================================================================================
Fixlist for IBM Secure Proxy 6.0.1.1 (SP6011) iFix 02
September 2020
================================================================================

This cumulative maintenance iFix includes the GA release of SSP Engine and SSP
Configuration Manager 6.0.1.0 as well as the fixes for the issues mentioned
below. The install images for the SSP Engine, CM and PS may be used to install
a new image or upgrade an existing image in place.

Contents:
  I.   HIPER fixes / Fixes requiring Action by iFix
  II.  Summary of Fixes by iFix/Build (Latest iFix / Builds first)
  III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

ACTION - iFix images for HP, Solaris, and zLinux(s390) will no longer be placed
         on Fix Central. Contact Support if you need an iFix loaded to EcuRep.

ACTION - It is a good practice to take a full backup of the install directory
         before putting on a new build.

In SP 6.0.1.1 (SP6011) iFix 02 Build 193 (September 2020):
  HIPER - Address vulnerability in Apache Commons Codec toolkit. See ADV0025470

In SP 6.0.1.1 (SP6011) iFix 01 Plus Build 188 (September 2020):
  HIPER - Upgraded Maverick SSH toolkits to the 1.7.32 level for a thread
          deadlock issue. See MFT-11273 for details.

In SP 6.0.1.1 (SP6011) iFix 01 Build 180 (August 2020):
  ACTION - The procedure to deploy IBM Secure Proxy using a Docker Container
           has changed. For more information see
           https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html

In SP 6.0.1.1 (SP6011) GA Build 150 (June 2020):
  ACTION - An Engine and any remote Perimeter Servers associated with its
           adapters must be upgraded to the 6011 level at the same time to
           keep their PS code in sync. Otherwise the adapters will fail to
           start with "Unable to connect to remote perimeter server..."
           See SSP-3966 for details.
  HIPER - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches - See
          PSIRTs ADV0021791 and ADV0023736 for more details.
  HIPER - XML External Entity (XXE) vulnerability in SSP - See SSP-4323
          (PSIRT ADV0023731) for more details.

In SP 6.0.1.0 (SP6010) iFix 02 Build 134 (March 2020):
  HIPER - Update JRE 1.8 to SR6 FP05 (8.0.6.5) for security patches - See
          PSIRT ADV0021787 for more details.
  HIPER - Missing secure attribute in encrypted session (SSL) cookie - See
          SSP-3793 (PSIRT ADV0022033) for more details.

In SP 6.0.1.0 (SP6010) General Availability (January 2020):
  ACTION - For a detailed list of the new features in the 6010 release, see
           https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html
  ACTION - Installation issues with Docker containers - See SSP-4220

In SP6000 Fixpack 1 (SP6001) iFix 01 (October 2019):
  HIPER - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches - See
          PSIRT17288 for more details.
  HIPER - Possible vulnerability in Jetty server. See PSIRT16274, PSIRT16318

In SP6000 Fixpack 1 (SP6001) iFix 00 Plus (September 2019):
  ACTION - SSP can run out of threads if SEAS goes down and the SFTP adapter
           does not have failover coded. See MFT-10402

In SP6000 FixPack 1 (SP6001) General Availability (August 2019):
  ACTION - For a detailed list of the new features in the 6001 FixPack, please
           see https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.0/com.ibm.help.ssp.overview.doc/ssp_whats_new.html
  ACTION - RESTAPI requires the new X-Passphrase keyword for exporting and
           importing sensitive objects: sspCMConfigs, Netmaps, Keystores,
           sysSslInfo, globals. See
           https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.0/com.ibm.help.ssp.apis.doc/CommonFiles/rest_api_request_headers.html

In SSP6000 iFix 2 (June 2019):
  ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) disables anon and null cipher suites
           and includes a new parm for distrusting CAs. For more information,
           see the writeup below for PSIRT15330.
  ACTION - New feature to restrict access to pages under the /Signon
           directory. If you have added additional files or directories as
           part of customizing the Login portal (/Signon directory), you must
           add whitelist entries for them similar to the existing entries in
           the new /bin/portal/pages.properties file. See SSP-3542 for details.

In SSP6000 iFix 1 (March 2019):
  NONE

In SSP6000 GA (February 2019):
  ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced changes to disable SHA1
           certificates. See PSIRT12959 and PSIRT13809 for more details.

===============================================================================
II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first)
    Fixes are marked as Engine and CM (Configuration Manager)
===============================================================================

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 01 Plus Build 193    Sep 2020
-------------------------------------------------------------------------------
SSP-4702/ (Engine) - REST API Authentication on B2Bi fails when it goes through SSP
SSP-4640/ (CM,Engine) - Vulnerability in Apache Commons Codec

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 01 Plus Build 188    Sep 2020
-------------------------------------------------------------------------------
MFT-11238/ (Engine) - Windowing issues in Maverick code
MFT-11273/IT33922 (Engine) - JVM thread deadlock in Maverick code
SSP-3583/ (CM) - unauthorized.jsp does not display IBM in header title, stacktrace in CM log file
SSP-4138/ (CM) - manageKeyCerts cannot copy non-HSM keycert
SSP-4662/ (CM) - RESTAPI missing validations of Password Policy
SSP-4668/ (CM) - RESTAPI allows empty eaAuthProfile and eaCertProfile tags to be imported
SSP-4670/ (CM) - RESTAPI services do not report exception

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 01 Build 180    Aug 2020
-------------------------------------------------------------------------------
New Features in SP 6.0.1.1 iFix 01
  Docker Changes - The procedure to deploy IBM Secure Proxy using a Docker
    Container has changed. For more information, see Deploying IBM Sterling
    Secure Proxy using a Docker container at
    https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html
  HELM Chart Support - This iFix allows IBM Sterling Secure Proxy users to
    deploy their applications in a Kubernetes-based containerized environment
    using a Helm Chart. For more information see the above link.

MFT-11130/IT33879 (Engine) - Intermittent requests to SEAS timing out
MFT-11139/IT33786 (Engine) - During load testing, SEAS shows ERROR "AUTH037E Authentication request missing password."
SSP-4675/ (CM) - NullPointerException adding trustedCert

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 00 Plus Build 166    Aug 2020
-------------------------------------------------------------------------------
MFT-11287/IT33627 (CM) - Allow comma and apostrophe in CM key passwords
MFT-11293/IT33828 (Engine) - 229 response for FTP EPSV causes problems with some partners

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 00 Plus Build 163    Jul 2020
-------------------------------------------------------------------------------
MFT-11269/IT33625 (PS) - PS silent install giving bad port error
SSP-3804/ (Engine,CM) - Passphrase validation in silent install
SSP-4450/ (CM) - Add checkboxes to Password Policy in SSP CM
SSP-4480/ (CM) - RESTAPI add missing validations
SSP-4529/ (CM) - Allow CM login page from root (/)
SSP-4597/ (Engine,CM) - Install rejects password with $$
SSP-4620/ (Engine,CM) - Set TLSv1.2 protocol for CM, Engine and Web Server (Jetty)

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.1 (SP6011) GA Build 151    Jun 2020
-------------------------------------------------------------------------------
New features - see
  https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html
  o Support to scan inbound CD data in transit via Secure Proxy for virus and
    malware scan - See SSP-4309
  o Apply password policy for system passphrase and admin password for new
    installs - See SSP-3701
  o Upgrade Perimeter Server code to same as B2Bi 6.0.3.2 - See SSP-3966

MFT-11042/ (Engine,PS) - Getting IOException: Too many open files
SSP-3582/ (Engine) - Blacklisted events are logged as ERROR messages
SSP-3701/ (Engine,CM) - Apply password policy for system passphrase and admin password for new installs
SSP-3966/ (Engine,PS) - Upgrade Perimeter Server code to same as B2Bi 6.0.3.2
SSP-4016/ (CM) - RESTAPI import does not update Jetty Server alias
SSP-4190/ (Engine) - Getting IllegalBlockSizeException after upgrade
SSP-4198/ (CM) - configureCmSsl -s utility not showing all certs
SSP-4308/ (Engine,CM) - Add password policy for command line changePassphrase utility
SSP-4309/SSP-4322 (Engine,CM) - Support for ICAP Anti-Virus Scanning in C:D
SSP-4310/SSP-4445 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches.
SSP-4510/ (Engine,CM) - (SFTP) Allow reject option when ICAP session limit is exceeded
SSP-4590/ (Engine) - Missing HTTP headers in response from MFG

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 02 Plus Build 147    Jun 2020
-------------------------------------------------------------------------------
MFT-11200/IT33098 (Engine) - NPE in Maverick logs

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 02 Plus Build 145    May 2020
-------------------------------------------------------------------------------
MFT-11151/IT32957 (Engine) - SSP6010 upgrade fails on Windows

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 02 Plus Build 143    May 2020
-------------------------------------------------------------------------------
MFT-10874/ (Engine) - Engine listCerts.sh not working in 6010
MFT-10995/IT32374 (Engine) - SFTP adapter hung in a stopping state
MFT-11060/IT32769 (Engine) - SFTP Getting SSE2654 Session limit exceeded on wrong adapter(s)
MFT-11075/IT32687 (CM) - Change to SFTP Policy in 6.0.1.0 greyed out the Pass-Through option for Password and Key
MFT-11106/IT32810 (CM) - Unable to delete default self signed certificate from SSPCM
SSP-4215/ (CM) - RESTAPI import error - Invalid cipher suite specified twofish256-cbc
SSP-4323/SEAS-1233 (Engine) - XML External Entity (XXE) vulnerability in SSP
SSP-4346/ (Engine) - SFTP ICAP AntiVirus scanning getting spurious RuntimeException: no messages in ICAP cache

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 02 Build 134    Mar 2020
-------------------------------------------------------------------------------
MFT-10765/IT31672 (CM) - 6.0.0.1F1 with Client Auth not working with SAN certs, getting ERR_BAD_SSL_CLIENT_AUTH_CERT
MFT-10779 (CM) - RESTAPI import errors with backupDir and urlMapEntry
MFT-10853/IT31763 (CM) - (GUI) SSPcm user binds to LDAP twice with SEAS for single login
MFT-10887/ (CM,Engine,PS,SEAS) - GPF in SSP engine
MFT-10889/IT32078 (CM) - (GUI) CM session timeout still allows partial access of the GUI function
MFT-10898/ (CM,Engine,PS) - (Container) Cannot create APP_USER in the yaml file with GID of 1001
MFT-10903/IT32096 (CM,Engine) - configureCmSsl and configureEngineSsl not adding certificate chain to cmtruststore or truststore
MFT-10904/ (CM,Engine,PS,SEAS) - GPF in SSP engine
MFT-10959/IT32191 (CM) - (GUI) Unable to update keystore with certain PFX keys. PEM format works
SSP-3771/ (CM) - Updates to make CM logging more readable
SSP-3793/ (CM) - Missing secure attribute in encrypted session (SSL) cookie
SSP-4182/ (CM) - ICAP configuration field validation issues
SSP-4183/ (CM,Engine) - Files with temporary names not getting AV scanned
SSP-4195/ (CM) - RESTAPI ICAP field validation errors for empty maxSessions file extensions
SSP-4202/ (CM) - SSPCM was allowing unsupported HTTP methods to be processed
SSP-4207/ (CM, Engine) - New Engine install fails while importing keycert if engine port is in use
SSP-4223/ (Engine) - Excessive logging on idle SFTP adapter
SSP-4236/PSIRT21787 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches.
SSP-4244/ (Engine,CM,PS) - Cannot start docker container after stopping it

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 01 Build 121    Jan 2020
-------------------------------------------------------------------------------
MFT-10779 (CM) - RESTAPI import errors with backupDir and urlMapEntry
SSP-4186 (Engine,CM) - System passphrase not getting validated during upgrade when bootstrap is disabled
SSP-4200 (Engine,CM) - Installer needs to confirm key passwords
SSP-4208 (Engine) - HSM command line clients cannot connect to engine
SSP-4220 (Engine,CM) - Installation issues with Docker containers

-------------------------------------------------------------------------------
Summary of Fixes for SP 6.0.1.0 (SP6010) GA Build 116    Jan 2020
-------------------------------------------------------------------------------
New features - see
  https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html
  o Deploying IBM Secure Proxy containers in Red Hat OpenShift platform; Red
    Hat container certification
  o Support to scan inbound data in transit via Secure Proxy for virus and
    malware scan - See SSP-3834.
  o Support to secure connection between Engine and Configuration Manager
    using self-signed certificates - See SSP-3543
  o Support to prevent storage of passphrase required at start up using a
    utility - see SSP-3854
  o Support to set administrator password at installation

SSP-3540 (Engine) - Do not log sessionids or sso tokens used for authentication
SSP-3543 (CM, Engine) - Generate keys at install time
SSP-3612 (Engine,CM) - Make Security Headers active by default for the HTTP adapter
SSP-3803 (Engine,CM) - Generate unique encryption key at install time
SSP-3834 (Engine,CM) - Support for ICAP Anti-Virus Scanning in SFTP
SSP-3854 (Engine,CM) - New disableBootstrap command-line utility
SSP-4120 (CM) - Update Apache Commons BeanUtils to 1.9.4

-------------------------------------------------------------------------------
Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 01 Plus Build 136    Jan 2020
-------------------------------------------------------------------------------
MFT-10616/IT30591 (CM) - REST API fails with "The processing instruction target matching "[xX][mM][lL]" is not allowed"
MFT-10656/IT30692 (CM) - SSPCM "Enable SSP CM startup backup" field in CM System settings has no effect
MFT-10692/IT30823 (CM) - (FTP) EPSV command giving wrong response
MFT-10704/IT31049 (Engine) - Engine audit logs contain hashed passwords
MFT-10737/IT31341 (Engine) - Unable to login to the CM after upgrade
MFT-10749/IT31534 (CM) - NPE during RESTAPI session cleanup.
MFT-10762/IT31135 (Engine) - (CD) SSP incorrectly logs stepname of run task and run job C:D process steps
MFT-10774/IT31439 (Engine) - (CD) CSP032E 4 KQV keyword "RLS2" found in FM70, but not defined in XML schema definition
MFT-10832/IT31500 (Engine) - (HTTP) Duplicate Host Header attribute
SEAS-1083/ (Engine) - (HTTP) Password change on SSO portal clears all policies on password policy display tab

-------------------------------------------------------------------------------
Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 01 Build 124    Oct 2019
-------------------------------------------------------------------------------
MFT-10357/PSIRT16274,16318 (Engine,CM) - Security upgrade to Jetty 9.4.20
MFT-10485/IT30344 (Engine) - (SFTP) OutOfMemoryError "Java heap space" crash
MFT-10578/PSIRT17288 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches.
MFT-10608/IT30643 (Engine) - (SFTP) Added client ciphers as well as negotiated ciphers in logging.

-------------------------------------------------------------------------------
Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 00 Plus Build 122    Oct 2019
-------------------------------------------------------------------------------
MFT-10541/IT30346 (CM) - (RESTAPI) userStore API update throwing exception on CLI.
MFT-10559/IT30200 (CM) - Jetty Http server uses incorrect certificate alias
MFT-10564/IT30532 (Engine) - Blacklist not displaying messages for SFTP protocol

-------------------------------------------------------------------------------
Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 00 Plus Build 119    Sep 2019
-------------------------------------------------------------------------------
MFT-10402/IT30050 (Engine) - *HIPER* (SFTP) OutOfMemory (out of threads) when SEAS goes down with no failover coded
MFT-10483/IT30076 (CM) - RESTAPI activity leads to OutOfMemory (OOM) full of AuthenticationResource, JMS objects
SSP-3530/ (CM) - REST API issues when importing from older CM
SSP-3810/ (CM) - REST API xsd failure for ssoConfig and sysGlobals
SSP-3833/ (CM) - RESTAPI failure on userstore entry without password policy.

-------------------------------------------------------------------------------
Summary of Fixes for SP6000 FixPack 1 (SP6001) GA Build 114    Aug 2019
-------------------------------------------------------------------------------
New Features - see
  https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.0/com.ibm.help.ssp.overview.doc/ssp_whats_new.html
  o Support to include HTTP host header and client IP address in requests
    forwarded to backend HTTP servers. See SSP-3667 for more information
  o Additional configuration fields to support SSO and external SAML IdP
  o Support to export encrypted configuration data via RESTful APIs -
    ACTION: Requires new X-Passphrase keyword for exporting, importing
    sensitive objects: sspCMConfigs, Netmaps, Keystores, sysSslInfo, globals.
    See SSP-3539.
  o Require user to supply admin password at new installation. See SSP-3537
  o Rebrand the product name to IBM® Secure Proxy

MFT-10355/ (Engine) - Getting myFileGateway "Session expired" popup.
MFT-10451/IT30080 (CM) - CM GUI presents factory cert instead of common
SSP-3536/ (CM,Engine) - Log authentication failures for command line utilities in audit log
SSP-3537/ (CM) - Require admin password to be set during new CM installation
SSP-3539/ (CM) - (RESTAPI) Require password when exporting and importing sensitive configuration objects
SSP-3599, SSP-3603/ (Engine) - Support for Web Session for HTTP SSO sessions
SSP-3667/ (CM) - Support for X-Forwarded* HTTP headers
SSP-3763/ (Engine/CM) - Restrict permissions of the Unix bootstrap file

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 03 Build 203    Aug 2019
-------------------------------------------------------------------------------
SSP-3788/ (Engine) - Installation JPEG picture contains wrong product name

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 02 Plus Build 198    July 2019
-------------------------------------------------------------------------------
MFT-10422/IT29819 (Engine) - (HSM) FTPS data channel hangs during SSL handshake with HSM enabled
MFT-10444/IT29840 (CM) - RESTAPI script fails if the admin user is defined to use external authentication
MFT-10470/IT29827 (Engine) - HTTP 500 message for /Signon/login.html after upgrade to SSP6000 iFix 2+ B189.
SSP-3771/ - Add direction arrows ===> for readability in FTP logs

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 02 Plus Build 189    July 2019
-------------------------------------------------------------------------------
MFT-10207/IT29589 (Engine) - (HTTP) Getting myFileGateway "Session expired" popup using passthrough authentication

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 02 Build 181    June 2019
-------------------------------------------------------------------------------
MFT-10242/PSIRT15330 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches.

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 01 Plus Build 177    June 2019
-------------------------------------------------------------------------------
MFT-9915/IT29131 (Engine) - Memory leak in logging area causes OutOfMemory
MFT-10325/IT29109 (CM) - RESTAPI Issues with importing keyDefEntries.
MFT-10341/IT29130 (Engine) - (HTTP) Directory traversal issue
MFT-10368/IT29310 (Engine) - SSP Nodes getting into deadlock state
MFT-10374/IT29318 (CM) - (RESTAPI) Unable to import keyDefEntries
MFT-10382/IT29278 (PS) - More Secure PS (MSPS) scripts on Windows have wrong service name
SSP-3542/ (Engine) - Only allow selected whitelisted pages under /Signon to be rendered by engine
SSP-3561/ (Engine) - HSM IBMPKCS11 sample config files
SSP-3597/ (Engine,CM,PS) - InstallAnywhere 2018 upgrade
SSP-3698/ (Engine) - Adapter and netmap logs going to secureproxy.log instead, missing log files

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 01 Plus Build 148    May 2019
-------------------------------------------------------------------------------
MFT-9906/IT28592 (Engine) - (HSM,CD) Intermittent timeout during SSL handshake
MFT-9976/IT28591 (Engine) - (HSM,CD) Unable to open HSM keystore during SSL Handshake
MFT-10129/IT27075 (Engine) - (HTTP) Failures in HTTP adapters after upgrade to SSP 3.4.3.2 iFix 3
MFT-10206/IT28929 (CM) - Problem with SSPcm certificate renewal process
MFT-10218/IT28554 (Engine) - SSP sending FTP STOR command multiple times, leading to '451 - session in inconsistent state'
MFT-10219/IT28683 (Engine) - (SFTP) All SFTP clients timing out connecting to back end SFTP adapters
MFT-10241/IT28986 (CM) - SSPRestAPI fails with SNI handshake from client
MFT-10250/IT29018 (Engine) - OutOfMemory during SFTP transfer after upgrade
MFT-10257/IT28968 (Engine, CM) - Sporadic loss of data during bulk transfer of multiple files via Filezilla FTP client
SSP-3023/RTC569596 (CM,Engine) - (SFTP) Upgrade Maverick to latest 1.7.xx for additional ciphers
SSP-3132/ (CM,Engine) - Make TLSv1.2 the default protocol for secure connections
SSP-3525/ (CM) - SSO Configuration allowing invalid characters
SSP-3531/ (CM) - Correct legacy "TLS_ONLY" value to correct JSSE equivalent
SSP-3592/ (Engine) - Prompt for HSM password in configureHsmPassword utility
SSP-3660/ (Engine) - Add limit to number of data buffers being cached in FTP

-------------------------------------------------------------------------------
Summary of Fixes for SSP6000 iFix 01 Build 115    Mar 2019
-------------------------------------------------------------------------------
MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending with *
SSP-2968/No APAR (CM) - Allow HTTP response header overrides
SSP-3109/SSP-3578 (CM) - Better help in change password screen
SSP-3444/No APAR (CM) - Internal AppScan - CSRF - Login SSPNonce
SSP-3446/No APAR (CM) - (GUI) Adapters listed out of order in monitor
SSP-3451/No APAR (CM) - (GUI) Ensure HTTP Header values only have ASCII characters
SSP-3458/No APAR (CM) - Internal AppScan - HTTP cookies
SSP-3511/No APAR (CM, Engine) - (PeSIT) Netmap not accepting wildcard entries
SSP-3515/No APAR (Engine) - Improving messages for PeSIT user blacklisting
SSP-3525/No APAR (CM) - SAML 2.0 related field validations
SSP-3579/No APAR (CM) - SFTP netmap peer address pattern with multiple "?" wildcards fails with PatternSyntaxException
SSP-3584/SSP-3597 (CM,Engine,PS,SEAS) - Support for Windows 2016
SSP-3606/No APAR (CM) - (REST API) Unable to import XML with httpSecurityHeaders

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
     Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter)
===============================================================================

PSIRT12959, PSIRT13809 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP27 (8.0.5.27)
  for security patches.
  Resolution: Update the JRE 1.8 to bring it up to the Oracle October 2018
  level to satisfy the CVEs in PSIRT advisories 12959 and 13809. See
  http://www.ibm.com/support/docview.wss?uid=ibm10872758 for the Security
  Bulletin.
  ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced a change to disable SHA1
  certificates via the jdk.certpath.disabledAlgorithms parameter in the
  /jre/lib/security/java.security file. For more information, read the
  comments in the java.security file which relate to the added parm:

    jdk.certpath.disabledAlgorithms= * * *, SHA1 jdkCA & usage TLSServer,

MFT-9906/IT28592 (Engine) - (HSM,CD) Intermittent timeout during SSL handshake
  When using an HSM device to store SSL private keys, the SSL handshake
  sometimes timed out because it took longer than 5 minutes to pull the key
  from the keystore. The PNode disconnected due to timeout.
  Symptom: CSP900E Logged Exception : java.net.SocketException: Underlying
  socket is not connected
  Resolution: Eliminated 2 redundant loads of the HSM keystore which were
  causing a delay. Also added some extra debug to help track the flow leading
  up to the handshake.

MFT-9915/IT29131 (Engine) - Memory leak in logging area causes OutOfMemory
  A slow memory leak in the log4j2 logging subsystem led to an OutOfMemory
  (OOM) exception crash of the SSP engine after several weeks. Analysis of the
  heap dumps showed the following:
    The class "org.apache.logging.log4j.core.appender.AbstractManager"
    occupies 1,904,050,896 (89.23%) bytes. The memory is accumulated in one
    instance of "java.util.HashMap$Node[]".
  For each new session in which logging was enabled, the logging system was
  adding a new appender to write to the log file, even though in most cases
  one already existed for that file.
  Resolution: Corrected the logic which decided whether a new logging appender
  was required so that duplicate entries no longer accumulate and cause an OOM
  exception.

MFT-9976/IT28591 (Engine) - (HSM,CD) Unable to open HSM keystore during SSL
  Handshake
  Customer running a Gemalto (Luna) HSM device was unable to open the device
  during an SSL handshake for a CD process. The HSM keystore passphrase
  supplied with configureHsmPassphrase.sh was not working.
  Symptom: CSP900E Logged Exception : java.io.IOException - Vendor defined
  error (0x80000067)
  Resolution: Now correctly provide the HSM passphrase to the Luna device at
  SSP initialization time so it can be initialized. Also added better stack
  traces to help show if the problem is in IBMPKCS11, JSSE, or HSM code.

MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending
  with *
  On the Netmap Inbound Node Definition screens for CD, FTP, HTTP, and SFTP,
  the ability to have peer address patterns which started or ended with *,
  ex: *.company.com or www.company.*, was broken. Also known internally for
  the SSP6000 branch as SSP-3562. SSP-3357 provided REST API support to match
  the GUI changes.
  Resolution: Corrected the parser which was keeping these patterns from
  working.

MFT-10129/IT27075 (Engine) - (HTTP) Failures in HTTP adapters after upgrade
  to SSP 3.4.3.2 iFix 3
  After Customer applied SSP3432 iFix 3, certain HTTP transactions were
  failing with:
    SSP175E Invalid HTTP Request method. Client possibly attempting SSL/TLS
    connection.
    SSP0231E Invalid data from client (Exception unmarshalling) -
    com.sterlingcommerce.csp.jetty.io.ValidationFailedException, null
  Resolution: Now wait till a full request line is received before calling
  validateMethod()

MFT-10206/IT28929 (CM) - Problem with SSPcm certificate renewal process
  When using the CM GUI to update a keycert which is also used for connecting
  to SEAS, the copy of the certificate in the /conf/system/cmkeystore is not
  updated. If CM users are authenticated by SEAS, the connections to SEAS fail
  with an expired certificate.
  During connections to SEAS from the CM, the truststore and keystore entries
  needed for the connection were being copied from the configuration to the
  cmtruststore and cmkeystore, respectively, to assist in the connection. But
  if an entry already existed, it was not updated.
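  The two netmap pattern defects in this fixlist (MFT-10020 above, patterns
  that start or end with *, and SSP-3579 in Section II, patterns with several
  "?" raising PatternSyntaxException) share a root cause: a glob-style peer
  address pattern cannot be handed to a regular-expression engine unchanged,
  because a leading "*" or "?" is a bare quantifier and an unescaped "." in an
  IP address matches any character. The following Python is an added example
  and is not SSP code; it assumes the syntax implied by the fixlist ("*" is
  any run of characters, "?" exactly one character, everything else literal)
  and treats host names case-insensitively, which is this example's own
  choice. The netmap entries and addresses in it are constructed.

```python
import re

# Added example (not SSP code): a netmap-style peer address pattern matcher.
# Assumed syntax: "*" matches any run of characters (including dots), "?"
# matches exactly one character, everything else is literal. Matching is
# case-insensitive, an assumption made for host names.


def naive_regex_compiles(pattern: str) -> bool:
    """Show why the raw pattern cannot be compiled as a regex: a leading
    "*" or "?" is a dangling quantifier. Python raises re.error here; the
    Java engine raises PatternSyntaxException for the same kind of input."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def pattern_to_regex(pattern: str) -> str:
    """Translate a peer address pattern into an anchored regex. Every literal
    character is escaped so that "." in 10.1.2.3 stays a literal dot."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def peer_matches(address: str, pattern: str) -> bool:
    """True if the peer host name or IP address is admitted by the pattern."""
    return re.match(pattern_to_regex(pattern), address, re.IGNORECASE) is not None


def first_matching_pattern(address: str, patterns):
    """Return the first netmap pattern that admits the address, or None when
    no entry matches (the caller would then reject the inbound peer)."""
    for pat in patterns:
        if peer_matches(address, pat):
            return pat
    return None


if __name__ == "__main__":
    # Constructed netmap entries modelled on the patterns quoted in MFT-10020
    # (leading/trailing "*"), SSP-3511 ("CX1*") and SSP-3579 (multiple "?").
    netmap = ["*.company.com", "www.company.*", "10.1.?.??", "CX1*"]
    for addr in ["www.company.com", "10.1.2.34", "10.1.12.34", "other.company.org"]:
        print(addr, "->", first_matching_pattern(addr, netmap))
```

  Note that "10.1.?.??" admits 10.1.2.34 but not 10.1.12.34 or 10.1.2.3, since
  "?" is exactly one character; a pattern meant to cover a whole subnet needs
  "*" or an explicit list of entries.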
  Resolution: Updated the CM code which connects to SEAS to build the
  temporary keystore and truststore in memory rather than updating the files
  in /conf/system.

MFT-10207/IT29589 (Engine) - (HTTP) Getting myFileGateway "Session expired"
  popup using passthrough authentication
  Since the Jetty upgrade in 3.4.3.2 iFix 2 Plus Build 263, Customers were
  getting several strange behaviors connecting to myFileGateway via HTTP doing
  passthrough. Customers who had the front end (inbound) connection secured
  and the back end (outbound) session non-secure were getting a "Session
  expired due to inactivity" popup immediately from myFileGateway. Other
  Customers found that even if both sides of the session were secured, when
  they logged off and back on, they got the "Session expired" message.
  Resolution: Corrected the code to send all cookies back and forth between
  the two sessions and to correctly send cookies based on the Secure
  attribute.

MFT-10218/IT28554 (Engine) - SSP sending FTP STOR command multiple times,
  leading to '451 - session in inconsistent state'
  A client attempted to send a large number of files during a single FTP
  session through SSP to a B2Bi backend. The first few transfers succeeded,
  but then SSP happened to send the STOR command to the server twice in a
  row, causing the backend to respond with 451 Requested action aborted:
  session in inconsistent state. All subsequent uploads in the session then
  failed with the same error.
  Resolution: Corrected this timing issue by always clearing the cached
  command queue before returning to the 'CommandHandler' state.

MFT-10219/IT28683 (Engine) - (SFTP) All SFTP clients timing out connecting to
  back end SFTP adapters
  SFTP adapters were stalling when making connections to the backend SFTP
  server because a getLocalHost operation was hanging.
  Resolution: Updated the SFTP backend session setup logic to no longer do the
  getLocalHost operation to find the local NIC for the connection to the back
  end. This is already handled by the SSP local Perimeter Server code.
  Workaround: Supply the SFTP Adapter property
  sftp.listenAddress = nnn.nn.nnn.nn to supply the local NIC address.

MFT-10241/IT28986 (CM) - SSPRestAPI fails with SNI handshake from client
  The Customer replaced their factory certificate with a self-signed keycert
  using a wildcard in the common name: CN=*.si.com. When submitting the
  sspRestAPI.sh script, the TLS ClientHello message included a server_name
  extension, which caused the connection to fail with
    /sspcmrest/sspcm/rest/session
    org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI
  The REST API client was not inserting the HTTP Host header during the
  connection to the SSP CM, and Jetty on the CM server side was set to enforce
  SNI checking if the client indicated it.
  Resolution: Corrected the client side of the RESTAPI to allow the HTTP Host
  header name to be set in sspRestAPI.properties so that it matches the CN of
  the Client's public key. Also changed the behavior of the CM to disable the
  SNI checking if -Dssp.cm.jetty.sni.enable=false is set in the startCM.sh
  script.

MFT-10250/IT29018 (Engine) - OutOfMemory during SFTP transfer after upgrade
  Customer applied SSP3432 iFix 4 Plus Build 291 and encountered an
  OutOfMemory (OOM) crash when transferring files with SFTP. The build
  included a new Maverick toolkit which changed the way it managed buffers
  during transfers. The heap dump contained tens of thousands of
  com/maverick/ssh/Packet objects.
  Resolution: Updated the API calls to use the new CreatePacket method in the
  Maverick toolkit, which is the preferred method of managing the memory.

MFT-10257/IT28968 (Engine, CM) - Sporadic loss of data during bulk transfer of
  multiple files via Filezilla FTP client
  Customer attempting to upload 500 files with Filezilla was getting many
  files missing and missing data in the files which were transferred. The
  utility was sending data before SSP had signalled it was ready to receive.
Resolution: Now maintain a temporary buffer to hold the data sent from the FTP client before SSP is ready to receive it. See also SSP-3660. SSP-2968/No APAR (CM) - Allow HTTP response header overrides Resolution: Allow the user to be able to override the default values for these response headers: X-Frame-Options, X-XSS-Protection, Content Security Policy, X-Content-Type-Options and Strict-Transport-Security SSP-3023/RTC569596 (CM,Engine) - (SFTP) Upgrade Maverick to latest 1.7.xx for additional ciphers The Maverick 1.6.x toolkit goes out of support at the end of 2019. Also, there have been requests for additional ciphers which are provided in the 1.7.x toolkit. Resolution: Now utilize the Maverick J2SSH client and SSHD server toolkits, which also supply the following new ciphers New ciphers: aes128-gcm@openssh.com, aes256-gcm@openssh.com New macs: hmac-ripemd160, hmac-ripemd160-etm@openssh.com hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com New groups: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org SSP-3109/SSP-3578 (CM) - Better help in change password screen When the password policy is used for CM users, there should be better messages in the change password screen. Resolution: Added popup assistance messages such as, "Your password is required to contain at least one of the following characters `#@$%^&* " And, "Confirm password must match New Password". SSP-3444/No APAR (CM) - Internal AppScan - CSRF - Login SSPNonce An internal APPScan revealed that CM GUI sessions were using an insufficient authentication method. Resolution: Now validate the value of the "Referer" header and use a one-time nonce for each submitted form. SSP-3446/No APAR (CM) - (GUI) Adapters listed out of order in monitor tab In the CM monitor tab, the Engine status lines were in alphanumeric order but the adapter lines were not. Resolution: Corrected the monitor screen to display the adapters in alphanumeric order. 
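The two checks that SSP-3444 describes (Referer validation plus a one-time nonce per submitted form), as an added Python example that is not SSP code. The FormNonceStore class, the function names and the CM origin used in the comments are assumptions; only the SSPNonce field name comes from the entry title.

```python
# Added example (not SSP code): CSRF defence as described in SSP-3444,
# a Referer origin check plus a single-use nonce per rendered form.
# FormNonceStore and the function names are hypothetical.
import secrets
from urllib.parse import urlsplit


class FormNonceStore:
    """Per-session store of nonces that are still valid for one submission."""

    def __init__(self):
        self._issued = set()

    def issue(self) -> str:
        # 128-bit random value, embedded in the form when it is rendered.
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def consume(self, nonce: str) -> bool:
        # Removing the nonce on first use is what defeats a replayed submission.
        if nonce in self._issued:
            self._issued.remove(nonce)
            return True
        return False


def referer_allowed(headers: dict, expected_origin: str) -> bool:
    """Accept only a Referer whose scheme, host and port equal the CM's own origin.
    A missing Referer is rejected: the CM only serves forms from itself."""
    referer = headers.get("Referer")
    if not referer:
        return False
    got, exp = urlsplit(referer), urlsplit(expected_origin)
    return (got.scheme, got.hostname, got.port) == (exp.scheme, exp.hostname, exp.port)


def accept_form_post(headers: dict, form: dict, nonces: FormNonceStore,
                     expected_origin: str) -> bool:
    """Both checks must pass. The Referer is checked first so that a rejected
    cross-site post does not burn the nonce of the legitimate open form."""
    if not referer_allowed(headers, expected_origin):
        return False
    return nonces.consume(form.get("SSPNonce", ""))
```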
SSP-3451/No APAR (CM) - (GUI) Ensure HTTP Header values only have ASCII characters
HTTP headers need to be validated to make sure that values are in ASCII format.
Resolution: Now validate the HTTP headers for ASCII data.

SSP-3458/No APAR (CM) - Internal AppScan - HTTP cookies
An internal AppScan recommended some updates for HTTP cookies used to access the GUI.
Resolution: Now set the domain and path for HTTP cookies containing session identifiers to an appropriately restricted value for the site.

SSP-3511/No APAR (CM, Engine) - (PeSIT) Netmap not accepting wildcard entries
The PeSIT protocol netmap for inbound entries was not allowing wildcard patterns, such as "CX1*" or "CX2*", only a full wildcard "*" or full names.
Resolution: Now allow the PeSIT netmap to accept peer address patterns.

SSP-3515/No APAR (Engine) - Improving messages for PeSIT user blacklisting
When using the new blacklisting feature introduced in SSP 6.0, the IP address blacklisting works for PeSIT and indicates that the session was rejected because the address was blacklisted. But while the user blacklisting locked the PeSIT user, the log did not say it was because of blacklisting.
Resolution: Now put out the SSP0511E message for a locked userid, which indicates the PeSIT account was locked due to blacklisting.

SSP-3525/No APAR (CM) - SAML 2.0 related field validations
In the Advanced / SSO Configuration screen, the new SAML 2.0 fields introduced in SSP 6.0 were not being validated fully.
Resolution: Now do URL validation for the Service Provider ID, External Portal Login URL, and External Portal Logout URL. Also, for Fully Qualified Host Names, added a similar validation for the Primary Destination Address field, which means the FQDN for SSO will not accept any kind of IP pattern or peer address pattern.

** SSP-3579/No APAR (CM) - SFTP netmap peer address pattern with multiple "?" wildcards fails with PatternSyntaxException
An SFTP netmap peer address pattern that contained two or more "?" characters was throwing the exception java.util.regex.PatternSyntaxException: Dangling meta character.
Resolution: Now allow multiple ? characters in the SFTP netmap peer address pattern.

SSP-3584/SSP-3597 (CM,Engine,PS,SEAS) - Support for Windows 2016
Resolution: Add support for Windows 2016 - Upgraded all installers to use InstallAnywhere 2018 SP1.

SSP-3606/No APAR (CM) - (REST API) Unable to import XML with httpSecurityHeaders
The new HTTP Security Header overrides introduced in SSP-2968 were not being handled correctly by the RESTAPI import tool.
Resolution: Modified the SSP 6.0 sysglobals.xsd to accept the httpSecurityHeader & cookie domain fields.

SSP-3660/ (Engine) - Add limit to number of data buffers being cached in FTP
This is an extension of MFT-10257.
Resolution: Added new FTP adapter property ftp.max.data.buffers.cache=50 to limit the number of data buffers being cached in FTP to avoid an out of memory issue. The value must be an integer > zero and <= 999.

MFT-10325/IT29109 (CM) - RESTAPI issues with importing keyDefEntries
Customer attempting to use the REST API to import a key certificate was getting "Create key operation failed. - Error parsing request: expected root xml element to be elements but received keyStoreDef".
Workaround: Set N=-DvalidateThruXSD=false in bin/startCM.sh.
Resolution: Updated the XSD syntax definition file to allow the user to provide input xml with the keyStoreDef tag as the root. Also made changes to the createKeyDef, modifyKeyDefEntries and deleteKeyDefEntries APIs to make them work correctly with the CLI. Also removed the ability to add or delete certificates in the internal CM->System->Certificate Stores, since they do not allow updates from the GUI either.

MFT-10341/IT29130 (Engine) - (HTTP) Directory traversal issue
Customer noticed that URLs including ..//..//, which is a common directory traversal hack, were being passed back to SI/SFG to be handled.
Resolution: Added code to strip the intervening dots and slashes using canonical methods, further protecting the backend server.

MFT-10357/PSIRT16274,16318 (Engine,CM) - Security upgrade to Jetty 9.4.20
Resolution: Update the Jetty server to satisfy the CVEs in PSIRT advisories 16274 and 16318. See http://www.ibm.com/support/docview.wss?uid=ibm11095826 for the Security Bulletin.

MFT-10368/IT29310 (Engine) - SSP Nodes getting into deadlock state
After applying SSP3432 iFix 4 Plus Build 295, the Customer found that several nodes were hanging, caused by threads in a deadlocked state.
Resolution: Corrected a locking mechanism introduced by defect MFT-10257 which caused threads to be deadlocked.

MFT-10374/IT29318 (CM) - (RESTAPI) Unable to import keyDefEntries
Customer exported their CM configuration using the RESTAPI but could not import it back in. They were getting "cvc-complex-type.2.4.a: Invalid content was found starting with element 'keyauthReqdBeforePwdauth'".
Resolution: Updated the xsd definition file to allow the keyauthReqdBeforePwdauth keyword on import.

MFT-10382/IT29278 (PS) - More Secure PS (MSPS) scripts on Windows have wrong service name
When installing a Perimeter Server on Windows as a More Secure PS, the startPSservice.cmd and stopPSservice.cmd scripts are generated without the engine hostname in the service name, so that they will not actually start or stop the service.
Resolution: Updated the InstallAnywhere step for a More Secure Perimeter Server to add the Engine host to the Windows Service name: SSP_PerimeterServer_%EnginePort%_$EngineHost$

SSP-3132/ (CM,Engine) - Make TLSv1.2 the default protocol for secure connections
SSP formerly installed with TLSv1 as the default TLS protocol.
Resolution: For new installs, make TLSv1.2 the default protocol everywhere a TLS secure connection is made.

SSP-3525/ (CM) - SSO Configuration allowing invalid characters
The CM->Advanced->SSO Configuration was allowing special characters other than "-", "_", "." and ":" in the "Fully Qualified Hostname" field.
Resolution: Now ensure that the hostname value only uses standard characters.

SSP-3531/ (CM) - Correct legacy "TLS_ONLY" value to correct JSSE equivalent
An older configuration may contain the "TLS_ONLY" protocol value, which resulted in "java.security.NoSuchAlgorithmException: TLS_ONLY SSLContext not available".
Resolution: Now automatically convert TLS_ONLY to the correct JSSE equivalent.

SSP-3542/ (Engine) - Only allow selected whitelisted pages under /Signon to be rendered by engine
Clients accessing the SSP HTTP proxy adapter login portal send requests with a URL path starting with /Signon/. Before this fix SSP would render any html pages and resources under the configured login dir (/Signon/).
Resolution: Updated the HTTP Proxy in SSP to whitelist the html pages and other resources being rendered to the client. A new property file is created at /bin/portal/pages.properties. Secure Proxy will render only the files listed in this properties file. If a page request is made for a file not in the properties file, the following error is returned: Engine_host is currently unable to handle this request.
ACTION: If you have added additional files or directories as part of customizing the Login portal (/Signon directory), you must add whitelist entries for them similar to the existing entries in the new /bin/portal/pages.properties file.

SSP-3561/ (Engine) - HSM IBMPKCS11 sample config files
SSP was shipping the Luna 5.0 configuration file for Customers who use HSM boxes, even though that version is no longer supported.
Resolution: Now ship the Luna 6.0 configuration file in the /conf directory and include all the supported IBMPKCS11 sample config files in a new file called /conf/PKCS11ConfigFiles.zip.

SSP-3592/ (Engine) - Prompt for HSM password in configureHsmPassword utility
The configureHsmPassword utility only allowed specifying the HSM password on the command line, which exposes the password in the system log.
Resolution: The configureHsmPassword utility now prompts for the HSM password and does not echo the typing.

SSP-3597/ (Engine,CM,PS) - InstallAnywhere 2018 upgrade
Resolution: Upgraded to InstallAnywhere 2018, which provides support for Windows 2016 Server.

SSP-3698/ (Engine) - Adapter and netmap logs going to secureproxy.log instead, missing log files
The fix for MFT-9915 caused the adapter and netmap logs to no longer be created, with all logging going to secureproxy.log.
Resolution: Corrected the fix to not create a new appender for a new session if the appender and logger already existed, but to use the existing proven method when starting to log to a new file.

MFT-10242/PSIRT15330 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches
Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2019 level to satisfy the CVEs in PSIRT advisory 15330. See http://www.ibm.com/support/docview.wss?uid=ibm10885937 for the Security Bulletin.
ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) introduced a change to disable anon and null cipher suites via the jdk.tls.disabledAlgorithms parameter in the /jre/lib/security/java.security file. If your site uses these suites for testing, update your java.security file to remove the last 2 parms:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
ACTION - The java.security file includes a new parm for distrusting CAs:
jdk.security.caDistrustPolicies=SYMANTEC_TLS
For more information, see the writeup in the java.security file.

MFT-10355/ (Engine) - Getting myFileGateway "Session expired" popup
MFG was showing the "Session expired" popup when logging in via SSP using passthrough. SSP was only sending one Set-Cookie to the client, even if there were multiple Set-Cookies from the backend. Also, the Secure attribute in Set-Cookie was not getting set according to the security setting of the inbound connection.
Resolution: Now send the Set-Cookies properly so that the session expire popups are no longer shown.

MFT-10402/IT30050 (Engine) - *HIPER* (SFTP) OutOfMemory (out of threads) when SEAS goes down with no failover coded
Customer defined an SFTP adapter which uses SEAS External Authentication but did not have failover properties coded. When the SEAS became unreachable for several hours, new connections and load balancer pings continued to be directed to the SEAS for authentication until the JRE used up all available threads based on the numprocs allotted to the user. The adapter's max session value was ignored when in this state.
Resolution: Firmed up the code in the following ways:
1) When at the adapter max session count, shut down any new session without calling SEAS.
2) If a new session comes in and EA is detected down, shut down the session and report a system failure to the caller.
3) If EA authentication fails for any reason, since we do not have a token, bypass calling SEAS to invalidate the token during session shutdown.
Workaround/Best practice: Define failover properties in each SFTP adapter that uses SEAS to ensure that when SEAS or SI is detected to be down, the adapter will turn off its listener to stop incoming traffic until SEAS and SI are detected to be up again:
failover.detection.enabled true
failover.detection.mode continuous
failover.poll.interval 15 (seconds)

MFT-10422/IT29819 (Engine) - (HSM) FTPS data channel hangs during SSL handshake with HSM enabled
The HSM keystore was taking a long time to load during the SSL handshake, which resulted in session timeouts.
Resolution: Now load the HSM keystore during engine startup time and keep it in memory to speed up subsequent handshakes. Also, reload the HSM keystore periodically based on the value of the RELOAD_HSM_KEYSTORE_TIME parm in the /bin/security.property file, default 15 (minutes).
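The netmap peer address patterns of SSP-3511 and SSP-3579 above, as an added Python example that is not SSP code: every character of the pattern is escaped before the "*" and "?" wildcards are turned back into regex, so a pattern with any number of "?" characters compiles instead of reaching the regex engine as a bare quantifier. The function names are assumptions.

```python
# Added example (not SSP code): safe translation of a netmap peer address
# pattern ("*" = any run of characters, "?" = exactly one character) into a
# regular expression. Passing the raw pattern to the regex engine is what
# produced "Dangling meta character" for a bare "?" (SSP-3579).
import re


def peer_pattern_to_regex(pattern: str) -> re.Pattern:
    """Escape everything, then re-introduce only the two wildcards.
    A literal "." in an address therefore stays a literal "."."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def peer_matches(pattern: str, peer: str) -> bool:
    """True when the whole peer address (or PeSIT peer name) fits the pattern."""
    return peer_pattern_to_regex(pattern).match(peer) is not None


def netmap_lookup(netmap_patterns, peer: str):
    """Return the first netmap pattern that admits the peer, or None.
    Constructed helper: a netmap here is just an ordered list of patterns."""
    for pattern in netmap_patterns:
        if peer_matches(pattern, peer):
            return pattern
    return None
```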
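The Set-Cookie handling that MFT-10207 and MFT-10355 describe, as an added Python example that is not SSP code: every backend Set-Cookie is forwarded, not just the first, and the Secure attribute is decided by whether the inbound (client) connection is TLS. The function names and the sample backend headers are constructed.

```python
# Added example (not SSP code): forwarding backend Set-Cookie headers through a
# proxy. The Secure attribute must reflect the inbound connection: a cookie
# marked Secure over a plain-HTTP front end is never returned by the browser,
# which is what produced the immediate "Session expired" popup (MFT-10207).
import re

_SECURE_ATTR = re.compile(r";\s*Secure\b", re.IGNORECASE)

# Constructed sample, not captured from a real B2Bi/myFileGateway backend.
SAMPLE_BACKEND_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=1A2B3C; Path=/myfilegateway; HttpOnly"),
    ("Set-Cookie", "MFGSESSION=xyz; Path=/; Secure; HttpOnly"),
]


def rewrite_set_cookie(header_value: str, inbound_tls: bool) -> str:
    """Return one Set-Cookie value whose Secure attribute is present iff the
    client side of the proxy is TLS, regardless of what the backend sent."""
    value = _SECURE_ATTR.sub("", header_value).rstrip("; ")
    if inbound_tls:
        value += "; Secure"
    return value


def forward_set_cookies(backend_headers, inbound_tls: bool):
    """backend_headers: list of (name, value) as received from the backend.
    Returns one Set-Cookie value per backend cookie; the defect was that only
    a single Set-Cookie reached the client (MFT-10355)."""
    return [
        rewrite_set_cookie(value, inbound_tls)
        for name, value in backend_headers
        if name.lower() == "set-cookie"
    ]
```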
MFT-10444/IT29840 (CM) - RESTAPI script fails if the admin user is defined to use external authentication
The RESTAPI was doing local authentication in addition to external auth when the admin user running the RESTAPI was defined as using EA.
Resolution: Now properly authenticate users defined as external auth when running the RESTAPI.

MFT-10451/IT30080 (CM) - CM GUI presents factory cert instead of common
The Customer attempted to replace their SSP factory certificate with a new common certificate with the ./configureCmSsl.sh -u commonCert= command. The CM and Web certs showed to be using the new alias. However, when connecting to the CM GUI, the SSL certificate displayed was the SSP factory certificate.
Resolution: Now ensure that at the low level keystore operation, the designated keycert alias is honored when the key is requested.
Workaround: After the new commonCert has been added, delete the "factory" alias using ./configureCmSsl.sh -d alias=factory

MFT-10470/IT29827 (Engine) - HTTP 500 message for /Signon/login.html after upgrade to SSP6000 iFix 2+ B189
The new blacklist/whitelist feature in SSP6000 was interfering with the portal pages (/Signon, etc) on a UNIX/Linux system. The whitelist page list in /bin/portal/pages.properties used backward slashes for all the page names, which was only compatible with Windows systems.
Resolution: Changed all the whitelisted page names to use forward slashes as the path separator. The code now also converts the requested path to forward slashes for the comparison, whether on UNIX or Windows.

MFT-10483/IT30076 (CM) - RESTAPI activity leads to OutOfMemory (OOM) full of AuthenticationResource, JMS objects
The Customer is making heavy use of the REST API to update their configuration. After many sessions, the CM gets an OOM exception because the memory is full of AuthenticationResource objects. Also, at one point the Customer had JMS logging configured in the CM system tab without a JMS queue activated to receive the data, which filled the memory with JmsPublisherProxy objects.
Resolution: Now ensure that the AuthenticationResource session object is cleaned up at the end of each RESTAPI session. Also, maintain a limit on JMS queue objects so that we don't overflow the memory when the JMS queue is not active.

MFT-10485/IT30344 (Engine) - (SFTP) OutOfMemoryError "Java heap space" crash
The SFTP adapter was adding to a backendRegistrarMap object each time a session opened a corresponding session to the back end SI server. However, in some cases, the placeholder in the map was not getting cleaned out at logoff time. The heap dump showed that 91% of the memory was consumed by one class, "com.sterlingcommerce.cspssh.daemon.SftpAccessManager", and one object, java.util.HashMap$Node[].
Resolution: Now ensure that the session entry is cleaned out of the backendRegistrarMap at logoff time.

SSP-3530/ (CM) - REST API issues when importing from older CM
Internal testing found several issues when importing a configuration with the REST API which was exported from an older version of SSP. They got syntax errors with the 'createdBy' and 'formatVer' elements, the import rejected expired certificates and cipher suites which had been deprecated, and the factory certificate was not replaced.
Resolution: Updated the RESTAPI import logic to recognize and include artifacts from older versions to make upgrades between versions more seamless.

SSP-3771/ - Add direction arrows ===> for readability in FTP logs
Resolution: Added some directional arrows in the logging for FTP control channel traffic to make it easier to follow the flow of data between the client and SSP and between SSP and the back end server.
Examples:
===> RECV fr Client:
SEND to Server ===>:
RECV fr Server <===:
<=== SEND to Client:

SSP-3788/ (Engine) - Installation JPEG picture contains wrong product name
Resolution: Updated the JPEG file to contain the correct product name.

SSP-3810/ (CM) - REST API xsd failure for ssoConfig and sysGlobals
XSD validation failures for ssoConfig and SysGlobals were preventing update and import operations.
Resolution: Updated the xsd files to include all the correct elements.

SSP-3833/ (CM) - RESTAPI failure on userstore entry without password policy
REST API import of an SSP CM user was failing with invalid passwordPolicy when the user had no password policy assigned.
Resolution: Now allow CM users having no password policy to be imported.

MFT-10541/IT30346 (CM) - (RESTAPI) userStore API update throwing exception on CLI
After a userStore update operation using the RESTAPI Command Line Interface, if the xml contained an "<?xml ... ?>" declaration the operation reported success but then got the message: org.xml.sax.SAXParseException: The processing instruction target matching "[xX][mM][lL]" is not allowed.
Resolution: Now remove the offending xml so the parse exception does not occur.

MFT-10559/IT30200 (CM) - Jetty Http server uses incorrect certificate alias
Customer added a new keycert with a new alias to replace their expired keycert. However, when they attempted to log on to the GUI, they were presented with the expired certificate.
Resolution: Updated the HTTP server side code to ensure that we honor the keycert alias listed in the configureCmSsl.sh -s utility.

MFT-10564/IT30532 (Engine) - Blacklist not displaying messages for SFTP protocol
When an SFTP user was found on the blacklist, the session was terminated, but the reason was not logged.
Resolution: Now put out a new log message to show that the blacklisted user session has been terminated:
SSE2900 : UserId test3 is Blacklisted.Terminating session. /10.20.30.40:1234

MFT-10578/PSIRT17288 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches
Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2019 level to satisfy the CVEs in PSIRT advisory 17288. See http://www.ibm.com/support/docview.wss?uid=ibm11089580 for the Security Bulletin.

MFT-10608/IT30643 (Engine) - (SFTP) Added client ciphers as well as negotiated ciphers in logging
After installing SSP3432 iFix 5, the Customer lost visibility in the logs of the SFTP clients' available ciphers and hmacs. The Customer needed this debug info for a project to ensure their clients would be able to run with stronger ciphers.
Resolution: Added back in a DEBUG message, "Key Exchange Init Details :", which contains the key exchange, ciphers, macs, etc. that the client is capable of. Another message, "Negotiated Ciphers Details :", shows the ones chosen for the session.

SSP-3536/ (CM,Engine) - Log authentication failures for command line utilities in audit log
This defect is the result of internal proactive Threat Model testing.
Resolution: Now log authentication failures for the following command line utilities (*.bat or *.sh):
CM: changePassphrase, configureAccepter, configureCmSsl, listCmCerts, manageCSRs, manageKeyCerts, startCM, stopCM.bat
Engine: changePassphrase, configureAccepter, configureEngineSsl, configureHsmPassword, listCerts, startEngine, stopEngine

SSP-3537/ (CM) - Require admin password to be set during new CM installation
This defect is the result of internal proactive Threat Model testing.
Resolution: On new installs (not upgrades) of the SSP Configuration Manager, request and confirm a valid password for the admin id. This is to keep all installations of SSP from having the same default admin password.

SSP-3539/ (CM) - (RESTAPI) Require password when exporting and importing sensitive configuration objects
This defect is the result of internal proactive Threat Model testing.
Resolution/ACTION: Now require a new X-Passphrase keyword for exporting or importing sensitive configuration objects: sspCMConfigs, Netmaps, Keystores, sysSslInfo, globals. The exported configuration data will be encrypted with the supplied passphrase and cannot be imported without supplying the same.

SSP-3599, SSP-3603/ (Engine) - Support for Web Session for HTTP SSO sessions
The HTTP adapter creates a TCP session id for every connection from a client/browser. But SSO sessions may involve multiple connections tied to an authenticated web session id. This becomes more crucial when adding more features related to support for a SAML external IdP.
Resolution: This new feature is only applicable when 'Application Authentication' is selected for the HTTP policy and SSO is selected for the HTTP Proxy Adapter. Now create a unique web session id after authentication and supply it via a websessionid cookie. At logout or timeout, invalidate the web session id and clear the websessionid cookie.

SSP-3667/ (CM) - Support for X-Forwarded* HTTP headers
Currently the SSP HTTP proxy adapter modifies the Host header received from the client to match the host specified in the outbound node before sending the request on to the backend HTTP Server.
Resolution: Add the capability to forward the IP details of the incoming HTTP connection to Sterling Integrator. This defect is in response to Customer enhancement requests SSP-I-77 and SSP-I-80. If the HTTP Proxy adapter property "passthru.client.host.header" is specified and set to true, the Host header from the client/browser will be passed as is to the backend Server. Otherwise keep the current behavior.

SSP-3763/ (Engine/CM) - Restrict permissions of the Unix bootstrap file
Resolution: During a new install, set the permissions for the password bootstrap file to 600 (owner RW only).
MFT-10616/IT30591 (CM) - REST API fails with "The processing instruction target matching "[xX][mM][lL]" is not allowed"
After upgrading the SSPCM to 3.4.3.2 iFix 5, the RESTAPI call for SSH key modification fails with "The processing instruction target matching "[xX][mM][lL]" is not allowed. line # 1 column # 40". The input xml contained an "<?xml ... ?>" declaration at the beginning, but that was not a problem in previous builds.
Resolution: Now remove xml headers which during validation are being inserted after the root tag.

MFT-10656/IT30692 (CM) - SSPCM "Enable SSP CM startup backup" field in CM System settings has no effect
Attempted to configure CM to not back up at startup by unchecking "Enable SSP CM startup backup" (from the SSP Dashboard, System -> System Settings -> CM System Settings -> Globals). After saving the page and coming back, the field is checked again.
Resolution: Now handle the negative case when the CM Backup checkbox is not selected.

MFT-10692/IT30823 (CM) - (FTP) EPSV command giving wrong response
The original MFT-9148 fix to support FTP's Extended PASV (EPSV) and Extended PORT (EPRT) RFC chose the response based on whether SSP detected IPv6 addresses. If SSP was on a machine in IPv6 mode, the response for the EPSV command was the PASV response.
Resolution: Now return the response to the PASV or EPSV command based on the command entered rather than on whether we detect that IPv6 addressing is in play. For PASV, the response continues to be "227 Entering Passive Mode (127,0,0,1,153,178)". For EPSV, the response is "229 Entering Extended Passive Mode (|||58792|)".

MFT-10704/IT31049 (Engine) - Engine audit logs contain hashed passwords
The SSP engineAuditEvent entry for a configuration push contained Base64 hashed password values for the admin id and some keycerts.
Resolution: Now replace the hashed password values in the audit logs with asterisks (****).

MFT-10749/IT31534 (CM) - NPE during RESTAPI session cleanup
RESTAPI sessions are maintained in a map and get cleaned up after a set amount of inactivity by the RestAPI_SessionCleanup thread. If any problem happens during cleanup, the map entry is not cleared and the thread attempts to log off the same session every minute, getting a NullPointerException (NPE) on each attempt.
Resolution: Now ensure each portion of the RESTAPI session cleanup gets a chance to run so the map is cleared.

MFT-10762/IT31135 (Engine) - (CD) SSP incorrectly logs stepname of run task and run job C:D process steps
SSP was logging a hardcoded stepname "SameStep" during a Connect:Direct run task or run job process step.
Resolution: Now log the actual stepname in the RUN JOB, RUN TASK and SUBMIT processes.

MFT-10737/IT31341 (Engine) - Unable to login to the CM after upgrade
After upgrading SSP Linux to 6.0.0.1, the Customer would log in to the CM but immediately get "Unauthorized Access Attempted" messages. The Customer's load-balancing setup was generating different IP addresses for each connection to the SSP CM Dashboard and the Content Manager.
Resolution: Turned off checking for matching IP addresses between the SSPCM Dashboard and Content Manager webapp sessions.

MFT-10774/IT31439 (Engine) - (CD) CSP032E 4 KQV keyword "RLS2" found in FM70, but not defined in XML schema definition
SSP uses xsd files to validate the CD FMHs going through. As the various CD groups develop new features, we periodically must add new keywords (KQV) they may have created.
Resolution: Add support for the following KQV values:
FMH70: RLS2
FMH71: DEXP,DEXR,DSFF,DSFS,DMXF,SDVF,SMXG,SDVE,DDVF,DDSY,DMXG,DDVE
FMH7402: ZECR,ZIFR,ZIFS,NODA,SDTP,DDTP,SDVE,DDVE,SISM,DISM,SMXG,DMXG

MFT-10832/IT31500 (Engine) - (HTTP) Duplicate Host Header attribute
The SSP HTTP adapter was adding a duplicate "HOST: serverIp:serverPort" to the requests going to the backend.
Resolution: Added logic to make sure that duplicate HOST headers are not sent to the backend. Internally fixed as SSP-3820.
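The outbound header handling of SSP-3667 (passthru.client.host.header and forwarding the caller's IP details) and MFT-10832 (exactly one Host header to the backend), as an added Python example that is not SSP code. The function names, the sample client headers and the choice of X-Forwarded-For / X-Forwarded-Proto / X-Forwarded-Host as the forwarded headers are assumptions; the page only says that X-Forwarded* headers are used.

```python
# Added example (not SSP code): building the header list a proxy sends to the
# backend. Client-supplied X-Forwarded-* headers are dropped rather than
# extended, because a browser can set them to any value and the backend would
# otherwise log or authorise a spoofed address.
FORWARDED = ("x-forwarded-for", "x-forwarded-proto", "x-forwarded-host")

# Constructed sample: a browser request with a duplicated Host header and a
# forged X-Forwarded-For, not a captured SSP request.
SAMPLE_CLIENT_HEADERS = [
    ("Host", "mft.example.com"),
    ("User-Agent", "Mozilla/5.0"),
    ("X-Forwarded-For", "10.0.0.1"),
    ("Host", "mft.example.com"),
    ("Cookie", "JSESSIONID=abc"),
]


def build_backend_headers(client_headers, client_ip, client_tls,
                          outbound_host, outbound_port,
                          passthru_client_host_header=False):
    """client_headers: list of (name, value) from the client, in order.
    Returns the headers for the backend with exactly one Host header, either
    the outbound node's host:port (default) or, with
    passthru.client.host.header=true, the client's own Host value."""
    out = []
    client_host = None
    for name, value in client_headers:
        lname = name.lower()
        if lname == "host":
            if client_host is None:
                client_host = value      # keep the first, ignore duplicates
            continue                      # re-added exactly once below
        if lname in FORWARDED:
            continue                      # untrusted: set by the proxy only
        out.append((name, value))
    if passthru_client_host_header and client_host is not None:
        host_value = client_host
    else:
        host_value = f"{outbound_host}:{outbound_port}"
    out.insert(0, ("Host", host_value))
    out.append(("X-Forwarded-For", client_ip))
    out.append(("X-Forwarded-Proto", "https" if client_tls else "http"))
    if client_host is not None:
        out.append(("X-Forwarded-Host", client_host))
    return out


def count_header(headers, name):
    """Number of occurrences of a header name, case-insensitively."""
    return sum(1 for n, _ in headers if n.lower() == name.lower())
```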
SEAS-1083/ (Engine) - (HTTP) Password change on SSO portal clears all policies on password policy display tab
When a user changed their password through the SSO portal, an unexpected method was being called to clear the cookies.
Resolution: Removed the inadvertent call to the method that cleared the cookies.

SSP-3540 (Engine) - Do not log sessionids or sso tokens used for authentication
Internal scans flagged that no sessionids or sso tokens used for authentication should be logged.
Resolution: Now map the sessionid and sso tokens to an internal value and log that value.

SSP-3543 (CM, Engine) - Generate keys at install time
Internal ThreatModel scanning indicated that we should no longer install an SSP Factory Certificate to be used by all Customers. The factory certificate was used to secure communication between the CM and engine(s).
Resolution: On new installs of the CM or Engine, generate a self-signed certificate or allow Customers to import their own keycert during the install process. If a self-signed cert is generated, it is also securely exported so that it can be imported into the other component(s).

SSP-3612 (Engine,CM) - Make Security Headers active by default for the HTTP adapter
Resolution: Now set Strict-Transport-Security, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy and X-Frame-Options to be on by default, while leaving the ability to change them or turn them off.

SSP-3803 (Engine,CM) - Generate unique encryption key at install time
Internal ThreatModel scanning indicated a change in the way we encrypt the system passphrase which is used to encrypt the configuration files.
Resolution: On new installs of the CM or Engine, generate a unique hex key and store it in a file with read/write permissions for the userid of the installer only. This key is used to encrypt the passphrase the installer supplies, which encrypts the configuration files.
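The two log-sanitising fixes SSP-3540 (log an internal value in place of session ids and SSO tokens) and MFT-10704 above (replace hashed password values in audit events with asterisks), as an added Python example that is not SSP code. The field names the patterns match, the alias format and the sample log lines are constructed; the page does not give SSP's real field names.

```python
# Added example (not SSP code): scrubbing authentication secrets before a line
# reaches the log. Session ids and SSO tokens are replaced by a keyed alias
# (stable within one process, so a session can still be followed across
# lines, but not reversible from the log), password hashes by "****".
import hashlib
import hmac
import re

# Constructed field names; SSP's actual log field names are not on this page.
TOKEN_FIELDS = re.compile(r"\b(sessionid|ssotoken|websessionid)=([^\s;,]+)",
                          re.IGNORECASE)
PASSWORD_FIELDS = re.compile(r'(password|passphrase)="([^"]*)"', re.IGNORECASE)

# Constructed sample lines, not real SSP engineAuditEvent output.
SAMPLE_LINES = [
    'engineAuditEvent user=admin password="c2VjcmV0aGFzaA==" action=configPush sessionid=AB12CD34EF',
    'HTTP logon ok sessionid=AB12CD34EF ssotoken=eyJhbGciOi.payload.sig websessionid=ws-7788',
]


class LogSanitizer:
    def __init__(self, alias_key: bytes):
        # A per-process random key; without it an alias cannot be mapped back.
        self._key = alias_key

    def alias(self, token: str) -> str:
        """Internal value logged instead of the token (SSP-3540)."""
        mac = hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()
        return "sess-" + mac[:12]

    def sanitize(self, line: str) -> str:
        line = TOKEN_FIELDS.sub(
            lambda m: f"{m.group(1)}={self.alias(m.group(2))}", line)
        # Hashed or not, a password value never belongs in the audit log (MFT-10704).
        line = PASSWORD_FIELDS.sub(lambda m: f'{m.group(1)}="****"', line)
        return line

    def sanitize_all(self, lines):
        return [self.sanitize(line) for line in lines]
```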
SSP-3834 (Engine,CM) - Support for ICAP Anti-Virus Scanning in SFTP Enhancement to support in-flight anti-virus scanning of small to medium size files being uploaded through the SFTP adapter. See online documentation for SSP6010 for more details. Requires McAfee Web Gateway ICAP server. Other internal stories SSP-3912, SSP-3913, SSP-4018, SSP-4061 SSP-3854 (Engine,CM) - New disableBootstrap command-line utility Follow on to SSP-3803, which only applied to new installs. Created a disableBootstrap utility, which in conjunction with the existing enableBootstrap utility will change the system generated hex key used in bootstrap support. SSP-4120 (CM) - Update Apache Commons BeanUtils to 1.9.4 Internal BlackDuck scan recommended upgrade of Apache Commons BeanUtils. Resolution: Upgraded Apache Commons BeanUtils jars from 1.9.3 to 1.9.4 MFT-10779 (CM) - RESTAPI import errors with backupDir and urlMapEntry Using the RESTAPI to import a configuration from a late SSP3432 or SSP6001 instance. Getting errors on the following in the cms.log and the import fails: cvc-complex-type.2.4.d: Invalid content was found starting with element 'urlMapEntry'. No child element is expected at this point. line # 3671 column # 14 Also getting the same error for the element "backupDir" Resolution: Added the recent keywords urlMapEntry and backupDir to the valid list in the xsd so that the RESTAPI will recognize them. SSP-4186 (Engine,CM) - System passphrase not getting validated during upgrade when bootstrap is disabled When bootstrapping is disabled, the upgrade must request the passphrase during the install in order to decrypt the configuration files. The passphrase was not getting validated when entered. Resolution: Now validate the system passphrase requested during an upgrade when bootstrapping is disabled. 
SSP-4200 (Engine,CM) - Installer needs to confirm key passwords During a new SSP install of the CM or Engine, when generating a self-signed keycert, we prompt for a password for the private key, and also for encrypting the key when exporting it to the other component. However, we do not confirm the password, so if a Customer mis-types it and it's not what they think it is, it's lost. Resolution: Now prompt and confirm the password for the private key generated during a new install and also the password for the exported copy of the key. SSP-4208 (Engine) - HSM command line clients cannot connect to engine After the upgrade to SSP6010, the HSM command line utilities manageKeyCerts and manageCsrs no longer connected to the SSP Engine/HSM because of changes made to support xml-based keystores. These clients were not updated with the correct logic for establishing a secure connection between CM and the Engine. Resolution: Updated the underlying logic to load configured xml-based keystores and truststores and dynamically convert them to java-based JKS keystores for the duration of the utility. SSP-4220 (Engine,CM) - Installation issues with Docker containers Resolved several issues found during beta testing of Docker containers - Removed root user password changing logic from Docker file - Added sudo package to allowing sudo command to non-root user - Added logic for passing user, pwd, uid and gid into ENV variables, to be the owner of host mounted path for host configuration data. Defaults: APP_USER=appuser, APP_USER_PWD=appuser, APP_USER_UID=3000, APP_USER_GID=3000 Note: Do NOT use User names root, spuser, cmuser, psuser or, seas or UID/GID: 0 and 1000 because these are already used inside the container. 
- Combined the PROD and NON_PROD license variables into a single LICENSE_TYPE variable.
- Mapped the silent installation log file to a host volume path, so the log can be checked without logging in to the container.
- Please refer to the deployment YAML files bundled with the Fix Central tar file for the latest parameters rather than the samples in the online doc.
- The following are the parameters needed to start the various containers using Docker. The values test, password, 172.20.185.196 and the /home/durgesh/... host paths are sample values to be replaced. Be aware that everything passed with -e, including PASSPHRASE, USER_PASSWORD, APP_USER_PWD and the KEY_CERT_*_PASSPHRASE values, is stored in the container configuration and can be read back with "docker inspect" by anyone with access to the Docker daemon, and will also sit in the shell history of the host; protect both accordingly.

********** Deploying the new SSPCM Container: *********************
docker run -it -d \
  -v /SPcm:/spinstall/IBM/SPcm \
  -e APP_USER=test \
  -e APP_USER_PWD=test \
  -e APP_USER_UID=1004 \
  -e APP_USER_GID=1005 \
  -e LICENSE_ACCEPTED=true \
  -e PORT=62366 \
  -e JETTY_PORT=8443 \
  -e PASSPHRASE=password \
  -e USER_PASSWORD=password \
  -e KEY_CERT_EXPORT=true \
  -e KEY_CERT_FILE_NAME=defkeyCert.txt \
  -e KEY_CERT_ALIAS=keycert \
  -e KEY_CERT_STORE_PASSPHRASE=password \
  -e KEY_CERT_ENCRYPT_PASSPHRASE=password \
  -p 8443:8443 \
  --name SPcm \
  sp-cm-docker-image:V6.0.1.0.iFix01 /bin/bash

************ Upgrade the SSPCM deployment *****************
docker run -it -d \
  -v /SPcm:/spinstall/IBM/SPcm \
  -e APP_USER=test \
  -e APP_USER_PWD=test \
  -e APP_USER_UID=1004 \
  -e APP_USER_GID=1005 \
  -e LICENSE_ACCEPTED=true \
  -p 8443:8443 \
  --name SPcm \
  sp-cm-docker-image:V6.0.1.0.iFix01 /bin/bash

************* Deploying the new SSP Engine Container ***************
docker run -it -d \
  -v /SP:/spinstall/IBM/SP \
  -v /defkeyCert.txt:/spinstall/defkeyCert.txt \
  -e APP_USER=test \
  -e APP_USER_PWD=test \
  -e APP_USER_UID=1001 \
  -e APP_USER_GID=1002 \
  -e LICENSE_ACCEPTED=true \
  -e LICENSE_TYPE=1 \
  -e PORT=63366 \
  -e PASSPHRASE=password \
  -e KEY_CERT_EXPORT=false \
  -e KEY_CERT_ALIAS=keycert \
  -e KEY_CERT_FILE_NAME=defkeyCert.txt \
  -e KEY_CERT_ENCRYPT_PASSPHRASE=password \
  -p 63366:63366 \
  -p 30820:30820 \
  --name SPEngine \
  sp-engine-docker-image:V6.0.1.0.iFix01 /bin/bash

************** Upgrade the SSP Engine deployment ****************
docker run -it -d \
  -v /SP:/spinstall/IBM/SP \
  -e APP_USER=test \
  -e APP_USER_PWD=test \
  -e APP_USER_UID=1001 \
  -e APP_USER_GID=1002 \
  -e LICENSE_ACCEPTED=true \
  -e LICENSE_TYPE=1 \
  -p 63366:63366 \
  -p 30820:30820 \
  --name SPEngine \
  sp-engine-docker-image:V6.0.1.0.iFix01 /bin/bash

************ Deploying the new Less Secure PS Container **************
(The interface values are quoted so the shell does not try to expand the "*".)
docker run -it -d \
  -v /PSLessSecure:/spinstall/IBM/PServer \
  -e APP_USER=test \
  -e APP_USER_PWD=test \
  -e APP_USER_UID=1004 \
  -e APP_USER_GID=1005 \
  -e NETWORK_ZONE_SECURE=false \
  -e PS_PORT=30810 \
  -e 'PS_SECURE_IF=*' \
  -e 'PS_EXTERNAL_IF=*' \
  -p 30810:30810 \
  -p 20010-20020:20010-20020 \
  --name PSLessSecure \
  sp-ps-docker-image:V6.0.1.0.iFix01 /bin/bash

************* Upgrade the Less Secure PS deployment *****************
docker run -it -d \
  -v /home/durgesh/base/PSLessSecure:/spinstall/IBM/PServer \
  -e APP_USER=test \
  -e APP_USER_PWD=test \
  -e APP_USER_UID=1004 \
  -e APP_USER_GID=1005 \
  -e NETWORK_ZONE_SECURE=false \
  -p 30810:30810 \
  -p 20010-20020:20010-20020 \
  --name PSLessSecure \
  sp-ps-docker-image:V6.0.1.0.iFix01 /bin/bash

************ Deploying the new More Secure PS Container **************
docker run -it -d \
  -v /home/durgesh/base/PSMoreSecure:/spinstall/IBM/PServer \
  -e APP_USER=test \
  -e APP_USER_PWD=test \
  -e APP_USER_UID=1004 \
  -e APP_USER_GID=1005 \
  -e NETWORK_ZONE_SECURE=true \
  -e PS_PORT=0 \
  -e 'PS_SECURE_IF=*' \
  -e 'PS_EXTERNAL_IF=*' \
  -e REMOTE_PORT=30820 \
  -e REMOTE_ADDRESS=172.20.185.196 \
  --name PSMoreSecure \
  sp-ps-docker-image:V6.0.1.0.iFix01 /bin/bash

************* Upgrade the More Secure PS deployment *****************
docker run -it -d \
  -v /home/durgesh/base/PSMoreSecure:/spinstall/IBM/PServer \
  -e APP_USER=test \
  -e APP_USER_PWD=test \
  -e APP_USER_UID=1004 \
  -e APP_USER_GID=1005 \
  -e NETWORK_ZONE_SECURE=true \
  --name PSMoreSecure \
  sp-ps-docker-image:V6.0.1.0.iFix01 /bin/bash

MFT-10765/IT31672 (CM) - 6.0.0.1F1 with Client Auth not working with SAN certs, getting ERR_BAD_SSL_CLIENT_AUTH_CERT
The Customer has client authentication turned on for browser connectivity to
the SSPCM dashboard, as well as client certificates configured with a Subject Alternative Name. SSL handshakes from browsers were failing with "No subject alternative names matching IP address xx.xx.xx.xx found" in the CM log.
Resolution: Allow the Customer to override the new JRE behavior by uncommenting -DsspcmDisableClientEndpointIdentification=true in the startCM.sh script. This tells the CM to ignore the hostname discrepancy in the SAN cert. Because it relaxes the JRE's endpoint identification check for client certificates, leave it commented out unless the SAN mismatch is confirmed to be the cause.

MFT-10853/IT31763 (CM) - (GUI) SSPcm user binds to LDAP twice with SEAS for single login
When SSPCM users are configured to authenticate through SEAS, they were authenticating twice to LDAP: once for the dashboard, and again under the covers for the configuration manager.
Resolution: When authenticating CM users through SEAS, request an SSO token on the first authentication from the dashboard, and then pass the token to SEAS on the authentication from the configuration manager, avoiding the second call to LDAP.

MFT-10887/ (CM,Engine,PS,SEAS) - GPF in SSP engine
The SSP Engine terminated with a General Protection Fault (GPF) when the JVM tried to get an internal structure from a terminated thread.
Resolution: Installed the IBM JRE 8.0.6.5 to resolve the GPF.
MFT-10889/IT32078 (CM) - (GUI) CM session timeout still allows partial access of the GUI function
Often, when a CM GUI session timed out (i.e. after 30 minutes of inactivity), the user was still allowed to complete a save operation, although they got a message that they must log in again.
Resolution: Now implement an HttpSessionListener for the SSPDashboard and Content web apps, which ensures that the GUI timeout is enforced before a save operation is allowed.

MFT-10898/ (CM,Engine,PS) - (Container) Can not create APP_USER in the yaml file with GID of 1001
When trying to use a group ID (GID) of '1001' in the yaml file, the messages "groupmod: GID '1001' already exists" and "ERROR: Cannot set GID for" appear in the APPStartup.log in the backup directory on the VM.
Resolution: Now allow 1001 to be used as a group ID in a container.

MFT-10903/IT32096 (CM,Engine) - configureCmSsl and configureEngineSsl not adding certificate chain to cmtrustore or truststore
When adding a keycert to the keystore using the configureCmSsl or configureEngineSsl utilities, they were not adding the certificate chain to the cmtrustore or truststore.
Resolution: Now add or update the certificate chain from the keycert into the appropriate truststore.

MFT-10904/ (CM,Engine,PS,SEAS) - GPF in SSP engine
The SSP Engine terminated with a General Protection Fault (GPF) in the IBMPKCS11 area.
Resolution: Installed the IBM JRE 8.0.6.5 to resolve the GPF.

SSP-3771/ (CM) - Updates to make CM logging more readable
Resolution: Shortened some thread names within the CM to make the log lines narrower. Also merged some redundant lines in the debug log to reduce the output.

SSP-3793/ (CM) - Missing secure attribute in encrypted session (SSL) cookie
SSP CM did not set the "HttpOnly" and "Secure" attributes on cookies sent back to the browser client, so the session cookie could be sent over a cleartext connection and read by script in the page.
Resolution: Now add the "HttpOnly" and "Secure" attributes to JSESSIONID cookies. Also known as PSIRT ADV0022033.
See https://www.ibm.com/support/pages/node/6249281 for the Security Bulletin.

SSP-4182/ (CM) - ICAP configuration field validation issues
In the ICAP configuration panel, the Service Name and File Type fields were accepting binary non-printable characters without displaying an error.
Resolution: Now reject the bad field values and prompt the user for good ones.

SSP-4183/ (CM,Engine) - Files with temporary names not getting AV scanned
The ICAP AV Scanning feature for SFTP can scan only files with the extensions specified in the ICAP Configuration. However, some clients (e.g. WinSCP) append "filepart" as a temporary extension for large file uploads, so such uploads never matched the configured extensions.
Workaround: add "filepart" variants to the extensions list in the ICAP configuration. For example, if exe is a chosen extension, add exe.filepart along with exe.
Resolution: Added support for an adapter property "sftp.client.temp.ext.names=ext1,ext2,..,extn" in the ICAP Configuration. SSP appends these client-specific temporary extensions to each extension chosen for scanning when determining the extension match for ICAP AV scanning.

SSP-4195/ (CM) - RESTAPI ICAP field validation errors for empty maxSessions file extensions
RESTAPI import of ICAP configuration data allowed empty file extensions to be added, and an empty maxSessions field produced an error message about numeric conversion rather than about the empty field.
Resolution: Now do proper validation of empty file extensions and maxSessions fields.

SSP-4202/ (CM) - SSPCM was allowing unsupported HTTP methods to be processed
The SSPCM was allowing unsupported HTTP methods, such as PUT or BOGUS, to be processed.
Resolution: Now return a 403 Forbidden when an unsupported HTTP method is encountered.

SSP-4207/ (CM, Engine) - New Engine install fails while importing keycert if engine port is in use
During a new Engine install, the install fails while importing the keycert generated by the CM if the engine port is in use.
The install log shows "FATAL ERROR - class com.sterlingcommerce.csp.install.IA_ImportOrGenerateEngDfltCert FatalInstallException: Import Operation Failure", even though there is nothing wrong with the certificate import.
Resolution: Now check whether a port number selected during an Engine or CM install is already active at the time of selection, and give the user a chance to change it or ignore the alert.

SSP-4223/ (Engine) - Excessive logging on idle SFTP adapter
During internal testing, the SFTP adapter was found to emit the following two messages excessively in DEBUG mode, even when idle:
   SSE2621 sw is before setting interest ops
   SSE2621 sw is after setting interest ops
Resolution: Changed the message number to SSE2998, which is only emitted when the log level is DEBUG and the property log.debug.detail = 2 is set in the adapter properties tab.

SSP-4236/PSIRT21787 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches
Resolution: Updated JRE 1.8 to the Oracle January 2020 level to address the CVEs in PSIRT advisories 20470 and 21787. See https://www.ibm.com/support/pages/node/6116926 and https://www.ibm.com/support/pages/node/6116962 for the Security Bulletins. Also tracked internally as SSP-4235.

SSP-4244/ (Engine,CM,PS) - Cannot start docker container after stopping it
After running "docker stop" on the Engine, CM or PS container, it failed to start again with "docker start". The logs showed the message 'cannot create user "test"'.
Resolution: Corrected the user conflict that prevented the container from starting.

MFT-10874/ (Engine) - Engine listCerts.sh not working in 6010
The Engine listCerts.sh command did not work in 6.0.1.0 GA, giving the message "No certificates match the specified criteria." When SSP was converted to a new format for storing configured key certificates and public keys, this utility was not modified to recognize the current storage format.
Resolution: Modified the ListCerts utility to recognize the current key certificate and public key storage format.

MFT-10959/IT32191 (CM) - (GUI) Unable to update keystore with certain PFX keys. PEM format works
The SSP CM was unable to handle the PFX keycert format when the label for either the private key or the associated public key was missing or unspecified.
Resolution: Corrected SSP CM so that it can import the PFX keycert format even when the label for the keycert or public key is missing or unspecified.

MFT-10995/IT32374 (Engine) - SFTP adapter hung in a stopping state
Two pairs of synchronized methods in the SFTP failover code were causing a deadlock condition. One failover thread was trying to start an outbound route while another was stopping a listener after a failed connection, and a deadlock occurred. The Engine had to be restarted to clear the condition.
Resolution: Replaced the method synchronization on the two pairs of stop/start methods with synchronization on a local object instead.

MFT-11060/IT32769 (Engine) - SFTP Getting SSE2654 Session limit exceeded on wrong adapter(s)
The first SFTP adapter to come up was receiving every "SSE2654 Session limit of xx has been exceeded" message, irrespective of which adapter was the source of the event.
Resolution: Corrected the way the loggers are assigned to adapters at startup.

MFT-11075/IT32687 (CM) - Change to SFTP Policy in 6.0.1.0 greyed out the Pass-Through option for Password and Key
The SFTP Policy screen was changed in 6.0.1.0 to grey out the Pass-Through option when "Password and Key" is specified. While it is not possible to do Pass-Through when specifying "Key" or "Password or Key", with "Password and Key" there is always a password available to pass through to the back end.
Resolution: Allow Pass-Through (again) on the SFTP policy screen when "Password and Key" is specified.
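A practitioner applying the SSP-3793 fix above will usually want to confirm it from the outside rather than trust the fixlist. The following is an added example for this page, not IBM SSP code: it audits a captured set of response headers for the Secure and HttpOnly cookie attributes and for two hardening headers (Cache-Control and X-Content-Type-Options) that a login response is normally expected to carry. The header sets are constructed to resemble a CM login response before and after the fix; the JSESSIONID cookie name is the only SSP-specific assumption, and the expected values no-store and nosniff are this example's choice, not something the fixlist states.

```python
"""Audit HTTP response headers for session-cookie attributes and hardening
headers. Added example, not IBM SSP code; the samples below are constructed."""

REQUIRED_COOKIE_ATTRS = ("secure", "httponly")
# Header -> token that must appear in its comma-separated value (assumption of
# this example: no-store for Cache-Control, nosniff for X-Content-Type-Options).
REQUIRED_HEADERS = {
    "cache-control": "no-store",
    "x-content-type-options": "nosniff",
}


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {attribute: attr_value}).

    Attribute names are lower-cased because they are case-insensitive on the
    wire ("Secure", "secure" and "SECURE" all count)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def audit_headers(headers, session_cookie="JSESSIONID"):
    """Return a list of findings for a response; an empty list means it passes.

    headers is a list of (name, value) pairs, as captured from the response."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name, _, attrs = parse_set_cookie(value)
        if cookie_name != session_cookie:
            continue
        for attr in REQUIRED_COOKIE_ATTRS:
            if attr not in attrs:
                findings.append(f"{cookie_name} cookie missing {attr} attribute")
    present = {name.lower(): value for name, value in headers}
    for hname, expected in REQUIRED_HEADERS.items():
        if hname not in present:
            findings.append(f"missing {hname} header")
        else:
            tokens = [t.strip() for t in present[hname].lower().split(",")]
            if expected not in tokens:
                findings.append(f"{hname} header does not include {expected}")
    return findings


# Constructed samples: a CM login response before and after SSP-3793.
BEFORE_FIX = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=1A2B3C4D5E6F; Path=/SSPDashboard"),
]
AFTER_FIX = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Cache-Control", "no-store, no-cache"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "JSESSIONID=1A2B3C4D5E6F; Path=/SSPDashboard; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit_headers(sample) or "OK")
```

To run it against a live CM, capture the login response headers (for example with curl -k -D -) and feed the (name, value) pairs to audit_headers; a non-empty result after applying the iFix means the fix is not active on that listener.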
MFT-11106/IT32810 (CM) - Unable to delete default self signed certificate from SSPCM
Customers trying to delete a previous keycert using the configureCmSsl tool could get "***Cannot delete certificate with alias "xxxx". The certificate is currently selected for use.", while the configureCmSsl tool with the -s option did not show the certificate in use anywhere.
Resolution: Incorporated the portion of the SSP-4335 fix which ensures that the configureCmSsl.sh update commonCert operation updates all 4 locations for the client and server certificate in the SSLInfo and JettyConfig definitions. Also provide more information about where the certs are in use when trying to delete them.

SSP-4215/ (CM) - RESTAPI import error - Invalid cipher suite specified twofish256-cbc
Some SFTP ciphers have been deprecated, and an import from an older RESTAPI export that still listed them failed in the latest CM with "Invalid cipher suite specified twofish256-cbc".
Resolution: Now allow the import to continue but remove deprecated SFTP ciphers with a warning message. If all ciphers are removed, substitute our default SFTP ciphers instead.

SSP-4323/SEAS-1233 (Engine) - XML External Entity (XXE) vulnerability in SSP
During internal security scanning, SSP was found to be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. It is further described in PSIRT advisory ADV0023731.
Resolution: Configured the XML parser to disallow the external entity processing that made the XXE attack possible. Fixed in code as SEAS-1233. See https://www.ibm.com/support/pages/node/6249331 for the Security Bulletin.

SSP-4346/ (Engine) - SFTP ICAP AntiVirus scanning getting spurious RuntimeException: no messages in ICAP cache
When using SFTP ICAP AntiVirus scanning, as the file is uploaded to the backend server the following spurious error is generated at the end of the transfer; it does not affect the file upload itself.
   java.lang.RuntimeException: System error - no messages in ICAP cache
Resolution: Removed an extra call to SSH_FXP_CLOSE which was causing the nuisance error.

MFT-11151/IT32957 (Engine) - SSP6010 upgrade fails on Windows
When upgrading to SSP6010 on Windows, the install was failing with "IBM Sterling Secure Proxy Engine services running. The installation cannot proceed while the services are running." This happened on the Engine or CM even though all SSP services were stopped.
Resolution: Corrected a test in the install process which was erroneously detecting that the SP-V6.0.1.0-engine or SP-V6.0.1.0-cm services were running.

MFT-11200/IT33098 (Engine) - NPE in Maverick logs
SFTP connections were failing intermittently, and the maverick.log contained many instances of:
   com.maverick.ssh.ExecutorOperationSupport - Caught exception in operation remainingTasks=1 java.lang.NullPointerException: null
Resolution: Corrected the NullPointerException in the SftpSubSys local_init method that occurred when a connection came in.

MFT-11042/ (Engine,PS) - Getting IOException: Too many open files
SSP adapters were reporting "Too many open files" errors, which used up all resources and blocked other partners from connecting to the Customer. The Customer increased their kernel nofiles setting from 4096 to 8192, which only delayed the outages. The local SSP Perimeter Server code was intermittently not cleaning up sockets at session end, which allowed file descriptors to accumulate.
Resolution: Updated the old PS4060602 Perimeter Server jar files to the PS6000302 level. See SSP-3966 for the description and an important ACTION.

SSP-3582/ (Engine) - Blacklisted events are logged as ERROR messages
When sessions from blacklisted IPs or using blacklisted userids were rejected, the messages were written to the logs as ERROR, which made it difficult to separate out other ERROR messages in the logs.
Resolution: Now log the blacklisted messages as WARN instead of ERROR.

SSP-3701/ (Engine,CM) - Apply password policy for system passphrase and admin password for new installs
Resolution: New installs of SSP now impose a password policy during the install process, requiring the system passphrase and admin password to be 6 to 28 characters in length with at least one upper case letter, one lower case letter, one digit, and one special character (from "!@#$%^&"), with no character repeated more than 2 times consecutively.

SSP-3966/ (Engine,PS) - Upgrade Perimeter Server code to same as B2Bi 6.0.3.2
The SSP Perimeter Server code is obtained from the B2Bi team at Precisely/Syncsort. It had not been refreshed in several releases, causing issues such as MFT-11042 above.
Resolution: Updated the SSP local and remote Perimeter Server code to the PS6000302 code level, as shipped with B2Bi 6.0.3.2. This is an upgrade from the PS4060602 code previously shipped. This defect is also tracked internally as SSP-4233.
ACTION: An Engine and any remote Perimeter Servers associated with its
ACTION: adapters must be upgraded to the 6011 level at the same time to
ACTION: keep their PS code in sync. Otherwise the adapters will fail to
ACTION: start with "Unable to connect to remote perimeter server..."

SSP-4016/ (CM) - RESTAPI import does not update Jetty Server alias
A full RESTAPI CM export did not include the Jetty SSL configuration definition, so a subsequent RESTAPI import was not updating the Jetty SSL configuration for the WebStart GUI.
Resolution: Now export the Jetty config definition during a full RESTAPI CM export, so that it can be used during a subsequent import.

SSP-4190/ (Engine) - Getting IllegalBlockSizeException after upgrade
After replacing the common CM and Engine certificate and upgrading to SSP6010, the Engine would not start, with "Startup did not succeed.
Terminating: java.io.IOException: javax.crypto.IllegalBlockSizeException: Input length (with padding) not multiple of 16 bytes".
Resolution: Added a flag in the internal Engine configuration file to indicate whether the keystore and truststore xml files are encrypted.

SSP-4198/ (CM) - configureCmSsl -s utility not showing all certs
With SSP6010, the configureCmSsl -s utility did not show all the keycerts and certs in the keystore and truststore in the defSslInfo.xml file. When the keystore type was switched from a java keystore (jks) to an xml-based keystore, the display/show functionality stopped working.
Resolution: Added logic to restore the display/show functionality in the configureCmSsl script.

SSP-4308/ (Engine,CM) - Add password policy for command line changePassphrase utility
Resolution: Now apply the same password policy that was added in SSP-3701 to the changePassphrase utility in the Engine and CM. New passwords must be 6 to 28 characters in length with at least one upper case letter, one lower case letter, one digit, and one special character (from "!@#$%^&"), with no character repeated more than 2 times consecutively.

SSP-4309/SSP-4322 (Engine,CM) - Support for ICAP Anti-Virus Scanning in C:D
Enhancement to support in-flight anti-virus scanning of small to medium size files being uploaded through the C:D adapter. Since C:D is a forward or reverse proxy, it can also be used for pulling files into the secure zone. See the online documentation for SSP6011 for more details. Similar to SSP-3834 for SFTP, it requires the McAfee Web Gateway ICAP server. Other internal stories: SSP-4358, SSP-4374, SSP-4485.

SSP-4310/SSP-4445 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches
Resolution: Updated JRE 1.8 to the Oracle April 2020 level to address the CVEs in PSIRT advisories ADV0021791 and ADV0023736. See https://www.ibm.com/support/pages/node/6249355 and https://www.ibm.com/support/pages/node/6249371 for the Security Bulletins.
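The SSP-4323 entry above only says that the parser was configured to disallow the constructs behind the XXE attack. To make that concrete, here is an added example, not IBM SSP code (SSP is a Java product; this shows the same class of fix with Python's xml.sax): the same classic file-disclosure payload is parsed once with external entity resolution enabled and once with it disabled, and a hardened wrapper additionally refuses any document that declares a DOCTYPE, which is the equivalent of the disallow-doctype-decl feature used with Java parsers. The payload, the secret file and the element names are constructed for the demonstration.

```python
"""XXE: a vulnerable xml.sax configuration beside a hardened one.
Added example, not IBM SSP code; payload and secret file are constructed."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see whether the entity was expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def build_payload(secret_path):
    """Classic XXE payload: an external general entity pointing at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE request [\n"
        f'  <!ENTITY leak SYSTEM "{secret_path}">\n'
        "]>\n"
        "<request><user>&leak;</user></request>\n"
    ).encode()


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax; the flag is the whole difference between the
    vulnerable and the fixed configuration."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls fetching of external general entities.
    # True reproduces the vulnerable configuration; False (Python's default
    # since 3.7.1) leaves &leak; unexpanded, so the file content never
    # reaches the application.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes):
    """Defence in depth: refuse any document that declares a DOCTYPE at all
    (no DOCTYPE means no entity declarations), and keep external entity
    resolution off for everything else."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE declarations are not accepted")
    return parse_text(xml_bytes, resolve_external_entities=False)


def demo():
    """Run the payload through both configurations and return what each saw."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as fh:
        fh.write("SECRET-FROM-DISK")  # stands in for /etc/passwd or a config file
        secret_path = fh.name
    try:
        payload = build_payload(secret_path)
        vulnerable = parse_text(payload, resolve_external_entities=True)
        safe = parse_text(payload, resolve_external_entities=False)
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(secret_path)
    return {"vulnerable": vulnerable, "safe": safe, "doctype_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The vulnerable run returns the file's contents inside the user element; the safe run returns an empty string because the entity reference is simply not resolved; the hardened wrapper never parses the document at all. Turning off external entity resolution is the minimum; rejecting DOCTYPE outright also closes off entity-expansion denial of service ("billion laughs") in the same step.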
SSP-4510/ (Engine,CM) - (SFTP) Allow reject option when ICAP session limit is exceeded
Resolution: Added a second option on the ICAP GUI Advanced tab to either reject a file upload or pass the file through as "unscanned" in the following situations:
- IO error or connection error with the ICAP server (already done)
- ICAP server max session limit exceeded (new)

SSP-4590/ (Engine) - Missing HTTP headers in response from MFG
Internal OWASP testing showed that when logging in to MFG, the HTTP headers Cache-Control and X-Content-Type-Options were not being returned.
Resolution: Now supply the missing headers when front-ending the MFG application.

MFT-11269/IT33625 (PS) - PS silent install giving bad port error
During a silent install, if the port value was incorrect, the install got into an infinite loop resulting in a StackOverflow error.
Resolution: Added custom Java code to handle the error condition and exit the install with a message in the install log.

SSP-3804/ (Engine, CM) - Passphrase validation in silent install
During a silent install, there were no rules for validating and confirming the passphrases and passwords supplied.
Resolution: On a new install in silent install mode, verify the length of the passphrase/password (6 to 28) and ensure it contains an upper case letter, a lower case letter, a digit, and a special character (from "!@#$%^&").

SSP-4450/ (CM) - Add checkboxes to Password Policy in SSP CM
Resolution: Added checkboxes in SSPcm -> Advanced -> Password Policy to allow the administrator to turn off the requirement for capital letters, small letters and/or digits.

SSP-4480/ (CM) - RESTAPI add missing validations
As changes were made to the SSPCM GUI, some validations were not carried over to the RESTAPI.
Resolution: Updated the RESTAPI policy validators for SFTP, FTP, CD, and HTTP.

SSP-4529/ (CM) - Allow CM login page from root (/)
Resolution: Now allow the CM login page to be accessed from the root "/" as well as from the "/SSPDashboard" context path.
SSP-4597/ (Engine,CM) - Install rejects password with $$
A new install of SSP would not accept passwords containing multiple dollar ($) symbols, such as Pa$$w0rd or Pa$wor$d123.
Resolution: Now correctly handle passwords with multiple dollar ($) symbols.

SSP-4620/ (Engine,CM) - Set TLSv1.2 protocol for CM, Engine and Web Server (Jetty)
On a new install, the default protocol for communication between the CM and Engine and for the Web GUI was IBM's SSL_TLSv2, which allows SSLv3 (disallowed), TLS (i.e. TLSv1.0), TLSv1.1 or TLSv1.2 to be negotiated.
Resolution: To improve security, brand new installs now set the secure protocol to TLSv1.2 across the board. This applies to new installs only; an upgraded install keeps the protocol it was configured with, which should be reviewed.

MFT-11287/IT33627 (CM) - Allow comma and apostrophe in CM key passwords
SSP CM did not support the comma and apostrophe characters in key certificate passwords.
Resolution: Now allow commas and apostrophes as valid characters for key certificate passwords.

MFT-11293/IT33828 (Engine) - 229 response for FTP EPSV causes problems with some partners
Fix RTC556199 in SSP3430 enabled IPv6 in SSP, but the responses to the FTP Extended PASV (EPSV) and Extended PORT (EPRT) commands were wrongly tied to whether the machine SSP was running on was IPv6 enabled. If it was not, SSP returned a 227 response to EPSV instead of the correct 229 response. This behavior was corrected in the fix for MFT-10692. However, some partners had come to depend on the wrong behavior and expected a 227 PASV response to an EPSV command, so when the Customer upgraded to an iFix containing MFT-10692 those partner scripts stopped working.
Resolution: Added support for a new FTP adapter property, "ftp.return.pasv.response.for.epsv", which when set to "true" causes that adapter to return the 227 PASV response to an EPSV command. Also fixed a problem where the 227 response on an IPv6-enabled machine displayed the IP address in IPv6 format "0:0:0:0:0:0:0:1" instead of the comma-separated IPv4 format "127,0,0,1" that the RFC requires.
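The MFT-11293 entry above turns on two details of the FTP passive-mode replies: a 227 reply can only carry four comma-separated IPv4 octets plus a port split into two bytes, whereas a 229 reply carries only a port and the client reuses the control connection's address. The following is an added example for this page, not IBM SSP code. It shows a client-side parser that accepts either form and rejects the malformed 227 reply described in the entry rather than guessing at it, and a server-side reply builder whose return_pasv_for_epsv switch is modelled on the ftp.return.pasv.response.for.epsv adapter property; the builder refuses to put an IPv6 address into a 227 reply, which is the server-side bug the entry fixed. Addresses and ports are constructed sample values.

```python
"""FTP passive-mode replies: 227 (PASV, RFC 959) versus 229 (EPSV, RFC 2428).
Added example, not IBM SSP code; addresses and ports are constructed."""
import ipaddress
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"
_EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply, control_host=None):
    """Return (host, port) for the data connection from a 227 or 229 reply.

    A 229 reply carries no address: RFC 2428 requires the client to reuse the
    control connection's host, so control_host must be supplied for it."""
    m = _PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError(f"227 reply has an out-of-range octet: {reply!r}")
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = _EPSV_RE.match(reply)
    if m:
        if control_host is None:
            raise ValueError("229 reply carries no host; control_host is required")
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"229 reply has an out-of-range port: {reply!r}")
        return control_host, port
    # Anything else, including a 227 that prints an IPv6 literal such as
    # 0:0:0:0:0:0:0:1 instead of IPv4 octets, is rejected rather than guessed at.
    raise ValueError(f"unrecognised passive-mode reply: {reply!r}")


def build_passive_reply(command, data_host, data_port, return_pasv_for_epsv=False):
    """Build the server's reply to a PASV or EPSV command.

    return_pasv_for_epsv mirrors the adapter property from MFT-11293: when
    True, an EPSV command is answered with the legacy 227 form that some
    partner scripts expect. Because a 227 reply can only describe an IPv4
    endpoint, an IPv6 data address is an error, not a garbled reply."""
    command = command.upper()
    if command not in ("PASV", "EPSV"):
        raise ValueError(f"not a passive-mode command: {command}")
    if not 1 <= data_port <= 65535:
        raise ValueError(f"port out of range: {data_port}")
    addr = ipaddress.ip_address(data_host)
    if command == "EPSV" and not return_pasv_for_epsv:
        return f"229 Entering Extended Passive Mode (|||{data_port}|)"
    if addr.version != 4:
        raise ValueError("a 227 reply cannot carry an IPv6 address; answer with 229")
    octets = str(addr).replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{data_port // 256},{data_port % 256})"


if __name__ == "__main__":
    print(build_passive_reply("EPSV", "127.0.0.1", 1234))
    print(build_passive_reply("EPSV", "127.0.0.1", 1234, return_pasv_for_epsv=True))
    print(parse_passive_reply("227 Entering Passive Mode (127,0,0,1,4,210)."))
```

The parser is also a handy check when a partner reports that "EPSV stopped working": feed it the reply captured from the adapter log and it will tell you whether the adapter answered in the 227 or the 229 form, and whether the 227 form was well formed.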
MFT-11130/IT33879 (Engine) - Intermittent requests to SEAS timing out
Occasionally, when several requests came in on the CD adapter at the same time requesting SEAS certificate validation, the last request sent timed out 3 minutes later when the socket was closed. The low level write of the bytes to the SEAS socket was not flushing the data to make sure that it was properly presented to SEAS.
Resolution: Now ensure that each SEAS request written on the socket is properly terminated and flushed so that it is immediately recognized by SEAS.

MFT-11139/IT33786 (Engine) - During load testing, SEAS shows ERROR "AUTH037E Authentication request missing password."
When the SFTP adapter session count exceeded the configured maximum during a load test, the adapter was still trying to connect to SEAS, resulting in the missing password error in the Customer's load test environment.
Resolution: Moved the session limit check earlier in the SFTP adapter so that it does not make an unnecessary connection to SEAS.

SSP-4675/ (CM) - NullPointerException adding trustedCert
A NullPointerException occurred while adding a trusted certificate for the Jetty web server using the cmConfigureSsl utility.
Resolution: Now use the proper method for adding trusted certificates to XML-based keystores.

MFT-11238/ (Engine) - Windowing issues in Maverick code
The Maverick toolkit which supplies our SFTP support had some issues with TCP windowing.
Resolution: Upgraded the Maverick toolkits to the 1.7.32 level.

MFT-11273/IT33922 (Engine) - JVM thread deadlock in Maverick code
The Customer's monitoring software noticed that there were several pairs of SFTP threads deadlocked on each other. This deadlock was fixed in the Maverick 1.7.22 release, while SSP was running 1.7.20.
Resolution: Upgraded the Maverick toolkits to the 1.7.32 level.

SSP-3583/ (CM) - unauthorized.jsp does not display IBM in header title
When the unauthorized.jsp page was displayed, it said "Secure Proxy" rather than "IBM Secure Proxy" as it should.
Resolution: Updated the unauthorized.jsp page to display "IBM Secure Proxy".

SSP-4670/ (CM) - RESTAPI services do not report exception stacktrace in CM log file
The SSP CM REST API services were not logging exception stack traces, making problem resolution more time consuming.
Resolution: Added logic to extract the full exception stack trace when an error occurs and write it to the SSP CM log files.

SSP-4138/ (CM) - manageKeyCerts cannot copy non-HSM keycert
The manageKeyCerts utility got a NullPointerException when trying to copy a non-HSM certificate.
Resolution: Now correctly copy all types of keycerts.

SSP-4662/ (CM) - RESTAPI missing validations of Password Policy
The RESTAPI was not properly validating the new tags in the password policy definition.
Resolution: Now correctly validate the following tags during RESTAPI import when they are present, but do not require them from older exports: , , , , and .

SSP-4668/ (CM) - RESTAPI allows empty eaAuthProfile and eaCertProfile tags to be imported
During a RESTAPI import, the CM did not throw any exception if eaAuthProfile or eaCertProfile was present with an empty value.
Resolution: Now fail the import if eaAuthProfile or eaCertProfile is present but contains an empty value.

SSP-4702/ (Engine) - REST API Authentication on B2Bi fails when it goes through SSP
MFG 2.0 uses the HTTP Authorization header with the "Bearer" scheme, whereas SSP only supported "Basic". SSP rejected the header and did not pass it to the back end MFG 2.0, which caused the authentication to fail.
Resolution: Now support the "Bearer" HTTP Authorization scheme and pass the header through to the back end server.

SSP-4640/ (CM,Engine) - Vulnerability in Apache Commons Codec
HIPER: Updated the Apache Commons Codec toolkit to v1.15 to address PSIRT advisory ADV0025470, X-Force ID 177835 (CVSS 7.5). See https://exchange.xforce.ibmcloud.com/vulnerabilities/177835 for more information.