===============================================================================
Maintenance for Sterling External Authentication Server
SEAS2430 Fixpack 2 (SEAS2432) iFix 11 - June 2021
===============================================================================

This cumulative maintenance archive includes fixes for the issues listed below.

Contents:
  I.   HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
  II.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
  III. Detailed Description of Fixes

===============================================================================
I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action
===============================================================================

ACTION/HIPER - All Customers are encouraged to move to the TLSv1.2 security
    protocol, and eliminate TLSv1 and TLSv1.1 connections. Future releases of
    the IBM JRE 8 will disable TLSv1 and TLSv1.1 by default.

ACTION - iFix images for HP, Solaris, and zLinux(s390) will no longer be placed
    on Fix Central. Contact Support if you need an iFix loaded to EcuRep.

ACTION - It is a good practice to take a full backup of the install directory
    before putting on a new build.

In SEAS 3.4.3.2 (SEAS3432) iFix 11 Build 262 (June 2021):
  HIPER - Addressed various security advisories (security bulletins
      forthcoming):
        ADV0027664 - Upgrade httpcomponents-client toolkit
        ADV0031827 - Upgrade Eclipse Jetty toolkit
        ADV0031888 - Resource leakage vulnerability

In SEAS2430 Fixpack 2 (SEAS2432) iFix 10 Plus Build 250 (January 2021):
  HIPER - Updated code signing certificate for signing jarfiles. See SSP-4965.

In SEAS2430 Fixpack 2 (SEAS2432) iFix 10 Plus Build 250 (January 2021):
  HIPER - New Jetty keeps SEAS from coming up if multiple keycerts are
      detected - See MFT-11742

In SEAS2430 Fixpack 2 (SEAS2432) iFix 10 Build 249 (January 2021):
  HIPER - Update JRE 1.8 to SR6 FP15 (8.0.6.15) for security patches - See
      PSIRT ADV0026225 for more details.
  HIPER - Address vulnerability in Eclipse Jetty toolkit. See ADV0028030.

In SEAS2430 Fixpack 2 (SEAS2432) iFix 09 Build 235 (September 2020):
  HIPER - Address vulnerability in Apache Commons Codec toolkit. See ADV0025470

In SEAS2430 Fixpack 2 (SEAS2432) iFix 08 Build 233 (July 2020):
  HIPER - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches - See
      ADV0021791 and ADV0023736 for more details.
  HIPER - XML External Entity (XXE) vulnerability in SEAS - See SEAS-1233
      (PSIRT ADV0023731) for more details.
  HIPER - Incomplete Content-Security-Policy Header - See SEAS-1148
      (PSIRT ADV0022035) for more details.

In SEAS2430 Fixpack 2 (SEAS2432) iFix 07 Build 224 (March 2020):
  HIPER - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches - See
      PSIRT21787 for more details.

In SEAS2430 Fixpack 2 (SEAS2432) iFix 06 Build 208 (October 2019):
  HIPER - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches - See
      PSIRT17288 for more details.
  HIPER - Possible vulnerability in Jetty server. See PSIRT16274, PSIRT16318

In SEAS2430 Fixpack 2 (SEAS2432) iFix 5 Plus Build 204 (July 2019):
  ACTION - SEAS Sample exit changes provided for moving global variables to
      local - See SEAS-665 for details.

In SEAS2430 Fixpack 2 (SEAS2432) iFix 5 (June 2019):
  ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) disables anon and null cipher suites
      and includes a new parm for distrusting CAs. For more information, see
      the writeup below for PSIRT15330.

In SEAS2430 Fixpack 2 (SEAS2432) iFix 4 (February 2019):
  HIPER - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for security patches - See
      PSIRT12959 and PSIRT13809 for more details.

In SEAS2430 Fixpack 2 (SEAS2432) iFix 3 (December 2018):
  HIPER - Possible vulnerability in Jetty server. See PSIRT12571/SEAS-405

In SEAS2430 Fixpack 2 (SEAS2432) iFix 2 (August 2018):
  HIPER - Update JRE 1.8 to SR5 FP17 (8.0.5.17) for security patches - See
      PSIRT11819 for more details.

In SEAS2430 Fixpack 2 (SEAS2432) iFix 1 (May 2018):
  HIPER - Update JRE 1.8 to SR5 FP10 (8.0.5.10) for security patches - See
      PSIRT10955 for more details.

In SEAS2430 Fixpack 2 (SEAS2432) (March 2018):
  HIPER - SSP/SEAS code signing certificate expires June 21, 2018. Upgrade
      SEAS before that date to keep the SEAS Webstart GUI running.
      See RTC565487.

In SEAS2430 iFix 5 Plus Build 132 (January 2018):
  ACTION - If there are customizations to the log4j property files, the
      Customer must retrofit them after the upgrade. See RTC557073
  ACTION - Add HTTP security headers to webstart sessions - see RTC557573

In SEAS2430 iFix 5 (October 2017):
  HIPER - Upgrade to Java 8.0.4.10 for Java July 2017 security fixes.

In SEAS2430 iFix 4 (April 2017):
  HIPER - Upgrade to Java 1.8 for Java January 2017 security fixes.
  ACTION - Java 1.8 will not install on Redhat 5. See RTC533801 for details
  ACTION - Disables Triple-DES (3DES-CBC) and DES ciphers. See RTC533801 for
      details

===============================================================================
II. Summary of Fixes by iFix / FixPack /APAR (Latest iFix / FixPack first)
===============================================================================

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 11 Build 262 (Jun 2021)
===============================================================================
o New in SEAS 2.4.3.2 iFix 11:
  - Addressed various security advisories (see defects with ADV00* below)

MFT-12001/IT37433 - Lost connection to EA server error during high load
SEAS-1547/ADV0027664 - Upgrade httpcomponents-client to 4.5.13
SEAS-1549/ADV0031888 - Resource leakage vulnerability found in scan
SEAS-1589/ADV0031827 - Upgrade Eclipse Jetty to 9.4.41
SEAS-1604/ - startSeas.bat in SEAS2432 has wrong service name
SEAS-1612 - Improperly handled clientConnectionException during SSL Handshake

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 10 Build 253 (Mar 2021)
===============================================================================
SSP-4965/ - Updated code signing certificate for signing jarfiles

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 10 Build 249 (Jan 2021)
===============================================================================
MFT-11742/IT35559 (CM) - Jetty failure at SEAS startup after upgrade to iFix 10
    Customers installing the new SSPCM or SEAS for iFix 10 could not bring up
    the SSPCM or SEAS. The error message was
      KeyStores with multiple certificates are not supported on the base class
      org.eclipse.jetty.util.ssl.SslContextFactory. (Use
      org.eclipse.jetty.util.ssl.SslContextFactory$Server or
      org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
    The new Jetty for PSIRT ADV0028030 introduced a requirement of having only
    one CA-signed keycert in the keystore unless using a server form of the
    SslContextFactory class. The problem could also occur with one Subject
    Alternative Name (SAN) keycert which has multiple hosts.

    Resolution: Updated our Jetty instance to use the SslContextFactory$Server
    class as required when SAN certificates or multiple signed certificates
    are present in the keystore.

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 10 Build 249 (Jan 2021)
===============================================================================
MFT-11359/IT33971 - AUTH061E NullPointerException during AttributeAssertion
    [VerifySSHPublicKey]
MFT-11367/IT34033 - Nullpointer in SingleSignonServiceImpl
MFT-11500/IT34551 - NULL pointer exception during script engine allocation
SEAS-1430/ADV0026225 - Upgrade IBM JRE to 8.0.6.15 level for security patches
SEAS-1478/ADV0028030 - Update Jetty toolkit to v9.4.34 for security patches

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 09 Plus Build 235 (Sep 2020)
===============================================================================
SEAS-1429/ - Vulnerability in Apache Commons Codec

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 08 Plus Build 233 (Jul 2020)
===============================================================================
SEAS-1247/ - Supply IP address of authenticated user in SSO token validation
    response
SEAS-1259/ADV0021791/ADV0023736 - Update IBM JRE 1.8 to SR6 FP10 (8.0.6.10)
    for security patches

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 07 Plus Build 231 (Jun 2020)
===============================================================================
MFT-11043/ - Local bind address misconfiguration hard to diagnose
MFT-11147/IT33020 - CRL checking fails after upgrade to SEAS2432 iFix 7
MFT-11154/ - GUI connection to SEAS secure port fails
MFT-11195/IT33131 - Mapped loginPwd not being processed properly from IBM SDS
SEAS-1148/ - Improvements to Content-Security-Policy Header
SEAS-1233/ - XML External Entity (XXE) vulnerability in SEAS
SEAS-1238/ - CRUD033E Operation: update failed when setting up LDAP Connection
    screen of LDAP authentication profile

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 07 Build 224 (Mar 2020)
===============================================================================
SEAS-1177/ - SEAS GUI tabs go away after changing Token Manager value
SEAS-1200/PSIRT21787 - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security
    patches.
SEAS-1230/ - CERT008E Exception encountered doing cert validation

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 06 Plus Build 221 (Feb 2020)
===============================================================================
MFT-10847/IT31788 - "Invalid Client Alias" connecting to LDAPs
MFT-10887/ (CM,Engine,PS,SEAS) - GPF in SSP engine
MFT-10904/ (CM,Engine,PS,SEAS) - GPF in SSP engine
SEAS-1178 - Custom exit connecting to invalid URL gets nuisance msg

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 06 Plus Build 219 (Dec 2019)
===============================================================================
MFT-10653/IT30757 - SEAS not starting when LDAP principal password contains an
    Ampersand (&)
MFT-10714/IT31373 - SEAS out of memory after 3 months

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 06 Build 208 (Oct 2019)
===============================================================================
MFT-10358/PSIRT16274,16318 - Security upgrade to Jetty 9.4.20
MFT-10579/PSIRT17288 - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security
    patches.

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 05 Plus Build 205 (Sept 2019)
===============================================================================
MFT-10559/IT30200 - Jetty Http server uses the incorrect certificate alias

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 05 Plus Build 204 (July 2019)
===============================================================================
MFT-10352/IT29527 - Exit displays LDAP password in readable format in SEAS log
MFT-10409/IT29481 - Passwords with & ampersands not authenticating through
    XAPI exit
SEAS-665 - SEAS Sample exit changes provided for moving global variables to
    local

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 05 Build 196 (June 2019)
===============================================================================
SEAS-686 - Log authentication failures in the audit log for command line
    utilities
SEAS-452 - InstallAnywhere 2018 upgrade for Windows 2016 support
MFT-10243/PSIRT15330 - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security
    patches

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 04 Plus Build 191 (May 2019)
===============================================================================
MFT-10204/IT28758 - Ldap bind failure after upgrade to 6.0 or 2432 iFix 4
MFT-10269/IT29043 - SEAS Custom Exit alternate URLs not attempted

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 04 Build 189 (Feb 2019)
===============================================================================
PSIRT12959, PSIRT13809 - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for security
    patches.

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 03 Plus Build 187 (Feb 2019)
===============================================================================
MFT-10069/IT27973 - SEAS getting NPE on 2.4.3.2, Fix 3 when Jetty Webstart
    port defined as secure
MFT-10122/IT27880 - SEAS doesn't allow forward slash (/) in username

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 03 Build 182 (Dec 2018)
===============================================================================
MFT-10009/IT27016 - SEAS ldapImportTool.sh does not log exception when wrong
    FQDN/PORT in the properties file.
PSIRT12571 - SEAS upgrade to Jetty 9.4.11 (Also SEAS-405)
SSP-3229/ - Support for OpenDJ LDAP server

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 02 Plus Build 171 (Sep 2018)
===============================================================================
MFT-9831/ - Certificate CRL revocation check fails after upgrade
SEAS-405/ - SEAS upgrade to Jetty 9.4.11

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 02 Build 169 (Aug 2018)
===============================================================================
RTC571266/ - Change password fails when LDAP policy retrieval fails
RTC572431/IT25834 - NullPointerExceptions (NPEs) in log after upgrade
PSIRT11819 - Update JRE 1.8 to SR5 FP17 (8.0.5.17)

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 01 Plus Build 165 (July 2018)
===============================================================================
RTC565836/IT25733 - SEAS authentication timeout in Custom Exit
RTC571139/ - CRL Definition Wizard not working correctly after upgrade

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 01 Build 163 (May 2018)
===============================================================================
RTC555070/IT24422 - Support password change through OpenLDAP server
RTC567335/ - Upgrade Apache Components HttpClient to 4.5.5 level
RTC565836/ - SEAS authentication timeout - clean up stack trace
RTC567354/IT24987 - Getting non-fatal stackOverflowExceptions in log during
    SILENT install
PSIRT10955/10418 - Update JRE 1.8 to SR5 FP10 (8.0.5.10)

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 00 Plus Build 158 (Apr 2018)
===============================================================================
RTC566430/ - Remove Spring Framework libraries

===============================================================================
Fixes for SEAS2432 (SEAS 2.4.3.0 Fixpack 2) iFix 00 Plus Build 157 (Apr 2018)
===============================================================================
RTC564014/IT24444 - Failure authenticating with HttpBasicAuthentication(SEAS)
RTC564476/internal - SEAS web port is not being opened on IPV6
RTC564477/internal - SEAS accepting invalid IPV6 addresses in several fields
RTC565040/IT24732 - Excessive error messages for SSPDummyUser pings

===============================================================================
Fixes for SEAS 2.4.3.0 Fixpack 2 (SEAS2432 GA), Build 152 (March 2018)
===============================================================================
RTC555099/ - Enhancement for HTTP proxy for CRL checking
RTC555100/ - Enhancement to Choose Specific Protocols from Distribution Point
    CRL URL's
RTC555102/ - Enhancement to suppress load balancer messages
RTC560939/ - Redirect console output to a log file
RTC545164/ - Add LDAP User Mapping to the generic authentication configuration
RTC548827/ - IPv6 support for SSP and SEAS
RTC559372/IT24331 - SEAS certificate and public key authentication fails after
    migrating to IBM SDSv64 from Tivoli
RTC560023/IT23857 - SHA2 and SHA3 Cipher Suites not available when selecting
    "SSLv3, TLSv1, TLSv1.1, or TLSv1.2"
RTC565487/ - *HIPER* SSP/SEAS code signing certificate expires June 21, 2018

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 5 Plus, Build 132 (January 2018)
===============================================================================
RTC129184 - Internal tag names used in EA UI interface and log
RTC507936 - Unpredictable install directory when backspace settings not set
    correctly
RTC542362 - Customized EA_GUI.jnlp file overwritten during upgrade
RTC553646 - SEAS scripts failing after SEAS protocol update
RTC555328/IT23537 - Invalid realm failure during SSO token validation
RTC555414 - Passphrase pre-populated on a new install on Windows
RTC555750/IT23303 - Jetty web server version found in server response header
RTC557073/IT23495 - Engine fails to start after upgrading from pre-SSP3420
RTC557573/IT23598 - Add HTTP security headers to webstart sessions
RTC557954/IT23539 - Connections are failing authentication or getting dropped

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 5, Build 117 (October 2017)
===============================================================================
PSIRT9227 - Update JRE 1.8 to SR4 FP10 (8.0.4.10)
RTC553583 - Tivoli LDAP Policy was not being retrieved after upgrade to IBM
    Security Directory Server

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4 Plus, Build 115 (October 2017)
===============================================================================
RTC550367/IT22489 - NPE in custom token manager after upgrade

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4 Plus, Build 112 (September 2017)
===============================================================================
RTC544478/IT22277 - Add support for IBM Security Access Manager (ISAM) v9
RTC548403/IT22242 - Avoid NPE when null ssh public key is returned from LDAP

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4 Plus, Build 108 (June 2017)
===============================================================================
RTC542640/IT21204 - Turn off world-writable files

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4 Plus, Build 107 (June 2017)
===============================================================================
RTC536554/IT20855 - Allow special characters in SEAS password fields
RTC539439/IT20855 - SEAS GUI fails to start with non-IBM JRE

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 4, Build 104 (April 2017)
===============================================================================
RTC533801/ - Upgrade to Java 1.8 for Java January 2017 security fixes
RTC534100/IT20072 - Unable to start SEAS v2.4.3 using startSeas.bat on Windows
RTC535210/ - RAS Enhancement - Add new startSeas.log, switches for heap dumps
    and SSL debugging

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 3 Plus, Build 101 (March 2017)
===============================================================================
RTC533475/IT19864 - Assertion fails "element not found" when using custom
    attribute

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 3 Plus, Build 100 (March 2017)
===============================================================================
RTC531980/IT19604 - Correlator id not returned for SSO token validation
    request from CEUNIX.

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 3, Build 99 (February 2017)
===============================================================================
RTC524012/ - ldapImportTool unable to add sshPublicKey into Oracle LDAP
RTC525080/IT18868 - All SEAS processes queued when 5 active transactions are
    delayed
RTC525605/ - ldapImportTool support to include password policy name during
    upload
RTC527345/IT19159 - Unable to edit existing Authentication Profile
RTC527354/IT19159 - Unable to negotiate TLS1.2 when FIPS mode ON
RTC528040/IT19158 - Unable to set some TLSv1.2 ciphers
RTC528047/IT19156 - Unable to import seas_ad.ldf into Active Directory

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 2, Build 89 (December 2016)
===============================================================================
No Defect/IT17228 - Upgraded SEAS to IBM JRE 1.7 SR9FP50 for latest security
    patches
RTC508170/ - Allow token validation for CEUNIX
RTC510283/RFE468574 - Allow SEAS to verify Hostnames
RTC511666/IT17151 - Unable to invoke iKeyman on Solaris 10.
RTC513984/ - Enhancement to allow silent Installs for SEAS
RTC514318/IT17374 - SSH Public Key authentication through IBM SEAS fails due
    to trailing blank spaces
RTC516324/ - SEAS does not start if passphrase contains “&” character
RTC519864/IT17988 - 2 ciphers missing from SEAS supported ciphersuites list

===============================================================================
Fixes for SEAS 2.4.3.0 iFix 1, Build 74 (July 2016)
===============================================================================
RTC507060/no APAR - NumberFormatException during ip address conversion
RTC498507/no APAR - The '-' character is not allowed in the username for SEAS
    system users
RTC504692/IT15781 - Error after importing CEUNIX user data through
    LdapImportTool

===============================================================================
III. Detailed Description of Fixes (in Defect ascending order)
===============================================================================

RTC129184 - Internal tag names used in EA UI interface and log
    When an invalid value was specified in the SEAS GUI on the Manage / System
    Settings screen, the error message used the internal tag name rather than
    the name on the screen.
    Example: Invalid number specified for 'tagName.acceptTimeout'

    Resolution: Corrected the error messages within the SEAS GUI System
    Settings screens when these fields failed validation: 'Accept Timeout',
    'Read Timeout', 'Connect Timeout', 'Request Thread Pool Size',
    'Service Thread Pool Size', 'Session Idle Timeout',
    'SSL Handshake Timeout', 'Token Expiration Period' and 'Class Name'
    (from SSO Token/Custom screen)

RTC504692/IT15781 - Error after importing CEUNIX user data through
    LdapImportTool
    The Customer was unable to establish SSL connections after the SEAS
    Truststore default password was changed during the execution of the
    LdapImportTool script.

    Resolution: Now ensure that the configured SEAS Truststore Password value
    is not overridden by default values.

RTC507060/ no APAR - NumberFormatException during ip address conversion.
    Resolution: Changed the logic to avoid the NumberFormatException.

RTC507936 - Unpredictable install directory when backspace settings not set
    correctly
    Inputting data to InstallAnywhere during installation and using the
    backspace or cursor arrow keys results in bad data. This comes about when
    the stty terminal settings are not set up correctly. The install directory
    value may display correctly, but end up containing unprintable backspace
    or arrow keys in them.

    Resolution: Added code to inspect for backspace and cursor keystrokes and
    correct the data inputted.

RTC498507/ no APAR - The '-' character is not allowed in the username for SEAS
    system users
    Resolution: The SEAS username validation logic has been modified to allow
    hyphens in system user names.

No Defect/IT17228 - Upgrade SEAS to IBM JRE 1.7 SR9FP50 for latest security
    patches
    This JRE includes the quarterly Java security patches through July 2016.
    See http://www.ibm.com/support/docview.wss?uid=swg21991287 for details.

RTC508170/ - Allow token validation for CEUNIX
    Enhancement to allow CEUNIX to do token validation using the password
    field.

RTC510283/RFE468574 - Allow SEAS to verify Hostnames
    There was no mechanism to perform DNS checks during certificate validation
    through SEAS.

    Resolution: IBM SEAS has been modified to allow for DNS hostname checking
    during certificate validation. When the "Check hostname DNS" field is
    enabled in SEAS, the user IP address will be matched with information in
    the user certificate's SAN or certificate CN.

RTC511666/IT17151 - Unable to invoke iKeyman on Solaris 10.
    The IBM hybrid JRE on Solaris delivers ikeyman as a call to the native
    Java with a class to execute.
    However, if the JAVA_HOME doesn't point to the IBM JRE, it gets
    "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman"

    Resolution: Corrected Solaris installers for SEAS, SSP, SSP_CM and PS to
    modify jre/bin/ikeyman so that it always invokes the installed IBM JRE.

RTC513984/ - Enhancement to allow silent Installs for SEAS
    InstallAnywhere Silent Install is a feature which allows for automated
    installs without questions and answers from the console. It can be used
    for repetitive installs at Customer sites. The administrator first does
    the product install in "record" mode which builds an installation
    properties file for subsequent silent installs in "replay" mode. The SSP
    Engine, CM, PS, and SEAS have all been updated to allow silent installs.

RTC514318/IT17374 - SSH Public Key authentication through IBM SEAS fails due
    to trailing blank spaces
    Resolution: Added logic to trim retrieved SSH PUBLIC key from the LDAP
    before using them in the SSH PUBLIC KEY authentication process.

RTC516324/ - SEAS does not start if passphrase contains “&” character
    If the SEAS passphrase is changed to include an ampersand "&" character,
    the system will not start. Gets
      Startup did not succeed. Terminating:
      com.sterlingcommerce.hadrian.common.xml.XmlParsingException:
      Error on line 4: The entity name must immediately follow the '&' in the
      entity reference.

    Resolution: Escaped the system password field with the CDATA tag so that
    the xml converter will work properly

RTC519864/IT17988 - 2 ciphers missing from SEAS supported ciphersuites list
    The ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 were not included as supported
    cipher suites for TLSv1.2.

    Resolution: Added these ciphers into ssl_tls_ciphers.properties so that
    they show up on a SEASCipherConfigTool.sh -c protocol=TLSV1.2 command.

RTC524012/ - ldapImportTool unable to add sshPublicKey into Oracle ODSEE
    The ldapImportTool, which is used during Connect:Enterprise for UNIX
    migrations to SI/SFG, was not properly loading SSH public keys to a target
    Oracle ODSEE database.

    Resolution: Now properly load an SSH public key to Oracle systems

RTC525080/IT18868 - All SEAS processes queued when 5 active transactions are
    delayed
    Customer was using a SEAS custom exit to process certain types of
    authentication. If the exit processing got hung, five processes would use
    up all the available threads, effectively locking out all work on the
    system, whether the authentication went through the custom exit or not.

    Resolution: Introduced 2 new System Global variables in the GUI to allow a
    configurable number of threads to process authentications.
      Service Thread Pool Size controls the number of threads to process
      authentications, token validations, custom exits, etc.
      Requests Thread Pool Size controls the number of threads to process
      incoming connections to SEAS.
    The default for both variables is 10 threads, with a minimum of 5 and a
    maximum of 500.

RTC525605/ - ldapImportTool support to include password policy name during
    upload
    Customer needed the ability to include the name of the LDAP password
    policy for each user loaded into LDAP. Now provide a way in the
    ldapImportTool.properties to specify the name of an LDAP password policy
    for each user loaded.

RTC527345/IT19159 - Unable to edit existing Authentication Profile
    SEAS admin user created an authentication profile that uses the searchDN
    option, but once it was saved, it could not be edited again. All tabs get
    an error.

    Resolution: Added an appropriate password mask, to keep from getting a
    cyclical error.

RTC527354/IT19159 - Unable to negotiate TLS1.2 when FIPS mode ON
    When running in FIPS MODE, the Secure Accepter will not negotiate to
    accept connections using TLS 1.2.

    Resolution: Now allow TLSv1.1 and TLSv1.2 under FIPS mode.

RTC528040/IT19158 - Unable to set some TLSv1.2 ciphers
    The Customer wants to limit which TLSv1.2 cipher suites can be used. The
      SEASCipherConfigTool -u eaSslProtocol=TLSv1.2
        eaCiphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    command was not working because these 2 ciphers were missing from the
    ssl_tls_ciphers.properties file.

    Resolution: Updated the ssl_tls_ciphers.properties file to include the 2
    missing ciphers and now ship the file in the SEAS jar instead of in the
    conf directory.

RTC528047/IT19156 - Unable to import seas_ad.ldf into Active Directory
    The AD schema provided by SEAS was missing an end of attribute delimiter,
    so the imports were unsuccessful.

    Resolution: Corrected the missing end of attribute delimiter in the SEAS
    AD schema.

RTC531980/IT19604 - Correlator id not returned for SSO token validation
    request from CEUNIX.
    When CEUNIX sent in a SSO token validation request with a correlation id,
    SEAS was not returning the correlation id with the authentication
    response.

    Resolution: Now return the correlation id for a SSO token validation.

RTC533475/IT19864 - Assertion fails "element not found" when using custom
    attribute
    Attribute Assertion Processor was not handling Assertion of the form
    {attr[ldapQuery].yyyyy, xxxxx} properly during attribute resolution.
    Instead of using ldapQuery.yyyyy to resolve yyyyy within LDAP query
    attributes, it is using ldapQuery.yyyyyy,xxxxx which results in the wrong
    value being used in the assertion process.

    Resolution: Added logic to separate the default value from the actual
    attribute before resolving the attribute value from query attribute map.

RTC533801/ - Upgrade to Java 1.8 for Java January 2017 security fixes
    Resolution: Upgrade to IBM JRE 1.8 SR4.1 to take advantage of the improved
    security features.
This level of JRE addresses several Java vulnerabilities documented in the Security Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22001965 ACTION: Java 1.8 will not install on Redhat 5. See this web page for more details: https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.lnx.80.doc/user/supported_env_80.html ACTION: Disables Triple-DES (3DES_EDE_CBC) and DES ciphers. If your site requires 3DES ciphers (because you have not switched to AES128 or AES256), You may edit the /jre/lib/security/java.security and change the following line from jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede to jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DESede Note that the new Java 1.8 contains the following new parameters in the ./jre/lib/security/java.security file. See that file for additional comments. # IBMJCE and IBMSecureRandom SecureRandom seed source. securerandom.source=file:/dev/urandom securerandom.strongAlgorithms=SHA2DRBG:IBMJCE # Controls compatibility mode for the JKS keystore type. keystore.type.compat=true (allows JKS or PKCS12 format) jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ DSA keySize < 1024 (DSA keysize parm added) # Algorithm restrictions for signed JAR files jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024 (all new) # Algorithm restrictions for SSL/TLS processing jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede (Note: Disabling 3DES_EDE_CBC, DESede is new for this release) # Legacy algorithms for SSL/TLS processing (used as last resort) jdk.tls.legacyAlgorithms (New in 1.8, but not configured) # Policy for the XML Signature secure validation mode. 
    jdk.xml.dsig.secureValidationPolicy=\
        disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
        disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
        disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
        disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
        maxTransforms 5,\
        maxReferences 30,\
        disallowReferenceUriSchemes file http https,\
        minKeySize RSA 1024,\
        minKeySize DSA 1024,\
        noDuplicateIds,\
        noRetrievalMethodLoops

RTC534100/IT20072 - Unable to start SEAS v2.4.3 using startSeas.bat on Windows
Customer attempted to start SEAS2430 with the \bin\startSeas.bat file, but it was pointing to the SEAS 2.4.2.0 service.
Resolution: Added the correct Windows service verbiage, 'net start SEAS_V2.4.3.0', to startSeas.bat.

RTC535210/ - RAS Enhancement - Add new startSeas.log, switches for heap dumps and SSL debugging
Reliability/Availability/Serviceability (RAS) enhancement to the startSeas.sh and startSeas.bat scripts.
1) By default, capture heap dumps also when asked for a user javacore dump.
2) Add Java SSL Debug parms (# Z=...) so they can be uncommented and used.
3) Start generating a /bin/startSeas.log file with a one line entry for each startup of the SEAS server.

RTC539439/IT20855 - SEAS GUI fails to start with non-IBM JRE
If the Customer was using a non-IBM JRE when calling the SEAS Webstart GUI, it would put out
    java.security.NoSuchProviderException: no such provider: IBMJCE
and would not start up.
Resolution: Updated the Security Properties handler to use the default security provider from the local JRE instead of IBMJCE.

RTC536554/IT20855 - Allow special characters in SEAS password fields
SEAS was unable to save certain special characters, such as the ampersand (&) in password fields, e.g. the principal password in an LDAP connection definition.
Resolution: Added logic to the SEAS server configuration converter module to protect special characters in password values, so they can be saved.

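For the jdk.tls.disabledAlgorithms edit described under RTC533801 above, the following added example (not part of the IBM fix list or the product) checks whether a java.security file still disables the algorithms a site expects, so a 3DES re-enable left over from a migration is caught. The function names and the sample file contents are constructed for illustration; the property lines are the ones quoted in these notes.

```python
def load_properties(text):
    """Parse Java .properties text: comments, key=value and backslash continuations."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()  # simplification: trailing blanks after a backslash are ignored
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continued value
        # An odd number of trailing backslashes continues the value on the next line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            logical += line[:-1]
            continue
        logical += line
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # a later assignment overrides an earlier one
        logical = ""
    return props


def tls_disabled_tokens(text):
    """Return the comma-separated entries of jdk.tls.disabledAlgorithms, whitespace-normalised."""
    value = load_properties(text).get("jdk.tls.disabledAlgorithms", "")
    return [" ".join(token.split()) for token in value.split(",") if token.strip()]


def missing_restrictions(text, required):
    """List the required entries that the file no longer disables (case-insensitive)."""
    have = {token.casefold() for token in tls_disabled_tokens(text)}
    return [name for name in required if name.casefold() not in have]


# Constructed sample files built from the lines quoted in these notes.
SHIPPED = (
    "# Algorithm restrictions for SSL/TLS processing\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede\n"
)
RELAXED = (
    "# site override made to keep 3DES partners working\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DESede\n"
)
FP35 = (
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \\\n"
    "    EC keySize < 224, 3DES_EDE_CBC, anon, NULL\n"
)

if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED), ("relaxed", RELAXED), ("FP35", FP35)):
        gaps = missing_restrictions(text, ["3DES_EDE_CBC", "DESede"])
        print(label, "OK" if not gaps else "re-enabled: " + ", ".join(gaps))
```
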
RTC542640/IT21204 - Turn off world-writable files
Customer has a requirement that no files be created with write privileges by all users (i.e. UNIX "Other" ......RW.). By default, the JRE creates a temporary directory under /tmp/.com_ibm_tools_attach for monitoring programs to attach to (e.g. Dynatrace). One file based on the pid called attachNotificationSync has permissions of -rw-rw-rw-.
Resolution: Added -Dcom.ibm.tools.attach.enable=no to all scripts associated with SSP, SSPCM, PS, and SEAS so that these world-writable files would no longer be created.
ACTION: If you use third party monitoring tools to monitor SSP or SEAS, you may need to change to -Dcom.ibm.tools.attach.enable=yes in the startup scripts.

RTC542362 - Customized EA_GUI.jnlp file overwritten during upgrade
The Customer upgraded SEAS and found that it overwrote his updates to the EA_GUI.jnlp file, which is used to launch the SEAS GUI. He had configured it to connect to SEAS with https.
Resolution: Now save a copy of ./conf/jetty/docroot/webstart/EA_GUI.jnlp during an upgrade install to EA_GUI.jnlp.bak.

RTC544478/IT22277 - Add support for IBM Security Access Manager (ISAM) v9
Tivoli Access Manager (TAM) 5.1 has been end-of-life'd and has been replaced with IBM Security Access Manager (ISAM) v7, 8, and 9.
Resolution: Now support ISAM v9 for back end security queries and assertions. If support for older TAM is required, Customer can add Java property -DenableTAM51=true to continue back level calls.

RTC545164/ - Add LDAP User Mapping to the generic authentication configuration
Currently the Mapped credentials which can be configured when using the 'Generic' auth (e.g. custom exit like SIUserAuthExit_Xapi) are fixed.
Resolution: Updated the GUI to provide an Attribute Query feature within the 'Generic' (custom exit) authentication definition. It will allow retrieving mapped credentials, etc, from LDAP similar to the other authentication types.

RTC548403/IT22242 - Avoid NPE when null ssh public key is returned from LDAP
SSH key authentication was getting a NullPointerException (NPE) after applying SEAS2430 iFix 3 Plus Build 101 or above. The Customer was using an LDAP query for their SSH key with a scope of "subTree" instead of "one level" and some of the public keys returned were null.
Resolution: Added logic to detect when a null ssh public key is returned for users that have the loginCredential container associated with them.

RTC548827/ - IPv6 support for SSP and SEAS
Resolution: Added support for IPv6 by
- Removing the disabling of IPV6 from the startup script
- Changing the validators in all address fields to allow IPV6 addresses where IPV4 addresses were allowed
Note for the SEAS Web port (default 9080):
- If you only want an IPV4 listen to be opened, specify a DNS name in /conf/jetty/JettyConfigDef.xml that resolves to an IPV4 address on the SEAS machine or specify the IPV4 address of the server where SEAS is being installed.
- If you only want an IPV6 listen to be opened, specify a DNS name that resolves to an IPV6 address on the SEAS machine or specify the IPV6 address of the server where SEAS is being installed.
- If you want both an IPV4 listen and an IPV6 listen to be opened, specify 0.0.0.0

RTC550367/IT22489 - NPE in custom token manager after upgrade
Getting a NullPointerException during authentication of an SSH key when using a custom token manager. RTC50817 introduced code to check if a password field might be populated with a SEAS token so that Connect:Enterprise for UNIX could participate in Single Signon processing. However, it was not validating the password field before calling the custom SSO token manager with a null value.
Resolution: Now check for a null password field before checking to see if it may contain a SSO token.
Also did some cleanup on log messages to make the logs more readable:
- Changed the date format and shortened thread and class names
- Changed SSP failover logging (sspDUMMYprofile) to TRACE mode
- Attempt to suppress some messages so that SEAS can run in INFO mode to get general flow.

PSIRT9227 - Update JRE 1.8 to SR4 FP10 (8.0.4.10)
Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2017 level for all the security patches.

RTC553583 - Tivoli LDAP Policy was not being retrieved after upgrade to IBM Security Directory Server
IBM Security Directory Server (ISDS) 6.x is the follow on product for IBM Tivoli LDAP, which has been discontinued. Note, this defect is also linked to RFE529909 - Support for IBM Security Directory Server 6.4.
Resolution: SEAS now supports queries to IBM Security Directory Server 6.x.

RTC553646 - SEAS scripts failing after SEAS protocol update
The SEAS command line scripts could fail if the SEAS accepter was changed to run with TLS 1.2 only.
Resolution: Changed the SEAS Command line client to default to SSL_TLSv2 (SSLv3 - TLSv1.2) when establishing TLS connectivity.

RTC555070/IT24422 - Support password change through OpenLDAP server
SEAS did not support user password changes when running against an Oracle LDAP, OpenLDAP, or Apache LDAP server. If a new or reset userid had the must-change password flag set, SEAS would not recognize it and pass back the proper values to SSP to allow the user to supply a new password.
Resolution: Implemented logic to allow for proper password change against Oracle, Open, and Apache LDAP servers.

RTC555099/ - Enhancement for HTTP proxy for CRL checking
Customer had a requirement for SEAS Certificate Revocation List (CRL) checking to go through a proxy instead of going straight through to the internet.
Resolution: Added support for sending the CRL requests through a proxy server.

RTC555100/ - Enhancement to Choose Specific Protocols from Distribution Point CRL URLs
When using "Process Distribution Points during CRL Check", SEAS attempts to make a connection to all the URLs from the distribution point object which can cause failures and unwanted errors in the log files.
Resolution: Now allow the Admin to configure which protocols to allow when doing CRL checking. In the Certificate Validation Definition Wizard, when "CRL check required" and "Process Distribution Points during CRL Check" are checked, the following protocols are automatically selected but can be unchecked: HTTP, HTTPS, LDAP, and LDAPS.

RTC555102/ - Enhancement to suppress load balancer messages
The Customer uses a load balancer in front of their SEAS, and needed a way to turn off the unwanted log activity generated from the load balancer pings.
Resolution: Include a new field in Manage -> System Settings -> Globals. Under Load Balancer Management / Load Balancer IP Addresses, the IP address(es) can be specified (comma separated). Ensure the "Enable Load Balancer Logging" is unchecked to turn off the logging.

RTC555328/IT23537 - Invalid realm failure during SSO token validation
If a Customer runs SEAS with a custom token manager, and any of their tokens are created without SEAS involved, SEAS is not able to validate the token because it does a check to ensure that the token was generated by SEAS. The error message is:
    ERROR SingleSignonServiceImpl - AUTH091E SSO token validation failed (Reason: invalid realm).
Resolution: Now only validate the token realm if SEAS is using the default simpleSAML token manager. If a custom token manager is in use, the token could have been generated outside of SEAS and would not have a SEAS realm.

RTC555414 - Passphrase pre-populated on a new install on Windows
A new install on Windows shows the system passphrase field pre-populated with ********.
Resolution: Changed the install to not pre-populate the $PASSPHRASE$ variable.

RTC555750/IT23303 - Jetty web server version found in server response header
Jetty is sending its version in the HTTP header (considered a security risk by some scanners).
Resolution: Configured Jetty to not send its server version.

RTC557073/IT23495 - Engine fails to start after upgrading from pre-SSP3420
Upgrade installs of SEAS, SSPcm or SSP engine did not replace the log4j property files and in some cases, the SSP CM and/or SSP engine will not come up properly.
Resolution: The installer (during an upgrade) will make a copy of the following log4j files and append a date/time stamp to the name before replacing the file with the current version:
    bin/log.properties
    conf/log.properties
    conf/log4j.properties
    conf/log4j2.xml
ACTION: If there are customizations to the log4j property files, the Customer must retrofit them after the upgrade.

RTC557573/IT23598 - Add HTTP security headers to webstart sessions
Resolution: Provide an Admin GUI option in the Manage system -> Globals tab which allows secure HTTP headers to be inserted for webstart sessions. By checking the box entitled, "Enable HTTP security headers for webstart", the administrator can enable the following HTTP headers in Webstart sessions: X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Strict-Transport-Security, and Content Security Policy.
Note: Build139 disabled Content-Security-Policy by default.

RTC557954/IT23539 - Connections are failing authentication or getting dropped
Customer is running with a SEAS Custom exit and when there are many concurrent connections, some are getting dropped or failing. Tried adding the SEAS Java parms -Dhttp.exit.cache.client=true and the SEAS HTTP custom exit property pre-authenticate=true, but they were only partially effective.
Resolution: Updated the HttpUserAuthExit to use a Multi-Threaded Http ConnectionManager instead of the SimpleHttpConnectionManager. Also now cache HttpClient objects by default.

RTC559372/IT24331 - SEAS certificate and public key authentication fails after migrating to IBM SDSv64 from Tivoli
The Customer upgraded from a version of Tivoli LDAP to its follow on product, IBM Security Directory Server (ISDS), version 6. The new product returned the sshPublicKey in binary mode in accordance with RFC 2252, instead of in Base64 encoded form, which SEAS was used to. The change resulted in failed authentications.
Resolution: Now handle sshPublicKeys and certificates returned from LDAP in either Binary or Base64 encoded format.
Workaround: Consult ISDS product documentation about a setting in the ibmsldap.conf file,
    ibm-slapdSetenv: IBMLDAP_ATTR_INCLUDE_BINARY=FALSE
which returns the binary attributes in the old format for compatibility.

RTC560023/IT23857 - SHA2 and SHA3 Cipher Suites not available when selecting "SSLv3, TLSv1, TLSv1.1, or TLSv1.2"
When selecting "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" there were no SHA256 or SHA384 cipher suites listed.
Resolution: Now default to 18 cipher suites, including at least 5 each of SHA256 and SHA384 for the following protocol selections:
    "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" (Also known as SSL_TLSv2)
    "TLSv1, TLSv1.1, or TLSv1.2" (New, called TLS_ONLY)
    "TLSv1.2"

RTC560939/ - Redirect console output to a log file
Currently when Java ssl debugging is turned on in SEAS, the output goes to the /bin/startSeas.out file and does not have any timestamps nor does it roll over.
Resolution: Added support for SSL debugging output to go to a log4j logger which supports timestamps and a file appender (>logs/systemout.log).

RTC564014/IT24444 - Failure authenticating with HttpBasicAuthentication(SEAS)
When the two exits: SIUserAuthExit_Xapi and HttpUserAuthExit are used together, the SSL connection to the backend fails for one of them.
Resolution: Changed the HttpUserAuthExit to register its "Protocol" object under a different string "myhttps" instead of "https" to avoid the conflict.

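The sshPublicKey handling described under RTC559372 (binary or Base64) and the null-key case from RTC548403 can be illustrated with the added example below, which is not SEAS code. It assumes the attribute carries an SSH key blob in the RFC 4253 wire format and also accepts the OpenSSH one-line text form, which goes beyond the two encodings the notes mention; all function names and the sample key are constructed.

```python
import base64
import binascii
import struct

KEY_PREFIXES = (b"ssh-", b"ecdsa-sha2-")


def ssh_string(data):
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def blob_algorithm(data):
    """Return the algorithm name that starts an SSH key blob, or None if data is not one."""
    if len(data) < 4:
        return None
    (name_len,) = struct.unpack(">I", data[:4])
    if not 0 < name_len <= 64 or len(data) <= 4 + name_len:
        return None
    name = data[4:4 + name_len]
    return name if name.startswith(KEY_PREFIXES) else None


def normalize_ssh_public_key(value):
    """Return the raw key blob for a value that LDAP delivered as binary or as Base64 text.

    None is passed through so the caller can reject the entry instead of dereferencing it.
    """
    if value is None:
        return None
    data = value.encode("ascii") if isinstance(value, str) else bytes(value)
    if blob_algorithm(data) is not None:
        return data  # binary transfer: already the raw blob
    fields = data.split()
    declared = None
    if len(fields) >= 2 and fields[0].startswith(KEY_PREFIXES):
        declared, candidate = fields[0], fields[1]  # "ssh-rsa AAAA... comment"
    else:
        candidate = b"".join(fields)  # bare Base64, possibly line-wrapped
    try:
        blob = base64.b64decode(candidate, validate=True)
    except binascii.Error as exc:
        raise ValueError("sshPublicKey is neither a key blob nor Base64") from exc
    actual = blob_algorithm(blob)
    if actual is None:
        raise ValueError("decoded sshPublicKey is not an SSH key blob")
    if declared is not None and declared != actual:
        raise ValueError("key type label does not match the key blob")
    return blob


# Constructed sample: an "ssh-rsa" blob with a dummy exponent and modulus, not a real key.
SAMPLE_BLOB = (
    ssh_string(b"ssh-rsa")
    + ssh_string(b"\x01\x00\x01")
    + ssh_string(b"\x00" + bytes(range(1, 33)))
)

if __name__ == "__main__":
    as_base64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
    for form in (SAMPLE_BLOB, as_base64, "ssh-rsa " + as_base64 + " user@example"):
        print(normalize_ssh_public_key(form) == SAMPLE_BLOB)
```
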
RTC564476/internal - SEAS web port is not being opened on IPV6
The SEAS installer sets up Jetty to bind to a specific IPV4 address unless overridden by the user.
Resolution: Changed the installer to default to 0.0.0.0 as the DNS name for the servlet container which allows Jetty to allow any address (IPV4 or IPV6) to connect.

RTC564477/internal - SEAS accepting invalid IPV6 addresses in several fields
The validation of Host Name in several panels was simply screening for invalid characters.
Resolution: Now always validate Host Name in all fields and recognize IPV4 and IPV6 addresses and screen them properly.

RTC565040/IT24732 - Excessive error messages for SSPDummyUser pings from SEAS user exit
The Customer was seeing excessive error messages and stack traces for the sspDummyUser ping events when using the SEAS custom user exit.
Resolution: Added logic to suppress excessive logging when the UserId is SSPDummyUser or the SEAS profile is SSPDummyProfile during SEAS user exit authentication.

RTC565487/ - SSP/SEAS code signing certificate expires June 21, 2018
The code signing certificate used for SSP and SEAS expires June 21, 2018. Testing showed that both products will run after that date, but the SEAS Webstart GUI will not.
Resolution: Updated the signing cert for SSP and SEAS with one which will expire on March 14, 2021.
HIPER: Upgrade SEAS to the SEAS2432 (SEAS 2.4.3.0 Fixpack 2) level before June 21, 2018 to ensure that the Webstart GUI will continue working.

RTC565836/IT25733 - SEAS authentication timeout in Custom Exit
Getting timeouts on some clients connecting to SSP. SSP sends the authentication request to SEAS but it never receives the response back and hence the connection fails. The Customer's Custom Exit was returning a null value in the SEAS audit logs list, and SEAS dropped the response.
Resolution: Added logic to handle null values in the audit logs list. Also cleaned up stack trace while debugging the timeout issue.

RTC566430/ - Remove Spring Framework libraries
The Spring Framework toolkit libraries have been shipped with the product but they are not used.
Resolution: No longer ship the Spring Framework libraries.

RTC567335/ - Upgrade Apache Components HttpClient to 4.5.5 level
Need to upgrade the Apache Commons HttpClient 3.1 toolkit which is end of life.
Resolution: Updated the Apache Components HttpClient toolkit to 4.5.5. Changed the HttpUserAuthExit and SIUserAuthExit_Xapi exits to use the same.

RTC567354/IT24987 - Getting non-fatal stackOverflowExceptions in log during SILENT install
The SILENT install for SEAS produces one or more stackOverflowExceptions in the installer log. However, the actual installation is still ok and these errors can be ignored.
Resolution: Changed the installer to recognize that the installation is a SILENT install and avoid the action causing the stackOverflowException.

PSIRT10955/10418 - Update JRE 1.8 to SR5 FP10 (8.0.5.10)
Resolution: Update the JRE 1.8 to bring it up to the Oracle January 2018 level to satisfy the CVEs in PSIRT10418 and PSIRT10955.
PSIRT 10418 - October 2017 Java CPU Advisory
    CVE-2017-10356 (CVSS 6.2) - Product uses JKS or JCEKS keystores
PSIRT 10955 - January 2018 Java CPU Advisory
    CVE-2018-2633 (CVSS 8.3) - Vulnerable to specially crafted LDAP CRL URL.
    CVE-2018-2603 (CVSS 5.3) - Applications that use SSL/TLS.
    CVE-2018-2602 (CVSS 4.5) - Affects all Java deployments.
    CVE-2018-2588 (CVSS 4.3) - LdapLoginModule for LDAP based authentication.
    CVE-2018-2579 (CVSS 3.7) - Issue with getEncoded() method
See http://www.ibm.com/support/docview.wss?uid=swg22017040 for the Security Bulletin.

RTC571139/ - CRL Definition Wizard not working correctly after upgrade
After upgrading to SEAS 2.4.3.2 iFix 1, the CRL Definition Wizard in the GUI was not allowing the [ Match Attributes ] on [LDAP Parameters] to be set during initial setup.
Resolution: Now use the correct match attribute label in the internal GUIProperties.properties.prebuild file.

RTC571266/ - Change password fails when LDAP policy retrieval fails
During a password change operation via SEAS, if there is a failure during the LDAP password policy retrieval, the user is not allowed to complete the password change.
Resolution: Now allow the user to proceed with the password change operation when the LDAP password policy retrieval fails.

RTC572431/IT25834 - NullPointerExceptions (NPEs) in log after upgrade
Customer getting NPEs in the logs when the SEAS is attempting to retrieve a password policy. The error did not seem to cause a problem with production processing.
Resolution: Corrected the NPEs so they don't clutter up the log.
Note: The defect RTC572431 is also known internally as MFT-9861.

PSIRT11819 - Update JRE 1.8 to SR5 FP17 (8.0.5.17)
Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2018 level to satisfy the CVEs in PSIRT11819:
    CVE-2018-2783 (CVSS 7.4) TLS handshaking flaw implementing 3Shake
See http://www.ibm.com/support/docview.wss?uid=ibm10729767 for the Security Bulletin.

MFT-9831/ - Certificate CRL revocation check fails after upgrade
When the Certificate Revocation List (CRL) is in DER format, it was being converted into string data after upgrading to SEAS 2.4.3.2 iFix 1. This caused the CRL processing to fail.
Resolution: The module which retrieves the CRL has been updated to return binary data in all instances.

SEAS-405/ - SEAS upgrade to Jetty 9.4.11
Enhancement to upgrade Jetty from the 7.0.1 level to the 9.4.11 level for improved security and functionality. This is also known as PSIRT12571.

MFT-10009/IT27016 - SEAS ldapImportTool.sh does not log exception when wrong FQDN/PORT in the properties file.
The ldapImportTool, which is used during Connect:Enterprise for UNIX migrations to SI/SFG, was not notifying of a failed connection to the LDAP server.
Resolution: Added a check for a failed connection and put out an error message.

SSP-3229/ - Support for OpenDJ LDAP server
Resolution: Now support the OpenDJ LDAP server for back end security queries and assertions.

MFT-10069/IT27973 - SEAS getting NPE on 2.4.3.2, Fix 3 when Jetty Webstart port defined as secure
After upgrading to SEAS2432 iFix 3, Customer got the following when starting the product:
    ManagedJettyService - EXCEPTION start() – java.lang.NullPointerException
    at org.eclipse.jetty.server.AbstractConnector. (AbstractConnector.java:197)
    ServiceManagerImpl - Startup did not succeed. Terminating
The Customer had set to true in their SEAS Webstart (9080) port definition at /conf/jetty/JettyConfigDef.xml
Resolution: The Jetty implementation, which had recently been upgraded in SEAS2432 iFix 3, was updated to correctly support https.

MFT-10122/IT27880 - SEAS doesn't allow forward slash (/) in username
Customer using Active Directory reported that SEAS authentication from ICC returns the below error when there is a forward slash (/) in the username.
    LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
Resolution: SEAS was modified to allow a forward slash as a valid character in a username being validated.

PSIRT12959, PSIRT13809 - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for security patches.
Resolution: Update the JRE 1.8 to bring it up to the Oracle October 2018 level to satisfy the CVEs in PSIRT advisories 12959 and 13809.
See http://www.ibm.com/support/docview.wss?uid=ibm10872778 for the Security Bulletin.

MFT-10204/IT28758 - Ldap bind failure after upgrade to 6.0 or 2432 iFix 4
After upgrading to SEAS 6.0.0.0, the Customer's SEAS instance could not connect successfully to the LDAP server. The LDAP server was using a keycert with a Subject Alternate Name (SAN) extension which did not include the load balancer hostname in front of the LDAP server that SEAS was connecting to.
Oracle Java level 1.8.0_181 introduced changes to improve LDAP support by enabling endpoint identification algorithms by default for LDAPS connections; this also results in stricter hostname validation.
Resolution: Updated the startSeas.sh script (and equivalent Windows scripts and LAX files) to include a commented
    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
parameter which the Customer can uncomment to correct the behavior. Another way to resolve the problem is to update the LDAP server certificate to include all possible hostnames that clients will try to connect to.

MFT-10269/IT29043 - SEAS Custom Exit alternate URLs not attempted
The Customer is using the custom exit for authentication through the SI XAPI "com.sterlingcommerce.component.authentication.impl.SIUserAuthExit". Within the profile they have coded the properties specific to the SI connection:
    (http.auth.user=*; http.auth.password=*; url=*; alt.url.1=*)
When the primary URL is active the authentication is successful, but when the URL is down, the SEAS does not try the alternate url and the authentication fails.
Resolution: Improved the retry logic when the alternate SI URL fails to make sure the alternate is tried.

SEAS-686 - Log authentication failures in the audit log for command line utilities
EAS was not logging the auth failures encountered by command line utilities in the audit log.
Resolution: Now explicitly call the audit logger for auth failures in the command line utilities in the bin directory.

SEAS-452 - InstallAnywhere 2018 upgrade for Windows 2016 support
Resolution: Upgraded to InstallAnywhere 2018, which provides support for Windows 2016 Server.

MFT-10243/PSIRT15330 - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches
Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2019 level to satisfy the CVEs in PSIRT advisory 15330.
See http://www.ibm.com/support/docview.wss?uid=ibm10885939 for the Security Bulletin.
ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) introduced a change to disable anon and null cipher suites via the jdk.tls.disabledAlgorithms parameter in the /jre/lib/security/java.security file. If your site uses these suites for testing, update your java.security file to remove the last 2 parms:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
        EC keySize < 224, 3DES_EDE_CBC, anon, NULL
ACTION - The java.security file includes a new parm for distrusting CAs:
    jdk.security.caDistrustPolicies=SYMANTEC_TLS
For more information, see the writeup in the java.security file.

MFT-10352/IT29527 - Exit displays LDAP password in readable format in SEAS log
During execution, the SEAS custom exit was dumping some password values coded in the SEAS profile to the SEAS log.
Resolution: Commented out the line in the exit which displayed the incoming values from the SEAS profile. Also added code to mask printing the values of properties which contain the strings "password", "pwd" or "passphrase" in them while adding or updating profiles.

MFT-10358/PSIRT16274,16318 - Security upgrade to Jetty 9.4.20
Resolution: Update the Jetty server to satisfy the CVEs in PSIRT advisories 16274 and 16318.
See http://www.ibm.com/support/docview.wss?uid=ibm11095838 for the Security Bulletin.

MFT-10409/IT29481 - Passwords with & ampersands not authenticating through XAPI exit
Passwords which contained ampersands (&) were not authenticating correctly when going through the XAPI exit which authenticates to SI/B2Bi. The value was being encoded twice when building the xml to send to SI.
Resolution: Corrected the double encoding so that passwords with ampersands can authenticate correctly through the XAPI exit.

SEAS-665 - SEAS Sample exit changes provided for moving global variables to local
The IBM Sterling External Authentication Server (SEAS) provides sample custom exits which Customers can update and implement to customize the authentication process in their environment.
Previously, the sample code in these exits used some global variables instead of local variables, which could cause problems during high concurrency processing. The problems do not occur when using dynamic routing and/or mapped credentials without the custom exits.
Resolution: The sample exits, /samples/SampleAuthenticationExit.java and /samples/SampleCertValidationExit.java have been updated to move the necessary global variables into the methods that use them so that they are local and unique per thread. The source is marked with "SEAS-665" in the comments with notes describing the changes that were made to make the code thread-safe.
ACTION: Customers who use these exits should either update their own custom source with the changes highlighted in the new sample source, or copy in the new sample source and reapply their custom changes to them.

MFT-10559/IT30200 - Jetty Http server uses the incorrect certificate alias
Customer added a new keycert with a new alias to replace their expired keycert. However, when they attempted to logon to the 9080 WebStart port, they were presented with the expired certificate.
Resolution: Updated the HTTP server side code to ensure that we honor the keycert alias specified in the SEAS GUI.

MFT-10579/PSIRT17288 - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches.
Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2019 level to satisfy the CVEs in PSIRT advisory 17288.
See http://www.ibm.com/support/docview.wss?uid=ibm11095832 for the Security Bulletin.

MFT-10653/IT30757 - SEAS not starting when LDAP principal password contains an Ampersand (&)
The Customer created an LDAP definition which included an ampersand (&) character in the password. The next time SEAS was restarted, it would not come up. The startSeas.out file contained the following:
    INFO: Instantiated the Application class com.ibm.seas.rest.SEASRestApplication.
    Startup did not succeed.
    Terminating: com.sterlingcommerce.hadrian.common.xml.XmlParsingException: Error on line 9: The entity name must immediately follow the '&' in the entity reference.
Resolution: Added logic to properly encode the password field in LDAP Bind query object.

MFT-10714/IT31373 - SEAS out of memory after 3 months
SEAS took an OutOfMemory (OOM) exception after 3 months with a slow leak of the "EDU.oswego.cs.dl.util.concurrent.LinkedNode" class. It was defined in older sections of the code using a queue structure which did not have a size restriction.
Resolution: Updated the code which used the LinkedQueue classes and now use the BoundedLinkedQueue classes, which will keep the OOM exception from happening.

MFT-10847/IT31788 - "Invalid Client Alias" connecting to LDAPs
SEAS emitted the following during SSL handshaking to their LDAP server:
    java.lang.IllegalArgumentException: Invalid Client Alias
    SEND TLSv1 ALERT: fatal, description = internal_error
The Customer's LDAP was requesting a client certificate but was configured not to require it. But the SEAS keymanager was detecting a client keycert alias coded when the field was empty.
Resolution: Corrected the key manager to properly validate the existence of both the client keycertAlias and server keycertAlias.

MFT-10887/ (CM,Engine,PS,SEAS) - GPF in SSP engine
The SSP Engine terminated with a General Protection Fault (GPF) when the JVM tried to get an internal structure from a terminated thread.
Resolution: Installed the IBM JRE 8.0.6.5 to resolve the GPF.

MFT-10904/ (CM,Engine,PS,SEAS) - GPF in SSP engine
The SSP Engine terminated with a General Protection Fault (GPF) in the IBMPKCS11 area.
Resolution: Installed the IBM JRE 8.0.6.5 to resolve the GPF.

SEAS-1177/ - SEAS GUI tabs go away after changing Token Manager value
In the SEAS GUI, in the Manage->SystemSettings->SSO Token tab, when the Token Manager field is changed from "SEAS-SAML" to "Custom", several other System Settings tabs go away.
The System Settings must be selected again from the Manage screen to show the other tabs.
Resolution: Now seamlessly allow changing the Token Manager field without losing other tabs.

SEAS-1178 - Custom exit connecting to invalid URL gets nuisance msg
When an invalid URL is specified for the custom exit to connect to, it puts out "java.lang.IllegalArgumentException: Socket may not be null".
Resolution: Now emit a proper error message:
    "ERROR HttpUserAuthExit - AUTH220D Communication failure, IBM Secure External Authentication Server could not connect to the server: https://:/myfilegateway"
and also show a stacktrace if in debug mode.

SEAS-1200/PSIRT21787 - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches.
Resolution: Update the JRE 1.8 to bring it up to the Oracle January 2020 level to satisfy the CVEs in PSIRT advisories 20470 and 21787.
See https://www.ibm.com/support/pages/node/6116938 and https://www.ibm.com/support/pages/node/6116968 for the Security Bulletins. Also tracked internally as SEAS-1199.

SEAS-1230/ - CERT008E Exception encountered doing cert validation
During regression testing with the new IBM JRE 8.0.6.5, a certificate validation test case failed with the following exception:
    CERT008E Exception encountered while processing certificate chain: com/ibm/security/x509/CRLDistributionPointsExtension.(Z[B)V
The IBM JRE had changed the API for Certificate Revocation List processing which was incompatible with callers compiled under an older JDK.
Resolution: Switched to compile SEAS with the IBM 8.0.6.5 JDK and updated the API call to use a different method to get the CRL distribution points from the certificate.

MFT-11043/ - Local bind address misconfiguration hard to diagnose
The Customer has mistakenly put LDAP bind information (CN=xxx) into the local bind address field of their LDAP connection definition, which is intended for a TCPIP local socket address.
Instead of a useful error msg which would highlight the misconfiguration, the LDAP connection failed with
    AUTH002E Ldap Bind failed for service principal host:port Cause: com.sterlingcommerce.hadrian.common.net.ConnectionException: java.net.SocketException: Unresolved address.
Resolution: Added diagnostics to print an error message when the local TCP side of the socket fails to bind to the supplied address, along with the local bind address info that failed.

MFT-11147/IT33020 - CRL checking fails after upgrade to SEAS2432 iFix 7
The Customer, who had Certificate Revocation List (CRL) checking enabled, upgraded to SEAS2432 iFix 7 and began seeing
    ERROR CertValidator - CERT005E Failed to complete required CRL check. Problem 1 of 1: Insufficient information to locate CRL for issuer: CN=...
This is a companion to issue SEAS-1230.
Resolution: Switched to compile SEAS with the IBM 8.0.6.5 JDK and updated the API call to use a different method to get the CRL distribution points from the certificate.

MFT-11154/ - GUI connection to SEAS secure port fails
The Customer was trying to access their SEAS secure port from the Webstart GUI, but kept getting unhelpful messages which indicated a handshake failure after the connection was made:
    ClientConnectionException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Resolution: Added diagnostics on the client side which more clearly showed that the problem was in connecting to the port (a firewall issue) rather than a handshake error.

MFT-11195/IT33131 - Mapped loginPwd not being processed properly from IBM SDS
The Customer is using the IBM Secure Directory Server (ISDS) for their LDAP server and pulling mapped credentials to their back end protocol server. The ISDS server returns the loginPwd value as a binary byte array rather than a string, so that it is not handled correctly.
Resolution: Now handle the mapped loginPwd field whether it comes as a byte array or a string value.
Also, mask the loginPwd when tracing in the log.

SEAS-1148/ - Improvements to Content-Security-Policy Header
The default Content-Security-Policy HTTP header returned by the SEAS
Webstart page was not acceptable to the OWASP security scanning tool.
According to the tool, the value of "default-src 'self';" allowed wildcard
sources or ancestors.

Resolution: Now supply the following values for the Content-Security-Policy
header:
    "default-src 'self'; img-src 'self'; style-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';"
This also required splitting the contents of the index.htm file into 3 new
files: body.js, header.js, and stylesheet.css. The index.htm file is backed
up prior to installing. This is also tracked as PSIRT ADV0022035.
See https://www.ibm.com/support/pages/node/6249399 for the Security Bulletin.

SEAS-1233/ - XML External Entity (XXE) vulnerability in SEAS
During internal security scanning, SEAS was found to be vulnerable to an
XML External Entity Injection (XXE) attack when processing XML data. It is
further described in PSIRT advisory ADV0023731.

Resolution: Added parser processing commands to disallow the illegal
commands that caused the XXE attack.
See https://www.ibm.com/support/pages/node/6249317 for the Security Bulletin.

SEAS-1238/ - CRUD033E Operation: update failed when setting up LDAP Connection screen of LDAP authentication profile
When configuring the LDAP authentication profile, a switch between the
"Search for User DN" option, "Specify User DN" option, and the LDAP
Connection Settings Tab can cause the error message,
    CRUD033E Operation: update failed : BindSearchName does not match query entered: FindUserDN vs. null

Resolution: Now make sure that the configured value for principal Name is
consistently set during a save operation to the backend.
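
For SEAS-1148 above: an added example (not SEAS code) that parses the old and new Content-Security-Policy values quoted in that entry and prints the effective source list per directive. It shows why "default-src 'self';" alone leaves frame-ancestors unrestricted: that directive does not fall back to default-src. The class and method names are illustrative.

```java
import java.util.*;

// Added example, not SEAS code: effective CSP sources for the directives in SEAS-1148.
public class CspEffectivePolicy {
    // Fetch directives named in the resolution; when absent they inherit default-src.
    static final List<String> FETCH =
            Arrays.asList("img-src", "style-src", "script-src", "object-src");

    // Split "name src src; name src" into directive -> sources (first occurrence wins).
    static Map<String, List<String>> parse(String policy) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (String part : policy.split(";")) {
            String[] tok = part.trim().split("\\s+");
            if (tok[0].isEmpty()) continue;              // blank segment between or after ';'
            out.putIfAbsent(tok[0].toLowerCase(Locale.ROOT),
                    Arrays.asList(tok).subList(1, tok.length));
        }
        return out;
    }

    static String describe(List<String> src) {
        if (src == null) return "UNRESTRICTED";
        if (src.isEmpty()) return "'none'";              // an empty source list matches nothing
        return String.join(" ", src) + (src.contains("*") ? "  <-- wildcard" : "");
    }

    static Map<String, String> effective(String policy) {
        Map<String, List<String>> p = parse(policy);
        Map<String, String> out = new LinkedHashMap<>();
        for (String d : FETCH) {
            List<String> src = p.containsKey(d) ? p.get(d) : p.get("default-src");
            boolean inherited = !p.containsKey(d) && src != null;
            out.put(d, describe(src) + (inherited ? " (inherited from default-src)" : ""));
        }
        // frame-ancestors is not a fetch directive: it never falls back to default-src.
        out.put("frame-ancestors", p.containsKey("frame-ancestors")
                ? describe(p.get("frame-ancestors")) : "UNRESTRICTED (no default-src fallback)");
        return out;
    }

    public static void main(String[] args) {
        String before = "default-src 'self';";           // value the scanner rejected
        String after = "default-src 'self'; img-src 'self'; style-src 'self'; "
                + "script-src 'self'; object-src 'none'; frame-ancestors 'self';";
        System.out.println("before: " + effective(before));
        System.out.println("after:  " + effective(after));
    }
}
```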

SEAS-1247/ - Supply IP address of authenticated user in SSO token validation response

Resolution: This is a small enhancement to pass the IP address of the
authenticated user to the back end B2Bi within the response to the SSO token
validation request. For authentication and certificate validation SSO
requests which supply an IP address of the incoming user, now include the IP
address in the following tag in the response:
    auth.ipAddress 10.20.30.40

SEAS-1259/ADV0021791/ADV0023736 - Update IBM JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches

Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2020 level
to satisfy the CVEs in PSIRT advisories ADV0021791 and ADV0023736.
See https://www.ibm.com/support/pages/node/6249381 and
https://www.ibm.com/support/pages/node/6249391 for the Security Bulletins.
The ADV0021791 was tracked internally as SEAS-1235.

SEAS-1429/ - Vulnerability in Apache Commons Codec
HIPER: Updated the Apache Commons Codec toolkit to v1.15 to address PSIRT
advisory ADV0025470 - CVEID: 177835 (CVSS: 7.5).
See https://www.ibm.com/support/pages/node/6339801 for security bulletin.

MFT-11359/IT33971 - AUTH061E NullPointerException during AttributeAssertion [VerifySSHPublicKey]
SEAS was doing many successful SSH public key authentications, then they all
began failing with NullPointerExceptions (NPEs). Messages received:
    AssertionProcessor - Exception processing assertion: java.lang.NullPointerException
    AUTH061E Exception encountered while evaluating authentication AttributeAssertion[VerifySSHPublicKey]: null.
Other SEAS going to the same LDAP were not failing. Restarting the failing
SEAS resolved the NPEs.

Resolution: Added defensive code in areas that appeared vulnerable,
especially checking for null values in our map of LDAP variables, the LDAP
query response, and the assertion string itself. We also added code to print
the assertion expression in case of an exception while processing it.
Also added diagnostic stack traces in the area that the NPEs were thrown to
catch the exact location for further diagnosis.

MFT-11367/IT34033 - Nullpointer in SingleSignonServiceImpl
The Customer is monitoring their logs for NullPointerExceptions (NPEs) and
seeing the following:
    ERROR SingleSignonServiceImpl - AUTH094E SSO token generation failed (Reason: null).
    ERROR SingleSignonServiceImpl - java.lang.NullPointerException
This caused only the one session to fail, no further fallout.

Resolution: Added defensive code to check for null values in the areas
around token generation, including before scanning the tokenGroup and
tokenRealm lists. Also added code to print more relevant messages and stack
traces closer to where the null values may be presenting themselves.

MFT-11500/IT34551 - NULL pointer exception during script engine allocation
SEAS is getting
    ERROR AssertionProcessor - java.lang.NullPointerException at com.sterlingcommerce.hadrian.common.util.HadrianScriptingEngine.eval().
This is in the area where we process an assertion (i.e. compare a value from
LDAP with a supplied value, such as a user’s SSH public key). SEAS requested
a script processing engine, but failed to check whether the engine was
actually allocated before calling it.

Resolution: Now allocate only one script engine during class load instead of
getting a new one with every call. If a null pointer is detected, make 3
attempts to re-establish a good script engine.

SEAS-1430/ADV0026225 - Upgrade IBM JRE to 8.0.6.15 level for security patches

Resolution: Update the IBM JRE to satisfy the CVEs in the Oracle July 2020
CPU, PSIRT advisory 26225.
See https://www.ibm.com/support/pages/node/6398778 for the Security Bulletin.

SEAS-1478/ADV0028030 - Update Jetty toolkit to v9.4.34 for security patches

Resolution: Updated the Eclipse Jetty toolkit to 9.4.34 to mitigate
CVE-2020-27216, dealing with elevated privileges. This is PSIRT advisory
28030.
See https://www.ibm.com/support/pages/node/6398776 for the Security Bulletin.

MFT-11742/IT35559 (CM) - Jetty failure at SEAS startup after upgrade to iFix 10
Customers installing the new SSPCM or SEAS for iFix 10 could not bring up
the SSPCM or SEAS. The error message was
    KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
The new Jetty for PSIRT ADV0028030 introduced a requirement of having only
one CA-signed keycert in the keystore unless using a server form of the
SslContextFactory class. The problem could also occur with one Subject
Alternative Name (SAN) keycert which has multiple hosts.

Resolution: Updated our Jetty instance to use the SslContextFactory$Server
class as required when SAN certificates or multiple signed certificates are
present in the keystore.

SSP-4965/ - Updated code signing certificate for signing jarfiles
The code signing certificate for signing jar files expires March 14, 2021.
Internal testing with dates beyond the expiration date showed no side
effects on starting and running SEAS. However, the Webstart GUI would reject
jar files after the expiration date of the signing certificate.

Workaround: Use the bin/startGUI.sh script to invoke the SEAS GUI in an X11
session.

Resolution: Now sign all jars with an IBM jar signing certificate which
expires in 2031.

MFT-12001/IT37433 - Lost connection to EA server error during high load
During high load when using the XAPI custom exit for authentication through
B2Bi, the connection to SI intermittently took too long (6 minutes). This
caused SSP to think that SEAS was unresponsive 1 minute later and it took
the adapter down:
    SSP0361E Stopping listener for adapter xxx: !Lost connection to EA server
The connection timeout parm in the XAPI exit was not being passed correctly
to the HttpClient toolkit.
The default connTimeout is 30 seconds which would have allowed the
connection to fail and retry before SSP timed its connection out.

Resolution: Correctly pass the connection timeout parm in the custom XAPI
exit to the HttpClient toolkit.

SEAS-1547/ADV0027664 - Upgrade httpcomponents-client to 4.5.13
An internal scan suggested a newer version of the httpcomponents-client
toolkit. Upgraded to the 4.5.13 version of the httpcomponents-client
toolkit. This also fixes several serialization and URL processing issues.
See https://www.ibm.com/support/pages/node/6471615 for the Security Bulletin.

SEAS-1549/ADV0031888 - Resource leakage vulnerability found in scan
An internal scan revealed that resources were not being closed properly in
all circumstances, resulting in memory leakage.

Resolution: Now close the resources properly to avoid the memory issues.
See https://www.ibm.com/support/pages/node/6471615 for the Security Bulletin.

SEAS-1589/ADV0031827 - Upgrade Eclipse Jetty to 9.4.41
An internal scan suggested a newer version of the Jetty toolkit.

Resolution: Upgraded the Jetty toolkit to the 9.4.41 level.
See https://www.ibm.com/support/pages/node/6471615 for the Security Bulletin.

SEAS-1604/ - startSeas.bat in SEAS2432 has wrong service name
When starting SEAS2432 using the startSeas.bat on Windows, it used a service
name of SEAS_V6.0.0.0.

Resolution: Corrected the startSeas.bat to use a service name of
SEAS_V2.4.3.2.

SEAS-1612 - Improperly handled clientConnectionException during SSL Handshake
The SEAS GUI client was failing to make a TLS/SSL connection when the
default protocol was not set to TLSv1.2 because a ClientConnectionException
was not being handled properly.

Resolution: Added logic to handle the ClientConnectionException properly so
that the retry logic for the connection may kick in.