===============================================================================
Maintenance for IBM Secure External Authentication Server 6.0.1.1 (SEAS6011)
GA - June 2020
===============================================================================

This cumulative maintenance archive includes fixes for the issues listed
below.

Contents:

  I.   HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
  II.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
  III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

ACTION - iFix images for HP, Solaris, and zLinux (s390) will no longer be
         placed on Fix Central. Contact Support if you need an iFix loaded
         to EcuRep.

ACTION - It is a good practice to take a full backup of the install directory
         before putting on a new build.

In SEAS 6.0.1.1 (SEAS6011) GA Build 150 (June 2020):
  HIPER  - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches.
           See ADV0021791 and ADV0023736 for more details.

In SEAS 6.0.1.0 (SEAS6010) iFix 02 Build 126 (March 2020):
  HIPER  - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches.
           See PSIRT21787 for more details.

In SEAS 6.0.1.0 (SEAS6010) iFix 01 Plus Build 113 (February 2020):
  HIPER  - SEAS6010 gets "Invalid Client Alias" to LDAPs. See MFT-10847.

In SEAS 6.0.1.0 (SEAS6010) General Availability (January 2020):
  ACTION - For a detailed list of the new features in the 6010 release, see
           https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.1/com.ibm.help.seas.overview.doc/seas_whats_new.html
  ACTION - Installation issues with Docker containers. See SEAS-1190.

In SEAS6000 FixPack 1 (SEAS6001) iFix 01 Build 124 (October 2019):
  HIPER  - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches.
           See PSIRT17288 for more details.
  HIPER  - Possible vulnerability in Jetty server. See PSIRT16274 and
           PSIRT16318.

In SEAS6000 FixPack 1 (SEAS6001) iFix 0 Plus Build 122 (September 2019):
  HIPER  - Token synchronization fails during volume testing. See MFT-10545
           for details.

In SEAS6000 FixPack 1 (SEAS6001) General Availability (August 2019):
  ACTION - For a detailed list of the new features in the 6001 FixPack, see
           https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.0/com.ibm.help.seas.overview.doc/seas_whats_new.html

In SEAS6000 iFix 2 Plus Build 141 (July 2019):
  ACTION - SEAS sample exit changes provided for moving global variables to
           local. See SEAS-665 for details.

In SEAS6000 iFix 2 (June 2019):
  ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) disables anon and null cipher suites
           and includes a new parm for distrusting CAs. For more
           information, see the writeup below for PSIRT15330.

In SEAS6000 iFix 1 (March 2019):
  NONE

In SEAS6000 GA (February 2019):
  ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced changes to disable SHA1
           certificates. See PSIRT12959 and PSIRT13809 for more details.

===============================================================================
II. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
===============================================================================

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.1.1 (SEAS6011) GA Build 150 (Jun 2020)
-------------------------------------------------------------------------------
New features: see
https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.1/com.ibm.help.seas.overview.doc/seas_whats_new.html
  o Apply password policy for system passphrase and admin password for new
    installs - See SEAS-1234

MFT-11043/                   - Bind to Active Directory getting Unresolved
                               address
MFT-11147/IT33020            - CRL checking fails after upgrade to SEAS2432
                               iFix 7
MFT-11154/                   - GUI connection to SEAS secure port fails
MFT-11195/IT33131            - Mapped loginPwd not being processed properly
                               from IBM SDS
SEAS-692/                    - Add HTTP header Cache-Control: max-age=0
SEAS-970/                    - Uninstaller files deleted on upgrade on Linux
SEAS-1024/                   - GUI Auth exit radio buttons not warning if
                               class missing
SEAS-1184/SEAS-1194          - RESTAPI improved validation during import
SEAS-1205/                   - Set HTTP security headers on by default in GUI
SEAS-1234/                   - Apply password policy during new install for
                               system passphrase and admin password
SEAS-1255/SEAS-1257          - RESTAPI not encrypting LDAP ServicePrincipal
                               password during export of Authentication,
                               CertValidation profiles
SEAS-1259/ADV0021791/ADV0023736
                             - Update IBM JRE 1.8 to SR6 FP10 (8.0.6.10) for
                               security patches
SEAS-1261/                   - SEAS Root Logger settings not honored across
                               the product
SEAS-1341/                   - Add HTTP header Cache-Control: no-store
SEAS-1345/                   - SEAS health check monitoring overriding SEAS
                               log level

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 02 Plus Build 136 (Jun 2020)
-------------------------------------------------------------------------------
MFT-11155/IT32979            - SEAS GUI failed keystore password update
-------------------------------------------------------------------------------
Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 02 Plus Build 135 (May 2020)
-------------------------------------------------------------------------------
MFT-11017/IT32542            - Deliver new log4j2.xml during upgrades
SEAS-1233/                   - XML External Entity (XXE) vulnerability in SEAS
SEAS-1238/                   - CRUD033E Operation: update failed when setting
                               up LDAP Connection screen of LDAP
                               authentication profile
SEAS-1247/                   - Supply IP address of authenticated user in SSO
                               token validation response
SEAS-1249/                   - RESTAPI import error: Invalid content on
                               element 'passwordIsPlain'

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 02 Plus Build 130 (Apr 2020)
-------------------------------------------------------------------------------
MFT-10999/IT32375            - SEAS GUI SSO Token Signing Key value changed
                               when restarted
MFT-11001/IT32370            - SEAS GUI Health Check Monitoring (HCM) tab
                               won't save when HCM checkbox is checked from
                               WebStart GUI

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 02 Build 128 (Mar 2020)
-------------------------------------------------------------------------------
MFT-10898/                   - (Container) Cannot create APP_USER in the yaml
                               file with GID of 1001
SEAS-1148/                   - Improvements to Content-Security-Policy header
SEAS-1165/                   - (GUI) Able to delete a password policy that is
                               in use
SEAS-1177/                   - SEAS GUI tabs go away after changing Token
                               Manager value
SEAS-1183/                   - Do not allow password policy with expiration
                               for admins
SEAS-1200/PSIRT21787         - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for
                               security patches
SEAS-1201/                   - RestAPI encryption/decryption of passwords
SEAS-1230/                   - CERT008E Exception encountered doing cert
                               validation
SSP-4244/                    - (Container) Cannot start docker container after
                               stopping it

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 01 Plus Build 113 (Feb 2020)
-------------------------------------------------------------------------------
MFT-10847/IT31788            - SEAS6010 gets "Invalid Client Alias" to LDAPs
SEAS-992/                    - Improve validation in token synchronization GUI
                               panels
SEAS-1164                    - Password policy name fails to import with
                               RESTAPI
SEAS-1178                    - Custom exit connecting to invalid URL gets
                               nuisance msg

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 01 Build 110 (Jan 2020)
-------------------------------------------------------------------------------
SEAS-1145                    - System passphrase not getting validated during
                               upgrade when bootstrap is disabled
SEAS-1175                    - SEAS service not starting through command line
                               on Windows
SEAS-1190                    - Installation issues with Docker containers

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.1.0 (SEAS6010) GA Build 106 (Jan 2020)
-------------------------------------------------------------------------------
New features: see
https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.1/com.ibm.help.seas.overview.doc/seas_whats_new.html
  o Deploying IBM Secure External Authentication Server container in Red Hat
    OpenShift platform; Red Hat container certification
  o Support for Authentication and Post-Authentication Custom Exit added to
    SEAS Authentication Definitions
  o Secure External Authentication Server now extends support for Red Hat(R)
    Directory Server
  o Secure External Authentication Server support for Health Check
    Monitoring - see SEAS-1050
  o Support to prevent storage of passphrase required at startup using a
    utility - see SEAS-955
  o Support to change administrator password at installation
  o Support to associate password policy to a SEAS user account - see
    SEAS-685

SEAS-685                     - Support for Password Policy
SEAS-689                     - Do not log sessionids or sso tokens used for
                               authentication
SEAS-955,SEAS-944            - Generate unique encryption key at install time
SEAS-1050                    - Add support for SEAS health check monitoring
                               by ICC

-------------------------------------------------------------------------------
Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 02 Plus Build 142 (Dec 2019)
-------------------------------------------------------------------------------
MFT-10714/IT31373            - SEAS out of memory after 3 months
MFT-10717/IT31035            - Persistent sockets for token synchronization
                               group
SEAS-1078/                   - (RESTAPI) SEAS Import failing with Invalid
                               content error

-------------------------------------------------------------------------------
Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 02 Build 138 (Dec 2019)
-------------------------------------------------------------------------------
SEAS-919/                    - Support for Red Hat Directory Server (RDS)
SEAS-979/SEAS-980            - Support for pre-auth and post-auth custom exits

-------------------------------------------------------------------------------
Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 01 Plus Build 127 (Nov 2019)
-------------------------------------------------------------------------------
MFT-10653/IT30757            - SEAS not starting when LDAP principal password
                               contains an Ampersand (&)
MFT-10678/IT30921            - Upgrade to SEAS6001 iFix00Plus Build122 gets
                               wrong keycert, handshake failures

-------------------------------------------------------------------------------
Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 01 Build 124 (Oct 2019)
-------------------------------------------------------------------------------
MFT-10358/PSIRT16274,16318   - Security upgrade to Jetty 9.4.20
MFT-10579/PSIRT17288         - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for
                               security patches

-------------------------------------------------------------------------------
Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 00 Plus Build 122 (Sep 2019)
-------------------------------------------------------------------------------
MFT-10451/IT30080            - CM GUI presents factory cert instead of common
MFT-10545/IT30239            - Token synchronization fails during volume
                               testing
MFT-10559/IT30200            - Jetty Http server uses the incorrect
                               certificate alias

-------------------------------------------------------------------------------
Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 00 Plus Build 118 (Aug 2019)
-------------------------------------------------------------------------------
MFT-10519/IT30065            - AUTH094E SSO token generation failed
                               (Reason: Queue full)

-------------------------------------------------------------------------------
Fixes for SEAS6001 (6.0.0.0 FixPack 1) GA Build 117 (Aug 2019)
-------------------------------------------------------------------------------
New Features in SEAS6001 (6.0.0.0 FixPack 1): see
https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.0/com.ibm.help.seas.overview.doc/seas_whats_new.html
  o Re-Branding: IBM Sterling External Authentication Server is now
    re-branded to IBM(R) Secure External Authentication Server
  o Support for new RESTful APIs
  o Support to export encrypted configuration with user supplied password via
    RESTful APIs
  o Allow user to supply admin password at installation

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.0.0 iFix 03 Build 143 (Aug 2019)
-------------------------------------------------------------------------------
  - No updates since iFix 02 Plus

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.0.0 iFix 02 Plus Build 141 (July 2019)
-------------------------------------------------------------------------------
SEAS-665                     - SEAS Sample exit changes provided for moving
                               global variables to local
MFT-10352/IT29527            - Exit displays LDAP password in readable format
                               in SEAS log
MFT-10385/IT29587            - Token Synchronization failed from alternate
                               SEAS
MFT-10409/IT29481            - Passwords with & ampersands not authenticating
                               through XAPI exit

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.0.0 iFix 02 Build 135 (June 2019)
-------------------------------------------------------------------------------
MFT-10204/IT28758            - Ldap bind failure after upgrade to 6.0 or 2432
                               iFix 4
MFT-10269/IT29043            - SEAS Custom Exit alternate URLs not attempted
SEAS-321/                    - Ability to set various fields in the GUI
SEAS-434/                    - Make TLSv1.2 the default protocol for secure
                               connections
SEAS-686                     - Log authentication failures in the audit log
                               for command line utilities
SEAS-711/                    - SAML token assertions without a signature in
                               the response allowed to be validated
SEAS-714/                    - Provide a GUI option to specify whether SAML
                               assertion responses must be signed
MFT-10243/PSIRT15330         - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for
                               security patches

-------------------------------------------------------------------------------
Fixes for SEAS 6.0.0.0 iFix 01 Build 110 (March 2019)
-------------------------------------------------------------------------------
SEAS-452                     - InstallAnywhere 2018 upgrade for Windows 2016
                               support
SEAS-468/SEAS-465            - GUI description box for new SSO Token Group
                               member does no data screening
SEAS-696/No APAR             - SEAS GUI Log level setting is not getting
                               honored

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
===============================================================================

PSIRT12959,       - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for security
PSIRT13809          patches.

  Resolution: Update the JRE 1.8 to bring it up to the Oracle October 2018
  level to satisfy the CVEs in PSIRT advisories 12959 and 13809.
  See http://www.ibm.com/support/docview.wss?uid=ibm10872778 for the
  Security Bulletin.

  ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced a change to disable SHA1
  certificates via the jdk.certpath.disabledAlgorithms parameter in the
  /jre/lib/security/java.security file. For more information, read the
  comments in the java.security file which relate to the added parm:

    jdk.certpath.disabledAlgorithms= * * *, SHA1 jdkCA & usage TLSServer,

SEAS-452          - InstallAnywhere 2018 upgrade for Windows 2016 support

  Resolution: Upgraded to InstallAnywhere 2018, which provides support for
  Windows 2016 Server.

SEAS-468/SEAS-465 - GUI description box for new SSO Token Group member does
                    no data screening

  SSO Token Synchronization was introduced in SEAS 6.0.0.0. The SSO Token
  Group tab contains a description field which allows any sort of
  unprintable data to be pasted in.

  Resolution: Now filter the data allowed in the SSO Token Group description
  field.

MFT-10204/IT28758 - Ldap bind failure after upgrade to 6.0 or 2432 iFix 4

  After upgrading to SEAS 6.0.0.0, the Customer's SEAS instance could not
  connect successfully to the LDAP server. The LDAP server was using a
  keycert with a Subject Alternate Name (SAN) extension which did not include
  the load balancer hostname in front of the LDAP server that SEAS was
  connecting to. Oracle Java level 1.8.0_181 introduced changes to improve
  LDAP support by enabling endpoint identification algorithms by default for
  LDAPS connections; this also results in stricter hostname validation.

  Resolution: Updated the startSeas.sh script (and equivalent Windows scripts
  and LAX files) to include a commented
  -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true parameter
  which the Customer can uncomment to correct the behavior. Another way to
  resolve the problem is to update the LDAP server certificate to include
  all possible hostnames that clients will try to connect to.
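  The second resolution for MFT-10204 (fix the certificate rather than
  disable endpoint identification) is easy to verify before an upgrade. The
  following is an added example, not SEAS code or part of these release
  notes: it checks whether every hostname clients will use appears in the
  server certificate's SAN extension, using the dictionary shape that
  Python's ssl.getpeercert() returns. The certificate and hostnames below
  are constructed sample data; no connection is made.

```python
"""Check that a server certificate's SAN entries cover the names clients use.

Added example (not SEAS code). The certificate dictionary below is
constructed sample data in the shape returned by ssl.getpeercert().
"""
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname. A single '*' is
    accepted only as the whole left-most label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def san_covers_host(cert: dict, hostname: str) -> bool:
    """True if hostname (DNS name or IP literal) is listed in the SAN.
    The subject CN is deliberately ignored, as strict endpoint
    identification does."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san:
        if kind == "DNS" and ip is None and _dns_label_match(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


def missing_hostnames(cert: dict, hostnames) -> list:
    """Names clients will connect to that the certificate does not cover."""
    return [h for h in hostnames if not san_covers_host(cert, h)]


# Constructed certificate: the SAN names the LDAP nodes but not the load
# balancer name that SEAS actually connects to (the MFT-10204 situation).
LDAP_CERT = {
    "subject": ((("commonName", "ldap-lb.example.test"),),),
    "subjectAltName": (
        ("DNS", "ldap1.example.test"),
        ("DNS", "ldap2.example.test"),
        ("IP Address", "10.0.0.5"),
    ),
}

if __name__ == "__main__":
    targets = ["ldap-lb.example.test", "ldap1.example.test", "10.0.0.5"]
    print("not covered by SAN:", missing_hostnames(LDAP_CERT, targets))
```

  Run against a live server, the same function can be fed the dictionary
  from ssl.getpeercert() on a verified connection; a non-empty result means
  the certificate, not the client, needs fixing.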
MFT-10269/IT29043 - SEAS Custom Exit alternate URLs not attempted

  The Customer is using the custom exit for authentication through the SI
  XAPI "com.sterlingcommerce.component.authentication.impl.SIUserAuthExit".
  Within the profile they have coded the properties specific to the SI
  connection:

    (http.auth.user=*; http.auth.password=*; url=*; alt.url.1=*)

  When the primary URL is active the authentication is successful, but when
  the URL is down, SEAS does not try the alternate URL and the
  authentication fails.

  Resolution: Improved the retry logic when the alternate SI URL fails to
  make sure the alternate is tried.

SEAS-321/         - Ability to set various fields in the GUI

  Customers have been unable to change the default values for minimum
  password length, login lockout delay time and max login attempts in the
  GUI.

  Resolution: Include these new fields in Manage -> System Settings ->
  Globals.

SEAS-434/         - Make TLSv1.2 the default protocol for secure connections

  SEAS formerly installed with TLSv1 as the default TLS protocol.

  Resolution: For new installs, make TLSv1.2 the default protocol everywhere
  a TLS secure connection is made.

SEAS-686          - Log authentication failures in the audit log for command
                    line utilities

  SEAS was not logging the auth failures encountered by command line
  utilities in the audit log.

  Resolution: Now explicitly call the audit logger for auth failures in the
  command line utilities in the bin directory.

SEAS-696/No APAR  - SEAS GUI Log level setting is not getting honored

  After upgrading to log4j2 in SEAS 6.0, setting the log level in the GUI is
  not changing the log level used in the log being generated.

  Resolution: Updated the GUI to correctly change the logging level.

SEAS-711/         - SAML token assertions without a signature in the response
                    allowed to be validated

  When SEAS validates a token, it sends an assertion to the External Identity
  Provider and gets a response. It validates any digital signature in the
  response. However, internal testing revealed that it silently skips
  validation of the signature if the signature has been removed.

  Resolution: Now reject a token validation request when the token assertion
  response does not have a digital signature. See SEAS-714 for further
  updates.

SEAS-714/         - Provide a GUI option to specify whether SAML assertion
                    responses must be signed

  After SEAS-711, a way was needed to specify whether the SAML assertion
  responses require a digital signature.

  Resolution: Now provide a checkbox "Signed AuthnResponse" in the SSO Token
  screen to allow Customers to require that token assertions have a valid
  digital signature.

MFT-10243/PSIRT15330 - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security
                       patches

  Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2019
  level to satisfy the CVEs in PSIRT advisory 15330.
  See http://www.ibm.com/support/docview.wss?uid=ibm10885939 for the
  Security Bulletin.

  ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) introduced a change to disable anon
  and null cipher suites via the jdk.tls.disabledAlgorithms parameter in the
  /jre/lib/security/java.security file. If your site uses these suites for
  testing, update your java.security file to remove the last 2 parms:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
        EC keySize < 224, 3DES_EDE_CBC, anon, NULL

  ACTION - The java.security file includes a new parm for distrusting CAs:

    jdk.security.caDistrustPolicies=SYMANTEC_TLS

  For more information, see the writeup in the java.security file.

MFT-10352/IT29527 - Exit displays LDAP password in readable format in SEAS
                    log

  During execution, the SEAS custom exit was dumping some password values
  coded in the SEAS profile to the SEAS log.

  Resolution: Commented out the line in the exit which displayed the
  incoming values from the SEAS profile. Also added code to mask printing
  the values of properties which contain the strings "password", "pwd" or
  "passphrase" in them while adding or updating profiles.
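  The masking rule from MFT-10352 (redact any property whose name contains
  "password", "pwd" or "passphrase") is worth having as a reusable filter in
  any custom exit that logs its configuration. The following is an added
  example, not SEAS code or the sample exit shipped with the product: it
  parses a profile property string in the (key=value; ...) form shown under
  MFT-10269, masks by key name, and renders a log-safe line. The property
  values are constructed sample data.

```python
"""Mask secret-bearing profile properties before they reach a log line.

Added example (not SEAS code). Follows the MFT-10352 rule: a property is
masked when its *name* contains "password", "pwd" or "passphrase".
"""

SENSITIVE_MARKERS = ("password", "pwd", "passphrase")
MASK = "********"


def is_sensitive(key: str) -> bool:
    """Case-insensitive substring check on the property name only."""
    k = key.lower()
    return any(marker in k for marker in SENSITIVE_MARKERS)


def mask_properties(props: dict) -> dict:
    """Return a copy safe for logging: sensitive values replaced by MASK,
    everything else unchanged."""
    return {k: (MASK if is_sensitive(k) else v) for k, v in props.items()}


def parse_exit_properties(text: str) -> dict:
    """Parse 'key=value; key=value' into a dict. Splits on the first '='
    only, so values such as URLs may themselves contain '='."""
    props = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        props[key.strip()] = value.strip()
    return props


def format_for_log(props: dict) -> str:
    """Render the masked properties as one log-friendly line."""
    return "; ".join(f"{k}={v}" for k, v in mask_properties(props).items())


# Constructed sample: what a custom exit might receive from its profile.
SAMPLE_PROFILE = (
    "http.auth.user=svc_seas; http.auth.password=S3cr3t!; "
    "url=https://si.example.test/myfilegateway; "
    "alt.url.1=https://si2.example.test/myfilegateway; "
    "ldapBindPwd=bind-secret; keystorePassphrase=ks-secret"
)

if __name__ == "__main__":
    print(format_for_log(parse_exit_properties(SAMPLE_PROFILE)))
```

  Matching on the key name is cheap but only as good as the marker list: a
  property named, say, "secret" or "token" would pass through unmasked, so
  extend SENSITIVE_MARKERS to whatever names your profiles actually use.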
MFT-10385/IT29587 - Token Synchronization failed from secondary SEAS

  Customer was testing the new Token Group feature but found that when he
  brought down the SEAS which generated the token, and the other SEAS in the
  token group had not received the token yet, it failed to check with the
  original SEAS to validate the token.

  Resolution: When SEAS is a member of a token group, now correctly process
  a token validation request by determining if we have the token, and if
  not, send the request to the SEAS that generated the token and pass back
  its response. Also updated the process of refreshing a token that is
  about to expire by another token group member.

MFT-10409/IT29481 - Passwords with & ampersands not authenticating through
                    XAPI exit

  Passwords which contained ampersands (&) were not authenticating correctly
  when going through the XAPI exit which authenticates to SI/B2Bi. The value
  was being encoded twice when building the xml to send to SI.

  Resolution: Corrected the double encoding so that passwords with
  ampersands can authenticate correctly through the XAPI exit.

SEAS-665          - SEAS Sample exit changes provided for moving global
                    variables to local

  The IBM Sterling External Authentication Server (SEAS) provides sample
  custom exits which Customers can update and implement to customize the
  authentication process in their environment. Previously, the sample code
  in these exits used some global variables instead of local variables,
  which could cause problems during high concurrency processing. The
  problems do not occur when using dynamic routing and/or mapped credentials
  without the custom exits.

  Resolution: The sample exits, /samples/SampleAuthenticationExit.java and
  /samples/SampleCertValidationExit.java, have been updated to move the
  necessary global variables into the methods that use them so that they
  are local and unique per thread. The source is marked with "SEAS-665" in
  the comments with notes describing the changes that were made to make the
  code thread-safe.

  ACTION: Customers who use these exits should either update their own
  custom source with the changes highlighted in the new sample source, or
  copy in the new sample source and reapply their custom changes to it.

MFT-10451/IT30080 - CM GUI presents factory cert instead of common

  The Customer attempted to replace their SSP factory certificate with a new
  common certificate but when connecting to the GUI, the factory certificate
  was still presented.

  Resolution: Now ensure that at the low level keystore operation, the
  designated keycert alias is honored when the key is requested. This defect
  shared common code with SSP.

MFT-10519/IT30065 - AUTH094E SSO token generation failed (Reason: Queue full)

  The Customer set up for Token Synchronization between 2 SEAS instances.
  Either the 2 SEAS were not both properly configured or the second SEAS was
  down and the tokens generated by the first SEAS were not able to be sent
  to the second SEAS. Eventually, SEAS stopped generating tokens and put out
  the AUTH094E message in the title.

  Resolution: Now use an "offer" method when adding a token into the token
  synchronization queue, which allows a timeout on the operation when the
  buffer is unavailable. Also prune any expired tokens in the queue.

MFT-10545/IT30239 - *HIPER* Token synchronization fails during volume testing

  Two issues were found in volume testing of the new token synchronization
  feature. After the first token was created and shared with the token group
  there was a 2 minute delay between each additional sharing, which caused
  tokens to not be available. And if the SEAS token group member which
  needed to validate the token did not have it on hand, it erroneously
  skipped calling the SEAS which generated the token to do the validation.

  Resolution: Changed the delay between sharing tokens with other token
  group members from 120 seconds to 100 milliseconds (1/10 second). And when
  a token is not in hand when a validation request comes in, now correctly
  pull the SEAS member which generated the token from the token prefix and
  call that SEAS to do the validation.

MFT-10559/IT30200 - Jetty Http server uses the incorrect certificate alias

  Customer added a new keycert with a new alias to replace their expired
  keycert. However, when they attempted to logon to the 9080 WebStart port,
  they were presented with the expired certificate.

  Resolution: Updated the HTTP server side code to ensure that we honor the
  keycert alias specified in the SEAS GUI.

MFT-10358/PSIRT16274,16318 - Security upgrade to Jetty 9.4.20

  Resolution: Update the Jetty server to satisfy the CVEs in PSIRT advisories
  16274 and 16318.
  See http://www.ibm.com/support/docview.wss?uid=ibm11095838 for the
  Security Bulletin.

MFT-10579/PSIRT17288 - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security
                       patches

  Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2019 level
  to satisfy the CVEs in PSIRT advisory 17288.
  See http://www.ibm.com/support/docview.wss?uid=ibm11095832 for the
  Security Bulletin.

MFT-10653/IT30757 - SEAS not starting when LDAP principal password contains
                    an Ampersand (&)

  The Customer created an LDAP definition which included an ampersand (&)
  character in the password. The next time SEAS was restarted, it would not
  come up. The startSeas.out file contained the following:

    INFO: Instantiated the Application class com.ibm.seas.rest.SEASRestApplication.
    Startup did not succeed. Terminating:
    com.sterlingcommerce.hadrian.common.xml.XmlParsingException: Error on line 9:
    The entity name must immediately follow the '&' in the entity reference.

  Resolution: Added logic to properly encode the password field in the LDAP
  Bind query object.

MFT-10678/IT30921 - Upgrade to SEAS6001 iFix00Plus Build122 gets wrong
                    keycert, handshake failures

  Customer upgraded to the latest SEAS6001 and found that it installed an
  SSO keycert which caused handshake failures from SSP. SEAS6001 Build 122
  and 124 created an OpenSAML compatible SSO keycert if it did not detect a
  keycert alias in their SSL or SSO definitions, even if a keycert existed.
  The new keycert interfered with the existing one used for communicating
  with SSP and the SEAS GUI. SSP connections failed and created a backlog of
  timer threads which caused SEAS to go down with OutOfMemory failures.

  Resolution: Now during the startup process, first check if a keycert
  exists in the keystore. If so, add its alias to the SSL and SSO
  definitions. If not, create the SSO keycert and add its alias to the SSL
  and SSO definitions. Also changed the default SEAS heap size in
  startSeas.sh from 256M to 1024M.

MFT-10714/IT31373 - SEAS out of memory after 3 months

  SEAS took an OutOfMemory (OOM) exception after 3 months with a slow leak
  of the "EDU.oswego.cs.dl.util.concurrent.LinkedNode" class. It was defined
  in older sections of the code using a queue structure which did not have a
  size restriction.

  Resolution: Updated the code which used the LinkedQueue classes to use the
  BoundedLinkedQueue classes instead, which will keep the OOM exception from
  happening.

MFT-10717/IT31035 - Persistent sockets for token synchronization group

  The communication between token synchronization group members was causing
  performance issues at peak loads, due to opening a new socket for each
  token shared or requested.

  Resolution: Now establish a persistent socket connection between each
  token group member to improve performance.

  Note: This fix causes the token synchronization process to perform better,
  which may cause some additional timing issues.

SEAS-919/         - Support for Red Hat Directory Server (RDS)

  Resolution: Add support for Red Hat Directory Server (RDS) as an option
  for LDAP queries.
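  Several of the token-group fixes above (MFT-10519, MFT-10545, MFT-10385
  and MFT-10714) describe the same small design: a bounded outbound queue
  that is offered to with a timeout rather than blocked on, expired tokens
  pruned from that queue, and a validation request for a token the member
  does not hold being routed to the member named in the token prefix. The
  following is an added example that models that design in memory; it is
  not SEAS code. The "<member>:<id>" token layout, the queue size and the
  timeout are assumptions made for the example, not the product's actual
  formats.

```python
"""Token-group sharing with a bounded queue and prefix-based validation routing.

Added example (not SEAS code). Models MFT-10519 (offer with timeout, prune
expired), MFT-10714 (bounded queue) and MFT-10545/MFT-10385 (route a
validation request to the generating member). Token layout "<member>:<id>"
is an assumption for this example.
"""
import queue
from dataclasses import dataclass


@dataclass
class Token:
    value: str         # "<generating member>:<opaque id>" (assumed layout)
    expires_at: float  # absolute time in seconds

    def expired(self, now: float) -> bool:
        return now >= self.expires_at


class TokenGroupMember:
    """One SEAS instance in a token group (in-memory model)."""

    def __init__(self, name: str, queue_size: int = 4):
        self.name = name
        self.tokens = {}                                # tokens this member holds
        self.outbox = queue.Queue(maxsize=queue_size)   # bounded sync queue
        self.peers = {}                                 # name -> TokenGroupMember

    def generate(self, token_id: str, ttl: float, now: float) -> Token:
        tok = Token(f"{self.name}:{token_id}", now + ttl)
        self.tokens[tok.value] = tok
        return tok

    def prune_expired(self, now: float) -> int:
        """Drop expired tokens from the outbox; returns how many were removed."""
        kept, removed = [], 0
        while True:
            try:
                t = self.outbox.get_nowait()
            except queue.Empty:
                break
            if t.expired(now):
                removed += 1
            else:
                kept.append(t)
        for t in kept:
            self.outbox.put_nowait(t)   # kept items always fit back in
        return removed

    def offer(self, tok: Token, now: float, timeout: float = 0.05) -> bool:
        """Hand a token to the sync queue without hanging: prune first, then
        give up after `timeout` if the queue is still full (the AUTH094E
        'Queue full' case becomes a False return, not a stalled generator)."""
        self.prune_expired(now)
        try:
            self.outbox.put(tok, timeout=timeout)
            return True
        except queue.Full:
            return False

    def validate(self, value: str, now: float, _hops: int = 0) -> bool:
        """Validate locally; if the token is not in hand, ask the member named
        in the token prefix (one hop only, so two members never ping-pong)."""
        tok = self.tokens.get(value)
        if tok is not None:
            return not tok.expired(now)
        origin = value.split(":", 1)[0]
        peer = self.peers.get(origin)
        if peer is None or peer is self or _hops > 0:
            return False
        return peer.validate(value, now, _hops + 1)


def demo_scenario(now: float = 1_000.0) -> dict:
    """seasB has not yet received seasA's token but validates it via seasA."""
    a, b = TokenGroupMember("seasA"), TokenGroupMember("seasB")
    a.peers["seasB"], b.peers["seasA"] = b, a
    tok = a.generate("t1", ttl=60, now=now)
    return {
        "remote_ok": b.validate(tok.value, now),       # routed to seasA
        "expired": b.validate(tok.value, now + 61),    # seasA reports expiry
        "unknown": b.validate("seasZ:none", now),      # no such member
    }


def demo_queue_pressure(now: float = 1_000.0) -> dict:
    """A size-2 queue clogged with expired tokens: offer() prunes them and
    accepts new tokens until the queue is genuinely full, then refuses."""
    m = TokenGroupMember("seasA", queue_size=2)
    for i in range(2):
        m.outbox.put_nowait(Token(f"seasA:old{i}", now - 1))   # already expired
    first_ok = m.offer(m.generate("fresh", ttl=60, now=now), now)   # prunes, then fits
    second_ok = m.offer(m.generate("x1", ttl=60, now=now), now)     # fills the queue
    third_ok = m.offer(m.generate("x2", ttl=60, now=now), now)      # full: refused
    return {"first_ok": first_ok, "second_ok": second_ok,
            "third_ok": third_ok, "queued": m.outbox.qsize()}
```

  The single-hop guard in validate() is the part to keep when adapting
  this: without it, two members that both lack a token would forward the
  request to each other indefinitely.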
SEAS-979/SEAS-980 - Support for pre-auth and post-auth custom exits

  Customers who want to add some custom authentication logic to what is
  already being done in mainline SEAS find themselves writing a SEAS custom
  exit and duplicating the existing authentication logic that ships with
  SEAS.

  Resolution: Now allow pre-authentication and post-authentication exit
  points in which the custom code can be inserted while using the mainline
  functions for normal authentication.

SEAS-1078/        - (RESTAPI) SEAS Import failing with Invalid content error

  When exporting the SEAS configuration with pre- and post-auth exits
  defined and then importing it again, the import fails with:

    INFO SeasConfigService - Entered update SeasConfig method
    ERROR SeasConfigService - cvc-complex-type.2.4.a: Invalid content was found starting with element 'serverAlias'. One of '{protocol, verStamp}' is expected. line # 311 column # 14
    INFO LogAuditUtils - IMPORT SEAS_CONFIGS failed with error code 204

  Resolution: Updated the RESTAPI export/import code to handle the pre- and
  post-auth exits.

SEAS-685          - Support for Password Policy

  ThreatModel testing called for a way to enforce password policies for
  users.

  Resolution: Added support for a new password policy screen in the GUI
  under Manage -> Password Policy. Policies can include minimum and maximum
  password length requirements, special characters, repeating character
  restrictions, history checking and expiration days. Users assigned to a
  policy must adhere to the restrictions when choosing a new password.

SEAS-689          - Do not log sessionids or sso tokens used for
                    authentication

  Internal scans flagged that no sessionids or sso tokens used for
  authentication should be logged.

  Resolution: Now map the sessionid and sso tokens to an internal digest
  value and log that value instead.
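  The policy fields listed under SEAS-685 (minimum and maximum length,
  special characters, repeating-character limits, history and expiry days)
  map onto a small checker. The following is an added example, not SEAS
  code: it evaluates a candidate password against such a policy and reports
  every rule it breaks. The field names, the special-character set, the
  "longest run" reading of the repeating-character rule, and the use of
  salted SHA-256 for history entries are assumptions made for this example.

```python
"""Password-policy enforcement of the kind described under SEAS-685.

Added example (not SEAS code). Policy field names, SPECIAL, the run-length
interpretation of the repeat rule and salted SHA-256 history are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/")   # assumed definition


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    min_special: int = 1
    max_repeat: int = 2       # longest allowed run of one character
    history_depth: int = 5    # previous passwords that may not be reused
    expiry_days: int = 90     # 0 = never expires


@dataclass
class UserRecord:
    history: list = field(default_factory=list)  # newest first: (salt, digest)
    changed_day: int = 0                         # day number of last change


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(policy: PasswordPolicy, user: UserRecord, candidate: str) -> list:
    """Return the list of violated rules (an empty list means acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if len(candidate) > policy.max_length:
        problems.append("too long")
    if sum(ch in SPECIAL for ch in candidate) < policy.min_special:
        problems.append("not enough special characters")
    if longest_run(candidate) > policy.max_repeat:
        problems.append("too many repeated characters")
    for salt, digest in user.history[:policy.history_depth]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reused from history")
            break
    return problems


def record_password(policy: PasswordPolicy, user: UserRecord,
                    password: str, today: int) -> None:
    """Store a new salted digest at the front of the history and trim it."""
    salt = secrets.token_bytes(16)
    user.history.insert(0, (salt, _digest(password, salt)))
    del user.history[policy.history_depth:]
    user.changed_day = today


def is_expired(policy: PasswordPolicy, user: UserRecord, today: int) -> bool:
    """True once expiry_days have elapsed since the last change."""
    return policy.expiry_days > 0 and today - user.changed_day >= policy.expiry_days


if __name__ == "__main__":
    pol, user = PasswordPolicy(), UserRecord()
    print(check_password(pol, user, "Paaassword!1"))   # constructed sample input
```

  Only digests of previous passwords are kept, each under its own salt, so
  a history check costs one hash per entry and the history itself never
  exposes a reusable password.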
SEAS-955,SEAS-944 - Generate unique encryption key at install time Internal ThreatModel scanning indicated a change in the way we encrypt the system passphrase which is used to encrypt the configuration files. Resolution: On new installs and when running the disableBootstrap and enableBootstrap utilities, generate a unique hex key and store it in a file with read/write permissions for the userid of the installer only. This key is used to encrypt the passphrase the admin supplies to encrypt the configuration files. SEAS-1050 - Add support for SEAS health check monitoring by ICC Add support in SEAS to proactively send health check pings to IBM Control Center so that its up/down status can be monitored. The SEAS GUI Manage -> System Settings -> Health Check Monitoring tab allows the admin to define the ICC host and port, id and password, and frequency of pings. See online documentation for SEAS6010 for more information. Other internal stories: SEAS-1052 SEAS-1145 - System passphrase not getting validated during upgrade when bootstrap is disabled When bootstrapping is disabled, the upgrade must request the passphrase during the install in order to decrypt the configuration files. The passphrase was not getting validated when entered. Resolution: Now validate the system passphrase requested during an upgrade when bootstrapping is disabled. SEAS-1175 - SEAS service not starting through command line on Windows The SEAS service was not starting with bin\startSeas.bat on Windows. It was starting the SEAS_V6.0.0.1 service by mistake. Resolution: Updated the InstallAnywhere deck to build the startSeas.bat job with the current release variable so that the "net start SEAS_V?.?.?.?" is always built correctly when the release changes. 
Workaround: Change the lines in startSeas.bat to say "net start SEAS_V6.0.1.0" SEAS-1190 - Installation issues with Docker containers Resolved several issues found during beta testing of Docker containers - Removed root user password changing logic from Docker file - Added sudo package to allowing sudo command to non-root user - Added logic for passing user, pwd, uid and gid into ENV variables, to be the owner of host mounted path for host configuration data. Defaults: APP_USER=appuser, APP_USER_PWD=appuser, APP_USER_UID=3000, APP_USER_GID=3000 Note: Do NOT use User names root, spuser, cmuser, psuser or, seas or UID/GID: 0 and 1000 because these are already used inside the container. - Mapped silent installation log file with Volume host path to assist in checking the log without logging in - Please refer to the deployment YAML files bundled with the Fix Central tar file for the latest rather than the samples in the online doc. - Following are the parameters needed to start a SEAS container using Docker: ************** Deploying the new Container ************************** docker run -it -d \ -v /SEAS:/seasinstall/IBM/SEAS \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1004 \ -e APP_USER_GID=1005 \ -e PORT=61365 \ -e JETTY_PORT=9080 \ -e JETTY_DNS=172.20.185.197 \ -e PASSPHRASE=password \ -e USER_PASSWORD=password \ -p 9080:9080 \ -p 61365:61365 \ -p 61366:61366 \ --name SEAS \ seas-docker-image:V6.0.1.0.iFix01 /bin/bash ******************* Upgrade the deployment ************************ Note: To upgrade from a traditional install to a container platform, you must modify HOST_IP OR HOST_Name tag in the following file before the deployment. File: /conf/jetty/JettyConfigDef.xml Replace "HOST_IP OR HOST_Name" with "0.0.0.0" Note: This change is not required when upgrading from container to container. 
  docker run -it -d \
    -v /SEAS:/seasinstall/IBM/SEAS \
    -e APP_USER=test \
    -e APP_USER_PWD=test \
    -e APP_USER_UID=1004 \
    -e APP_USER_GID=1005 \
    -e JETTY_DNS=172.20.185.197 \
    -p 9080:9080 \
    -p 61365:61365 \
    -p 61366:61366 \
    --name SEAS \
    seas-docker-image:V6.0.1.0.iFix01 /bin/bash

MFT-10847/IT31788 - SEAS6010 gets "Invalid Client Alias" to LDAPs
  Customer upgraded to SEAS6001 iFix 2 and began getting the following during SSL handshaking to their LDAP server:
    java.lang.IllegalArgumentException: Invalid Client Alias
    SEND TLSv1 ALERT: fatal, description = internal_error
  The Customer's LDAP was requesting a client certificate but was configured not to require it. It worked before the upgrade. The SEAS keymanager was detecting a client keycert alias as coded when the field was empty. The same bug existed in SEAS6010 GA.
  Resolution: Corrected the key manager to properly validate the existence of both the client keycertAlias and the server keycertAlias.

SEAS-992/ - Improve validation in token synchronization GUI panels
  The System Settings -> Token Group Configuration panels were confusing when trying to add a Token Group Member. The Name field value must be the Named Identity Provider name of the Token Group Member we are trying to add.
  Resolution: Now add a description text next to the Name field indicating it must match the Named Identity Provider name of the Token Group Member we are adding. Also, in the System Settings -> Globals tab, when the "Enable SSO Synchronization" box is checked, verify that the Named Identity Provider is specified, otherwise report an error.

SEAS-1164 - Password policy name fails to import with RESTAPI
  When creating a new password policy, the name could contain blanks.
  The RESTAPI was able to export the policy, but when importing it again, the blank in the policy name caused:
    ERROR PasswordPolicyService - Valid characters for Name "test policy" are: "-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.:"
  Resolution: Now restrict the name of the password policy being created to only contain the characters above (no blanks).

SEAS-1178 - Custom exit connecting to invalid URL gets nuisance msg
  When an invalid URL is specified for the custom exit to connect to, it puts out "java.lang.IllegalArgumentException: Socket may not be null".
  Resolution: Now emit a proper error message: "ERROR HttpUserAuthExit - AUTH220D Communication failure, IBM Secure External Authentication Server could not connect to the server: https://:/myfilegateway" and also show a stacktrace if in debug mode.

MFT-10898/ - (Container) Can not create APP_USER in the yaml file with GID of 1001
  When trying to use a group ID (GID) of '1001' in the yaml file, the messages
    groupmod: GID '1001' already exists
    ERROR: Cannot set GID for
  appear in the APPStartup.log in the backup directory on the VM.
  Resolution: Now allow 1001 to be used as a group ID in a container.

SEAS-1148/ - Improvements to Content-Security-Policy Header
  The default Content-Security-Policy HTTP header returned by the SEAS Webstart page was not acceptable to the OWASP security scanning tool. According to the tool, the value of "default-src 'self';" allowed wildcard sources or ancestors.
  Resolution: Now supply the following values for the Content-Security-Policy header:
    "default-src 'self'; img-src 'self'; style-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';"
  This also required splitting the contents of the index.htm file into 3 new files: body.js, header.js, and stylesheet.css. The index.htm file is backed up prior to installing. This is also tracked as PSIRT ADV0022035.
SEAS-1165/ - (GUI) Able to delete a password policy that is in use
  A password policy file that is assigned to a user could still be deleted from the GUI.
  Resolution: Now check to make sure the password policy is not referenced before allowing it to be deleted.

SEAS-1177/ - SEAS GUI tabs go away after changing Token Manager value
  In the SEAS GUI, in the Manage -> System Settings -> SSO Token tab, when the Token Manager field is changed from "SEAS-SAML" to "Custom", several other System Settings tabs go away. System Settings must be selected again from the Manage screen to show the other tabs.
  Resolution: Now seamlessly allow changing the Token Manager field without losing the other tabs.

SEAS-1183/ - Do not allow password policy with expiration for admins
  A password policy with a "Days Valid" value set for an admin userid could cause the admin to be locked out when the password expires.
  Resolution: Now disallow a password policy with a non-zero "Days Valid" value from being attached to admin users, so they cannot get into a situation of being locked out of the system. The change is done both in the GUI and the REST API.

SEAS-1200/PSIRT21787 - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches
  Resolution: Update the JRE 1.8 to bring it up to the Oracle January 2020 level to satisfy the CVEs in PSIRT advisories 20470 and 21787. See https://www.ibm.com/support/pages/node/6116938 and https://www.ibm.com/support/pages/node/6116968 for the Security Bulletins. Also tracked internally as SEAS-1199.

SEAS-1201/ - RESTAPI encryption/decryption of passwords
  The SEAS RESTAPI configuration export was not encrypting the password history and the new Control Center health check password.
  Resolution: Added logic within the RESTAPI to encrypt/decrypt the password history and the password associated with the health check connection to Control Center during export and import.
SEAS-1230/ - CERT008E Exception encountered doing cert validation
  During regression testing with the new IBM JRE 8.0.6.5, a certificate validation test case failed with the following exception:
    CERT008E Exception encountered while processing certificate chain: com/ibm/security/x509/CRLDistributionPointsExtension.(Z[B)V
  The IBM JRE had changed the API for Certificate Revocation List processing, which was incompatible with callers compiled under an older JDK.
  Resolution: Switched to compiling SEAS with the IBM 8.0.6.5 JDK and updated the API call to use a different method to get the CRL distribution points from the certificate.

SSP-4244/ - Cannot start docker container after stopping it
  After running "docker stop ", the container fails to start with "docker start ". Logs show the message: 'cannot create user "test"'
  Resolution: Corrected the user conflict causing the container not to start.

MFT-10999/IT32375 - SEAS GUI SSO Token Signing Key value changed when restarted
  Customer upgraded to SEAS6010 and the Token Signing Key radio button in the System -> Manage Settings -> SSO Token tab was changed from "Auto Generated" to "Certificate Alias" and pointed to an existing keycert in the keystore. The Customer changed it back to Auto Generated and the service worked. However, when they restarted SEAS it went back to Auto Generated.
  Resolution: Now persist the value of the Token Signing Key radio button across restarts.

MFT-11001/IT32370 - SEAS GUI Health Check Monitoring (HCM) tab won't save when HCM checkbox is checked from WebStart GUI
  Customer configured the System -> Manage Settings -> Health Check Monitoring tab using the WebStart GUI, but then could not save their changes. It worked from the SEAS/bin/startGUI.sh X11-based script. The EA_GUI.jnlp WebStart file was missing the persistence.jar entry, and threw a NoClassDefFoundError on the com.sterlingcommerce.component.persistence.Persistor class.
  Resolution: Updated the SEAS/conf/jetty/docroot/webstart/EA_GUI.jnlp file to include the reference to persistence.jar.
  Workaround: Update the SEAS/conf/jetty/docroot/webstart/EA_GUI.jnlp file to add the following line:

MFT-11017/IT32542 - Deliver new log4j2.xml during upgrades
  The /conf/log4j2.xml file was not getting updated during a SEAS upgrade, even though a backup was being taken of it.
  Resolution: Now, during an upgrade, overlay the existing log4j2.xml after its backup is created, so that it is current.

SEAS-1233/ - XML External Entity (XXE) vulnerability in SEAS
  During internal security scanning, SEAS was found to be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. It is further described in PSIRT advisory ADV0023731.
  Resolution: Added parser processing commands to disallow the illegal commands that caused the XXE attack.

SEAS-1238/ - CRUD033E Operation: update failed when setting up LDAP Connection screen of LDAP authentication profile
  When configuring the LDAP authentication profile, switching between the "Search for User DN" option, the "Specify User DN" option, and the LDAP Connection Settings tab can cause the error message:
    CRUD033E Operation: update failed : BindSearchName does not match query entered: FindUserDN vs. null
  Resolution: Now make sure that the configured value for principal Name is consistently set during a save operation to the backend.

SEAS-1247/ - Supply IP address of authenticated user in SSO token validation response
  Resolution: This is a small enhancement to pass the IP address of the authenticated user to the back end B2Bi within the response to the SSO token validation request.
  For authentication and certificate validation SSO requests which supply an IP address of the incoming user, now include the IP address in the following tag in the response:
    auth.ipAddress 10.20.30.40

SEAS-1249/ - RESTAPI import error: Invalid content on element 'passwordIsPlain'
  A RESTAPI export from SEAS6001 iFix 3, imported back into the same version, was getting:
    "validationErrorsList : [cvc-complex-type.2.4.a: Invalid content was found starting with element 'passwordIsPlain'. One of '{port, protocol, sslInfo, verStamp}' is expected. line # 555 column # 18]."
  Resolution: Updated the xsd to allow the passwordIsPlain key on a RESTAPI import.

MFT-11155/IT32979 - SEAS GUI failed keystore password update
  When trying to update the keystore password through the SEAS GUI, and the key alias has uppercase characters, the dialog fails with "SYST045E Specified certificate alias [ XXX ] doesn't exist in the keystore".
  Resolution: Ignore the case of the alias when searching for the key in the keystore, since aliases are always stored there in lowercase.

MFT-11043/ - Bind to Active Directory getting Unresolved address
  Customer attempting to set up an LDAP query was getting the following:
    AUTH002E Ldap Bind failed for service principal x.x.x.x:389 Cause: ConnectionException: java.net.SocketException: Unresolved address.
    AUTH200D Communication failure, could not connect to the LDAP server.
  The Customer had misconfigured their LDAP connection definition and put the LDAP bind "CN=..." info in the local socket ipaddress field.
  Resolution: Added an error message at the time of the failed bind on the local IP address in order to catch this problem earlier:
    ERROR binding ldap socket local address to .

MFT-11147/IT33020 - CRL checking fails after upgrade to SEAS2432 iFix 7
  The Customer, who had Certificate Revocation List (CRL) checking enabled, upgraded to SEAS2432 iFix 7 and began seeing:
    ERROR CertValidator - CERT005E Failed to complete required CRL check.
    Problem 1 of 1: Insufficient information to locate CRL for issuer: CN=...
  This is a companion to issue SEAS-1230.
  Resolution: Switched to compiling SEAS with the IBM 8.0.6.5 JDK and updated the API call to use a different method to get the CRL distribution points from the certificate.

MFT-11154/ - GUI connection to SEAS secure port fails
  The Customer was trying to access their SEAS secure port from the Webstart GUI, but kept getting unhelpful messages which indicated a handshake failure after the connection was made:
    ClientConnectionException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  Resolution: Added diagnostics on the client side which more clearly show that the problem was in connecting to the port (a firewall issue) rather than a handshake error.

MFT-11195/IT33131 - Mapped loginPwd not being processed properly from IBM SDS
  The Customer is using the IBM Secure Directory Server (ISDS) for their LDAP server and pulling mapped credentials to their back end protocol server. The ISDS server returns the loginPwd value as a binary byte array rather than a string, so it was not handled correctly.
  Resolution: Now handle the mapped loginPwd field whether it comes as a byte array or a string value. Also, mask the loginPwd when tracing in the log.

SEAS-692/ - Add HTTP header Cache-Control: max-age=0
  Internal security testing indicated that our HTTP headers should contain the Cache-Control: max-age=0 parm.
  Resolution: Now set cache-control = "no-cache, must-revalidate, max-age=0" in the HTTP headers returned.

SEAS-970/ - Uninstaller files deleted on upgrade on Linux
  During an upgrade install on Linux, the Uninstaller script was getting added with the wrong name and then deleted.
  Resolution: Now build the Uninstaller script in the UninstallerData directory so that it can be executed with ./"Uninstall IBM Secure External Authentication Server 6.0.1.1"

SEAS-1024/ - GUI Auth exit radio buttons not warning if class missing
  Found that one could select the radio buttons for the pre- and post-auth exits and click OK without any warning that there is no class name or properties specified.
  Resolution: Now put out an error dialog: "'Pre' Custom Exit is selected but no class provided. Either un-check, or provide a valid fully qualified class name."

SEAS-1184/SEAS-1194 - RESTAPI improved validation during import
  Internal testing found inconsistent validation of supplied values during RESTAPI import operations.
  Resolution: Now do more robust validation of input data during RESTAPI import operations, including common SQL injection signatures.

SEAS-1205/ - Set HTTP security headers on by default in GUI
  Defect RTC557573 from January 2018 added the ability to add HTTP security headers to Webstart GUI sessions if a box was checked in the GUI. By default, the box was not checked during an install.
  Resolution: Now set the Manage -> System Settings -> Globals "Enable HTTP security Header for webstart" checkbox to true by default.

SEAS-1234/ - Apply password policy during new install for system passphrase and admin password
  Resolution: New installs of SEAS will impose a password policy during the install process requiring the system passphrase and admin password to be 6 to 28 characters in length with at least one upper case letter, one lower case letter, one digit, and one special character ("!@#$%^&"), with not more than 2 consecutive characters repeated.

SEAS-1255/SEAS-1257 - RESTAPI not encrypting LDAP ServicePrincipal password during export of Authentication, CertValidation profiles
  The ServicePrincipal password in the LDAPQuery definition was not being encrypted during a RESTAPI export or get operation of the Authentication or CertValidation profiles.
  Resolution: Now encrypt/decrypt the LDAP ServicePrincipal password during import/export/get operations.

SEAS-1259/ADV0021791/ADV0023736 - Update IBM JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches
  Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2020 level to satisfy the CVEs in PSIRT advisories ADV0021791 and ADV0023736. See https://www.ibm.com/support/pages/node/61????? and https://www.ibm.com/support/pages/node/61????? for the Security Bulletins. ADV0021791 was tracked internally as SEAS-1235.

SEAS-1261/ - SEAS Root Logger settings not honored across the product
  Customers setting in /conf/log4j2.xml were not getting debug output from most classes in the product unless a specific was coded for that class.
  Resolution: Corrected the LogManager class name in every class which was still using the Log4j format instead of the newer Log4j2 format.

SEAS-1341/ - Add HTTP header Cache-Control: no-store
  Internal OWASP testing indicated that our HTTP headers should contain the Cache-Control: no-store parm.
  Resolution: Now set cache-control = "no-cache, no-store, must-revalidate, max-age=0" in the HTTP headers returned.

SEAS-1345/ - SEAS health check monitoring overriding SEAS log level
  When running with SEAS health check monitoring, the thread was changing the root logging level set from the GUI.
  Resolution: Modified the health monitoring thread to only update the healthmonitoring appender log level instead of overriding the root log level.
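The SEAS-1234 item above states the password rules the installer now enforces for the system passphrase and admin password. As an added example (not SEAS's installer code), the following Java validator implements those rules so a candidate value can be pre-checked before an install; it assumes that "not more than 2 consecutive characters repeated" means a character may appear at most twice in a row, and that characters outside the listed special set are neither counted as special nor rejected.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class InstallPasswordPolicy {
    static final int MIN_LEN = 6;
    static final int MAX_LEN = 28;
    static final String SPECIALS = "!@#$%^&";
    // Assumption: a character may appear at most twice in a row
    // ("pp" passes, "ppp" fails).
    static final int MAX_RUN = 2;

    // Returns every rule the candidate breaks; an empty list means it passes.
    public static List<String> violations(String pw) {
        List<String> out = new ArrayList<>();
        if (pw == null) {
            out.add("value is required");
            return out;
        }
        if (pw.length() < MIN_LEN || pw.length() > MAX_LEN) {
            out.add("length must be " + MIN_LEN + " to " + MAX_LEN + " characters");
        }
        boolean upper = false, lower = false, digit = false, special = false;
        boolean runTooLong = false;
        int run = 1;
        for (int i = 0; i < pw.length(); i++) {
            char c = pw.charAt(i);
            if (Character.isUpperCase(c)) upper = true;
            else if (Character.isLowerCase(c)) lower = true;
            else if (Character.isDigit(c)) digit = true;
            else if (SPECIALS.indexOf(c) >= 0) special = true;
            // Track the length of the current run of identical characters.
            run = (i > 0 && c == pw.charAt(i - 1)) ? run + 1 : 1;
            if (run > MAX_RUN) runTooLong = true;
        }
        if (!upper) out.add("needs an upper case letter");
        if (!lower) out.add("needs a lower case letter");
        if (!digit) out.add("needs a digit");
        if (!special) out.add("needs one of " + SPECIALS);
        if (runTooLong) out.add("no character may repeat more than " + MAX_RUN + " times in a row");
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample candidates, not real credentials.
        for (String candidate : Arrays.asList("Passw0rd!", "password", "Aaaa1!bc", "Ab1!")) {
            List<String> v = violations(candidate);
            System.out.println(candidate + " -> " + (v.isEmpty() ? "OK" : v));
        }
    }
}
```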