================================================================================
Fixlist for IBM Secure Proxy 6.0.0.0 FixPack 1 (SP6001) iFix 01
October 2019
================================================================================

This cumulative maintenance iFix includes the GA release of SSP Engine and SSP
Configuration Manager 6.0.0.0 as well as the fixes for the issues mentioned
below. The install images for the SSP Engine, CM and PS may be used to install
a new image or upgrade an existing image in place.

Contents:
  I.   HIPER fixes / Fixes requiring Action by iFix
  II.  Summary of Fixes by iFix/Build (Latest iFix / Builds first)
  III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

ACTION - iFix images for HP, Solaris, and zLinux(s390) will no longer be placed
         on Fix Central. Contact Support if you need an iFix loaded to EcuRep.

In SP6000 Fixpack 1 (SP6001) iFix 01 (October 2019):
HIPER  - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches. See
         PSIRT17288 for more details.
HIPER  - Possible vulnerability in Jetty server. See PSIRT16274, PSIRT16318.

In SP6000 Fixpack 1 (SP6001) iFix 00 Plus (September 2019):
ACTION - SSP can run out of threads if SEAS goes down and the SFTP adapter does
         not have failover coded. See MFT-10402.

In SP6000 FixPack 1 (SP6001) General Availability (August 2019):
ACTION - For a detailed list of the new features in the 6001 FixPack, please see
         https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.0/com.ibm.help.ssp.overview.doc/ssp_whats_new.html

In SSP6000 iFix 2 (June 2019):
ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) disables anon and null cipher suites and
         includes a new parm for distrusting CAs. For more information, see the
         writeup below for PSIRT15330.
ACTION - New feature to restrict access to pages under the /Signon directory. If
         you have added additional files or directories as part of customizing
         the Login portal (/Signon directory), you must add whitelist entries
         for them similar to the existing entries in the new
         /bin/portal/pages.properties file. See SSP-3542 for details.

In SSP6000 iFix 1 (March 2019):
NONE

In SSP6000 GA (February 2019):
ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced changes to disable SHA1
         certificates. See PSIRT12959 and PSIRT13809 for more details.

===============================================================================
II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
    Fixes are marked as Engine and CM (Configuration Manager)
===============================================================================

-------------------------------------------------------------------------------
Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 01 Build 124 Oct 2019
-------------------------------------------------------------------------------
MFT-10357/PSIRT16274,16318 (Engine,CM) - Security upgrade to Jetty 9.4.20
MFT-10485/IT30344 (Engine) - (SFTP) OutOfMemoryError "Java heap space" crash
MFT-10578/PSIRT17288 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for
    security patches.
MFT-10608/IT30643 (Engine) - (SFTP) Added client ciphers as well as negotiated
    ciphers in logging.

-------------------------------------------------------------------------------
Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 00 Plus Build 122 Oct 2019
-------------------------------------------------------------------------------
MFT-10541/IT30346 (CM) - (RESTAPI) userStore API update throwing exception on
    CLI.
MFT-10559/IT30200 (CM) - Jetty Http server uses incorrect certificate alias
MFT-10564/IT30532 (Engine) - Blacklist not displaying messages for SFTP protocol

-------------------------------------------------------------------------------
Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 00 Plus Build 119 Sep 2019
-------------------------------------------------------------------------------
MFT-10402/IT30050 (Engine) - *HIPER* (SFTP) OutOfMemory (out of threads) when
    SEAS goes down with no failover coded
MFT-10483/IT30076 (CM) - RESTAPI activity leads to OutOfMemory (OOM) full of
    AuthenticationResource, JMS objects
SSP-3530/ (CM) - REST API issues when importing from older CM
SSP-3810/ (CM) - REST API xsd failure for ssoConfig and sysGlobals
SSP-3833/ (CM) - RESTAPI failure on userstore entry without password policy.

-------------------------------------------------------------------------------
Summary of Fixes for SP6000 FixPack 1 (SP6001) GA Build 114 Aug 2019
-------------------------------------------------------------------------------
New Features - see
https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.0/com.ibm.help.ssp.overview.doc/ssp_whats_new.html
  o Support to include HTTP host header and client IP address in requests
    forwarded to backend HTTP servers
  o Additional configuration fields to support SSO and external SAML IdP
  o Support to export encrypted configuration data via RESTful APIs
  o Allow user to supply admin password at installation
  o Rebrand the product name to IBM® Secure Proxy

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 03 Build 203 Aug 2019
-------------------------------------------------------------------------------
SSP-3788/ (Engine) - Installation JPEG picture contains wrong product name

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 02 Plus Build 198 July 2019
-------------------------------------------------------------------------------
MFT-10422/IT29819 (Engine) - (HSM) FTPS data channel hangs during SSL handshake
    with HSM enabled
MFT-10444/IT29840 (CM) - RESTAPI script fails if the admin user is defined to
    use external authentication
MFT-10470/IT29827 (Engine) - HTTP 500 message for /Signon/login.html after
    upgrade to SSP6000 iFix 2+ B189.
SSP-3771/ - Add direction arrows ===> for readability in FTP logs

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 02 Plus Build 189 July 2019
-------------------------------------------------------------------------------
MFT-10207/IT29589 (Engine) - (HTTP) Getting myFileGateway "Session expired"
    popup using passthrough authentication

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 02 Build 181 June 2019
-------------------------------------------------------------------------------
MFT-10242/PSIRT15330 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for
    security patches.

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 01 Plus Build 177 June 2019
-------------------------------------------------------------------------------
MFT-9915/IT29131 (Engine) - Memory leak in logging area causes OutOfMemory
MFT-10325/IT29109 (CM) - RESTAPI Issues with importing keyDefEntries.
MFT-10341/IT29130 (Engine) - (HTTP) Directory traversal issue
MFT-10368/IT29310 (Engine) - SSP Nodes getting into deadlock state
MFT-10374/IT29318 (CM) - (RESTAPI) Unable to import keyDefEntries
MFT-10382/IT29278 (PS) - More Secure PS (MSPS) scripts on Windows have wrong
    service name
SSP-3542/ (Engine) - Only allow selected whitelisted pages under /Signon to be
    rendered by engine
SSP-3561/ (Engine) - HSM IBMPKCS11 sample config files
SSP-3597/ (Engine,CM,PS) - InstallAnywhere 2018 upgrade
SSP-3698/ (Engine) - Adapter and netmap logs going to secureproxy.log instead,
    missing log files

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 01 Plus Build 148 May 2019
-------------------------------------------------------------------------------
MFT-9906/IT28592 (Engine) - (HSM,CD) Intermittent timeout during SSL handshake
MFT-9976/IT28591 (Engine) - (HSM,CD) Unable to open HSM keystore during SSL
    Handshake
MFT-10129/IT27075 (Engine) - (HTTP) Failures in HTTP adapters after upgrade to
    SSP 3.4.3.2 iFix 3
MFT-10206/IT28929 (CM) - Problem with SSPcm certificate renewal process
MFT-10218/IT28554 (Engine) - SSP sending FTP STOR command multiple times,
    leading to '451 - session in inconsistent state'
MFT-10219/IT28683 (Engine) - (SFTP) All SFTP clients timing out connecting to
    back end SFTP adapters
MFT-10241/IT28986 (CM) - SSPRestAPI fails with SNI handshake from client
MFT-10250/IT29018 (Engine) - OutOfMemory during SFTP transfer after upgrade
MFT-10257/IT28968 (Engine, CM) - Sporadic loss of data during bulk transfer of
    multiple files via FileZilla FTP client
SSP-3023/RTC569596 (CM,Engine) - (SFTP) Upgrade Maverick to latest 1.7.xx for
    additional ciphers
SSP-3132/ (CM,Engine) - Make TLSv1.2 the default protocol for secure connections
SSP-3525/ (CM) - SSO Configuration allowing invalid characters
SSP-3531/ (CM) - Correct legacy "TLS_ONLY" value to correct JSSE equivalent
SSP-3592/ (Engine) - Prompt for HSM password in configureHsmPassword utility
SSP-3660/ (Engine) - Add limit to number of data buffers being cached in FTP

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 01 Build 115 Mar 2019
-------------------------------------------------------------------------------
MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending
    with *
SSP-2968/No APAR (CM) - Allow HTTP response header overrides
SSP-3109/SSP-3578 (CM) - Better help in change password screen
SSP-3444/No APAR (CM) - Internal AppScan - CSRF - Login SSPNonce
SSP-3446/No APAR (CM) - (GUI) Adapters listed out of order in monitor
SSP-3451/No APAR (CM) - (GUI) Ensure HTTP Header values only have ASCII
    characters
SSP-3458/No APAR (CM) - Internal AppScan - HTTP cookies
SSP-3511/No APAR (CM, Engine) - (PeSIT) Netmap not accepting wildcard entries
SSP-3515/No APAR (Engine) - Improving messages for PeSIT user blacklisting
SSP-3525/No APAR (CM) - SAML 2.0 related field validations
SSP-3579/No APAR (CM) - SFTP netmap peer address pattern with multiple "?"
    wildcards fails with PatternSyntaxException
SSP-3584/SSP-3597 (CM,Engine,PS,SEAS) - Support for Windows 2016
SSP-3606/No APAR (CM) - (REST API) Unable to import XML with httpSecurityHeaders

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
     Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter)
===============================================================================

PSIRT12959, PSIRT13809 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP27 (8.0.5.27)
    for security patches.
  Resolution: Update the JRE 1.8 to bring it up to the Oracle October 2018
  level to satisfy the CVEs in PSIRT advisories 12959 and 13809. See
  http://www.ibm.com/support/docview.wss?uid=ibm10872758 for the Security
  Bulletin.
  ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced a change to disable SHA1
  certificates via the jdk.certpath.disabledAlgorithms parameter in the
  /jre/lib/security/java.security file. For more information, read the
  comments in the java.security file which relate to the added parm:
    jdk.certpath.disabledAlgorithms= * * *, SHA1 jdkCA & usage TLSServer,

MFT-9906/IT28592 (Engine) - (HSM,CD) Intermittent timeout during SSL handshake
  When using an HSM device to store SSL private keys, the SSL handshake
  sometimes timed out because it took longer than 5 minutes to pull the key
  from the keystore. The PNode disconnected due to timeout.
  Symptom: CSP900E Logged Exception : java.net.SocketException: Underlying
  socket is not connected
  Resolution: Eliminated 2 redundant loads of the HSM keystore which were
  causing a delay. Also added some extra debug to help track the flow leading
  up to the handshake.

MFT-9915/IT29131 (Engine) - Memory leak in logging area causes OutOfMemory
  A slow memory leak in the log4j2 logging subsystem led to an OutOfMemory
  (OOM) exception crash of the SSP engine after several weeks. Analysis of the
  heap dumps showed the following:
    The class "org.apache.logging.log4j.core.appender.AbstractManager"
    occupies 1,904,050,896 (89.23%) bytes. The memory is accumulated in one
    instance of "java.util.HashMap$Node[]".
  For each new session in which logging was enabled, the logging system was
  adding a new appender to write to the log file, even though in most cases
  one already existed for that file.
  Resolution: Corrected the logic which decided whether a new logging appender
  was required so that duplicate entries would no longer accumulate and cause
  an OOM exception.

MFT-9976/IT28591 (Engine) - (HSM,CD) Unable to open HSM keystore during SSL
    Handshake
  Customer running a Gemalto (Luna) HSM device was unable to open the device
  during an SSL handshake for a CD process. The HSM keystore passphrase
  supplied with the configureHsmPassphrase.sh was not working.
  Symptom: CSP900E Logged Exception : java.io.IOException - Vendor defined
  error (0x80000067)
  Resolution: Now correctly provide the HSM passphrase to the Luna device at
  SSP initialization time so it can be initialized. Also added better stack
  traces to help show if the problem is in IBMPKCS11, JSSE, or HSM code.

MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending
    with *
  On the Netmap Inbound Node Definition screens for CD, FTP, HTTP, and SFTP,
  the ability to have peer address patterns which started or ended with *,
  ex: *.company.com or www.company.*, was broken. Also known internally for the
  SSP6000 branch as SSP-3562. SSP-3357 provided REST API support to match the
  GUI changes.
  Resolution: Corrected the parser which was keeping these patterns from
  working.

MFT-10129/IT27075 (Engine) - (HTTP) Failures in HTTP adapters after upgrade to
    SSP 3.4.3.2 iFix 3
  After Customer applied SSP3432 iFix 3, certain HTTP transactions were
  failing with:
    SSP175E Invalid HTTP Request method. Client possibly attempting SSL/TLS
    connection.
    SSP0231E Invalid data from client (Exception unmarshalling) -
    com.sterlingcommerce.csp.jetty.io.ValidationFailedException, null
  Resolution: Now wait until a full request line is received before calling
  validateMethod().

MFT-10206/IT28929 (CM) - Problem with SSPcm certificate renewal process
  When using the CM GUI to update a keycert which is also used for connecting
  to SEAS, the copy of the certificate in /conf/system/cmkeystore is not
  updated. If CM users are authenticated by SEAS, the connections to SEAS fail
  with an expired certificate. During connections to SEAS from the CM, the
  truststore and keystore entries needed for the connection were being copied
  from the configuration to the cmtruststore and cmkeystore, respectively, to
  assist in the connection. But if an entry already existed, it was not
  updated.
  Resolution: Updated the CM code which connects to SEAS to build the
  temporary keystore and truststore in memory rather than updating the files
  in /conf/system.

MFT-10207/IT29589 (Engine) - (HTTP) Getting myFileGateway "Session expired"
    popup using passthrough authentication
  Since the Jetty upgrade in 3.4.3.2 iFix 2 Plus Build 263, Customers were
  getting several strange behaviors connecting to myFileGateway via HTTP doing
  passthrough. Customers who had the front end (inbound) connection secured
  and the back end (outbound) session non-secure were getting a "Session
  expired due to inactivity" popup immediately from myFileGateway. Other
  Customers found that even if both sides of the session were secured, when
  they logged off and back on, they got the "Session expired" message.
  Resolution: Corrected the code to send all cookies back and forth between
  the two sessions and to correctly send cookies based on the Security
  attribute.

MFT-10218/IT28554 (Engine) - SSP sending FTP STOR command multiple times,
    leading to '451 - session in inconsistent state'
  A client attempted to send a large number of files during a single FTP
  session through SSP to a B2Bi backend. The first few transfers succeeded,
  but then SSP happened to send the STOR command to the server twice in a
  row, causing the backend to respond with "451 Requested action aborted:
  session in inconsistent state". All subsequent uploads in the session then
  failed with the same error.
  Resolution: Corrected this timing issue by always clearing the cached
  command queue before returning to the 'CommandHandler' state.

MFT-10219/IT28683 (Engine) - (SFTP) All SFTP clients timing out connecting to
    back end SFTP adapters
  SFTP adapters were stalling when making connections to the backend SFTP
  server because a getLocalHost operation was hanging.
  Resolution: Updated the SFTP backend session setup logic to no longer do the
  getLocalHost operation to find the local NIC for the connection to the back
  end. This is already handled by the SSP local Perimeter Server code.
  Workaround: Supply the SFTP Adapter property sftp.listenAddress =
  nnn.nn.nnn.nn to supply the local NIC address.

MFT-10241/IT28986 (CM) - SSPRestAPI fails with SNI handshake from client
  The Customer replaced their factory certificate with a self-signed keycert
  using a wildcard in the common name: CN=*.si.com. When submitting the
  sspRestAPI.sh script, the TLS ClientHello message included a server_name
  extension, which caused the connection to fail with:
    /sspcmrest/sspcm/rest/session
    org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
  The REST API client was not inserting the HTTP Host header during the
  connection to the SSP CM, and Jetty on the CM server side was set to enforce
  SNI checking if the client indicated it.
  Resolution: Corrected the client side of the RESTAPI to allow the HTTP
  header host name to be set in sspRestAPI.properties so that it matches the
  CN of the Client's public key. Also changed the behavior of the CM to
  disable the SNI checking if the k=-Dssp.cm.jetty.sni.enable=false is set in
  the startCM.sh script.

MFT-10250/IT29018 (Engine) - OutOfMemory during SFTP transfer after upgrade
  Customer applied SSP3432 iFix 4 Plus Build 291 and encountered an
  OutOfMemory (OOM) crash when transferring files with SFTP. The build
  included a new Maverick toolkit which changed the way it managed buffers
  during transfers. The heap dump contained tens of thousands of
  com/maverick/ssh/Packet objects.
  Resolution: Updated the API calls to use the new CreatePacket method in the
  Maverick toolkit, which is the preferred method of managing the memory.

MFT-10257/IT28968 (Engine, CM) - Sporadic loss of data during bulk transfer of
    multiple files via FileZilla FTP client
  Customer attempting to upload 500 files with FileZilla was getting many
  files missing and missing data in the files which were transferred. The
  utility was sending data before SSP had signalled it was ready to receive.
  Resolution: Now maintain a temporary buffer to hold the data sent from the
  FTP client before SSP is ready to receive it. See also SSP-3660.

SSP-2968/No APAR (CM) - Allow HTTP response header overrides
  Resolution: Allow the user to override the default values for these
  response headers: X-Frame-Options, X-XSS-Protection, Content-Security-Policy,
  X-Content-Type-Options and Strict-Transport-Security.

SSP-3023/RTC569596 (CM,Engine) - (SFTP) Upgrade Maverick to latest 1.7.xx for
    additional ciphers
  The Maverick 1.6.x toolkit goes out of support at the end of 2019. Also,
  there have been requests for additional ciphers which are provided in the
  1.7.x toolkit.
  Resolution: Now utilize the Maverick J2SSH client and SSHD server toolkits,
  which also supply the following new algorithms:
    New ciphers: aes128-gcm@openssh.com, aes256-gcm@openssh.com
    New macs:    hmac-ripemd160, hmac-ripemd160-etm@openssh.com,
                 hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com
    New groups:  ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521,
                 curve25519-sha256@libssh.org

SSP-3109/SSP-3578 (CM) - Better help in change password screen
  When the password policy is used for CM users, there should be better
  messages in the change password screen.
  Resolution: Added popup assistance messages such as "Your password is
  required to contain at least one of the following characters `#@$%^&* " and
  "Confirm password must match New Password".

SSP-3444/No APAR (CM) - Internal AppScan - CSRF - Login SSPNonce
  An internal AppScan revealed that CM GUI sessions were using an insufficient
  authentication method.
  Resolution: Now validate the value of the "Referer" header and use a
  one-time nonce for each submitted form.

SSP-3446/No APAR (CM) - (GUI) Adapters listed out of order in monitor tab
  In the CM monitor tab, the Engine status lines were in alphanumeric order
  but the adapter lines were not.
  Resolution: Corrected the monitor screen to display the adapters in
  alphanumeric order.
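The SNI failure described under MFT-10241 above, modelled as an added Python example (not SSP or Jetty code): hostname_matches applies the RFC 6125 wildcard rule to the CN=*.si.com certificate quoted in the fix, and check_request applies the rule the fix describes, that a request on a connection where the client sent SNI must carry a matching Host header. The CM host name cm.si.com, the port 8443 and the sni_check_enabled parameter are assumptions, not product settings.

```python
"""Model of the check behind "400: Host does not match SNI" (MFT-10241).

Added example, not SSP or Jetty code. Assumptions (all hypothetical): the CM
presents a certificate with the wildcard subject CN=*.si.com quoted in the
fix, the REST client connects to a CM host named cm.si.com on port 8443, and
the server applies a Jetty-style rule that when the client sent a TLS
server_name (SNI) the HTTP Host header must name the same host. Wildcard
matching follows RFC 6125 section 6.4.3: '*' covers exactly one leftmost label.
"""
from typing import Dict, Optional, Tuple


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; '*' may only replace the leftmost label."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                        # "*.si.com" -> ".si.com"
    if not hostname.endswith(suffix):
        return False
    covered = hostname[: -len(suffix)]            # text the '*' would stand for
    return bool(covered) and "." not in covered   # one non-empty label only


def host_from_header(host_header: Optional[str]) -> Optional[str]:
    """Extract the host part of a Host header value, dropping an optional :port."""
    if not host_header or not host_header.strip():
        return None
    value = host_header.strip()
    if value.startswith("["):                     # "[::1]:8443" -> "::1"
        return value[1:value.index("]")]
    return value.rsplit(":", 1)[0] if ":" in value else value


def check_request(sni: Optional[str], host_header: Optional[str],
                  sni_check_enabled: bool = True) -> Tuple[int, str]:
    """Server-side decision for one HTTP request on a TLS connection.

    The check applies only when the client indicated SNI, and it can be
    switched off (the fix added a CM option for that; here it is a plain
    parameter, not the product's setting).
    """
    if not sni_check_enabled or sni is None:
        return 200, "OK"
    host = host_from_header(host_header)
    if host is None or host.lower() != sni.lower():
        return 400, "Host does not match SNI"
    return 200, "OK"


def scenarios() -> Dict[str, object]:
    """The situation in the fix, its two remedies, and a control case."""
    cn, cm_host = "*.si.com", "cm.si.com"         # constructed values
    return {
        # the client accepts the wildcard certificate for the host it dials
        "client_trusts_cert": hostname_matches(cn, cm_host),
        # but sends SNI with no Host header at all -> the reported 400
        "before_fix": check_request(cm_host, None),
        # remedy 1: host name set in sspRestAPI.properties, matching the CN
        "host_set": check_request(cm_host, f"{cm_host}:8443"),
        # remedy 2: SNI checking disabled on the CM side
        "sni_off": check_request(cm_host, None, sni_check_enabled=False),
        # a Host naming some other server is still refused while checking
        "wrong_host": check_request(cm_host, "other.si.com"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:>20}: {result}")
```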
SSP-3451/No APAR (CM) - (GUI) Ensure HTTP Header values only have ASCII
    characters
  HTTP headers need to be validated to make sure that values are in ASCII
  format.
  Resolution: Now validate the HTTP headers for ASCII data.

SSP-3458/No APAR (CM) - Internal AppScan - HTTP cookies
  An internal AppScan recommended some updates for HTTP cookies used to
  access the GUI.
  Resolution: Now set the domain and path for HTTP cookies containing session
  identifiers to an appropriately restricted value for the site.

SSP-3511/No APAR (CM, Engine) - (PeSIT) Netmap not accepting wildcard entries
  The PeSIT protocol netmap for inbound entries was not allowing wildcard
  patterns, such as "CX1*" or "CX2*", only a full wildcard "*" or full names.
  Resolution: Now allow the PeSIT netmap to accept peer address patterns.

SSP-3515/No APAR (Engine) - Improving messages for PeSIT user blacklisting
  When using the new blacklisting feature introduced in SSP 6.0, the IP
  address blacklisting works for PeSIT and indicates that the session was
  rejected because the address was blacklisted. But while the user
  blacklisting locked the PeSIT user, the log did not say it was because of
  blacklisting.
  Resolution: Now put out the SSP0511E message for a locked userid, which
  indicates the PeSIT account was locked due to blacklisting.

SSP-3525/No APAR (CM) - SAML 2.0 related field validations
  In the Advanced / SSO Configuration screen, the new SAML 2.0 fields
  introduced in SSP 6.0 were not being validated fully.
  Resolution: Now do URL validation for the Service Provider ID, External
  Portal Login URL, and External Portal Logout URL. Also, for Fully Qualified
  Host Names, added a similar validation for the Primary Destination Address
  field, which means the FQDN for SSO will not accept any kind of IP pattern
  or peer address pattern.

SSP-3579/No APAR (CM) - SFTP netmap peer address pattern with multiple "?"
    wildcards fails with PatternSyntaxException
  An SFTP netmap peer address pattern that contained two or more "?"
  characters was throwing the exception:
    java.util.regex.PatternSyntaxException: Dangling meta character
  Resolution: Now allow multiple ? characters in the SFTP netmap peer address
  pattern.

SSP-3584/SSP-3597 (CM,Engine,PS,SEAS) - Support for Windows 2016
  Resolution: Add support for Windows 2016. Upgraded all installers to use
  InstallAnywhere 2018 SP1.

SSP-3606/No APAR (CM) - (REST API) Unable to import XML with httpSecurityHeaders
  The new HTTP Security Header overrides introduced in SSP-2968 were not being
  handled correctly by the RESTAPI import tool.
  Resolution: Modified the SSP 6.0 sysglobals.xsd to accept the
  httpSecurityHeader & cookie domain fields.

SSP-3660/ (Engine) - Add limit to number of data buffers being cached in FTP
  This is an extension of MFT-10257.
  Resolution: Added new FTP adapter property ftp.max.data.buffers.cache=50 to
  limit the number of data buffers being cached in FTP to avoid an out of
  memory issue. The value must be an integer > zero and <= 999.

MFT-10325/IT29109 (CM) - RESTAPI Issues with importing keyDefEntries.
  Customer attempting to use the REST API to import a key certificate was
  getting, "Create key operation failed. - Error parsing request: expected
  root xml element to be elements but received keyStoreDef".
  Workaround: Set N=-DvalidateThruXSD=false in bin/startCM.sh.
  Resolution: Updated the XSD syntax definition file to allow the user to
  provide input xml with tag as the root. Also made changes to the
  createKeyDef, modifyKeyDefEntries and deleteKeyDefEntries apis to make them
  work correctly with the CLI. Now also removed the ability to add or delete
  certificates in the internal CM->System->Certificate Stores, since they do
  not allow updates from the GUI either.

MFT-10341/IT29130 (Engine) - (HTTP) Directory traversal issue
  Customer noticed that URLs including ..//..//, which is a common directory
  traversal hack, were being passed back to SI/SFG to be handled.
  Resolution: Added code to strip the intervening dots and slashes using
  canonical methods, further protecting the backend server.

MFT-10357/PSIRT16274,16318 (Engine,CM) - Security upgrade to Jetty 9.4.20
  Resolution: Update the Jetty server to satisfy the CVEs in PSIRT advisories
  16274 and 16318. See http://www.ibm.com/support/docview.wss?uid=ibm11095826
  for the Security Bulletin.

MFT-10368/IT29310 (Engine) - SSP Nodes getting into deadlock state
  After applying SSP3432 iFix 4 Plus Build 295, the Customer found that
  several nodes were hanging, caused by threads in a deadlocked state.
  Resolution: Corrected a locking mechanism introduced by defect MFT-10257
  which caused threads to be deadlocked.

MFT-10374/IT29318 (CM) - (RESTAPI) Unable to import keyDefEntries
  Customer exported their CM configuration using the RESTAPI but could not
  import it back in. They were getting:
    cvc-complex-type.2.4.a: Invalid content was found starting with element
    'keyauthReqdBeforePwdauth'
  Resolution: Updated the xsd definition file to allow the
  keyauthReqdBeforePwdauth keyword on import.

MFT-10382/IT29278 (PS) - More Secure PS (MSPS) scripts on Windows have wrong
    service name
  When installing a Perimeter Server on Windows as a More Secure PS, the
  startPSservice.cmd and stopPSservice.cmd scripts are generated without the
  engine hostname in the service name, so that they will not actually start
  or stop the service.
  Resolution: Updated the InstallAnywhere step for a More Secure Perimeter
  Server to add the Engine host to the Windows Service name:
    SSP_PerimeterServer_%EnginePort%_$EngineHost$

SSP-3132/ (CM,Engine) - Make TLSv1.2 the default protocol for secure connections
  SSP formerly installed with TLSv1 as the default TLS protocol.
  Resolution: For new installs, make TLSv1.2 the default protocol everywhere a
  TLS secure connection is made.

SSP-3525/ (CM) - SSO Configuration allowing invalid characters
  The CM->Advanced->SSO Configuration was allowing special characters other
  than "-", "_", "." and ":" in the "Fully Qualified Hostname" field.
  Resolution: Now ensure that the hostname value only uses standard
  characters.

SSP-3531/ (CM) - Correct legacy "TLS_ONLY" value to correct JSSE equivalent
  An older configuration may contain the "TLS_ONLY" protocol value, which
  resulted in "java.security.NoSuchAlgorithmException: TLS_ONLY SSLContext
  not available".
  Resolution: Now automatically convert TLS_ONLY to the correct JSSE
  equivalent.

SSP-3542/ (Engine) - Only allow selected whitelisted pages under /Signon to be
    rendered by engine
  Clients accessing the SSP HTTP proxy adapter login portal send requests with
  a URL path starting with /Signon/. Currently SSP will render any html pages
  and resources under the configured login dir (/Signon/).
  Resolution: Updated the Http Proxy in SSP to white list the html pages and
  other resources being rendered to the client. A new property file is
  created at /bin/portal/pages.properties. Secure Proxy will render only the
  files listed in this properties file. If a page request is made to a file
  not in the properties file, the following error is returned:
    Engine_host is currently unable to handle this request.
  ACTION: If you have added additional files or directories as part of
  customizing the Login portal (/Signon directory), you must add whitelist
  entries for them similar to the existing entries in the new
  /bin/portal/pages.properties file.

SSP-3561/ (Engine) - HSM IBMPKCS11 sample config files
  SSP was shipping the Luna 5.0 configuration file for Customers who use HSM
  boxes, even though that version is no longer supported.
  Resolution: Now ship the Luna 6.0 configuration file in the /conf directory
  and include all the supported IBMPKCS11 sample config files in a new file
  called /conf/PKCS11ConfigFiles.zip.

SSP-3592/ (Engine) - Prompt for HSM password in configureHsmPassword utility
  The configureHsmPassword utility only allowed specifying the HSM password on
  the command line, which exposes the password in the system log.
  Resolution: The configureHsmPassword utility now prompts for the HSM
  password and does not echo the typing.

SSP-3597/ (Engine,CM,PS) - InstallAnywhere 2018 upgrade
  Resolution: Upgraded to InstallAnywhere 2018, which provides support for
  Windows 2016 Server.

SSP-3698/ (Engine) - Adapter and netmap logs going to secureproxy.log instead,
    missing log files
  The fix for MFT-9915 caused the adapter and netmap logs to no longer be
  created, with all logging going to the secureproxy.log.
  Resolution: Corrected the fix to not create a new appender for a new session
  if the appender and logger already existed, but to use the existing proven
  method when starting to log to a new file.

MFT-10242/PSIRT15330 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP35 (8.0.5.35)
    for security patches.
  Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2019 level
  to satisfy the CVEs in PSIRT advisory 15330. See
  http://www.ibm.com/support/docview.wss?uid=ibm10885937 for the Security
  Bulletin.
  ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) introduced a change to disable anon and
  null cipher suites via the jdk.tls.disabledAlgorithms parameter in the
  /jre/lib/security/java.security file. If your site uses these suites for
  testing, update your java.security file to remove the last 2 parms:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
        EC keySize < 224, 3DES_EDE_CBC, anon, NULL
  ACTION - The java.security file includes a new parm for distrusting CAs:
    jdk.security.caDistrustPolicies=SYMANTEC_TLS
  For more information, see the writeup in the java.security file.

MFT-10402/IT30050 (Engine) - *HIPER* (SFTP) OutOfMemory (out of threads) when
    SEAS goes down with no failover coded
  Customer defined an SFTP adapter which uses SEAS External Authentication but
  did not have failover properties coded. When the SEAS became unreachable for
  several hours, new connections and load balancer pings continued to be
  directed to the SEAS for authentication until the JRE used up all available
  threads based on the numprocs allotted to the user. The adapter's max
  session value was ignored when in this state.
  Resolution: Firmed up the code in the following ways:
    1) When at the adapter max session count, shut down any new session
       without calling SEAS.
    2) If a new session comes in and EA is detected down, shut down the
       session and report a system failure to the caller.
    3) If EA authentication fails for any reason, since we do not have a
       token, bypass calling SEAS to invalidate the token during session
       shutdown.
  Workaround/Best practice: Define failover properties in each SFTP adapter
  that uses SEAS to ensure that when SEAS or SI is detected to be down, the
  adapter will turn off its listener to stop incoming traffic until SEAS and
  SI are detected to be up again:
    failover.detection.enabled  true
    failover.detection.mode     continuous
    failover.poll.interval      15   (seconds)

MFT-10422/IT29819 (Engine) - (HSM) FTPS data channel hangs during SSL handshake
    with HSM enabled
  The HSM keystore was taking a long time to load during the SSL handshake,
  which resulted in session timeouts.
  Resolution: Now load the HSM keystore during engine startup time and keep it
  in memory to speed up subsequent handshakes. Also, reload the HSM keystore
  periodically based on the value of the RELOAD_HSM_KEYSTORE_TIME parm in the
  /bin/security.property file, default 15 (minutes).

MFT-10444/IT29840 (CM) - RESTAPI script fails if the admin user is defined to
    use external authentication
  The RESTAPI was doing local authentication in addition to external auth
  when the admin user running the RESTAPI was defined as using EA.
  Resolution: Now properly authenticate users defined as external auth when
  running the RESTAPI.

MFT-10470/IT29827 (Engine) - HTTP 500 message for /Signon/login.html after
    upgrade to SSP6000 iFix 2+ B189.
The new blacklist/whitelist feature in SSP6000 was interfering with the portal pages (/Signon, etc.) on UNIX/Linux systems. The whitelist page list in /bin/portal/pages.properties used backward slashes for all the page names, which was only compatible with Windows systems.
Resolution: Changed all the whitelisted page names to use forward slashes as the path separator. The code now also converts the requested path to forward slashes before comparing, regardless of whether it is running on UNIX or Windows.

MFT-10483/IT30076 (CM) - RESTAPI activity leads to OutOfMemory (OOM) full of AuthenticationResource, JMS objects
The Customer is making heavy use of the REST API to update their configuration. After many sessions, the CM gets an OOM exception because the memory is full of AuthenticationResource objects. Also, at one point the Customer had JMS logging configured in the CM system tab without a JMS queue activated to receive the data, which filled the memory with JmsPublisherProxy objects.
Resolution: The AuthenticationResource session object is now cleaned up at the end of each RESTAPI session. Also, the number of queued JMS objects is now limited so that memory does not overflow when the JMS queue is not active.

MFT-10485/IT30344 (Engine) - (SFTP) OutOfMemoryError "Java heap space" crash
The SFTP adapter was adding to a backendRegistrarMap object each time a session opened a corresponding session to the back end SI server. However, in some cases the placeholder in the map was not cleaned out at logoff time. The heap dump showed that 91% of the memory was consumed by one class, "com.sterlingcommerce.cspssh.daemon.SftpAccessManager", and one object, java.util.HashMap$Node[].
Resolution: The session entry is now cleaned out of the backendRegistrarMap at logoff time.

SSP-3530/ (CM) - REST API issues when importing from older CM
Internal testing found several issues when importing a configuration with the REST API which had been exported from an older version of SSP.
The import produced syntax errors on the 'createdBy' and 'formatVer' elements, rejected expired certificates and cipher suites which had been deprecated, and did not replace the factory certificate.
Resolution: Updated the RESTAPI import logic to recognize and include artifacts from older versions, making upgrades between versions more seamless. After importing from an older version, review the imported certificates and cipher suites, since expired certificates and deprecated suites are now carried over rather than rejected.

SSP-3771/ - Add direction arrows ===> for readability in FTP logs
Resolution: Added directional arrows in the logging for FTP control channel traffic to make it easier to follow the flow of data between the client and SSP and between SSP and the back end server. Examples:
===> RECV fr Client:
SEND to Server ===>:
RECV fr Server <===:
<=== SEND to Client:

SSP-3788/ (Engine) - Installation JPEG picture contains wrong product name
Resolution: Updated the JPEG file to contain the correct product name.

SSP-3810/ (CM) - REST API xsd failure for ssoConfig and sysGlobals
XSD validation failures for ssoConfig and sysGlobals were preventing update and import operations.
Resolution: Updated the xsd files to include all the correct elements.

SSP-3833/ (CM) - RESTAPI failure on userstore entry without password policy.
REST API import of an SSP CM user was failing with "invalid passwordPolicy" when the user had no password policy assigned.
Resolution: CM users having no password policy can now be imported.

MFT-10541/IT30346 (CM) - (RESTAPI) userStore API update throwing exception on CLI.
After a userStore update operation using the RESTAPI Command Line Interface, if the xml contained "" the operation reported success but then produced the message:
org.xml.sax.SAXParseException: The processing instruction target matching "[xX][mM][lL]" is not allowed.
Resolution: The offending xml is now removed so the parse exception does not occur.

MFT-10559/IT30200 (CM) - Jetty Http server uses incorrect certificate alias
Customer added a new keycert with a new alias to replace their expired keycert.
However, when they attempted to log on to the GUI, they were presented with the expired certificate.
Resolution: Updated the HTTP server side code to ensure that the keycert alias listed in the configureCmSsl.sh -s utility is honored.

MFT-10564/IT30532 (Engine) - Blacklist not displaying messages for SFTP protocol
When an SFTP user was found on the blacklist, the session was terminated, but the reason was not logged.
Resolution: A new log message now shows that the blacklisted user's session has been terminated:
SSE2900 : UserId test3 is Blacklisted.Terminating session. /10.20.30.40:1234

MFT-10578/PSIRT17288 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches.
Resolution: Updated the JRE 1.8 to the Oracle July 2019 level to satisfy the CVEs in PSIRT advisory 17288. See http://www.ibm.com/support/docview.wss?uid=ibm11089580 for the Security Bulletin.

MFT-10608/IT30643 (Engine) - (SFTP) Added client ciphers as well as negotiated ciphers in logging.
After installing SSP3432 iFix 5, the Customer lost visibility in the logs of the SFTP clients' available ciphers and HMACs. The Customer needed this debug information for a project to ensure their clients would be able to run with stronger ciphers.
Resolution: Added back a DEBUG message, "Key Exchange Init Details :", which contains the key exchange algorithms, ciphers, MACs, etc. that the client is capable of. Another message, "Negotiated Ciphers Details :", shows the ones chosen for the session.
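Added example (editor's code, not IBM JRE or SSP code) for the java.security ACTION items under MFT-10242/PSIRT15330 above: a small Python audit that reads the java.security properties format, including the trailing-backslash line continuations the real file uses, and reports whether anon and NULL are still listed in jdk.tls.disabledAlgorithms and whether jdk.security.caDistrustPolicies is set. The file excerpt embedded in it is constructed, and the function and variable names are this example's own.

```python
"""Audit jdk.tls.disabledAlgorithms in a java.security file.

Added example for the MFT-10242/PSIRT15330 ACTION items in this fixlist;
it is not IBM JRE or SSP code. It parses the Java properties format that
java.security uses, including the trailing-backslash line continuations
the real file relies on, and reports whether the anon and NULL cipher
suite entries are still disabled and whether jdk.security.caDistrustPolicies
is set. The content below is a constructed excerpt, not the shipped file.
"""
import sys

SAMPLE_JAVA_SECURITY = """\
# Constructed excerpt in the layout of an 8.0.5.35+ java.security file
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.security.caDistrustPolicies=SYMANTEC_TLS
"""


def parse_java_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value, '#'/'!' comments,
    and a trailing backslash joining the next (whitespace-stripped) line.
    Escape sequences and the ':' separator are not needed for java.security."""
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        # blank and comment lines are skipped only outside a continuation
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical_line, pending = "".join(pending), []
        key, sep, value = logical_line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_tls_algorithms(props: dict) -> list:
    """Individual entries of jdk.tls.disabledAlgorithms, in file order."""
    value = props.get("jdk.tls.disabledAlgorithms", "")
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_tls_settings(text: str) -> dict:
    """Findings to check after the JRE upgrade. anon suites give no server
    authentication and NULL suites no encryption, so both flags should be
    True on a production system."""
    props = parse_java_properties(text)
    entries = disabled_tls_algorithms(props)
    lowered = {e.lower() for e in entries}
    return {
        "anon_disabled": "anon" in lowered,
        "null_disabled": "null" in lowered,
        "weak_dh_disabled": any(e.lower().startswith("dh keysize") for e in entries),
        "ca_distrust_policies": props.get("jdk.security.caDistrustPolicies"),
    }


if __name__ == "__main__":
    # Usage: python audit_java_security.py [/path/to/jre/lib/security/java.security]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAVA_SECURITY
    for name, result in audit_tls_settings(text).items():
        print(f"{name}: {result}")
```

Run it against the engine's, CM's and PS's own /jre/lib/security/java.security after applying the iFix; a site that removed "anon, NULL" for testing will see anon_disabled and null_disabled come back False, which is the state to revert before the system goes back into production.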
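Added example (editor's code, not SSP code) illustrating the MFT-10470/IT29827 fix above: a whitelist comparison in the pre-fix form, which compares the request path literally against entries written with backslashes and therefore fails on UNIX/Linux, beside the post-fix form, which converts both sides to forward slashes before comparing. The whitelist entries are constructed rather than copied from the shipped /bin/portal/pages.properties; the collapsing of '.' and '..' segments in normalize() is an extra hardening step assumed here, not something the fixlist says the product does.

```python
"""Separator-normalized page whitelist check.

Added example illustrating MFT-10470/IT29827 in this fixlist; it is not
SSP code, and the entries below are constructed rather than copied from
the shipped /bin/portal/pages.properties. buggy_is_whitelisted() shows
the pre-fix literal comparison that fails on UNIX/Linux when the entries
are written with backslashes; fixed_is_whitelisted() converts both sides
to forward slashes before comparing, as the fix describes.
"""
import posixpath

# Constructed whitelist, written with backslashes like the pre-fix file.
WHITELIST_BACKSLASH = r"""
\Signon\login.html
\Signon\images\logo.png
\Signon\css\style.css
"""


def load_whitelist(text: str) -> set:
    """One page path per non-blank line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def buggy_is_whitelisted(request_path: str, whitelist: set) -> bool:
    """Pre-fix behaviour: literal comparison, so a request for
    /Signon/login.html never matches an entry spelled \\Signon\\login.html."""
    return request_path in whitelist


def normalize(path: str) -> str:
    """Forward slashes on both platforms (what the fix describes), plus
    collapsing of '.', '..' and repeated slashes (an extra hardening step
    assumed in this example, not stated by the fixlist)."""
    p = path.replace("\\", "/")
    if not p.startswith("/"):
        p = "/" + p
    return posixpath.normpath(p)


def fixed_is_whitelisted(request_path: str, whitelist: set) -> bool:
    """Post-fix behaviour: normalize the request and every entry, then compare."""
    allowed = {normalize(entry) for entry in whitelist}
    return normalize(request_path) in allowed
```

If you customized the Login portal and added your own whitelist entries, this is the comparison your entries have to satisfy: spell them with forward slashes, or at least expect the engine to convert them, and keep the list to exactly the pages the portal needs.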
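Added example (editor's code, not SSP code) for the SSE2900 message introduced by MFT-10564/IT30532 above: detection logic that picks the blacklist terminations out of engine log lines, splits the user and the peer address, and counts terminations per source IP so that repeated attempts can be raised as an alert. The SSE2900 text is the one quoted in the fixlist; the timestamp prefix and the other sample lines are constructed to resemble an engine log, and the function names are this example's own.

```python
"""Extract blacklist terminations (SSE2900) from SSP engine log lines.

Added example for MFT-10564/IT30532 in this fixlist; it is not SSP code.
The SSE2900 message text matches the fixlist; the timestamp prefix and
the remaining sample lines are constructed to resemble an engine log.
"""
import re
from collections import Counter

# Constructed sample log; only the SSE2900 lines carry the quoted text.
SAMPLE_LOG = """\
2019-10-01 09:12:01.123 INFO  SFTP adapter sftp_ext listening on 0.0.0.0:2222
2019-10-01 09:12:44.010 WARN  SSE2900 : UserId test3 is Blacklisted.Terminating session. /10.20.30.40:1234
2019-10-01 09:12:45.811 WARN  SSE2900 : UserId test3 is Blacklisted.Terminating session. /10.20.30.40:1235
2019-10-01 09:13:02.002 WARN  SSE2900 : UserId admin is Blacklisted.Terminating session. /192.0.2.7:50112
2019-10-01 09:13:05.400 DEBUG Session 42 closed
"""

# Tolerates optional whitespace around the two periods in the message.
SSE2900_RE = re.compile(
    r"SSE2900 : UserId (?P<user>\S+) is Blacklisted\.\s*Terminating session\.\s*/(?P<peer>\S+)"
)


def parse_sse2900(line: str):
    """Return {'user', 'ip', 'port'} for an SSE2900 line, else None."""
    m = SSE2900_RE.search(line)
    if not m:
        return None
    peer = m.group("peer")
    # rpartition on the last ':' keeps an IPv6 host with embedded colons intact
    host, _, port = peer.rpartition(":")
    return {"user": m.group("user"), "ip": host, "port": int(port)}


def blacklist_events(log_text: str) -> list:
    """All SSE2900 events in the log, in order; unrelated lines are ignored."""
    events = (parse_sse2900(line) for line in log_text.splitlines())
    return [ev for ev in events if ev]


def repeat_offenders(log_text: str, threshold: int = 2) -> dict:
    """Source IPs with at least `threshold` blacklisted logon attempts."""
    counts = Counter(ev["ip"] for ev in blacklist_events(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} blacklisted sessions terminated")
```

Feed the engine's secureproxy.log (or the adapter log, now that SSP-3698 restores it) through blacklist_events() and forward the result to your SIEM; the per-IP count is the useful signal, since a single blacklisted user id arriving from many source addresses and the same address cycling through many user ids call for different responses.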