================================================================================ Fixlist for Sterling Secure Proxy SSP3432 (3.4.3.0 Fixpack 2) iFix 13 Includes HIPER fix for Log4j CVE-2021-44228 December 2021 ================================================================================ This cumulative maintenance iFix includes the GA release of SSP Engine and SSP Configuration Manager 3.4.3.0 Fixpack 2 (SSP3432) as well as the fixes for the issues mentioned below. The install images for the SSP Engine, CM and PS may be used to install a new image or upgrade an existing image in place. Contents: I. HIPER fixes / Fixes requiring Action by iFix II. Summary of Fixes by iFix/Build (Latest iFix / Builds first) III. Detailed Description of Fixes =============================================================================== I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action =============================================================================== ACTION/HIPER - All Customers are urged to move to the TLSv1.2 security protocol, and eliminate TLSv1 and TLSv1.1 connections. Future releases of the IBM JRE 8 will disable TLSv1 and TLSv1.1 by default. ACTION - iFix images for HP, Solaris, and zLinux(s390) will no longer be placed on Fix Central. Contact Support if you need an iFix loaded to EcuRep. ACTION - It is a good practice to take a full backup of the install directory before putting on a new build. In SSP3432 (3.4.3.0 Fixpack 2) iFix 13 (December 2021): HIPER - ADV0040089 - Log4j CVE-2021-44228 JNDILookup issue See MFT-12762/ADV0040089 for details. In SSP3432 (3.4.3.0 Fixpack 2) iFix 12 (August 2021): HIPER - Addressed various security advisories (links to security bulletins under fix descriptions): ADV0028445 - Oracle Java Oct 2020 CPU deferred CVE ADV0029859 - Oracle Java Jan 2021 CPU ADV0031846 - Risky cryptographic algorithm vulnerability ADV0031847 - Hard-coded secrets vulnerability ADV0031848 - Weak hash vulnerability ACTION: For this iFix, the TLSv1 and TLSv1.1 protocols continue to be allowed. In the next iFix, they will be disabled by default. Customers should change all TLS connections to use the TLSv1.2 protocol. In SSP3432 (3.4.3.0 Fixpack 2) iFix 11 (June 2021): HIPER - Addressed various security advisories (links to security bulletins under fix descriptions): ADV0027664 - Upgrade httpcomponents-client tooolkit ADV0031827 - Upgrade Eclipse Jetty toolkit ADV0031888 - Resource leakage In SSP3432 (3.4.3.0 Fixpack 2) iFix 10 Plus (March 2021): HIPER - Updated code signing certificate for signing jarfiles. See SSP-4965. In SSP3432 (3.4.3.0 Fixpack 2) iFix 10 Plus (March 2021): HIPER - Revert to older Maverick SFTP toolkit to alleviate hangs during uploading and downloading of files. See MFT-11830 for details. In SSP3432 (3.4.3.0 Fixpack 2) iFix 10 Plus (January 2021): HIPER - New Jetty keeps SSPCM from coming up if multiple keycerts are detected - See MFT-11742 In SSP3432 (3.4.3.0 Fixpack 2) iFix 10 (January 2021): HIPER - Update JRE 1.8 to SR6 FP15 (8.0.6.15) for security patches - See PSIRT ADV0026225 for more details. HIPER - Address vulnerability in Eclipse Jetty toolkit. See ADV0028030. HIPER - Address vulnerability in Apache ActiveMQ toolkit. See ADV0027000. In SSP3432 (3.4.3.0 Fixpack 2) iFix 9 (September 2020): HIPER - Address vulnerability in Apache Commons Codec toolkit. See ADV0025470 In SSP3432 (3.4.3.0 Fixpack 2) iFix 8 Plus Build 389 (September 2020): HIPER - Upgraded Maverick SSH toolkits to the 1.7.32 level for thread deadlock and OutOfMemory issues. See MFT-11273 for details. ACTION: SFTP key sizes, both yours and your trading partners, MUST be 1024 bits or higher. Ensure that key sizes are adequate before migrating to production. See MFT-11273 for details. In SSP3432 (3.4.3.0 Fixpack 2) iFix 8 (July 2020): ACTION: An Engine and any remote Perimeter Servers associated with its ACTION: adapters must be upgraded to the 3432 iFix 8 level at the same time ACTION: to keep their PS code in sync. Otherwise the adapters will fail to ACTION: start with "Unable to connect to remote perimeter server..." ACTION: See SSP-3966 for details. HIPER - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches - See PSIRTs ADV0021791 and ADV0023736 for more details. HIPER - Missing secure attribute in encrypted session (SSL) cookie - See SSP-3793 (PSIRT ADV0022033) for more details. HIPER - XML External Entity (XXE) vulnerability in SSP - See SSP-4323 (PSIRT ADV0023731 for more details. In SSP3432 (3.4.3.0 Fixpack 2) iFix 7 (March 2020): HIPER - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches - See PSIRT21787 for more details. In SSP3432 (3.4.3.0 Fixpack 2) iFix 6 (October 2019): HIPER - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches - See PSIRT17288 for more details. HIPER - Possible vulnerability in Jetty server. See PSIRT16274, PSIRT16318 In SSP3432 (3.4.3.0 Fixpack 2) iFix 5 Plus (August 2019): ACTION - SSP can run out of threads if SEAS goes down and the SFTP adapter does not have failover coded. See MFT-10402 In SSP3432 (3.4.3.0 Fixpack 2) iFix 5 (June 2019): ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) disables anon and null cipher suites and includes a new parm for distrusting CAs. For more information, see the writeup below for PSIRT15330. In SSP3432 (3.4.3.0 Fixpack 2) iFix 4 (February 2019): HIPER - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for security patches - See PSIRT12959 and PSIRT13809 for more details. In SSP3432 (3.4.3.0 Fixpack 2) iFix 3 (December 2018): HIPER - Possible vulnerability in Jetty server. See PSIRT12571/SSP-30410 HIPER - Possible vulnerability in Apache Active MQ. See PSIRT13307/SSP-3070 In SSP3432 (3.4.3.0 Fixpack 2) iFix 2 (August 2018): HIPER - HTTP adapter issues when upgrading to B2Bi (SI) 6.0. Requires upgrade to SSP3432 iFix 2 - See SSP-3036 for details HIPER - Update JRE 1.8 to SR5 FP17 (8.0.5.17) for security patches - See PSIRT11819 for more details. In SSP3432 (3.4.3.0 Fixpack 2) iFix 1 (May 2018): HIPER - Update JRE 1.8 to SR5 FP10 (8.0.5.10) for security patches - See PSIRT10955 for more details. In SSP3432 (3.4.3.0 Fixpack 2) (March 2018): HIPER - SSP/SEAS code signing certificate expires June 21, 2018. Upgrade SEAS before that date to keep the SEAS Webstart GUI running. See RTC565487. In SSP3430 iFix 5 Plus (January 2018): HIPER - Possible vulnerability in Apache Commons Fileupload toolkit. See PSIRT10042. ACTION - If you have any customizations to the log4j property files, you must retrofit them after the upgrade. See RTC557073. ACTION - The default SSP Factory Certificate, expired on December 1, 2017. See RTC541553 if you have not replaced it yet ACTION - If REST imports fail due to XSD validation, see RTC557986 for a way to turn off XSD validation temporarily In SSP3430 iFix 5 (October 2017): HIPER - Update JRE 1.8 to SR4 FP10 (8.0.4.10) for security patches - See PSIRT9227 ACTION - Allow adding/manipulating HTTP headers from backend servers to front end browsers. See RTC552273. In SSP3430 iFix 4 Plus (Sept 2017): HIPER - SSP login portal pages do not get displayed properly in Chrome in SSP 343 ifix4 plus builds (160-165) see RTC550968/RTC546604 for details. ACTION - Add the two following properties in SSP CM GUI HTTP Proxy Adapter Properties to bypass sending these headers: Content-Security-Policy.override = ignore X-Content-Type-Options.override = ignore Later version SSP 343 ifix4 plus build 166 bypasses these two headers by default and no need to add the above properties. In SSP3430 iFix 4 Plus (June 2017): HIPER - EAProxy deadlock due to method serialization - see RTC538773 ACTION - If you use third party monitoring tools to monitor SSP or SEAS, please see RTC542640 for info on world-writable files. In SSP3430 iFix 4 (April 2017): HIPER - Upgrade to Java 1.8 for Java January 2017 security fixes ACTION - Java 1.8 will not install on Redhat 5. See RTC533801 for details ACTION - Java.security file disables Triple-DES (3DES-CBC) and DES ciphers. See RTC533801 for details In SSP3430 iFix 3 Plus (March 2017): HIPER - FTPS client connects, but LIST command delayed. See IT19026 HIPER - SFTP adapter won't come up when HSM is enabled. See IT19491 Action - Allow client-only certificates for CD server authentication. See IT19443 if you need to configure this differently. In SSP3430 iFix 3 (January 2017): HIPER - FTPS data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3 - See RTC517058 for details. HIPER - Deadlock/hang in failover code - See RTC516359 for details HIPER - CD failures after upgrade to SSP3420 iFix 9 or SSP3430 iFix 2 - See RTC524219 for details and workaround HIPER - 100% CPU in Maverick toolkit after a few days - See RTC524897 In SSP3430 iFix 2 (December 2016): HIPER - See IT17228 for information on the upgrade to IBM JRE 1.7 SR9FP50 for the latest Java security patches in the CM, Engine and PS. HIPER - See "PSIRT 5869" for security patch related to commons-fileupload-1.3.2.jar HIPER - Thousands of sockets in TIME_WAIT when JMS listener down - See RTC522699 HIPER - System outage with too many open file handles - see RTC517621 Action - Allow server only certificates for CD client authentication. See IT18066 if you need to configure this differently. Action - Ability to externalize delay for CD HttpPingResponse. See IT18178 for details. Action - See IT15063 for information on configuring the SFTP rekey counts In SSP3430 iFix 1 (July 2016): Action - JRE upgrade turns off SSLv3 support by default - see IT07375 HIPER - CD Adapter failures causing high CPU - See RTC496962 Action - SFTP Hashmacs hmac-sha256 and hmac-sha512 renamed to hmac-sha2-256 and hmac-sha2-512, respectively. See RTC492052 for details =============================================================================== II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first) Fixes are marked as Engine and CM (Configuration Manager) =============================================================================== =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 13 Build 440 Dec 2021 MFT-12762/ADV0040089 (CM/Engine) - Log4j CVE-2021-44228 JNDILookup issue SSP-5698/ (CM, Engine) - SSL debug output not going to systemout.log =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 12 Plus Build 436 Sep 2021 SSP-4956/ADV0028445 (CM,Engine) - IBM JRE 8.0.6.30 for Solaris and HP =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 12 Build 433 Aug 2021 SSP-4956/ADV0028445 (CM,Engine) - Oracle Java Oct 2020 CPU deferred CVE SSP-5012/ADV0031846 (CM,Engine) - Risky cryptographic algorithm vulnerability SSP-5016/ADV0031847 (CM,Engine) - Hard-coded secrets vulnerability SSP-5080/ADV0031848 (CM,Engine) - Weak hash vulnerability SSP-5093/ADV0029859 (CM,Engine) - Oracle Java Jan 2021 CPU SSP-5116/IJ33416 (Engine) - CD TLSv1 sessions fail with "SSLv2Hello is not enabled" in new IBM JRE 8.0.6.25 =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 11 Build 429 Jun 2021 o New with SP 3.4.3.2 iFix 11: - Addressed various security advisories (see defects with ADV00* below) MFT-11853/IT36501 (Engine) - Invalid Eyecatcher exception in logs SSP-4714/ (CM) - SSPCM Fresh install gets ERROR on Solaris SSP-4986/ (CM) - Unable to update webCiphers with ConfigureCmSslTool SSP-5021/ADV0031888 (CM) - Resource leakage vulnerability found in scan SSP-5022/ADV0027664 (CM,Engine) - Upgrade httpcomponents-client to 4.5.13 SSP-5077/ADV0031827 (CM,Engine) - Upgrade Eclipse Jetty to 9.4.41 SSP-5096/ (CM) - Keystore and Truststore passwords dumped in =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 10 Plus Build 418 Mar 2021 SSP-4965/ (CM,Engine) - Updated code signing certificate for signing jarfiles =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 10 Plus Build 414 Mar 2021 MFT-11830/IT36115 (Engine) - SFTP transfers stall with Maverick 1.7.32 =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 10 Plus Build 413 Jan 2021 MFT-11683/IT35628 (Engine) - SFTP disconnects when >500 files in a mailbox MFT-11742/IT35559 (CM) - Jetty failure at CM startup after upgrade to iFix 03 =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 10 Build 411 Jan 2021 MFT-11467/IT34992 (Engine) - Problem with HTML rewrite - connection close SSP-4706/ADV0026225 - Upgrade IBM JRE to 8.0.6.15 level for security patches SSP-4710/ADV0027000 (Engine) - Upgrade Apache ActiveMQ to 5.16 for security patches SSP-4812/ADV0028030 (Engine,CM) - Update Jetty toolkit to 9.4.34 for security patches =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 09 Plus Build 394 Nov 2020 MFT-11238/IT34624 (Engine) - (SFTP) Negative message length SshException for DATA packet from non-standard server MFT-11309/IT34732 (Engine) - (SFTP) SSE2640 sshd channel closing when local window size goes below 32k SSP-4799/ (Engine,CM) - Allow configurable window and packet size limits for SFTP. =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 09 Build 393 Sep 2020 SSP-4640/ (CM,Engine) - Vulnerability in Apache Commons Codec =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 08 Plus Build 389 Sep 2020 MFT-11273/IT33922 (Engine) - JVM thread deadlocks in Maverick code; OutOfMemory during large SFTP download =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 08 Plus Build 388 Aug 2020 MFT-11130/IT33879 (Engine) - Intermittent requests to SEAS timing out MFT-11139/IT33786 (Engine) - During load testing, SEAS shows ERROR "AUTH037E Authentication request missing password." =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 08 Build 378 Jul 2020 MFT-11042/ (Engine,PS) - Getting IOException: Too many open files SSP-3793/ (CM) - Missing secure attribute in encrypted session (SSL) cookie SSP-3966/ (Engine,PS) - Upgrade Perimeter Server code to same as B2Bi 6.0.3.2 SSP-4323/SEAS-1233 (Engine) - XML External Entity (XXE) vulnerability in SSP SSP-4310/SSP-4445 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches. =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 07 Plus Build 376 Jun 2020 MFT-11200/IT33098 (Engine) - NPE in Maverick logs =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 07 Plus Build 370 Apr 2020 MFT-11018/ (CM,Engine) - Support for diffie-hellman-group14-sha256 in SSP3432 =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 07 Plus Build 368 Apr 2020 MFT-10959/IT32191 (CM) - (GUI) Unable to update keystore with certain PFX keys. PEM format works MFT-10995/IT32374 (Engine) - SFTP adapter deadlock in failover code =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 07 Build 365 Mar 2020 MFT-10903/IT32096 (CM,Engine) - configureCmSsl and configureEngineSsl not adding certificate chain to cmtrustore or truststore SSP-4236/PSIRT21787 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches. SSP-4223/ (Engine) - Excessive logging on idle SFTP adapter =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 06 Plus Build 364 Feb 2020 MFT-10887/ (CM,Engine,PS,SEAS) - GPF in SSP engine MFT-10904/ (CM,Engine,PS,SEAS) - GPF in SSP engine SSP-3771/ (CM) - Updates to make CM logging more readable =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 06 Plus Build 362 Feb 2020 MFT-10765/IT31672 (CM) - 6.0.0.1F1 with Client Auth not working with SAN certs, getting ERR_BAD_SSL_CLIENT_AUTH_CERT MFT-10853/IT31763 (CM) - (GUI) SSPcm user binds to LDAP twice with SEAS for single login =============================================================================== Summary of Fixes for SSP3432 (3430 Fixpack 2) iFix 06 Plus Build 361 Jan 2020 MFT-10774/IT31439 (Engine) - (CD) CSP032E 4 KQV keyword "RLS2" found in FM70, but not defined in XML schema definition =============================================================================== Summary of Fixes for SSP3432 (3.4.3.0 Fixpack 2) iFix 06 Plus Build 359 December 2019 MFT-10762/IT31135 (Engine) (CD) SSP incorrectly logs stepname of run task and run job C:D process steps =============================================================================== Summary of Fixes for SSP3432 (3.4.3.0 Fixpack 2) iFix 06 Plus Build 353 November 2019 MFT-10704/IT31049 (Engine) Engine audit logs contain hashed passwords =============================================================================== Summary of Fixes for SSP3432 (3.4.3.0 Fixpack 2) iFix 06 Plus Build 349 November 2019 MFT-10692/IT30823 (CM) (FTP) EPSV command giving wrong response =============================================================================== Summary of Fixes for SSP3432 (3.4.3.0 Fixpack 2) iFix 06 Plus Build 348 October 2019 MFT-10616/IT30591 (CM) REST API fails with "The processing instruction target matching "[xX][mM][lL]" is not allowed" MFT-10656/IT30692 (CM) SSPCM “Enable SSP CM startup backup” field in CM System settings has no effect =============================================================================== Summary of Fixes for SSP3432 (3.4.3.0 Fixpack 2) iFix 06 Build 341 October 2019 MFT-10357/PSIRT16274,16318 (Engine,CM) - Security upgrade to Jetty 9.4.20 MFT-10578/PSIRT17288 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches. MFT-10608/IT30643 (Engine) - (SFTP) Added client ciphers as well as negotiated ciphers in logging. =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 05 Plus Build 331 September 2019 MFT-10485/IT30344 (Engine) - (SFTP) OutOfMemoryError "Java heap space" crash MFT-10541/IT30346 (CM) - (RESTAPI) userStore API update throwing exception on CLI. =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 05 Plus Build 325 September 2019 MFT-10483/IT30076 (CM) - RESTAPI activity leads to OutOfMemory (OOM) full of AuthenticationResource, JMS objects SSP-3530/ (CM) - Rest API issues when importing from older CM =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 05 Plus Build 319 August 2019 MFT-10402/IT30050 (Engine) - *HIPER* (SFTP) OutOfMemory (out of threads) when SEAS goes down with no failover coded MFT-10444/IT29840 (CM) - RESTAPI fails if CM user defined to use external authentication MFT-10451/IT30080 (CM) - CM GUI presents factory cert instead of common =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 05 Plus Build 314 July 2019 MFT-10422/IT29819 (Engine) - (HSM) FTPS data channel hangs during SSL handshake with HSM enabled SSP-3771/ - Add direction arrows ===> for readability in FTP logs =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 05 Plus Build 311 July 2019 MFT-10207/IT29589 (Engine) - (HTTP) Getting myFileGateway "Session expired" popup using passthrough authentication =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 05 Build 308 June 2019 MFT-10242/PSIRT15330 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches. =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 04 Plus Build 306 June 2019 SSP-3698/ (Engine) - Adapter and netmap logs going to secureproxy.log instead, missing log files =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 04 Plus Build 302 May 2019 MFT-9915/IT29131 (Engine) - Memory leak in logging area causes OutOfMemory MFT-10325/IT29109 (CM) - RESTAPI Issues with importing keyDefEntries. MFT-10341/IT29130 (Engine) - (HTTP) Directory traversal issue MFT-10368/IT29310 (Engine) - SSP Nodes getting into deadlock state MFT-10382/IT29278 (PS) - More Secure PS (MSPS) scripts on Windows have wrong service name SSP-3561/ (Engine) - HSM IBMPKCS11 sample config files SSP-3597/ (Engine,CM,PS) - InstallAnywhere 2018 upgrade =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 04 Plus Build 295 May 2019 MFT-10206/IT28929 (CM) - Problem with SSPcm certificate renewal process MFT-10241/IT28986 (CM) - SSPRestAPI fails with SNI handshake from client MFT-10250/IT29018 (Engine) - OutOfMemory during SFTP transfer after upgrade MFT-10257/IT28968 (Engine, CM) - Sporadic loss of data during bulk transfer of multiple files via Filezilla FTP client SSP-3660/ (Engine) - Add limit to number of data buffers being cached in FTP =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 04 Plus Build 291 April 2019 SSP-3023/RTC569696 (CM,Engine) - (SFTP) Upgrade Maverick to latest 1.7.xx for additional ciphers =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 04 Plus Build 289 April 2019 MFT-10219/IT28683 (Engine) - (SFTP) All SFTP clients timing out connecting to back end SFTP adapters =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 04 Plus Build 287 March 2019 MFT-9906/IT28592 (Engine) - (HSM,CD) Intermittent timeout during SSL handshake MFT-9976/IT28591 (Engine) - (HSM,CD) Unable to open HSM keystore during SSL Handshake MFT-10218/IT28554 (Engine) - SSP sending FTP STOR command multiple times, leading to '451 - session in inconsistent state' SSP-3446/ (CM) - Adapters in SSP CM monitor screen out of order =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 04 Build 282 February 2019 MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending with * PSIRT12959, (Engine,CM,PS) - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for PSIRT13809 security patches. =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 03 Plus Build 280 February 2019 MFT-10089/IT27917 (Engine) - (SFTP) With FIPS_MODE = True in the security.properties file, SFTP connections fail MFT-10129/IT27075 (Engine) - (HTTP) Failures in HTTP adapters after SSP upgrade to version 3.4.3.2 iFix 3) =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 03 Plus Build 278 January 2019 MFT-10029/IT27654 (Engine) - (HTTP) SSP Change Password Policy link not working correctly MFT-10035/IT27649 (Engine) - (CD) Routing type "PNODE_Specified, and then Standard (mixed)" fails to route to standard snode. =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 03 Build 274 December 2018 MFT-9898/IT26763 (Engine) - (HTTP) Userid included in URL query string parameter during password change MFT-9981/IT27055 (Engine) - (FTP) Password prompt not retrying if SEAS auth fails SSP-3229/ (Engine) - (SEAS) Support for OpenDJ LDAP server PSIRT12571 (Engine,CM) - Upgrade SSP to Jetty 9.4.12 (See MFT-3041) PSIRT13307 (Engine,CM) - Update SSP to Apache Active MQ 5.15.6 (See SSP-3070) =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 268 November 2018 MFT-10004/IT27002 (Engine) - (SFTP) Unable to upload files > 32k SSP-3234 (CM,Engine) - Correct missing ActiveMQ lib =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 266 November 2018 MFT-9975/IT26788 (Engine) - (CM) Adding cipher suite to External Auth definition gets System Error SSP-3233 (Engine) - (HTTP) NPE in SSO portal after Jetty upgrade =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 263 October 2018 MFT-9902/IT26640 (Engine) - (HTTP) Error messages in log after successful transfer. MFT-9946/IT26632 (Engine) - (CD) Alternate node in netmap not called unless specified with ip/port. MFT-9961/IT26631 (Engine,CM) - (SFTP) Intermittent SignatureException SSP-3041 (Engine,CM) - Upgrade SSP to Jetty 9.4.12 SSP-3070 (Engine,CM) - Update SSP to Apache Active MQ 5.15.6 =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 257 October 2018 MFT-9835/IT26615 (Engine) - (CD) Timeout during FASP Close at end of large transfer. =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Plus Build 256 September 2018 MFT-9925/IT26416 (Engine) - Allow Customer to override minimum DH Exchange key sizes =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 02 Build 255 August 2018 No Defect/ (Engine) - (CD) CSV057E missing values Z15R, DDTY, DDTS RTC572605/IT25899 (Engine) - (CD) Upper and lower case node logs not created SSP-3036/ (Engine) - (HTTP) B2Bi 6.0 rejecting HTTP requests with "400 Bad Message" error PSIRT11819 (CM,Engine,PS) - Update JRE 1.8 to SR5 FP17 (8.0.5.17) =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 01 Plus Build 249 August 2018 RTC572142/DT001321 (Engine) - (FTPS) Customers on slow line getting 226 Transfer Complete on the Control Channel prior to all data sent RTC572554/IT26062 (CM) - (CM) ./manageKeyCerts.sh fails when admin user defined in SEAS =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 01 Plus Build 246 July 2018 RTC569857/ (CM) - (CM) Improve messages for xml parsing exceptions RTC571371/IT25695 (CM) - (REST) Failure to add a new node to a netmap when an existing node has problems in its configuration =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 01 Plus Build 244 July 2018 RTC566675/IT25694 (Engine,PS) - (CD) Large FASP Transfers (5GB) are failing with broken pipe RTC566772/IT25294 (Engine) - (SFTP) Users unable to logon using "key and password" policy (session limit exceeded) RTC568408/ (Engine) - (HTTP) Limit userid/password fields to 256 characters RTC570690/ (CM) - IBM Metric tools cannot detect SSPCM =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 01 Build 237 May 2018 RTC567296/ (Engine) - (SFTP) resetting failed login attempt count even when one of the auth fails RTC567354/IT24987 (CM) - (Install) Getting non-fatal stackOverflowExceptions in log of SILENT install of SSPcm PSIRT10955/10418 (Engine, CM, PS) - Update JRE 1.8 to SR5 FP10 (8.0.5.10) =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 00 Plus Build 235 May 2018 RTC561821/IT24660 (Engine) - (SFTP) Password prompted after key auth failed when "key and password" auth policy is used RTC566007 (CM, Engine, PS) - (HSM) SSP crashes with HSM enabled =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 00 Plus Build 234 May 2018 RTC566450/IT24790 (CM, Engine) - (SFTP) Remove the twofish* and cast* ciphers RTC566512/IT24843 (CM, Engine) - (FTPS) Add missing ciphers to FIPS list RTC567232/IT24869 (Engine) - (CD) SSL Protocol missing from CSP007I and SSP0240I messages RTC568078/IT24967 (Engine) - (CD) HSM retargeted keys get java.security.UnrecoverableKeyException - DER input not an octet string RTC568515/IT25039 (Engine) - (CD) Unable to access HSM key referenced from non-default keystore =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432) iFix 00 Plus Build 229 April 2018 RTC563781/IT24842 (Engine) - (HTTP) malformed upload causes hung state RTC564157/internal (CM) - IPV4 and IPV6 addresses not screened properly RTC564992/ (CM) - (Install) SSPCM fails to start after upgrade if "admin" id previously deleted. RTC566337/IT24733 (Engine) - (SFTP) Adapter will not start in FIPS mode =============================================================================== Summary of Fixes for SSP 3.4.3.0 Fixpack 2 (SSP3432 GA) Build 222 (March 2018) RFE547267/ (CM) - Enhancement - Ability to disallow concurrent SSP CM sessions RTC548827/ (CM,Engine) - IPv6 support for SSP and SEAS RTC561952/ (CM) - (CM) - Authentication Bypass Using HTTP Verb Tampering RTC563014/IT24648 (Engine) - SSP not failing back to primary SEAS server RTC563311/IT24440 (Engine) - (SFTP) Client receives password prompt when netmap using a sftpPolicy set to KEY only RTC563547/IT24449 (Engine) - (HTTP) Not encoding url correctly when SSP redirects to an external login page RTC564833/ (CM) - (CM) AppScan - Stack trace in the response body RTC565487/ (CM,Engine) - SSP/SEAS code signing certificate expires June 21, 2018 =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 5 Plus Build 208 (March 2018) RTC104091/ (Engine) - (CD) Let PS (local or remote) do DNS resolution RTC458227/ (Engine) - Update the inbound Reverse DNS Lookup message with the hostname for better diagnostics RTC521499/ (CM) - (RESTAPI) HTTP Netmap import failing without truststore even though no client authentication RTC560800/IT24125 (Engine) - (CD) CSP057E KQV keyword "FSOK" found in FM71, but not defined in XML schema definition RFE547267/ (CM) - (GUI,RESTAPI) Update sysGlobals.xsd with allowMultipleSessionsPerUser tag RTC558982/IT24252 (CM) - (CM) NPE importing keycert with comma, asterisk or exclamation mark in password. RTC561255/IT24036 (Engine) - (CD) Unable to use Secure+ with Wild Card Nodename feature - %DEFAULT_NODE RTC561382/IT24037 (CM) - (GUI,RESTAPI) Importing multiple certificates into the truststore. RTC561603/IT24112 (CM) - (CM) GUI listing AES ciphers for SSLv3 protocol RTC562430/(Enh) (CM) - (CM) Enhancement to improve listing of certificates to include chains and pkcs12 RTC562623/IT24251 (Engine) - (SFTP) logoff messages with every load balancer ping. RTC563309/IT24246 (CM) - (RESTAPI) Unable to add HMAC values that are available in the SSPcm UI RTC563378/IT24253 (Engine) - (CD) Allow suppressing content length header in http health check ping response =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 5 Plus Build 202 (January 2018) PSIRT10042/IT23654 (CM) - (CM) Possible vulnerability in Apache Commons Fileupload toolkit RTC556199/IT23554 (CM/Engine) - (HSM) SSP import replace in HSM fails if key with same alias already exists in HSM RTC557073/IT23495 (Engine,CM) - (Install) Engine fails to start after upgrading from pre-SSP3420 RTC557173/IT23483 (Engine,CM) - (PeSIT) Add TLSv1.1 and 1.2 protocols RTC557986/IT23827 (CM) - (REST) API responds with 200/OK on invalid netmap XML input RTC559115/IT23828 (PS) - (Install) Install failed - "CIP_List is not set" when interface not found RTC559657/IT23829 (CM) - (REST) Distinguish in CM logs between REST API and CM GUI configuration updates =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 5 Plus Build 194 (December 2017) RTC550295/IT23475 (PS) - (PS) Perimeter Services Messages ALWAYS getting logged only under DEBUG RTC551786/IT23476 (Engine) - (SFTP) Updated Maverick to SSHD 1.6.41, J2SSH 1.6.34 RTC554088/IT23494 (Engine) - (FTPS) Support EPSV and EPRT commands RTC556393/ (Engine) - (CD) Improve SSP logging for XDR keyword error RTC556544/ (CM) - (REST) Improve console output for sspRestAPI script when connection cannot be made. =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 5 Plus Build 190 (November 2017) RTC497412/ (Engine) - Inbound FTPS fails when client cert has server flag RTC503335/ (Engine) - (CD) Logging improvements for Certificate issues RTC507936/ (Engine, CM) - (Install) Unpredictable install directory when backspace settings not set correctly RTC522918/ (Engine) - (CD) Include content-length header in CD Health check ping response RTC553906/ (Engine) - (HTTP) 'must change password' does not work if browser makes favicon request RTC554173/IT23167 (CM) - (CM) scripts not honoring the TLS protocol version from CM security System Settings RTC554225/ (CM) - (CM) Poor error message when importing expired certificate RTC555530/ (Engine) - (SFTP) log showing parameter place holders: {1} =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 5 Build 187 (October 2017) PSIRT9227 (Engine, CM, PS) - Update JRE 1.8 to SR4 FP10 (8.0.4.10) RTC503335/ (Engine) - (CD) Improve certificate failure logging RTC503536/ (Engine) - (HTTP) Client is not receiving the 500 error message from SSO login failure RTC524639/ (Engine) - (SFTP) Bad format in one user auth key keeps RTC538332 adapters from coming up RTC528506/ (Engine,CM) - (Install) Remove/rename seas.log from CM, engine RTC548552/IT22537 (Engine) - (SFTP) Intermittent transfers through SSP show as an "ABORT" in SFG RTC550367/ (Engine) - (SEAS) Set correlator on EA failover ping request so it can be suppressed in EA log RTC552273/ (Engine) - (HTTP) Security Headers causing errors in rendering SSO HTTP proxy portal pages =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 184 (October 2017) RTC488587/ (PS) - (PS) Show SSP version/build at startup in PS log RTC552345/IT22825 (CM) - (CD,FTPS,HTTP) SHA2 and SHA3 Cipher Suites not available when selecting "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 168 (September 2017) RTC505548/ (Engine) - (CD) CM monitor shows CD adapter status as active, though the less secure remote PS is down. RTC546370/IT22549 (Engine) - (SFTP) One line password prompt not working RTC550068/IT22538 (Engine) - (SFTP) Leaving leftover sessions. RTC551227/IT22491 (Engine) - (CD) Avoid Perimeter race condition causing C:D z/OS error messages (SVTM091I and SVTM090I) =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 166 (September 2017) RTC528288 (CM) - (SFTP) Allow space char at end of password prompt RTC547559/IT22014 (CM) - (REST) Allow API to run concurrently, support better format for encrypted passwords RTC550113 (CM) - (CM) Error writing to UDP audit syslog when configuration change record exceeds 65k RTC550278/IT22371 (Engine) - (Pesit) Allow Pre-connection phase to be optional with TCP connections RTC550968 (Engine) - (HTTP) New headers cause problem with Chrome =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 160 (August 2017) RTC543000/IT21407 (Engine) - Option to roll over log files at midnight RTC546604/IT22033 (Engine) - (HTTP) SSP Engine needs to send HTTP security headers =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 156 (August 2017) RTC505365/ (CM) - (REST) Unable to create CM user using ExternalAUTH RTC542811/IT21439 (Engine) - (SFTP) problem with zlib compression - Windows RTC546159/IT21867 (Engine) - (SFTP) Error resuming a transfer =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 154 (July 2017) RTC535333/ (Engine,CM) - Data Collector updates RTC504499/ (Engine) - (CD) Common name (CN=) can be last entry in subject. RTC541553/ (CM,Engine) - Factory cert expiring December 1, 2017 RTC542811/IT21439 (Engine) - (SFTP) zlib compression is not working RTC544511/IT21482 (Engine,CM) - (CD,FTPS,HTTP) New protocol option for TLS1.0-1.2 only RTC544966/ (Engine) - (SFTP) Correct 5 second delay at the beginning of a session RTC545321/IT21567 (CM) - (REST) Password corruption on HTTPnetmap RTC545688/IT21592 (Engine) - (CD) Common name can contain comma RTC545903/IT21596 (Engine) - (REST) Error loading C:D Adapter with EA PS =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 146 (June 2017) RTC536410/ (Engine) - (SFTP) Spurious RejectedExecutionExceptions in log during load testing RTC537525/IT21212 (CM) - (CM) configureCmSsl script gets error - No supported private key marker found in PEM stream RTC542091/IT21139 (CM) - (CD) Include all ciphers for PNODE Controls RTC542503/IT21213 (CM) - (REST) Add more information to error message when importing SSH KeyDef RTC542640/IT21204 (CM,Engine,PS) - (Install) Turn off world-writable directories =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 139 (June 2017) RTC533345/ (Engine) - (CD) Session fails because "End user tried to act as a CA" RTC535517/IT20520 (Engine) - (CD) Error on first block when enabling data encryption RTC538591/IT20896 (CM) - (CM) Error accessing certificates in the trusted keystore after upgrade from 3.4.1.8 RTC538773/IT21115 (Engine) - (Failover) EAProxy deadlock due to method serialization RTC540861/IT21120 (PS) - (PS) Upgrade fails to replace JRE when jre directory is owned by another user/group =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Plus Build 135 (June 2017) RTC534483/IT20590 (Engine) - (SFTP) adapter policy (password+key) doesn't report failed logon attempts RTC536899/ (CM) - (REST) API import errors detected RTC536951/IT20749 (CM) - (CM) Hashed password display RTC537305/IT20816 (Engine) - (CD) SSP Engine OutOfMemory (OOM) exception when adapter gets out of sync with local PS RTC538758/IT20889 (Engine) - (SFTP) Avoid NPE when SFTP adapter shut down RTC539383/IT20879 (CM) - (CM) Unable to see the all trusted certificates in Netmap > Outbound > Security RTC540353/IT20845 (CM) - (REST) Import failed with ERROR SspCMConfigService - sysGlobalsDef Host required =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 4 Build 123 (April 2017) RTC528659/IT20207 (Engine) - (SFTP) SSP restarted due to OOM errors RTC533058/ (CM,Engine) - Shutdown scripts hang with JRE 1.8 on AIX RTC533482/IT20234 (Engine) - (CD) Transfers not working with SSLv3 RTC533801/ (CM,Engine,PS) - Upgrade to Java 1.8 for Java January 2017 security fixes RTC534665/IT20206 (Engine) - (CD) Invalid copy step causes NPE in validation RTC536506/IT20338 (Engine) - (SFTP) Maverick log getting numerous exceptions for each SFTP logoff. =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 115 (April 2017) RTC531365/IT19649 (CM) - (CM) Users unable to change password after upgrade RTC532854/IT19863 (CM) - (REST) API unable to use TLS1.2 to SSP CM Web RTC533580/ (CM) - (REST) unable to import exported configurations RTC533680/IT20027 (Engine) - (CD) RU size negotiated to 16259 when using Secure+ on one CD node and non-secure on the other. RTC533907/ (Engine,CM) - InstallAnywhere on Windows shows ERROR: Failure in the CopyJreLib step RTC534003/IT19950 (CM) - Error when executing configureCmSsl.sh RTC535210/ (Engine) - RAS Enhancement - Add new startEngine.log, switches for heap dumps and SSL debugging =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 112 (March 2017) RTC528702/IT19672 (CM,Engine) Install failure causes secure protocols to fail after upgrade RTC529443/IT19491 (Engine) - SFTP adapter won't come up when HSM is enabled. RTC529446/IT19332 (Engine) - Unable to use HSM keystore without password RTC529453 (CM) - Ship a separate security.properties for SSP CM RTC529530 (CM,Engine) (HSM) No longer ship setupHSM.bat or .sh and remove them if they exist. RTC530844/IT19443 (Engine) - (CD) Allow client-only certs in server authentication. RTC530859/IT19451 (Engine) - (CD) Accept "TLS" and change to "TLSv1" RTC531976/IT19734 (Engine) - SFTP sessions fail when HSM is enabled RTC532302/IT19647 (CM) - REST: Don't require truststore for http inbound node if client auth is not enabled =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 105 (February 2017) RTC525304/ (Engine) - Performance test fails for HTTPS and FTPS RTC527354/IT19159 (CM) - TLS1.2 is not negotiating when FIPS mode ON =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 104 (February 2017) RTC525694/IT18971 (CM) - Large certificate serial number appears incorrectly in SSPCM RTC527283/IT19153 (CM) - SSP 3.4.3 CM in Windows Uninstall shows Version 3.4.2.0; 'Help' points to v3.4.2 content =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 3 Plus Build 101 (February 2017) RTC524274/IT19027 (Engine) - (HSM) FTPS not working with HSM certificates after upgrading from 3.4.1.7 to 3.4.3 RTC525585/IT18998 (CM) - HTTP netmap logging level reset to NONE if Routing Node tab selected RTC527009/IT19026 (Engine) - FTPS client connects, but LIST command delayed RTC527355/ (CM,Engine) - SSP CM not PUSHing configured SSH Local User Keys to SSP Engine No Defect (Engine) - Additional KQV values for C:D FM71 - ZEDC =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 3 Build 99 (January 2017) RTC524897/IT18695 (Engine) - 100% CPU in Maverick toolkit after a few days RTC525887/ (Engine) - FTPS data channel hangs when CEU is back end RTC526163/ (Engine) - Avoid erroneous PASV response from server =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 2 Plus Build 94 (January 2017) RTC517058/IT17567 (Engine) - *HIPER* FTPS data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3. RTC525081/IT18698 (Engine) - Numerous Maverick NullPointerExceptions in systemout.log after SSP3420 iFix 9 RTC525909/ (Engine) - Error messages "peer not authenticated" in load test logs for C:D sessions RTC525956/ (Engine) - SFTP concurrency test produces number of NPEs =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 2 Plus Build 87 (December 2016) RTC516359/IT18163 (Engine) - Deadlock/hang in failover code RTC523287/IT18529 (Engine) - SEAS-Agent timeouts are hanging other SFTP Adapters including ones not dependent on SEAS RTC524219/IT18552 (Engine) - CD failures after upgrade from SSP3418 to SSP3430 iFix 2 =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 2 Build 83 (December 2016) RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the sftp_rekeycount limit in the adapter. RTC523578/ (Engine) - (HSM) CD Protocol unable to use keycert in HSM =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 81 (December 2016) RTC512573/IT18260 (Engine) - HTTP connections fail with SSE0102E secure connection failures after upgrade to SSP 3.4.2 RTC518916/IT18164 (Engine) - CD "PNODE Host controls SSL Protocol" netmap setting fails in some circumstances RTC519253/IT18066 (Engine) - (CD) Allow server only certificates for client authentication RTC519510/IT18176 (CM,Engine) - Do not enforce common name checking if CD client authentication not turned on RTC520046/IT17985 (CM) - Unable to use a custom channel name in the JMS configuration RTC520758/IT18178 (CM) - Externalize delay for CD HttpPingResponse. RTC521075/IT18187 (CM) - 2 special characters in CM password when special characters required RTC521835/IT18266 (Engine) - (HSM) SecureRandom failure using HSM with CD RTC522699/IT18216 (CM) - Thousands of sockets in TIME_WAIT when JMS listener down =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 75 (November 2016) RTC508303/ (Engine) - CDzOS via SSP produces XXDR021I in CD Windows statistics. RTC513451/IT17846 (CM,Engine) - Updated to use Maverick sshd 1.6.27, j2ssh 1.6.23 RTC514315/IT17373 (CM) - Import of CA trusted file with multiple CA Certs gets corrupted RTC517621/IT17983 (Engine,PS) - Too many open file handles lsof output “can't identify protocol” entries RTC519864/IT17988 (Engine) - 2 ciphers missing from supported ciphersuites list RTC519966/IT18001 (CM) - Admin user can't be deleted in SSPCM Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 69 (October 2016) No Defect/IT17228 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR9FP50 for latest security patches PSIRT 5869 (CM) - Updated to use commons-fileupload-1.3.2.jar RTC496054/ (CM) - Error messages found in installation and CMS logs for both Engine and CM. RTC493866/IT14117 (Engine) - (PS) Too many fast wakeups in perimeter.log RTC508898/ (Engine) - (CD) With CHECKPOINT and FASP=SSP; SUSPEND hangs session RTC508901/ (Engine) - (CD) Submit process on Snode using FASP does not end session gracefully RTC510635/IT16815 (Engine) - (HSM) Certificates causing SSP0229E Exception Securing connection or Sending data, java.lang.NoClassDefFoundError - com.sterlingcommerce.security.util.SCIHSMManager RTC511154/IT16980 (Engine) - (CD) C:D adapter fails to send "Http Ping Response" string consistently RTC511666/IT17151 (CM) - Unable to invoke iKeyman bundled with SSP on Solaris 10 with error: "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman" RTC511903/IT17121 (Engine) - (SFTP) Slow upload speed via SSP on Solaris RTC511928/IT17359 (CM) - (HSM) Cannot delete old certificates in the CM HSM Keys list after upgrade RTC513206/IT17358 (CM) - SSPCM allows the password change step to be bypassed RTC513984/ (Engine, - Enhancement to allow silent Installs for SSP, CM, PS) SSPCM, PS and SEAS RTC516459/IT17419 (CM) - The manageCSRs.sh script gets a NullPointerException when attempting to create a CSR Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 47 (August 2016) RTC502863/IT16819 (CM,Eng) - (SFTP) Support hmac-sha256 & hmac-sha256@ssh.com RTC504898/IT16824 (CM) - (REST) XMLSchemas for Import RESTAPI Requests RTC505522/IT16713 (Engine) - (FTP/S) Enabling CCC causes transfers to fail RTC508526/IT16700 (CM) - Allow CM Admin to control locked account msgs RTC509062/IT16642 (PS) - (PS) Install issues with Windows service names RTC510313/IT16560 (CM,Eng) - (SFTP) Allow buffer lengths greater than 128K RTC510634/IT16823 (Engine) - (SFTP) SCP presents a RC 1 after successful GET RTC511478/RFE511476 (CM,Eng)- (SFTP) Force one line password prompt Summary of Fixes for SSP 3.4.3.0 iFix 1 Plus Build 34 (August 2016) RTC507008/IT16396 (Engine) - (CD) Memory usage increases and process slowdown with C:D wildcard copies. RTC508872/IT16456 (Engine) - SFTP public key auth failures cause locked accounts sooner in SSP3430. RTC509910/IT16488 (Engine) - (CD) SSP3430 causing data overrruns when inbound unencrypted, outbound secure. =============================================================================== Summary of Fixes for SSP 3.4.3.0 iFix 1 Build 29 (July 2016) SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to SSP3420/SSP3430 format before upgrade No Defect/IT07375 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched MAC names RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message from SSO login failure RTC495433/IT14514 (CM) - (HSM) manageKeyCerts import fails with java.lang.NullPointerException RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open files", or "max concurrent circuits reached" RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped password not present RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine, Max concurrent circuits reached:4096 on PS RTC492949/IT15184 (Engine) - (SFT) Getting DH_GEX group out of range RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading to SI 5.2.6.1. RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for PerimeterServerConfig RTC497092/IT14615 (Engine) - Engine Shutdown issue RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL handshakes RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to fail RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS enabled RTC502844/IT15531 (CM) - Unable to import PCKS12 SHA2 certs using configureCmSsl utility Logging Improvement (Engine) - C:D certificate failure logging improvements RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External Authentication RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns success but the node still exists RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a single Windows Service and s starting/shutting down the PS service starts/stops all of them RTC505169/IT15947 (CM) - HTTP Security headers were missing. RTC505320/IT15946 (CM) - Traversal of SSP CM Webapp root RTC505321/IT16020 (CM) - Accessing SSP CM using expired session id RTC505585/IT15949 (CM) - SSP CM allows methods other than GET or POST RTC505702/IT16080 (CM) - Enhancements to password policy rules =============================================================================== III. Detailed Description of Fixes (in Defect ascending order) Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter) =============================================================================== SSP3418 Upgrade (CM) - New SspCMCertConvertUtil tool to convert keys to SSP3420/SSP3430 format before upgrade Some Customers who upgraded to SSP3420/SSP3430 had SHA256 keycerts in PKCS#8 PEM format in their keystore, which is the way they were stored in the pre-SSP3420 CM. After upgrading, these keys could not be read by the new IBM toolkit, due to a couple of OID fields. Resolution: Now supply a new SspCMCertConvertUtil with the SSP3418 CM which can be run just before upgrading to SSP3430 to convert the keystore(s) in place to PKCS#12 format, which is the format that SSP3430 uses. Once the conversion is done, the SSP3418CM image must be upgraded immediately to SSP3430CM. Here are the steps for using the new script. 1) Obtain the latest 3418 maintenance (iFix 8+ or higher) and the latest 3430 maintenance (iFix 1 or higher) on Fix Central: http://www.ibm.com/support/fixcentral/swg/selectFixes? parent=ibm~Other%2Bsoftware& product=ibm/Other+software/Sterling+Secure+Proxy& release=3.4.1.8&platform=All&function=all 2) Shut down and back up your existing 341x Engine, CM and PS instances. 3) Upgrade the 341x CM to the latest 3418 SSPM CM patch 4) Run bin/SspCMCertConvertUtil.sh (or .bat) 5) Select Yes to convert existing 3418 SSP CM keycerts or select no to exit the script 6) If yes is selected, this script will first backup the entire SSP CM current conf instance 7) Script will then convert all SSP CM keycerts that are in 341x format into SSP3420/SSP3430 CM keycert format 8) Once the script runs to completion, upgrade the SSP CM, Engine, and PS instances to SSP3430 9) Note: Once the script is run, the SSP3418 conf directory may no longer be used for SSP3418. Either convert to SSP3430 or restore the backed up copy. Note: If there is a need to go back to 341x, restore the backed up copies. The alternative is to upgrade directly to SSP3430, import the PCKS12 versions of your SHA256 keycerts into your system key store and point your netmaps to the new versions. No Defect/IT07375 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR8 for latest security patches which turn off SSLv3 support by default This JRE was included with SSP3430 GA. SSP only allow TLS sessions by default and will reject SSLv3 sessions. If the SSLv3 protocol is required until trading partners can switch to TLS, then for UNIX/Linux, add the -Dcom.ibm.jsse2.disableSSLv3=false property to the Java startup line(s) in the bin/startEngine.sh script. For Windows, add the property to the " lax.nl.java.option.additional=" line in the bin\SSPengine$.lax file. In addition, edit the /jre/lib/security/java.security to change the following line from jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768 to jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768 See http://www.ibm.com/support/docview.wss?uid=swg21695265 for more information. No Defect/IT17228 (CM,Engine, - Upgraded SSP Engine, CM, and PS to IBM PS) JRE 1.7 SR9FP50 for latest security patches This JRE includes the quarterly Java security patches through July 2016. See http://www.ibm.com/support/docview.wss?uid=swg21991287 for details. PSIRT 5869 (CM) - Updated to use commons-fileupload-1.3.2.jar Resolution: Upgraded to use commons-fileupload-1.3.2.jar to resolve a possible security vulnerability. For more information, see http://www.ibm.com/support/docview.wss?uid=swg21995611. RTC104091/ (Engine) - (CD) Let PS (local or remote) do DNS resolution The CD Adapter has always done DNS resolution on the local host, even when the Perimeter Server definition Advanced tab specified "Perform DNS Resolution" "At Perimeter Server Host". In most cases, it required the addresses of CD nodenames to be specified as IP addresses rather than hostnames. Resolution: Now have the CD adapter honor the setting in the PS definition for "Perform DNS Resolution" (either "At Local Host" or "At Perimeter Server Host"). RTC458227/ (Engine) - Update the inbound Reverse DNS Lookup message with the hostname for better diagnostics When there are hostnames in the inbound netmap list instead of IP addresses the DNS resolution process does not echo the hosthames in the log, nor identify which nodename matched. Resolution: Now echo the hostname with the IP address it resolves to and indicate which nodename matches if a match is made: DEBUG Resolved: to: 9.8.7.6 INFO SSP104I Session Proceeding after Node match: HTTP_In RTC488587/ (PS) - Show SSP version/build at startup in PS log There is a desire for support purposes to determine at a glance whether a Perimeter Server (PS) is for SSP (vs. B2Bi) and if so, which version and build of SSP it was from. Resolution: At a glance, the SSP PS install directory contains a file called SSP_PServer_install.properties, which distinguishes it from a B2Bi PS. Now the PSLogger.* file at startup will contain a string SSP.INSTALLED.VERSION, which will list the build the installer came from. grep SSP.INSTALLED.VERSION PSLogger.* SSP.INSTALLED.VERSION=SSP 3.4.2.0 iFix11+ Build 411 RTC492052/IT13855 (CM,Engine) - (SFTP) Sha2 connections fail due to mismatched MAC names Customer was attempting to configure their SFTP to use HMACs of 256 or higher. SFTP handshakes were getting a mismatch of the hmac algorithm names. SSP was presenting "hmac-sha256" and "hmac-sha512", but should have been using "hmac-sha2-256" and "hmac-sha2-512". Resolution: Now properly present the "hmac-sha2-256" and "hmac-sha2-512" hmac names. Action: If you have previously selected the "hmac-sha256" or "hmac-sha512" HMacs in the adapter Security tab or the netmap node Security tab, they will be de-selected during this upgrade, and you must reselect the "hmac-sha2-256" and/or "hmac-sha2-512" hmacs. RTC492949/IT15184 (Engine) - (SFTP) Getting DH_GEX group out of range Customer running with newer openSSH command line client getting DH_GEX group out of range during session initialization. Resolution: Updated the SFTP Maverick toolkits to SSHD 1.6.17 (front end server side) and J2SSH 1.6.15 (back end client side) for more advanced Diffie-Hellman Key negotiation. RTC493866/IT14117 (Engine) - (PS) Too many fast wakeups in perimeter.log After applying SSP3430 iFix 1, the perimeter.log began receiving the following messages in DEBUG mode: com.sterlingcommerce.perimeter - NioDispatcher.block() -- too many fast wakeups, rebuilding selector. com.sterlingcommerce.perimeter - NioDispatcher.block() - wakeup after 0, result: 0, fastwakeups: 1001 Resolution: Corrected the perimeter.properties file to match the new version shipping since iFix 1. Also added the following parameter to the bottom of the bin/perimeter.properties file to turn off the NIO dispatcher in the local perimeter server: perimeter.niodispatcher=false RTC494013/IT15074 (Engine) - (HTTP) Client is not receiving the 500 Error message from SSO login failure HTTP client logging onto the SSO portal and then onto Sterling File Gateway is getting a blank screen instead of a 500 error message when the login fails. Resolution: Added the text "Internal Server Error" to the message body for the 500 error response and pass it back to the user on login failure. RTC495433/IT14514 (CM) - (HSM) manageKeyCerts import fails with java.lang.NullPointerException The manageKeyCerts.sh utility fails with "Unexpected exception: java.lang.NullPointerException" when attempting to import a PKCS12 keycert into HSM. Resolution: Changed manageKeyTool to persist imported keys by saving off the private key. RTC496040/IT15910 (Engine) - SFTP client script causes FIN_WAIT2 on SSP server When SFTP proxy adapter times out on the client, the socket connection stays in FIN_WAIT2 state. Resolution: Modifed code related to close functionality. RTC496054/ (CM) - Error messages found in installation and CMS logs for both Engine and CM. Numerous error messages seen in log during installation or configuration update: ERROR SspEngineBuilder - routing type STD. They were introduced by Build 54. Resolution: Removed the superfluous message. RTC496133/IT15041 (Engine) - Session starts rejected in PS due to "too many open files", or "max concurrent circuits reached" After several hours or days of running, the Perimeter Server can get the message, "Too many open files", or "Max concurrent circuits reached: size is:4096", and all incoming connections are rejected. The C:D adapter was not closing the connections from the load balancer heartbeat pings correctly, causing an accumulation of circuits in the PS and leftover file descriptors showing up in a lsof command. Customers with a ulimit of 1024 for max open files per user will get the former message, while others will get the latter. Resolution: Updated the C:D adapter code to better handle a load balancer ping operation which does not do a clean close of the socket after connecting. These connections should get cleaned up by the Java garbage collector over time. The Customer should also set the kernel ulimit max open files value to 4096 or higher to allow time for the normal recycling of the load balancer ping sockets. RTC496371/IT14589 (Engine) - (SFTP) Key-only authentication failing when mapped password not present If an SFTP policy is configured to use a mapped routing key name from SEAS to connect to the backend server, a Null Pointer Exception can occur if the user does not have a mapped password defined.  When attempting to connect to the SSP SFTP adapter, the user will not be able to login, and the following exception will occur in the adapter log: java.lang.NullPointerException at java.lang.String.        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.registerBackend        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUserHelper        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.logonUser        at com.sterlingcommerce.cspssh.daemon.SftpAccessManager.verifyPassword        at com.sterlingcommerce.cspssh.daemon.SftpAccessInstance.verifyPassword Resolution: Now correctly handle the situation where SEAS returns a mapped routing key name, but not a mapped password. RTC496962/IT16065 (Engine) - CD Adapter failures causing high CPU on Engine, Max concurrent circuits reached:4096 on PS When the C:D adapter recovers from a connection failure to the More Secure Perimeter Server, it restarts its listener on the inbound PS but no longer services connections coming in. As the load balancer continues to hit the CD port, it can lead to a "Max concurrent circuits reached: 4096" error on the PS and all inbound traffic turned away. Resolution: Corrected the recovery logic in the CD adapter to ensure that the inbound listener is brought up and the adapter continues to service connections. RTC497030/IT14809 (Engine) - (CD) SSP handshake failure with CDSA after upgrading to SI 5.2.6.1. SI/B2Bi 5.2.6.1 uses the fix provided in the IBM JRE (JSSE) to break up packets when using CBC cipher suites and TLS 1.0. The short packet during the initial FMH 68/72 exchange was causing SSP to issue message CSP900E Logged Exception : Invalid Connect:Direct FMH Resolution. Now handle SSL fragmentation caused by remediation for the CBC BEAST TLS 1.0 PSIRT advisory. Workaround: There are 2 known workarounds to this problem - 1) Switch to using TLS 1.2 between SSP and SI, as the BEAST "fix" only gets used with TLS 1.0 2) Update the SI 5.2.6.1 startup script(s) to add "-Djsse.enableCBCProtection=false" in the Java startup line(s). RTC497033/IT14757 (Engine) - Dummy object unmarshalling error for PerimeterServerConfig During a configuration push from the CM to the engine, getting multiple java.lang.RuntimeException: Problem with reflection based marshalling. Invalid data was being passed to SSP Engine Converter method. Resolution: Added logic to detect when an invalid data is passed into the converter method and handle it properly RTC497092/IT14615 (Engine) - Engine Shutdown issue Customer could not shut down the SSP engine from the command line using either stopEngine.sh mode=auto or the regular ./stopEngine.sh. Resolution: Added logic to SSP code base so that the TLS protocol is no longer hard-coded for SSP engine shutdown module. RTC497412/ (Engine) - Inbound FTPS fails when client cert has server flag FTPS client fails the SSL handshake because it is using a certificate marked for Server use only. Resolution: Now provide better diagnostics in the error message so that the client can be instructed to get a certificate marked Client only or Server plus Client. Now the error message will say: [TLSCheck.certificateCallback] Entered: 4 (TRUST_ERROR_OTHER - could be server-only certificate used for client auth or client-only certificate used for server auth or broken chain, etc) RTC500038/IT15916 (Engine) - Intermittent failures with concurrent SSL handshakes Customers experiencing intermittent failures during SSL handshaking in CD, FTP, or HTTP sessions. A PEMHelper utility class which feeds certificates to the SSL/TLS handshake process had objects defined in such a way that they were not thread-safe, causing unpredictable outcomes when multiple sessions were attempting to do simultaneous handshakes.  Resolution: Corrected the objects in the PEMHelper class to be thread-safe.   RTC500069/IT15063 (Engine) - SFTP transfers stalling at 627MB or the sftp_rekeycount limit in the adapter. Under certain circumstances, the rekey limit is causing SFTP transfers to stall. The sftp_rekeycount property defaults to 20000 by default, which allows 20k packets to flow before requesting a new key exchange. However, the SSP FTP daemon and the SSH Maverick toolkit are both keeping track of the packet count, which can cause a hang when both request a rekey at the same time. Turned off requesting rekey operations on the back end session to SI within the SFTP adapter. Added a new property, sftp_backend_rekeycount, with a default of zero, to specify the number of packets between rekeys on the backend session to SI, in case a Customer needs to turn it back on. Also updated the Maverick toolkit to get the latest versions with any impact on re-key issues. RTC501172/ (CM) - CM ManagedAccepterService fails to startup causing logins to fail There was an internal error during startup of the CM and the internal ManagedAccepterService never came up, which caused logins to fail. Resolution: Added the ManagedAccepterService to the list of global services so it would start sooner in the process. RTC501513/IT15516 (CM) - Vulnerability issues found with SSPcm HTTP Headers The SSP CM is missing the following HTTP security headers: Cache-Control: no-cache,no-store Pragma: no-cache X-Content-Type-Options: nosniff X-XSS-Protection: 1 Resolution: Added the missing HTTP security headers to the SSP CM. RTC501735/IT15517 (Engine) - (SFTP) Key Exchange Exception encountered when FIPS enabled With FIPS mode enabled in SSP, a null pointer exception can occur if the group-exchange-sha256 key exchange algorithm is enabled in the outbound netmap node. Resolution: Code has been added so that SSP can use the group-exchange-sha256 key exchange algorithm, in FIPS mode, for connections to the backend server. RTC502844/IT15531 (CM) - Unable to import PCKS12 SHA2 certs using configureCmSsl utility CmSslConfigTool was unable to successfully import pkcs12 certificates. Resolution: Added logic that allows for the public certificate to be extracted from pkcs12 into SSP CM truststore. RTC502863/IT16819 (CM,Eng) - (SFTP) Support hmac-sha256 & hmac-sha256@ssh.com Previously, SSP did not support the following HMAC algorithms for SFTP adapters and outbound nodes: hmac-sha256 and hmac-sha256@ssh.com. Resolution: Added support for hmac-sha256 and hmac-sha256@ssh.com. Logging Improvement (Engine) - C:D certificate failure logging improvements Trusted certificates that contain comments or too many characters on a line may not be able to be parsed by SSP 3.4.2, even though they worked in SSP 3.4.1. Resolution: Added code so that if SSP fails to parse a trusted certificate, the name of the offending certificate is logged. RTC503126/IT15568 (CM) - (REST API) Unable to create CM user who uses External Authentication When using the SSP REST API to create a new CM user that uses external authentication, an error will occur if a password is not specified.  Since authentication is done externally, a password should not be required in SSP. Resolution: The SSP REST API code has been changed so that passwords are not required for new CM users that use external authentication. RTC503335/ (Engine) - (CD) Improve certificate failure logging Resolution: Changed the CSP062E (Secure+ mismatch error) message to ERROR level. Also updated the SSE0116E and SSE0117E messages (handshake failures) to include "Check for certificate failures" in addition to the instructions to verify protocols and ciphers. RTC503335/ (Engine) - (CD) Logging improvements for Certificate issues C:D Secure+ handshakes sometimes failed due to certificate errors, but did not include which certificate was identified as failing. Resolution: Add keycertificate name to error messages when appropriate. Examples: CSP037E Could not load certificate information for node. KeyCertificate Name=CertWiz_SHA256_SelfSigned.keycert CSP900E Logged Exception : could not handshake because certs or configuration is invalid, KeyCertificate Name=CertWiz_SHA256_SelfSigned.keycert CSP057E 16 Exception or other serious error occurred: exception in processing could not handshake because certs or configuration is invalid, KeyCertificate Name=CertWiz_SHA256_SelfSigned.keycert RTC503536/ (Engine) - (HTTP) Client is not receiving the 500 error message from SSO login failure When using SSP/SEAS to connect to myFileGateway the username that is entered into the SSP login page is authenticated against SEAS before it is sent to SFG. The username in LDAP is case insensitive, but in SI it is case sensitive, so authentication can succeed in LDAP, but fail on SI.  This causes SSP to display a blank page, and return the 500 HTTP response code.  Resolution: Now whenever the HTTP response code is 500, SSP also returns “Internal Server Error” in the message body, so that the response code is delivered and the client does not get a blank page. RTC503895/IT15606 (CM) - (REST API) Delete Netmap Node entry request returns success but the node still exists When using the SSP REST API to delete a C:D netmap node, and the node being deleted is referenced by another node’s ACL, the REST API will return a successful response, but the node will not be deleted. Resolution: The SSP REST API code has been updated to return a meaningful error message if a node cannot be deleted because it is referenced by another node's ACL. RTC504462/IT15808 (PS) - Installation of SSP Perimeter Server package creates a single Windows Service and s starting/shutting down the PS service starts/stops all of them After installing a more secure perimeter server, it is possible that the Windows service used to start and stop the perimeter server will be named using the wrong port number.  If this new Windows service name overwrites an existing service, the perimeter server corresponding to the old Windows service cannot be started. Resolution: The code has been changed so that the name of the perimeter server always contains the port number that the SSP Engine will listen on. This guarantees that the Windows Service name corresponds to the correct server. RTC504499/ (Engine) - (CD) Common name (CN=) can be last entry in subject. If certificate common name matching was turned on for CD Secure Plus transfers, the comparisons would fail if the common name was the last field in the Subject or if it had a comma (,) in it. Legacy code was relying on the comma as a terminator for the CN= field in the certificate. Resolution: Converted from legacy parsing to use the X500Name field built into Java certificate processing. RTC504898/IT16824 (CM) - (REST) XMLSchemas for Import RESTAPI Requests Resolution: XSD files are now provided to allow XML validation. Sample programs were changed to show validation using the appropriate xsd file. Note: Because netmapDef was re-used for cd, ftp, http, pesit and sftp and ftpPolicyDef was reused for ftp and sftp, changes were required to allow for xsd validation of import/export XML files. These changes also required modifications in the SSP CM, so CM must be upgraded to this level in order to use the xsd's provided. RTC505169/IT15947 (CM) - HTTP Security headers were missing. Resolution: Added the following security headers 1) Cache-Control: no-cache,no-store and Pragma: no-cache 2) X-Content-Type-Options "nosniff" 3) X-XSS-Protection "1" 4)Strict-Transport-Security - Note: Chrome may require some tweaking when CM server certificate CN does not match host name see https://support.opendns.com/entries/66657664-Chrome-for-Windows-only- HSTS-Certificate-Exception-Instructions for mitigation for chrome See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details. RTC505320/IT15946 (CM) - Traversal of SSP CM Webapp root Under certain conditions, a browser user is able to traverse the SSP CM webapp root directory. Resolution: Added logic in SSP servlet filter to block directory traversal. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details. RTC505321/IT16020 (CM) - Accessing SSP CM using expired session id The SSP CM Dashboard web session was not being reset during a logoff operation. Resolution: Added logic to always reset the SSP CM Dashboard web session during a logoff operation. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details. RTC505365/ (CM) - (REST) Unable to create CM user using ExternalAUTH When creating a new CM user that uses External authentication, the REST API requires a password for that user. A password should only be required if Local authentication is selected. Resolution: Changed the CM User validator so that a password is not required if External authentication is selected. RTC505548/ (Engine) - CD Proxy shows CM monitoring status as active, though the less secure remote PS is down. SSP C:D Adapter failed to recognize that remote PS had failed and didn't initate recovery (both with and without failover). Resolution: The C:D Adapter now recognizes the failure of the remote PS failure and reports is properly in the log and to CM and initiates recovery attempts. RTC505522/IT16713 (Engine) - (FTP/S) Enabling CCC causes transfers to fail When CCC (Clear Control Channel) is enabled on the inbound node for the connection from FTP Client to SSP FTP Proxy, the session fails after the CCC command is sent by the client to SSP. Resolution: SSP was updated to correctly interface with the newer PS. RTC505585/IT15949 (CM) - SSP CM allows methods other than GET or POST User was able to send a method request other than GET and POST to the SSP CM server and get a response back. Resolution: Modified the SSP CM web.xml to only honor GET and POST methods. See http://www.ibm.com/support/docview.wss?uid=swg21991278 for more details. RTC505702/IT16080 (CM) - Enhancements to password policy rules Resolution: Now allow the SSP CM admin to specify the allowed special characters and also to specify the number of consecutive repeating characters within a new password string RTC507008/IT16396 (Engine) - (CD) Memory usage increases and process slowdown with C:D wildcard copies. A C:D process with a large number of steps (e.g. a wildcard copy) continues to consume resources and processing slows down as more and more objects are added to SSP session document. Resolution: Refactored the way the SSP session document is manipulated to make it more efficient. RTC507936/ (Engine, CM) - Unpredictable install directory when backspace settings not set correctly Inputting data to InstallAnywhere during installation and using the backspace or cursor arrow keys results in bad data. This comes about when the stty terminal settings are not set up correctly. The install directory value may display correctly, but end up containing unprintable backspace or arrow keys in them. Resolution: Added code to inspect for backspace and cursor keystrokes and correct the data inputted. RTC508303/ (Engine) - CDzOS via SSP produces XXDR021I in CD Windows statistics. C:D Windows stats shows XXDR012I RC 4 for processes between C:D Windows and C:D z/OS when going through SSP. Resolution: Now explicitly specify the ISO-8859-1 character set for "bytes to string" and "string to bytes". RTC508526/IT16700 (CM) - Allow CM Admin to control locked account msgs After SSP3430 iFix 1, the CM user is notified when its account is locked Resolution: Added a check box in SSPCM System Setting's tab to allow the Admin to indicate whether a CM user should be notified of a locked condition. RTC508872/IT16456 (Engine) - SFTP public key auth failures cause locked accounts sooner in SSP3430. When the "Key or Password" authentication policy is used in SSP's SFTP adapter and a user's key is invalid, the account gets locked after one failed password attempt. The public key authentication failure is recorded twice, causing one subsequent failure of a password attempt to lock the account for SSP's lockout period. Resolution: Ensure the SSH User Key authentication failure is not counted twice. Workaround: Raise the "User Lockout Threshold" from the default of 3 in the Credentials -> User Stores section of the CM. (This value is used whether or not the user account is in the SSP user store). RTC508898/ (Engine) - (CD) With CHECKPOINT and FASP=SSP; SUSPEND hangs session Doing CDZ PNODE to CDU SNODE PULL with a checkpoint interval (100K) and FASP=SSP. Suspend from CDZ hangs session. Last thing seen is CDZ sends exception response with sense code 08240118 to CDU then goes into receive, and after receiving all data and FMH80's buffered in SSP, final receive waits for a response that never comes. Unable to flush process, so CDZ must be shut down. Resolution: FASP connection was being closed prematurely when it should have waited for the LIC on the data. The code has been updated to do so. RTC508901/ (Engine) - (CD) Submit process on Snode using FASP does not end session gracefully The positive response from the SNODE to the PNODE after the FM7404 was not being waited on. Reslution: Now wait on the positive response correctly.   RTC509062/IT16642 (PS) - (PS) Install issues with Windows service names After SSP3430 iFix 1, The Windows Service name for the Remote Less Secure PS includes the local listen port number and for the More Secure PS, it includes the port number of SSP to which PS will connect. If there are more than one More Secure PS servers running on one host, pointing to the same port, the PS windows service name will not be unique and cause problems. Resolution: To make the Remote PS Windows service name unique, the IP address of the host on which the PS listens (Less Secure PS) or the IP address of the SSP to which the PS connects (More Secure PS) is appended to the service name in addition to the port number. Example PS name: IBM Sterling Perimeter Server V4.6.6.2 for SSP 3.4.3.0 on 3000 1.2.3.4 Windows Service name: SSP_PerimeterServer_3000_1.2.3.4. RTC509910/IT16488 (Engine) - (CD) SSP3430 causing data overrruns when inbound unencrypted, outbound secure. With SSP3430 in front of a B2Bi CD server adapter, the CDSA may get Java NullPointerException or IndexOutOfBoundsException when the C:D inbound session is unencrypted and the back end (outbound) node uses Secure Plus. When SSP encrypted the data from the inbound RU, it went beyond the negotiated RU size on the back end, causing the data overrrun exceptions. Resolution: Now properly break up the data from the unencrypted buffer into chunks which fit in the outbound RU, using multiple RUs as required. RTC510313/IT16560 (CM,Eng) - (SFTP) Allow buffer lengths greater than 128K Unable to upload files via SFTP if client is using a buffersize > 128K. Customer attempting to connect from command line sftp with larger buffer parm -B240000. Connection is ok, but during the upload the SSP Maverick toolkit gets an error. Maverick log is showing com.maverick.sshd.Subsystem - Incoming subsystem message length 240043 exceeds maximum supported packet length 131328 com.maverick.ssh.ExecutorOperationSupport - Caught exception in operation remainingTasks=0 java.nio.BufferOverflowException at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183) ~[?:1.7.0] at java.nio.ByteBuffer.put(ByteBuffer.java:832) ~[?:1.7.0] at com.maverick.sshd.Subsystem.parseMessage(Subsystem.java:137) Resolution: Now set the default allowed buffersize supported to be 256K. Override using the sftp.maxPacketLength property. Note: Maverick toolkits were upgraded to SSHD 1.6.24 and J2SSH 1.6.22. RTC510634/IT16823 (Engine) - (SFTP) SCP presents a RC 1 after successful GET When a file is downloaded from SI SFTP Server Adapter thru SSP using the command line scp command, the scp client reports a Return Code of 1 instead of 0 for success. The scp put operations return a 0 as expected. Resolution: Made change to SSP to close the connection properly so the command line scp client reports 0 Return Code for "get" operations. RTC510635/IT16815 (Engine) - (HSM) Certificates causing SSP0229E Exception Customer has certificates stored in an HSM and upgrading to SSP 3.4.3. When securing connections or sending data, getting java.lang.NoClassDefFoundError - com.sterlingcommerce.security.util. SCIHSMManager. Resolution: Corrected SSP code and PS jar file to properly reference the failing class. RTC511154/IT16980 (Engine) - (CD) C:D adapter fails to send "Http Ping Response" string consistently Customer using the HTTP ping response for the C:D adapter to streamline the communication with the load balancer. After upgrading to SSP3420 iFix 8 (or SSP3430 iFix 1), the response was not being sent to the load balancer consistently. Resolution: SSP was closing the socket after writing the HTTP ping response before PS got a chance to complete its work. Added a 200ms delay after writing the HTTP response before closing the socket. RTC511478/RFE511476 (CM,Eng)- (SFTP) Force one line password prompt When the SFTP adapter is configured with the "Key or Password" authentication mechanism it was causing a multiple line password prompt to be displayed. Resolution: Added support for a new property in the SFTP adapter Property tab. kb.single.password.prompt=false is default is keeps a multi-line password prompt in keyboard interactive mode when using "Key or Password". Setting kb.single.password.prompt=true forces a one-line prompt. RTC511666/IT17151 (CM) - Unable to invoke iKeyman on Solaris 10. The IBM hybrid JRE on Solaris delivers ikeyman as a call to the native Java with a class to execute. However, if the JAVA_HOME doesn't point to the IBM JRE, it gets "Could not find or load main class com.ibm.gsk.ikeyman.Ikeyman" Resolution: Corrected Solaris installers for SEAS, SSP, SSP_CM and PS to modify jre/bin/ikeyman so that it always invokes the installed IBM JRE. RTC511903/IT17121 (Engine) - (SFTP) Slow upload speed via SSP on Solaris SSP was not automatically using Solaris hardware encryption to speed up its crypto processing. Resolution: Updated the installer to change the the java.security file on Solaris to include the security provider for Solaris hardware encryption. RTC511928/IT17359 (CM) - (HSM) Cannot delete old certificates in the CM HSM Keys list after upgrade Certificates installed into HSM using pre-SSP3420 had a different provider than is supported with the new IBM toolkit. Resolution: Updated the code to delete the old certificates successfully. RTC512573/IT18260 (Engine) - HTTP connections fail with SSE0102E secure connection failures after upgrade to SSP 3.4.2 Starting in version 3.4.2, a change was made in SSP to make use of the IBM JSSE as a security provider for SSL instead of Certicom. Certicom used only one thread to process the events related to SSL handshakes. For the IBM JSSE, a thread pool was introduced for processing the events. along with a new local perimeter server property, perimeterServices.tlsDefaultThreadsPerAdapter=1, specifying the number of threads in the pool. However, the default value of 1 resulted in not having enough threads to handle even small spikes in TLS handshakes. Resolution: Change the value of the local perimeter services property in /bin/perimeter.properties to perimeterServices.tlsDefaultThreadsPerAdapter=5. RTC513206/IT17358 (CM) - SSPCM allows the password change step to be bypassed When the administrator sets a CM user's password for first time or resets it and the user is required change the password initially entered by the admin, it is possible to bypass the mandatory password change and access the CM. Resolution: Locked down the access in the case of a required password change. RTC513451/IT17846 (CM,Engine) - Updated to use Maverick sshd 1.6.27, j2ssh 1.6.23, common 1.6.11 Resolution: Upgraded to newer Maverick toolkits to resolve several underlying issues. RTC513984/ (Engine, - Enhancement to allow silent Installs for SSP, CM, PS) SSPCM, PS and SEAS InstallAnywhere Silent Install is a feature which allows for automated installs without questions and answers from the console. It can be used for repetitive installs at Customer sites. The administrator first does the product install in "record" mode which builds an installation properties file for subsequent silent installs in "replay" mode. Resolution: The SSP Engine, CM, PS, and SEAS have all been updated to allow silent installs. RTC514315/IT17373 (CM) - Import of CA trusted file with multiple certs or comments getting corrupted or rejected Customer imports a trusted.txt file that contains several CA certificates into the truststore (Credentials > Trusted Certificate Stores). The certificates import but in the Certificate Data window, it indicates only 1 of 1 certificates is imported though you are able to see the multiple BEGIN and END embedded certs. Also trusted files with imbedded comments before or after the BEGIN CERTIFICATE / END CERTIFICATE pairs were being rejected. Resolution: Updated the import logic to remove comments and blank lines during the import process and process multiple certs in one file. Also updated the CM during startup to clean trusted files already loaded in the truststore. RTC516359/IT18163 (Engine) - Deadlock/hang in failover code When Failover is setup in continuous mode and a more secure Remote PS is setup between SSP and the backend Server, if the backend Server goes down, it may result in a deadlock in the SSP Adapter threads. When the backend Server is active again, SSP Adapter may not be accepting new connections, causing the engine to appear hung. Resolution: Modified failover logic to avoid the deadlock. Note: RTC516359 is also internally called RTC524026. RTC516459/IT17419 (CM) - The manageCSRs.sh script gets a NullPointerException when attempting to create a CSR The manageCSRs.sh script gets a NullPointerException after generating the private and public key and attempting to place it in the keystore. Resolution: Now set the default keystore provider to be the IBM JCE. RTC517058/IT17567 (Engine) - *HIPER* FTPS passive data connection timeouts after upgrade to SSP 3.4.2 or 3.4.3. After upgrading to SSP3420 or SSP3430, Secure FTP client sessions were hanging intermittently on data operations, such as directory listings, sending and receiving files. The TLS handshake was failing to start, causing a timeout. One Customer also experienced data corruption when using Filezilla as the FTPS client. Resolution: Fixed a race condition when opening the data channel and responding to the TLS handshake for the client. RTC517621/IT17983 (Engine,PS) - Too many open file handles - lsof output Round 2 of issue with having sockets show up as leftover and in an unusual state (can't identify protocol) in a lsof command after hours of running. This can lead to the PS running out of available "channels". Resolution: Updated the PS code (local and remote) to automatically close sockets which are detected to be in this unusual state. RTC518916/IT18164 (Engine) - CD "PNODE Host controls SSL Protocol" netmap setting fails in some circumstances When SSP is connecting to the real SNODE, specifying "PNODE Host controls SSL Protocol" and the real SNODE doesn't support TLS1.2 and has specified OVERRIDE=N, the handshake fails. Resolution: Now recognize that "PNODE Host controls SSP Protocol" is set and the adapter allows differing encryption levels, and attempt to do a handshake supporting all protocols with the SNODE. The SNODE then decides what it can and cannot do. RTC519253/IT18066 (Engine) - (CD) Allow server only certificates for client authentication If Secure+ and client authentication is turned on for a CD PNode, and the node presents a certificate with "Netscape Cert Type: SSL Server" and does not also indicate an Extended Key usage of SSL Client, the SSL handshake fails with CSP057E "exception in processing com.ibm.jsse2.util.j: Netscape cert type does not permit use for SSL client". This is an RFC restriction imposed by the IBM JSSE toolkit. Resolution: SSP is updated to allow SSL Server certificates for CD client authentication by default. A new property can be set in the CD adapter, AcceptServerOnlyCertForClientAuth, to override this behavior. Settings are: true - (default) allow the handshake and produce message CSP998I to list the PNode and subject name of the certificate showcert - same as true, but also append the full certificate listing false - reject the handshake with message CSP997E. RTC519510/IT18176 (CM,Engine) - Do not enforce common name checking if CD client authentication not turned on The SSP CD adapter was failing PNode connections when common name checking was checked in the netmap, but client authentication was not. Resolution: Now ignore the common name checking flag during CD handshaking if the client authentication flag is not checked and put out a warning message instead. RTC519864/IT17988 (Engine) - 2 ciphers missing from supported ciphersuites list Two ciphers (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) were missing from the supported ciphersuites. Resolution: Added the ciphers to the supported ciphersuites. RTC519966/IT18001 (CM) - Admin user can't be deleted in SSPCM After installing the SSPCM and adding a new user with Admin privileges, the Customer was unable to delete the original default "admin" account. The Customer's site security required removing the default account. Resolution: Corected the code to allow deleting the "admin" account from another account with Admin privileges. RTC520046/IT17985 (CM) - Unable to use custom channel name in the JMS configuration The Customer defined a custom channel name in addition to the default "", but the custom channel name was overriden by the default. Resolution: Correct the code that was overriding the custom channel name so that it could be used to send messages. RTC520758/IT18178 (CM) - Externalize delay for CD HttpPingResponse. When the SSP CD adapter is configured to accept HTTP pings, SSP writes the ping response and closes the socket before the PS gets a chance to complete sending the response to the load balancer. Resolution: Now add a 200ms delay after writing the HTTP response before going to final to close socket. Delay can be adjusted with CD Adapter property HttpPingResponseDelay=200 (default). Value is in milliseconds. RTC521075/IT18187 (CM) - 2 special characters in CM password when special characters required When the SSPCM password policy was set to require a special character, the password was being forced to include at least two special characters. Resolution: Now only require one special character when the passsord policy is enabled with "must have special character". RTC521499/ (CM) - (RESTAPI) HTTP Netmap import failing without truststore even though no client authentication When XML validation through XSD was added, some of the XSD files did not mark some tags as optional. This caused validation to fail indicating tags were required when they were not. Resolution: Changed XSD files to mark all tags as optional. RTC521835/IT18266 (Engine) - (HSM) SecureRandom failures using HSM with CD CD sessions fail with "session.logic.engine not found in Parameters" when using ncipher HSM. The HSM random number generator does not accept seeding. Resolution: Removed code which was attempting to seed SecureRandom during TLS connections when the key certificate is in the ncipher HSM. RTC522699/IT18216 (CM) - Thousands of sockets in TIME_WAIT when JMS listener down After configuring SSP CM to publish messages to WebSphere MQ, Customer found a huge amount of sockets in TIME_WAIT status with destination of the queue manager and originating from the SSP CM. The excessive sockets used up file descriptors in their system. Resolution: Added logic to log JMS connection failures, and then added a 20 second delay between connection attempts to limit the growth of sockets when the JMS queue is down. RTC522918/ (Engine) - Include content-length header in CD Health check ping response The CD health check ping response always specified HTTP 1.0 and included no content-length header. Resolution: Now include content-length header in the CD HTTP ping response and if a CD adapter property "ping.response.http.1_1=true" is set, an HTTP 1.1 response will be sent. RTC523287/IT18529 (Engine) - SEAS-Agent timeouts are hanging other SFTP Adapters including ones not dependent on SEAS SFTP sessions which go through SEAS and hang during a logoff operation can cause sessions on other SFTP adapters which do not use SEAS to hang. Resolution:   Placed the logic for doing SFTP logoffs in a separate thread pool so that they do not hold the EventServiceImplementation lock while doing the logoff operations. RTC523578/ (Engine) - (HSM) CD Protocol unable to use keycert in HSM The C:D protocol was unable to use a key/certificate stored in HSM, getting CSP900E Logged Exception : no valid keycert found - exception. Resolution: Added the logic to correctly handle referencing keycerts in an HSM device when using the C:D protocol. RTC524219/IT18552 (Engine) - *HIPER* CD failures after upgrade to SSP3420 iFix 9 or SSP3430 iFix 2 When upgrading to SSP3420 iFix 9 or 3430 iFix 2, the old Certicom SSL Context values from SSP3418 were not properly converted to IBM JSSE SSL Context values. This caused java.security.NoSuchAlgorithmException - TLS1-ONLY SSLContext not available on CD transfers. Resolution: Now convert the old Certicom SSL Context values to the IBM JSSE SSL Context values during CD SSL handshaking. Workaround: Do a Save in the GUI on the affected netmap node(s) to assign the correct TLS protocol setting. RTC524274/IT19027 (Engine) - (HSM) FTPS not working with HSM certificates after upgrading from 3.4.1.7 to 3.4.3 The key certificate alias in HSM was mixed case and was not succeeding during TLS connection in the SSP FTP adapter. Resolution: Now normalize the key certificate alias to lower case before attempting the TLS connection. RTC524639/ (Engine) - Bad format in one user auth key keeps SFTP RTC538332 adapters from coming up The SFTP adapter does not start if there is an error loading any of the known host keys or authorized user keys. Resolution: Now log the failing key name with message SSE2727 and continue to load other valid keys and start the SFTP adapter. RTC524897/IT18695 (Engine) - 100% CPU in Maverick toolkit after a few days Customer found that his engine was reaching 100% CPU after several days. Javacore showed that there were several threads looping in Maverick code. Resolution: Updated Maverick toolkits to SSHD 1.6.30 and J2SSH 1.6.25 RTC525081/IT18698 (Engine) - Numerous Maverick NullPointerExceptions in systemout.log after SSP3420 iFix 9 The fix for RTC523287 introduced a new thread to handle SFTP logoffs. However, it attempted to reference a Maverick Connection object which became stale. Since the NPE happened after the client had disconnected, it had no effect on transfers, etc. Resolution: Now get the information from the Maverick Connection object before invoking the SFTP logoff thread. RTC525304/ (Engine) - Performance test fails for HTTPS and FTPS Resolution Changed the default values for the following two properties in the local perimeter.properties file, based on recommendation from the SI team after performance testing with SSP. perimeterServices.outboundPipeCapacity=10 (was 2) perimeterServices.serverConduitCapacity=10 (was 2) RTC525585/IT18998 (CM) - HTTP netmap inbound logging level reset to NONE if Routing Node tab selected If the user sets a value for the logging level in the HTTP Netmap Inbound Advanced tab and then navigates to the Routing Node tab, the logging level is reset back to NONE. Resolution: Now save the logging level value before navigating away from the Advanced tab. RTC525694/IT18971 (CM) - Large certificate serial number appears incorrectly within SSPCM Certificate with a serial number larger than the maximum integer value (2G) was not being displayed correctly. Resolution: Now format the display of the certificate serial number using the BigInteger object type, which handles numbers larger than maxint. RTC525887/ (Engine) - FTPS data channel hangs when CEU is back end Running Secure FTP with Connect:Enterprise for UNIX as the back end FTP server, the data channel can hang waiting for TLS handshake when in PASV mode. The CEU was placed behind SSP to assist in migrating to Sterling File Gateway using Single Signon and Dynamic Routing. Resolution: Now determine if the back end server is CEU and automatically adjust the timing of when to start the TLS handshake for the data channel on the back end. If the CEU is not recognized, the parameter bypass.wait.for.data.channel=true can be added to the FTP adapter properties to force this behavior. RTC525909/ (Engine) - Error messages "peer not authenticated" in load test logs for C:D sessions In our local testing there were numerous "peer not authenticated" error messages in the C:D logs, although the sessions completed normally. If the sessions were configured to require client authentication by the PNode, the messages were not produced. Resolution: Now bypass emitting the message if the PNode is not configured to do SSL client authentication. RTC525956/ (Engine) - SFTP concurrency test produces number of NPEs Our concurrencly load testing was turning up numerous NullPointerExceptions in BackendSftpSubsystem.java, after RTC523287 and RTC525081. Resolution: Now serialize the usage of the session object to eliminate the NPE. RTC526163/ (Engine) - Avoid erroneous PASV response from server When a FTPS client starts a data operation without waiting for the previous command to complete, the PASV response from the back end server can be sent directly to the client, disclosing the IP information of the internal system. Resolution: Now detect when a PASV response is being returned when not in passive mode and terminate the session with an internal error. RTC527009/IT19026 (Engine) - FTPS client connects, but LIST command delayed In some situations, the FTP LIST command takes a long time to finish when testing with WS-FTP. The time it takes seems to match the FTP Adapter session timeout time in SSP. A NullPointerException was causing the data channel to not be closed properly. Resolution: Changed the code to avoid the NullPointerException during the data channel operation. RTC527283/IT19153 (CM) - SSP 3.4.3 CM in Windows Uninstall shows Version 3.4.2.0; 'Help' points to v3.4.2 content The SSPCM v3.4.3 'Version' column information in Windows 'Programs and Features / Uninstall a Program' shows 3.4.2.0. The "IBM Sterling Perimeter Server V4.6.6.2 for SSP 3.4.3.0" shows a version of "4.6.6.0". Also, the SSPCM 3.4.3.0 'Help' links were all pointing to 3.4.2 content. Resolution: Updated the InstallAnywhere installer to properly set the version information for the SSPCM and SSP PS. Updated all the SSP3430 Help links to point to SSP3430 URLs. RTC527354/IT19159 (CM) - TLS1.2 is not negotiating when FIPS mode ON When running the SSP Engine in FIPS MODE, the HTTP and FTP adapters will not allow a TLS1.2 handshake. It works ok when FIPS mode is OFF. Resolution: Updated SSP to allow TLSv1.1 and TLSv1.2 under FIPS mode. RTC527355/ (CM,Engine) - SSP CM not PUSHing configured SSH Local User Keys to SSP Engine In some situations, the SSP CM was not pushing the SSH local user keys to the SSP Engine. Resolution: Now correctly push the SSH local user keys to the SSP Engine. No Defect (Engine) - Additional KQV values for C:D FM71 - ZEDC Resolution: New KQV values for the Connect:Direct FMH71 are added for ZEDC support to avoid error messages when unknown values are encountered. The following values are added: "ZEDR", "ZEDS", "ZEFR", "ZEFS", "ZERR", "ZERS", "ZWIN", "ZWIR", "Z15R", "Z15S", "ZIFR", "ZIFS", "ZBFR", "ZBFS", "ZEHR", "ZEHS", "ZEIR", "ZEIS" "ZIIR", "ZIIS", "ZIJR", and "ZIJS" RTC528288 (CM) - Allow space char at end of SFTP password prompt For password prompt overrides in the SFTP adapter, e.g. kb.pwd.prompt or kb.sec.code.prompt, any space character at the end of the prompt would be stripped. Resolution: Now allow the space character to be specified by spelling out the unicode value for a space: \u0020. RTC528506/ (Engine,CM) - Remove/rename seas.log from CM, engine The seas.log is unused in the CM and does not have anything to do with SEAS in the engine. Resolution: Remove the seas.log from the CM log directory. Rename seas.log to sspengine.log in the Engine log directory so it may be used to log access to the engine from the SSPCM. RTC528659/IT20207 (Engine) - SSP restarted due to OOM errors The SFTP session config objects were not consistently getting disposed of and were causing a memory leak, resulting in a Java OutOfMemory exception. Resolution: Now properly dispose of the session config object at the end of each session. RTC528702/IT19672 (CM,Engine) Install failure causes secure protocols to fail after upgrade Customer had security software on their Linux box which prohibited running the InstallAnywhere scripts out of the /tmp directory. InstallAnywhere silently failed to copy the JRE libraries that we need to do unlimited strength security. Resolution:  Updated InstallAnywhere to check the return code from the "CopyJreLib files" step and put out a message panel to let the installer know they should set 2 environment variables and restart the installation to ensure that the InstallAnywhere scripts can run in their work directory. Workaround: Prior to running the install, set the following environment variables to point to a work directory other than /tmp (example, $HOME): export IATEMPDIR= export TEMPDIR= RTC529443/IT19491 (Engine) - SFTP adapter won't come up when HSM is enabled. The SFTP adapter will not start when HSM is enabled in security.properties. Resolution: Updated the SFTP toolkit API (Maverick) to use IBMJCE for algorithms handling the SSH private key. RTC529446/IT19332 (Engine) - Unable to use HSM keystore without password The SSP engine was not able to access ncipher HSM when HSM keystore password was set to blank Resolution: Now initialize the HSM interface with proper values for blank/null passphrases. RTC529453 (CM) - Ship a separate security.properties for SSP CM Resolution: Ship a separate copy of bin/security.properties for the SSP CM. RTC529530 (CM,Engine) (HSM) No longer ship setupHSM.bat or .sh and remove them if they exist. The setupHSM is no longer valid to run as all the support for HSM is contained in the IBM JRE. Resolution: The setupHSM.bat or .sh scripts are no longer shipped, and are removed at upgrade time with an InstallAnywhere post-install step. RTC530844/IT19443 (Engine) - (CD) Allow client-only certs in server authentication. This is similar to RTC519253/IT18066 for server-only certificates after an upgrade from SSP341x. If Secure+ is turned on for a CD SNode, and the node presents a server certificate with an Extended Key usage of SSL Client, the SSL handshake fails with CSP057E "exception in processing com.ibm.jsse2.util.j: Netscape cert type does not permit use for SSL server". This is an RFC restriction imposed by the IBM JSSE toolkit. Resolution: SSP is updated to allow SSL client certificates for CD server authentication by default. A new property can be set in the CD adapter, AcceptClientOnlyCertForServerAuth, to override this behavior. Settings are true - (default) allow the handshake and produce message CSP998I to list the SNode and subject name of the certificate showcert - same as true, but also append the full certificate listing false - reject the handshake with message CSP997E. RTC530859/IT19451 (Engine) - (CD) Accept "TLS" and change to "TLSv1" Some configurations from older levels of SSP contain "TLS" as the protocol to be used for the C:D netmap. "TLS" is not a valid protocol in the IBM JSSE. "TLSv1" is the correct name for version 1 of TLS. Resolution: Updated the code on the engine to recognize "TLS" and convert it to "TLSv1". Workaround: Do a Save in the GUI on the affected netmap node(s) to assign the correct TLSv1 protocol setting. RTC531365/IT19649 (CM) - SSPCM users unable to change password after upgrade SSP CM users were unable to successfully perform a password change when the SSP CM was upgraded from a version previous to 3430. A new string for specifying which special characters to allow in a password was not being populated during an upgrade and users got the message, "password must contain these special characters null" Resolution: Added logic for SSP CM during startup, to validate and correct password policies that have "mustContainSpecialCharacter" set but no default special character string set. Workaround is to simply save the password policy in the GUI, and it will self-correct. RTC531976/IT19734 (Engine) - SFTP sessions fail when HSM is enabled When HSM is turned on in the SSP Engine, the IBMPKCS11Impl provider is added ahead of the IBM JCE in the Java security provider list, which causes SFTP sessions to fail. Resolution: Now ensure that we use the IBM JCE for certain ciphers like the DH key exchange. RTC532302/IT19647 (CM) - REST: Don't require truststore for http inbound node if client auth is not enabled When using the SSP REST APIs to update an HTTP netmap with security enabled, an error is thrown if the HTTP inbound node does not specify a trust store, even when client auth is not enabled. Resolution: Update the REST validator to not require a trust store name when client auth is not enabled for HTTP inbound nodes.   RTC532854/IT19863 (CM) - REST API unable to use TLS1.2 to SSP CM Web Customer updated their SSPCM Web server to use the TLS1.2 protocol, but then the REST API would not connect to it. Resolution: Corrected the SSP REST API connections to use whatever protocol (SSLv3-TLS1.2) that the SSPCM is configured to use Prior to this fix, only TLSv1 protocol could be used. RTC533058/ (CM,Engine) - Shutdown scripts hang with JRE 1.8 on AIX The delay was caused by getRandom not getting enough entropy to initialize the seed value for the random number generator. Resolution: Set securerandom.source=file:/dev/random in the java.security file. This accesses the default random source on unix platforms and it works with no delay. RTC533345/ (Engine) - (CD) Session fails because "End user tried to act as a CA" CD node was sending an old 1999 Entrust root CA in their certificate chain during the SSL handshake. The certificate used the old NetscapeCertType [SSL CA; S/MIME CA; Object Signing CA] extension instead of the newer BasicConstraints:[CA:true ...] extension. The IBM JSSE toolkit was ignoring the Netscape extension and rejected the certificate with javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: End user tried to act as a CA. Resolution: Back in RTC530844, SSP was updated to allow Customers to bypass a certificate exception by including a portion of the exception message in a new adapter property, "AcceptClientServerText". The Customer added this property to their CD adapter to allow this old root CA: "AcceptClientServerText" = "End user tried to act as a CA" (case sensitive, without the quotes). The engine required a restart for the adapter to pick up the change. This defect updated our trust manager code to print out the exception text if the certificate is about to be rejected. RTC533482/IT20234 (Engine) - CD transfers not working with SSLv3 Customer has a legacy CD partner which still uses the SSLv3 protocol. However, SSLv3 was not working because the protocol specification was being passed to the IBM JSSE as uppercase "SSLV3" instead of "SSLv3" which the JSSE requires. Resolution: Now pass the correct "SSLv3" protocol to the JSSE when the netmap node definition is "SSLv3" or "PNode Controls the SSL protocol". Note: Since SSLv3 is disabled by default, see the notes for IT07375 to allow it to work for a legacy partner. RTC533580/ (CM) - REST unable to import exported configurations Several errors have been exposed in the SSP REST API validation when users export their entire configuration with "export entity=sspCMConfigs" and then attempt to import the same file back in. Problems found: o C:D Netmap: Common Name checking didn't allow blanks in names o C:D Netmap: Verify Common Name required client auth to be enabled o C:D Netmap: Old Certicom protocols rejected (TLS1-ONLY and TLS) o C:D Netmap: Node names not allowed to start with a dash "-" o C:D Netmap: Nodes rejected without the ACLOutboundRequired xml tag o KeyStore Certificates: old "templateNames" keyword mis-handled o KeyStore Certificates: Was rejecting expired certificates o CM Users: Only the role of "admin" was accepted o sysSslInfo: Validation required list of cipher suites o Error messages needed to be improved to aid in problem determination Resolution: Corrected the above issues so that exported configurations could be imported again via the REST API. RTC533680/IT20027 (Engine) - RU size negotiated to 16259 when using Secure+ on one CD node and non-secure on the other. C:D Windows and C:D UNIX put SSLB=fals in their FM68 when establishing a non-secure connection. This indicates that SSL blocking cannot be used to add multiple SSL buffers into a single RU. SSP only adds SSLB=true when the SSLB keyword is not present in the FM68. Resolution: Now recognize when SSLB-fals is sent from a non-secure node and change its value to true on the SNode side so that SSL blocking can be done on the secure side. RTC533801/ - Upgrade to Java 1.8 for Java January 2017 security fixes Resolution: Upgrade to IBM JRE 1.8 SR4.1 to take advantage of the improved security features. This level of JRE addresses several Java vulnerabilities documented in the Security Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22001966 ACTION: Java 1.8 will not install on Redhat 5. See this web page for the list of supported platforms: https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.lnx.80.doc/user/supported_env_80.html ACTION: Disables Triple-DES (3DES_EDE_CBC) and DES ciphers. If your site is using TLSv1 and above, there is no need for 3DES, since AES ciphers are available. However, if you still have trading partners who have not switched to TLS* protocols and need to keep the SSLv3 protocol, you must retain the 3DES cipher as well, as AES ciphers do not work with SSLv3. To allow SSLv3 and 3DES do the following: 1) Edit the /jre/lib/security/java.security file and change the following line from jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede to jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768 2) You must also add the -Dcom.ibm.jsse2.disableSSLv3=false java parm to the engine startup parms. See the writeup for IT07375 in this fixlist for instructions. Note that the new Java 1.8 contains the following new parameters in the ./jre/lib/security/java.security file. See that file for additional comments. # IBMJCE and IBMSecureRandom SecureRandom seed source. securerandom.source=file:/dev/urandom securerandom.strongAlgorithms=SHA2DRBG:IBMJCE # Controls compatibility mode for the JKS keystore type. keystore.type.compat=true (allows JKS or PKCS12 format) jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ DSA keySize < 1024 (DSA keysize parm added) # Algorithm restrictions for signed JAR files jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024 (all new) # Algorithm restrictions for SSL/TLS processing jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede (Note: Disabling 3DES_EDE_CBC, DESede is new for this release) # Legacy algorithms for SSL/TLS processing (used as last resort) jdk.tls.legacyAlgorithms (New in 1.8, but not configured) # Policy for the XML Signature secure validation mode. jdk.xml.dsig.secureValidationPolicy=\ disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\ disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\ maxTransforms 5,\ maxReferences 30,\ disallowReferenceUriSchemes file http https,\ minKeySize RSA 1024,\ minKeySize DSA 1024,\ noDuplicateIds,\ noRetrievalMethodLoops RTC533907/ (Engine,CM) - InstallAnywhere on Windows shows ERROR: Failure in the CopyJreLib step After installing the fix for my defect 528702, Windows installs were showing an install step of "ERROR: failure in the CopyJreLib step". There was no actual failure, it just looked like one. Resolution: Changed the title of the panel from "ERROR: failure in the CopyJreLib step" to "JreLib Copy Check" and moved the "ERROR:..." down into the body of the panel. The panel should not show up unless there is an error in the CopyJreLib step. RTC534003/IT19950 (CM) - Error when executing configureCmSsl.sh The Customer wanted to limit the number of ciphers available for the CM. However, the ./configureCmSsl.sh -u cmCiphers=... command was getting ***Invalid value for cmCiphers: java.lang.NullPointerException and the /configureCmSsl.sh -u webCiphers=... command was getting ***Invalid value for jettyCiphers: java.lang.NullPointerException. Resolution: Moved the call to parse arguments in configureCmSsl to happen after all the relevant objects have been initialized. Workaround: Add the protocol cmSslProt=TLSv1.2 to the configureCmSSL.sh command. (or TLSv.1, TLSv1.1) RTC534483/IT20590 (Engine) - SFTP adapter policy (password+key) doesn't report failed logon attempts When the SFTP Policy of Key AND Password auth is used, audit messages related to key authentication success and failure are not logged. Resolution: Now generate audit log messages for key auth failure/success when Key & Password auth is used. RTC534665/IT20206 (Engine) - Invalid CD copy step causes NPE in validation C:D Windows was somehow generating a process where the COPY step did not contain a destination file name (DDSN in XDR). When SSP attempted to validate the FMH71, it got a NullPointerException in PasCdCbDelegate.getLocalCBType() Resolution: Now detect the missing file name and throw a new FmhLogicException with message "CDSP099E CCB did not validate - missing source/destination file name" RTC535210/ (Engine) - RAS Enhancement - Add new switches for heap dumps and SSL debugging Reliability/Availability/Serviceability (RAS) enhancement to the startEngine.sh and startEngine.bat scripts. 1) By default, capture heap dumps also when asked for a user javacore dump. 2) Add Java SSL Debug parms (# Z=...) so they can be uncommented and used. 3) Create /bin/startEngine.log with one line per startup for history RTC535333/ (Engine,CM) - Data Collector updates Customers are asked to run the data collector scripts when opening a PMR to gather common information which can help with problem resolution. (runEngineDataCollector(.sh/.bat) and runCMDataCollector(.sh/.bat)) Resolution: Added additional artifacts to the default collection - Full recursive listings of install directories - More complete gathering of property files - Optional parm "includeDumps" which pulls any dumps from today - Optional parm "includeConfigs" which dumps Customer's configs RTC535517/IT20520 (Engine) - Error on first block when enabling data encryption When decrypting and encrypting data during Secure Plus sessions, the session may fail and the SNode report, "MSST=The buffer to hold the data is too small. Length=4." Encrypted data, when decrypted and re-encrypted for the outbound side, can be larger than the negotiated RU size. Resolution: Now ensure that the decrypted data for the outbound side will fit into the RU. If not, split the data into two RU's. RTC536410/ (Engine) - Spurious RejectedExecutionExceptions in log during load testing During internal load testing after applying RTC536506, discovered that there were still RejectedExecutionExceptions in the log. When we added code to call logoffUser() on disconnect event on a ThreadPoolExecutor, the eventlistener was getting called even after the sftp adapter was shutdown, resulting in java.util.concurrent.RejectedExecutionExceptions being thrown. Resolution: 1. Catch the RejectedExecutionException and log an error msg. 2. Remove the event listener from the EventServiceImplementation instance when the adapter is taken down. 3. Ignore the disconnect event if the connection does not pertain to this sftp adapter (i.e. when more than one sftp adapters defined for the engine). RTC536506/IT20338 (Engine) - SFTP maverick log getting numerous exceptions for each SFTP logoff. After applying RTC523287 in SSP3430 iFix 2 Plus, the Maverick log was getting flooded with numerous exceptions with every SFTP logoff. Exception from event listener java.util.concurrent.RejectedExecution- Exception - rejected from java.util.concurrent.ThreadPoolExecutor. The problem happened after the SFTP adapter was brought down and back up. Restarting the engine clears the problem. Resolution: Now close the SFTP adapter's event listener whenever the adapter is taken down and create a new one at adapter startup. RTC536899/ (CM) - SSP REST API import errors detected Cleaning up several errors encountered during REST imports: 1) ERROR ObjectFactory - unexpected element (uri:"", local:"sftpPolicyDef"). Expected elements are <{}ftpPolicyDef> 2) ERROR SSPGUIAgent - Exception : GUIException: SYST039E SessionId: 1 - Error Validting System Settings: defSslInfo; Validation of keystore failed: Keystore was tampered with, or password was incorrect 3) Problem importing passwords in netmap entries for ftp, http and sftp Resolution: Corrected the SFTP, keystore, and password issues encountered during REST API imports. RTC536951/IT20749 (CM) - Hashed password returned in CM display When logged into the CM and accessing the local or CM user stores at SSPCM->System->CM Users or SSPCM->Credentials->User Store->defUserStore, a View Frame Source operation will show the hashed password value for a user. The value is not readily usable. Resolution: Now mask the password values when returning them to the CM GUI, but allow them when returning to the REST API. RTC537305/IT20816 (Engine) - SSP Engine OutOfMemory (OOM) exception when CD adapter gets out of sync with local PS In some situations, when the connection between SSP and the outbound Perimeter Server (PS) is lost and restored, the CD proxy adapter can think that its listener is down, while the local inbound PS is still accepting connections on its behalf and queueing them up. No useful work is done by the CD adapter. If the situation goes undetected, the load balancer health check pings can lead to build up of connection objects and eventually cause the OutOfMemory exception. Another symptom is the CD adapter hung in "Waiting on connection to the PS server" state at startup. Resolution: Improved the startup of the CD adapter as well as the recovery of the listener after an outage event on the outbound side. RTC537525/IT21212 (CM) - configureCmSsl script gets error - No supported private key marker found in PEM stream When running the configureCmSsl.bat -r command to restore to factory settings, it can get ***No supported private key marker found in PEM stream. Resolution: Added better logic to determine if the keycert is in PEM or PKCS12 format. RTC538591/IT20896 (CM) - Error accessing certificates in the trusted keystore after upgrade from 3.4.1.8 After SSP3420, the SSP CM could not import into the trusted store if the certificates had a private key imbedded. And certificates currently in the truststore could not be seen. Resolution: Now ignore any imbedded private keys during an import to the truststore by focusing only on what is between the BEGIN CERTIFICATE/ END CERTIFICATE pairs. At CM startup, remove private keys from existing public keys in the Trusted Certificate Store so the IBM JCE toolkit can process them. RTC538758/IT20889 (Engine) - Avoid NPE when SFTP adapter shut down An SFTP session can get a NullPointerException (NPE) when the SFTP adapter is stopped. Any session just starting that requests a back end session will get a null object, and a NPE. Resolution:  Now ensure when requesting a back end session that it is non-null before attempting to write to it. If not, return an error message instead of a NullPointerException. RTC538773/IT21115 (Engine) - (Failover) EAProxy deadlock due to method serialization When multiple adapters are using SEAS and also configured for failover detection, a deadlock can occur in the EA_Proxy class due to synchronization at the method level in the timer task. Resolution: Updated the EA_Proxy failover code to no longer synchronize at the method level, but instead synchronize on 2 local objects to ensure that no deadlocks occur. RTC539383/IT20879 (CM) - Unable to see the all trusted certificates in Netmap > Outbound > Security The SSP CM did not recognize public certificates without imbedded PEM-linefeed delimiters. The Customer had a certificate which was delimited with spaces instead of the linefeed character. Resolution: Now strip the incoming certificates and internally reformat them into linefeed-limited PEM format. RTC540353/IT20845 (CM) - RestAPI import failed with ERROR SspCMConfigService - sysGlobalsDef Host required The Customer defined a new JMS configuration in the CM->System->System Settings and left the default auditLogJmsConfig configuration (which has no host information). After doing a REST export of entity=sspCMConfigs, the import operation got the above failure because there was no hostname in the auditLogJmsConfig definition. Resolution: Now validate the JMS configs only when referenced elsewhere in the configuration. RTC540861/IT21120 (PS) - PS upgrade fails to replace JRE when jre directory is owned by another user/group The Customer had changed the ownership of the /jre directory prior to doing the PS install/upgrade. The JRE was not updated, and no error messages were written. Resolution: Corrected the PS installer to recognize an error occurred and report it. RTC541553/ (CM,Engine) - Factory cert expiring December 1, 2017 The Sterling Secure Proxy (SSP) factory certificate that comes with the product is expiring December 1, 2017 at 10:54 PM EST. The factory certificate is shipped as the default certificate for the secure connections to the SSP Configuration Manager (CM) GUI and between the SSP CM and the Engine. Similar to replacing the "admin" userid which is shipped with the product, the factory certificate is intended to be replaced by the Customer once the product is up. ACTION: If you are still using the factory certificate for the CM and the Engine you need to replace it before December 1, 2017. Failure to do so will result in the SSP CM being unable to push new configurations to the Engine and users being unable to login to the CM. The following link is to a knowledgebase article with instructions for checking to see if you are still using the factory default certificate and if so, how to replace it with your own. If you still need assistance with replacing the factory certificate please open a new PMR. http://www-01.ibm.com/support/docview.wss?uid=swg22004773 Resolution: For NEW installs (not upgrades), the default factory certificate has been updated with one that expires in the year 2037. RTC542091/IT21139 (CM) - (CD) Include all ciphers for PNODE Controls When configuring a CD netmap node with "PNODE Host controls SSL Protocol", ciphers with SHA256 and SHA384 are not shown. Resolution: Now include all the ciphers from the CD TLS1.2 list in the "PNODE Host controls SSL Protocol" list. Similarly, for the FTP and HTTP protocols, the list for the "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" selection has been reworked. RTC542503/IT21213 (CM) - (REST) Add more information to error message when importing SSH KeyDef During a REST API import of an SSH KeyDef, a particular key was failing to validate, but there was nothing in the cms.log file which would point to which key was failing. Resolution: Improved the error message from the REST API to report which SSH key is failing to import properly. RTC542640/IT21204 (CM,Engine,PS) - Turn off world-writable files Customer has a requirement that no files be created with write privileges by all users (i.e. UNIX "Other" ......RW.). By default, the JRE creates a temporary directory under /tmp/.com_ibm_tools_attach for monitoring programs to attach to (e.g. Dynatrace). One file based on the pid called attachNotificationSync has permissions of -rw-rw-rw-. Resolution: Added -Dcom.ibm.tools.attach.enable=no to all scripts associated with SSP, SSPCM, PS, and SEAS so that these world-writable files would no longer be created. ACTION: If you use third party monitoring tools to monitor SSP or SEAS, you may need to change to -Dcom.ibm.tools.attach.enable=yes in the startup scripts. RTC542811/IT21439 (Engine) - SFTP with zlib compression is not working SFTP with zlib compression has not been working since SSP3418. The session connects and gets SshException: com.jcraft.jzlib.ZStream [java.lang.NoClassDefFoundError]. Resolution:  Now include the jzlib-1.1.3.jar file in the distribution so that our Maverick SFTP toolkit can call the zlib compression utilities. Build 154 updated to include the jzlib jar in the classpath when running SSP as a service under Windows. RTC543000/IT21407 (Engine) - Option to roll over log files at midnight The Customer needed a way to roll logs for archive on a daily basis Made changes to allow a cron pattern in bin/log.properties and conf/log4j2.xml to control time based rollover. Sample of setup provided in new bin/log.properties.install and conf/log4j2.xml.install files. RTC544511/IT21482 (Engine,CM) - New protocol option for TLS1.0-1.2 only The Customer's auditors did not like seeing a protocol selection which included SSLv3. Resolution: Add new choice for C:D, HTTP and FTP which includes "TLSv1, TLSv1.1 or TLSv1.2" without having to select the option "SSLv3, TLSv1, TLSv1.1 or TLSv1.2". RTC544966/ (Engine) - (SFTP) Correct 5 second delay at the beginning of a session The Customer noticed a 5 second delay at the beginning of each SFTP session that connected. Resolution: Added a selector wakeup in the code before the channel registration with the selector to mitigate the delay. RTC545321/IT21567 (CM) - (REST) Password corruption on HTTPnetmap HTTP Netmaps may contain passwords for outbound connections. However, the REST API code for updating the netmap stripped off critical information causing the passwords to be corrupted. Resolution: Updated the REST API to no longer strip off critical information when handling any Netmap entry. RTC545688/IT21592 (Engine) - (CD) Common name can contain comma If certificate common name matching was turned on for CD Secure Plus transfers, the comparisons would fail if the common name was the last field in the Subject or if it had a comma (,) in it. Legacy code was relying on the comma as a terminator for the CN= field in the certificate. Resolution: Converted from legacy parsing to use the X500Name field built into Java certificate processing. RTC545903/IT21596 (Engine) - (REST) Error loading C:D Adapter with EA PS When a CD adapter is configured with a remote perimeter server (PS) for the External Authentication (EA) server, the REST API was erroneously marking it as invalid. Invalid value specified for perimeter server out name(psEA) Resolution: Now correctly allow an EA PS definition in the CD adapter during REST API update. RTC546159/IT21867 (Engine) - Error resuming an SFTP transfer Error resuming the partial upload of a file (curl -C option). SSP logs this error : "Closing remote client connection due to command decode policy:SSH_FXP_OPEN, version:3, Reason:invalid flag:6 request due to {1} request". Resolution: Fixed an internal SFTP command validation error. RTC546370/IT22549 (Engine) - (SFTP) One line password prompt not working Displaying of a single line password prompt is not honored when the property "kb.single.password.prompt=true" is set in the SFTP Proxy Adapter. Resolution: Made changes to turn off keyboard interactive prompting when kb.single.password.prompt=true is set or defaulted. RTC546604/IT22033 (Engine) - SSP Engine needs to send HTTP security headers The SSP HTTP adapter is not sending desired security headers in the HTTP responses sent to the browsers: Resolution: Added the following Security Headers with the default values, some of which can be customized through adapter properties: Strict-Transport-Security: max-age=31536000;includeSubDomains X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN (override with Adapter property 'X-Frame-Options.value=...' ) Referrer-Policy: no-referrer-when-downgrade (override with 'Referrer-Policy.value=...' Content-Security-Policy: default-src 'self' https (override with 'Content-Security-Policy.value=...' Also property like the following for each of these headers will control how the header needs to be handled if one is sent by the backend server. e.g Referrer-Policy.override = ignore | no | add | replace ignore - SSP will not add this header no - SSP will not add the header if a header is sent by the backend server add - SSP will add an additional header, if a header is sent by the backend server replace - SSP will replace the header, if a header is sent by the backend server RFE547267/ (CM,RESTAPI) - Enhancement - Ability to disallow concurrent SSP CM sessions The Customer has a security policy that allows only one CM session at a time per user. Resolution: Added a checkbox to CM -> System -> System Settings -> Globals called, "Allow multiple sessions per user". Default is checked, which is the current behavior. To handle the case where a user forgets to log off and holds a session, added a default 15 minute timeout. This default value can be changed with a system property, -Dsspcm.idle.timeout.min=15, added to the java startup line(s) in the startCM.sh script for UNIX, or to the lax.nl.java.option.additional parameter in the SSPcm$.lax file for Windows. Also added support for backward compatibility within the RESTAPI. RTC547559/IT22014 (CM) - Allow REST API to run concurrently, support better format for encrypted passwords The Customer needed a way to run concurrent copies of the SSP REST API and insure that update conflicts could be detected and retried. Resolution:The SSP REST API has been changed to allow for concurrent SSP REST API users to be able to run and to insure that their updates will not regress an update done by another user. The sample Java programs in SSPCM/sdk/SSPCMRESTAPI.zip have all been updated to illustrate the use of the new RestUtils.getVerStampFromXML(xml) method which returns the version stamp after a "get" operation. Update calls now include the version stamp, e.g. updateNetmap(xml, "HTTPNetmap", verstamp)) which should be the same unless another task has updated the object after our "get" was done. Also cleaned up various other REST messages and issues. Second issue with passwords: The original encryption of passwords returned to the SSP REST API required newline (\n) characters, which HTML can strip off. If the newline character is stripped, the password can no longer be decrypted. It is corrupted and causes the size of the object being updated to grow each time the object is updated. Resolution: Now use a base64 encoding on the entire password field when encrypting passwords for a SSP REST API export or get operation. This hides the newline characters so that the import/update can be done with HTML. When receiving a new object, validate the consistency of the password field in the old or new format before storing it internally. Also added restrictions on password values: o It cannot contain \n or \r characters o It cannot be null or empty o It cannot be longer then 1024 characters (unless overridden by a System property (-Dpassword.length=nnnn) when CM is started). RTC548552/IT22537 (Engine) - Intermittent SFTP transfers through SSP show as an "ABORT" in SFG Various SFTP clients requesting files from SFG were causing intermittent issues when they closed the file and immediately disconnected without waiting for the result of the close operation. If SFG does not get the close command, it assumes the file was not successfully downloaded and marks it available, which can result in duplicate sends. Resolution: Handled one case where SSP can get into a race condition and not send the close command to SFG if it detects the client has already disconnected. All other cases are caused by the client. Workaround: Have the client add an operation such as a directory command after the download to ensure the client hangs around long enough for the close command to be delivered to SFG. RTC548827/ (CM,Engine) - IPv6 support for SSP and SEAS Resolution: Added support for iPv6 by - Removing the disabling IPV6 from the engine and CM startups - Changed the validators in all address fields to allow IPV6 addresses where IPV4 addresses were allowed  - Changed HTTP usage of IPV6 so that IPV6 addresses are enclosed in square brackets (RFC requirement). RTC550068/IT22538 (Engine) - SFTP leaving leftover sessions.  Customer was seeing a handful of SFTP sessions in ESTABLISHED mode which stayed for hours. They could be cleared by restarting the SFTP adapter. Resolution:   Upgraded the Maverick SSH toolkit to include a new fix which times out a session if there is no attempt at a handshake in 30 seconds. (New Maverick jars - J2SSH-1.6.32, SSHD-1.6.39, Common-1.1.18) RTC550113 (CM) - Error writing to UDP audit syslog when configuration change record exceeds 65k Customer getting ERROR Unable to write to stream UDP: addr:port for appender proxy.syslog.audit.appender" when a configuration change causes an audit record to be written which exceeds 65k. The limit on a UDP write is 65K. Resolution: Now document an exisiting option in the log.properties file that syslogd.protocol=TCP can be specified to override the default of UDP. RTC550278/IT22371 (Engine) - (Pesit) Allow Pre-connection phase to be optional with TCP connections Some PeSIT products do not send the pre-connection message and the PeSIT adapter rejects incoming client with no pre-connection. Resolution: Pre-connection has been made optional in the PeSIT adapter. RTC550295/IT23475 (PS) - Perimeter Services Messages ALWAYS getting logged only under DEBUG Customer noticed that after SSP upgraded the PS from PS4660 to PS4662 these periodic 'ALWAYS' log messages were only getting logged as DEBUG messages. The messages have value, but not at the expense of running the PS in DEBUG mode: MemoryManager (SingleBar strategy) current allocated bytes: n, current count: n, high water mark: n, h.w.m. count: n, denied preallocations: n - (This message comes out every 10 minutes by default) PhysicalConnectionManager connections: active: n, listening: n, loopback: n - (This message comes out every 2 minutes by default) Resolution: Added 'ALWAYS' log level in SSP to match the one in PS. RTC550367/ (Engine) - Set correlator on EA failover ping request so it can be suppressed in EA log When failover checking is requested on SSP adapters, the resulting "pings" to SEAS can result in multiple log messages, making the SEAS log difficult to read. Resolution: Now add a correlator on the ping request to SEAS, "EAPING-sspDUMMYprofile", which SEAS can detect, so it suppresses the messages related to the SSP pings. RTC550968 (Engine) - New HTTP headers cause problem with Chrome 6 new security headers were added to messages returned by the HTTP adapter by RTC546604. 2 of them, X-Content-Type-Options and Content-Security-Policy have been found to cause problems with Chrome and some other older browser version. Resolution: Now disable these 2 headers by default so they don't cause problems for existing browsers. RTC551227/IT22491 (Engine) - Avoid Perimeter race condition causing C:D z/OS error messages (SVTM091I and SVTM090I) At times, the last RU to be sent to the SNODE by the C:D Adapter is not sent when the close of the socket occurs too quickly. Resolution: A short wait (default 200ms) is introduced before the close to avoid this problem. This wait time can be changed with a Java property in the SSP engine startup: -Dcd.close.wait=200. RTC551786/IT23476 (Engine) - Updated Maverick to SSHD 1.6.41, J2SSH 1.6.34 After upgrading from SSP 3.4.1 to 3.4.3 iFix4 the Customer was experiencing intermittent connection failures through the SFTP adapter. The connections appear to have a successful SEAS Authentication, however the connection is then terminated for no obvious reason. Resolution: Upgraded the SSH Maverick toolkits to the SSHD 1.6.41 (server side) and J2SSH 1.6.34 (client side) levels. RTC552345/IT22825 (CM) - SHA2 and SHA3 Cipher Suites not available when selecting "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" When selecting "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" in the CD, HTTP, or FTP netmap security tab, there were no SHA256 or SHA384 cipher suites listed. Resolution: Now default to 18 cipher suites, including at least 5 each of SHA256 and SHA384 for the following protocol selections: "TLSv1, TLSv1.1, or TLSv1.2" (Inroduced with RTC544511) "SSLv3, TLSv1, TLSv1.1, or TLSv1.2" "The PNODE Host controls SSL Protocol" (CD only) PSIRT9227 (Engine, CM, PS) - Update JRE 1.8 to SR4 FP10 (8.0.4.10) Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2017 level for all the security patches. RTC552273/ (Engine) - Security Headers causing errors in rendering SSO HTTP proxy portal pages The Security Headers (Content-Security-Policy, X-Content-Type-Options) introduced in RTC546604 and disabled in RTC550968 were causing errors in rendering Single Signon (SSO) HTTP proxy portal pages. Resolution: Reworked these defects to not add the following security headers by default: Strict-Transport-Security, X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Content-Security-Policy. Updated the SSO html pages, javascript, and java code to avoid browser side errors. Action: To send these headers, add HTTP Adapter properties as shown below: Strict-Transport-Security.value = max-age=31536000 X-XSS-Protection.value = 1; mode=block X-Content-Type-Options.value = nosniff X-Frame-Options.value = SAMEORIGIN Referrer-Policy.value = no-referrer-when-downgrade Content-Security-Policy.value=default-src 'self' https: Note: Sending the 'Content-Security-Policy' header can cause existing backend application pages to not get displayed correctly if they have any in-line scripts or in-line style in their html. Action: For headers already being sent, one can specify HTTP Adapter property '
.override' = ignore - SSP ignores and does not send this header. replace - SSP removes any of these headers sent by the backend server before adding the value specified. add - SSP simply adds these headers, even if they are present already (sent by the backend server) no- SSP does not replace the header if it is present already. This is the default behavior. Action: Any custom response header can be sent by specifying an HTTP Adapter property like the following: resp.header.1.key=
resp.header.1.value=
resp.header.2.key=
resp.header.2.value=
... Action: When upgrading, if you have customized the SSP portal pages before, you need to update the portal pages from this iFix upgrade with your customization. Also, there is a new properties file in this upgrade : /bin/portal/mediatypes.properties. If you have any new files under the /Signon dir because of customization and if the extensions of these files are not present in the mediatypes.properties file, please add entries as appropriate to this file. RTC553906/ (Engine) - (HTTP) 'must change password' does not work if browser makes favicon request This is related to the SSP HTTP Portal, when the password is reset by the admin, and LDAP requires the user to change his password after login. If the browser makes a request for favicon (/favicon.ico) for the change password page, SSP logs the user out takes the user back to the login prompt out of the change password page. Under this circumstance the user is unable to login to the SSP HTTP portal. Resolution: Changed SSP to automatically handle a favicon name of "favicon.ico". Also allow the user to specify a list of valid favicon names with HTTP SSO property 'favicon.names=favicon.ico,favicon2.ico, etc". If a request comes for /favicon.ico, SSP renders the file under /Signon/resources/. Any custom favicon files need to be copied to Signon/resources/ (and after each install/upgrade). RTC554088/IT23494 (Engine) - Support EPSV and EPRT FTPs commands The Customer's trading partner was restricted to using an FTPs client in IPv6 mode, which is not allowed to use the PORT and PASV commands for specifying a data port. Resolution: Added support for the "extended" EPRT and EPSV FTPs commands when a client uses them. The response for the EPSV command only includes the port number we are opening: 229 Entering Extended Passive Mode (|||6446|) RTC554173/IT23167 (CM) - CM scripts not honoring the TLS protocol version from CM security Sytem Settings Customer changed the CM TLS protocol from TLSv1 to TLSv1.2 using configureCmSsl.sh and exported it to the engines with configureCmSsl.sh and configureEngineSsl.sh. Afterward, the manageKeyCerts.sh script would not work. Resolution: Fixed the manageKeyCerts and manageCSRs scripts by updating the underlying code to use the TLS protocol from the CM security System Settings. RTC554225/ (CM) - Poor error message when importing expired certificate When importing an expired certificate into the CM, the error message is "Certificate data could not be validated". Resolution: Now put out the message "Certificate data could not be validated or certificate expired. Check Valid Until date." RTC555530/ (Engine) - SFTP log showing parameter place holders: {1} Some of the SFTP Adapter log debug messages have parameter place holders like "{1}". Example: "SSE2633 Closing Closing backend session due to ending sessions from sftpsubsystem: did not close session request due to {1} request" Resolution: Corrected the messages and calls to ensure the placeholders are used correctly. PSIRT10042/IT23654 (CM) - Possible vulnerability in Apache Commons Fileupload toolkit Resolution: Upgraded to use commons-fileupload-1.3.3.jar to resolve a possible security vulnerability. This toolkit is used by the SSPCM GUI in the secure zone when importing certificates. For more information, see http://www.ibm.com/support/docview.wss?uid=swg22012458. RTC556199/IT23554 (CM/Engine) - SSP import replace in HSM fails if key with same alias already exists in HSM When trying to replace a certificate in the HSM, with the command ./manageKeyCerts.sh -import certName= ... replace=y Getting the error ***SSP0044E Error adding key-certificate: Cannot add key-certificate to keystore. Alias already exists. Resolution: Now correctly honor the replace request. RTC556393/ (Engine) - Improve SSP logging for C:D XDR keyword error When a remote C:D node sends in an FMH with a keyword that SSP has not been updated to recognize, SSP spits out a very verbose set of error messages which clutter up the log: CSP031E 16 Invalid protocol message or message key. CSP032E 16 cvc-complex-type.2.4.a: Invalid content was found starting with element 'xxxx'. One of '{aaaa, bbbb, ..., zzzz}' is expected. Followed by a multi-line (20+ lines) dump of the FMH Resolution: Now capture the Exception and parse it to get the KQV value that is missing and report it in a one-line message: CSP032E 4 KQV keyword "APID" found in FM68, but not defined in XML schema definition RTC556544/ (CM) - Improve console output for sspRestAPI script when connection cannot be made. When a SSPREST connection can't be made to the SSPcm, the console is flooded with Java exceptions and stack traces, obfuscating the reason for the error. Resolution: Now print a simpler error message: Attempting to logon to localhost:28443 as admin ERROR: Unable to acquire connection Only produce the Java exception and stack trace if GLOBAL_DEBUG is set. RTC557073/IT23495 (Engine,CM) - Engine fails to start after upgrading from pre-SSP3420 Upgrade installs of SEAS, SSPcm or SSP engine did not replace the log4j property files and in some cases, the SSP CM and/or SSP engine will not come up properly. Resolution: The installer (during an upgrade) will make a copy of the following log4j files and append a date/time stamp to the name before replacing the file with the current version: bin/log.properties conf/log.properties conf/log4j.properties conf/log4j2.xml ACTION: If there are customizations to the log4j property files, the Customer must retrofit them after the upgrade. RTC557173/IT23483 (Enging,CM) - Add TLS 1.1 and 1.2 protocols for PeSIT The PeSIT Netmap entries should allow TLSv1.1 and TLSv1.2, since Connect:Express (C:X) supports them. Resolution: Updated the SSL/TLS ciphers table to include the additional protocol selections for PeSIT. RTC557986/IT23827 (CM) - REST API responds with 200/OK on invalid netmap XML input REST API Unable to delete first node in CD Netmap When using the REST API to update or delete a netmap node which doesn't exist or has invalid XML tags, the operation was getting a 200 OK return code. Also, it was not possible to delete the first node in a netmap. Resolution: Added xsd validation code to REST API to check for consistency in the XML, and return an appropriate code when an operation fails. ACTION: If REST imports fail due to XSD validation after applying this fix, You may modify the startup parms for the SSPCM to include a new parm to turn off the XSD validation during import. In the bin/startCM.sh script (UNIX) add or replace the following parm: N=-DvalidateThruXSD=false (default is true) In Windows, update the bin\SSPcm$.lax to include the -DvalidateThruXSD=false parm at the end of the line starting with lax.nl.java.option.additional=. RTC558982/IT24252 (CM) - NPE importing keycert with comma, asterisk, or exclamation mark in password. When attempting to import a keycert in .pfx (.p12) format which had a private key with a passphrase containing invalid characters, the admin session ended abruptly with a NullPointerException. Resolution: Now correctly detect the invalid characters in the passphrase and put out an appropriate message instead of knocking the admin out of the session. RTC559115/IT23828 (PS) - Install failed - "CIP_List is not set" when interface not found Customer installing a Perimeter Server, gets the following message during the install dialogs and the Perimeter Server Interface Address choices does not display: ERROR: CIP_List is not set Resolution: Updated the InstallAnywhere exit to set the $CIP_List$ and $CIP_DEFAULT$ variables even if an exception happens while looking for interfaces. RTC559657/IT23829 (CM) - Distinguish in CM logs between REST API and CM GUI configuration updates SSP CM doesn't indicate in the logs whether a session is from REST API or the CM GUI. Resolution: Updated the SSP CM logs (including the Audit Log) to indicate whether a session is from the "REST API" or "CM GUI". RTC560800/IT24125 (Engine) - (CD) CSP057E KQV keyword "FSOK" found in FM71, but not defined in XML schema definition A Connect:Direct session is coming in specifying an Aspera FASP keyword, but the keyword was not recognized by SSP. Resolution: The FSOK keyword has been added to the FM71.xsd. RTC561255/IT24036 (Engine) - (CD) Unable to use Secure+ with Wild Card Nodename feature - %DEFAULT_NODE Customer was attempting to use the wild card nodename feature within the CD netmap to receive connections from nodes not in the netmap. It worked for non-seccure sessions, but not for secure ones. Resolution: Now correctly build the temporary netmap node entry with the security properties from the default definition so that it can properly do the SSL handshake. RTC561382/IT24037 (CM) - (GUI,RESTAPI) Importing multiple certificates into the truststore. Customer was attempting to import a file into the truststore with multiple certificates, but it failed during XML validation. Resolution: Corrected the xsd validation for modify key entries. Also return an error for an attempt to modify an entry that does not exist. RTC561603/IT24112 (CM) - GUI listing AES ciphers for SSLv3 protocol The SSPCM GUI listed AES and ECDHE cipher suites for the SSLv3 protocol, but they are not supported by the IBM JSSE toolkit. Resolution: Removed all the AES and ECDHE ciphers for SSLv3 as there are no ciphers in the IBM JSSE toolkit which work out of the box with SSLv3. Left 3DES as a default as there must be at least one cipher to save a config. To allow SSLv3 as a protocol, see the writeup for IT07375 in this fixlist. To allow 3DES as a cipher suite, see the writeup for RTC533801. RTC561821/IT24660 (Engine) - (SFTP) Password prompted after key auth failed when "Key and Password" auth policy is used The SFTP adapter presents a password authentication prompt, even if the key authentication failed when the authentication policy is "Key and Password" Resolution: Now look for an adapter property "keyauth.reqd.before.pwdauth" set to "true" and shut down the session before password authentication if the SSH public key is not presented or if key authentication fails. Note: This also fixes a nuisance message which some Customers reported: AUTH003E Authentication request received for unknown definition: null. RTC561952/ (CM) - SSPCM - Authentication Bypass Using HTTP Verb Tampering An internal dynamic AppScan test found that SSPCM allowed unauthorized HTTP Verbs (methods). Resolution: Now ensure only valid methods are allowed. RTC562430/(Enh) (CM) - Enhancement to improve listing of certificates to include chains and pkcs12 The listCmCerts utility in the SSPCM bin directory skips certificates in pkcs12 format and only reports on the first certificate in the KeyDef (which can contain a chain of certificates, each of which can have different expiration dates). Resolution: Updated the listCmCerts utility to list certificates from a pkcs12 package, and individually report on all certificates in a key or trust chain (as 1 of 10, 2 of 10, etc). Run cmListCerts.bat (or .sh) with expireDays=365 to show the list of certificates that expire within the coming year. RTC562623/IT24251 (Engine) - SFTP logoff messages with every load balancer ping. After applying the iFix containing RTC534483, the Customer was receiving sftp SSE2726  SessionId: ... disconnected userid: null, logged at INFO level with every load balancer ping. The Customer had the adapter property load.balancer.addr=ip1;ip2 set up correctly to turn off logging for load balancer pings. Resolution: Now emit the SSE2726 disconnect message at DEBUG level if the userid is null. RTC563014/IT24648 (Engine) - SSP not failing back to primary SEAS server When an alternate external authentication server is coded in the SEAS definition and failover code detects that the "primary" address is unreachable, the adapter redirects SEAS traffic to the alternate address. However, when the primary is reachable again, the adapters do not direct SEAS traffic back to the primary SEAS. Resolution: Now determine when the "primary" SEAS is back up and restore traffic to it automatically. Issue a new SSE1852I message indicating that we are closing the secondary EA connection and contacting the primary EA again. SSE1852I Engine Name=MyEngine, Adapter Name=FTP_Proxy, EA Name=EA2. Primary EA server (EA1) is back up, closing connection to EA2 RTC563309/IT24246 (CM) - (RESTAPI) Unable to add HMAC values that are available in the SSPcm UI The REST API could not import a SFTP netmap node with HMAC values of hmac-sha256 and hmac-sha256@ssh.com. The same are available in the GUI. Resolution: Now have the REST API get the valid SSH HMACs, ciphers, etc, from the same property file as the SSP GUI so that they are in synch. RTC563311/IT24440 (Engine) - (SFTP) Client receives password prompt when netmap using a sftpPolicy set to KEY only The Customer has only one sftpPolicy with the Required Authentication Method set to 'Key'. However, SFTP clients were presented with all three auth mechanisms ("password, "publickey", and "keyboard-interactive"). Resolution: Now limit the SFTP auth methods to only those represented by the sftpPolicies pointed to by the netmap. To turn off password prompting, ensure that no sftpPolicies pointed to by the netmap include password or keyboard-interactive. RTC563378/IT24253 (Engine) - Allow suppressing content length header in CD http health check ping response RTC522918 updated the CD adapter to return a content-length header when it is configured to return an HTTP Ping response. This caused an issue for a Customer's load balancer which was hardcoded to receive the response without the content-length header. Resolution: Now support a CD adapter property to turn off the header: ping.response.include.len.header = false will turn off the content-length header again. (default is true). RTC563547/IT24449 (Engine) - Not encoding url correctly when SSP redirects to an external login page When an external logon portal is used, SSP redirects requests without a valid token to the external logon portal passing the original request as a query parameter. However, if the original request url itself has query parameters, these are not getting passed when the portal redirects back to SSP after a successful login. Resolution: Fixed the encoding of the original request url when passing as a query parameter to the external portal. RTC563781/IT24842 (Engine) - HTTP malformed upload causes hung state The HTTP Proxy was not releasing buffers after an error was detected in a large upload. If the HTTP upload(s) in flight consumed more than 384M, it caused local perimeter server buffer allocation errors. This also caused other SSP Adapters to go into a stopped/hung status. Resolution: Now correctly release the subsequent buffers when an error condition is detected in the HTTP adapter. Workaround: Increase the gmm.maxAllocation=384M parm in the /bin/perimeter.properties file to 1024M until the fix can be applied. RTC564157/internal (CM) - IPV4 and IPV6 addresses not screened properly IPV6 (and IPV4) address were not being screened properly in the GUI. Resolution: Changed IPV6 and IPV4 validation to properly determine valid IP addresses. Since fields can contain a DNS name or an IP mask, updated the code to recognize that and validate properly. RTC564833/ (CM) - AppScan - Stack trace in the response body An internal dynamic AppScan test was able to get the SSPCM to generate a stack trace in the reponse body, which can be a security disclosure. Resolution: Now only send a summarized message back to browser client instead of a stacktrace RTC564992/ (CM) - SSPCM fails to start after upgrade if "admin" id previously deleted. Upgrading from SSPCM 3.4.2 iFix10 to iFix12 after deleting the default "admin" user causes an unencrypted 586034f.xml file to reappear. Once this file reappears, the CM fails to start because encryption checking fails. Resolution: Updated the SSPcm installer to not install the admin user xml if performing an upgrade to an existing configuration. Workaround (if the fix is not applied): Delete or rename the unencrypted /conf/haas/users/586034f.xml file to allow the CM to start. RTC565487/ (CM,Engine) - SSP/SEAS code signing certificate expires June 21, 2018 The code signing certificate used for SSP and SEAS expires June 21, 2018. Testing showed that both products will run after that date, but the SEAS Webstart GUI will not. Resolution: Updated the signing cert for SSP and SEAS with one which will expire on March 14, 2021. HIPER: Upgrade SEAS to the SEAS2432 (SEAS 2.4.3.0 Fixpack 2) level before June 21, 2018 to ensure that the Webstart GUI will continue working. RTC566007 (CM, Engine, PS) - SSP crashes with HSM enabled Customer with a Hardware Security Module (HSM) enabled crashes periodically with a General Protection Fault (GPF) failure in IBMPKCS11 code, which is the HSM interface code. The javacore shows a GPF with the current thread in NativePKCS11Session.getAttributeValue. Resolution: Upgraded the JRE to the 8.0 SR 5 FP 10 (8.0.5.10) level to pick up the IBMPKCS11 updates which address this problem. RTC566337/IT24733 (Engine) - SSP SFTP Adapter will not start in FIPS mode The SFTP adapters get NullPointerExceptions (NPEs) when the SSP engine starts in FIPS mode. The systemout.log also gets java.security.NoSuchAlgorithmException: no such algorithm: SHA1PRNG for provider IBMJCEFIPS Resolution: Changed to use the SHA2DRBG pseudo random number generator when initializing the SecureRandom object in FIPS mode. RTC566450/IT24790 (CM, Engine) - (SFTP) Remove the twofish* and cast* ciphers Ciphers that are no longer supported by Maverick had been included in the pre-build ssh_ciphers.properties file, which populates the GUI screens. Resolution: Removed these unsupported ciphers from the file. RTC566512/IT24843 (CM, Engine) - Add missing ciphers to FIPS list Four ciphers were missing from the list of FIPS approved ciphers that the JSSE allows to be defined. TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 Resolution: Added the missing ciphers to the list of approved ciphers RTC566675/IT25694 (Engine,PS) - (CD) Large FASP Transfers (5GB) are failing with broken pipe When C:D is using the FASP feature to send large files (e.g. 5 GB) the original C:D socket may be terminated by the firewall for inactivity while the data is sent on the FASP socket. The Perimeter Server code (local and remote) was not setting keep-alive values to override the OS settings. Resolution: Now allow setting KeepAlive variables in Perimeter Server (both Local and Remote) in SSP. Perimeter Services has been updated to allow KeepAlive variables to be set in the local perimeter.properties file. The SSP engine perimeter.properties file in /bin must be updated to enable this new support. Also, if using SSP remote perimeter servers, they must also be upgraded using the installers from this build or higher. socket.tcpKeepAlive=true (REQ -enables KeepAlive with OS default values) socket.keepAliveIdleTime=180 (OPT -time in seconds the connection is silent. OS default usually 7200) socket.probeCount=25 (OPT -number of ACK probes sent) socket.intervalTime=25 (OPT -seconds before sending a new ACK) Note: This defect is related to internal defect RTC567627. RTC566772/IT25294 (Engine) - SFTP users unable to logon using "key and password" policy (session limit exceeded) When hit with thousands of requests when the session limit is 20, the SFTP adapter did not accept new sessions since the session limit had been reached. However, after stopping and starting the SFTP adapter, sessions were still being rejected. Resolution: Now wait long enough for sessions to close properly when the SFTP adapter is stopped. A new adapter property, "sftp.adapter.shutdown.wait.secs" can be configured to specify the time to wait for sessions to close when the adapter is stopped. By default, this property is set to the SFTP adapter session timeout value. Also cleaned up spurious "System error - sftpAccessInstance is missing" messages in the systemout.log file. RTC567232/IT24869 (Engine) - (CD) SSL Protocol missing from CSP007I and SSP0240I messages After applying fix for defect 518916, the CSP007I and SSP0240I messages were not including the SSL protocol used, instead reporting Protocol=None Resolution: Now accurately report the SSL protocols used for the PNODE and SNODE sessions. RTC567296/ (Engine) - SFTP resetting failed login attempt count even when one of the auth fails SFTP is resetting the failed login attempt count even when key auth fails but password auth succeeds. Resolution: Now reset the failed login attempt count only when both auth methods (password and key) succeed. RTC567354/IT24987 (CM) - Getting non-fatal stackOverflowExceptions in log of SILENT install of SSPcm The SILENT install for SSPcm produces one or more stackOverflowExceptions in the installer log. However, the actual installation is still ok and these errors can be ignored. Resolution: Changed the installer to recognize that the installation is a SILENT install and avoid the action causing the stackOverflowException. RTC568078/IT24967 (Engine) - (CD) HSM retargeted keys get java.security.UnrecoverableKeyException - DER input not an octet string HSM keys created in SSP3418 or earlier and "retargeted" for use with the IBM JSSE were getting an UnrecoverableKeyException with CD, even though they worked with FTPs and HTTPs. Resolution: Now catch the UnrecoverableKeyException and build a temporary IBMPKCS11 keystore to load the retargeted HSM key from. RTC568408/ (Engine) - Limit userid/password fields to 256 characters Within the HTTP adapter login and change password pages, the length of the userid and password fields are not bounded, which could allow large amounts of data to be entered. This could result in a security vunerability. Resolution: Updated the logon and changepw pages to limit the userid and password fields to 256 characters. RTC568515/IT25039 (Engine) - (CD) Unable to access HSM key referenced from non-default keystore Certificates in user defined key/trust stores have the name of the keystore / truststore prepended to them followed by a colon (e.g. MyKeyStore:MyCertificate). The CD adapter was not able to retrieve the key from the HSM store with the full name. Resolution: Now strip off the keystore name and to return just the certificate name. Debug messages were also added. PSIRT10955/10418 (Engine, CM, PS) - Update JRE 1.8 to SR5 FP10 (8.0.5.10) Resolution: Update the JRE 1.8 to bring it up to the Oracle January 2018 level to satisfy the CVEs in PSIRT10418 and PSIRT10955. PSIRT 10418 - October 2017 Java CPU Advisory CVE-2017-10356 (CVSS 6.2) - Product uses JKS or JCEKS keystores PSIRT 10955 - January 2018 Java CPU Advisory CVE-2018-2633 (CVSS 8.3) - Vulnerable to specially crafted LDAP CRL URL. CVE-2018-2603 (CVSS 5.3) - Applications that use SSL/TLS. CVE-2018-2602 (CVSS 4.5) - Affects all Java deployments. CVE-2018-2588 (CVSS 4.3) - LdapLoginModule for LDAP based authentication. CVE-2018-2579 (CVSS 3.7) - Issue with getEncoded() method See http://www.ibm.com/support/docview.wss?uid=swg22017038 for the security bulletin. RTC569857/ (CM) - Improve messages for xml parsing exceptions During CM startup, a corrupt configuration file can result in a message XmlParsingException: Error on line 1: An invalid XML character was found. The message was not helpful in determining the root cause. Resolution: Updated the error message to include more information about the file, line number, and reason for the error. Example: XmlParsingException: Error on line 88 in file XxXxXxX: An invalid XML character (Unicode: 0x8) was found in the CDATA section. RTC570690/ (CM) - IBM Metric tools cannot detect SSPCM The IBM metric tools (i.e. ILMT) are not detecting the SSP CM installed instance because the *.swidtag files were not being shipped. Resolution: Now ship the swid tag file for ILMT in the SSPCM properties/version directory ibm.com_IBM_Sterling_Secure_Proxy_Configuration_Manager-3.4.3.swidtag RTC571371/IT25695 (CM) - (REST) Failure to add a new node to a netmap when an existing node has problems in its configuration Customer was attempting to add a new CD node to an existing netmap using the REST API, but got failures indicating a problem with TLS ciphers chosen and the TLS protocol. The REST API was attempting to validate all the nodes in the netmap instead of just the one being added. The failing node was from a previous build of the product that allowed the invalid combination. Resolution: Now only validate the node(s) being added or updated to a netmap using the REST API and indicate which node fails validation. During an import operation, recognize any ciphers which have ever been supported so that Export/Import operations do not result in a failure. RTC572142/DT001321 (Engine) - FTP-SSL Customers on slow line getting 226 Transfer Complete on the Control Channel prior to all data sent Large file downloads failing for FTP clients on slow connections. The 226 transfer complete message from the SI server was appearing on the control channel several minutes before the data on the data channel had been delivered, but SSP forwarded it to the FTP Client immediately, causing the client to get confused. Resolution: Updated the SSP FTP adapter to wait for the client data channel to close before sending the '226 Transfer Complete' message on the control channel. RTC572554/IT26062 (CM) - (CM) ./manageKeyCerts.sh fails when admin user defined in SEAS Customer could not run the manageKeyCerts.sh script using admin credentials defined in SEAS. Resolution: Updated the manageKeyCerts and manageCSRs tools to handle admin credentials which are managed by External Authentication. Note: Issue RTC572554 is also known internally as MFT-9866. MissingKQVs (Engine) - (CD) CSV057E missing values Z15R, DDTY, DDTS Z15R boolean to FMH7402, DDTY str and DDTS boolean to FMH71 RTC572605/IT25899 (Engine) - (CD) Upper and lower case node logs not created CD node specific logs used different cases when naming the PNODE or SNODE logs. When the PNODE, the nodename was in lower case; for the SNODE, the nodename was upper case. Since the C:D support in SSP is both reverse proxy and forward proxy, both PNODE and SNODE logs could be written. When SSP introduced the log4j2 logging package, it used a case-insensitive check for the existence of the log files, which resulted in the node specific logs being gathered by the first user of node (either as the PNODE or the SNODE). Resolution: Now use the lower case version of the SNODE nodename when creating the node specific logs. This means that the log will contain its log records regardless of whether the node is the PNODE or the SNODE. Note: Issue RTC572605 is also known internally as MFT-9867. SSP-3036/ (Engine) - (HTTP) B2Bi 6.0 rejecting HTTP requests with "400 Bad Message" error B2Bi60 has upgraded to use a later Apache Jetty version 9.4.11. This Jetty version supports a later HTTP standard where the folding of HTTP headers is not allowed and thus the requests are rejected. The Cookie header with multiple cookies is putting a CRLF and space after each cookie. Entering credentials and trying to login results in a "Bad Message 400" error. Resolution: *HIPER* Now eliminate the HTTP folding while passing the headers to the back end HTTP server. PSIRT11819 (CM,Engine,PS) - Update JRE 1.8 to SR5 FP17 (8.0.5.17) Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2018 level to satisfy the CVEs in PSIRT11819: CVE-2018-2783 (CVSS 7.4) TLS handshaking flaw implementing 3Shake See http://www.ibm.com/support/docview.wss?uid=ibm10729765 for the Security Bulletin. MFT-9835/IT26615 (Engine) - (CD) Timeout during FASP Close at end of large transfer. At the end of a large FASP=SSP transfer, the FASP Close operation may be discarded by the receiver if there is still a lot of data being received. This results in a timeout on the sending side waiting for a response to the FASP Close operation: CSP999E fsc-aspera-stream-transfer.log ERR Failed to receive Close Session, read timed out (errno=110) timeout:120, rsize:0 The Customer increased the timeout value in the ./bin/aspera.conf file: 360 The transfer was successful, but the timeout messages persisted. Resolution: Corrected the receiving side code to ensure that the FASP Close directive is not discarded during high activity. MFT-9898/IT26763 (Engine) - (HTTP) Userid included in URL query string parameter during password change During password change processing, the userID was getting passed in the URL, which is insecure. Resolution: Removed the userID from the URL and moved it into the HTTP headers which remain secure during the password change operation. MFT-9902/IT26640 (Engine) - (HTTP) Error messages in log after successful transfer. During successful connections to myFileGateway, the Customer is seeing numerous error messages in the logs: SSE0100E Attempt to secure client connection failed. SSP0449E Client disconnected before server connection completed. Sessions from Chrome produce more error messages than those from IE. Resolution: Cleaned up most of the spurious messages resulting from disconnects during TLS handshaking. MFT-9906/IT28592 (Engine) - (HSM,CD) Intermittent timeout during SSL handshake When using an HSM device to store SSL private keys, the SSL handshake sometimes timed out because it took longer than 5 minutes to pull the key from the keystore. The PNode disconnected due to timeout. Symptom: CSP900E Logged Exception : java.net.SocketException: Underlying socket is not connected Resolution: Eliminated 2 redundant loads of the HSM keystore which were causing a delay. Also added some extra debug to help track the flow leading up to the handshake. MFT-9915/IT29131 (Engine) - Memory leak in logging area causes OutOfMemory A slow memory leak in the log4j2 logging subsystem led to an OutOfMemory (OOM) exception crash of the SSP engine after several weeks. Analysis of the heap dumps showed the following: The class "org.apache.logging.log4j.core.appender.AbstractManager" occupies 1,904,050,896 (89.23%) bytes. The memory is accumulated in one instance of "java.util.HashMap$Node[]". For each new session in which logging was enabled, the logging system was adding a new appender to write to the log file, even though in most cases, one already existed for that file. Resolution: Corrected the logic which decided whether a new logging appender was required so that duplicate entries would not longer accumulate and cause an OOM exception. MFT-9925/IT26416 (Engine) - Allow Customer to override minimum DH Exchange key sizes Customer has an SFTP partner which cannot support a DH key exchange size above 1024. For security reasons, the default minimum keysize that SSP will negotiate is 2048 and is the recommended value. Resolution: Now allow a property value in the SFTP adapter to override the minimum keysize required. MinDHGroupExchangeKeySize=1024 will allow a keysize of 1024. MFT-9946/IT26632 (Engine) - (CD) Alternate node in netmap not called unless specified with ip/port. Coding an "Alternate Destination" in the Advanced tab of a CD node does not work if a nodename is used from the pulldown. It is only honored if specified using the ip address and port number. Resolution: Now correctly parse for the node name in the "Alternate Destinations" specification in the Advanced tab of the CD netmap node. MFT-9961/IT26631 (Engine,CM) - (SFTP) Intermittent SignatureException The IBM Java team tightened the restrictions on how public key signatures can be encoded. This caused our SSH processing to intermittently get java.security.SignatureException failures at session startup. Resolution: Upgraded the Maverick SSH toolkits for current maintenance which works within the tighter restrictions. Upgraded to Maverick Legacy SSHD Server 1.6.47 and J2SSH Client 1.6.39. MFT-9975/IT26788 (Engine) - (CM) Adding cipher suite to External Auth definition gets System Error When the CM user tries to add a new cipher suite in the Security tab of the Advanced -> External Authentication Server definition without "Use Secure Connection" checked, the SSP CM connection is broken with the message: ‘System Error. Unexpected System Error has occurred. Please sign in again. If the problem persists, contact your system administrator’. Resolution: Now disable the cipher add/remove listbox by default unless "Use Secure Connection" is checked. MFT-9976/IT28591 (Engine) - (HSM,CD) Unable to open HSM keystore during SSL Handshake Customer running a Gemalto (Luna) HSM device was unable to open the device during an SSL handshake for a CD process. The HSM keystore passphrase supplied with the confgureHsmPassphrase.sh was not working. Symptom: CSP900E Logged Exception : java.io.IOException - Vendor defined error (0x80000067) Resolution: Now correctly provide the HSM passphrase to the Luna device at SSP initialization time so it can be initialized. Also added better stack traces to help show if the problem is in IBMPKCS11, JSSE, or HSM code. MFT-9981/IT27055 (Engine) - (FTP) Password prompt not retrying if SEAS auth fails When using SEAS authentication with FTP, the user is not prompted for a password if the first attempt fails. When running directly to SI, the user is allowed to reenter a bad password. Resolution: Correct the password prompting when SEAS is in use so that the session is not closed until the user exhausts the maximum allowed attempts. SSP-3041 (Engine,CM) - Upgrade SSP to Jetty 9.4.12 Resolution: Upgrading SSP to the latest Jetty for security and supportability. This is also known as PSIRT12571. SSP-3070 (Engine,CM) - Update SSP to Apache Active MQ 5.15.6 Resolution: Upgrading SSP to the latest Apache Active MQ for security and supportability. This is also known as PSIRT13307 MFT-10004/IT27002 (Engine) - (SFTP) Unable to upload files > 32k After applying the fix for MFT-9961, the Customer was unable to upload files larger than 32k with SFTP. Some clients could transfer up to 1MB before stalling. Resolution: The Maverick server toolkit sshd-1.6.47 has issues with window sizes during transfers. Reverted back to the sshd-1.6.45 build, which still contains the fix for the signature exceptions found in MFT-9961. SSP-3229/ (Engine) - (SEAS) Support for OpenDJ LDAP server Resolution: Now support the OpenDJ LDAP server for back end security queries and assertions. SSP-3233 (Engine) - (HTTP) NPE in SSO portal after Jetty upgrade After the upgrade to Jetty 9.4.12, if the SSO configuration for the HTTP adapter uses the FQDN (Fully Qualified Domain Name) of the SSP engine host as the SSO cookie name, the HTTP Portal page can fail to load. It throws a Null Pointer Exception (NPE) in the secureproxy.log and the portal page is not displayed. Resolution: Now make a check for a null domain value to avoid the NPE. Workaround: If "a.b.c.d" is the FQDN in the SSO configuration, change it to ".b.c.d" until this fix can be applied. SSP-3234 (CM,Engine) - Correct missing ActiveMQ lib Resolution: Now include the hawtbuf-1.11.jar, needed for ActiveMQ. MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending with * On the Netmap Inbound Node Definition screens for CD, FTP, HTTP, and SFTP, the ability to have peer address patterns which started or ended with *, ex: *.company.com or www.company.* was broken. Resolution: Corrected the parser which was keeping these patterns from working. MFT-10029/IT27654 (Engine) - (HTTP) SSP Change Password Policy link not working correctly Clicking on the close link after viewing the password policy does not return to the change password screen. Instead it throws you back to original login screen. Resolution: Updated the href value in the changepw.html file to behave correctly. MFT-10035/IT27649 (Engine) - (CD) Routing type "PNODE_Specified, and then Standard (mixed)" fails to route to standard snode. The Customer specifies "PNODE_Specified, and then Standard (mixed)" in the CD adapter routing type. However, if the incoming pnode specifies an snode which does not exist in the netmap, the connection fails to route to the snode specified in the SNODE Netmap Entry box. Resolution: Now when the routing type is "PNODE_Specified, and then Standard (mixed)" and the SNode requested by the incoming PNode does not exist, correctly set the SNnode to the Standard Node. MFT-10089/IT27917 (Engine) - (SFTP) With FIPS_MODE = True in the security.properties file, SFTP connections fail Customer running in FIPS mode applied SSP3432 iFix 2 and began experiencing failures in their SFTP connections: SSE2668 WARNING - Support for hmac-sha2-256-96 not available in FIPS mode. SSE2651 Exception encountered, type: java.lang.ArrayIndexOutOfBoundsException, message: Array index out of range: 11 Resolution: Modified the internal fipsMacClass array to ensure it is sized correctly when running in FIPS mode. MFT-10129/IT27075 (Engine) - (HTTP) Failures in HTTP adapters after SSP upgrade to version 3.4.3.2 iFix 3) After Customer applied SSP3432 iFix 3, certain HTTP transactions were failing with: SSP175E Invalid HTTP Request method. Client possibly attempting SSL/TLS connection. SSP0231E Invalid data from client (Exception unmarshalling) - com.sterlingcommerce.csp.jetty.io.ValidationFailedException, null Resolution: Now wait till a full request line is received before calling validateMethod() MFT-10218/IT28554 (Engine) - SSP sending FTP STOR command multiple times, leading to '451 - session in inconsistent state' A client attempted to send a large number of files during a single FTP session through SSP to a B2Bi backend. The first few transfers succeeded, but then SSP happened to send the STOR command to the server twice in a row causing the backend to respond with 451 Requested action aborted: session in inconsistent state. All subsequent uploads in the session then failed with the same error. Corrected this timing issue by always clearing the cached command queue before returning to the 'CommandHandler' state. PSIRT12959, (Engine,CM,PS) - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for PSIRT13809 security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle October 2018 level to satisfy the CVEs in PSIRT advisories 12959 and 13809. See http://www.ibm.com/support/docview.wss?uid=ibm10872758 for the Security Bulletin. ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced a change to disable SHA1 certificates via the jdk.certpath.disabledAlgorithms parameter in the /jre/lib/security/java.security file. For more information, read the comments in the java.security file which relate to the added parm: jdk.certpath.disabledAlgorithms= * * *, SHA1 jdkCA & usage TLSServer, SSP-3446/ (CM) - Adapters in SSP CM monitor screen out of order When using the Monitoring tab in the SSPCM GUI, the adapters were not showing up in alphabetical order. Resolution: Corrected the ordering of the adapters in the monitoring screen. MFT-10219/IT28683 (Engine) - (SFTP) All SFTP clients timing out connecting to back end SFTP adapters SFTP adapters were stalling when making connections to the backend SFTP server because a getLocalHost operation was hanging. Resolution: Updated the SFTP backend session setup logic to no longer do the getLocalHost operation to find the local NIC for the connection to the back end. This is already handled by the SSP local Perimeter Server code. Workaround: Supply the SFTP Adapter property sftp.listenAddress = nnn.nn.nnn.nn to supply the local NIC address. SSP-3023/RTC569696 (CM,Engine) - (SFTP) Upgrade Maverick to latest 1.7.xx for additional ciphers The Maverick 1.6.x toolkit goes out of support at the end of 2019. Also, there have been requests for additional ciphers which are provided in the 1.7.x toolkit. Resolution: Now utilize the Maverick 1.7.20 J2SSH client and SSHD server toolkits, which also supply the following new ciphers New ciphers: aes128-gcm@openssh.com, aes256-gcm@openssh.com New macs: hmac-ripemd160, hmac-ripemd160-etm@openssh.com hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com New groups: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org Added new message SSE2729 which details the ciphers and macs negotiated between the client and SSP. SSE2729 SessionId: {sid} with Sftp Client: {IP} established, kex: {DH grp}, host key: {type}, csCipher: {cipher to SSP}, scCipher: {cipher to clt}, csMac: {mac to SSP}, scMac: {mac to clt}, csComp: {compression}, scComp: {comp} MFT-10206/IT28929 (CM) - Problem with SSPcm certificate renewal process When using the CM GUI to update a keycert which is also used for connecting to SEAS, the copy of the certificate in the /conf/system/cmkeystore is not updated. If CM users are authenticated by SEAS, the connections to SEAS fail with an expired certificate. During connections to SEAS from the CM, the truststore and keystore entries needed for the connection were being copied from the configuration to the cmtruststore and cmkeystore, respectively to assist in the connection. But if an entry already existed, it was not updated. Resolution: Updated the CM code which connects to SEAS to build the the temporary keystore and truststore in memory rather than updating the files in /conf/system. MFT-10207/IT29589 (Engine) - (HTTP) Getting myFileGateway "Session expired" popup using passthrough authentication Since the Jetty upgrade in 3.4.3.2 iFix 2 Plus Build 263, Customers were getting several strange behaviors connecting to myFileGateway via HTTP doing passthrough. Customers who had the front end (inbound) connection secured and the back end (outbound) session non-secure were getting a "Session expired due to inactivity" popup immediately from myFileGateway. Other Customers found that even if both sides of the session were secured, when they logged off and back on, they got the "Session expired" message. Resolution: Corrected the code to send all cookies back and forth between the two sessions and to correctly send cookies based on the Security attribute. MFT-10241/IT28986 (CM) - SSPRestAPI fails with SNI handshake from client The Customer replaced their factory certificate with a self-signed keycert using a wildcard in the common name: CN=*.si.com. When submitting the sspRestAPI.sh script, the TLS ClientHello message included a server_name extension, which caused the connection to fail with /sspcmrest/sspcm/rest/session org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI The REST API client was not inserting HTTP header host name during connection to the SSP CM, and the Jetty on the CM server side was set to enforce SNI checking if the client indicated it. Resolution: Corrected the client side of the RESTAPI to allow the HTTP header host name to be set in the sspRestAPI.properties so that it matches the CN of Client's public key CN. Also changed the behavior of the CM to disable the SNI checking if the k=-Dssp.cm.jetty.sni.enable=false is set in the startCM.sh script. MFT-10250/IT29018 (Engine) - OutOfMemory during SFTP transfer after upgrade Customer applied SSP3432 iFix 4 Plus Build 291 and encountered OutOfMemory (OOM) crash when transferring files with SFTP. The build included a new Maverick toolkit which changed the way it managed buffers during transfers. The heap dump contained tens of thousands of com/maverick/ssh/Packet objects. Resolution: Updated the API calls to use the new CreatePacket method in the Maverick toolkit, which is the preferred method of managing the memory. MFT-10257/IT28968 (Engine, CM) - Sporadic loss of data during bulk transfer of multiple files via Filezilla FTP client Customer attempting to upload 500 files with Filezilla was getting many files missing and missing data in the files which were transferred. The utility was sending data before SSP had signalled it was ready to receive. Resolution: Now maintain a temporary buffer to hold the data sent from the FTP client before SSP is ready to receive it. See also SSP-3660. SSP-3660/ (Engine) - Add limit to number of data buffers being cached in FTP This is an extension of MFT-10257. Resolution: Added new FTP adapter property ftp.max.data.buffers.cache=50 to limit number of data buffers being cached in FTP to avoid an out of memory issue. The value must be an integer > zero and <= 999. MFT-10325/IT29109 (CM) - RESTAPI Issues with importing keyDefEntries. Customer attempting to use the REST API to import a key certificate, but getting, "Create key operation failed. - Error parsing request: expected root xml element to be elements but received keyStoreDef". Workaround: Set N=-DvalidateThruXSD=false in the bin/startCM.sh. Resolution: Updated the XSD syntax definition file to allow user to provide input xml with tag as the root. Also made changes to the createKeyDef, modifyKeyDefEntries and deleteKeyDefEntries apis to make them work correctly with the CLI. Now also removed the ability to add or delete certificates in the internal CM->System->Certificate Stores, since they do not allow updates from the GUI either. MFT-10341/IT29130 (Engine) - (HTTP) Directory traversal issue Customer noticed that URLs including ..//..//, which is a common directory traversal hack, were being passed back to SI/SFG to be handled. Resolution: Added code to strip the intervening dots and slashes using canonical methods, further protecting the backend server. MFT-10357/PSIRT16274,16318 (Engine,CM) - Security upgrade to Jetty 9.4.20 Resolution: Update the Jetty server to satisfy the CVEs in PSIRT advisories 16274 and 16318. See http://www.ibm.com/support/docview.wss?uid=ibm11095826 for the Security Bulletin. MFT-10368/IT29310 (Engine) - SSP Nodes getting into deadlock state After applying SSP3432 iFix 4 Plus Build 295, the Customer found that several nodes were hanging, caused by threads in a deadlocked state. Resolution: Corrected a locking mechanism introduced by defect MFT-10257 which caused threads to be deadlocked. MFT-10382/IT29278 (PS) - More Secure PS (MSPS) scripts on Windows have wrong service name When installing a Perimeter Server on Windows as a More Secure PS, the startPSservice.cmd and stopPSservice.cmd scripts are generated without the engine hostname in the service name, so that they will not actually start or stop the service. Resolution: Updated the InstallAnywhere step for a More Secure Perimeter Server to add the Engine host to the Windows Service name: SSP_PerimeterServer_%EnginePort%_$EngineHost$ SSP-3561/ (Engine) - HSM IBMPKCS11 sample config files SSP was shipping the Luna 5.0 configuration file for Customers who use HSM boxes, even though that version is no longer supported. Resolution: Now ship the Lunx 6.0 configuration file in the /conf directory and include all the supported IBMPKCS11 sample config files in a new file called /conf/PKCS11ConfigFiles.zip. SSP-3597/ (Engine,CM,PS) - InstallAnywhere 2018 upgrade Resolution: Upgraded to InstallAnywhere 2018, which provides support for Windows 2016 Server. SSP-3698/ (Engine) - Adapter and netmap logs going to secureproxy.log instead, missing log files The fix for MFT-9915 caused the adapter and netmap logs to no longer be created, with all logging going to the secureproxy.log. Resolution: Corrected the fix to not create a new appender for a new session if the appender and logger already existed, but to use the existing proven method when starting to log to a new file. MFT-10242/PSIRT15330 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2019 level to satisfy the CVEs in PSIRT advisory 15330. See http://www.ibm.com/support/docview.wss?uid=ibm10885937 for the Security Bulletin. ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) introduced a change to disable anon and null cipher suites via the jdk.tls.disabledAlgorithms parameter in the /jre/lib/security/java.security file. If your site uses these suites for testing, update your java.security file to remove the last 2 parms: jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL ACTION - The java.security file includes a new parm for distrusting CAs: jdk.security.caDistrustPolicies=SYMANTEC_TLS For more information, see the writeup in the java.security file. MFT-10422/IT29819 (Engine) - (HSM) FTPS data channel hangs during SSL handshake with HSM enabled The HSM keystore was taking a long time to load during the ssl handshake which resulted in session timeouts. Resolution: Now load the HSM keystore during engine startup time and keep it in memory to speed up subsequent handshakes. Also, reload the HSM keystore periodically based on the value of the RELOAD_HSM_KEYSTORE_TIME parm in the /bin/security.property file, default 15 (minutes). SSP-3771/ - Add direction arrows ===> for readability in FTP logs Resolution: Added some directional arrows in the logging for FTP control channel traffic to make it easier to follow the flow of data between the client and SSP and between SSP and the back end server. Examples: ===> RECV fr Client: SEND to Server ===>: RECV fr Server <===: <=== SEND to Client: MFT-10402/IT30050 (Engine) - *HIPER* (SFTP) OutOfMemory (out of threads) when SEAS goes down with no failover coded Customer defined an SFTP adapter which uses SEAS External Authentication but did not have failover properties coded. When the SEAS became unreachable for several hours, new connections and load balancer pings continued to be directed to the SEAS for authentication until the JRE used up all available threads based on the numprocs alotted to the user. The adapter's max session value was ignored when in this state. Resolution: Firmed up the code in the following ways: 1) When at the adapter max session count, shut down any new session without calling SEAS. 2) If a new session comes in and EA is detected down, shut down the session and report a system failure to the caller. 3) If EA authentication fails for any reason, since we do not have a token, bypass calling SEAS to invalidate the token during session shutdown. Workaround/Best practice: Define failover properties in each SFTP adapter that uses SEAS to ensure that when SEAS or SI is detected to be down, the adapter will turn off its listener to stop incoming traffic until SEAS and SI are detected to be up again: failover.detection.enabled true failover.detection.mode continuous failover.poll.interval 15 (seconds) MFT-10444/IT29840 (CM) - RESTAPI fails if CM user defined to use external authentication If a new CM admin user is defined to do external authentication, the sspRestAPI.sh script fails. Only if the user is defined as a local CM user first and using the same password as in the LDAP does the script work. Resolution: Updated the RESTAPI authentication code to correctly utlilize the external authentication through SEAS. MFT-10451/IT30080 (CM) - CM GUI presents factory cert instead of common The Customer attempted to replace their SSP factory certificate with a new common certificate with the ./configureCmSsl.sh -u commonCert= command. The CM and Web certs showed to be using the new alias. However, when connecting to the CM GUI, the SSL certificate displayed was the SSP factory certificate. Resolution: Now ensure that at the low level keystore operation, the designated keycert alias is honored when the key is requested. Workaround: After the new commonCert has been added, delete the "factory" alias using the ./configureCmSsl.sh -d alias=factory MFT-10483/IT30076 (CM) - RESTAPI activity leads to OutOfMemory (OOM) full of AuthenticationResource, JMS objects The Customer is making heavy use of the REST API to update their configuration. After many sessions, the CM gets an OOM exception because the memory is full of AuthenticationResource objects. Also, at one point the Customer had JMS logging configured in the CM system tab without a JMS queue activated to receive the data which filled the memory with a JmsPublisherProxy object. Resolution: Now ensure that the AuthenticationResource session object is cleaned up at the end of each RESTAPI session. Also, maintain a limit of JMS queue objects so that we don't overflow the memory when the JMS queue is not active. SSP-3530/ (CM) - Rest API issues when importing from older CM Internal testing found several issues when importing a configuration with the REST API which was exported from an older version of SSP. The got syntax errors with the 'createdBy' and 'formatVer' elements, the import rejected expired certificates and cipher suites which had been deprecated, and the factory certificate was not replaced. Resolution: Updated the RESTAPI import logic to recognize and include artifacts from older versions to make upgrades between versions more seamless. MFT-10485/IT30344 (Engine) - (SFTP) OutOfMemoryError "Java heap space" crash The SFTP adapter was adding to a backendRegistrarMap object each time a session opened a corresponding session to the back end SI server. However, in some cases, the placeholder in the map was not getting cleaned out at logoff time. The heap dump showed that 91% of the memory was consumed by one class "com.sterlingcommerce.cspssh.daemon.SftpAccessManager", and one object java.util.HashMap$Node[]. Resolution: Now ensure that the session entry is cleaned out at logoff time from the backendRegistrarMap. MFT-10541/IT30346 (CM) - (RESTAPI) userStore API update throwing exception on CLI. After a userStore update operation using the RESTAPI Command Line Interface if the xml contained "" the operation reports success but then gets a message: org.xml.sax.SAXParseException: The processing instruction target matching "[xX][mM][lL]" is not allowed. Resolution: Now remove the offending xml so the parse exception does not occur. MFT-10578/PSIRT17288 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2019 level to satisfy the CVEs in PSIRT advisory 17288. See http://www.ibm.com/support/docview.wss?uid=ibm11089580 for the Security Bulletin. MFT-10608/IT30643 (Engine) - (SFTP) Added client ciphers as well as negotiated ciphers in logging. After installing SSP3432 iFix 5, Customer lost visibility in the logs of the SFTP clients available ciphers and hmacs. The Customer needed this debug info for a project to ensure their clients would be able to run with stronger ciphers. Resolution: Added DEBUG message SSE2656, "Key Exchange Init Details :", which contains the remote's IP and port, along with the key exchanges, ciphers, macs, etc that the client is capable of. Another DEBUG message, SSE2640 "Negotiated Ciphers Details :" shows the ones chosen for the session. Message SSE2729 provides the negotiated values at INFO level. MFT-10616/IT30591 (CM) REST API fails with "The processing instruction target matching "[xX][mM][lL]" is not allowed" After upgrading the SSPCM to 3.4.3.2 iFix 5, the RESTAPI call for SSH key modification fails with "The processing instruction target matching "[xX][mM][lL]" is not allowed. line # 1 column # 40". The input xml contained '' at the beginning, but that was not a problem in previous builds. Resolution: Now remove xml headers which during validation are being inserted after the root tag. MFT-10656/IT30692 (CM) SSPCM “Enable SSP CM startup backup” field in CM System settings has no effect Attempted to configure CM to not backup at startup by unchecking “Enable SSP CM startup backup” (From SSP Dashboard, System -> System Settings -> CM System Settings -> Globals). After saving the page and coming back, the field is checked again. Resolution: Now handle the negative case when the CM Backup checkbox is not selected. MFT-10692/IT30823 (CM) (FTP) EPSV command giving wrong response The original MFT-9148 fix to support FTP's Extended PASV (EPSV) and Extended PORT (EPRT) RFC returned responses should be based on whether SSP detected IPv6 addresses. If SSP is on a machine in IPv6 mode, the response for the EPSV command was the PASV response. Now return the response to the PASV or EPSV command based on the command entered rather than on whether we detect that IPv6 addressing is in play. For PASV, the response continues to be, 227 Entering Passive Mode (127,0,0,1,153,178). For EPSV, the response is 229 Entering Extended Passive Mode (|||58792|). MFT-10704/IT31049 (Engine) Engine audit logs contain hashed passwords The SSP engineAuditEvent entry for a configuration push contained Base64 hashed password values for the admin id and some keycerts. Resolution: Now replace the hashed password values in the audit logs with asterisks (****). MFT-10762/IT31135 (Engine) (CD) SSP incorrectly logs stepname of run task and run job C:D process steps SSP was logging a hardcoded stepname "SameStep" during a Connect:Direct run task or run job process step. Resolution: Now log the actual stepname in the RUN JOB, RUN TASK and SUBMIT processes. MFT-10765/IT31672 (CM) - 6.0.0.1F1 with Client Auth not working with SAN certs, getting ERR_BAD_SSL_CLIENT_AUTH_CERT Customer has client authentication turned on for browser connectivity to the SSPCM dashboard, as well as client certificates configured with Subject Alternate Name. SSL handshakes from browsers were failing with "No subject alternative names matching IP address xx.xx.xx.xx found" in the CM log. Resolution: Allow the Customer to override the new behavior in the JRE by uncommenting -DsspcmDisableClientEndpointIdentification=true in the startCM.sh script. This tells the CM to ignore the hostname discrepancy in the SAN cert. MFT-10774/IT31439 (Engine) - (CD) CSP032E 4 KQV keyword "RLS2" found in FM70, but not defined in XML schema definition SSP uses xsd files to validate the CD FMH's going through. As the various CD groups develop new features, we periodically must add new keywords (KQV) they may have created. Resolution: Add support for the following KQV values FMH70: RLS2 FMH71: DEXP,DEXR,DSFF,DSFS,DMXF,SDVF,SMXG,SDVE,DDVF,DDSY,DMXG,DDVE FMH7402: ZECR,ZIFR,ZIFS,NODA,SDTP,DDTP,SDVE,DDVE,SISM,DISM,SMXG,DMXG MFT-10853/IT31763 (CM) - (GUI) SSPcm user binds to LDAP twice with SEAS for single login When SSPCM users are configured to authenticate through SEAS, they are authenticating twice to LDAP, once for the dashboard, and again under the covers for the configuration manager. Resolution: When authenticating CM users through SEAS, request an SSO token on the first authentication from the dashboard, and then pass the token to SEAS on the authentication from the configuration manager, avoiding the second call to LDAP. MFT-10887/ (CM,Engine,PS,SEAS) - GPF in SSP engine The SSP Engine terminated with a General Protection Fault (GPF) when the JVM tried to get an internal structure from a terminated thread. Resolution: Installed the IBM JRE 8.0.6.5 to resolve the GPF. MFT-10904/ (CM,Engine,PS,SEAS) - GPF in SSP engine The SSP Engine terminated with a General Protection Fault (GPF) in the IBMPKCS11 area. Resolution: Installed the IBM JRE 8.0.6.5 to resolve the GPF. SSP-3771/ (CM) - Updates to make CM logging more readable Resolution: Shortened some thread names within the CM to make the log lines narrower. Also merged some redundant lines in the debug log to lower the output. MFT-10903/IT32096 (CM,Engine) - configureCmSsl and configureEngineSsl not adding certificate chain to cmtrustore or truststore When adding a keycert to the keystore using the configureCmSsl or configureEngineSsl utilities, they were not adding the certificate chain to the cmtrustore or truststore. Resolution: Now add or update the certificate chain from the keycert into the appropriate truststore. SSP-4236/PSIRT21787 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle January 2020 level to satisfy the CVEs in PSIRT advisories 20470 and 21787. See https://www.ibm.com/support/pages/node/6116926 and https://www.ibm.com/support/pages/node/6116962 for the Security Bulletins. Also tracked internally as SSP-4235. SSP-4223/ (Engine) - Excessive logging on idle SFTP adapter During internal testing, found that the SFTP adapter could sometimes emit a couple of messages excessively in DEBUG mode, even when idle. SSE2621 sw is before setting interest ops SSE2621 sw is after setting interest ops Resolution: Changed the message number to SSE2998, which only gets emitted when the log level is DEBUG and the property log.debug.detail = 2 is set in the adapter properties tab. MFT-10959/IT32191 (CM) - (GUI) Unable to update keystore with certain PFX keys. PEM format works The SSP CM is unable to handle a PFX keycert format when there is a missing or unspecified label for either the private key or the associated public key. Resolution: Corrected SSP CM to be able to import PFX keycert format even when there is missing or unspecified label for the keycert or public key. MFT-10995/IT32374 (Engine) - SFTP adapter deadlock in failover code 2 pairs of synchronized methods in the SFTP failover code were causing a deadlock condition. One failover thread was trying to start an outbound route while another was stopping a listener after a failed connection and a deadlock occurred. The Engine had to be restarted to clear the condition. Resolution: Replaced the method synchronization on 2 pairs of stop/start methods with synchronization on a local object instead. MFT-11018/ (CM,Engine) - Support for diffie-hellman-group14-sha256 in SSP3432 Fix SSP-3023/RTC569696 delivered in April 2019 added new SFTP ciphers, macs, and group exchanges, but not the diffie-hellman-group14-sha256 group exchange to SSP3432. Resolution: Added the diffie-hellman-group14-sha256 group exchange to SSP3432. MFT-11200/IT33098 (Engine) - NPE in Maverick logs SFTP connections were failing intermittently, and the maverick.log contained many instances of com.maverick.ssh.ExecutorOperationSupport - Caught exception in operation remainingTasks=1 java.lang.NullPointerException: null Resolution: Corrected the NullPointerException in the SftpSubSys local_init method when a connection comes in. MFT-11042/ (Engine,PS) - Getting IOException: Too many open files SSP adapters were reporting "Too many open files" errors which used up all resources and blocked other partners from connecting to the Customer. They increased their kernel nofiles setting from 4096 to 8192, which helped to delay the outages. The local SSP Perimeter Server code was intermittently not cleaning up sockets at session end, which allowed file descriptors to accumulate. Resolution: Updated the old PS4060602 Perimeter Server jar files to the PS6000302 level. See SSP-3966 for description and important ACTION. SSP-3793/ (CM) - Missing secure attribute in encrypted session (SSL) cookie SSP CM does not append "http-only" and "secure" security attributes for cookies that are sent back to the browser client. Resolution: Now add "http-only" and "secure" attributes to JSESSIONID cookies. Also known as PSIRT ADV0022033. See https://www.ibm.com/support/pages/node/6249281 for the Security Bulletin. SSP-3966/ (Engine,PS) - Upgrade Perimeter Server code to same as B2Bi 6.0.3.2 The SSP Perimeter Server code is obtained from the B2Bi team at Precisely/ Syncsort. It had not been refreshed in several releases, causing issues such as MFT-11042 above. Resolution: Updated the SSP local and remote Perimeter Server code to use the PS6000302 code level as is shipped with B2Bi 6.0.3.2. This is an upgrade from the PS4060602 code we were shipping with. This defect also tracked internally as SSP-4233. ACTION: An Engine and any remote Perimeter Servers associated with its ACTION: adapters must be upgraded to the 6011 level at the same time to ACTION keep their PS code in sync. Otherwise the adapters will fail to ACTION: start with "Unable to connect to remote perimeter server..." SSP-4323/SEAS-1233 (Engine) - XML External Entity (XXE) vulnerability in SSP During internal security scanning, SSP was found to be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. It is further described in PSIRT advisory ADV0023731. Resolution: Added parser processing commands to disallow the illegal commands that caused the XXE attack. Fixed in code as SEAS-1233. See https://www.ibm.com/support/pages/node/6249331 for the Security Bulletin. SSP-4310/SSP-4445 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2020 level to satisfy the CVEs in security PSIRT advisories ADV0021791 and ADV0023736. https://www.ibm.com/support/pages/node/6249355 and https://www.ibm.com/support/pages/node/6249371 for the Security Bulletins. MFT-11130/IT33879 (Engine) - Intermittent requests to SEAS timing out Occasionally, when several requests came in on the CD adapter at the same time requesting SEAS certificate validation, the last request sent timed out 3 minutes later when the socket was closed. The low level write of the bytes to the SEAS socket was not doing a flush of the data to make sure that it was properly presented to SEAS. Resolution: Now ensure that each SEAS request written on the socket has a proper ending of the data so that it is immediately recognized by SEAS. MFT-11139/IT33786 (Engine) - During load testing, SEAS shows ERROR "AUTH037E Authentication request missing password." If SFTP adapter session limit exceed the max limit during load test, it was still trying to connect with SEAS resulting in missing password error in the Customer load test environment. Resolution: Moved session limit check earlier in sftp adapter so that it does not make an unnecessary connection to SEAS. MFT-11273/IT33922 (Engine) - JVM thread deadlocks in Maverick code; OutOfMemory during large SFTP download The Customer's monitoring software noticed that there were several pairs of SFTP threads deadlocked on each other. This deadlock was fixed in the Maverick 1.7.22 release, while we were running 1.7.20. A second issue with an OutOfMemory (OOM) exception was tracked with MFT-11539 but no APAR was needed. A client was downloading a multi-GB file and requesting data packets faster than it was receiving them causing them to back up in memory. Heap dumps showed memory accumulated in java/util/LinkedList$Node and com/maverick/sshd/Channel$QueuedData. Resolution: Upgraded the Maverick toolkits to the 1.7.32 level to correct the deadlock and windowing issues. ACTION: SFTP key sizes, both yours and your trading partners, MUST be 1024 bits or higher. Ensure that key sizes are adequate before migrating to production. From the Maverick toolkit vendor: This release restricts the use of RSA keys in authentication to 1024 bits or higher. If you attempt to authenticate with a key with < 1024 bits, the API will automatically reject the authentication request. The API also restricts key generation of RSA and DSA keys to 1024 bits or higher. These changes match the key size restrictions used by OpenSSH. Please note that the recommended size of an RSA key should be at least 2048 bits, preferably 3072 bits, which is now the OpenSSH default for RSA keys. SSP-4640/ (CM,Engine) - Vulnerability in Apache Commons Codec HIPER: Updated the Apache Commons Codec toolkit to v1.15 to address PSIRT advisory ADV0025470 - CVEID: 177835 (CVSS: 7.5). See https://www.ibm.com/support/pages/node/6339801 for security bulletin. MFT-11238/IT34624 (Engine) - (SFTP) Negative message length SshException for DATA packet from non-standard server Customer using a non-standard server on the back end and trying to pull a file. The SSP local TCP window size was small which caused the server to split a data packet incorrectly. SSP detected it as a negative message length. Resolution: Now set the initial TCP local window size for the back end SFTP session to 4MB to ensure that the server does not need to split data packets. The value can be overridden with the following new SFTP adapter properties: sftp.backend.max.packet.size = 4194304 (4M initial backend window size) sftp.backend.max.window.size = 4194304 (4M max backend packet size) MFT-11309/IT34732 (Engine) - (SFTP) SSE2640 sshd channel closing when local window size goes below 32k A trading partner was uploading a several hundred MB file using the Globalscape ETF SFTP client and randomly getting an abrupt channel close which terminated the connection. When the local TCP window size went below 32k on SSP and the client sent a 32k data packet, SSP shut down the connection. Resolution: Now set the minimum and maximum local window size for the SFTP adapter and allow them to be configured in the adapter property tab: sftp.inbound.max.window.size = 2097152 (2M maximum inbound window size) sftp.inbound.min.window.size = 131072 (128k minimum inbound window size) SSP-4799/ (Engine,CM) - Allow configurable window and packet size limits for SFTP. Resolution: This internal defect was done to add support for the SFTP adapter properties needed by MFT-11238 and MFT-11309: sftp.inbound.max.window.size = 2097152 (2M maximum inbound window size) sftp.inbound.min.window.size = 131072 (128k minimum inbound window size) sftp.backend.max.packet.size = 4194304 (4M initial backend window size) sftp.backend.max.window.size = 4194304 (4M max backend packet size) MFT-11467/IT34992 (Engine) - Problem with HTML rewrite - connection close When 'HTML Rewrite' is selected in SSP, if the backend HTTP Server sends a response with a 'Connection: close' header and does not include content length or chunked transfer encoding headers, the browser does not get the full response body. Resolution: Made changes to handle Connection: close header. SSP-4706/ADV0026225 - Upgrade IBM JRE to 8.0.6.15 level for security patches Resolution: Update the IBM JRE to satisfy the CVEs in the Oracle July 2020 CPU, PSIRT advisory 26225. See https://www.ibm.com/support/pages/node/6398774 for the Security Bulletin. SSP-4710/ADV0027000 (Engine) - Upgrade Apache ActiveMQ to 5.16 for security patches Resolution: Updated the Apache ActiveMQ libraries to v5.16.0 to mitigate CVE-2020-13920, a man-in-the-middle attack. This is PSIRT advisory 27000. See https://www.ibm.com/support/pages/node/6398750 for the Security Bulletin. SSP-4812/ADV0028030 (Engine,CM) - Update Jetty toolkit to 9.4.34 for security patches Resolution: Updated the Eclipse Jetty toolkit to 9.4.34 to mitigate CVE-2020-27216, dealing with elevated privileges. This is PSIRT advisory 28030. See https://www.ibm.com/support/pages/node/6398772 for the Security Bulletin. MFT-11683/IT35628 (Engine) - SFTP disconnects when >500 files in a mailbox SFTP sessions were failing when connecting to an SFG mailbox with 500 files in it. MFT-11238 introduced a 4M default value for the SFTP adapter property sftp.backend.max.packet.size which sets the sessionMaxPacketSize in the Maverick toolkit for the backend session to B2B1. The large packet size caused the Maverick toolkit on B2Bi to throw an exception when trying to return a directory listing for an SFG mailbox with over 500 files. Resolution: Make the default of the sftp.backend.max.packet.size adapter property to 34000 (33.2 KB) and enforce a maximum value of 56320 (55 KB). MFT-11742/IT35559 (CM) - Jetty failure at CM startup after upgrade to iFix 03 Customers installing the new SSPCM or SEAS for iFix 10 could not bring up the SSPCM or SEAS. The error message was KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead) The new Jetty for PSIRT ADV0028030 introduced a requirement of having only one CA-signed keycert in the keystore unless using a server form of the SslContextFactory class. The problem could also occur with one Subject Alternative Name (SAN) keycert which has multiple hosts. Resolution: Updated our Jetty instance to use the SslContextFactory$Server class as required when SAN certificates or multiple signed certificates are present in the keystore. MFT-11830/IT36115 (Engine) - SFTP transfers stall with Maverick 1.7.32 After putting on SSP6011 iFix 1 Build 188 or higher, several Customers experienced SFTP transfers hanging, stalling, or failing on uploads or downloads. That build introduced a newer Maverick toolkit which caused the instability. This issue also tracked internally with MFT-11982. Resolution: Through much testing with small, medium and large files, it was determined that the 1.7.20 toolkit which we had on prior to 1.7.32 was much more stable, so we are reverting to that toolkit while working with the Maverick vendor on the transfer issues. Note: This also temporarily lifts the restriction introduced in the Maverick 1.7.31 toolkit that all keys presented to SSP must have a key size of 1024 or greater. We still recommend that all trading partners update any keys which are deficient so that they will not fail in a future build. SSP-4965/ (CM,Engine) - Updated code signing certificate for signing jarfiles The code signing certificate for signing jar files expires March 14, 2021. Internal testing with dates beyond the expiration date showed no side effects on starting and running SSP or the SSPCM. Resolution: Now sign all jars with a new jar signing certificate. MFT-11853/IT36501 (Engine) - Invalid Eyecatcher exception in logs SSP logs were showing Invalid Eyecatcher exceptions when interacting with SEAS. There is built in logic to make sure that every header received by SEAS and returned from SEAS has a 4 character eyecatcher as a validation. Resolution: Now dump the eyecatcher when the error happens so that the underlying issue with the send/receive on the SEAS socket can be diagnosed. SSP-4714/ (CM) - SSPCM Fresh install gets ERROR on Solaris The install log for a new install of the CM on Solaris showed an ERROR message, even when the installation was successful. Unable to locate /jre/bin/ikeyman Resolution: Removed a stray character in a variable name within the InstallAnywhere deck so that IA could find the ikeyman pointer file on a Solaris install. SSP-4986/ (CM) - Unable to update webCiphers with ConfigureCmSslTool Using the ConfigureCmSslTool utility to update the Jetty Cipher Suites, none of the selected cipher suites will pass validation. Resolution: Corrected the validation method for the webCiphers. SSP-5021/ADV0031888 (CM) - Resource leakage vulnerability found in scan An internal security scan revealed that resources were not being closed properly in all circumstances, resulting in memory leakage. Resolution: Now close the resources properly to avoid the memory issues. See https://www.ibm.com/support/pages/node/6471577 for the Security Bulletin. SSP-5022/ADV0027664 (CM,Engine) - Upgrade httpcomponents-client to 4.5.13 An internal scan suggested a newer version of the httpcomponents-client toolkit. Upgraded to the 4.5.13 version of the httpcomponents-client toolkit. This also fixes several serialization and URL processing issues. See https://www.ibm.com/support/pages/node/6471577 for the Security Bulletin. SSP-5077/ADV0031827 (CM,Engine) - Upgrade Eclipse Jetty to 9.4.41 An internal scan suggested a newer version of the Jetty toolkit. Resolution: Upgraded the Jetty toolkit to the 9.4.41 level. See https://www.ibm.com/support/pages/node/6471577 for the Security Bulletin. SSP-5096/ (CM) - Keystore and Truststore passwords dumped in CM Debug log When logging level is enabled to DEBUG in the SSPCM GUI, the keystore and truststore passwords are displayed in the clear. Resolution: Now ensure that the password values are not displayed. SSP-4956/ADV0028445 (CM,Engine) - Oracle Java Oct 2020 CPU deferred CVE Resolution: Upgraded the IBM JRE to the 8.0.6.30 level to satisfy the CVEs in the Oracle October 2020 CPU, PSIRT advisory 28445. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484671 SSP-5012/ADV0031846 (CM,Engine) - Risky cryptographic algorithm vulnerability This vulnerability was fixed as part of SSP-5080/ADV0031848. See that defect for more information. SSP-5016/ADV0031847 (CM,Engine) - Hard-coded secrets vulnerability An internal security scan revealed the use of a hard-coded password in some SSP files. Resolution: 1) Now read the truststore password from defTrustStore.xml when loading the truststore for SAML-IDP signature validation. 2) Generate a random string for a password to load a keystore in memory when using the HSM managekeycert utility. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484681 SSP-5080/ADV0031848 (CM,Engine) - Weak hash vulnerability An internal security scan revealed the use of hash values which were not computationally intensive enough. Also tracked internally as SSP-5012. Resolution: Now use a strong salt and a PDKSF2 hashing technique. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484681 SSP-5093/ADV0029859 (CM,Engine) - Oracle Java Jan 2021 CPU Resolution: Upgraded the IBM JRE to the 8.0.6.30 level to satisfy the CVEs in the Oracle January 2021 CPU, PSIRT advisory 29859. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484671 SSP-5116/IJ33416 (Engine) - CD TLSv1 sessions fail with "SSLv2Hello is not enabled" in new IBM JRE 8.0.6.25 When attempting to use the IBM JRE 8.0.6.25, Connect:Direct UNIX and Windows sessions using TLSv1 were failing to connect to SSP, which gave an error, "SSLv2Hello is not enabled". The CD sessions were using a legacy SSLv2Hello to start the TLS exchange, which negotiates up to TLSv1. If configured for TLSv1.2, the session worked correctly. Resolution: The IBM Java team added support back in for receiving a client SSLv2Hello in JRE 8.0.6.30, after taking it out in 8.0.6.25. Workaround: The best long term solution is for all CD sessions to be configured for TLSv1.2 going forward. Support for TLSv1 and TLSv1.1 is going away in the next JRE from IBM. SSP-5698/ (CM, Engine) - SSL debug output not going to systemout.log The Systemout logger required buffers with a newline string ("\r\n" or "\n") to output a buffered string. The SSL debug output did not always cooperate. Without the newline, the output gets buffered and never flushed into the log, unless one comes from another source. Resolution: Now buffer up to 4096 bytes and log it even if there is no newline at the end. MFT-12762/ADV0040089 (CM/Engine) - Log4j CVE-2021-44228 JNDILookup issue HIPER: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Resolution: Now supply log4j 2.15.0, where this behavior has been disabled by default.