancement to allow shutting down the SSP CM or engine without prompting for a userid or password. Syntax: /bin/stopCM.sh mode=auto /bin/stopEngine.sh mode=auto RTC471053/ (Engine) - TLS connection fails when local PS log level is set to DEBUG *HIPER* TLS connection fails when Local PS log level is set to DEBUG on the SSP Engine Advanced TAB. Getting message: SSP0229E Exception Securing connection or Sending data, com.sterlingcommerce.perimeter.ssl.TLSInitException - java.lang.NullPointerException Resolution: Updated the perimeter.jar file, which corrects the NullPointerException. RTC472174/ (CM) - Error adding C:D netmap entries with duplicate IP/ports in SSP3420 Customer uses SSP to initiate C:D transfers to a trading partner with SSP in front of their system. In this case, all nodes on the remote system will use the same IP address and port. After applying SSP3420 iFix 2, the Customer could not add new nodes to their netmap, because they were flagged as duplicate IP/Port combinations. Resolution: Removed the check for duplicate IP/Port combinations in the C:D Netmap screens. RTC473126 (CM) - OutOfMemory error in CM after numerous large configuration updates When numerous large configuration updates are made in the GUI, the CM may get an OutOfMemoryError in the Java PermGen area: WARN AccepterImpl - Fast wakeup condition detected. ERROR AccepterImpl - Could not handle fast wakeup condition - before handleRequest - java.lang.OutOfMemoryError: PermGen space Resolution: Added the Java VM option -XX:MaxPermSize=512m in the startupCM.bat/sh and InstallAnywhere properties file SSPcm$.lax. No Defect (Engine) - Turned off JRE CBC protection to avoid C:D FMH failures after Secure+ handshake The IBM JRE1.7 SR9 in iFix 3 turned on CBC protection by default. The "protection" causes packets to be broken up into small pieces which some C:D instances cannot handle without new maintenance being applied. The CBC protection feature became available in 2011 for the BEAST vulnerability, which affects browser (HTTP client) sessions. Resolution: Added the -Djsse.enableCBCProtection=false to the startEngine.sh script so that C:D sessions will not be affected. RTC473228/IT10611 (Engine) - (CD) Engine fails with CSP057E 16 Exception - java.lang.OutOfMemory Error: Java heap space *HIPER* After applying SSP3420 iFix 3 and running multiple CD sessions, the SSP engine was going down with the message: CSP057E 16 Exception - java.lang.OutOfMemory Error: Java heap space A session object was being referenced by its object name rather than its sessionid and was not being freed correctly, causing an OutOfMemory condition. Resolution: Now reference the session object by its sessionid, so that its memory will be released at the end of the session. RTC474077/IT10648 (Engine) - (CD) Getting non-fatal CSP057E 16 Exception: peer not authenticated on every transfer When a Connect:Direct inbound node in the netmap specifies Secure+ but does not specify Client Authentication in the Security tab, the incoming sessions may get a spurious message CSP057E 16 Exception: peer not authenticated on every transfer, even though the transfer succeeds. Resolution: No longer put out the erroneous error message. RTC474304/IT10682 (CM) - Logging Level reset to NONE when navigating netmap screens When navigating in the CM GUI in the FTP, HTTP, and SFTP netmaps, the logging level in the Advanced tab may be reset to NONE when switching away from the Advanced tab. Resolution: Added checks to ensure the logging level in the Advanced tab is maintained when switching between tabs. JRE Upgrade (CM,Engine,PS) - Upgraded SSP Engine, CM, and PS to IBM JRE 7 SR9 FP10 for latest security patches. See http://www-01.ibm.com/support/docview.wss?uid=swg21965964 for more information. RTC475458/IT11735 (Engine) - CD Adapter configuration push causes listener to mishandle new connections When updating the listening port of a C:D adapter without stopping and starting the adapter, the configuration push leaves the adapter in an unusable state. It appears to be listening on the new port, but will not accept new connections. Connections which come in eventually time out and the sockets are left in CLOSE_WAIT status. Another similar scenario is when an external PS on the inbound side is brought down and back up, the C:D adapter port ends up in the same state as above. Resolution: Updated the C:D adapter listener code to properly handle the case when it loses connection to the listening port. It now re-establishes the listener correctly. RTC476225 (Engine,CM) - SSP3420 iFix 3 and 4 missing SSLv3 courtesy message at startup. A couple of courtesy messages were added to the startEngine.out and startCM.out files in SSP3420 iFix 2 to indicate whether SSLv3 was enabled. "Info: SSLv3 is disabled by default. Only TLS will be used." or "Warning: SSLv3 is allowed because -Dcom.ibm.jsse2.disableSSLv3=false is set." The product was honoring the ability to enable the SSLv3 protocol in iFix 3 and 4, but the courtesy messages were missing. Resolution: Updated the startup code to include the SSLv3 courtesy messages again. RTC478044/IT11857 (Engine) - C:D Execute on Success Step Injection (RUN TASK) replaces variable with encoded characters Some of the variables used in Step Injection parameters e.g DESTFILE, are not getting replaced properly. They are left in Base64 encoded mode when presented to the SNode. Resolution: Fixed an issue with the base64 encoding and decoding of the values for these replacement parameters. RTC479400/IT12069 (CM) - Unable to import OpenSSL keycerts into SSP3420 System Certificate Store After upgrading to SSP3420, Customer was unable to import system keys which start with "-----BEGIN RSA PRIVATE KEY-----", which is the native format for encrypted private keys generated by OpenSSL. Resolution: Updated the CM import code to be more inclusive of system key types to import. Now handle the RSA PRIVATE KEY format as well as the DSA PRIVATE KEY format. No RTC (Engine) - C:D Logging improvement to display client certificate during C:D Secure+ SSL handshake when client authentication turned on. No RTC /IT12342 (CM) - Update to Apache Commons-collections library for PSIRT 4202 An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Sterling Secure Proxy. See http://www.ibm.com/support/docview.wss?uid=swg21971412 for more information. SSP3420CM Build235 and above ships with the correct commons-collections-3.2.2.jar file. No RTC / (PS) - Add info to differentiate SSP PS from SI PS The installed copies of the SSP and SI versions of the Perimeter Server can be difficult to distinguish. An SSP PS should not be run by SI and an SI PS should not be run by SSP. Resolution: Added a file called SSP_PServer_install.properties in the SSP PS install directory to visually know that the PS installation is for SSP. RTC479958/IT13168 (Engine) - (FTP) Getting TLS security negotiation failed when retrieving 0 byte file When executing an FTP command that results in no data being returned on the data channel (such as retrieving an empty file), it is possible that a TLS handshake error will occur while trying to secure the data stream connection. Resolution: Added code to ensure the handshake completes before closing the data stream connection. RTC497412/ (Engine) - Inbound FTPS fails when client cert has server flag FTPS client fails the SSL handshake because it is using a certificate marked for Server use only. Resolution: Now provide better diagnostics in the error message so that the client can be instructed to get a certificate marked Client only or Server plus Client. Now the error message will say: [TLSCheck.certificateCallback] Entered: 4 (TRUST_ERROR_OTHER - could be server-only certificate used for client auth or client-only certificate used for server auth or broken chain, etc) RTC480314/IT12099 (CM,Engine) - Incorrect timestamp showing in audit logs in SSP3420 After upgrading to SSP3420, the Audit log tags and were missing, and the only timestamp