================================================================================ Fixlist for IBM Secure Proxy 6.0.3.0 (SP6030) iFix 01 Plus Includes Log4j 2.16.0 jars for CVE-2021-44228 and CVE-2021-45046 JNDI Lookup Vulnerability December 2021 ACTION: After applying 6.0.3.0, SSPCM web sessions may be rejected if the hostname does not match the hostnames in the new /conf/cmconfig.properties file. See See SSP-5088/ADV0031920 below for more information. ACTION: With 6.0.3.0, TLSv1 and TLSv1.1 security protocols are disabled by default. See SSP-5483 below for instructions to enable. ================================================================================ This cumulative maintenance iFix includes the GA release of SSP Engine and SSP Configuration Manager 6.0.3.0 as well as the fixes for the issues mentioned below. The install images for the SSP Engine, CM and PS may be used to install a new image or upgrade an existing image in place. Contents: I. HIPER fixes / Fixes requiring Action by iFix II. Summary of Fixes by iFix/Build (Latest iFix / Builds first) III. Detailed Description of Fixes =============================================================================== I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action =============================================================================== ACTION - iFix images for HP, Solaris, and zLinux(s390) will no longer be placed on Fix Central. Contact Support if you need an iFix loaded to EcuRep. ACTION - It is a good practice to take a full backup of the install directory before putting on a new build. In SP 6.0.3.0 (SP6030) iFix01 Plus Build 135 (December 2021): HIPER - ADV0040239 - Log4j CVE-2021-45046 JNDILookup issue See SSP-5743/ADV0040239 below for details. In SP 6.0.3.0 (SP6030) iFix01 Build 134 (December 2021): HIPER - ADV0040089 - Log4j CVE-2021-44228 JNDILookup issue See MFT-12762/ADV0040089 below for details. In SP 6.0.3.0 (SP6030) GA Build 120 (October 2021): ACTION - After applying 6.0.3.0, SSPCM web sessions may be rejected if the hostname in the URL https://:/SSPDashboard does not match one of the hostnames in the new /conf/cmconfig.properties file. See SSP-5088/ADV0031920 below for more information ACTION - With 6.0.3.0, TLSv1 and TLSv1.1 security protocols are disabled by default. See SSP-5483 below for instructions to enable. In SP 6.0.2.0 (SP6020) iFix 03 Build 204 (August 2021): HIPER - Addressed various security advisories (links to security bulletins under fix descriptions): ADV0028445 - Oracle Java Oct 2020 CPU deferred CVE ADV0029859 - Oracle Java Jan 2021 CPU ADV0031846 - Risky cryptographic algorithm vulnerability ADV0031847 - Hard-coded secrets vulnerability ADV0031848 - Weak hash vulnerability ADV0032087 - Container environment compoments vulnerability ACTION: For this iFix, the TLSv1 and TLSv1.1 protocols continue to be allowed. In the next iFix, they will be disabled by default. Customers should change all TLS connections to use the TLSv1.2 protocol. In SP 6.0.2.0 (SP6020) iFix 02 Build 192 (June 2021): HIPER - Addressed various security advisories (links to security bulletins under fix descriptions): ADV0027664 - Upgrade httpcomponents-client tooolkit ADV0031827 - Upgrade Eclipse Jetty toolkit ADV0031888 - Resource leakage ADV0031895 - Unrestricted document type definition The following have been re-evaluated and determined to not be vulnerabilities. ADV0023803 - Upgrade Apache Santuario toolkit ADV0031824 - Upgrade Guava: Google Core Libraries for Java toolkit ADV0031843 - Upgrade Apache ActiveMQ toolkit ADV0031845 - Dubious method issue In SP 6.0.2.0 (SP6020) iFix 00 Plus Build 148 (April 2021): HIPER/ACTION - Keycert passwords visible as clear text in engine audit logs when configuration is pushed. See MFT-11965 HIPER/ACTION - Before upgrading to SSP6011 or SSP6020, the admin should check that the Sessionid Cookie Domain field in the GUI is either blank or it is the fully qualified domain name of the SSPCM. See MFT-11971. In SP 6.0.2.0 (SP6020) iFix 00 Plus Build 143 (March 2021): HIPER - Updated code signing certificate for signing jarfiles. See SSP-4965. In SP 6.0.2.0 (SP6020) iFix 00 Plus Build 135 (March 2021): HIPER - Revert to older Maverick SFTP toolkit to alleviate hangs during uploading and downloading of files. See MFT-11830 for details. In SP 6.0.2.0 (SP6020) iFix 00 Plus Build 132 (February 2021): HIPER - New Jetty keeps SSPCM from coming up if multiple keycerts are detected - See MFT-11742 ACTION - If your site has rebranded the HTTP Signon pages or scripts, you must re-apply your customizations after the upgrade. See MFT-11669. In SP 6.0.2.0 (SP6020) GA Build 120 (December 2020): HIPER - Update JRE 1.8 to SR6 FP15 (8.0.6.15) for security patches - See PSIRT ADV0026225 for more details. HIPER - Address vulnerability in Eclipse Jetty toolkit. See ADV0028030. HIPER - Address vulnerability in Apache ActiveMQ toolkit. See ADV0027000. In SP 6.0.1.1 (SP6011) iFix 02 Plus Build 208 (November 2020): ACTION - If your site has customized the login.js scripts, you must re-apply your customizations after the upgrade. See MFT-11536 for specifics. In SP 6.0.1.1 (SP6011) iFix 02 Build 193 (September 2020): HIPER - Address vulnerability in Apache Commons Codec toolkit. See ADV0025470 In SP 6.0.1.1 (SP6011) iFix 01 Plus Build 188 (September 2020): HIPER - Upgraded Maverick SSH toolkits to the 1.7.32 level for thread deadlock and OutOfMemory issues. See MFT-11273 for details. ACTION - SFTP key sizes, both yours and your trading partners, MUST be 1024 bits or higher. Ensure that key sizes are adequate before migrating to production. See MFT-11273 for details. In SP 6.0.1.1 (SP6011) iFix 01 Build 180 (August 2020): ACTION: The procedure to deploy IBM Secure Proxy using a Docker Container has changed. For more information see https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html. In SP 6.0.1.1 (SP6011) GA Build 150 (June 2020): ACTION: An Engine and any remote Perimeter Servers associated with its ACTION: adapters must be upgraded to the 6011 level at the same time to ACTION keep their PS code in sync. Otherwise the adapters will fail to ACTION: start with "Unable to connect to remote perimeter server..." ACTION: See SSP-3966 for details. HIPER - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches - See PSIRTs ADV0021791 and ADV0023736 for more details. HIPER - XML External Entity (XXE) vulnerability in SSP - See SSP-4323 (PSIRT ADV0023731 for more details. In SP 6.0.1.0 (SP6010) iFix 02 Build 134 (March 2020): HIPER - Update JRE 1.8 to SR6 FP05 (8.0.6.5) for security patches - See PSIRT ADV0021787 for more details. HIPER - Missing secure attribute in encrypted session (SSL) cookie - See SSP-3793 (PSIRT ADV0022033) for more details. In SP 6.0.1.0 (SP6010) General Availability (January 2020): ACTION - For a detailed list of the new features in the 6010 release, see https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html ACTION - Installation issues with Docker containers - See SSP-4220 In SP6000 Fixpack 1 (SP6001) iFix 01 (October 2019): HIPER - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches - See PSIRT17288 for more details. HIPER - Possible vulnerability in Jetty server. See PSIRT16274, PSIRT16318 In SP6000 Fixpack 1 (SP6001) iFix 00 Plus (September 2019): ACTION - SSP can run out of threads if SEAS goes down and the SFTP adapter does not have failover coded. See MFT-10402 In SP6000 FixPack 1 (SP6001) General Availability (August 2019): ACTION - For a detailed list of the new features in the 6001 FixPack, please see https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.0/com.ibm.help.ssp.overview.doc/ssp_whats_new.html ACTION - RESTAPI requires new X-Passphrase keyword for exporting, importing sensitive objects: sspCMConfigs, Netmaps, Keystores, sysSslInfo, globals. See https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.0/com.ibm.help.ssp.apis.doc/CommonFiles/rest_api_request_headers.html In SSP6000 iFix 2 (June 2019): ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) disables anon and null cipher suites and includes a new parm for distrusting CAs. For more information, see the writeup below for PSIRT15330. ACTION - New feature to restrict access to pages under the /Signon directory. If you have added additional files or directories as part of customizing the Login portal (/Signon directory), you must add whitelist entries for them similar to the existing entries in the new /bin/portal/pages.properties file. See SSP-3542 for details. In SSP60000 iFix 1 (March 2019): NONE - In SSP60000 GA (February 2019): ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced changes to disable SHA1 certificates. See PSIRT12959 and PSIRT13809 for more details. =============================================================================== II. Summary of Fixes by iFix/APAR (Latest iFix / FixPack first) Fixes are marked as Engine and CM (Configuration Manager) =============================================================================== ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.3.0 (SP6030) iFix 01 Plus Build 135 Dec 2021 ------------------------------------------------------------------------------- SSP-5743/ADV0040239 (CM/Engine) - Log4j CVE-2021-45046 JNDILookup issue ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.3.0 (SP6030) iFix 01 Build 134 Dec 2021 ------------------------------------------------------------------------------- MFT-12423/IT39259 (Engine) - Unknown SFTP user can log in to SSP in passthrough mode MFT-12446/IT39123 (Engine) - Support for specifying engine client alias during import and stopEngine.sh MFT-12618/ (Engine) - Set Maxheap on Windows via LAX file lax.nl.java.option.additional parm MFT-12762/ADV0040089 (CM/Engine) - Log4j CVE-2021-44228 JNDILookup issue SSP-5698/ (CM, Engine) - SSL debug output not going to systemout.log SSP-5472/ (CM) - RESTAPI validation for certificate names added to the keystore/truststore SSP-5484/ (CM) - Ciphersuites specified in the OSA monitoring tab not being honored. ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.3.0 (SP6030) GA Build 120 Oct 2021 ------------------------------------------------------------------------------- o New with Secure Proxy 6.0.3.0: See https://www.ibm.com/docs/en/secure-proxy/6.0.3?topic=overview-new-features-enhancements - Enhancement to support ICAP virus scanning with the HTTP adapter for MyFG2.0 (See SSP-4326) - Enhancement to support the TLS 1.3 security protocol (See SSP-4959) - New host header checking for access to the SSPCM (See SSP-5088) - SSPCM GUI support for Open Server Architecture (OSA) for secure event/status publishing to IBM Control Center (See SSP-5130) SSP-4326/ (CM,Engine) - Enhancement: Http ICAP support SSP-5045/ (CM,Engine) - Various issues reported by internal code scans SSP-4841/ (CM) - RESTAPI allowing simple SQL Injection SSP-4882/ (CM,Engine) - SCIRandom logging not sent to SSP log files SSP-4959/ (CM,Engine) - Support the TLSv1.3 security protocol SSP-4983/ (CM) - Allow SSP CM RESTAPI to use TLSv1.2, TLSv1.3 SSP-5043/ (CM) - Require a password policy when creating a new user. SSP-5088/ADV0031920 (CM) - Host header injection vulnerability SSP-5130/ (CM) - Enhancement: SSPCM support for configuring OSA and multiple EPs SSP-5483/ (CM,Engine) - Add java.security.override file to allow disabled TLSv1 SSP-5565/ (CM,Engine) - Upgrade thirdparty jars for SSP 6.0.3.0 SSP-5626/ (CM,Engine) - Support for IBM ISAM SAML2.0 IdP - ACS URL SSP-5698/ (CM,Engine) - SSL debug output not going to systemout.log ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 03 Plus Build 212 Oct 2021 ------------------------------------------------------------------------------- MFT-12294/IT38557 (CM) - RESTAPI UnrecoverableKeyException in concurrent processing MFT-12534/IT38589 (Engine) - Produce SSE2656 at INFO mode if -Dsftp.sse2656.as.info=true MFT-12557/ (CM) - RESTAPI import of older config fails on 'templateName' xml key. ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 03 Plus Build 210 Sep 2021 ------------------------------------------------------------------------------- MFT-12464/IT38350 (CM,Engine) - Previous Windows 6.x service not deleted during install SSP-4956/ADV0028445 (CM,Engine) - IBM JRE 8.0.6.30 for Solaris and HP SSP-5478/ (Engine) - Intermittent Unauthorized error when using SSP login portal in high concurrency SSP-5479/ (CM) - RESTAPI import fails on PESIT adapter with Invalid content on 'icapPSName' SSP-5520/ (CM) - CM GUI session from second tab gets Unauthorized Error ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 03 Build 204 Aug 2021 ------------------------------------------------------------------------------- MFT-12358/ (CM) - Allow Other provider under ICAP config SSP-4956/ADV0028445 (CM,Engine) - Oracle Java Oct 2020 CPU deferred CVE SSP-5012/ADV0031846 (CM,Engine) - Risky cryptographic algorithm vulnerability SSP-5016/ADV0031847 (CM,Engine) - Hard-coded secrets vulnerability SSP-5080/ADV0031848 (CM,Engine) - Weak hash vulnerability SSP-5089/ADV0032087 (CM,Engine) - Container environment compoments vulnerability SSP-5093/ADV0029859 (CM,Engine) - Oracle Java Jan 2021 CPU SSP-5116/IJ33416 (Engine) - CD TLSv1 sessions fail with "SSLv2Hello is not enabled" in new IBM JRE 8.0.6.25 SSP-5124/ (CM) - Nuisance msg in CM log: NoClassDefFoundError javax.security.auth.message.AuthException SSP-5155/ (Engine) - MyFG2.0 does not show the SSP portal login page when the SSOTOKEN expires SSP-5414/ (Engine) - Keep the hash value for ssotokens consistent in the debug logs SSP-5457/ (CM,Engine) - Merge Resource Leakage code to complete SSP-5021 ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 02 Plus Build 196 Jul 2021 ------------------------------------------------------------------------------- MFT-12189/ (Engine) - Add File name to HTTP URL in the ICAP request MFT-12271/IT37593 (Engine) - Interface issues with external SAML IdP MFT-12310/IT37562 (Engine) - SCP/SFTP rejecting transfers with "time" option ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 02 Build 192 Jun 2021 ------------------------------------------------------------------------------- o New with SP 6.0.2.0 iFix 02: - Enhancement to support MyFG 2.0 (See SSP-4994) - Enhancement to support OSA for publishing audit events to ICC (See SSP-5110) - Ability to install and run on Windows 2019 Server - Ability to install and run on Linux PowerPC Little Endian (Use new Linux_PPC-LE install image) - Addressed various security advisories (see defects with ADV00* below) MFT-12113/IT37411 (Engine) - Engine fails to start on Solaris MFT-12193/IT37112 (CM) - RESTAPI fails to import HSM certs SSP-4714/ (CM) - SSPCM Fresh install gets ERROR on Solaris SSP-4994/ (Engine) - Enhancement to support MyFG 2.0 SSP-5015/ADV0031895 (CM) - Unrestricted document type definition vulnerability found in scan SSP-5018/ADV0031845 (CM) - Dubious method issue found in scan SSP-5021/ADV0031888 (CM) - Resource leakage vulnerability found in scan SSP-5022/ADV0027664 (CM,Engine) - Upgrade httpcomponents-client to 4.5.13 SSP-5067/ADV0031843 (CM,Engine) - Upgrade Apache ActiveMQ toolkit to 5.16.2 SSP-5071/ADV0023803 (Engine) - Upgrade Apache Santuario to 2.2.1 SSP-5075/ADV0031824 (Engine) - Upgrade Guava: Google Core Libraries for Java to 30.1.1 SSP-5077/ADV0031827 (CM,Engine) - Upgrade Eclipse Jetty to 9.4.41 SSP-5096/ (CM) - Keystore and Truststore passwords dumped in SSP-5110/ (CM,Engine) - Enhancement to support OSA for publishing audit events to Control Center (ICC) SSP-5141/ (CM) - SSPcm upgrade fails after second restart with IOException: Keystore type is not PKCS12 SSP-5212/ (CM,Engine) - Connection failures with multiple EPs support ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 01 Plus Build 166 Jun 2021 ------------------------------------------------------------------------------- MFT-11724/IT36856 (Engine) - ICAP integration with provider: BitDefender MFT-11940/IT37028 (CM) - SSPCM User Auth with EA - Support SEAS Alternate Server configuration MFT-12099/IT36837 (Engine) - SSP Change Password Portal login issue MFT-12193/IT37112 (CM) - RESTAPI import of HSM keys gets "Invalid content was found starting with element keyStoreProvider SSP-4986/ (CM) - Unable to update webCiphers with ConfigureCmSslTool SSP-5105/ (CM) - NPE when switching CM User auth from EA to local store SSP-5126/ (CM) - RESTAPI import fails when ICAP scan option is NONE for CD node ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 01 Build 158 May 2021 ------------------------------------------------------------------------------- MFT-11853/IT36501 (Engine) - Invalid Eyecatcher exception in logs MFT-11917/IT36577 (CM) - Lock manager in GUI not behaving as expected MFT-11944/IT36706 (Engine) - SSP SSO Myfilegateway login fails when resource files missing after SSP upgrade MFT-12018/IT36711 (CM, Engine) - SFTP does not support DH Group18-sha512 key exchange ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 00 Plus Build 148 Apr 2021 ------------------------------------------------------------------------------- MFT-11769/IT36186 (CM) - Cannot sign in to SSPCM when going through WebSeal proxy MFT-11902/IT36593 (Engine) - SFTP SSE2654 "Session limit of 'n' has been exceeded" message not posted in logs MFT-11937/IT36198 (Engine) - Upgrade from pre-SSP6001 in FIPS mode causes engine startup to fail MFT-11968/IT36578 (Engine) - Max session limit on one SFTP adapter limits sessions on other adapters with higher setting MFT-11965/IT36452 (Engine) - Keycert passwords visible as clear text in Engine audit logs when configuration pushed. MFT-11971/ (CM) - Cannot Login to SSPCM after upgrade to 6.0.2.0 or 6.0.1.1 iFix 3 if Sessionid Cookie Domain is misconfigured ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 00 Plus Build 143 Mar 2021 ------------------------------------------------------------------------------- MFT-11762/IT36161 (Engine) - After importing engine certificate, dfltEngineKeyStore and dfltEngineTrustStore are renamed to dfltCMKeyStore and dfltCMTrustStore MFT-11873/IT36145 (Engine) - Remove TRACE from allowed methods in HTTP Adapter MFT-11875/IT36185 (CM,Engine) - Silent install ends with 255 code due to failure reported in Import/generate certificate step SSP-4965/ (CM,Engine) - Updated code signing certificate for signing jarfiles ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 00 Plus Build 135 Mar 2021 ------------------------------------------------------------------------------- MFT-11770/ (Engine) - Set HttpOnly, Secure for SspWebSessionId cookie MFT-11830/IT36115 (Engine) - SFTP transfers stall with Maverick 1.7.32 ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) iFix 00 Plus Build 132 Feb 2021 ------------------------------------------------------------------------------- MFT-11467/IT34992 (Engine) - Problem with HTML rewrite - connection close MFT-11666/IT35478 (Engine) - SFTP adapters go offline when too many sessions per user on SFG MFT-11669/ (Engine) - Protect login form from CSRF MFT-11683/IT35628 (Engine) - SFTP disconnects when >500 files in a mailbox MFT-11742/IT35559 (CM) - Jetty failure at CM startup after upgrade to iFix 03 SSP-4873/ (CM,Engine) - Support SFTP adapter property to set front end rekey count SSP-4908/ (Engine) - PS for SSP on Windows shows SSP.INSTALLED.VERSION=6.0.3.2 SSP-4950/ (CM) - SSPCM adding duplicate cookies ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.2.0 (SP6020) GA Build 120 Dec 2020 ------------------------------------------------------------------------------- New features see https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.2/com.ibm.help.ssp602.doc/com.ibm.help.ssp.overview.doc/ssp_whats_new.html o Support to proxy outbound Connect Direct connections through a SOCKS5 Proxy Server. SSP-2963/ (CM) - Remove option to update the security under the CMSystemSettings SSP-3548/ (CM) - Allow configuration of the maximum header length and content size for the SSPCM. SSP-4518/ (Engine) - ICAP Logging improvements SSP-4606/ (Engine) - Audit log messages for CD ICAP support SSP-4614/SSP-4699 (CM,Engine) - Fix resource leak issues reported by internal code scan SSP-4666/ (CM,Engine) - Log stacktraces when startup fails SSP-4694/4697/4698 (CM,Engine) - Support for SOCKS5 Proxy for outbound CD connections SSP-4706/ADV0026225 (Engine,CM) - Upgrade IBM JRE to 8.0.6.15 level for security patches SSP-4710/ADV0027000 (Engine) - Upgrade Apache ActiveMQ to 5.16 for security patches SSP-4736/ (CM) - Upgrade Jackson jars to latest SSP-4742/ (CM,Engine) - Data Collector for non-Windows CM & engine leaves LongDirectoryOutput.txt empty SSP-4801/ (CM) - Upgrade IBM MQ Client to latest SSP-4812/ADV0028030 (Engine,CM) - Update Jetty toolkit to 9.4.34 for security patches SSP-4925/ (Engine) - Remove license type prompt from Engine install ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 02 Plus Build 217 Nov 2020 ------------------------------------------------------------------------------- MFT-11512/IT34993 (Engine) - (HSM) HTTPs fails with HSM enabled MFT-11517/IT34628 (CM) - RESTAPI validation of CD netmap node ip addr MFT-11519/IT34997 (Engine) - SSP OutOfMemory (OOM) with 80% in com.sterlingcommerce.cspssh.parameters.Parms MFT-11578/IT34989 (CM) - SSPCM adding to user store fails with password policy selected after upgrade SSP-4866/ (CM) - Password policy fields not initialized properly after upgrade from SSP3432 ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 02 Plus Build 208 Nov 2020 ------------------------------------------------------------------------------- MFT-11238/IT34624 (Engine) - (SFTP) Negative message length SshException for DATA packet from non-standard server MFT-11309/IT34732 (Engine) - (SFTP) SSE2640 sshd channel closing when local window size goes below 32k MFT-11517/IT34628 (CM) - RESTAPI validation of CD netmap node ip addr MFT-11536/IT34761 (Engine) - "testSSPCookie" fails Customer's Security scan MFT-11557/IT34792 (CM) - RESTAPI SFTP Netmap import allows unreferenced remoteClientKeyStore SSP-4799/ (Engine,CM) - Allow configurable window and packet size limits for SFTP. ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 02 Plus Build 203 Oct 2020 ------------------------------------------------------------------------------- MFT-11511/IT34629 (CM,Engine) - Performance problems editing large netmaps SSP-4206/ (Engine) - Logs show "SSP0040I Support for IBMPKCS11Impl HSM is enabled" though HSM is not enabled SSP-4232/ (Engine) - Wrong certificate store displayed for Engine ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 02 Plus Build 201 Oct 2020 ------------------------------------------------------------------------------- MFT-11423/IT34330 (Engine) - (HTTP) Empty cookie header sent to PEM MFT-11428/IT34518 (CM,Engine) - CM performance problems editing large netmaps ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 02 Plus Build 199 Oct 2020 ------------------------------------------------------------------------------- MFT-11388/IT34365 (Engine) - (FTPs) loopback transfers failing 75% of time MFT-11411/IT34415 (CM) - RESTAPI Validation of Peer address range (IP Subnet range) in Netmap Inbound Nodes MFT-11429/ (Engine) - SSP adapters listening even after outbound node becomes unreachable MFT-11451/IT34408 (CM) - RESTAPI addNodes failed with "Content is not allowed in prolog" through sspRestAPI utility ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 02 Build 193 Sep 2020 ------------------------------------------------------------------------------- MFT-11423/IT34330 (Engine) - MyFG 2.0 (B2Bi 6.1) REST API Authentication fails when it goes through SSP SSP-4640/ (CM,Engine) - Vulnerability in Apache Commons Codec ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 01 Plus Build 188 Sep 2020 ------------------------------------------------------------------------------- MFT-11273/IT33922 (Engine) - JVM thread deadlocks in Maverick code; OutOfMemory during large SFTP download SSP-3583/ (CM) - unauthorized.jsp does not display IBM in header title SSP-4138/ (CM) - manageKeyCerts cannot copy non-HSM keycert SSP-4662/ (CM) - RESTAPI missing validations of Password Policy SSP-4668/ (CM) - RESTAPI allows empty eaAuthProfile and eaCertProfile tags to be imported SSP-4670/ (CM) - RESTAPI services do not report exception ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 01 Build 180 Aug 2020 ------------------------------------------------------------------------------- New Features in SP 6.0.1.1. iFix 01 Docker Changes - The procedure to deploy IBM Secure Proxy using a Docker Container has changed. For more information, see Deploying IBM Sterling Secure Proxy using a Docker container at https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html. HELM Chart Support - This iFix allows the IBM Sterling Secure Proxy users to deploy their applications in a Kubernetes base containerized environment using Helm Chart. For more information see the above link. MFT-11130/IT33879 (Engine) - Intermittent requests to SEAS timing out MFT-11139/IT33786 (Engine) - During load testing, SEAS shows ERROR "AUTH037E Authentication request missing password." SSP-4675/ (CM) - NullPointerException adding trustedCert ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 00 Plus Build 166 Aug 2020 ------------------------------------------------------------------------------- MFT-11287/IT33627 (CM) - Allow comma and apostrophe in CM key passwords MFT-11293/IT33828 (Engine) - 229 response for FTP EPSV causes problems with some partners ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) iFix 00 Plus Build 163 Jul 2020 ------------------------------------------------------------------------------- MFT-11269/IT33625 (PS) - PS silent install gving bad port error SSP-3804/ (Engine, CM) - Passphrase validation in silent install SSP-4450/ (CM) - Add checkboxes to Password Policy in SSP CM SSP-4480/ (CM) - RESTAPI add missing validations SSP-4529/ (CM) - Allow CM login page from root (/) SSP-4597/ (Engine,CM) - Install rejects password with $$ SSP-4620/ (Engine,CM) - Set TLSv1.2 protocol for CM, Engine and Web Server (Jetty) ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.1 (SP6011) GA Build 151 Jun 2020 ------------------------------------------------------------------------------- New features see https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html o Support to scan inbound CD data in transit via Secure Proxy for virus and malware scan - See SSP-4309 o Apply password policy for system passphrase and admin password for new installs - See SSP-3701 o Upgrade Perimeter Server code to same as B2Bi 6.0.3.2 - See SSP-3966 MFT-11042/ (Engine,PS) - Getting IOException: Too many open files SSP-3582/ (Engine) - Blacklisted events are logged as ERROR messages SSP-3701/ (Engine,CM) - Apply password policy for system passphrase and admin password for new installs SSP-3966/ (Engine,PS) - Upgrade Perimeter Server code to same as B2Bi 6.0.3.2 SSP-4016/ (CM) - RESTAPI import does not update Jetty Server alias SSP-4190/ (Engine) - Getting IllegalBlockSizeException after upgrade SSP-4198/ (CM) - configureCmSsl -s utility not showing all certs SSP-4308/ (Engine,CM) - Add password policy for command line changePassphrase utility SSP-4309/SSP-4322 (Engine,CM) - Support for ICAP Anti-Virus Scanning in C:D SSP-4310/SSP-4445 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches. SSP-4510/ (Engine,CM) - (SFTP) Allow reject option when ICAP session limit is exceeded SSP-4590/ (Engine) - Missing HTTP headers in response from MFG ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 02 Plus Build 147 Jun 2020 ------------------------------------------------------------------------------- MFT-11200/IT33098 (Engine) - NPE in Maverick logs ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 02 Plus Build 145 May 2020 ------------------------------------------------------------------------------- MFT-11151/IT32957 (Engine) - SSP6010 upgrade fails on Windows ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 02 Plus Build 143 May 2020 ------------------------------------------------------------------------------- MFT-10874/ (Engine) - Engine listCerts.sh not working in 6010 MFT-10995/IT32374 (Engine) - SFTP adapter hung in a stopping state MFT-11060/IT32769 (Engine) - SFTP Getting SSE2654 Session limit exceeded on wrong adapter(s) MFT-11075/IT32687 (CM) - Change to SFTP Policy in 6.0.1.0 greyed out the Pass-Through option for Password and Key MFT-11106/IT32810 (CM) - Unable to delete default self signed certificate from SSPCM SSP-4215/ (CM) - RESTAPI import error - Invalid cipher suite specified twofish256-cbc SSP-4323/SEAS-1233 (Engine) - XML External Entity (XXE) vulnerability in SSP SSP-4346/ (Engine) - SFTP ICAP AntiVirus scanning getting spurious RuntimeException: no messages in ICAP cache ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 02 Build 134 Mar 2020 ------------------------------------------------------------------------------- MFT-10765/IT31672 (CM) - 6.0.0.1F1 with Client Auth not working with SAN certs, getting ERR_BAD_SSL_CLIENT_AUTH_CERT MFT-10779 (CM) - RESTAPI import errors with backupDir and urlMapEntry MFT-10853/IT31763 (CM) - (GUI) SSPcm user binds to LDAP twice with SEAS for single login MFT-10887/ (CM,Engine,PS,SEAS) - GPF in SSP engine MFT-10889/IT32078 (CM) - (GUI) CM session timeout still allows partial access of the GUI function MFT-10898/ (CM,Engine,PS) - (Container) Can not create APP_USER in the yaml file with GID of 1001 MFT-10903/IT32096 (CM,Engine) - configureCmSsl and configureEngineSsl not adding certificate chain to cmtrustore or truststore MFT-10904/ (CM,Engine,PS,SEAS) - GPF in SSP engine MFT-10959/IT32191 (CM) - (GUI) Unable to update keystore with certain PFX keys. PEM format works SSP-3771/ (CM) - Updates to make CM logging more readable SSP-3793/ (CM) - Missing secure attribute in encrypted session (SSL) cookie SSP-4182/ (CM) - ICAP configuration field validation issues SSP-4183/ (CM,Engine) - Files with temporary names not getting AV scanned SSP-4195/ (CM) - RESTAPI ICAP field validation errors for empty maxSessions file extensions SSP-4202/ (CM) - SSPCM was allowing unsupported HTTP methods to be processed SSP-4207/ (CM, Engine) - New Engine install fails while importing keycert if engine port is in use SSP-4223/ (Engine) - Excessive logging on idle SFTP adapter SSP-4236/PSIRT21787 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches. SSP-4244/ (Engine,CM,PS) - Cannot start docker container after stopping it ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.0 (SP6010) iFix 01 Build 121 Jan 2020 ------------------------------------------------------------------------------- MFT-10779 (CM) - RESTAPI import errors with backupDir and urlMapEntry SSP-4186 (Engine,CM) - System passphrase not getting validated during upgrade when bootstrap is disabled SSP-4200 (Engine,CM) - Installer needs to confirm key passwords SSP-4208 (Engine) - HSM command line clients cannot connect to engine SSP-4220 (Engine,CM) - Installation issues with Docker containers ------------------------------------------------------------------------------- Summary of Fixes for SP 6.0.1.0 (SP6010) GA Build 116 Jan 2020 ------------------------------------------------------------------------------- New features see https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html o Deploying IBM Secure Proxy containers in Red Hat OpenShift platform; Red Hat container certification o Support to scan inbound data in transit via Secure Proxy for virus and malware scan - See SSP-3834. o Support to secure connection between Engine and Configuration Manager using self-signed certificates - See SSP-3543 o Support to prevent storage of passphrase required at start up using a utility - see SSP-3854 o Support to set administrator password at installation SSP-3540 (Engine) - Do not log sessionids or sso tokens used for authentication SSP-3543 (CM, Engine) - Generate keys at install time SSP-3612 (Engine,CM) - Make Security Headers active by default for the HTTP adapter SSP-3803 (Engine,CM) - Generate unique encryption key at install time SSP-3834 (Engine,CM) - Support for ICAP Anti-Virus Scanning in SFTP SSP-3854 (Engine,CM) - New disableBootstrap command-line utility SSP-4120 (CM) - Update Apache Commons BeanUtils to 1.9.4 ------------------------------------------------------------------------------- Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 01 Plus Build 136 Jan 2020 ------------------------------------------------------------------------------- MFT-10616/IT30591 (CM) - REST API fails with "The processing instruction target matching "[xX][mM][lL]" is not allowed" MFT-10656/IT30692 (CM) - SSPCM “Enable SSP CM startup backup” field in CM System settings has no effect MFT-10692/IT30823 (CM) - (FTP) EPSV command giving wrong response MFT-10704/IT31049 (Engine) - Engine audit logs contain hashed passwords MFT-10737/IT31341 (Engine) - Unable to login to the CM after upgrade MFT-10749/IT31534 (CM) - NPE during RESTAPI session cleanup. MFT-10762/IT31135 (Engine) - (CD) SSP incorrectly logs stepname of run task and run job C:D process steps MFT-10774/IT31439 (Engine) - (CD) CSP032E 4 KQV keyword "RLS2" found in FM70, but not defined in XML schema definition MFT-10832/IT31500 (Engine) - (HTTP) Duplicate Host Header attribute SEAS-1083/ (Engine) - (HTTP) Password change on SSO portal clears all policies on password policy display tab ------------------------------------------------------------------------------- Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 01 Build 124 Oct 2019 ------------------------------------------------------------------------------- MFT-10357/PSIRT16274,16318 (Engine,CM) - Security upgrade to Jetty 9.4.20 MFT-10485/IT30344 (Engine) - (SFTP) OutOfMemoryError "Java heap space" crash MFT-10578/PSIRT17288 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches. MFT-10608/IT30643 (Engine) - (SFTP) Added client ciphers as well as negotiated ciphers in logging. ------------------------------------------------------------------------------- Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 00 Plus Build 122 Oct 2019 ------------------------------------------------------------------------------- MFT-10541/IT30346 (CM) - (RESTAPI) userStore API update throwing exception on CLI. MFT-10559/IT30200 (CM) - Jetty Http server uses incorrect certificate alias MFT-10564/IT30532 (Engine) - Blacklist not displaying messages for SFTP protocol ------------------------------------------------------------------------------- Summary of Fixes for SP6000 FixPack 1 (SP6001) iFix 00 Plus Build 119 Sep 2019 ------------------------------------------------------------------------------- MFT-10402/IT30050 (Engine) - *HIPER* (SFTP) OutOfMemory (out of threads) when SEAS goes down with no failover coded MFT-10483/IT30076 (CM) - RESTAPI activity leads to OutOfMemory (OOM) full of AuthenticationResource, JMS objects SSP-3530/ (CM) - REST API issues when importing from older CM SSP-3810/ (CM) - REST API xsd failure for ssoConfig and sysGlobals SSP-3833/ (CM) - RESTAPI failure on userstore entry without password policy. ------------------------------------------------------------------------------- Summary of Fixes for SP6000 FixPack 1 (SP6001) GA Build 114 Aug 2019 ------------------------------------------------------------------------------- New Features - see https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.0/com.ibm.help.ssp.overview.doc/ssp_whats_new.html o Support to include HTTP host header and client IP address in requests forwarded to backend HTTP servers. See SSP-3667 for more information o Additional configuration fields to support SSO and external SAML IdP o Support to export encrypted configuration data via RESTful APIs - ACTION: Requires new X-Passphrase keyword for exporting, importing sensitive objects: sspCMConfigs, Netmaps, Keystores, sysSslInfo, globals. See SSP-3539. o Require user to supply admin password at new installation. See SSP-3537 o Rebrand the product name to IBM® Secure Proxy MFT-10355/ (Engine) - Getting myFileGateway "Session expired" popup. MFT-10451/IT30080 (CM) - CM GUI presents factory cert instead of common SSP-3536/ (CM,Engine) - Log authentication failures for command line utilities in audit log SSP-3537/ (CM) - Require admin password to be set during new CM installation SSP-3539/ (CM) - (RESTAPI) Require password when exporting and importing sensitive configuration objects SSP-3599, SSP-3603/ (Engine) - Support for Web Session for HTTP SSO sessions SSP-3667/ (CM) - Support for X-Forwarded* HTTP headers SSP-3763/ (Engine/CM) - Restrict permissions of the Unix bootstrap file ------------------------------------------------------------------------------- Summary of Fixes for SSP6000 iFix 03 Build 203 Aug 2019 ------------------------------------------------------------------------------- SSP-3788/ (Engine) - Installation JPEG picture contains wrong product name ------------------------------------------------------------------------------- Summary of Fixes for SSP6000 iFix 02 Plus Build 198 July 2019 ------------------------------------------------------------------------------- MFT-10422/IT29819 (Engine) - (HSM) FTPS data channel hangs during SSL handshake with HSM enabled MFT-10444/IT29840 (CM) - RESTAPI script fails if the admin user is defined to use external authentication MFT-10470/IT29827 (Engine) - HTTP 500 message for /Signon/login.html after upgrade to SSP6000 iFix 2+ B189. SSP-3771/ - Add direction arrows ===> for readability in FTP logs ------------------------------------------------------------------------------- Summary of Fixes for SSP6000 iFix 02 Plus Build 189 July 2019 ------------------------------------------------------------------------------- MFT-10207/IT29589 (Engine) - (HTTP) Getting myFileGateway "Session expired" popup using passthrough authentication ------------------------------------------------------------------------------- Summary of Fixes for SSP6000 iFix 02 Build 181 June 2019 ------------------------------------------------------------------------------- MFT-10242/PSIRT15330 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches. ------------------------------------------------------------------------------- Summary of Fixes for SSP6000 iFix 01 Plus Build 177 June 2019 ------------------------------------------------------------------------------- MFT-9915/IT29131 (Engine) - Memory leak in logging area causes OutOfMemory MFT-10325/IT29109 (CM) - RESTAPI Issues with importing keyDefEntries. MFT-10341/IT29130 (Engine) - (HTTP) Directory traversal issue MFT-10368/IT29310 (Engine) - SSP Nodes getting into deadlock state MFT-10374/IT29318 (CM) - (RESTAPI) Unable to import keyDefEntries MFT-10382/IT29278 (PS) - More Secure PS (MSPS) scripts on Windows have wrong service name SSP-3542/ (Engine) - Only allow selected whitelisted pages under /Signon to be rendered by engine SSP-3561/ (Engine) - HSM IBMPKCS11 sample config files SSP-3597/ (Engine,CM,PS) - InstallAnywhere 2018 upgrade SSP-3698/ (Engine) - Adapter and netmap logs going to secureproxy.log instead, missing log files ------------------------------------------------------------------------------- Summary of Fixes for SSP6000 iFix 01 Plus Build 148 May 2019 ------------------------------------------------------------------------------- MFT-9906/IT28592 (Engine) - (HSM,CD) Intermittent timeout during SSL handshake MFT-9976/IT28591 (Engine) - (HSM,CD) Unable to open HSM keystore during SSL Handshake MFT-10129/IT27075 (Engine) - (HTTP) Failures in HTTP adapters after upgrade to SSP 3.4.3.2 iFix 3 MFT-10206/IT28929 (CM) - Problem with SSPcm certificate renewal process MFT-10218/IT28554 (Engine) - SSP sending FTP STOR command multiple times, leading to '451 - session in inconsistent state' MFT-10219/IT28683 (Engine) - (SFTP) All SFTP clients timing out connecting to back end SFTP adapters MFT-10241/IT28986 (CM) - SSPRestAPI fails with SNI handshake from client MFT-10250/IT29018 (Engine) - OutOfMemory during SFTP transfer after upgrade MFT-10257/IT28968 (Engine, CM) - Sporadic loss of data during bulk transfer of multiple files via Filezilla FTP client SSP-3023/RTC569596 (CM,Engine) - (SFTP) Upgrade Maverick to 1.7.20 for additional ciphers SSP-3132/ (CM,Engine) - Make TLSv1.2 the default protocol for secure connections SSP-3525/ (CM) - SSO Configuration allowing invalid characters SSP-3531/ (CM) - Correct legacy "TLS_ONLY" value to correct JSSE equivalent SSP-3592/ (Engine) - Prompt for HSM password in configureHsmPassword utility SSP-3660/ (Engine) - Add limit to number of data buffers being cached in FTP ------------------------------------------------------------------------------- Summary of Fixes for SSP6000 iFix 01 Build 115 Mar 2019 ------------------------------------------------------------------------------- MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending with * SSP-2968/No APAR (CM) - Allow HTTP response header overrides SSP-3109/SSP-3578 (CM) - Better help in change password screen SSP-3444/No APAR (CM) - Internal AppScan - CSRF - Login SSPNonce SSP-3446/No APAR (CM) - (GUI) Adapters listed out of order in monitor SSP-3451/No APAR (CM) - (GUI) Ensure HTTP Header values only have ASCII characters SSP-3458/No APAR (CM) - Internal AppScan - HTTP cookies SSP-3511/No APAR (CM, Engine) - (PeSIT) Netmap not accepting wildcard entries SSP-3515/No APAR (Engine) - Improving messages for PeSIT user blacklisting SSP-3525/No APAR (CM) - SAML 2.0 related field validations SSP-3579/No APAR (CM) - SFTP netmap peer address pattern with multiple "?" wildcards fails with PatternSyntaxException SSP-3584/SSP-3597 (CM,Engine,PS,SEAS) - Support for Windows 2016 SSP-3606/No APAR (CM) - (REST API) Unable to import XML with httpSecurityHeaders =============================================================================== III. Detailed Description of Fixes (in Defect ascending order) Fixes are marked as Engine, CM (Configuration Manager), and PS (Perimeter) =============================================================================== PSIRT12959, (Engine,CM,PS) - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for PSIRT13809 security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle October 2018 level to satisfy the CVEs in PSIRT advisories 12959 and 13809. See http://www.ibm.com/support/docview.wss?uid=ibm10872758 for the Security Bulletin. ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced a change to disable SHA1 certificates via the jdk.certpath.disabledAlgorithms parameter in the /jre/lib/security/java.security file. For more information, read the comments in the java.security file which relate to the added parm: jdk.certpath.disabledAlgorithms= * * *, SHA1 jdkCA & usage TLSServer, MFT-9906/IT28592 (Engine) - (HSM,CD) Intermittent timeout during SSL handshake When using an HSM device to store SSL private keys, the SSL handshake sometimes timed out because it took longer than 5 minutes to pull the key from the keystore. The PNode disconnected due to timeout. Symptom: CSP900E Logged Exception : java.net.SocketException: Underlying socket is not connected Resolution: Eliminated 2 redundant loads of the HSM keystore which were causing a delay. Also added some extra debug to help track the flow leading up to the handshake. MFT-9915/IT29131 (Engine) - Memory leak in logging area causes OutOfMemory A slow memory leak in the log4j2 logging subsystem led to an OutOfMemory (OOM) exception crash of the SSP engine after several weeks. Analysis of the heap dumps showed the following: The class "org.apache.logging.log4j.core.appender.AbstractManager" occupies 1,904,050,896 (89.23%) bytes. The memory is accumulated in one instance of "java.util.HashMap$Node[]". For each new session in which logging was enabled, the logging system was adding a new appender to write to the log file, even though in most cases, one already existed for that file. Resolution: Corrected the logic which decided whether a new logging appender was required so that duplicate entries would not longer accumulate and cause an OOM exception. MFT-9976/IT28591 (Engine) - (HSM,CD) Unable to open HSM keystore during SSL Handshake Customer running a Gemalto (Luna) HSM device was unable to open the device during an SSL handshake for a CD process. The HSM keystore passphrase supplied with the confgureHsmPassphrase.sh was not working. Symptom: CSP900E Logged Exception : java.io.IOException - Vendor defined error (0x80000067) Resolution: Now correctly provide the HSM passphrase to the Luna device at SSP initialization time so it can be initialized. Also added better stack traces to help show if the problem is in IBMPKCS11, JSSE, or HSM code. MFT-10020/IT27450 (CM) - Peer Address Pattern now allows starting or ending with * On the Netmap Inbound Node Definition screens for CD, FTP, HTTP, and SFTP, the ability to have peer address patterns which started or ended with *, ex: *.company.com or www.company.* was broken. Also known internally for SSP6000 branch as SSP-3562. SSP-3357 provided REST API support to match the GUI changes. Resolution: Corrected the parser which was keeping these patterns from working. MFT-10129/IT27075 (Engine) - (HTTP) Failures in HTTP adapters after upgrade to SSP 3.4.3.2 iFix 3 After Customer applied SSP3432 iFix 3, certain HTTP transactions were failing with: SSP175E Invalid HTTP Request method. Client possibly attempting SSL/TLS connection. SSP0231E Invalid data from client (Exception unmarshalling) - com.sterlingcommerce.csp.jetty.io.ValidationFailedException, null Resolution: Now wait till a full request line is received before calling validateMethod() MFT-10206/IT28929 (CM) - Problem with SSPcm certificate renewal process When using the CM GUI to update a keycert which is also used for connecting to SEAS, the copy of the certificate in the /conf/system/cmkeystore is not updated. If CM users are authenticated by SEAS, the connections to SEAS fail with an expired certificate. During connections to SEAS from the CM, the truststore and keystore entries needed for the connection were being copied from the configuration to the cmtruststore and cmkeystore, respectively to assist in the connection. But if an entry already existed, it was not updated. Resolution: Updated the CM code which connects to SEAS to build the the temporary keystore and truststore in memory rather than updating the files in /conf/system. MFT-10207/IT29589 (Engine) - (HTTP) Getting myFileGateway "Session expired" popup using passthrough authentication Since the Jetty upgrade in 3.4.3.2 iFix 2 Plus Build 263, Customers were getting several strange behaviors connecting to myFileGateway via HTTP doing passthrough. Customers who had the front end (inbound) connection secured and the back end (outbound) session non-secure were getting a "Session expired due to inactivity" popup immediately from myFileGateway. Other Customers found that even if both sides of the session were secured, when they logged off and back on, they got the "Session expired" message. Resolution: Corrected the code to send all cookies back and forth between the two sessions and to correctly send cookies based on the Security attribute. MFT-10218/IT28554 (Engine) - SSP sending FTP STOR command multiple times, leading to '451 - session in inconsistent state' A client attempted to send a large number of files during a single FTP session through SSP to a B2Bi backend. The first few transfers succeeded, but then SSP happened to send the STOR command to the server twice in a row causing the backend to respond with 451 Requested action aborted: session in inconsistent state. All subsequent uploads in the session then failed with the same error. Corrected this timing issue by always clearing the cached command queue before returning to the 'CommandHandler' state. MFT-10219/IT28683 (Engine) - (SFTP) All SFTP clients timing out connecting to back end SFTP adapters SFTP adapters were stalling when making connections to the backend SFTP server because a getLocalHost operation was hanging. Resolution: Updated the SFTP backend session setup logic to no longer do the getLocalHost operation to find the local NIC for the connection to the back end. This is already handled by the SSP local Perimeter Server code. Workaround: Supply the SFTP Adapter property sftp.listenAddress = nnn.nn.nnn.nn to supply the local NIC address. MFT-10241/IT28986 (CM) - SSPRestAPI fails with SNI handshake from client The Customer replaced their factory certificate with a self-signed keycert using a wildcard in the common name: CN=*.si.com. When submitting the sspRestAPI.sh script, the TLS ClientHello message included a server_name extension, which caused the connection to fail with /sspcmrest/sspcm/rest/session org.eclipse.jetty.http.BadMessageException: 400: Host does not match SNI The REST API client was not inserting HTTP header host name during connection to the SSP CM, and the Jetty on the CM server side was set to enforce SNI checking if the client indicated it. Resolution: Corrected the client side of the RESTAPI to allow the HTTP header host name to be set in the sspRestAPI.properties so that it matches the CN of Client's public key CN. Also changed the behavior of the CM to disable the SNI checking if the k=-Dssp.cm.jetty.sni.enable=false is set in the startCM.sh script. MFT-10250/IT29018 (Engine) - OutOfMemory during SFTP transfer after upgrade Customer applied SSP3432 iFix 4 Plus Build 291 and encountered OutOfMemory (OOM) crash when transferring files with SFTP. The build included a new Maverick toolkit which changed the way it managed buffers during transfers. The heap dump contained tens of thousands of com/maverick/ssh/Packet objects. Resolution: Updated the API calls to use the new CreatePacket method in the Maverick toolkit, which is the preferred method of managing the memory. MFT-10257/IT28968 (Engine, CM) - Sporadic loss of data during bulk transfer of multiple files via Filezilla FTP client Customer attempting to upload 500 files with Filezilla was getting many files missing and missing data in the files which were transferred. The utility was sending data before SSP had signalled it was ready to receive. Resolution: Now maintain a temporary buffer to hold the data sent from the FTP client before SSP is ready to receive it. See also SSP-3660. SSP-2968/No APAR (CM) - Allow HTTP response header overrides Resolution: Allow the user to be able to override the default values for these response headers: X-Frame-Options, X-XSS-Protection, Content Security Policy, X-Content-Type-Options and Strict-Transport-Security SSP-3023/RTC569596 (CM,Engine) - (SFTP) Upgrade Maverick to 1.7.20 for additional ciphers The Maverick 1.6.x toolkit goes out of support at the end of 2019. Also, there have been requests for additional ciphers which are provided in the 1.7.20 toolkit. Resolution: Now utilize the Maverick J2SSH client and SSHD server toolkits, which also supply the following new ciphers New ciphers: aes128-gcm@openssh.com, aes256-gcm@openssh.com New macs: hmac-ripemd160, hmac-ripemd160-etm@openssh.com hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com New groups: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org SSP-3109/SSP-3578 (CM) - Better help in change password screen When the password policy is used for CM users, there should be better messages in the change password screen. Resolution: Added popup assistance messages such as, "Your password is required to contain at least one of the following characters `#@$%^&* " And, "Confirm password must match New Password". SSP-3444/No APAR (CM) - Internal AppScan - CSRF - Login SSPNonce An internal APPScan revealed that CM GUI sessions were using an insufficient authentication method. Resolution: Now validate the value of the "Referer" header and use a one-time nonce for each submitted form. SSP-3446/No APAR (CM) - (GUI) Adapters listed out of order in monitor tab In the CM monitor tab, the Engine status lines were in alphanumeric order but the adapter lines were not. Resolution: Corrected the monitor screen to display the adapters in alphanumeric order. SSP-3451/No APAR (CM) - (GUI) Ensure HTTP Header values only have ASCII characters Http headers need to be validated to make sure that values are in ascii format. Resolution: Now validate the HTTP headers for ASCII data. SSP-3458/No APAR (CM) - Internal AppScan - HTTP cookies An internal APPScan recommended some updates for HTTP cookies used to access the GUI. Resolution: Now set the domain and path for HTTP cookies containing session identifiers to an appropriately restricted value for the site. SSP-3511/No APAR (CM, Engine) - (PeSIT) Netmap not accepting wildcard entries The PeSIT protocol netmap for inbound entries was not allowing wildcard patterns, such as "CX1*" or "CX2*", only a full wildcard "*" or full names. Resolution: Now allow the PeSIT netmap to accept peer address patterns. SSP-3515/No APAR (Engine) - Improving messages for PeSIT user blacklisting When using the new blacklisting feature introduced in SSP 6.0, the IP address blacklisting works for PeSIT and indicates that the session was rejected because the address was blacklisted. But while the user blacklisting locked the PeSIT user, the log did not say it was because of blacklisting. Resolution: Now put out SSP0511E message for locked userid which indicates the PeSIT account was locked due to blacklisting. SSP-3525/No APAR (CM) - SAML 2.0 related field validations In the Advanced / SSO Configuration screen, the new SAML 2.0 fields introduced in SSP 6.0 were not being validated fully. Resolution: Now do URL validation for - Service Provider ID, External Portal Login URL, and the External Portal Logout URL. Also for Fully Qualified Host Names, added a similar validation for the Primary Destination Address field, which means the FQDN for SSO will not accept any kind of IP pattern or peer address pattern. ** SSP-3579/No APAR (CM) - SFTP netmap peer address pattern with multiple "?" wildcards fails with PatternSyntaxException SFTP netmap peer address pattern that contained two or more "?" characters was throwing exception *--*java.util.regex.PatternSyntaxException: Dangling meta character. Resolution: Now allow multiple ? characters in the SFTP netmap peer address pattern. SSP-3584/SSP-3597 (CM,Engine,PS,SEAS) - Support for Windows 2016 Resolution: Add support for Windows 2016 - Upgraded all installers to use InstallAnywhere 2018 SP1. SSP-3606/No APAR (CM) - (REST API) Unable to import XML with httpSecurityHeaders The new HTTP Security Header overrides introduced in SSP-2968 were not being handled correctly by the RESTAPI import tool. Resolution: Modified the SSP 6.0 sysglobals.xsd to accept the httpSecurityHeader & cookie domain fields. SSP-3660/ (Engine) - Add limit to number of data buffers being cached in FTP This is an extension of MFT-10257. Resolution: Added new FTP adapter property ftp.max.data.buffers.cache=50 to limit number of data buffers being cached in FTP to avoid an out of memory issue. The value must be an integer > zero and <= 999. MFT-10325/IT29109 (CM) - RESTAPI Issues with importing keyDefEntries. Customer attempting to use the REST API to import a key certificate, but getting, "Create key operation failed. - Error parsing request: expected root xml element to be elements but received keyStoreDef". Workaround: Set N=-DvalidateThruXSD=false in the bin/startCM.sh. Resolution: Updated the XSD syntax definition file to allow user to provide input xml with tag as the root. Also made changes to the createKeyDef, modifyKeyDefEntries and deleteKeyDefEntries apis to make them work correctly with the CLI. Now also removed the ability to add or delete certificates in the internal CM->System->Certificate Stores, since they do not allow updates from the GUI either. MFT-10341/IT29130 (Engine) - (HTTP) Directory traversal issue Customer noticed that URLs including ..//..//, which is a common directory traversal hack, were being passed back to SI/SFG to be handled. Resolution: Added code to strip the intervening dots and slashes using canonical methods, further protecting the backend server. MFT-10357/PSIRT16274,16318 (Engine,CM) - Security upgrade to Jetty 9.4.20 Resolution: Update the Jetty server to satisfy the CVEs in PSIRT advisories 16274 and 16318. See http://www.ibm.com/support/docview.wss?uid=ibm11095826 for the Security Bulletin. MFT-10368/IT29310 (Engine) - SSP Nodes getting into deadlock state After applying SSP3432 iFix 4 Plus Build 295, the Customer found that several nodes were hanging, caused by threads in a deadlocked state. Resolution: Corrected a locking mechanism introduced by defect MFT-10257 which caused threads to be deadlocked. MFT-10374/IT29318 (CM) - (RESTAPI) Unable to import keyDefEntries Customer exported their CM configuration using the RESTAPI but could not import it back in. They were getting "cvc-complex-type.2.4.a: Invalid content was found starting with element 'keyauthReqdBeforePwdauth'" Resolution: Updated the xsd definition file to allow the keyauthReqdBeforePwdauth keyword on import. MFT-10382/IT29278 (PS) - More Secure PS (MSPS) scripts on Windows have wrong service name When installing a Perimeter Server on Windows as a More Secure PS, the startPSservice.cmd and stopPSservice.cmd scripts are generated without the engine hostname in the service name, so that they will not actually start or stop the service. Resolution: Updated the InstallAnywhere step for a More Secure Perimeter Server to add the Engine host to the Windows Service name: SSP_PerimeterServer_%EnginePort%_$EngineHost$ SSP-3132/ (CM,Engine) - Make TLSv1.2 the default protocol for secure connections SSP formerly installed with TLSv1 as the default TLS protocol. Resolution: For new installs, make TLSv1.2 the default protocol everywhere a TLS secure connection is made. SSP-3525/ (CM) - SSO Configuration allowing invalid characters The CM->Advanced->SSO Configuration was allowing special characters other than "-", "_", "." and ":" in the "Fully Qualified Hostname" field. Resolution: Now ensure that the hosthame value only uses standard characters. SSP-3531/ (CM) - Correct legacy "TLS_ONLY" value to correct JSSE equivalent An older configuration may contain the "TLS_ONLY" protocol value, which resulted in "java.security.NoSuchAlgorithmException: TLS_ONLY SSLContext not available" Resolution: Now automatically convert TSL_ONLY to the correct JSSE equivalent. SSP-3542/ (Engine) - Only allow selected whitelisted pages under /Signon to be rendered by engine Clients accessing the SSP HTTP proxy adapter login portal send requests with a URL path starting with /Signon/. Currently SSP will render any html pages and resources under the login dir configured (/Signon/). Resolution: Updated the Http Proxy in SSP to white list the html pages and other resources being rendered to the client. A new property file is created at /bin/portal/pages.properties. Secure proxy will render only the files listed in this properties file. If a page request is made to a file not in the properties file, the following error is returned: Engine_host is currently unable to handle this request. ACTION: If you have added additional files or directories as part of customizing the Login portal (/Signon directory), you must add whitelist entries for them similar to the existing entries in the new /bin/portal/pages.properties file. SSP-3561/ (Engine) - HSM IBMPKCS11 sample config files SSP was shipping the Luna 5.0 configuration file for Customers who use HSM boxes, even though that version is no longer supported. Resolution: Now ship the Lunx 6.0 configuration file in the /conf directory and include all the supported IBMPKCS11 sample config files in a new file called /conf/PKCS11ConfigFiles.zip. SSP-3592/ (Engine) - Prompt for HSM password in configureHsmPassword utility The configureHsmPassword utility only allowed specifying the HSM password on the command line which exposes the password in the system log. Resolution: The configureHsmPassword utility now prompts for the HSM password and does not echo the typing. SSP-3597/ (Engine,CM,PS) - InstallAnywhere 2018 upgrade Resolution: Upgraded to InstallAnywhere 2018, which provides support for Windows 2016 Server. SSP-3698/ (Engine) - Adapter and netmap logs going to secureproxy.log instead, missing log files The fix for MFT-9915 caused the adapter and netmap logs to no longer be created, with all logging going to the secureproxy.log. Resolution: Corrected the fix to not create a new appender for a new session if the appender and logger already existed, but to use the existing proven method when starting to log to a new file. MFT-10242/PSIRT15330 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2019 level to satisfy the CVEs in PSIRT advisory 15330. See http://www.ibm.com/support/docview.wss?uid=ibm10885937 for the Security Bulletin. ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) introduced a change to disable anon and null cipher suites via the jdk.tls.disabledAlgorithms parameter in the /jre/lib/security/java.security file. If your site uses these suites for testing, update your java.security file to remove the last 2 parms: jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL ACTION - The java.security file includes a new parm for distrusting CAs: jdk.security.caDistrustPolicies=SYMANTEC_TLS For more information, see the writeup in the java.security file. MFT-10355/ (Engine) - Getting myFileGateway "Session expired" popup. MFG was showing "Session expired popup" when logging in via SSP using passthrough. SSP was only sending one Set-Cookie to the client, even if there were multiple Set-Cookies from the backend. Also, the Secure attribute in Set-Cookie was not getting set according to the security setting of the inbound connection. Resolution: Now do Set-Cookies properly to prevent session expire popUps to be shown. MFT-10402/IT30050 (Engine) - *HIPER* (SFTP) OutOfMemory (out of threads) when SEAS goes down with no failover coded Customer defined an SFTP adapter which uses SEAS External Authentication but did not have failover properties coded. When the SEAS became unreachable for several hours, new connections and load balancer pings continued to be directed to the SEAS for authentication until the JRE used up all available threads based on the numprocs alotted to the user. The adapter's max session value was ignored when in this state. Resolution: Firmed up the code in the following ways: 1) When at the adapter max session count, shut down any new session without calling SEAS. 2) If a new session comes in and EA is detected down, shut down the session and report a system failure to the caller. 3) If EA authentication fails for any reason, since we do not have a token, bypass calling SEAS to invalidate the token during session shutdown. Workaround/Best practice: Define failover properties in each SFTP adapter that uses SEAS to ensure that when SEAS or SI is detected to be down, the adapter will turn off its listener to stop incoming traffic until SEAS and SI are detected to be up again: failover.detection.enabled true failover.detection.mode continuous failover.poll.interval 15 (seconds) MFT-10422/IT29819 (Engine) - (HSM) FTPS data channel hangs during SSL handshake with HSM enabled The HSM keystore was taking a long time to load during the ssl handshake which resulted in session timeouts. Resolution: Now load the HSM keystore during engine startup time and keep it in memory to speed up subsequent handshakes. Also, reload the HSM keystore periodically based on the value of the RELOAD_HSM_KEYSTORE_TIME parm in the /bin/security.property file, default 15 (minutes). MFT-10444/IT29840 (CM) - RESTAPI script fails if the admin user is defined to use external authentication The RESTAPI was doing local authentication in addition to external auth when the admin user running the RESTAP was defined as using EA. Resolution: Now properly authenticate users defined as external auth when running the RESTAPI. MFT-10451/IT30080 (CM) - CM GUI presents factory cert instead of common The Customer attempted to replace their SSP factory certificate with a new common certificate with the ./configureCmSsl.sh -u commonCert= command. The CM and Web certs showed to be using the new alias. However, when connecting to the CM GUI, the SSL certificate displayed was the SSP factory certificate. Resolution: Now ensure that at the low level keystore operation, the designated keycert alias is honored when the key is requested. Workaround: After the new commonCert has been added, delete the "factory" alias using the ./configureCmSsl.sh -d alias=factory MFT-10470/IT29827 (Engine) - HTTP 500 message for /Signon/login.html after upgrade to SSP6000 iFix 2+ B189. The new blacklist/whitelist feature in SSP6000 was interfering with the portal pages (/Signon, etc) on a UNIX/Linux sytem. The whitelist page list in /bin/portal/pages.properties used backward slashes for all the page names, which was only compatible with Windows systems. Resolution: Changed all the white listed page names to use forward slashes as the path separator. And now in the code, convert the path to forward slash to compare no matter if it is UNIX or Windows. MFT-10483/IT30076 (CM) - RESTAPI activity leads to OutOfMemory (OOM) full of AuthenticationResource, JMS objects The Customer is making heavy use of the REST API to update their configuration. After many sessions, the CM gets an OOM exception because the memory is full of AuthenticationResource objects. Also, at one point the Customer had JMS logging configured in the CM system tab without a JMS queue activated to receive the data which filled the memory with a JmsPublisherProxy object. Resolution: Now ensure that the AuthenticationResource session object is cleaned up at the end of each RESTAPI session. Also, maintain a limit of JMS queue objects so that we don't overflow the memory when the JMS queue is not active. MFT-10485/IT30344 (Engine) - (SFTP) OutOfMemoryError "Java heap space" crash The SFTP adapter was adding to a backendRegistrarMap object each time a session opened a corresponding session to the back end SI server. However, in some cases, the placeholder in the map was not getting cleaned out at logoff time. The heap dump showed that 91% of the memory was consumed by one class "com.sterlingcommerce.cspssh.daemon.SftpAccessManager", and one object java.util.HashMap$Node[]. Resolution: Now ensure that the session entry is cleaned out at logoff time from the backendRegistrarMap. SSP-3530/ (CM) - REST API issues when importing from older CM Internal testing found several issues when importing a configuration with the REST API which was exported from an older version of SSP. The got syntax errors with the 'createdBy' and 'formatVer' elements, the import rejected expired certificates and cipher suites which had been deprecated, and the factory certificate was not replaced. Resolution: Updated the RESTAPI import logic to recognize and include artifacts from older versions to make upgrades between versions more seamless. SSP-3771/ - Add direction arrows ===> for readability in FTP logs Resolution: Added some directional arrows in the logging for FTP control channel traffic to make it easier to follow the flow of data between the client and SSP and between SSP and the back end server. Examples: ===> RECV fr Client: SEND to Server ===>: RECV fr Server <===: <=== SEND to Client: SSP-3788/ (Engine) - Installation JPEG picture contains wrong product name Resolution: Updated the JPEG file to contain the correct product name. SSP-3810/ (CM) - REST API xsd failure for ssoConfig and sysGlobals XSD validation failures for ssoConfig and SysGlobals were preventing update and import operations. Resolution: Updated the xsd files to include all the correct elements. SSP-3833/ (CM) - RESTAPI failure on userstore entry without password policy. REST API import of SSP CM user was failing with invalid passwordPolicy when the user had no password policy assigned. Resolution: Now allow CM users having no password policy to be imported. MFT-10541/IT30346 (CM) - (RESTAPI) userStore API update throwing exception on CLI. After a userStore update operation using the RESTAPI Command Line Interface if the xml contained "" the operation reports success but then gets a message: org.xml.sax.SAXParseException: The processing instruction target matching "[xX][mM][lL]" is not allowed. Resolution: Now remove the offending xml so the parse exception does not occur. MFT-10559/IT30200 (CM) - Jetty Http server uses incorrect certificate alias Customer added a new keycert with a new alias to replace their expired keycert. However, when they attempted to logon to GUI, they were presented with the expired certficate. Resolution. Updated the HTTP server side code to ensure that we honor the keycert alias listed in the configureCmSsl.sh -s utility. MFT-10564/IT30532 (Engine) - Blacklist not displaying messages for SFTP protocol When an SFTP user was found on the blacklist, the session was terminated, but the reason was not logged. Resolution: Now put out a new log message so show that the blacklisted user session has been terminated: SSE2900 : UserId test3 is Blacklisted.Terminating session. /10.20.30.40:1234 MFT-10578/PSIRT17288 (Engine,CM,PS) - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2019 level to satisfy the CVEs in PSIRT advisory 17288. See http://www.ibm.com/support/docview.wss?uid=ibm11089580 for the Security Bulletin. MFT-10608/IT30643 (Engine) - (SFTP) Added client ciphers as well as negotiated ciphers in logging. After installing SSP3432 iFix 5, Customer lost visibility in the logs of the SFTP clients available ciphers and hmacs. The Customer needed this debug info for a project to ensure their clients would be able to run with stronger ciphers. Resolution: Added DEBUG message SSE2656, "Key Exchange Init Details :", which contains the remote's IP and port, along with the key exchanges, ciphers, macs, etc that the client is capable of. Another DEBUG message, SSE2640 "Negotiated Ciphers Details :" shows the ones chosen for the session. Message SSE2729 provides the negotiated values at INFO level. SSP-3536/ (CM,Engine) - Log authentication failures for command line utilities in audit log This defect is the result of internal proactive Threat Model testing. Resolution: Now log authentication failures for the following command line utilities (*.bat or *.sh): CM: changePassphrase, configureAccepter, configureCmSsl listCmCerts, manageCSRs, manageKeyCerts, startCM, stopCM.bat Engine: changePassphrase, configureAccepter, configureEngineSsl, configureHsmPassword, listCerts, startEngine, stopEngine SSP-3537/ (CM) - Require admin password to be set during new CM installation This defect is the result of internal proactive Threat Model testing. Resolution: On new installs (not upgrades) of the SSP Configuration Manager, request and confirm a valid password for the admin id. This is to keep all installations of SSP from having the same default admin password. SSP-3539/ (CM) - (RESTAPI) Require password when exporting and importing sensitive configuration objects This defect is the result of internal proactive Threat Model testing. Resolution/ACTION: Now require a new X-Passphrase keyword for exporting or importing sensitive configuration objects: sspCMConfigs, Netmaps, Keystores, sysSslInfo, globals. The exported configuration data will be encrypted with the supplied passphrase and cannot be imported without supplying the same. SSP-3599, SSP-3603/ (Engine) - Support for Web Session for HTTP SSO sessions The HTTP adapter creates a TCP session id for every connection from a client/browser. But SSO sessions may involve multiple connections tied with an authenticated web sessionid. This becomes more crucial when adding more features related to support for SAML external IdP. Resolution: This new feature is only applicable when 'Application Authentication' is selected for the HTTP policy and SSO is selected for the HTTP Proxy Adapter. Now create a unique web session id after authentication and supply it via a websessionid cookie. At logout or timeout, invalidate the web session id and clear the websessionid cookie. SSP-3667/ (CM) - Support for X-Forwarded* HTTP headers Currently SSP HTTP proxy adapter modifies the host header received from the client to match the host specified in the outbound node before sending it back to the backend HTTP Server. Resolution: Add the capability to forward the IP details of the incoming HTTP connection to Sterling Integrator. This defect is in response to Customer enhancement requests SSP-I-77 and SSP-I-80. If the HTTP Proxy adapter property "passthru.client.host.header" is specified and set to true, the host header from the client/browser will be passed as is to the backend Server. Otherwise keep the current behavior. SSP-3763/ (Engine/CM) - Restrict permissions of the Unix bootstrap file Resolution: During a new install, set the permissions for the password bootstrap file to 600 (owner RW only). MFT-10616/IT30591 (CM) - REST API fails with "The processing instruction target matching "[xX][mM][lL]" is not allowed" After upgrading the SSPCM to 3.4.3.2 iFix 5, the RESTAPI call for SSH key modification fails with "The processing instruction target matching "[xX][mM][lL]" is not allowed. line # 1 column # 40". The input xml contained '' at the beginning, but that was not a problem in previous builds. Resolution: Now remove xml headers which during validation are being inserted after the root tag. MFT-10656/IT30692 (CM) - SSPCM “Enable SSP CM startup backup” field in CM System settings has no effect Attempted to configure CM to not backup at startup by unchecking “Enable SSP CM startup backup” (From SSP Dashboard, System -> System Settings -> CM System Settings -> Globals). After saving the page and coming back, the field is checked again. Resolution: Now handle the negative case when the CM Backup checkbox is not selected. MFT-10692/IT30823 (CM) - (FTP) EPSV command giving wrong response The original MFT-9148 fix to support FTP's Extended PASV (EPSV) and Extended PORT (EPRT) RFC returned responses should be based on whether SSP detected IPv6 addresses. If SSP is on a machine in IPv6 mode, the response for the EPSV command was the PASV response. Now return the response to the PASV or EPSV command based on the command entered rather than on whether we detect that IPv6 addressing is in play. For PASV, the response continues to be, 227 Entering Passive Mode (127,0,0,1,153,178). For EPSV, the response is 229 Entering Extended Passive Mode (|||58792|). MFT-10704/IT31049 (Engine) - Engine audit logs contain hashed passwords The SSP engineAuditEvent entry for a configuration push contained Base64 hashed password values for the admin id and some keycerts. Resolution: Now replace the hashed password values in the audit logs with asterisks (****). MFT-10749/IT31534 (CM) - NPE during RESTAPI session cleanup. RESTAPI sessions are maintained in a map and get cleaned up after a set amount of inactivity by the RestAPI_SessionCleanup thread. If any problem happens during cleanup, the map entry is not cleared and the thread attempts to logoff the same session every minute, getting a NullPointerException (NPE) on each attempt. Resolution: Now ensure each portion of the RESTAPI session cleanup gets a chance to run so the map is cleared. MFT-10762/IT31135 (Engine) - (CD) SSP incorrectly logs stepname of run task and run job C:D process steps SSP was logging a hardcoded stepname "SameStep" during a Connect:Direct run task or run job process step. Resolution: Now log the actual stepname in the RUN JOB, RUN TASK and SUBMIT processes. MFT-10737/IT31341 (Engine) - Unable to login to the CM after upgrade After upgrading SSP Linux to 6.0.0.1 the Customer would login to CM but immediately get “Unauthorized Access Attempted" messages. The Customer's load-balancing setup was generating different IP addresses for each connection to the SSP CM Dashboard and the Content Manager. Resolution: Turned off checking for matching IP addresses between the SSPCM Dashboard and Content Manager webapp sessions. MFT-10774/IT31439 (Engine) - (CD) CSP032E 4 KQV keyword "RLS2" found in FM70, but not defined in XML schema definition SSP uses xsd files to validate the CD FMH's going through. As the various CD groups develop new features, we periodically must add new keywords (KQV) they may have created. Resolution: Add support for the following KQV values FMH70: RLS2 FMH71: DEXP,DEXR,DSFF,DSFS,DMXF,SDVF,SMXG,SDVE,DDVF,DDSY,DMXG,DDVE FMH7402: ZECR,ZIFR,ZIFS,NODA,SDTP,DDTP,SDVE,DDVE,SISM,DISM,SMXG,DMXG MFT-10832/IT31500 (Engine) - (HTTP) Duplicate Host Header attribute The SSP HTTP adapter was adding duplicate "HOST: serverIp:serverPort" to the requests going to the backend. Resolution: Added logic to make sure that duplicate HOST headers were not sent to the backend. Internally fixed as SSP-3820. SEAS-1083/ (Engine) - (HTTP) Password change on SSO portal clears all policies on password policy display tab When a user changed their password through the SSO portal, an unexpected method was being called to clear the cookies. Resolution: Removed the inadvertant method from being called to clear the cookies. SSP-3540 (Engine) - Do not log sessionids or sso tokens used for authentication Internal scans flagged that no sessionids or sso tokens used for authentication should be logged. Resolution: Now map the sessionid and sso tokens to an internal value and log that value. SSP-3543 (CM, Engine) - Generate keys at install time Internal ThreatModel scanning indicated that we should no longer install an SSP Factory Certificate to be used by all Customers. The factory certificate was used to secure communication between the CM and engine(s). Resolution: On new installs of the CM or Engine, generate a self-signed certificate or allow Customers to import their own keycert during the install process. If a self-signed cert is generated, it is also securely exported so that it can be imported into the other component(s). SSP-3612 (Engine,CM) - Make Security Headers active by default for the HTTP adapter Resolution: Now set the Strict-Transport-Security, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy and X-Frame-Options to be on by default while leaving the ability to change them or turn them off. SSP-3803 (Engine,CM) - Generate unique encryption key at install time Internal ThreatModel scanning indicated a change in the way we encrypt the system passphrase which is used to encrypt the configuration files. Resolution: On new installs of the CM or Engine, generate a unique hex key and store it in a file with read/write permissions for the userid of the installer only. This key is used to encrypt the passphrase the installer supplies which encrypts the configuration files. SSP-3834 (Engine,CM) - Support for ICAP Anti-Virus Scanning in SFTP Enhancement to support in-flight anti-virus scanning of small to medium size files being uploaded through the SFTP adapter. See online documentation for SSP6010 for more details. Requires McAfee Web Gateway ICAP server. Other internal stories SSP-3912, SSP-3913, SSP-4018, SSP-4061 SSP-3854 (Engine,CM) - New disableBootstrap command-line utility Follow on to SSP-3803, which only applied to new installs. Created a disableBootstrap utility, which in conjunction with the existing enableBootstrap utility will change the system generated hex key used in bootstrap support. SSP-4120 (CM) - Update Apache Commons BeanUtils to 1.9.4 Internal BlackDuck scan recommended upgrade of Apache Commons BeanUtils. Resolution: Upgraded Apache Commons BeanUtils jars from 1.9.3 to 1.9.4 MFT-10779 (CM) - RESTAPI import errors with backupDir and urlMapEntry Using the RESTAPI to import a configuration from a late SSP3432 or SSP6001 instance. Getting errors on the following in the cms.log and the import fails: cvc-complex-type.2.4.d: Invalid content was found starting with element 'urlMapEntry'. No child element is expected at this point. line # 3671 column # 14 Also getting the same error for the element "backupDir" Resolution: Added the recent keywords urlMapEntry and backupDir to the valid list in the xsd so that the RESTAPI will recognize them. SSP-4186 (Engine,CM) - System passphrase not getting validated during upgrade when bootstrap is disabled When bootstrapping is disabled, the upgrade must request the passphrase during the install in order to decrypt the configuration files. The passphrase was not getting validated when entered. Resolution: Now validate the system passphrase requested during an upgrade when bootstrapping is disabled. SSP-4200 (Engine,CM) - Installer needs to confirm key passwords During a new SSP install of the CM or Engine, when generating a self-signed keycert, we prompt for a password for the private key, and also for encrypting the key when exporting it to the other component. However, we do not confirm the password, so if a Customer mis-types it and it's not what they think it is, it's lost. Resolution: Now prompt and confirm the password for the private key generated during a new install and also the password for the exported copy of the key. SSP-4208 (Engine) - HSM command line clients cannot connect to engine After the upgrade to SSP6010, the HSM command line utilities manageKeyCerts and manageCsrs no longer connected to the SSP Engine/HSM because of changes made to support xml-based keystores. These clients were not updated with the correct logic for establishing a secure connection between CM and the Engine. Resolution: Updated the underlying logic to load configured xml-based keystores and truststores and dynamically convert them to java-based JKS keystores for the duration of the utility. SSP-4220 (Engine,CM) - Installation issues with Docker containers Resolved several issues found during beta testing of Docker containers - Removed root user password changing logic from Docker file - Added sudo package to allowing sudo command to non-root user - Added logic for passing user, pwd, uid and gid into ENV variables, to be the owner of host mounted path for host configuration data. Defaults: APP_USER=appuser, APP_USER_PWD=appuser, APP_USER_UID=3000, APP_USER_GID=3000 Note: Do NOT use User names root, spuser, cmuser, psuser or, seas or UID/GID: 0 and 1000 because these are already used inside the container. - Combined PROD and NON_PROD license variables into LICENSE_TYPE variable - Mapped silent installation log file with Volume host path to assist in checking the log without logging in - Please refer to the deployment YAML files bundled with the Fix Central tar file for the latest rather than the samples in the online doc. - Following are the parameters needed to start the various containers using Docker: ********** Deploying the new SSPCM Container: ********************* docker run -it -d \ -v /SPcm:/spinstall/IBM/SPcm \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1004 \ -e APP_USER_GID=1005 \ -e LICENSE_ACCEPTED=true \ -e PORT=62366 \ -e JETTY_PORT=8443 \ -e PASSPHRASE=password \ -e USER_PASSWORD=password \ -e KEY_CERT_EXPORT=true \ -e KEY_CERT_FILE_NAME=defkeyCert.txt \ -e KEY_CERT_ALIAS=keycert \ -e KEY_CERT_STORE_PASSPHRASE=password \ -e KEY_CERT_ENCRYPT_PASSPHRASE=password \ -p 8443:8443 \ --name SPcm \ sp-cm-docker-image:V6.0.1.0.iFix01 /bin/bash ************ Upgrade the SSPCM deployment ***************** docker run -it -d \ -v /SPcm:/spinstall/IBM/SPcm \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1004 \ -e APP_USER_GID=1005 \ -e LICENSE_ACCEPTED=true \ -p 8443:8443 \ --name SPcm \ sp-cm-docker-image:V6.0.1.0.iFix01 /bin/bash ************* Deploying the new SSP Engine Container *************** docker run -it -d \ -v /SP:/spinstall/IBM/SP \ -v /defkeyCert.txt:/spinstall/defkeyCert.txt \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1001 \ -e APP_USER_GID=1002 \ -e LICENSE_ACCEPTED=true \ -e LICENSE_TYPE=1 \ -e PORT=63366 \ -e PASSPHRASE=password \ -e KEY_CERT_EXPORT=false \ -e KEY_CERT_ALIAS=keycert \ -e KEY_CERT_FILE_NAME=defkeyCert.txt \ -e KEY_CERT_ENCRYPT_PASSPHRASE=password \ -p 63366:63366 \ -p 30820:30820 \ --name SPEngine \ sp-engine-docker-image:V6.0.1.0.iFix01 /bin/bash ************** Upgrade the SSP Engine deployment **************** docker run -it -d \ -v /SP:/spinstall/IBM/SP \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1001 \ -e APP_USER_GID=1002 \ -e LICENSE_ACCEPTED=true \ -e LICENSE_TYPE=1 \ -p 63366:63366 \ -p 30820:30820 \ --name SPEngine \ sp-engine-docker-image:V6.0.1.0.iFix01 /bin/bash ************ Deploying the new Less Secure PS Container ************** docker run -it -d \ -v /PSLessSecure:/spinstall/IBM/PServer \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1004 \ -e APP_USER_GID=1005 \ -e NETWORK_ZONE_SECURE=false \ -e PS_PORT=30810 \ -e PS_SECURE_IF=* \ -e PS_EXTERNAL_IF=* \ -p 30810:30810 \ -p 20010-20020:20010-20020 \ --name PSLessSecure \ sp-ps-docker-image:V6.0.1.0.iFix01 /bin/bash ************* Upgrade the Less Secure PS deployment ***************** docker run -it -d \ -v /home/durgesh/base/PSLessSecure:/spinstall/IBM/PServer \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1004 \ -e APP_USER_GID=1005 \ -e NETWORK_ZONE_SECURE=false \ -p 30810:30810 \ -p 20010-20020:20010-20020 \ --name PSLessSecure \ sp-ps-docker-image:V6.0.1.0.iFix01 /bin/bash ************ Deploying the new More Secure PS Container ************** docker run -it -d \ -v /home/durgesh/base/PSMoreSecure:/spinstall/IBM/PServer \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1004 \ -e APP_USER_GID=1005 \ -e NETWORK_ZONE_SECURE=true \ -e PS_PORT=0 \ -e PS_SECURE_IF=* \ -e PS_EXTERNAL_IF=* \ -e REMOTE_PORT=30820 \ -e REMOTE_ADDRESS=172.20.185.196 \ --name PSMoreSecure \ sp-ps-docker-image:V6.0.1.0.iFix01 /bin/bash ************* Upgrade the More Secure PS deployment ***************** docker run -it -d \ -v /home/durgesh/base/PSMoreSecure:/spinstall/IBM/PServer \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1004 \ -e APP_USER_GID=1005 \ -e NETWORK_ZONE_SECURE=true \ --name PSMoreSecure \ sp-ps-docker-image:V6.0.1.0.iFix01 /bin/bash MFT-10765/IT31672 (CM) - 6.0.0.1F1 with Client Auth not working with SAN certs, getting ERR_BAD_SSL_CLIENT_AUTH_CERT Customer has client authentication turned on for browser connectivity to the SSPCM dashboard, as well as client certificates configured with Subject Alternate Name. SSL handshakes from browsers were failing with "No subject alternative names matching IP address xx.xx.xx.xx found" in the CM log. Resolution: Allow the Customer to override the new behavior in the JRE by uncommenting -DsspcmDisableClientEndpointIdentification=true in the startCM.sh script. This tells the CM to ignore the hostname discrepancy in the SAN cert. MFT-10779 (CM) - RESTAPI import errors with backupDir and urlMapEntry Using the RESTAPI to import a configuration from a late SSP3432 or SSP6001 instance. Getting errors on the following in the cms.log and the import fails: cvc-complex-type.2.4.d: Invalid content was found starting with element 'urlMapEntry'. No child element is expected at this point. line # 3671 column # 14 Also getting the same error for the element "backupDir" Resolution: Added the recent keywords urlMapEntry and backupDir to the valid list in the xsd so that the RESTAPI will recognize them. MFT-10853/IT31763 (CM) - (GUI) SSPcm user binds to LDAP twice with SEAS for single login When SSPCM users are configured to authenticate through SEAS, they are authenticating twice to LDAP, once for the dashboard, and again under the covers for the configuration manager. Resolution: When authenticating CM users through SEAS, request an SSO token on the first authentication from the dashboard, and then pass the token to SEAS on the authentication from the configuration manager, avoiding the second call to LDAP. MFT-10887/ (CM,Engine,PS,SEAS) - GPF in SSP engine The SSP Engine terminated with a General Protection Fault (GPF) when the JVM tried to get an internal structure from a terminated thread. Resolution: Installed the IBM JRE 8.0.6.5 to resolve the GPF. MFT-10889/IT32078 (CM) - (GUI) CM session timeout still allows partial access of the GUI function Often when a CM GUI session times out (ie, after 30 minutes of inactivity), the user is allowed to complete a save operation, though they get a message that they must login again. Resolution: Now implement an HttpSessionListener for the SSPDashboard and Content web apps, which ensure that the GUI timeout is enforced before a save operation is allowed. MFT-10898/ (CM,Engine,PS) - (Container) Can not create APP_USER in the yaml file with GID of 1001 When trying to use a group ID (GID) of ‘1001’ in the yaml file the messages groupmod: GID '1001' already exists ERROR: Cannot set GID for appear in the APPStartup.log in the backup directory on the VM. Resolution: Now allow 1001 to be used as a group ID in a container. MFT-10903/IT32096 (CM,Engine) - configureCmSsl and configureEngineSsl not adding certificate chain to cmtrustore or truststore When adding a keycert to the keystore using the configureCmSsl or configureEngineSsl utilities, they were not adding the certificate chain to the cmtrustore or truststore. Resolution: Now add or update the certificate chain from the keycert into the appropriate truststore. MFT-10904/ (CM,Engine,PS,SEAS) - GPF in SSP engine The SSP Engine terminated with a General Protection Fault (GPF) in the IBMPKCS11 area. Resolution: Installed the IBM JRE 8.0.6.5 to resolve the GPF. SSP-3771/ (CM) - Updates to make CM logging more readable Resolution: Shortened some thread names within the CM to make the log lines narrower. Also merged some redundant lines in the debug log to lower the output. SSP-3793/ (CM) - Missing secure attribute in encrypted session (SSL) cookie SSP CM does not append "http-only" and "secure" security attributes for cookies that are sent back to the browser client. Resolution: Now add "http-only" and "secure" attributes to JSESSIONID cookies. Also known as PSIRT ADV0022033. See https://www.ibm.com/support/pages/node/6249281 for the Security Bulletin. SSP-4182/ (CM) - ICAP configuration field validation issues In the ICAP configuration panel, the Service Name and File Type fields were allowing binary non-printable characters and not displaying an error. Resolution: Now reject the bad field values and prompt the user for good ones. SSP-4183/ (CM,Engine) - Files with temporary names not getting AV scanned The ICAP AV Scanning feature for SFTP has a feature to scan only files with extensions specified in the ICAP Configuration. However, some clients (e.g. WinScp) append “filepart” as a temporary extension for large file uploads. Workaround: add "filepart" to the extensions list in the ICAP configuration. For example, if exe is an extension chosen, add exe.filepart along with exe in the ICAP configuration. Resolution: Added support for an adapter property “sftp.client.temp.ext.names=ext1,ext2,..,extn” in the ICAP Configuration. SSP will append these client specific extensions to each extension chosen for scanning when determining the extension match for ICAP AV scanning. SSP-4195/ (CM) - RESTAPI ICAP field validation errors for empty maxSessions file extensions RESTAPI import of ICAP configuration data allowed empty file extensions to be added and an empty maxSessions field got an error message related to numeric conversion rather than about the empty field. Resolution: Now do proper validations for empty file extensions and maxSessions fields. SSP-4202/ (CM) - SSPCM was allowing unsupported HTTP methods to be processed The SSPCM was allowing unsupported HTTP methods, such as PUT ot BOGUS, to be processed. Resolution: Now return a 403 Forbidden when an unsupported HTTP method is encountered. SSP-4207/ (CM, Engine) - New Engine install fails while importing keycert if engine port is in use During a new Engine install, the install fails while importing the keycert generated by the CM if the engine port is in use. The install log shows FATAL ERROR - class com.sterlingcommerce.csp.install.IA_ImportOrGenerateEngDfltCert FatalInstallException: Import Operation Failure even though there is nothing wrong with the certificate import. Resolution: Now check if a port number selected during an engine or CM install is already active at the time of selection and give the user a chance to change it or ignore the alert. SSP-4223/ (Engine) - Excessive logging on idle SFTP adapter During internal testing, found that the SFTP adapter could sometimes emit a couple of messages excessively in DEBUG mode, even when idle. SSE2621 sw is before setting interest ops SSE2621 sw is after setting interest ops Resolution: Changed the message number to SSE2998, which only gets emitted when the log level is DEBUG and the property log.debug.detail = 2 is set in the adapter properties tab. SSP-4236/PSIRT21787 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle January 2020 level to satisfy the CVEs in PSIRT advisories 20470 and 21787. See https://www.ibm.com/support/pages/node/6116926 and https://www.ibm.com/support/pages/node/6116962 for the Security Bulletins. Also tracked internally as SSP-4235. SSP-4244/ (Engine,CM,PS) - Cannot start docker container after stopping it After running "docker stop " on the Engine, CM or PS, it fails to start with a "docker start ". Logs show message 'cannot create user "test"' Resolution: Corrected the user conflict causing the container not to start. MFT-10874/ (Engine) - Engine listCerts.sh not working in 6010 The Engine listCerts.sh command did not work in 6.0.1.0 GA, giving a message "No certificates match the specified criteria." When SSP was converted to store configured key certificates and public keys, this utility was not modified to recognize the current formats for storing key certificates and public keys. Resolution: Modified the ListCerts utility to recognize the current key certificate and public key storage format. MFT-10959/IT32191 (CM) - (GUI) Unable to update keystore with certain PFX keys. PEM format works The SSP CM is unable to handle a PFX keycert format when there is a missing or unspecified label for either the private key or the associated public key. Resolution: Corrected SSP CM to be able to import PFX keycert format even when there is missing or unspecified label for the keycert or public key. MFT-10995/IT32374 (Engine) - SFTP adapter hung in a stopping state 2 pairs of synchronized methods in the SFTP failover code were causing a deadlock condition. One failover thread was trying to start an outbound route while another was stopping a listener after a failed connection and a deadlock occurred. The Engine had to be restared to clear the condition. Resolution: Replaced the method synchronization on 2 pairs of stop/start methods with synchronization on a local object instead. MFT-11060/IT32769 (Engine) - SFTP Getting SSE2654 Session limit exceeded on wrong adapter(s) The first SFTP adapter to come up was getting any "SSE2654 Session limit of xx has been exceeded" irrespective of the source adapter of the event. Resolution: Corrected the way the loggers are assigned to adapters at startup. MFT-11075/IT32687 (CM) - Change to SFTP Policy in 6.0.1.0 greyed out the Pass-Through option for Password and Key The SFTP Policy screen was changed in 6.0.1.0 to grey out the Pass-Through option when "Password and Key" is specified. While it is not possible to do Pass-Through when specifying "Key" or "Password or Key", we are guaranteed to have a password to pass through to the back with "Password and Key". Resolution: Allow Pass-through (again) on the SFTP policy screen when "Password and Key" is specified. MFT-11106/IT32810 (CM) - Unable to delete default self signed certificate from SSPCM Customers trying to delete a previous keycert using the configureCmSsl tool could get "***Cannot delete certificate with alias "xxxx". The certificate is currently selected for use." Using the configureCmSsl tool with the -s option did not show the certificate in use anywhere. Resolution: Incorporated portion of SSP-4335 fix which ensures that the configureCmSsl.sh update commonCert operation updates all 4 locations for the client and server certificate for the SSLInfo and JettyConfig defintions. Also provide more information about where the certs are in use when trying to delete them. SSP-4215/ (CM) - RESTAPI import error - Invalid cipher suite specified twofish256-cbc Some SFTP ciphers have been deprecated, and when trying to import from an older RESTAPI export, were causing the import to fail in the latest CM with "Invalid cipher suite specified twofish256-cbc". Resolution: Now allow the import to continue but remove deprecated SFTP ciphers with a warning message. If all ciphers are removed, substitute our default SFTP ciphers instead. SSP-4323/SEAS-1233 (Engine) - XML External Entity (XXE) vulnerability in SSP During internal security scanning, SSP was found to be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. It is further described in PSIRT advisory ADV0023731. Resolution: Added parser processing commands to disallow the illegal commands that caused the XXE attack. Fixed in code as SEAS-1233. See https://www.ibm.com/support/pages/node/6249331 for the Security Bulletin. SSP-4346/ (Engine) - SFTP ICAP AntiVirus scanning getting spurious RuntimeException: no messages in ICAP cache When using the SFTP ICAP AntiVirus scanning, as the file is uploaded to the backend server, it generates the following spurious error at the end of the transfer which does not affect the file upload function. java.lang.RuntimeException: System error - no messages in ICAP cache Resolution: Removed an extra call to SSH_FXP_CLOSE which was causing the nuisance error. MFT-11151/IT32957 (Engine) - SSP6010 upgrade fails on Windows When upgrading to SSP6010 on Windows, the install was failing with, "IBM Sterling Secure Proxy Engine services running. The installation cannot proceed while the services are running." This happened on the engine or CM even though all SSP services were stopped. Resolution: Corrected a test in the install process which was erroneously detecting that the SP-V6.0.1.0-engine or SP-V6.0.1.0-cm services were running. MFT-11200/IT33098 (Engine) - NPE in Maverick logs SFTP connections were failing intermittently, and the maverick.log contained many instances of com.maverick.ssh.ExecutorOperationSupport - Caught exception in operation remainingTasks=1 java.lang.NullPointerException: null Resolution: Corrected the NullPointerException in the SftpSubSys local_init method when a connection comes in. MFT-11042/ (Engine,PS) - Getting IOException: Too many open files SSP adapters were reporting "Too many open files" errors which used up all resources and blocked other partners from connecting to the Customer. They increased their kernel nofiles setting from 4096 to 8192, which helped to delay the outages. The local SSP Perimeter Server code was intermittently not cleaning up sockets at session end, which allowed file descriptors to accumulate. Resolution: Updated the old PS4060602 Perimeter Server jar files to the PS6000302 level. See SSP-3966 for description and important ACTION. SSP-3582/ (Engine) - Blacklisted events are logged as ERROR messages When sessions from blacklisted IPs or using blackisted userids were rejected the messages were coming out in the logs as ERROR, which made it difficult to separate out other ERROR messages in the logs. Resolution: Now log the blacklisted messages as WARN instead of ERROR SSP-3701/ (Engine,CM) - Apply password policy for system passphrase and admin password for new installs Resolution: New installs of SSP will impose a password policy during the install process requiring the system passphrase and admin password to be 6 to 28 characters in length with at least one upper case letter, one lower case, one digit, and one special character (“!@#$%^&”) with not more than 2 consecutive characters repeated. SSP-3966/ (Engine,PS) - Upgrade Perimeter Server code to same as B2Bi 6.0.3.2 The SSP Perimeter Server code is obtained from the B2Bi team at Precisely/ Syncsort. It had not been refreshed in several releases, causing issues such as MFT-11042 above. Resolution: Updated the SSP local and remote Perimeter Server code to use the PS6000302 code level as is shipped with B2Bi 6.0.3.2. This is an upgrade from the PS4060602 code we were shipping with. This defect also tracked internally as SSP-4233. ACTION: An Engine and any remote Perimeter Servers associated with its ACTION: adapters must be upgraded to the 6011 level at the same time to ACTION keep their PS code in sync. Otherwise the adapters will fail to ACTION: start with "Unable to connect to remote perimeter server..." SSP-4016/ (CM) - RESTAPI import does not update Jetty Server alias For a RESTAPI full CM export, the Jetty SSL configuration definition information was not being included. So a RESTAPI import was not updating the Jetty SSL configuration for the WebStart GUI. Resolution: Now export the Jetty config def information during a full RESTAPI CM export, so it can be used during a subsequent import. SSP-4190/ (Engine) - Getting IllegalBlockSizeException after upgrade After replacing the common CM and Engine certificate and upgrading to SSP6010, the engine would not start, with, "Startup did not succeed. Terminating: java.io.IOException: javax.crypto.IllegalBlockSizeException: Input length (with padding) not multiple of 16 bytes" Resolution: Added a flag in the internal engine configuration file to indicate whether the keystore and truststore xml files are encrypted. SSP-4198/ (CM) - configureCmSsl -s utility not showing all certs With SSP6010, the configureCmSsl -s utility di not show all the keycerts and certs in the keystore and truststore in the defSslInfo.xml file. When the keystore type was switched from java-keystore (jks) to an xml-based keystore, the display/show functionality stopped working. Resolution: Added logic to restore the display/show functionality in the configureCmSsl script. SSP-4308/ (Engine,CM) - Add password policy for command line changePassphrase utility Resolution: Now use the same password policy which was added in SSP-3701 to the changePassphrase utility in the Engine and CM. New passwords will need to be 6 to 28 characters in length with at least one upper case letter, one lower case, one digit, and one special character (“!@#$%^&”) with not more than 2 consecutive characters repeated. SSP-4309/SSP-4322 (Engine,CM) - Support for ICAP Anti-Virus Scanning in C:D Enhancement to support in-flight anti-virus scanning of small to medium size files being uploaded through the C:D adapter. Since C:D is a forward or reverse proxy, it can also be used for pulling files into the secure zone. See online documentation for SSP6011 for more details. Simlar to SSP-3834 for SFTP, it requires the McAfee Web Gateway ICAP server. Other internal stories: SSP-4358, SSP-4374, SSP-4485. SSP-4310/SSP-4445 (Engine,CM,PS) - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2020 level to satisfy the CVEs in security PSIRT advisories ADV0021791 and ADV0023736. https://www.ibm.com/support/pages/node/6249355 and https://www.ibm.com/support/pages/node/6249371 for the Security Bulletins. SSP-4510/ (Engine,CM) - (SFTP) Allow reject option when ICAP session limit is exceeded Resolution: Adding a second option in the ICAP GUI Advanced tab to reject a file upload or send the file as "unscanned" for the following situations: - IO error or connection error with ICAP Server (already done) - ICAP server Max session limit is exceeded (new) SSP-4590/ (Engine) - Missing HTTP headers in response from MFG Internal OWASP testing showed that when logging in to MFG, the HTTP headers Cache-control and X-Content-Type-Options were not being returned. Resolution: Now supply the missing headers when front-ending the MFG application. MFT-11269/IT33625 (PS) - PS silent install gving bad port error During a silent install, if the port value is incorrect, the install gets into an infinite loop resulting in a stackOverflow error. Resolution: Added custom Java code to handle the error condition and exit the install with a message to in install log SSP-3804/ (Engine, CM) - Passphrase validation in silent install During a silent install, there were no rules for validating and confirming the passphrases and passwords supplied. Resolution: On a new install in Silent Install mode, verify the length of the passphrase / password (6 to 28), and ensure it contains an upper case, lower case, digit, and a special character (!@#$%^&). SSP-4450/ (CM) - Add checkboxes to Password Policy in SSP CM Resolution: Add checkboxes in SSPcm -> Advanced -> Password Policy to allow the administrator to turn off the requirement for Capital characters, Small charcaters, and/ or digits. SSP-4480/ (CM) - RESTAPI add missing validations As changes have been made to the SSPCM GUI, some validations have not kept up in the RESTAPI. Resolution: Updated the RESTAPI policy validators for SFTP, FTP, CD, and HTTP. SSP-4529/ (CM) - Allow CM login page from root (/) Resolution: Now allow the CM login page to be accessible from root "/" as well as the "/SSPDashboard" context path. SSP-4597/ (Engine,CM) - Install rejects password with $$ A new install of SSP would not accept passwords with multiple dollar ($) symbols, such as Pa$$w0rd or Pa$wor$d123. Resolution: Now correctly handle passwords with multiple dollar ($) symbols. SSP-4620/ (Engine,CM) - Set TLSv1.2 protocol for CM, Engine and Web Server (Jetty) On a new install, the default protocol for communication between the CM and Engine and the Web GUI was IBM's SSL_TLSv2. This allowed connections to protocols SSLv3 (disallowed), TLS, TLSv1.1, or TLSv1.2. Resolution: To improve security, brand new installs will set the secure protocol to TLSv1.2 across the board. MFT-11287/IT33627 (CM) - Allow comma and apostrophe in CM key passwords SSP CM does not support comma and apostrophe character in key certificate passwords. Resolution: Now allow commas and apostrophes as valid characters for key certificate passwords. MFT-11293/IT33828 (Engine) - 229 response for FTP EPSV causes problems with some partners Fix RTC556199 in SSP3430 enabled IPV6 in SSP, but the responses to the FTP Extended PASV (EPSV) and Extended PORT (EPRT) commands were wrongly tied to whether the machine that SSP was running on was IPv6 enabled. If it was not, it returned a 227 response for the EPSV instead of the correct 229 response. This behavior was corrected in the fix for MFT-10692. However, some partners got used to the wrong behavior and depended on a 227 PASV response being returned for an EPSV command. When the Customer upgraded to an iFix which contained MFT-10692, partner the scripts stopped working. Resolution: Added support for a new FTP adapter property, "ftp.return.pasv.response.for.epsv", which if set to "true" causes that adapter to return the 227 PASV response to a EPSV command. Also fixed a problem where the 227 response on an IPv6 enabled machine displayed the IP address in IPv6 format "0:0:0:0:0:0:0:1" instead of comma separated IPv4 format "127,0,0,1" as the RFC requires. MFT-11130/IT33879 (Engine) - Intermittent requests to SEAS timing out Occasionally, when several requests came in on the CD adapter at the same time requesting SEAS certificate validation, the last request sent timed out 3 minutes later when the socket was closed. The low level write of the bytes to the SEAS socket was not doing a flush of the data to make sure that it was properly presented to SEAS. Resolution: Now ensure that each SEAS request written on the socket has a proper ending of the data so that it is immediately recognized by SEAS. MFT-11139/IT33786 (Engine) - During load testing, SEAS shows ERROR "AUTH037E Authentication request missing password." If SFTP adapter session limit exceed the max limit during load test, it was still trying to connect with SEAS resulting in missing password error in the Customer load test environment. Resolution: Moved session limit check earlier in sftp adapter so that it does not make an unnecessary connection to SEAS. SSP-4675/ (CM) - NullPointerException adding trustedCert Getting a NullPointerException while adding a trusted certificate for the Jetty webserver using the cmConfigureSsl utiity. Resolution: Now use the proper method for adding trusted certificates for XML-based keystores. MFT-11273/IT33922 (Engine) - JVM thread deadlocks in Maverick code; OutOfMemory during large SFTP download The Customer's monitoring software noticed that there were several pairs of SFTP threads deadlocked on each other. This deadlock was fixed in the Maverick 1.7.22 release, while we were running 1.7.20. A second issue with an OutOfMemory (OOM) exception was tracked with MFT-11539 but no APAR was needed. A client was downloading a multi-GB file and requesting data packets faster than it was receiving them causing them to back up in memory. Heap dumps showed memory accumulated in java/util/LinkedList$Node and com/maverick/sshd/Channel$QueuedData. Resolution: Upgraded the Maverick toolkits to the 1.7.32 level to correct the deadlock and windowing issues. ACTION: SFTP key sizes, both yours and your trading partners, MUST be 1024 bits or higher. Ensure that key sizes are adequate before migrating to production. From the Maverick toolkit vendor: This release restricts the use of RSA keys in authentication to 1024 bits or higher. If you attempt to authenticate with a key with < 1024 bits, the API will automatically reject the authentication request. The API also restricts key generation of RSA and DSA keys to 1024 bits or higher. These changes match the key size restrictions used by OpenSSH. Please note that the recommended size of an RSA key should be at least 2048 bits, preferably 3072 bits, which is now the OpenSSH default for RSA keys. SSP-3583/ (CM) - unauthorized.jsp does not display IBM in header title When the unauthorized.jsp page was displayed, it said Secure Proxy, not IBM Secure Proxy as it should. Resolution: Updated the unauthorized.jsp page to display IBM Secure Proxy. SSP-4670/ (CM) - RESTAPI services do not report exception stacktrace in CM log file SSP CM Rest API services are not logging exception stacktraces thereby making problem resolution more time consuming. Resolution: Added logic to extract the full exception stacktrace when an error occurs and write it into the SSP CM log files SSP-4138/ (CM) - manageKeyCerts cannot copy non-HSM keycert The manageKeyCerts utility was getting a Nullpointer exception when trying to copy a non-hsm certificate. Resolution: Now correctly copy all types of keycerts. SSP-4662/ (CM) - RESTAPI missing validations of Password Policy The RESTAPI was not properly validating new tags in the password policy definition. Resolution: Now correctly validate the following tags during RESTAPI import when presented, but do not require them from older exports: , , , , and . SSP-4668/ (CM) - RESTAPI allows empty eaAuthProfile and eaCertProfile tags to be imported During a RESTAPI import, the CM does not throw any exception if , or is an empty value. Resolution: Now fail the import if the , or is present but contains an empty value. MFT-11423/IT34330 (Engine) - MyFG 2.0 (B2Bi 6.1) REST API Authentication fails when it goes through SSP MFG 2.0 uses HTTP Authorization header with scheme of "bearer". SSP only supported "basic". SSP rejected the header and did not pass it to the back end MFG 2.0, which caused it to fail. Resolution: Now support the "bearer" Http Authorization header and pass it to the back end server. Also tracked internally as SSP-4702. SSP-4640/ (CM,Engine) - Vulnerability in Apache Commons Codec HIPER: Updated the Apache Commons Codec toolkit to v1.15 to address PSIRT advisory ADV0025470 - CVEID: 177835 (CVSS: 7.5). See https://www.ibm.com/support/pages/node/6339801 for security bulletin. MFT-11388/IT34365 (Engine) - (FTPs) loopback transfers failing 75% of time FTPS sessions (data connections) were failing when large number (~800) of trusted certificates are involved in the handshake with client. The SSL handshake for the data channel was being delayed, causing intermittent failures. Resolution: Corrected a problem interacting with the local perimster server code when setting up the handshake with the client on the data channel in passive mode. MFT-11411/IT34415 (CM) - RESTAPI Validation of Peer address range (IP Subnet range) in Netmap Inbound Nodes There was no support in the RESTAPI for validating the CIDR (IP subnet) peer address ranges on inbound SFTP, FTP and HTTP nodes. Examples: 10.20.30.40/32, 10.20.30.0/24, etc. Resolution: Now validate the inbound netmap node peer address patterns durig RESTAPI imports for proper specification of the CIDR patterns, namely, the value of significant bits to mask for IP address checking (the number after the /) must be between 0 and 32. Also, the address pattern must specify zeroes for the trailing bits in the pattern which are to be "wildcarded". Example 10.20.30.40/24 - wrong, 10.20.30.0/24 - correct. MFT-11429/ (Engine) - SSP adapters listening even after outbound node becomes unreachable With the adapter properties failover.detection.enabled=true and failover.detection.mode=continuous, the adapter was not taking the inbound listener down when it detected that there was a problem connecting to the back end SI adapter. This caused the load balancer to continue to send sessions to the SSP adapter even though it was not working. Resolution: Now correctly monitor the "stopListenCalled" flag so that when the outound adapter is inaccessible, the SSP adapter will stop listening. MFT-11451/IT34408 (CM) - RESTAPI addNodes failed with "Content is not allowed in prolog" through sspRestAPI utility When calling the API through the sspRestAPI utility, SSP was not parsing the input xml correctly. It was working fine for HTTTP based REST clients, such as Postman, etc. Resolution: Now parse the xml correctly no matter the source. MFT-11423/IT34330 (Engine) - (HTTP) Empty cookie header sent to PEM After upgrading to Jetty 9.4.x, the cookie header going back to PEM was sometimes empty or blank. Resolution: Now validate the cookie header to make sure it is not empty or blank before forwarding it via SSP. MFT-11428/IT34518 (CM,Engine) - CM performance problems editing large netmaps Customer with large netmaps (thousands of nodes with unique IP addresses) found that editing and saving the netmap could take minutes and result in a timeout. SSP was writing an audit log record of the change with a "before" and "after" copy of the netmap configuration xml, each copy of which could be several MB. The string functions to sanitize the audit records to mask passwords, etc, were not streamlined for performance. Resolution: Updated the string functions used to sanitize the configuration audit records to make CM edit/save operations perform better. Also for SFTP, now show the Netmap and Node that an inbound session matched. MFT-11511/IT34629 (CM,Engine) - Performance problems editing large netmaps This is a follow on to MFT-11428 to resolve performance problems related to editing and saving large netmaps through the SSPCM GUI. The process of logging configuration changes to the audit log was doing inefficient processing when trying to mask password data being written. Resolution: Improved the method of masking sensitive information when logging configuration changes for netmap nodes. Limit the inbound node checking to CD and PeSIT netmaps, as other protocols do not have sensitive information. SSP-4206/ (Engine) - Logs show "SSP0040I Support for IBMPKCS11Impl HSM is enabled" though HSM is not enabled Resolution: Skip sending the message when HSM is not enabled. SSP-4232/ (Engine) - Wrong certificate store displayed for Engine After installation, a ConfigureEngineSsl -s utility was showing the key store name as dfltCMKeyStore and the trust store name as dfltCMTrustStore. Resolution: Corrected the installer to set the names as dfltEngineKeyStore and dfltEngineTrustStore, respectively. MFT-11238/IT34624 (Engine) - (SFTP) Negative message length SshException for DATA packet from non-standard server Customer using a non-standard server on the back end and trying to pull a file. The SSP local TCP window size was small which caused the server to split a data packet incorrectly. SSP detected it as a negative message length. Resolution: Now set the initial TCP local window size for the back end SFTP session to 4MB to ensure that the server does not need to split data packets. The value can be overridden with the following new SFTP adapter properties (See also SSP-4799): sftp.backend.max.packet.size = 4194304 (4M initial backend window size) sftp.backend.max.window.size = 4194304 (4M max backend packet size) MFT-11309/IT34732 (Engine) - (SFTP) SSE2640 sshd channel closing when local window size goes below 32k A trading partner was uploading a several hundred MB file using the Globalscape ETF SFTP client and randomly getting an abrupt channel close which terminated the connection. When the local TCP window size went below 32k on SSP and the client sent a 32k data packet, SSP shut down the connection. Resolution: Now set the minimum and maximum local window size for the SFTP adapter and allow them to be configured in the adapter property tab (See also SSP-4799): sftp.inbound.max.window.size = 2097152 (2M maximum inbound window size) sftp.inbound.min.window.size = 131072 (128k minimum inbound window size) MFT-11517/IT34628 (CM) - RESTAPI validation of CD netmap node ip addr Various problems in RESTAPI validation of CD nodes allowed netmaps to be imported which could not be saved in the CMU GUI and/or could not be pushed to the engine. 1) Accepting "0" or unspecified for CD Netmap "port number" in the location corresponding to GUI [CD Netmap > Edit a Node > Advanced tab > Port num] 2) Accepting "/32" for "Connect direct server address" correspoding to GUI [CD Netmap > Edit a Node > Basic Tab > Server address] Resolution: Now validate the address and port values during a RESTAPI import of CD netmaps. Fail the import with meaningful error messages to help isolate any import problems. MFT-11536/IT34761 (Engine) - "testSSPCookie" fails Customer's Security scan The test cookie used by the SSP login page javascript for detecting if the browser allows cookies was being flagged by the Customer's security scans because it does not have the security attributes HttpOnly and Secure. Adding the HttpOnly attribute would not work, as it would prevent the javascipt from accessing the cookie. Resolution: Removed the use of the testSSPCookie and used a javascript variable (navigator.cookieEnabled ) designed for this purpose. ACTION: If your site has customized the login.js scripts, you must re-apply your customizations after the upgrade in /resources/login.js and /extportal/resources/login.js. MFT-11557/IT34792 (CM) - RESTAPI SFTP Netmap import allows unreferenced remoteClientKeyStore The RESTAPI import of an SFTP netmap outbound node was allowing a tag to be imported with the name of a non-existent Local User Keystore. The resulting configuration could not be pushed to the engine, resulting in a message: "CONF003E Exception processing configurator request. Name , Request: sspConfigPush, Exception: ConfigDefMissingException: Referenced definition not found in registry: string (dataType=KeyStoreDef)" Resolution: Updated the RESTAPI validation of an SFTP netmap to ensure that if a remoteClientKeyStore is referenced, it actually exists. SSP-4799/ (Engine,CM) - Allow configurable window and packet size limits for SFTP. Resolution: This internal defect was done to add support for the SFTP adapter properties needed by MFT-11238 and MFT-11309: sftp.inbound.max.window.size = 2097152 (2M maximum inbound window size) sftp.inbound.min.window.size = 131072 (128k minimum inbound window size) sftp.backend.max.packet.size = 4194304 (4M initial backend window size) sftp.backend.max.window.size = 4194304 (4M max backend packet size) MFT-11512/IT34993 (Engine) - (HSM) HTTPs fails with HSM enabled SSP was seeding the SecureRandom function when the safeNet/LUNA Hardware Security Module (HSM) was enabled, which the HSM rejected. This caused an exception that prevented the TLS Handshake from completing. Resolution: Now turn off seeding SecureRandom when IBMPKCS11 is the provider for generating pseudo random numbers. MFT-11517/IT34628 (CM) - RESTAPI validation of CD netmap node ip addr Problem 1) Unable to add an IP in "IP Checks section" (CD Netmap > Edit a Node > IP checks. 2) RESTAPI still allows a "/32" subnet range for Alternative Destinations. Resolution: Cleaned up these stray problems. MFT-11519/IT34997 (Engine) - SSP OutOfMemory (OOM) with 80% in com.sterlingcommerce.cspssh.parameters.Parms SSP failed with an OutOfMemory. The heapdump analyzer showed that the top 3 main leak suspects were com.sterlingcommerce.cspssh.parameters.Parms adding up to about 80% of the available memory. The .policy value was not being removed from Parms map for false authentication cases and gradually filled it and caused the OOM condition. Also when a user could not connect to the backend, the channel id was not getting removed from the map. Resolution: Now handle the false authentication case and remove the .policy entry from the Parms map. Also ensure the channel id is removed from the map for backed registration failure scenarios. MFT-11578/IT34989 (CM) - SSPCM adding to user store fails with password policy selected after upgrade After upgrading from a previous build of SSP, and trying to add a user to the user store with the password policy in place, the CM would get a System Error popup and force the user to exit. There was a NullPointerException in com.sterlingcommerce.csp.gui.web.utils.SSPFieldValidator.validatePassword() because the validation code was missing a check for null when looking for a capital letter. Workaround is to turn off the password policy when adding the user. Resolution: Now when the system is upgraded and some password policy fields are uninitialized, check for null before using them. This was fixed internally as SSP-4795. SSP-4866/ (CM) - Password policy fields not initialized properly after upgrade from SSP3432 When upgrading from SSP3432, the new password policy fields for requiring upper case, lower case, and digits were checked. Resolution: Now when upgrading, set these new fields to false (unchecked) by default. SSP-4926/ (CM) - ICAP RESTAPI not validating properties The RESTAPI was not validating ICAP properties for numeric/alpha fields. Resolution: Added validations for the ICAP properties in the RESTAPI. SSP-2963/ (CM) - Remove option to update the security under the CMSystemSettings Customers who used the CM GUI System -> CMSystemSettings -> Security tab to change their TLS protocol information found that they could no longer use the GUI once it restarted, since the web configuration also needed to be changed. Resolution: Changed the security tab under CMSystemSettings to be view only, with a note that to change settings, they must run the configureCmSsl tool. SSP-3548/ (CM) - Allow configuration of the maximum header length and content size for the SSPCM. The SSPCM could get overrun with data if a large HTTP header or page content is received. Resolution: Now set a default header size (8192) and content size (200,000) to protect the CM from an overrun. These are configurable in the Globals tab of the System -> System Settings tab. SSP-4518/ (Engine) - ICAP Logging improvements Some log messages in ICAP processing were in DEBUG mode when they should have been logged in INFO or ERROR mode. Resolution: Added the following INFO and ERROR messages to the ICAP flow: CSP085I No malware reported during ICAP AV scanning of file - {0} CSP086E Secure Proxy Internal Error occured during ICAP AV Scanning of file - {0} CSP087E Copy terminated for file ({0}) due to internal error with ICAP Server CSP088E File ({0}) will be transferred without Anti Virus scan, due to internal error with ICAP Server CSP089E ICAP AV Scanning failed, malware detected file: {0}, ICAP response : {1}, Virus name: {2}, Reputation: {3}, Geo Location: {4} CSP090I Data Compression (Standard/Extended) is enabled, File ICAP AV Scanning skipped, file - {0} CSP091I File extension not in selected list, ICAP AV Scanning skipped for file - {0} CSP092I FASP is enabled at PNODE & SNODE, ICAP AV Scanning skipped for file - {0} SSP-4606/ (Engine) - Audit log messages for CD ICAP support Resolution: Added audit log messages for the new CD ICAP functionality AUD3004E=Copy terminated for file ({0}) due to internal error with ICAP Server AUD3005E=File ({0}) will be transferred without Anti Virus scan, due to internal error with ICAP Server AUD3006I=No malware reported during ICAP AV scanning of file - {0} AUD3007E=ICAP AV Scanning failed, malware detected file: {0}, ICAP response : {1}, Virus name: {2}, Reputation: {3}, Geo Location: {4} AUD3008I=Data Compression (Standard/Extended) is enabled, File ICAP AV Scanning skipped, file - {0} AUD3009I=File extension not in selected list, ICAP AV Scanning skipped for file - {0} AUD3010I=FASP is enabled at PNODE & SNODE, ICAP AV Scanning skipped for file - {0} SSP-4614/SSP-4699 (CM,Engine) - Fix resource leak issues reported by internal code scan Resolution: Corrected various coding issues detected by our internal code scan tool. Removed dead code, avoid NullPointerExceptions, use IOException instead of Exception when closing resources. SSP-4666/ (CM,Engine) - Log stacktraces when startup fails The SSP startup process does not log encountered exceptions properly to enable prompt resolution of Customers' startup failures. Resolution: Now ensure that fatal exceptions log their stacktrace into the SSP log file. SSP-4694/4697/4698 (CM,Engine) - Support for SOCKS5 Proxy for outbound CD connections Enhancement: Engine, CM GUI and RESTAPI changes for SOCKS5 Proxy support for outbound CD connections. Also worked as defects SSP-4697 and SSP-4698. SSP-4736/ (CM) - Upgrade Jackson jars to latest Resolution: Updated the Jackson jars to the latest (1.9.14) to facilitate parsing JSON requests. SSP-4742/ (CM,Engine) - Data Collector for non-Windows CM & engine leaves LongDirectoryOutput.txt empty The runCMDataCollector and runEngineDataCollector scripts in the bin directory dump out a number of text files with information about the environment for passing to Support. The longDirectoryOutput.txt file, a recursive dir listing of the installation directory, works on Windows, but is empty on non-Windows. Resolution: Corrected the utilities to correctly output the recursive listing of the installation directory for diagnostic purposes. SSP-4801/ (CM) - Upgrade IBM MQ Client to latest Resolution: Updated the IBM MQ Client jars to the latest (9.2.0.1). SSP-4925/ (Engine) - Remove license type prompt from Engine install Resolution: Remove the prompt for the license type (Production or non-Production) from a new SSP Engine install. SSP-2963/ (CM) - Remove option to update the security under the CMSystemSettings Customers who used the CM GUI System -> CMSystemSettings -> Security tab to change their TLS protocol information found that they could no longer use the GUI once it restarted, since the web configuration also needed to be changed. Resolution: Changed the security tab under CMSystemSettings to be view only, with a note that to change settings, they must run the configureCmSsl tool. SSP-3548/ (CM) - Allow configuration of the maximum header length and content size for the SSPCM. The SSPCM could get overrun with data if a large HTTP header or page content is received. Resolution: Now set a default header size (8192) and content size (200,000) to protect the CM from an overrun. These are configurable in the Globals tab of the System -> System Settings tab. SSP-4518/ (Engine) - ICAP Logging improvements Some log messages in ICAP processing were in DEBUG mode when they should have been logged in INFO or ERROR mode. Resolution: Added the following INFO and ERROR messages to the ICAP flow: CSP085I No malware reported during ICAP AV scanning of file - {0} CSP086E Secure Proxy Internal Error occured during ICAP AV Scanning of file - {0} CSP087E Copy terminated for file ({0}) due to internal error with ICAP Server CSP088E File ({0}) will be transferred without Anti Virus scan, due to internal error with ICAP Server CSP089E ICAP AV Scanning failed, malware detected file: {0}, ICAP response : {1}, Virus name: {2}, Reputation: {3}, Geo Location: {4} CSP090I Data Compression (Standard/Extended) is enabled, File ICAP AV Scanning skipped, file - {0} CSP091I File extension not in selected list, ICAP AV Scanning skipped for file - {0} CSP092I FASP is enabled at PNODE & SNODE, ICAP AV Scanning skipped for file - {0} SSP-4606/ (Engine) - Audit log messages for CD ICAP support Resolution: Added audit log messages for the new CD ICAP functionality AUD3004E=Copy terminated for file ({0}) due to internal error with ICAP Server AUD3005E=File ({0}) will be transferred without Anti Virus scan, due to internal error with ICAP Server AUD3006I=No malware reported during ICAP AV scanning of file - {0} AUD3007E=ICAP AV Scanning failed, malware detected file: {0}, ICAP response : {1}, Virus name: {2}, Reputation: {3}, Geo Location: {4} AUD3008I=Data Compression (Standard/Extended) is enabled, File ICAP AV Scanning skipped, file - {0} AUD3009I=File extension not in selected list, ICAP AV Scanning skipped for file - {0} AUD3010I=FASP is enabled at PNODE & SNODE, ICAP AV Scanning skipped for file - {0} SSP-4614/SSP-4699 (CM,Engine) - Fix resource leak issues reported by internal code scan Resolution: Corrected various coding issues detected by our internal code scan tool. Removed dead code, avoid NullPointerExceptions, use IOException instead of Exception when closing resources. SSP-4666/ (CM,Engine) - Log stacktraces when startup fails The SSP startup process does not log encountered exceptions properly to enable prompt resolution of Customers' startup failures. Resolution: Now ensure that fatal exceptions log their stacktrace into the SSP log file. SSP-4694/4697/4698 (CM,Engine) - Support for SOCKS5 Proxy for outbound CD connections Enhancement: Engine, CM GUI and RESTAPI changes for SOCKS5 Proxy support for outbound CD connections. Also worked as defects SSP-4697 and SSP-4698. SSP-4736/ (CM) - Upgrade Jackson jars to latest Resolution: Updated the Jackson jars to the latest (1.9.14) to facilitate parsing JSON requests. SSP-4742/ (CM,Engine) - Data Collector for non-Windows CM & engine leaves LongDirectoryOutput.txt empty The runCMDataCollector and runEngineDataCollector scripts in the bin directory dump out a number of text files with information about the environment for passing to Support. The longDirectoryOutput.txt file, a recursive dir listing of the installation directory, works on Windows, but is empty on non-Windows. Resolution: Corrected the utilities to correctly output the recursive listing of the installation directory for diagnostic purposes. SSP-4706/ADV0026225 - Upgrade IBM JRE to 8.0.6.15 level for security patches Resolution: Update the IBM JRE to satisfy the CVEs in the Oracle July 2020 CPU, PSIRT advisory 26225. See https://www.ibm.com/support/pages/node/6398774 for the Security Bulletin. SSP-4710/ADV0027000 (Engine) - Upgrade Apache ActiveMQ to 5.16 for security patches Resolution: Updated the Apache ActiveMQ libraries to v5.16.0 to mitigate CVE-2020-13920, a man-in-the-middle attack. This is PSIRT advisory 27000. See https://www.ibm.com/support/pages/node/6398750 for the Security Bulletin. SSP-4801/ (CM) - Upgrade IBM MQ Client to latest Resolution: Updated the IBM MQ Client jars to the latest (9.2.0.1). SSP-4812/ADV0028030 (Engine,CM) - Update Jetty toolkit to 9.4.34 for security patches Resolution: Updated the Eclipse Jetty toolkit to 9.4.34 to mitigate CVE-2020-27216, dealing with elevated privileges. This is PSIRT advisory 28030. See https://www.ibm.com/support/pages/node/6398772 for the Security Bulletin. SSP-4925/ (Engine) - Remove license type prompt from Engine install Resolution: Remove the prompt for the license type (Production or non-Production) from a new SSP Engine install. MFT-11467/IT34992 (Engine) - Problem with HTML rewrite - connection close When 'HTML Rewrite' is selected in SSP, if the backend HTTP Server sends a response with a 'Connection: close' header and does not include content length or chunked transfer encoding headers, the browser does not get the full response body. Resolution: Made changes to correctly handle the Connection: close header. MFT-11666/IT35478 (Engine) - SFTP adapters go offline when too many sessions per user on SFG Customer had failover enabled for the SFTP adapter and the B2Bi max sessions per user set. When the user session count exceeded the limit on B2Bi, it threw an exception back to SSP, which called failover to take the listener down. When the failover code detected that the B2Bi adapter was not down, it brought the listener back up, resulting in a yo-yo effect on the listener. Resolution: Now check if the session startup exception from B2Bi is due to "too many connections for user" and don't take listener down. MFT-11669/ (Engine) - Protect login form from CSRF Resolution: Set a CSRF token in a hidden field in the login and changePassword pages and when the user logs in, validate the token from the form. This fix also known internally as SSP-4591. ACTION - If your site has rebranded the HTTP Signon/login.html, changepw.html, or login.js script, you must re-apply your customizations after the upgrade. MFT-11683/IT35628 (Engine) - SFTP disconnects when >500 files in a mailbox SFTP sessions were failing when connecting to an SFG mailbox with 500 files in it. MFT-11238 introduced a 4M default value for the SFTP adapter property sftp.backend.max.packet.size which sets the sessionMaxPacketSize in the Maverick toolkit for the backend session to B2B1. The large packet size caused the Maverick toolkit on B2Bi to throw an exception when trying to return a directory listing for an SFG mailbox with over 500 files. Resolution: Make the default of the sftp.backend.max.packet.size adapter property to 34000 (33.2 KB) and enforce a maximum value of 56320 (55 KB). MFT-11742/IT35559 (CM) - Jetty failure at CM startup after upgrade to iFix 03 Customers installing the new SSPCM or SEAS for iFix 03 could not bring up the SSPCM or SEAS. The error message was KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead) The new Jetty for PSIRT ADV0028030 introduced a requirement of having only one CA-signed keycert in the keystore unless using a server form of the SslContextFactory class. The problem could also occur with one Subject Alternative Name (SAN) keycert which has multiple hosts. Resolution: Updated our Jetty instance to use the SslContextFactory$Server class as required when SAN certificates or multiple signed certificates are present in the keystore. SSP-4873/ (CM,Engine) - Support SFTP adapter property to set front end rekey count Resolution: Support a new SFTP adapter property, sftp.rekeycount, with a default value of 60000 which sets the number of packets to receive on the front end before requesting an SSH rekey. SSP-4908/ (Engine) - PS for SSP on Windows shows SSP.INSTALLED.VERSION=6.0.3.2 The SSP Perimeter Server on Windows was using SSP.INSTALLED.VERSION=6.0.3.2 in the property file instead of the correct SSP version, iFix number and build. The value is for reference only to show which SSP build the PS install was done from. The "6.0.3.2" is the version of the B2Bi that the PS code was built from. UNIX/Linux versions display the values correctly. Resolution: Updated the InstallAnywhere deck for the Windows install to correctly supply the SSP version, iFix and build number. SSP-4950/ (CM) - SSPCM adding duplicate cookies The SSPCM was adding duplicate cookies in the HTTP response header to the browser, causing Jetty to fumble the real sessionid when the browser sent subsequent requests to the CM. Resolution: Removed the logic enabling the duplicate set-cookie command on the http response to the browser. Also added logic to enable the Cookie Domain on the set-cookie HTTP header line. MFT-11770/ (Engine) - Set HttpOnly, Secure for SspWebSessionId cookie The HttpOnly and Secure attributes were being sent when the SspWebSessionId cookie was being sent for the first time but not on a resend. Resolution: Turned off the unnecessary resend of the cookie at the place where the attributes were not being sent. Also, added the missing domain attribute for this cookie. MFT-11830/IT36115 (Engine) - SFTP transfers stall with Maverick 1.7.32 After putting on SSP6011 iFix 1 Build 188 or higher, several Customers experienced SFTP transfers hanging, stalling, or failing on uploads or downloads. That build introduced a newer Maverick toolkit which caused the instability. This issue also tracked internally with MFT-11982. Resolution: Through much testing with small, medium and large files, it was determined that the 1.7.20 toolkit which we had on prior to 1.7.32 was much more stable, so we are reverting to that toolkit while working with the Maverick vendor on the transfer issues. Note: This also temporarily lifts the restriction introduced in the Maverick 1.7.31 toolkit that all keys presented to SSP must have a key size of 1024 or greater. We still recommend that all trading partners update any keys which are deficient so that they will not fail in a future build. MFT-11762/IT36161 (Engine) - After importing engine certificate, dfltEngineKeyStore and dfltEngineTrustStore are renamed to dfltCMKeyStore and dfltCMTrustStore After exporting the certificates from the CM and using the engineSslConfig tool to import them into the engine, the dfltEngineKeyStore and dfltEngineTrustStore were renamed to dfltCMKeyStore and dfltCMTrustStore. There were no other side effects. Resolution: Corrected the utility to not change the names of the key and trust stores during an import operation. MFT-11873/IT36145 (Engine) - Remove TRACE from allowed methods in HTTP Adapter Resolution: Removed TRACE from the default allowed methods in the HTTP adapter. Also tracked internally as SSP-4989. MFT-11875/IT36185 (CM,Engine) - Silent install ends with 255 code due to failure reported in Import/generate certificate step When recording a silent install response file, the variable generated for the response to the generate keycert question was different than the one that the installer used during playback. (USER_INPUT_CONSOLE_RESULTS vs. GEN_KEY_CERT). The mismatch caused a failure and a 255 return code. Resolution: Corrected the installer to use either variable format to answer the generate keycert question. SSP-4965/ (CM,Engine) - Updated code signing certificate for signing jarfiles The code signing certificate for signing jar files expires March 14, 2021. Internal testing with dates beyond the expiration date showed no side effects on starting and running SSP or the SSPCM. Resolution: Now sign all jars with an IBM signing certificate which expires in 2031. MFT-11769/IT36186 (CM) - Cannot sign in to SSPCM when going through WebSeal proxy Customer with an IBM Webseal proxy in front of the SSPCM was getting "session is null or invalid" when trying to sign in from the login page. The referrer in the HTTP header was not being validated properly. Resolution: Now strip off the port from the host value in the HTTP request header to correctly validate the referrer. MFT-11902/IT36593 (Engine) - SFTP SSE2654 "Session limit of 'n' has been exceeded" message not posted in logs The SSE2654 message was inconsistently being emitted for an SFTP adapter which reached its session limit, or showing up in the wrong adapter log. Resolution: Corrected the logger instance for SSE2654, ensuring that each adapter's session limit messages are logged properly and that each adapter enforces its own session limits. MFT-11937/IT36198 (Engine) - Upgrade from pre-SSP6001 in FIPS mode causes engine startup to fail Customer running on SSP6000 in FIPS mode upgraded to SSP6011 and could not start the engine. The following messages were shown in the startup logs: ERROR AccepterConfigManager - Issue encountered while retrieving configuration file from [null] ERROR ServiceManagerImpl - java.lang.RuntimeException: Unable to configure/start accepter: Secure The FIPS compatibility checks were being done before the keystores were converted to the post-6001 format. Resolution: Now handle an upgrade in FIPS mode from a pre-SSP6001 system. Workaround: Prior to the upgrade, set FIPS_MODE=false in the bin/security.properties file. Set it back to true after the upgrade. MFT-11968/IT36578 (Engine) - Max session limit on one SFTP adapter limits sessions on other adapters with higher setting The Customer found that an SFTP adapter with a limit of 1000 sessions was limited by the setting on another adapter which was set to 400 sessions. Resolution: This was fixed by the same fix as MFT-11902, ensuring that each adapter's session limit messages are logged properly and that each adapter enforces its own session limits. MFT-11965/IT36452 (Engine) - Keycert passwords visible as clear text in Engine audit logs when configuration pushed. When adding a keycert to the CM system store and using it in an SSL based protocol on the Engine, the keyPassphrase and keyStorePassword fields are shown in plain text in the /logs/audit/auditlog.xml files when the configuration is pushed to the engine. The fields are masked on the CM side. Resolution: Now mask the keyPassphrase and keyStorePassword fields in the engine audit logs, as we do for other sensitive fields. HIPER/ACTION: Search and clean any references to the keyPassphrase and keyStorePassword fields in the /logs/audit/auditlog*.xml files. MFT-11971/ (CM) - Cannot Login to SSPCM after upgrade to 6.0.2.0 or 6.0.1.1 iFix 3 if Sessionid Cookie Domain is misconfigured If the CM->System->CMSystemSettings->HTTP Security Sessionid Cookie Domain field is non-blank and not set to the fully qualified domain name (FQDN) of the SSPCM, the SSPCM will reject logins after the upgrade to 6011 iFix 3 or 6020. "Session Error Invalid session, please sign in again." is seen. Resolution: Now allow the Sessionid Cookie Domain field in the GUI to be set to blank to ignore it. Also add a warning message when the Cookie Domain is saved that the CM user may be unable to login if it is incorrect. And added support for a -Dsspcm.disable.cookie.domain parm in the startCM script as a "back door" to disable the Cookie Domain check during the login. HIPER: Before upgrading to SSP6011 or SSP6020, the admin should check the Sessionid Cookie Domain field in the GUI to make sure that it is either blank or it is the fully qualified domain name of the SSPCM. Workaround: Without this fix, the admin must restore the previous version of the SSPCM and set the Sessionid Cookie Domain to the correct FQDN before upgrading. MFT-11853/IT36501 (Engine) - Invalid Eyecatcher exception in logs SSP logs were showing Invalid Eyecatcher exceptions when interacting with SEAS. There is built in logic to make sure that every header received by SEAS and returned from SEAS has a 4 character eyecatcher as a validation. Resolution: Now dump the eyecatcher when the error happens so that the underlying issue with the send/receive on the SEAS socket can be diagnosed. MFT-11917/IT36577 (CM) - Lock manager in GUI not behaving as expected Customer has multiple SSP admin users who may be editing something and have a lock placed on it. If called away while editing a node in the netmap it remains locked until it times out. The CM->System->Lock Manager screen only showed the user with the lock for a tenth of a second before vanishing. Resolution: Corrected the Lock Manager to show the locked objects and allow them to be unlocked from the GUI screen. MFT-11944/IT36706 (Engine) - SSP SSO Myfilegateway login fails when resource files missing after SSP upgrade After the Customer upgraded to SSP6011 iFix 3+ Build 241, their logins to myFilegateway were failing with an UNAUTHORIZED response. The Customer had customized their login.html, but 2 of the gif files referenced were missing, causing a redirect back to the login.html file and a new web sessionid and a new CSRF token. Since the CSRF token does not match the one in the browser, the redirect results in an UNAUTHORIZED response. Resolution: Changed so SSP does not redirect to the login.html if a resource is not found. It simply sends 404 NOT FOUND for that resource and continues. MFT-12018/IT36711 (CM, Engine) - SFTP does not support DH Group18-sha512 key exchange 2 HMACs and 5 key exchanges were determined to be unsupported by the IBM JSSE component of the JRE, and so were not being used by the SFTP adapter. Resolution: Removed the following unsupported HMACs and key exchanges from the CM SFTP adapter GUI. HMACs: hmac-ripemd160 and hmac-ripemd160-etm@openssh.com Key exchanges: RSA2048_SHA256 diffie-hellman-group15-sha512 diffie-hellman-group16-sha512 diffie-hellman-group17-sha512 diffie-hellman-group18-sha512 MFT-11724/IT36856 (Engine) - ICAP integration with provider: BitDefender Customer using the BitDefender ICAP provider for in-flight virus scanning, which was not on our original supported list. The product claimed to adhere to the ICAP RFC 3507, so we worked with the Customer to test and refine our ICAP solution to work with BitDefender. Resolution: Updated the code to handle ICAP service names other than wwreqmod (for McAfee), and better eof detection when sending a stream to the ICAP server. ICAP solution now works for McAfee and BitDefender. MFT-11940/IT37028 (CM) - SSPCM User Auth with EA - Support SEAS Alternate Server configuration When defining SSPCM users in LDAP to authenticate with SEAS, there was no failover if the SEAS defined for the user went down. Resolution: Enhancement to have the SSPCM try the alternate server in the SEAS definition if the primary SEAS goes down. MFT-12099/IT36837 (Engine) - SSP Change Password Portal login issue In some situations the SSP Change Password or MustChange Password portals are not saving the userid in the websesion causing it to be missing from the webpage. Resolution: Now always save the userid in the web session. Also added additional strategic logging. MFT-12193/IT37112 (CM) - RESTAPI import of HSM keys gets "Invalid content was found starting with element keyStoreProvider During a RESTAPI import of a full configuration containing HSM keys, the Customer got "cvc-complex-type.2.4.a: Invalid content was found starting with element 'keyStoreProvider'". Added support in the RESTAPI xsd for the tag , which comes into play with HSM certificates. SSP-4986/ (CM) - Unable to update webCiphers with ConfigureCmSslTool Using the ConfigureCmSslTool utility to update the Jetty Cipher Suites, none of the selected cipher suites will pass validation. Resolution: Corrected the validation method for the webCiphers. SSP-5105/ (CM) - NPE when switching CM User auth from EA to local store Found while testing MFT-11940; reassigning a CM User back from EA authentication to the local user store got a NullPointerException in the log. Resolution: Now handle the authentication reassignment correctly. SSP-5126/ (CM) - RESTAPI import fails when ICAP scan option is NONE for CD node Discovered in internal testing that exporting a CD node with icapScanOption NONE caused a failure on import. It complained that the only valid values were BOTH, PNODE, or SNODE. Resolution: Added "NONE" as a valid value for a CD node icapScanOption during a RESTAPI import. MFT-12113/IT37411 (Engine) - Engine fails to start on Solaris After the new certificate signing process was implemented, the SSP engine would not start on Solaris, getting java.lang.SecurityException: Untrusted manifest entry: org/jdom/input. Solaris did not like the Digest Algorithm SHA256. Resolution: Updated the SHA256 digest algorithm to SHA-256 to correct the startup on Solaris and HP. MFT-12193/IT37112 (CM) - RESTAPI fails to import HSM certs The RESTAPI was getting an XSD validation error when importing an HSM certificate. The HSM certificates were not getting decrypted properly at import time. Resolution: Corrected the decrypt operation at RESTAPI Import time for HSM certificates. SSP-4714/ (CM) - SSPCM Fresh install gets ERROR on Solaris The install log for a new install of the CM on Solaris showed an ERROR message, even when the installation was successful. Unable to locate /jre/bin/ikeyman Resolution: Removed a stray character in a variable name within the InstallAnywhere deck so that IA could find the ikeyman pointer file on a Solaris install. SSP-4994/ (Engine) - Enhancement to support MyFG 2.0 B2Bi has developed the next version of myFileGateway known as MyFG 2.0 as a Single Page Application. There is only one javascript or page request from the MyFG2.0 port. Resolution: Now provide support for MyFG2.0 within the SSP HTTP adapter. Add the following properties to the HTTP adapter which points to MyFG2.0: - myfg.url.path=/myfg - no.cookie.sso=true SSP-5015/ADV0031895 (CM) - Unrestricted document type definition vulnerability found in scan Internal security scans revealed an Unrestricted document type definition (DTD) vulnerability, for which we opened PSIRT advisory 31895. Resolution: Disabled the DTD feature on the DocumentBuilder factory. See https://www.ibm.com/support/pages/node/6471623 for the Security Bulletin. SSP-5018/ADV0031845 (CM) - Dubious method issue found in scan Internal scans revealed a System.exit(0) was being used in the runCMDataCollector tool. Resolution: Updated the class to remove the exit(0) call. This has been re-evaluated and determined to not be a vulnerability. The call was found in a utility which does not affect the running CM. SSP-5021/ADV0031888 (CM) - Resource leakage vulnerability found in scan An internal security scan revealed that resources were not being closed properly in all circumstances, resulting in memory leakage. Resolution: Now close the resources properly to avoid the memory issues. See https://www.ibm.com/support/pages/node/6471577 for the Security Bulletin. SSP-5022/ADV0027664 (CM,Engine) - Upgrade httpcomponents-client to 4.5.13 An internal scan suggested a newer version of the httpcomponents-client toolkit. Upgraded to the 4.5.13 version of the httpcomponents-client toolkit. This also fixes several serialization and URL processing issues. See https://www.ibm.com/support/pages/node/6471577 for the Security Bulletin. SSP-5067/ADV0031843 (CM,Engine) - Upgrade Apache ActiveMQ toolkit to 5.16.2 An internal scan suggested a newer version of the Apache ActiveMQ toolkit. Resolution: Upgraded the toolkit to the Apache ActiveMQ 5.16.2 level. This has been re-evaluated and determined to not be a vulnerability. SSP-5071/ADV0023803 (Engine) - Upgrade Apache Santuario to 2.2.1 An internal scan suggested a newer version of Apache Santuario (XML Security for Java). Resolution: Upgraded the toolkit to Apache Santuario 2.2.1 This has been re-evaluated and determined to not be a vulnerability. SSP-5075/ADV0031824 (Engine) - Upgrade Guava: Google Core Libraries for Java to 30.1.1 An internal scan suggested a newer version of Guava: Google Core Libraries for Java. This has been re-evaluated and determined to not be a vulnerability. Resolution: Upgraded the Guava toolkit to the 30.1.1 level. SSP-5077/ADV0031827 (CM,Engine) - Upgrade Eclipse Jetty to 9.4.41 An internal scan suggested a newer version of the Jetty toolkit. Resolution: Upgraded the Jetty toolkit to the 9.4.41 level. See https://www.ibm.com/support/pages/node/6471577 for the Security Bulletin. SSP-5096/ (CM) - Keystore and Truststore passwords dumped in CM Debug log When logging level is enabled to DEBUG in the SSPCM GUI, the keystore and truststore passwords are displayed in the clear. Resolution: Now ensure that the password values are not displayed. SSP-5110/ (CM,Engine) - Enhancement to support OSA for publishing audit events to Control Center (ICC) There is a requirement to provide an alternative to JMS queue publishing for writing audit events to IBM Control Center (ICC), since the JMS queue server connection is not secured. Resolution: Now support event/status publishing using Open Server Architecture (OSA). Initially, to turn on OSA support, the CM startup must be updated with some Java overrides. These will be replaced with GUI support in a later release. -Dssp.osa.enable=true -Dssp.osa.ep.host=host1:port1;host2:port2 -Dssp.osa.service.url=/sccwebclient/events -Dssp.osa.user.admin=AdminId:password -Dssp.osa.ep.secure=true SSP-5141/ (CM) - SSPcm upgrade fails after second restart with IOException: Keystore type is not PKCS12 The fix for MFT-11937 associated an extra public key to the private key being converted during the upgrade. On the second restart, the above message was seen. Resolution: Corrected the upgrade logic to no longer add the extra public keys. SSP-5212/ (CM,Engine) - Connection failures with multiple EPs support Multiple EPs support for OSA monitoring was causing connection failures. Resolution: Now reset the connectionCount to the default value when the full count is reached. MFT-12189/ (Engine) - Add File name to HTTP URL in the ICAP request Enhancement to pass the destination file path within the HTTP URL POST when making the connection to the ICAP server. Then when the virus scanning is done, the file path can show up in the ICAP server audit logs. MFT-12271/IT37593 (Engine) - Interface issues with external SAML IdP Customer using the HTTP adapter for myfilegateway and an SSO configuration with an external SAML IdP was having some integration issues. - The SAML2.0 AuthnResponse post was greater than 1024, failing the session - A session initiated at the IdP might not supply a websessionid. - The IdP might not send a session index in the AuthnResponse's AuthStatement Resolution: - Increased the default AuthnResponse data length to 64k. - Changed to not check for websessionid when using SAML external IdP. - Allow a missing session Index, but log it. MFT-12310/IT37562 (Engine) - SCP/SFTP rejecting transfers with "time" option The SCP/SFTP -p option to preserve the timestamp on a transfer was being rejected by SSP, causing the file transfer to fail. Resolution: Now allow the "time" option to be passed through to the back end B2Bi server, so that it can choose to honor or ignore it. MFT-12358/ (CM) - Allow Other provider under ICAP config The ICAP configuration advanced tab in the SSP CM allowed only one option, MacAfee, for the server provider for virus scanning. Other providers which follow the ICAP RFC are also supported. Resolution: Updated the SSP GUI to specify Other as an alternative to MacAfee under the ICAP config screen. SSP-4956/ADV0028445 (CM,Engine) - Oracle Java Oct 2020 CPU deferred CVE Resolution: Upgraded the IBM JRE to the 8.0.6.30 level to satisfy the CVEs in the Oracle October 2020 CPU, PSIRT advisory 28445. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484671 SSP-5012/ADV0031846 (CM,Engine) - Risky cryptographic algorithm vulnerability This vulnerability was fixed as part of SSP-5080/ADV0031848. See that defect for more information. SSP-5016/ADV0031847 (CM,Engine) - Hard-coded secrets vulnerability An internal security scan revealed the use of a hard-coded password in some SSP files. Resolution: 1) Now read the truststore password from defTrustStore.xml when loading the truststore for SAML-IDP signature validation. 2) Generate a random string for a password to load a keystore in memory when using the HSM manageKeycert utility. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484681 SSP-5080/ADV0031848 (CM,Engine) - Weak hash vulnerability An internal security scan revealed the use of hash values which were not computationally intensive enough. Also tracked internally as SSP-5012. Resolution: Now use a strong salt and a PDKSF2 hashing technique. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484681 SSP-5089/ADV0032087 (CM,Engine) - Container environment compoments vulnerability An internal security scan found that the SSP containers allowed privileged escalations and lacked a network policy. Resolution: Added support for a network policy, supplemental group and removed some capabilities. Security Bulletin pending review: https://www.ibm.com/support/pages/node/6487461 For downloading the latest Certified Container Software, please visit the following links: SSP: https://www.ibm.com/docs/en/secure-proxy/6.0.2?topic=tasks-downloading-certified-container-software SEAS: https://www.ibm.com/docs/en/external-auth-server/6.0.2?topic=tasks-downloading-certified-container-software CASE Bundles: 1.0.2 Helm Chart: 1.0.3 Docker Image: 6.0.2.0.03 SSP-5093/ADV0029859 (CM,Engine) - Oracle Java Jan 2021 CPU Resolution: Upgraded the IBM JRE to the 8.0.6.30 level to satisfy the CVEs in the Oracle January 2021 CPU, PSIRT advisory 29859. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484671 SSP-5116/IJ33416 (Engine) - CD TLSv1 sessions fail with "SSLv2Hello is not enabled" in new IBM JRE 8.0.6.25 When attempting to use the IBM JRE 8.0.6.25, Connect:Direct UNIX and Windows sessions using TLSv1 were failing to connect to SSP, which gave an error, "SSLv2Hello is not enabled". The CD sessions were using a legacy SSLv2Hello to start the TLS exchange, which negotiates up to TLSv1. If configured for TLSv1.2, the session worked correctly. Resolution: The IBM Java team added support back in for receiving a client SSLv2Hello in JRE 8.0.6.30, after taking it out in 8.0.6.25. Workaround: The best long term solution is for all CD sessions to be configured for TLSv1.2 going forward. Support for TLSv1 and TLSv1.1 is going away in the next JRE from IBM. SSP-5124/ (CM) - Nuisance msg in CM log: NoClassDefFoundError javax.security.auth.message.AuthException The Jetty 9.4.34 upgrade introduced the jetty-jaspi-9.4.34.v20201102.jar file, which caused this nuisance message in the CM logs. Resolution: Stop shipping the jar file, which was not being used anyway. SSP-5155/ (Engine) - MyFG2.0 does not show the SSP portal login page when the SSOTOKEN expires When the SSOTOKEN expires on a token validation, currently SSP deletes any cookies and sends a redirect response (302) to the SSP login page to the client/Browser. Unlike the myfilegateway application, the MyFG2.0 client script is angular based and does not get the 302 redirect. The browser hangs, showing an hourglass instead of the login page. Resolution: Now send a 401 response instead of a 302 to the client/browser, so the client side angular script can handle this. We still keep the location header. SSP-5414/ (Engine) - Keep the hash value for ssotokens consistent in the debug logs While doing work on hash values in SSP-5012 and SSP-5080, it was noticed that SSO tokens were not being logged consistently, which made it hard to keep track of session flows. Resolution: Created a separate hash function without the salt used for logging the SSO tokens. SSP-5457/ (CM,Engine) - Merge Resource Leakage code to complete SSP-5021 Found one module which did not make the original SSP-5021 code change. Resolution: Updated the module to complete the SSP-5021 fix. MFT-12464/IT38350 (CM,Engine) - Previous Windows 6.x service not deleted during install Doing an upgrade in place of SSP6011 to SSP6020 on Windows, the old Windows service name was not deleted. The InstallAnywhere logic was using a combersome process to remove old services which had not been maintained since 6.0.0.0. Resolution: Updated the InstallAnywhere process to remove old Windows services from 3.4.2.0 to 6.0.1.1 if the install directory matches the executable path in the service. Did the same for Engine, CM and SEAS. SSP-5478/ (Engine) - Intermittent Unauthorized error when using SSP login portal in high concurrency During internal testing with 100 concurrent logins through the SSP login portal, 15% of the sessions failed with a 401 Unauthorized error. There was a mismatch between the websessionid associated with the TCP session and the one from the cookie, causing the CSRF check to fail. Resolution: Now always use the websessionid from the cookie instead of the one stored with the TCP session. SSP-5479/ (CM) - RESTAPI import fails on PESIT adapter with Invalid content on 'icapPSName' When creating a PESIT adapter throug the GUI, the icapPSName tag was being added, even though ICAP is not supported for the PESIT protocol. ICAP is supported for CD, and the CD and PESIT protocols share the same GUI jsp. Resolution: Updated the JSP to only add the icapPSName tag for a CD adapter if it is called for. SSP-5520/ (CM) - CM GUI session from second tab gets Unauthorized Error A CM GUI user attempting to open a second session in another tab gets Unauthorized Error because a websessionid cookie is already present. Found while testing SSP-5478. Resolution: Updated the login process to use the webSessionId from the cookie instead of the one stored with the TCP session. MFT-12294/IT38557 (CM) - RESTAPI UnrecoverableKeyException in concurrent processing Running multple copies of the RESTAPI, the keystore password can get corrupted by multiple threads using the same static keystore build method. Resolution: Now use the keystore password from the properties before trying the system value. MFT-12534/IT38589 (Engine) - Produce SSE2656 at INFO mode if -Dsftp.sse2656.as.info=true The SSE2656 message is put out at session initialization time in DEBUG mode and lists the ciphers, macs and kex algorithms that the remote client is capable of. One Customer needed this information in INFO mode for an internal security audit, because if they run in DEBUG mode, their SFTP transfers are negatively impacted. Resolution: Added support for a new Java startup option -Dsftp.sse2656.as.info=true. If added to the java invocation lines in startEngine.sh, it will put out the SSE2656 message in INFO mode. MFT-12557/ (CM) - RESTAPI import of older config fails on 'templateName' xml key. A Customer importing a RESTAPI configuration from a 343x version of SSP gets Invalid content was found starting with element 'templateName'. Resolution: Added the templateName tag back into the keystoredef.xsd file. SSP-4326/ (CM,Engine) - Enhancement: Http ICAP support Enhancement to support in-flight anti-virus scanning of small to medium size files being uploaded through the HTTP adapter. See online documentation for SSP6030 for more details. SSP-5045/ (CM,Engine) - Various issues reported by internal code scans Internal code scans revealed potential issues in several areas: synchronized Lock/Wait, Resource leakage, indefinite wait, infinite loop, unlogged security exception, weak password hashing, insecure TLSv1 connection. Resolution: Corrected the issues to use best practices and reran the scans to ensure compliance. Also tracked internally with defects SSP-4838, SSP-5002, SSP-5009, SSP-5010, SSP-5014, SSP-5546 SSP-4841/ (CM) - RESTAPI allowing simple SQL Injection Internal RESTAPI testing found that the SOCKS Proxy Config validator was allowing a simple SQL injections. Resolution: Hardened the RESTAPI to detect and reject simple SQL constructs. SSP-4882/ (CM,Engine) - SCIRandom logging not sent to SSP log files Output from the SCIRandom function was not getting to the SSP log files. Resolution: Implemented a log4j logger for SCIRandom output. SSP-4959/ (CM,Engine) - Support the TLSv1.3 security protocol Resolution: Updated SSPCM and Engine code to support the TLSv1.3 security protocol. Communication between the SSPCM, Engine and SEAS can be configured to run with it, as well as inbound traffic on the HTTP, FTP, CD and PESIT adapters. As B2Bi does not yet support it, it cannot be used for backend connections to B2Bi adapters. Note: Because of a timing issue in the TLSv1.3 handshake when acting as a client, it cannot be used in the forward proxy outbound connection of the CD or PESIT adapters. The TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256 ciphers are supported. SSP-4983/ (CM) - Allow SSP CM RESTAPI to use TLSv1.2, TLSv1.3 The RESTAPI command line utility was hardcoded to use the TLSv1 protocol. Updated the utility and the sample sspRestAPI.properties file to support the new "TLS_PROTOCOL=TLSv1.2" property. Also supports TLSv1 and TLSv1.3. SSP-5043/ (CM) - Require a password policy when creating a new user. Resolution: When creating a new user via the SSPCM GUI, require a password policy be assigned, instead of allowing the None option. SSP-5088/ADV0031920 (CM) - Host header injection vulnerability Internal scans showed that the SSPCM is not validating the Host Header passed from the client in the HTTP requests it gets and uses it when sending a redirect to client/browser. Resolution: Now enforce a list of acceptable hostnames which the client may pass in their host headers, to ensure that the session is not getting spoofed. ACTION: After applying 6.0.3.0, SSPCM web sessions may be rejected if the hostname in the URL https://:/SSPDashboard does not match the hostnames in the new /conf/cmconfig.properties file. To correct this, the admin should update the file to add the list of hostnames that the SSPCM machine may be known by. Change the following line in the file from: #cm.alternate.hosts= to: cm.alternate.hosts=hostname1,hostname2.mycompany.com,localhost,10.20.30.40 Or SSPCM hostname checking can be turned off altogether by changing the following line in that file from: #cm.bypass.host.header.check=false to: cm.bypass.host.header.check=true SSP-5130/ (CM) - Enhancement: SSPCM support for configuring OSA and multiple EPs Support for Open Server Architecture (OSA) to allow secure event/status publishing to IBM Control Center was introduced in SSP 6.0.2 iFix 02 using startup options in the CM startup script. This release 6.0.3 enhancement provides support within the SSPCM GUI in the System->CM System Settings-> ICC OSA Monitoring tab. Multiple Event Processor (EP) host/ports may be defined as well as the ability to secure the connections. SSP-5483/ (CM,Engine) - Add java.security.override file to allow disabled TLSv1 The jre/lib/security/java.security file which ships with the IBM JRE now disables the TLSv1 and TLSv1.1 security protocols by default. Customers are encouraged to use the TLSv1.2 protocol. Resolution: Now ship a conf/java.security.override file which allows the Customer to enable the TLSv1 and TLSv1.1 protocols. ACTION: With 6.0.3.0, TLSv1 and TLSv1.1 security protocols are disabled by default. If your shop is not ready to disable them, remove the "#" from the following line in the conf/java.security.override file to take TLSv1 and TLSv1.1 off the disabled algorithms list: #jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, ... Applies to the CM and Engine. SSP-5565/ (CM,Engine) - Upgrade thirdparty jars for SSP 6.0.3.0 Resolution: Updated the following third party jars: commons-io-2.11.0.jar cryptacular-1.2.4.jar jdom-1.1.3.jar log4j-*-2.14.1.jar xmlsec-2.2.3.jar Also tracked internally with SSP-5070. SSP-5626/ (CM,Engine) - Support for IBM ISAM SAML2.0 IdP - ACS URL When testing myFilegateway thru SSP using IBM ISAM SAML IdP, the Idp was throwing errors. SSP did not support IBM ISAM SAML2.0 IdP before. Passing the Assertion Consumer Service (ACS) URL parameter in the AuthnRequest works. The java.util.Base64 decoder also reported an issue with the AuthnResponse, whereas the OpenSAML library Base64 worked. Resolution: Made changes to pass ACS url if an SSO property "saml2.assertion.consumer.svc.url" value is specified, otherwise it passes the ACS index specified in the SSO configuration GUI. Also now use the OpenSAML Base64 decoder for debug logging of the AuthnResponse from IdP. SSP-5698/ (CM,Engine) - SSL debug output not going to systemout.log The Systemout logger required buffers with a newline string ("\r\n" or "\n") to output a buffered string. The SSL debug output did not always cooperate. Without the newline, the output gets buffered and never flushed into the log, unless one comes from another source. Resolution: Now buffer up to 4096 bytes and log it even if there is no newline at the end. MFT-12423/IT39259 (Engine) - Unknown SFTP user can log in to SSP in passthrough mode For SFTP passthrough, logs were printing auth=true and logged on even before actual authentication is done by B2Bi. Unknown users, such as admin and root could log in to SSP (not B2Bi) and attempt to issue local commands (which were rejected). We recommend Single Signon (SSO) authentication through SEAS rather than passthrough for production. Also Customers should use SSP blocklisting to reject obvious unwanted users (e.g. admin, root). Resolution: For SSP passthrough, no longer say a user is password authenticated when they are not. Also when we reject a local SSH command, specifically log that SSP does not support local SSH commands. MFT-12446/IT39123 (Engine) - Support for specifying engine client alias during import and stopEngine.sh A Customer's security team required strict client-only and server-only keycerts, but the SSP stopEngine command failed when the certificates for the CM and Engine did not have both the server and client extended usage. Resolution: Added support for a engClientAlias= on the stopEngine command line. Also, allow the engClientCertAlias parm on an import from the CM. configureEngineSsl.sh -i file=cmConfig.exp engCertAlias=serverAlias engClientCertAlias=clientAlias MFT-12618/ (Engine) - Set Maxheap on Windows via LAX file lax.nl.java.option.additional parm Java Max Heapsize for Windows services was not honoring the lax.nl.java.option.java.heap.size.max in the $LAX file. Resolution: Updated comments in the bin\SSPengine$.lax file to override the Max heap via the lax.nl.java.option.additional property. SSP-5698/ (CM, Engine) - SSL debug output not going to systemout.log The Systemout logger required buffers with a newline string ("\r\n" or "\n") to output a buffered string. The SSL debug output did not always cooperate. Without the newline, the output gets buffered and never flushed into the log, unless one comes from another source. Resolution: Now buffer up to 4096 bytes and log it even if there is no newline at the end. SSP-5472/ (CM) - RESTAPI validation for certificate names added to the keystore/truststore The SSP RESTAPI was doing no validation on certificate names being added to the keystore/truststore. Resolution: Added name validation for keycerts and certs being added through the RESTAPI. SSP-5484/ (CM) - Ciphersuites specified in the OSA monitoring tab not being honored. Ciphersuites in the OSA monitoring tab were not being used by OSA. Resolution: Now build the TLS context correctly so that the ciphers are used. MFT-12762/ADV0040089 (CM/Engine) - Log4j CVE-2021-44228 JNDILookup issue HIPER: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Resolution: Now supply log4j 2.15.0, where this behavior has been disabled by default. SSP-5743/ADV0040239 (CM/Engine) - Log4j CVE-2021-45046 JNDILookup issue Apache Log4j is vulnerable to a denial of service, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data or a Thread Context Map pattern to exploit this vulnerability to craft malicious input data using a JNDI Lookup pattern and cause a denial of service. Resolution: Now supply log4j 2.16.0, where this behavior has been disabled by default.