=============================================================================== Maintenance for IBM Secure External Authentication Server 6.1.0.0 (SEAS6100) iFix 05 - November 2023 =============================================================================== ACTION: The SEAS6100 release replaces the Java Webstart based client with a ACTION: true Web-based GUI for improved functionality and security. See the ACTION: "New in SEAS 6.1.0.0 GA" section in Fix Summary for details. ACTION: The SEAS6030 GA release disabled the TLSv1 and TLSv1.1 security ACTION: protocols by default. Customers are strongly encouraged to move to ACTION: the TLSv1.2 or TLSv1.3 security protocols. If you must ACTION: continue to allow the TLSv1 or TLSv1.1 protocols, see SEAS-1749 for ACTION: information on how to override the default behavior. This cumulative maintenance build may be used for new installs or upgrades. It includes fixes for the issues listed below. Contents: I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action II. Summary of Fixes by Patch/APAR (Latest iFix / FixPack first) III. Detailed Description of Fixes =============================================================================== I. HIPER (High Impact PERvasive) Fixes / Fixes Requiring Action =============================================================================== ACTION - iFix images for zLinux(s390) are not placed on Fix Central. Contact Support if you need an iFix build loaded for this platform. ACTION - It is a good practice to take a full backup of the install directory before putting on a new build. In SEAS 6.1.0.0 (SEAS6100) iFix 04 Build 200 (August 2023): HIPER - ADV0083077 - Container - Silent install may log credentials HIPER - ADV0038395 - ThreatModel - Sanitize Credentials and Cryptographic keys from memory HIPER - ADV0083078 - Multiple vulnerabilities affect Codehaus Jettison HIPER - ADV0083296 - Apache Velocity is vulnerable to remote code execution (RCE) HIPER - ADV0084109 - Upgrade Eclipse Jetty to 9.4.51 HIPER - ADV0093561 - Java deserialization filters (JEP 290) ignored during IBM ORB deserialization HIPER - ADV0088146 - IBM Apr 2023 Java CPU In SEAS 6.1.0.0 (SEAS6100) iFix 03 Build 136 (Apr 2023): HIPER - ADV0070229 - IBM Java CPU Oct2022 HIPER - ADV0070230 - IBM Java OpenJ9 HIPER - ADV0077814 - IBM Java CPU Jan2023 HIPER - ADV0081465 - IBM Java XML vulnerability deferred from Oracle Apr 2022 CPU Now deliver IBM JRE 8.0.8.0. In SEAS 6.1.0.0 (SEAS6100) iFix 02 Build 122 (Jan 2023): HIPER - ADV0054854 - Generate unique encryption vector during install HIPER - ADV0060993 - Upgrade axios toolkit to 0.26.0 HIPER - ADV0038730 - Upgrade normalize-url toolkit to 6.1.0 (See the descriptions at the bottom for more information) In SEAS 6.1.0.0 (SEAS6100) iFix 01 Build 114 (Nov 2022): HIPER - ADV0034524 - Oracle Deferred CVE from Java Apr 2021 CPU Now deliver IBM JRE 8.0.7.16. HIPER - ADV0054062 – Insecure TLS/SSL in use In SEAS 6.1.0.0 (SEAS6100) GA Build 100 (Nov 2022): ACTION - The SEAS6100 release replaces the Java Webstart based client with a true Web-based GUI for improved functionality and security. See the "New in SEAS 6.1.0.0 GA" section in Fix Summary for details. In SEAS 6.0.3.0 (SEAS6030) iFix 04 Build 171 (Jul 2022): HIPER - ADV0049489,ADV0059312 - Upgrade Eclipse Jetty to 9.4.48 In SEAS 6.0.3.0 (SEAS6030) iFix 03 Build 168 (May 2022): HIPER - ADV0031889 - Hostname verification (see ADV0031889 description below for more information) HIPER - ADV0034524 - Oracle Java Jul 2021 CPU HIPER - ADV0038361 - Oracle Java Oct 2021 CPU HIPER - ADV0043610 - Oracle Java Jan 2022 CPU (see ADV0043610 description below for more information) In SEAS 6.0.3.0 (SEAS6030) iFix 02 Build 157 (February 2022): HIPER - ADV0038390 - Path traversal and field validation issues (see ADV0038390 description below for link to security bulletin) HIPER - ADV0038393 - Validate input size limits (Jetty) (see ADV0038393 description below for link to security bulletin) In SEAS 6.0.3.0 (SEAS6030) iFix 01 Plus Build 141 (January 2022): HIPER - ADV0040204 - Upgrade Log4j 1.x to 2.17.1 for security advisory (see ADV0040204 description below for link to security bulletin) HIPER - ADV0040738 - Log4j CVE-2021-45105 JNDILookup issue - Follow on (see ADV0040738 description below for link to security bulletin) HIPER - ADV0040951 - Log4j CVE-2021-44832 JNDILookup issue - Follow on (see ADV0040951 description below for link to security bulletin) In SEAS 6.0.3.0 (SEAS6030) iFix 01 Plus Build 135 (December 2021): HIPER - ADV0040239 - Log4j CVE-2021-45046 JNDILookup issue See SEAS-1902/ADV0040239 below for details. In SEAS 6.0.3.0 (SEAS6030) iFix 01 Build 128 (December 2021): HIPER - ADV0040089 - Log4j CVE-2021-44228 JNDILookup issue See MFT-12763/ADV0040089 below for details. In SEAS 6.0.3.0 (SEAS6030) GA Build 120 (October 2021): ACTION: The SEAS6030 GA release disables the TLSv1 and TLSv1.1 security ACTION: protocols by default. Customers are strongly encouraged to move to ACTION: the TLSv1.2 security protocol. With this release the TLSv1.3 ACTION: protocol is also available for incoming connections. If you must ACTION: continue to allow the TLSv1 or TLSv1.1 protocols, see SEAS-1749 for ACTION: information on how to override the default behavior. In SEAS 6.0.2.0 (SEAS6020) iFix 03 Build 185 (August 2021): HIPER - Addressed various security advisories (links to security bulletins in descriptions): ADV0028445 - Oracle Java Oct 2020 CPU deferred CVE ADV0029821 - Oracle Java Oct 2020 CPU deferred CVE ADV0029859 - Oracle Java Jan 2021 CPU ADV0031846 - Risky cryptographic algorithm vulnerability ADV0031847 - Hard-coded secrets vulnerability ADV0031848 - Weak hash vulnerability ACTION: For this iFix, the TLSv1 and TLSv1.1 protocols continue to be allowed. In the next iFix, they will be disabled by default. Customers should change all TLS connections to use the TLSv1.2 protocol. See SEAS-1733 for more details. In SEAS 6.0.2.0 (SEAS6020) iFix 02 Build 172 (June 2021): HIPER - Addressed various security advisories (security bulletins forthcoming): ADV0027664 - Upgrade httpcomponents-client toolkit ADV0031827 - Upgrade Eclipse Jetty tooolkit ADV0031844 - Upgrade Cryptacular toolkit ADV0031888 - Resource leakage vulnerability ADV0031895 - Unrestricted document type definition vulnerability The following have been re-evaluated and determined to not be vulnerabilities. ADV0031824 - Upgrade Guava: Google Core Libraries for Java toolkit In SEAS 6.0.2.0 (SEAS6020) iFix 01 Build 160 (May 2021): HIPER - SEAS SSO plug-in after 6011 iFix 2+ Build 192 causes B2Bi Dashboard GUI to display a blank screen - See MFT-12017. In SEAS 6.0.2.0 (SEAS6020) iFix 00 Plus Build 137 (March 2021): HIPER - Updated code signing certificate for signing jarfiles. See SSP-4965. In SEAS 6.0.2.0 (SEAS6020) iFix 00 Plus Build 122 (February 2021): HIPER - New Jetty keeps SEAS from coming up if multiple keycerts are detected - See MFT-11742 In SEAS 6.0.2.0 (SEAS6020) GA Build 120 (December 2020): HIPER - Update JRE 1.8 to SR6 FP15 (8.0.6.15) for security patches - See PSIRT ADV0026225 for more details. HIPER - Address vulnerability in Eclipse Jetty toolkit. See ADV0028030. In SEAS 6.0.1.1 (SEAS6011) iFix 02 Build 192 (September 2020): HIPER - Address vulnerability in Apache Commons Codec toolkit. See PSIRT25470 In SEAS 6.0.1.1 (SEAS6011) iFix 01 Build 177 (August 2020): ACTION: The procedure to deploy IBM Sterling External Authentication Server using a Docker Container has changed. For more information see https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.1/com.ibm.help.seas.overview.doc/seas_whats_new.html. In SEAS 6.0.1.1 (SEAS6011) GA Build 150 (June 2020): HIPER - Update JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches - See ADV0021791 and ADV0023736 for more details. HIPER - XML External Entity (XXE) vulnerability in SEAS - See SEAS-1233 (PSIRT ADV0023731) for more details. HIPER - Incomplete Content-Security-Policy Header - SEAS-1148 (PSIRT ADV0022035) for more details. In SEAS 6.0.1.0 (SEAS6010) iFix 02 Build 126 (March 2020): HIPER - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches - See PSIRT21787 for more details. In SEAS 6.0.1.0 (SEAS6010) iFix 01 Plus Build 113 (February 2020): HIPER - SEAS6010 gets "Invalid Client Alias" to LDAPs - See MFT-10847 In SEAS 6.0.1.0 (SEAS6010) General Availability (January 2020): ACTION - For a detailed list of the new features in the 6010 release, see https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.1/com.ibm.help.seas.overview.doc/seas_whats_new.html ACTION - Installation issues with Docker containers - SEAS-1190 In SEAS6000 FixPack 1 (SEAS6001) iFix 01 Build 124 (October 2019): HIPER - Update JRE 1.8 to SR5 FP40 (8.0.5.40) for security patches - See PSIRT17288 for more details. HIPER - Possible vulnerability in Jetty server. See PSIRT16274, PSIRT16318 In SEAS6000 FixPack 1 (SEAS6001) iFix 0 Plus Build 122 (September 2019): HIPER - Token synchronization fails during volume testing. See MFT-10545 for details. In SEAS6000 FixPack 1 (SEAS6001) General Availability (August 2019): ACTION - For a detailed list of the new features in the 6001 FixPack, please see https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.0/com.ibm.help.seas.overview.doc/seas_whats_new.html In SEAS6000 iFix 2 Plus Build 141 (July 2019): ACTION - SEAS Sample exit changes provided for moving global variables to local - See SEAS-665 for details. In SEAS6000 iFix 2 (June 2019): ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) disables anon and null cipher suites and includes a new parm for distrusting CAs. For more information, see the writeup below for PSIRT15330. In SEAS6000 iFix 1 (March 2019): NONE - In SEAS6000 GA (February 2019): ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced changes to disable SHA1 certificates. See PSIRT12959 and PSIRT13809 for more details. =============================================================================== II. Summary of Fixes by iFix / FixPack /APAR (Latest iFix / FixPack first) =============================================================================== ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 05 Build 207 November 2023 ------------------------------------------------------------------------------- MFT-14706 - Password with Danish Character is not working when use is logging into SSP's HTTP-SSO page MFT-14952 - Upgrade Bouncycastle security provider ver to 1.76 MFT-14999 - Secure connection between SEAS6100 and B2B XAPI adapter is not working ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 04 Plus Build 204 October 2023 ------------------------------------------------------------------------------- MFT-14940/IT44697 - Customer is using SEAS to integrate with PEM and LDAP, but invalid ApplicationOutput value was being returned for multi-valued attributes ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 04 Plus Build 203 September 2023 ------------------------------------------------------------------------------- MFT-14716 - SEAS Extended key usage does not permit use for TLS client authentication - Solution needed to use SEAS different certs for Client and Server authentication. ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 04 Build 200 August 2023 ------------------------------------------------------------------------------- SEAS-2969/ADV0083077 - Container - Silent install may log credentials SEAS-693/ADV0038395 - ThreatModel - Sanitize Credentials and Cryptographic keys from memory SEAS-2959/ADV0083078 - Multiple vulnerabilities affect Codehaus Jettison SEAS-2960/ADV0083296 - Apache Velocity is vulnerable to remote code execution (RCE) SEAS-2965/ADV0084109 - Upgrade Eclipse Jetty to 9.4.51 SEAS-3031/ADV0093561 - Java deserialization filters (JEP 290) ignored during IBM ORB deserialization SEAS-3014/ADV0088146 - IBM Apr 2023 Java CPU ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 03 Plus Build 160 August 2023 ------------------------------------------------------------------------------- SEAS-2959/ADV0083078 - Updated jettison version to 1.5.4 SEAS-2960/ADV0083296 - Updated velocity version to 2.3 SEAS-2964 - SEAS full config import failed while importing user due to missing password policy tag SEAS-3009 - Issue with stop server from SEAS UI dashboard ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 03 Plus Build 156 July 2023 ------------------------------------------------------------------------------- MFT-14546/ - GUI - Hostname Verification = Yes saved, then shows as No SEAS-2989 - The Flag that is used to control Client Endpoint Identification for Jetty Http Server was not specified in SEAS startup script SEAS-2990 - SEAS server is not properly handling an empty message returned by the LDAP server SEAS-3003 - SEASConfig API export failed with NullPointerException when keystore and truststore specified in SysSslInfoDefinition does not exist SEAS-3006 - The values of properties in custom Exit that contain "password" or "pwd" or "passphrase", were not being masked ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 03 Plus Build 150 Jun 2023 ------------------------------------------------------------------------------- MFT-14242/ - SEAS secure GUI not working after upgrade to SEAS 6.1 MFT-14403/IT43978 - Authenticating to LDAP gets No trusted certificate found when doing SFTP password and key auth SEAS-1831/ - Unable to add two EPs with same IP/Hostname SEAS-1900/ - EP table's validation failing for HostName in GUI SEAS-2928/ - Web GUI does not mask admin passphrase in Custom exit properties SEAS-2952/ - SystemHealthCheck GET command Rest API throws nullPointerException (NPE) SSP-6408/ - Support for SSH Key Signature Verification ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 03 Build 136 Apr 2023 ------------------------------------------------------------------------------- MFT-14242/ - SEAS secure GUI not working after upgrade to SEAS 6.1 SEAS-2890/ADV0070229 - IBM Java CPU Oct2022 CVE-2022-21628 - CVSS 5.3 SEAS-2914/ADV0070230 - IBM Java OpenJ9 - CVE-2022-3676 - CVSS 6.5 SEAS-2948/ADV0077814 - IBM Java CPU Jan2023 CVE-2023-21830 - CVSS 5.3 SEAS-2950/ADV0081465 - IBM Java XML vulnerability deferred from Oracle Apr 2022 CPU CVE-2022-21426 - CVSS 5.3 SEAS-2963/ - SEASConfigCipherTool utility does not allow CBC ciphers ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 02 Plus Build 135 Apr 2023 ------------------------------------------------------------------------------- MFT-14028/ - Unable to login to SEAS 6.1 when FIPS mode is enabled MFT-14085/IT43450 - SEAS 6.1 New User GUI requires password even when userid is external MFT-14108 - SEAS custom exit after upgrade to 6.1.0.0 gets java.lang.String incompatible with [Char] MFT-14239/IT43518 - LDAP password change issue on SEAS 6.1 SEAS-2934/ - Apply password policy to SEAS key/trust store passwords ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 02 Plus Build 128 Mar 2023 ------------------------------------------------------------------------------- MFT-14019/ - Web GUI SSL issues after upgrade to SEAS 6.1.0.0 MFT-14066/ - SEAS 6.1.0.0 upgrade on Windows does not remove 6.0.3.0 service MFT-14080/IT43248 - Unable to save defSslInfo SSL config across restart of SEAS6100 MFT-14096/IT43249 - SFTP password authentication not working after SEAS6030 upgrade SEAS-2939/ - Increase internal encryption key length to 256 bits SSP-6217/ - Drop stray copies of Log4j 2.17.1 jars in seasrest war ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 02 Build 122 Jan 2023 ------------------------------------------------------------------------------- MFT-13889/ - SEAS GUI read only access not working MFT-14024/ - XAPI authentication to SI not working after upgrade to SEAS 6.1 SEAS-1987/ADV0054854 - Generate unique vector during install to use for encryption SEAS-2916/ADV0060993 - Upgrade axios toolkit to 0.26.0 SEAS-2917/ADV0038730 - Upgrade normalize-url toolkit to 6.1.0 ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) iFix 01 Build 114 Nov 2022 ------------------------------------------------------------------------------- SEAS-2451/ - Remove the startup bootstrap listener on port 61367 SEAS-2756/ - Avoid spurious errors in Attribute Queries SEAS-2792/ - ADV0034524 - Oracle Deferred CVE from Java Apr 2021 CPU SEAS-2843/ - ADV0054062 – Insecure TLS/SSL in use SEAS-2892/ - Ambiguous error message when deleting referenced policy SEAS-2893/ - SEAS RESTAPI export/import failing on CCPort validation SEAS-2906/ - Unable to create attribute assertion query if it contains string "attr" SEAS-2909/ - GUI Help/About not showing iFix level with build info ------------------------------------------------------------------------------- Fixes for SEAS 6.1.0.0 (SEAS6100) GA Build 100 Nov 2022 ------------------------------------------------------------------------------- o New in SEAS 6.1.0.0 GA: See https://www.ibm.com/docs/en/external-auth-server/6.1.0?topic=overview-new-features-enhancements - True Web-based GUI, wuich replaces the Java Webstart (thick client) GUI o The URL to access the GUI is at the end of the /bin/startSeas.out file - New REST APIs have been added for the following features: o SSL Configuration - sysSslInfoDef o Attribute Query Definitions - attributeQueryDef o Attribute Assertion Definitions - attributeAssertionDef - New Standalone LDAP Attribute Queries - New Standalone Attribute Assertions - New SEAS Configuration Templates for LDAP Attribute Queries and Attribute Assertion entities - New Standalone SSL Configurations - Additional options for Commandline Script (configureAccepter and SEASCipherConfigTool) - Jetty Configuration can be made from Web Console SEAS-1413/ - Upgrade cipher for encrypting the configuration files. SEAS-2161/ - Include iFix, Build, and Platform in SEAS startup, shutdown messages SEAS-2541/ - NPE in SEAS plugin with B2Bi - jdom incompatibility ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 04 Plus Build 176 Nov 2022 ------------------------------------------------------------------------------- MFT-13463/ - Native memory leak in IBMJCEPlus provider MFT-13737/ - HSM manageCSR -update unable to add certificate from CA ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 04 Plus Build 175 Nov 2022 ------------------------------------------------------------------------------- MFT-13525/ - SSL Handshake failing with PingID Server from SEAS custom exit MFT-13576/ - Token Synchronization slow with only 2 threads MFT-13776/ - Token sent as Password is too long SEAS-2485/ - Mapped Credential functionality failing SEAS-2843/ - Remove weak ciphers in default ciphers for TLSv1.2 ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 04 Plus Build 172 Aug 2022 ------------------------------------------------------------------------------- MFT-13549/IT41719 - SAML Token Restriction issue ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 04 Build 171 Jul 2022 ------------------------------------------------------------------------------- MFT-13171/ - Webstart OpenJDK client fails to start SEAS-1992/ADV0049489 - Upgrade Eclipse Jetty to 9.4.48 SEAS-2249/ADV0059312 SSP-5756/ADV0040204 - Upgrade all Log4j to 2.17.2 ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 03 Build 168 May 2022 ------------------------------------------------------------------------------- MFT-12972/ - Handshake failures with FIPS enabled and RSASSA-PSS, RSAPSS not disabled MFT-13162/ - Attribute query error with a new SEAS profile (Implement MFT-12550 in 6030) SEAS-1590/ADV0031889 - Hostname verification SEAS-1907/ADV0034524 - Oracle Java Jul 2021 CPU SEAS-1910/ADV0038361 - Oracle Java Oct 2021 CPU SEAS-1933/ADV0043610 - Oracle Java Jan 2022 CPU Informational: Updated the jar signing certificate with this iFix ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 02 Plus Build 159 Mar 2022 ------------------------------------------------------------------------------- MFT-12942/ - LDAP Multiple domain search issues ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 02 Build 157 Feb 2022 ------------------------------------------------------------------------------- MFT-12495/IT39273 - New JRE breaks FIPS mode processing SEAS-694/ADV0038393 - Validate input size limits (Jetty) SEAS-1745/ADV0038390 - Path traversal and field validation issues SEAS-1921/ - New install fails to start with javax.crypto.IllegalBlockSizeException ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 01 Plus Build 141 Jan 2022 ------------------------------------------------------------------------------- SEAS-1898/ADV0040738 - Log4j CVE-2021-45105 JNDILookup issue - Follow on SEAS-1908/ADV0040204 - Upgrade all Log4j 1.x to 2.17.1 SEAS-1912/ADV0040951 - Log4j CVE-2021-44832 JNDILookup issue - Follow on ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 01 Plus Build 136 Dec 2021 ------------------------------------------------------------------------------- MFT-12817/ - NullPointerException during LDAP search operation ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 01 Plus Build 135 Dec 2021 ------------------------------------------------------------------------------- SEAS-1902/ADV0040239 - Log4j CVE-2021-45046 JNDILookup issue ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) iFix 01 Build 128 Dec 2021 ------------------------------------------------------------------------------- MFT-11975/IT39083 - Broken Pipe issue using XAPI authentication to B2Bi MFT-12363/ - NPE when pointing to new keystore and alias MFT-12618/ - Set Maxheap on Windows via LAX file lax.nl.java.option.additional parm MFT-12763/ADV0040089 - Log4j CVE-2021-44228 JNDILookup issue ------------------------------------------------------------------------------- Fixes for SEAS 6.0.3.0 (SEAS6030) GA Build 120 Oct 2021 ------------------------------------------------------------------------------- o New in SEAS 6.0.3.0 GA: See https://www.ibm.com/docs/en/external-auth-server/6.0.3?topic=overview-new-features-enhancements - Support for the TLSv1.3 protocol for inbound secure connections - see SEAS-1507 - Multiple ICC EP support in SEAS - see SEAS-1509 - Online Certificate Status Protocol (OCSP) for certificate validation - See SEAS-1710 SEAS-1196/ - Allow setting passphrases for keystore and truststore SEAS-1350/ - Various issues reported by internal code scans SEAS-1454/ - Add Hostname Verifier in Health Check Monitoring SEAS-1461/ - Use more efficient Java Script engine for queries SEAS-1470/ - Apply default password policy on passphrase used for RESTAPI exports SEAS-1507/ - Update SEAS to support TLSv1.3 SEAS-1509/ - Support multiple ICC EP support in SEAS SEAS-1553/ - RESTAPI - Show appropriate message if the passphrase was actually used to encrypt/decrypt sensitive information SEAS-1565/ - Enforce password policy when creating new user SEAS-1710/ - Online Certificate Status Protocol (OCSP) for certificate validation SEAS-1713/ - Unable to save secure connection configuration from Webstart under Oracle Java SEAS-1723/ - RESTAPI import fails with alternate keystore SEAS-1749/ - SEAS uses Java security file that disables TLS1.0 SEAS-1752/ - Support for hostname verification in RESTAPI SEAS-1785/ - Upgrade thirdparty jars for SEAS 6.0.3.0 ------------------------------------------------------------------------------- Fixes for SEAS 6.0.2.0 (SEAS6020) iFix 03 Plus Build 189 Oct 2021 ------------------------------------------------------------------------------- MFT-12464/IT38350 - Old Windows service not deleted when upgrading MFT-12468/IT38244 - OKTA SAML Response verification issue MFT-12500/ - DEBUG logging though log4j2.xml says INFO MFT-12550/IT38601 - SEAS not working with Oracle Internet Directory SEAS-1595/ - IBM JRE 8.0.6.30 for Solaris and HP. SEAS-1761/ - Plaintext admin.xml created during upgrade, SEAS won't come up ------------------------------------------------------------------------------- Fixes for SEAS 6.0.2.0 (SEAS6020) iFix 03 Build 185 Aug 2021 ------------------------------------------------------------------------------- MFT-12388/ - SEAS Webstart client not working with newer Oracle Java MFT-12389/IT38148 - RESTAPI authentication definition import failure SEAS-1505/ADV0028445 - Oracle Java Oct 2020 CPU deferred CVE SEAS-1522/ADV0029821 - Oracle Java Oct 2020 CPU deferred CVE SEAS-1537/ADV0031846 - Risky cryptographic algorithm vulnerability SEAS-1557/ADV0031847 - Hard-coded secrets vulnerability SEAS-1561/ADV0031848 - Weak hash vulnerability SEAS-1595/ADV0029859 - Oracle Java Jan 2021 CPU SEAS-1657/ - Update SEAS B2Bi plugin to work in all versions of B2Bi SEAS-1666/ - User with Anon role can shut down SEAS server from GUI SEAS-1713/ - Unable to save secure connection configuration from Webstart under Oracle Java SEAS-1720/ - Keep the hash value for ssotokens consistent in debug logs SEAS-1733/ - Add java.security.override file to allow disabled TLSv1 ------------------------------------------------------------------------------- Fixes for SEAS 6.0.2.0 (SEAS6020) iFix 02 Build 172 Jun 2021 ------------------------------------------------------------------------------- o New in SEAS 6.0.2.0 iFix 02: - Ability to install and run on Windows 2019 Server - Ability to install and run on Linux PowerPC Little Endian (Use new Linux_PPC-LE install image) - Addressed various security advisories (see defects with ADV00* below) MFT-11879/IT37158 - Custom exit parms not passed after upgrade MFT-11997/IT36905 - Unable to fetch non-default user password policies for the OpenDJ LDAP server MFT-12001/IT37433 - Lost connection to EA server error during high load MFT-12044/IT36953 - Improve token broadcasting between SEAS token group members MFT-12065/IT37026 - SEAS failing to suppress load balancer pings MFT-12220/IT37303 - Allow free-format for LDAP Query Match Attribute SEAS-1547/ADV0027664 - Upgrade httpcomponents-client to 4.5.13 SEAS-1549/ADV0031888 - Resource leakage vulnerability found in scan SEAS-1558/ADV0031895 - Unrestricted document type definition vulnerability found in scan SEAS-1586/ADV0031844 - Upgrade to Cryptacular 1.2.4 SEAS-1588/ADV0031824 - Upgrade Guava: Google Core Libraries for Java to 30.1.1 SEAS-1589/ADV0031827 - Upgrade Eclipse Jetty to 9.4.41 SEAS-1612 - Improperly handled clientConnectionException during SSL Handshake ------------------------------------------------------------------------------- Fixes for SEAS 6.0.2.0 (SEAS6020) iFix 01 Build 160 May 2021 ------------------------------------------------------------------------------- MFT-11853/IT36501 - Invalid Eyecatcher exception in logs MFT-11876/IT36502 - ERROR LdapSearcherRetriever - Naming exception iterating search return: Unprocessed Continuation Reference MFT-12011/IT36505 - Token synchronization SAML Decoding exception MFT-12017/IT36712 - SEAS6011 plug-in after iFix 2+ Build 192 causes B2Bi Dashboard GUI to display a blank screen MFT-12029/IT36505 - Token syncrhonization pruning causing performance issue SEAS-1197/ - DisableEndpointIdentification parm missing on Windows SEAS-1605/ - Clear text passphrase in the seas.log for API request ------------------------------------------------------------------------------- Fixes for SEAS 6.0.2.0 (SEAS6020) iFix 00 Plus Build 137 Mar 2021 ------------------------------------------------------------------------------- MFT-11661/IT35686 - Allow SEAS RESTAPI command line utility to use TLSv1.2 MFT-11747/IT35923 - Error accessing SEAS GUI with Oracle Java 10 from Windows MFT-11774/IT35934 - SingleSignonServiceImpl getting IllegalStateException: Queue full MFT-11869/IT36159 - SEAS silent install fails with bad port error SEAS-1401/ - RESTAPI export/import for certValidation not requiring passphrase for encrypt/decrypt SEAS-1472/ - RESTAPI import of user fails if role not admin or anon SEAS-1529/ - SEAS installation logs showing passphrases in plain text SEAS-1554/ - EOFException in validateTokenViaGroupMember SSP-4965/ - Updated code signing certificate for signing jarfiles ------------------------------------------------------------------------------- Fixes for SEAS 6.0.2.0 (SEAS6020) iFix 00 Plus Build 122 Feb 2021 ------------------------------------------------------------------------------- MFT-11742/IT35559 - Jetty failure at SEAS startup after upgrade to 6020 GA ------------------------------------------------------------------------------- Fixes for SEAS 6.0.2.0 (SEAS6020) GA Build 120 Dec 2020 ------------------------------------------------------------------------------- MFT-11590/ - SEAS install default host of 0.0.0.0 causes webGUI to fail SEAS-694/ - Enforce a maximum header length and content size for the SEAS Webstart GUI. SEAS-1051/ - SEAS logs passwords from exit properties at startup SEAS-1349/ - Fix resource leak issues reported by internal code scan SEAS-1360/ - Apply more restrictive password policy for admin userid SEAS-1373/ - SEAS server ID field does not handle IPV6 addresses SEAS-1377/ - Log stacktraces when startup fails SEAS-1401/ - RESTAPI certValidation export not prompting for passphrase SEAS-1430/ADV0026225 - Upgrade IBM JRE to 8.0.6.15 level for security patches SEAS-1478/ADV0028030 - Update Jetty toolkit to v9.4.34 for security patches SSP-4736/ - Upgrade Jackson jars to latest ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.1 (SEAS6011) iFix 02 Plus Build 199 Nov 2020 ------------------------------------------------------------------------------- MFT-11533/IT34738 - After new install of SEAS 6011 any new SEAS keystore must have alias name sso ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.1 (SEAS6011) iFix 02 Plus Build 198 Oct 2020 ------------------------------------------------------------------------------- MFT-11489/IT34631 - Not finding passwordPolicySubentry attribute on Oracle DS MFT-11500/IT34551 - NULL pointer exception during script engine allocation SEAS-1396/ - Unable to remove an unreferenced global connection SEAS-1440/ - SEAS hearbeat interval being sent to Control Center as a string and not a number ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.1 (SEAS6011) iFix 02 Plus Build 194 Oct 2020 ------------------------------------------------------------------------------- MFT-11367/IT34033 - Nullpointer in SingleSignonServiceImpl SEAS-985/ - Improve the validation of custom exit initialization and execution SEAS-1415/ - SSO Plugin changes to return Client IP address SEAS-1417/ - Client IP address enabled during regular Authentication SEAS-1421/ - Client IP Address not returned when ssoAuthRequest has a token in the password field ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.1 (SEAS6011) iFix 02 Build 192 Sep 2020 ------------------------------------------------------------------------------- MFT-11237 - Added properties/version/*swidtag file for ILMT discovery MFT-11359/IT33971 - AUTH061E NullPointerException during AttributeAssertion [VerifySSHPublicKey] SEAS-1256/ - StartTLS is Yes/No on the GUI but True/False in the API SEAS-1331/ - Ability to change keystore/truststore password from CLI SEAS-1352/ - Added validation for validLDAPVersion SEAS-1396/ - Cannot remove global connection even if unreferenced SEAS-1397/ - SEAS fails to start in disable bootstrap mode. SEAS-1398/ - RESTAPI not reporting exception stacktraces in log file SEAS-1404/ - Several sysGlobals fields accept empty values in RESTAPI SEAS-1422/ - RESTAPI import fails with "SSL Protocol Not be Null" SEAS-1423/ - RESTAPI import fails with invalid content when keystore or truststore password changed. SEAS-1429/ - Vulnerability in Apache Commons Codec ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.1 (SEAS6011) iFix 01 Build 177 Aug 2020 ------------------------------------------------------------------------------- New Features in SEAS 6.0.1.1. iFix 01 Docker changes - The procedure to deploy IBM Sterling External Authentication Server using a Docker Container has changed. For more information, see Deploying IBM Sterling External Authentication Server using a Docker container at https://www.ibm.com/support/knowledgecenter/SS6PNW_6.0.1/com.ibm.help.ssp.overview.doc/ssp_whats_new.html. Helm Chart Support - This iFix allows the SEAS users to deploy their applications in a Kubernetes based containerized environment using Helm Chart. For more information see the above link. MFT-11248/ - Cannot add new keystore to SEAS SEAS-1163/ - Limit numeric field lengths in SEAS GUI password policy SEAS-1193/ - SEAS server prompts for passphrase during silent upgrade SEAS-1334/ - Extend password validation to silent install SEAS-1338/ - RESTAPI failures with tokens and Export/Import SEAS-1346/ - Improve RESTAPI handling of SQL Injection. SEAS-1368/ - Remove token pool exceptions from log at startup SEAS-1372/ - Reduce SSPDummyProfile clutter in log SEAS-1395/ - RESTAPI valdation error during import of Service principal ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.1 (SEAS6011) iFix 00 Plus Build 171 Aug 2020 ------------------------------------------------------------------------------- MFT-11252/IT33690 - SEAS GUI does not timeout SEAS-967/ - SEAS displays protocol as TLSv1.2 if the value is empty SEAS-1166/ - Better validation of SEAS server ID field SEAS-1337/ - stopSeas fails if "&" in passphrase/password ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.1 (SEAS6011) iFix 00 Plus Build 162 Jul 2020 ------------------------------------------------------------------------------- MFT-11215/IT33497 - SEAS silent install giving bad port error MFT-11249/IT33604 - SEAS GUI not allowing # in keystore/truststore password MFT-11261/IT33503 - Webstart GUI gets Invalid Keystore: null error SEAS-1354/ - Installation rejects password with $$ ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.1 (SEAS6011) GA Build 150 Jun 2020 ------------------------------------------------------------------------------- New features see https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.1/com.ibm.help.seas.overview.doc/seas_whats_new.html o Apply password policy for system passphrase and admin password for new installs - See SEAS-1234 MFT-11043/ - Bind to Active Directory getting Unresolved address MFT-11147/IT33020 - CRL checking fails after upgrade to SEAS2432 iFix 7 MFT-11154/ - GUI connection to SEAS secure port fails MFT-11195/IT33131 - Mapped loginPwd not being processed properly from IBM SDS SEAS-692/ - Add HTTP header Cache-Control: max-age=0 SEAS-970/ - Uninstaller files deleted on upgrade on Linux SEAS-1024/ - GUI Auth exit radio buttons not warning if class missing SEAS-1184/SEAS-1194 - RESTAPI improved validation during import SEAS-1205/ - Set HTTP security headers on by default in GUI SEAS-1234/ - Apply password policy during new install for system passphrase and admin password SEAS-1255/SEAS-1257 - RESTAPI not encrypting LDAP ServicePrincipal password during export of Authentication, CertValidation profiles SEAS-1259/ADV0021791/ADV0023736 - Update IBM JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches SEAS-1261/ - SEAS Root Logger settings not honored across the product SEAS-1341/ - Add HTTP header Cache-Control: no-store SEAS-1345/ - SEAS health check monitoring overriding SEAS log level ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 02 Plus Build 136 Jun 2020 ------------------------------------------------------------------------------- MFT-11155/IT32979 - SEAS GUI failed keystore password update ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 02 Plus Build 135 May 2020 ------------------------------------------------------------------------------- MFT-11017/IT32542 - Deliver new log4j2.xml during upgrades SEAS-1233/ - XML External Entity (XXE) vulnerability in SEAS SEAS-1238/ - CRUD033E Operation: update failed when setting up LDAP Connection screen of LDAP authentication profile SEAS-1247/ - Supply IP address of authenticated user in SSO token validation response SEAS-1249/ - RESTAPI import error: Invalid content on element 'passwordIsPlain' ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 02 Plus Build 130 Apr 2020 ------------------------------------------------------------------------------- MFT-10999/IT32375 - SEAS GUI SSO Token Signing Key value changed when restarted MFT-11001/IT32370 - SEAS GUI Health Check Monitoring (HCM) tab won't save when HCM checkbox is checked from WebStart GUI. ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 02 Build 128 Mar 2020 ------------------------------------------------------------------------------- MFT-10898/ - (Container) Can not create APP_USER in the yaml file with GID of 1001 SEAS-1148/ - Improvements to Content-Security-Policy Header SEAS-1165/ - (GUI) Able to delete a password policy that is in use SEAS-1177/ - SEAS GUI tabs go away after changing Token Manager value SEAS-1183/ - Do not allow password policy with expiration for admins SEAS-1200/PSIRT21787 - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches. SEAS-1201/ - RestAPI encyrption/decryption of passwords SEAS-1230/ - CERT008E Exception encountered doing cert validation SSP-4244/ - (Container) Cannot start docker container after stopping it ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 01 Plus Build 113 Feb 2020 ------------------------------------------------------------------------------- MFT-10847/IT31788 - SEAS6010 gets "Invalid Client Alias" to LDAPs SEAS-992/ - Improve validation in token synchronization GUI panels SEAS-1164 - Password policy name fails to import with RESTAPI SEAS-1178 - Custom exit connecting to invalid URL gets nuisance msg ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.0 (SEAS6010) iFix 01 Build 110 Jan 2020 ------------------------------------------------------------------------------- SEAS-1145 - System passphrase not getting validated during upgrade when bootstrap is disabled SEAS-1175 - SEAS service not starting through command line on Windows SEAS-1190 - Installation issues with Docker containers ------------------------------------------------------------------------------- Fixes for SEAS 6.0.1.0 (SEAS6010) GA Build 106 Jan 2020 ------------------------------------------------------------------------------- New features see https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.1/com.ibm.help.seas.overview.doc/seas_whats_new.html o Deploying IBM Secure External Authentication Server container in Red Hat OpenShift platform; Red Hat container certification o Support for Authentication and Post-Authentication Custom Exit added to SEAS Authentication Definitions o Secure External Authentication Server now extends support for Red Hat® Directory Server o Secure External Authentication Server support for Health Check Monitoring - see SEAS-1050 o Support to prevent storage of passphrase required at startup using a utility - see SEAS-955 o Support to change administrator password at installation o Support to associate password policy to a SEAS user account - see SEAS-685 SEAS-685 - Support for Password Policy SEAS-689 - Do not log sessionids or sso tokens used for authentication SEAS-955,SEAS-944 - Generate unique encryption key at install time SEAS-1050 - Add support for SEAS health check monitoring by ICC ------------------------------------------------------------------------------- Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 02 Plus Build 142 (Dec 2019) ------------------------------------------------------------------------------- MFT-10714/IT31373 - SEAS out of memory after 3 months MFT-10717/IT31035 - Persistent sockets for token synchronization group SEAS-1078/ - (RESTAPI) SEAS Import failing with Invalid content error ------------------------------------------------------------------------------- Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 02 Build 138 (Dec 2019) ------------------------------------------------------------------------------- SEAS-919/ - Support for Red Hat Directory Server (RDS) SEAS-979/SEAS-980 - Support for pre-auth and post-auth custom exits ------------------------------------------------------------------------------- Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 01 Plus Build 127 (Nov 2019) ------------------------------------------------------------------------------- MFT-10653/IT30757 - SEAS not starting when LDAP principal password contains an Ampersand (&) MFT-10678/IT30921 - Upgrade to SEAS6001 iFix00Plus Build122 gets wrong keycert, handshake failures ------------------------------------------------------------------------------- Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 01 Build 124 (Oct 2019) ------------------------------------------------------------------------------- MFT-10358/PSIRT16274,16318 - Security upgrade to Jetty 9.4.20 MFT-10579/PSIRT17288 - Update JRE 1.8 to SR5 FP40 (8.0.5.40) sor security patches. ------------------------------------------------------------------------------- Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 00 Plus Build 122 (Sep 2019) ------------------------------------------------------------------------------- MFT-10451/IT30080 - CM GUI presents factory cert instead of common MFT-10545/IT30239 - Token synchronization fails during volume testing MFT-10559/IT30200 - Jetty Http server uses the incorrect certificate alias ------------------------------------------------------------------------------- Fixes for SEAS6001 (6.0.0.0 FixPack 1) iFix 00 Plus Build 118 (Aug 2019) ------------------------------------------------------------------------------- MFT-10519/IT30065 - AUTH094E SSO token generation failed (Reason: Queue full) ------------------------------------------------------------------------------- Fixes for SEAS6001 (6.0.0.0 FixPack 1) GA Build 117 (Aug 2019) ------------------------------------------------------------------------------- New Features in SEAS6001 (6.0.0.0 FixPack 1) See https://www.ibm.com/support/knowledgecenter/SS4T7T_6.0.0/com.ibm.help.seas.overview.doc/seas_whats_new.html o Re-Branding: IBM Sterling External Authentication Server is now re-branded to IBM® Secure External Authentication Server o Support for new RESTful APIs o Support to export encrypted configuration with user supplied password via RESTful APIs o Allow user to supply admin password at installation ------------------------------------------------------------------------------- Fixes for SEAS 6.0.0.0 iFix 03 Build 143 (Aug 2019) ------------------------------------------------------------------------------- - No updates since iFix 02 Plus ------------------------------------------------------------------------------- Fixes for SEAS 6.0.0.0 iFix 02 Plus Build 141 (July 2019) ------------------------------------------------------------------------------- SEAS-665 - SEAS Sample exit changes provided for moving global variables to local MFT-10352/IT29527 - Exit displays LDAP password in readable format in SEAS MFT-10385/IT29587 - Token Synchronization failed from alternate SEAS MFT-10409/IT29481 - Passwords with & ampersands not authenticating through XAPI exit ------------------------------------------------------------------------------- Fixes for SEAS 6.0.0.0 iFix 02 Build 135 (June 2019) ------------------------------------------------------------------------------- MFT-10204/IT28758 - Ldap bind failure after upgrade to 6.0 or 2432 iFix 4 MFT-10269/IT29043 - SEAS Custom Exit alternate URLs not attempted SEAS-321/ - Ability to set various fields in the GUI SEAS-434/ - Make TLSv1.2 the default protocol for secure connections SEAS-686 - Log authentication failures in the audit log for command line utilities SEAS-711/ - SAML token assertions without a signature in the response allowed to be validated SEAS-714/ - Provide a GUI option to specify whether SAML assertion responses must be signed MFT-10243/PSIRT15330 - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches ------------------------------------------------------------------------------- Fixes for SEAS 6.0.0.0 iFix 01 Build 110 (March 2019) ------------------------------------------------------------------------------- SEAS-452 - InstallAnywhere 2018 upgrade for Windows 2016 support SEAS-468/SEAS-465 - GUI description box for new SSO Token Group member does no data screening SEAS-696/No APAR - SEAS GUI Log level setting is not getting honored =============================================================================== III. Detailed Description of Fixes (in Defect ascending order) =============================================================================== PSIRT12959, - Update JRE 1.8 to SR5 FP27 (8.0.5.27) for security PSIRT13809 patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle October 2018 level to satisfy the CVEs in PSIRT advisories 12959 and 13809. See http://www.ibm.com/support/docview.wss?uid=ibm10872778 for the Security Bulletin. ACTION - JRE 1.8 SR5 FP27 (8.0.5.27) introduced a change to disable SHA1 certificates via the jdk.certpath.disabledAlgorithms parameter in the /jre/lib/security/java.security file. For more information, read the comments in the java.security file which relate to the added parm: jdk.certpath.disabledAlgorithms= * * *, SHA1 jdkCA & usage TLSServer, SEAS-452 - InstallAnywhere 2018 upgrade for Windows 2016 support Resolution: Upgraded to InstallAnywhere 2018, which provides support for Windows 2016 Server. SEAS-468/SEAS-465 - GUI description box for new SSO Token Group member does no data screening SSO Token Synchronization was introduced in SEAS 6.0.0.0. The SSO Token Group tab contains a description field which allows any sort of unprintable data to be pasted in. Resolution: Now filter the data allowed in the SSO Token Group description field. MFT-10204/IT28758 - Ldap bind failure after upgrade to 6.0 or 2432 iFix 4 After upgrading to SEAS 6.0.0.0, the Customer's SEAS instance could not connect successfully to the LDAP server. The LDAP server was using a keycert with a Subject Alternate Name (SAN) extension which did not include the load balancer hostname in front of the LDAP server that SEAS was connecting to. Oracle Java level 1.8.0_181 introduced changes to improve LDAP support by enabling endpoint identification algorithms by default for LDAPS connections; this also results in stricter hostname validation. Resolution: Updated the startSeas.sh script (and equivalent Windows scripts and LAX files) to include a commented -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true parameter which the Customer can uncomment to correct the behavior. Another way to resolve the problem is to update the LDAP server certificate to include all possible hostnames that clients will try to connect to. MFT-10269/IT29043 - SEAS Custom Exit alternate URLs not attempted The Customer is using the custom exit for authentication through the SI XAPI "com.sterlingcommerce.component.authentication.impl.SIUserAuthExit". Within the profile they have coded the the properties specific to the SI connection: (http.auth.user=*; http.auth.password=*; url=*; alt.url.1=*) When the primary URL is active the authentication is successful, but when the URL is down, the SEAS does not try the alternate url and the authentication fails. Resolution: Improved the retry logic when the alternate SI URL fails to make sure the alternate is tried. SEAS-321/ - Ability to set various fields in the GUI Customers have been unable to change the default values for minimum password length, login lockout delay time and max login attempt in the GUI. Resolution: Include these new fields in Manage -> System Settings -> Globals. SEAS-434/ - Make TLSv1.2 the default protocol for secure connections SEAS formerly installed with TLSv1 as the default TLS protocol. Resolution: For new installs, make TLSv1.2 the default protocol everywhere a TLS secure connection is made. SEAS-686 - Log authentication failures in the audit log for command line utilities EAS was not logging the auth failures encountered by command line utilities in the audit log. Resolution: Now explicitly call the audit logger for auth failures in the command line utilities in the bin directory. SEAS-696/No APAR - SEAS GUI Log level setting is not getting honored After upgrading to log4j2 in SEAS 6.0, setting the log level in the GUI is not changing the log level used in the log being generated. Resolution: Updated the GUI to correctly change the logging level. SEAS-711/ - SAML token assertions without a signature in the response allowed to be validated When SEAS validates a token, it sends an assertion to the External Identity Provided and gets a response. It validates any digital signature in the response. However, internal testing revealed that it silently skips validation of the signature if the signature has been removed. Resolution: Now reject a token validation request when the token assertion response does not have a digital signature. See SEAS-714 for further updates. SEAS-714/ - Provide a GUI option to specify whether SAML assertion responses must be signed After SEAS-711, needed the ability to specify whether the SAML assertion responses require a digital signature. Resolution: Now provide a checkbox "Signed AuthnResponse" in the SSO Token screen to allow Customers to require that token assertions have a valid digital signature. MFT-10243/PSIRT15330 - Update JRE 1.8 to SR5 FP35 (8.0.5.35) for security patches Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2019 level to satisfy the CVEs in PSIRT advisory 15330. See http://www.ibm.com/support/docview.wss?uid=ibm10885939 for the Security Bulletin. ACTION - JRE 1.8 SR5 FP35 (8.0.5.35) introduced a change to disable anon and null cipher suites via the jdk.tls.disabledAlgorithms parameter in the /jre/lib/security/java.security file. If your site uses these suites for testing, update your java.security file to remove the last 2 parms: jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL ACTION - The java.security file includes a new parm for distrusting CAs: jdk.security.caDistrustPolicies=SYMANTEC_TLS For more information, see the writeup in the java.security file. MFT-10352/IT29527 - Exit displays LDAP password in readable format in SEAS log During execution, the SEAS custom exit was dumping some password values coded in the SEAS profile to the SEAS log. Resolution: Commented out the line in the exit which displayed the incoming values from the SEAS profile. Also added code to mask printing the values of properties which contain the strings "password", "pwd" or "passphrase" in them while adding or updating profiles. MFT-10385/IT29587 - Token Synchronization failed from secondary SEAS Customer was testing the new Token Group feature but found that when he brought down the SEAS which generated the token, and the other SEAS in the token group had not received the token yet, it failed to check with the original SEAS to validate the token. Resolution: When SEAS is a member of a token group, now correctly process a token validation request by determining if we have the token, and if not, send the request to the SEAS that generated the token and pass back its response. Also updated the process of refreshing a token that is about to expire by another token group member. MFT-10409/IT29481 - Passwords with & ampersands not authenticating through XAPI exit Passwords which contained ampersands (&) were not authenticating correctly when going through the XAPI exit which authenticates to SI/B2Bi. The value was being encoded twice when building the xml to send to SI. Resolution: Corrected the double encoding so that passwords with ampersands can authenticate correctly through the XAPI exit. SEAS-665 - SEAS Sample exit changes provided for moving global variables to local The IBM Sterling External Authentication Server (SEAS) provides sample custom exits which Customers can update and implement to customize the authentication process in their environment. Previously, the sample code in these exits used some global variables instead of local variables, which could cause problems during high concurrency processing. The problems do not occur when using dynamic routing and/or mapped credentials without the custom exits. Resolution: The sample exits, /samples/SampleAuthenticationExit.java and /samples/SampleCertValidationExit.java have been updated to move the necessary global variables into the methods that use them so that they are local and unique per thread. The source is marked with "SEAS-665" in the comments with notes describing the changes that were made to make the code thread-safe. ACTION: Customers who use these exits should either update their own custom source with the changes highlighted in the new sample source, or copy in the new sample source and reapply their custom changes to them. MFT-10451/IT30080 - CM GUI presents factory cert instead of common The Customer attempted to replace their SSP factory certificate with a new common certificate but when connecting to the GUI, the factory certificate was still presented. Resolution: Now ensure that at the low level keystore operation, the designated keycert alias is honored when the key is requested. This defect shared common code with SSP. MFT-10519/IT30065 - AUTH094E SSO token generation failed (Reason: Queue full) The Customer set up for Token Synchronization between 2 SEAS instances. Either the 2 SEAS were not both properly configured or the second SEAS was down and the tokens generated by the first SEAS were not able to be sent to the second SEAS. Eventually, SEAS stopped generating tokens and put out the AUTH094E message in the title. Resolution: Now use an "offer" method when adding a token into the token synchronization queue, which allows a timeout on the operation when the buffer is unavailable. Also prune any expired tokens in the queue. MFT-10545/IT30239 - *HIPER* Token synchronization fails during volume testing Two issues were found in volume testing of the new token synchronization feature. After the first token was created and shared with the token group there was a 2 minute delay between each additional sharing, which caused tokens to not be available. And if the SEAS token group member which needed to validate the token did not have it on hand, it erroneously skipped calling the SEAS which generated the token to do the validation. Resolution: Changed the delay between sharing tokens with other token group members from 120 seconds to 100 milliseconds (1/10 second). And when a token is not in hand when a validation request comes in, now correctly pull the SEAS member which generated the token from the token prefix and call that SEAS to do the validation. MFT-10559/IT30200 - Jetty Http server uses the incorrect certificate alias Customer added a new keycert with a new alias to replace their expired keycert. However, when they attempted to logon to the 9080 WebStart port, they were presented with the expired certficate. Resolution. Updated the HTTP server side code to ensure that we honor the keycert alias specified in the SEAS GUI. MFT-10358/PSIRT16274,16318 - Security upgrade to Jetty 9.4.20 Resolution: Update the Jetty server to satisfy the CVEs in PSIRT advisories 16274 and 16318. See http://www.ibm.com/support/docview.wss?uid=ibm11095838 for the Security Bulletin. MFT-10579/PSIRT17288 - Update JRE 1.8 to SR5 FP40 (8.0.5.40) sor security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle July 2019 level to satisfy the CVEs in PSIRT advisory 17288. See http://www.ibm.com/support/docview.wss?uid=ibm11095832 for the Security Bulletin. MFT-10653/IT30757 - SEAS not starting when LDAP principal password contains an Ampersand (&) The Customer created an LDAP definition which included an ampersand (&) character in the password. The next time SEAS was restarted, it would not come up. The startSeas.out file contained the following: INFO: Instantiated the Application class com.ibm.seas.rest.SEASRestApplication. Startup did not succeed. Terminating: com.sterlingcommerce.hadrian.common.xml.XmlParsingException: Error on line 9: The entity name must immediately follow the '&' in the entity reference. Resolution: Added logic to properly encode the password field in LDAP Bind query object MFT-10678/IT30921 - Upgrade to SEAS6001 iFix00Plus Build122 gets wrong keycert, handshake failures Customer upgraded to the latest SEAS6001 and found that it installed an SSO keycert which caused handshake failures from SSP. SEAS6001 Build 122 and 124 created an OpenSAML compatible SSO keycert if it did not detect a keycert alias in their SSL or SSO definitions, even if a keycert existed. The new keycert interfered with the existing one used for communicating with SSP and the SEAS GUI. SSP connections failed and created a backlog of timer threads which caused SEAS to go down with OutOfMemory failures. Resolution: Now during the startup process, first check if a keycert exists in the keystore. If so, add its alias to the SSL and SSO definitions. If not, create the SSO keycert and add its alias to the SSL and SSO definitions. Also changed the default SEAS heap size in startSeas.sh from 256M to 1024M. MFT-10714/IT31373 - SEAS out of memory after 3 months SEAS took an OutOfMemory (OOM) exception after 3 months with a slow leak of the "EDU.oswego.cs.dl.util.concurrent.LinkedNode" class. It was defined in older sections of the code using a queue structure which did not have a size restriction. Resolution: Updated the code which used the LinkedQueue classes and now use the BoundedLinkedQueue classes, which will keep the OOM exception from happening. MFT-10717/IT31035 - Persistent sockets for token synchronization group The communication between token synchronization group members was causing performance issues at peak loads, due to opening a new socket for each token shared or requested. Resolution: Now establish a persistent socket connection between each token group member to improve performance. Note: This fix causes the token synchronization process to perform better, which may cause some additional timing issues. SEAS-919/ - Support for Red Hat Directory Server (RDS) Resolution: Add support for Red Hat Directory Server (RDS) as an option for LDAP queries. SEAS-979/SEAS-980 - Support for pre-auth and post-auth custom exits Customers who want to add some custom authentication logic to what is already being done in mainline SEAS find themselves writing a SEAS custom exit and duplicating the existing authentication logic that ships with SEAS. Resolution: Now allow pre-authentication and post-authentication exit points in which the custom code can be inserted while using the mainline functions for normal authentication. SEAS-1078/ - (RESTAPI) SEAS Import failing with Invalid content error When exporting the SEAS configuration with pre- and post-auth exits defined and then importing it again, getting INFO SeasConfigService - Entered update SeasConfig method ERROR SeasConfigService - cvc-complex-type.2.4.a: Invalid content was found starting with element 'serverAlias'. One of '{protocol, verStamp}' is expected. line # 311 column # 14 INFO LogAuditUtils - IMPORT SEAS_CONFIGS failed with error code 204 Resolution: Updated the RESTAPI export/import code to handle the pre- and post-auth exits. SEAS-685 - Support for Password Policy ThreatModel testing called for a way to enforce password policies for users Resolution: Added support for a new password policy screen in the GUI under Manage -> Password Policy. Policies can include minimum and maximum password length requirements, special characters, repeating character restrictions, history checking and expiration days. Users assigned to a policy must adhere to the restrictions when choosing a new password. SEAS-689 - Do not log sessionids or sso tokens used for authentication Internal scans flagged that no sessionids or sso tokens used for authentication should be logged. Resolution: Now map the sessionid and sso tokens to an internal digest value and log that value instead. SEAS-955,SEAS-944 - Generate unique encryption key at install time Internal ThreatModel scanning indicated a change in the way we encrypt the system passphrase which is used to encrypt the configuration files. Resolution: On new installs and when running the disableBootstrap and enableBootstrap utilities, generate a unique hex key and store it in a file with read/write permissions for the userid of the installer only. This key is used to encrypt the passphrase the admin supplies to encrypt the configuration files. SEAS-1050 - Add support for SEAS health check monitoring by ICC Add support in SEAS to proactively send health check pings to IBM Control Center so that its up/down status can be monitored. The SEAS GUI Manage -> System Settings -> Health Check Monitoring tab allows the admin to define the ICC host and port, id and password, and frequency of pings. See online documentation for SEAS6010 for more information. Other internal stories: SEAS-1052 SEAS-1145 - System passphrase not getting validated during upgrade when bootstrap is disabled When bootstrapping is disabled, the upgrade must request the passphrase during the install in order to decrypt the configuration files. The passphrase was not getting validated when entered. Resolution: Now validate the system passphrase requested during an upgrade when bootstrapping is disabled. SEAS-1175 - SEAS service not starting through command line on Windows The SEAS service was not starting with bin\startSeas.bat on Windows. It was starting the SEAS_V6.0.0.1 service by mistake. Resolution: Updated the InstallAnywhere deck to build the startSeas.bat job with the current release variable so that the "net start SEAS_V?.?.?.?" is always built correctly when the release changes. Workaround: Change the lines in startSeas.bat to say "net start SEAS_V6.0.1.0" SEAS-1190 - Installation issues with Docker containers Resolved several issues found during beta testing of Docker containers - Removed root user password changing logic from Docker file - Added sudo package to allowing sudo command to non-root user - Added logic for passing user, pwd, uid and gid into ENV variables, to be the owner of host mounted path for host configuration data. Defaults: APP_USER=appuser, APP_USER_PWD=appuser, APP_USER_UID=3000, APP_USER_GID=3000 Note: Do NOT use User names root, spuser, cmuser, psuser or, seas or UID/GID: 0 and 1000 because these are already used inside the container. - Mapped silent installation log file with Volume host path to assist in checking the log without logging in - Please refer to the deployment YAML files bundled with the Fix Central tar file for the latest rather than the samples in the online doc. - Following are the parameters needed to start a SEAS container using Docker: ************** Deploying the new Container ************************** docker run -it -d \ -v /SEAS:/seasinstall/IBM/SEAS \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1004 \ -e APP_USER_GID=1005 \ -e PORT=61365 \ -e JETTY_PORT=9080 \ -e JETTY_DNS=172.20.185.197 \ -e PASSPHRASE=password \ -e USER_PASSWORD=password \ -p 9080:9080 \ -p 61365:61365 \ -p 61366:61366 \ --name SEAS \ seas-docker-image:V6.0.1.0.iFix01 /bin/bash ******************* Upgrade the deployment ************************ Note: To upgrade from a traditional install to a container platform, you must modify HOST_IP OR HOST_Name tag in the following file before the deployment. File: /conf/jetty/JettyConfigDef.xml Replace "HOST_IP OR HOST_Name" with "0.0.0.0" Note: This change is not required when upgrading from container to container. docker run -it -d \ -v /SEAS:/seasinstall/IBM/SEAS \ -e APP_USER=test \ -e APP_USER_PWD=test \ -e APP_USER_UID=1004 \ -e APP_USER_GID=1005 \ -e JETTY_DNS=172.20.185.197 \ -p 9080:9080 \ -p 61365:61365 \ -p 61366:61366 \ --name SEAS \ seas-docker-image:V6.0.1.0.iFix01 /bin/bash MFT-10847/IT31788 - SEAS6010 gets "Invalid Client Alias" to LDAPs Customer upgraded to SEAS6001 iFix 2 and began getting the following during SSL handshaking to their LDAP server: java.lang.IllegalArgumentException: Invalid Client Alias SEND TLSv1 ALERT: fatal, description = internal_error The Customer's LDAP was requesting a client certificate but was configured not to require it. It worked before the upgrade. The SEAS keymanager was detecting a client keycert alias coded when the field was empty. The same bug existed in SEAS6010 GA. Resolution: Corrected the key manager to properly validate the existence of both the client keycertAlias and server keycertAlias. SEAS-992/ - Improve validation in token synchronization GUI panels The System Settings -> Token Group Configuration panels were confusing when trying to add a Token Group Member. The Name field value must be the Named Identity Provider name of the Token Group Member we are trying to add. Resolution: Now add a description text next to the Name field indicating it must match the Named Identity Provider name of the Token Group Member we are adding. And in the System Settings -> Globals tab when the "Enable SSO Synchronization" box is checked, verify that the Named Identity Provider is specified, otherwise report an error. SEAS-1164 - Password policy name fails to import with RESTAPI When creating a new password policy, the name could contain blanks. The RESTAPI was able to export the policy, but when importing it again, the blank in the policy name caused ERROR PasswordPolicyService - Valid characters for Name "test policy" are: "-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.:" Resolution: Now restrict the name of the password policy being created to only contain the characters above (no blanks). SEAS-1178 - Custom exit connecting to invalid URL gets nuisance msg When an invalid URL is specified for the custom exit to connect to, it puts out "java.lang.IllegalArgumentException: Socket may not be null". Resolution: Now emit a proper error message: "ERROR HttpUserAuthExit - AUTH220D Communication failure, IBM Secure External Authentication Server could not connect to the server: https://:/myfilegateway" and also show a stacktrace if in debug mode. MFT-10898/ - (Container) Can not create APP_USER in the yaml file with GID of 1001 When trying to use a group ID (GID) of ‘1001’ in the yaml file the messages groupmod: GID '1001' already exists ERROR: Cannot set GID for appear in the APPStartup.log in the backup directory on the VM. Resolution: Now allow 1001 to be used as a group ID in a container. SEAS-1148/ - Improvements to Content-Security-Policy Header The default Content-Security-Policy HTTP header returned by the SEAS Webstart page was not acceptable to the OWASP security scanning tool. According to the tool, the value of "default-src 'self';" allowed wildcard sources or ancestors. Resolution: Now supply the following values for the Content-Security-Policy header: "default-src 'self'; img-src 'self'; style-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';" This also required splitting the contents of the index.htm file into 3 new files: body.js, header.js, and stylesheet.css. The index.htm file is backed up prior to installing. This also tracked as PSIRT ADV0022035. See https://www.ibm.com/support/pages/node/6249399 for the Security Bulletin. SEAS-1165/ - (GUI) Able to delete a password policy that is in use A password policy file that is assigned to a user could still be deleted from the GUI. Resolution: Now check to make sure the password policy is not referenced before allowing it to be deleted. SEAS-1177/ - SEAS GUI tabs go away after changing Token Manager value In the SEAS GUI, in the Manage->SystemSettings->SSO Token tab, when the Token Manager field is changed from "SEAS-SAML" to "Custom", several other System Settings tabs go away. The System Settings must be selected again from the Manage screen to show the other tabs. Resolution: Now seamlessly allow changing the Token Manager field without losing other tabs. SEAS-1183/ - Do not allow password policy with expiration for admins A password policy with a "Days Valid" value set for an admin userid could cause the admin to be locked out when the password expires. Resolution: Now disallow a non-zero days password policy to be attached to admin users so they cannot get in a situation of being locked out of the system. The change is done both in the GUI and the REST API. SEAS-1200/PSIRT21787 - Update JRE 1.8 to SR6 FP5 (8.0.6.5) for security patches. Resolution: Update the JRE 1.8 to bring it up to the Oracle January 2020 level to satisfy the CVEs in PSIRT advisories 20470 and 21787. See https://www.ibm.com/support/pages/node/6116938 and https://www.ibm.com/support/pages/node/6116968 for the Security Bulletins. Also tracked internally as SEAS-1199. SEAS-1201/ - RestAPI encyrption/decryption of passwords The SEAS RESTAPI configuration export was not encrypting the password history and the new Control Center healthcheck password. Resolution: Added logic within the RESTAPI to encyrpt/decrypt the password history and the password associated with the health check connection to Control Center during export and import. SEAS-1230/ - CERT008E Exception encountered doing cert validation During regression testing with the new IBM JRE 8.0.6.5, a certificate validation test case failed with the following exception: CERT008E Exception encountered while processing certificate chain: com/ibm/security/x509/CRLDistributionPointsExtension.(Z[B)V The IBM JRE had changed the API for Certificate Revocation List processing which was incompatible with callers compiled under an older JDK. Resolution: Switched to compile SEAS with the IBM 8.0.6.5 JDK and updated the API call to use a different method to get the CRL distribution points from the certificate. SSP-4244/ - Cannot start docker container after stopping it After running "docker stop " it fails to start with a "docker start ". Logs show message: 'cannot create user "test"' Resolution: Corrected the user conflict causing the container not to start. MFT-10999/IT32375 - SEAS GUI SSO Token Signing Key value changed when restarted Customer upgraded to SEAS6010 and the Token Signing Key radio button in the System -> Manage Settings -> SSO Token tab was changed from "Auto Generated" to "Certificate Alias" and pointed to an existing keycert in the keystore. The Customer changed it back to Auto Generated and the service worked. However when they restarted SEAS it went back to Auto Generated. Resolution: Now persist the value of the Token Signing Key radio button across restarts. MFT-11001/IT32370 - SEAS GUI Health Check Monitoring (HCM) tab won't save when HCM checkbox is checked from WebStart GUI. Customer configured the System -> Manage Settings -> Health Check Monitoring tab using the WebStart GUI, but then could not save their changes. It worked from the SEAS/bin/startGUI.sh X11-based script. The EA_GUI.jnlp WebStart file was missing the persistance.jar entry, and threw a NoClassDefFoundError error on the com.sterlingcommerce.component.persistence.Persistor class. Resolution: Updated the SEAS/conf/jetty/docroot/webstart/EA_GUI.jnlp file to include the reference to the persistence.jar. Workaround: Update the SEAS/conf/jetty/docroot/webstart/EA_GUI.jnlp file to add the following line: MFT-11017/IT32542 - Deliver new log4j2.xml during upgrades The /conf/log4j2.xml file was not getting updated during a SEAS upgrade, even though a backup was being taken of it. Resolution: Now during an upgrade, overlay the existing log4j2.xml after its backup is created, so that it is current. SEAS-1233/ - XML External Entity (XXE) vulnerability in SEAS During internal security scanning, SEAS was found to be vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. It is further described in PSIRT advisory ADV0023731. Resolution: Added parser processing commands to disallow the illegal commands that caused the XXE attack. See https://www.ibm.com/support/pages/node/6249317 for the Security Bulletin. SEAS-1238/ - CRUD033E Operation: update failed when setting up LDAP Connection screen of LDAP authentication profile When configuring the LDAP authentication profile, a switch between the "Search for User DN" option, "Specify User DN" option, and the LDAP LDAP Connection Settings Tab can cause the error message, CRUD033E Operation: update failed : BindSearchName does not match query entered: FindUserDN vs. null Resolution: Now make sure that the configured value for principal Name is consistently set during a save operation to the backend. SEAS-1247/ - Supply IP address of authenticated user in SSO token validation response Resolution: This is a small enhancement to pass the IP address of the authenticated user to the back end B2Bi within the response to the SSO token validation request. For authentication and certificate validation SSO requests which supply an IP address of the incoming user, now include the IP address in the following tag in the response: auth.ipAddress 10.20.30.40 SEAS-1249/ - RESTAPI import error: Invalid content on element 'passwordIsPlain' A RESTAPI export from SEAS6001 iFix 3 and importing back into the same version was getting, "validationErrorsList : [cvc-complex-type.2.4.a: Invalid content was found starting with element 'passwordIsPlain'. One of '{port, protocol, sslInfo, verStamp}' is expected. line # 555 column # 18]. Resolution: Updated the xsd to allow the passwordIsPlain key on a RESTAPI import. MFT-11155/IT32979 - SEAS GUI failed keystore password update When trying to update the keystore password through the SEAS GUI, and the key alias has uppercase characters, the dialogue fails with - "SYST045E Specified certificate alias [ XXX ] doesn't exist in the keystore". Resolution: Ignore the case of the alias when searching for the key in the keystore, since they are always stored there in lowercase. MFT-11043/ - Bind to Active Directory getting Unresolved address Customer attempting to set up an LDAP query but getting the following: AUTH002E Ldap Bind failed for service principal x.x.x.x:389 Cause: ConnectionException: java.net.SocketException: Unresolved address. AUTH200D Communication failure, could not connect to the LDAP server. The Customer had misconfigured their LDAP connection definition and put the LDAP bind "CN=..." info in the local socket ipaddress field. Resolution: Added an error message at the time of the failed bind on the local IP address in order to catch this problem earlier: ERROR binding ldap socket local address to . MFT-11147/IT33020 - CRL checking fails after upgrade to SEAS2432 iFix 7 The Customer, who had Certificate Revocation List (CRL) checking enabled, upgraded to SEAS2432 iFix 7 and began seeing ERROR CertValidator - CERT005E Failed to complete required CRL check. Problem 1 of 1: Insufficient information to locate CRL for issuer: CN=... This is a companion to issue SEAS-1230. Resolution: Switched to compile SEAS with the IBM 8.0.6.5 JDK and updated the API call to use a different method to get the CRL distribution points from the certificate. MFT-11154/ - GUI connection to SEAS secure port fails The Customer was trying to access their SEAS secure port from the Webstart GUI, but kept getting unhelpful messages which indicated a handshake failure after the connection was made: ClientConnectionException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure Resolution: Added diagnostics on the client side which more clearly showed that the problem was in connecting to the port (a firewall issue) rather than a handshake error. MFT-11195/IT33131 - Mapped loginPwd not being processed properly from IBM SDS The Customer is using the IBM Secure Directory Server (ISDS) for their LDAP server and pulling mapped credentials to their back end protocol server. The ISDS server returns the loginPwd value as a binary byte array rather than a string, so it is not handled correctly. Resolution: Now handle the mapped loginPwd field whether it comes as a byte array or a string value. Also, mask the loginPwd when tracing in the log. SEAS-692/ - Add HTTP header Cache-Control: max-age=0 Internal security testing indicated that our HTTP headers should contain the Cache-Control: max-age=0 parm. Resolution: Now set cache-control = "no-cache, must-revalidate, max-age=0" in the HTTP headers returned. SEAS-970/ - Uninstaller files deleted on upgrade on Linux During an upgrade install on Linux, the Uninstaller script was getting added with the wrong name and then deleted. Resolution: Now build the install script in the UninstallerData directory so that it can be executed with ./"Uninstall IBM Secure External Authentication Server 6.0.1.1" SEAS-1024/ - GUI Auth exit radio buttons not warning if class missing Found that one could select the radio buttons for the pre- and post- auth exits and click OK without any warning that there is no class name or properties specified. Resolution: Now put out an error dialog, "'Pre' Custom Exit is selected but no class provided. Either un-check, or provide a valid fully qualified class name." SEAS-1184/SEAS-1194 - RESTAPI improved validation during import Internal testing found inconsistent validation of supplied values during RESTAPI import operations. Resolution: Now do more robust validation of input data during RESTAPI import operations, including common SQL injection signatures. SEAS-1205/ - Set HTTP security headers on by default in GUI Defect RTC557573 from January 2018 allowed the ability to add HTTP security headers to Webstart GUI sessions if a box was checked in the GUI. By default, the box was not checked during an install. Resolution: Now set the Manage -> System Settings -> Globals "Enable HTTP security Header for webstart" checkbox to true by default. SEAS-1234/ - Apply password policy during new install for system passphrase and admin password Resolution: New installs of SEAS will impose a password policy during the install process requiring the system passphrase and admin password to be 6 to 28 characters in length with at least one upper case letter, one lower case, one digit, and one special character (“!@#$%^&”) with not more than 2 consecutive characters repeated. SEAS-1255/SEAS-1257 - RESTAPI not encrypting LDAP ServicePrincipal password during export of Authentication, CertValidation profiles The ServicePrincipal password in the LDAPQuery definition was not being encrypted during a RESTAPI export or get operation of the Authentication or CertValidation profiles. Resolution: Now encrypt/decrypt the LDAP ServicePrincipal password during import/export/get operations. SEAS-1259/ADV0021791/ADV0023736 - Update IBM JRE 1.8 to SR6 FP10 (8.0.6.10) for security patches Resolution: Update the JRE 1.8 to bring it up to the Oracle April 2020 level to satisfy the CVEs in PSIRT advisories ADV0021791 and ADV0023736. See https://www.ibm.com/support/pages/node/6249381 and https://www.ibm.com/support/pages/node/6249391 for the Security Bulletins. The ADV0021791 was tracked internally as SEAS-1235. SEAS-1261/ - SEAS Root Logger settings not honored across the product Customers setting in /conf/log4j2.xml were not getting debug output from most classes in the product unless a specific was coded for that class. Resolution: Corrected the LogManager class name in every class which was still using the Log4j format instead of the newer Log4j2 format. SEAS-1341/ - Add HTTP header Cache-Control: no-store Internal OWASP testing indicated that our HTTP headers should contain the Cache-Control: no-store parm. Resolution: Now set cache-control = "no-cache, no-store, must-revalidate, max-age=0" in the HTTP headers returned. SEAS-1345/ - SEAS health check monitoring overriding SEAS log level When running with SEAS health check monitoring, the thread was changing the root logging level set from the GUI. Resolution: Modified the heath monitoring thread to only update the healthmonitoring appender log level instead of overriding the root log level. MFT-11215/IT33497 - SEAS silent install giving bad port error During a silent install, if the port value is incorrect, the install gets into an infinite loop resulting in a stackOverflow error. Resolution: Added custom Java code to handle the error condition and exit the install with a message to in install log MFT-11249/IT33604 - SEAS GUI not allowing # in keystore/truststore password When adding a new keystore in SEAS in the GUI Manage -> System Settings -> SSL tab, the password may not contain a hash (#) character. Resolution: Add #&<> as valid characters for keystore passwords in the SEAS GUI. MFT-11261/IT33503 - Webstart GUI gets Invalid Keystore: null error After upgrading to SEAS6011 GA, the Customer could not launch the Webstart GUI with a secure connection using a custom keystore. Resolution: Fix SEAS-1171 which was applied to SEAS6010 before it went GA was not applied to the development branch which eventually became SEAS6011. SEAS-1354/ - Installation rejects password with $$ A new install of SEAS would not accept passwords with multiple dollar ($) symbols, such as Pa$$w0rd or Pa$wor$d123. Resolution: Now correctly handle passwords with multiple dollar ($) symbols. MFT-11252/IT33690 - SEAS GUI does not timeout The SEAS GUI stayed indefinitely connected to the SEAS Server. Resolution: Now allow the GUI administrator to configure how long the SEAS GUI can stay connected with the SEAS before being disconnected and forced to login again. SystemSettings->Globals->SEAS GUI Connection timeout. SEAS-967/ - SEAS displays protocol as TLSv1.2 if the value is empty When a protocol value is null and saved, no protocol tag is stored in defSslInfo.xml. Resolution: Now add a protocol tag with default value "TLSv1.2" in defSslInfo.xml if the user selects a null protocol value. SEAS-1166/ - Better validation of SEAS server ID field The SEAS server ID field in the Globals tab was accepting binary data and strings over 50 characters Resolution: Now test the input for the SEA server ID field to make sure it is character data and no more than 50 characters. SEAS-1337/ - stopSeas fails if "&" in passphrase/password The stopSeas.sh utility fails to stop SEAS if the passphrase or password contains an ampersand "&" character. SEAS004E Xml Parsing Error: Invalid xml request was received Resolution: Now enclose the credentials in the CDATA[] xml construct so that they pass safely between the utility and the SEAS server. MFT-11248/ - Cannot add new keystore to SEAS When adding a new keystore to SEAS, it must contain a keycert with the alias name currently being pointed to. SEAS puts out message SYST045E Specified certificate alias [ defSslInfo ] doesn't exist in the keystore. (But defSslInfo is not the actual alias name). Resolution: Now, the message will be: ERROR SysConfigManager - SEAS is expecting a keycert with an alias name of . (SSO will be the actual alias name). INFO SYST045E AbstractConfigMgr - SYST045E Specified certificate alias [ SSO ] doesn't exist in the keystore. SEAS-1163/ - Limit numeric field lengths in SEAS GUI password policy There were no validations to check the numeric fields in the SEAS Password Policy GUI tab for the values that can be entered. Resolution: Updated the GUI screen to limit the size for Days Valid, Password Minimum Length, Password Maximum Length, and Keep In History. SEAS-1193/ - SEAS server prompts for passphrase during silent upgrade During a silent install upgrade, the step to obtain the encryption passphrase from the boostrap file was being bypassed, so it prompted for the passphrase. Resolution: Correct the InstallAnywhere logic to silently obtain the passphrase during a silent upgrade. SEAS-1334/ - Extend password validation to silent install No rules were specified in InstallAnywhere to do validations on passwords in silent mode installations. Resolution: Added rules specifically for silent mode installation so that proper validation occurs. SEAS-1338/ - RESTAPI failures with tokens and Export/Import The RESTAPI was having difficulty working with token definitions and doing exports and imports due to a flaw in exporting the keystore password. Resolution: Corrected the setting of the restAPI tag during the RESTAPI so that authentication data is exported correctly. SEAS-1346/ - Improve RESTAPI handling of SQL Injection. Internal scanning detected areas in the RESTAPI which were vulnerable to an SQL injection. Resolution: Added validation in the RESTAPI so that any known SQL injections detected in the data will be rejected. SEAS-1368/ - Remove token pool exceptions from log at startup When token synchronization is activated and SEAS is started, it may get an exception at startup if another member in the group is not up yet. Resolution: Now log the initial connection exception at DEBUG log level during token synchronization startup. SEAS-1372/ - Reduce SSPDummyProfile clutter in log Failover PING responses were getting logged at INFO mode, leading to clutter in the logs. Resolution: Require the logging level to be in TRACE mode for any SSPDummyProfile error messages. SEAS-1395/ - RESTAPI valdation error during import of Service principal Validation of LDAP Service Principal did not take into account the Active Diretory admin format. Resolution: Removed the validation of service principal logic that did not take into account the AD format. MFT-11237 - Added properties/version/*swidtag file for ILMT discovery Resolution: Added the software ID tag (swidtag) file to the properties/version for easier detection by the ILMT license tool. MFT-11359/IT33971 - AUTH061E NullPointerException during AttributeAssertion [VerifySSHPublicKey] SEAS was doing many successful SSH public key authentications, then they all began failing with NullPointerExceptions (NPEs). Messages received: AssertionProcessor - Exception processing assertion: java.lang.NullPointerException AUTH061E Exception encountered while evaluating authentication AttributeAssertion[VerifySSHPublicKey]: null. Other SEAS going to the same LDAP were not failing. Restarting the failing SEAS resolved the NPEs. Resolution: Added defensive code in areas that appeared vulnerable, especially checking for null values in our map of LDAP variables, the LDAP query response, and the assertion string itself. We also added code to print the assertion expression in case of an exception during processing it. Also added diagnostic stack traces in the area that the NPEs were thrown to catch the exact location for further diagnosis. SEAS-1256/ - StartTLS is Yes/No on the GUI but True/False in the API The Start TLS setting in the LDAP Connaction Settings tab of the authentication definition has a Yes/No value, while the RESTAPI only accepted true or false. Resolution: Updated the RESTAPI validation to allow Yes/No in addition to true/false for the startTLS tag. SEAS-1331/ - Ability to change keystore/truststore password from CLI Until now, the only way to change the keystore password wass through the Java keytool command and then update it to match in the GUI. Resolution: Updated the SEASCipherConfigTool utility to add new options [-x: update kesytore password] and [-y: update truststore password] to facilitate changing the password in the keystore/truststore and the SEAS configuration files. SEAS-1352/ - Added validation for validLDAPVersion This is a continuation of the fix for defect SEAS-961. One of the fields (validLDAPVersion) was not being validated correctly in the LDAP Connection tab of the authentication definition screen. Resolution: Now validate the validLDAPVersion for both the GUI and the RESTAPI. Also added Base DN validation at 'Add LDAP auth profile' screen in the authentication definition in the GUI. The valid values for base DN can either include the '=' operator or be contained within curly braces{}. SEAS-1396/ - Cannot remove global connection even if unreferenced After deleting all the Attribute Query Definitions pointing to a Global Connection, the Global Connection can still not be deleted. Resolution: Now properly delete the reference entries in the map when deleting the Attribute Query Definitions. SEAS-1397/ - SEAS fails to start in disable bootstrap mode. When passphrase bootstrapping is turned off, the startup does not prompt the user for the passphrase and fails with javax.crypto.BadPaddingException. Resolution: Now prompt for the password from a Java class rather than directly from the startup script. SEAS-1398/ - RESTAPI not reporting exception stacktraces in log file SEAS Rest API services do not report exception stacktraces in the SEAS log file, making it more time consuming to determine the point of failure when an issue occurs. Resolution: Added logic in over 15 places in the RESTAPI code to extract the full exception stacktrace when an error occurs and write it into the log file. SEAS-1404/ - Several sysGlobals fields accept empty values in RESTAPI The cache-control, strict-transport-security and content security policy entries in SysGlobals were allowing the tag to be set with an empty value. Resolution: Now validate during the RESTAPI import that if the above fields are set in the SysGlobals field, they include a valid value. Also updated the upper limit for several other fields which accept numeric values in the GUI and the RESTAPI. SEAS-1422/ - RESTAPI import fails with "SSL Protocol Not be Null" When exporting the SEAS configuration using the RESTAPI, the protocol tag was missing in sysSslInfoDef. A subsequent import failed with the above message. Resolution: Now set the protocol in sysSslInfoDef to TLSv1.2 if it is null or empty during a RESTAPI export or get operation. SEAS-1423/ - RESTAPI import fails with invalid content when keystore or truststore password changed. Ohanged the keystore and truststore passwords after a new install and exported the configuration. On import, got "Invalid content was found starting with element 'createdBy'." Resolution: Updated the sysSslInfoDef and sysTruststoreInfoDef xsd files to allow 0 or more of the missing elements mentioned in the error. SEAS-1429/ - Vulnerability in Apache Commons Codec HIPER: Updated the Apache Commons Codec toolkit to v1.15 to address security advisory PSIRT25470 - CVEID: 177835 (CVSS: 7.5). See https://www.ibm.com/support/pages/node/6339801 for security bulletin. MFT-11367/IT34033 - Nullpointer in SingleSignonServiceImpl The Customer is monitoring their logs for NullPointerExceptions and seeing the following: ERROR SingleSignonServiceImpl - AUTH094E SSO token generation failed (Reason: null). ERROR SingleSignonServiceImpl - java.lang.NullPointerException This caused only the one session to fail, no further fallout. Resolution: Added defensive code to check for null values in the areas around token generation, including before scanning the tokenGroup and tokenRealm lists. Also added code to print more relevant messages and stack traces closer to where the null values may be presenting themselves. SEAS-985/ - Improve the validation of custom exit initialization and execution Exceptions during custom exit initialization and execution were not being properly reported in SEAS log files. Resolution: Added additional error capturing during custom exit initialization and execution. SEAS-1415/ - SSO Plugin changes to return Client IP address The SEAS SSO-plugin for B2Bi was not returning client IP address via the application output during token validation and authentication Resolution: Updated the sso-plugin jar file to allow the client's IP address to be passed to B2Bi during authentication and SSO SEAS-1417/ - Client IP address enabled during regular Authentication The client IP address was not being passed to B2Bi during a successful authentication that does not involve SSO. Resolution: Now enable the passing of the client IP address after a successful authentication. SEAS-1421/ - Client IP Address not returned when ssoAuthRequest has a token in the password field The Client IP address was not being returned when an ssoAuthRequest with an embedded token is set in the password field. Resolution: Now enable the passing of the client IP address even when an ssoAuthRequest has a token in the password field. MFT-11489/IT34631 - Not finding passwordPolicySubentry attribute on Oracle DS The Customer upgraded their Oracle DS LDAP server and found that their password change operations began failing. The server added a new passwordPolicySubentry in addition to the pwdPolicySubentry tag. Resolution: Added support for both variations of the pwdPolicySubentry tag. MFT-11500/IT34551 - NULL pointer exception during script engine allocation SEAS is getting ERROR AssertionProcessor - java.lang.NullPointerException at com.sterlingcommerce.hadrian.common.util.HadrianScriptingEngine.eval(). This is in the area where we process an assertion (i.e. compare a value from LDAP with a supplied value, such as a user’s SSH public key). SEAS requested a script processing engine, but failed to check whether the engine was actually allocated before calilng it. Resolution: Now allocate only one script engine during class load instead of getting a new one with every call. If a null pointer is detected, make 3 attempts to re-establish a good script engine. SEAS-1396/ - Unable to remove an unreferenced global connection A global connection definition referenced by an attribute query definition could not be deleted even when the attribute query definition was deleted. Resolution: Now delete the map entry for the Attribute Query Definition when it is deleted so that the global connection defintion can be deleted. SEAS-1440/ - SEAS hearbeat interval being sent to Control Center as a string and not a number The SEAS hearbeat interval was being sent to Control Center as a string Control Center was expecting a number. Also known internally as SSP-4718. Resolution: Now send the SEAS hearbeat interval in the correct format. MFT-11533/IT34738 - After new install of SEAS 6011 any new SEAS keystore must have alias name sso After a new install of SEAS 6011, the Customer wanted to use their own JKS keystore and keycerts. However, when specifying the new keystore in the GUI Manage -> System Settings -> SSL tab, the user gets the message: SYST045E Specified certificate alias [sso] doesn't exist in the keystore. The default sso alias added at install time was defined in the Listener and SSO tabs and would not allow the new keystore to be saved unless it contained a keycert with that alias. Resolution: When adding a new keystore, the Manage -> System Settings screen will allow the user to navigate to the Listener and SSO tabs to specify aliases of keycerts which exist in the new keystore before hitting OK to save the new configuration. MFT-11590/ - SEAS install default host of 0.0.0.0 causes webGUI to fail When installing SEAS for the first time, the default host name is supplied as 0.0.0.0 which causes an issue later when launching the SEAS GUI through Webstart from another host. Resolution: Added custom InstallAnywhere code for new installs of SEAS to supply the fully qualified DNS hostname as a default. SEAS-694/ - Enforce a maximum header length and content size for the SEAS Webstart GUI. The SEAS GUI could get overrun with data if a large HTTP header or page content is received. Resolution: Now set a maximum header size (8192) and content size (200,000) to protect the SEAS GUI from an overrun. These are configurable in the Globals tab of the System Settings tab of the SEAS GUI. SEAS-1051/ - SEAS logs passwords from exit properties at startup Passwords supplied to SEAS custom exits via properties were being logged in DEBUG mode at startup. Resolution: Now mask passwords/passphrases contained in custom exits properties as we do everywhere else in the product. SEAS-1349/ - Fix resource leak issues reported by internal code scan Resolution: Corrected various coding issues detected by our internal code scan tool. Removed dead code, avoid NullPointerExceptions, use IOException instead of Exception when closing resources. SEAS-1360/ - Apply more restrictive password policy for admin userid The password policy for the admin id were not consistent between install time and at password change time. Resolution: Added flags on the password policy panel to require upper and lower case characters and/or digits and specify the special characters allowed. Also ensured that all are verified correctly through the RESTAPI. Also worked internally under SEAS-1366 and SEAS-1374 defect ids. SEAS-1373/ - SEAS server ID field does not handle IPV6 addresses The SEAS Server Id field was not allowing strings with ":" so IPv6 addresses could not be specified. Follow on to SEAS-1366. Resolution: Now validate the SEAS Server Id to be no more than 50 chars, have no binary data, and handle IPV6 addresses. SEAS-1377/ - Log stacktraces when startup fails The SEAS startup process does not log encountered exceptions properly to enable prompt resolution of Customers' startup failures. Resolution: Now ensure that fatal exceptions log their stacktrace into the SEAS log file. SEAS-1401/ - RESTAPI certValidation export not prompting for passphrase The RESTAPI certValidation export was not prompting for a passphrase to encrypt the export file. Resolution: Now prompt for an encrypt/decrypt passphrase when using the RESTAPI to export cert validation configurations. The same passphrase will then be expected during import. SEAS-1430/ADV0026225 - Upgrade IBM JRE to 8.0.6.15 level for security patches Resolution: Update the IBM JRE to satisfy the CVEs in the Oracle July 2020 CPU, PSIRT advisory 26225. See https://www.ibm.com/support/pages/node/6398778 for the Security Bulletin. SEAS-1478/ADV0028030 - Update Jetty toolkit to v9.4.34 for security patches Resolution: Updated the Eclipse Jetty toolkit to 9.4.34 to mitigate CVE-2020-27216, dealing with elevated privileges. This is PSIRT advisory 28030. See https://www.ibm.com/support/pages/node/6398776 for the Security Bulletin. SSP-4736/ - Upgrade Jackson jars to latest Resolution: Upgraded the Jackson jars to v1.9.14 for the latest JSON streaming technology. MFT-11742/IT35559 - Jetty failure at SEAS startup after upgrade to iFix 03 Customers installing the new SSPCM or SEAS for iFix 03 could not bring up the SSPCM or SEAS. The error message was KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead) The new Jetty for PSIRT ADV0028030 introduced a requirement of having only one CA-signed keycert in the keystore unless using a server form of the SslContextFactory class. The problem could also occur with one Subject Alternative Name (SAN) keycert which has multiple hosts. Resolution: Updated our Jetty instance to use the SslContextFactory$Server class as required when SAN certificates or multiple signed certificates are present in the keystore. MFT-11661/IT35686 - Allow SEAS RESTAPI command line utility to use TLSv1.2 The seasRestAPI command line utility was hardcoded to use the TLS1.0 protocol. Updated the utility and the sample seasRestAPI.properties file to support the new "TLS_PROTOCOL=TLSv1.2" property. Also supports TLSv1 and TLSv1.1. MFT-11747/IT35923 - Error accessing SEAS GUI with Oracle Java 10 from Windows When attempting to start the Webstart GUI from a Windows box with Java 10 installed, it puts out an error message, "class com.sterlingcommerce.hadrian.common.logging.ProxyLog4j2XmlConfig (in unnamed module ...) cannot access class com.sun.org.apache.xerces.internal.parsers.DOMParser (in module java.xml) because module java.xml does not export com.sun.org.apache.xerces.internal.parsers to unnamed module ..." Resolution: Switched to use org.apache.xerces.parsers.DOMParser, which is compatible with Java versions through 10. MFT-11774/IT35934 - SingleSignonServiceImpl getting IllegalStateException: Queue full When SEAS is configured in a token synchronization group and is doing a large amount of token generations, it may exhaust the 5000 default limit for the token synchronization queue, where tokens are added to be sent to other SEAS in the group. This may result in the "ERROR SingleSignonServiceImpl - java.lang.IllegalStateException: Queue full" msg. Resolution: Now prune the queue of any expired tokens and retry the add of a newly created or newly invalidated token to the synchronization queue if the operation fails due to a full queue. Also, cleaned up much of the logging so that the token synchronization messages are not logged to systemout.log, but to seas.log instead. And many of the previous debug messages may only be seen if in TRACE mode. MFT-11869/IT36159 - SEAS silent install fails with bad port error The SEAS silent install recorder was saving the port value as a string rather than numeric, which caused a message that it was out of bounds. Resolution: Now parse either a string or numeric value for the port and validate that is between 1 and 65365. SEAS-1401/ - RESTAPI export/import for certValidation not requiring passphrase for encrypt/decrypt The RESTAPI utility was not requiring a passphrase for encrypting/ decrypting the certValidation artifacts. Resolution: Now ensure the user supplies a passphrase for encrypting/ decrypting the certValidatio artifacts. SEAS-1472/ - RESTAPI import of user fails if role not admin or anon Recent SQL injection validations for user definitions threw exceptions whenever a role other than the defaults "admin" or "anon" was assigned. Resolution: Now take into account any user defined roles other than admin or anon when validating roles for incoming users in the RESTAPI. SEAS-1529/ - SEAS installation logs showing passphrases in plain text On a new install, SEAS echoed the passphrases supplied by the admin into the install log. Resolution: Now mask all passwords and passphrases entered by the user. SEAS-1554/ - EOFException in validateTokenViaGroupMember In a Token Synchronization Group, if one member gets a request to validate a token before the token been broadcast by the authenticating member, it must ask the authenticating member to validate the token and sent it back with the validation response. The sender was sending all the tokens in its cache instead of just the one requested, and this caused an EOFEception on the receiving side, and typically a failure to start the back end session. Resolution: Now send just the one token requested during the validation. SSP-4965/ - Updated code signing certificate for signing jarfiles The code signing certificate for signing jar files expired March 14, 2021. Internal testing with dates beyond the expiration date showed no side effects on starting and running SEAS. However, the Webstart GUI would reject jar files after the expiration date of the signing certificate. Workaround: Use the bin/startGUI.sh script to invoke the SEAS GUI in an X11 session. Resolution: Now sign all jars with an IBM jar signing certificate which expires in 2031. MFT-11853/IT36501 - Invalid Eyecatcher exception in logs SSP logs were showing Invalid Eyecatcher exceptions when interacting with SEAS. There is built in logic to make sure that every header received by SEAS and returned from SEAS has a 4 character eyecatcher as a validation. Resolution: Now dump the eyecatcher when the error happens so that the underlying issue with the send/receive on the SEAS socket can be diagnosed. MFT-11876/IT36502 - ERROR LdapSearcherRetriever - Naming exception iterating search return: Unprocessed Continuation Reference A Customer with an LDAP set up with the "Follow" option may take a longer time to get a complete answer from all subdomains, even if the original answer has been obtained. The LDAP system may throw the above Naming Exception in that case. The Customer's security team wanted this message suppressed if it was not a true error. Resolution: Now put out the LDAP Naming Exception in DEBUG mode if it is of the "Unprocessed Continuation Reference" variety. Other exceptions would still be logged in ERROR mode. MFT-12011/IT36505 - Token synchronization SAML Decoding exception A secondary SEAS attempting to validate a token created on another SEAS in the token group got an exception decoding and adding the token to its local store. In some cases, the token validation succeeded despite the exception. Resolution: Corrected the token decoding process to check all fields for null while creating the local token. Also cleaned up some logging and added some metrics to note the time spent in the broadcast queue, the broadcast turnaround, etc. MFT-12017/IT36712 - SEAS6011 plug-in after iFix 2+ Build 192 causes B2Bi Dashboard GUI to display a blank screen After updating the SEAS SSO plug-in in B2Bi 6.1.0.1 to the SEAS6011 ifix 3+ level, the B2Bi dashboard page is blank. The SEAS6011 iFix 2+ Build 194 added a new authenticaion feature which was intended for a future B2Bi version, and is incompatible with all current B2Bi versions. Resolution: Reverted the SEAS plug-in to the pre-Build 194 level. Note: The SEAS SSO Plug-in is normally farily static and does not have to be updated on B2Bi every time SEAS is upgraded. MFT-12029/IT36505 - Token syncrhonization pruning causing performance issue When the token broadcast queue filled up, each task that was attempting to add to it invoked the pruning method, so that multiple threads were tied up trying to prune the queue. This caused a significant performance issue until the queue size was relieved of expired tokens. Resolution: Turn off the pruning process to correct the performance problem. SEAS-1197/ - DisableEndpointIdentification parm missing on Windows The override parm provided in MFT-10204 was not carried forward in the SEAS lax file, so Customers did not have a reference for setting it to disable endpoint checking to an LDAP server using a SAN certificate. Resolution: Updated the SEAS$$.lax file on Windows to include a commented -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true parameter which the Customer can uncomment if needed. See MFT-10204 for more details. SEAS-1605/ - Clear text passphrase in the seas.log for API request Internal testing showed that when logging in debug mode, certain RESTAPI commands logged the X-passphrase: value in clear text. Resolution: Eliminated the unnecessary logging of the X-passphrase value. MFT-11879/IT37158 - Custom exit parms not passed after upgrade After upgrading SEAS from 2432, the custom exit was not coming up properly because the custom token manager was trying to fully initialize in its constructor rather than when it was called later. SEAS was not sending the parms in the constructor. Resolution: SEAS now retries the initial call to the custom token manager if it fails the first time, so that the parms can be properly passed. MFT-11997/IT36905 - Unable to fetch non-default user password policies for the OpenDJ LDAP server SEAS was only searching the default attribute in which user-specific password policies could be stored by the OpenDJ LDAP server. Fix also known internally as SEAS-1623. Resolution: Now support the OpenDJ password policy attributes pwdPolicySubentry, collectiveAttributeSubentries, and ds-pwp-password-policy-dn. MFT-12001/IT37433 - Lost connection to EA server error during high load During high load when using the XAPI custom exit for authentication through B2Bi, the connection to SI intermittently took too long (6 minutes). This caused SSP to think that SEAS was unresponsive 1 minute later and it took the adapter down: SSP0361E Stopping listener for adapter xxx: !Lost connection to EA server The connection timeout parm in the XAPI exit was not being passed correctly to the HttpClient toolkit. The default connTimeout is 30 seconds which would have allowed the connection to fail and retry before SSP timed its connection out. Resolution: Correctly pass the connection timeout parm in the custom XAPI exit to the HttpClient toolkit. MFT-12044/IT36953 - Improve token broadcasting between SEAS token group members In a SEAS Token Synchronization Group, the broadcast operation of tokens was taking an undue amount of time to send to other members in the group. All tokens were being broadcast one at a time from one thread, which could cause a large backup during high periods of authentication. Resolution: Added a new Token Synchronization Queue Manager Thread Group with a default of 2 threads for broadcasting tokens to each other member in the group. Increase this count by adding -Dseas.token.sync.threads=10 to the startSeas.sh java call lines. MFT-12065/IT37026 - SEAS failing to suppress load balancer pings SEAS was not suppressing the logging for load balancer pings from the IP addresses in the Manage System -> Global -> Load Balancer IP. There was a hidden check box which could not be overridden which allowed the logging. Resolution: Removed the hidden check box so that any addresses in the Load Balancer IP Address field would cause logging to be suppressed from those addresses. MFT-12220/IT37303 - Allow free-format for LDAP Query Match Attribute The Customer needed to limit the number of entries returned for a certificate validation request, but could not specify UserCertificate=* in the matchAttributes filter for a Cert Validation query. The GUI would not allow the *. Resolution: Relaxed the syntax for the objectNames filters in the Match Attributes section of the certification validation query. SEAS-1547/ADV0027664 - Upgrade httpcomponents-client to 4.5.13 An internal scan suggested a newer version of the httpcomponents-client toolkit. Upgraded to the 4.5.13 version of the httpcomponents-client toolkit. This also fixes several serialization and URL processing issues. See https://www.ibm.com/support/pages/node/6471615 for the Security Bulletin. SEAS-1549/ADV0031888 - Resource leakage vulnerability found in scan An internal scan revealed that resources were not being closed properly in all circumstances, resulting in memory leakage. Resolution: Now close the resources properly to avoid the memory issues. See https://www.ibm.com/support/pages/node/6471615 for the Security Bulletin. SEAS-1558/ADV0031895 - Unrestricted document type definition vulnerability found in scan Internal scans revealed an Unrestricted document type definition (DTD) vulnerability. Resolution: Disabled the DTD feature on the DocumentBuilder factory. See https://www.ibm.com/support/pages/node/6471621 for the Security Bulletin. SEAS-1586/ADV0031844 - Upgrade to Cryptacular 1.2.4 An internal scan suggested a newer version of the Cryptacular toolkit Upgraded to the 1.2.4 version of the Cryptacular toolkit. See https://www.ibm.com/support/pages/node/6471621 for the Security Bulletin. SEAS-1588/ADV0031824 - Upgrade Guava: Google Core Libraries for Java to 30.1.1 An internal scan suggested a newer version of Guava: Google Core Libraries for Java. Resolution: Upgraded the Guava toolkit to the 30.1.1 level. This has been re-evaluated and determined to not be a vulnerability. SEAS-1589/ADV0031827 - Upgrade Eclipse Jetty to 9.4.41 An internal scan suggested a newer version of the Jetty toolkit. Resolution: Upgraded the Jetty toolkit to the 9.4.41 level. See https://www.ibm.com/support/pages/node/6471615 for the Security Bulletin. SEAS-1612 - Improperly handled clientConnectionException during SSL Handshake The SEAS GUI client was failing to make a TLS/SSL connection when the default protocol was not set to TLSv1.2 because a ClientConnectionException was not being handled properly. Resolution: Added logic to handle the ClientConnectionException properly so that the retry logic for the connection may kick in. MFT-12363/ - NPE when pointing to new keystore and alias When using the GUI System Settings tabs to add a keystore and keycert alias other than the defaults, the Customer gets a NullPointerException (NPE) and message, "CRUD033E Operation: update failed: Could not load key with alias [sso] in keystore [../conf/system/keystore]: null" Resolution: Corrected the NPE and put out a more meaningful message. MFT-12388/ - SEAS Webstart client not working with newer Oracle Java Some Customers discovered that they were unable to access the SEAS Webstart GUI when using the Oracle Java 8 buid 191 and higher on their WIndows box. It complained about the way the SEAS jars were signed. This is also tracked internally as SEAS-1719. Resolution: Now sign the SEAS jar files using the SHA-256 message digest rather than the legacy SHA1 digest. MFT-12389/IT38148 - RESTAPI authentication definition import failure The SEAS Rest API was unable to export and import an Authentication configuration because the contents were not encrypted during the export, while encryption was expected on the way in. It works if exported as part of a full configuration. Resolution: Added a prompt for the encryption password during the export of an Authentication configuration so that the data is encrypted. SEAS-1505/ADV0028445 - Oracle Java Oct 2020 CPU deferred CVE Resolution: Upgraded the IBM JRE to the 8.0.6.30 level to satisfy the CVEs in the Oracle October 2020 CPU, PSIRT advisory 28445. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484683 SEAS-1522/ADV0029821 - Oracle Java Oct 2020 CPU deferred CVE Resolution: Upgraded the IBM JRE to the 8.0.6.30 level to satisfy the CVEs in the Oracle October 2020 CPU, PSIRT advisory 29821. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484683 SEAS-1537/ADV0031846 - Risky cryptographic algorithm vulnerability This vulnerability was fixed as part of SEAS-1561/ADV0031848. See that defect for more information. SEAS-1557/ADV0031847 - Hard-coded secrets vulnerability An internal security scan revealed the use of a hard-coded password in some SEAS files. Resolution: Now read the truststore password from defTrustStore.xml when loading the truststore for SAML-IDP signature validation. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484685 SEAS-1561/ADV0031848 - Weak hash vulnerability An internal security scan revealed the use of hash values which were not computationally intensive enough. Also tracked internally as SSP-5012. Resolution: Now use a strong salt and a PDKSF2 hashing technique. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484685 SEAS-1595/ADV0029859 - Oracle Java Jan 2021 CPU Resolution: Upgraded the IBM JRE to the 8.0.6.30 level to satisfy the CVEs in the Oracle January 2021 CPU, PSIRT advisory 29859. See the Security Bulletin at https://www.ibm.com/support/pages/node/6484683 SEAS-1657/ - Update SEAS B2Bi plugin to work in all versions of B2Bi The SEAS plug-in which allows B2Bi to connect to SEAS for authentication and token validation was not able to work with pre- and post-B2Bi 6.1.1 versions. Also tracked internally as SEAS-1709 and SEAS-1718. Resolution: Worked with the B2Bi team to ensure that the SEAS plug-in works for pre-B2Bi 6.1.1 and for the features in 6.1.1. SEAS-1666/ - User with Anon role can shut down SEAS server from GUI A SEAS GUI user with the non-Admin role of Anon has most everything grayed out in the GUI, but does have access to File/Shutdown Server. Resolution: Now grey out the Shutdown Server option in the GUI for non-Admin users. SEAS-1713/ - Unable to save secure connection configuration from Webstart under Oracle Java When running the SEAS Webstart GUI under Oracle Java, e.g. on a Windows system and attempting to configure a TLS connection, the application was not able to find the "SHA2DRBG" algorithm. Running it under the IBM Java it works as expected. Resolution: Updated the Webstart GUI logic to support both the IBM and Oracle Java. SEAS-1720/ - Keep the hash value for ssotokens consistent in debug logs While doing work on hash values in SEAS-1537 and SEAS-1561, it was noticed that SSO tokens were not being logged consistently, which made it hard to keep track of session flows. Resolution: Created a separate hash function without the salt used for logging the SSO tokens. SEAS-1733/ - Add java.security.override file to allow disabled TLSv1 The java.security file provided with the IBM JRE 8.0.6.30 disables the TLSv1 and TLSv1.1 protocols, leaving only TLSv1.2 as an option. Many Customers still have configurations which use TLSv1 for LDAPs or for connections from SSP. Resolution: Add a new java.security.override file in the conf directory with instructions on how to override keywords in the java.security file. Point to the new file when invoking startSeas, startGUI, stopSeas and the Windows services. Back up and replace it with each new install. ACTION: For this iFix, the TLSv1 and TLSv1.1 protocols continue to be allowed. In the next iFix, they will be disabled by default. Customers should change all TLS connections to use the TLSv1.2 protocol. MFT-12464/IT38350 - Old Windows service not deleted when upgrading Doing an upgrade of SSP6011 to SSP6020 on Windows, the old Windows service name was not deleted. Resolution: Updated the InstallAnywhere deck to remove old SSP or SEAS services from x.4.2.0 through 6.0.1.1 if the install directory matches the executable path in the old service. MFT-12468/IT38244 - OKTA SAML Response verification issue During SAML Token Validation in SEAS, if the idpAlias cert name is not configured in the SSO tab of SEAS and/or the idpAlias cert is not in the SEAS configured truststore, a NullPointerException occurs which causes the SAML token validation to fail. Resolution: Now validate the existence of the idpAlias cert before doing SAML signature validation in SEAS. If a problem, put out message: Specified IdP certificate alias: [ ] does not exist in SEAS truststore MFT-12500/ - DEBUG logging though log4j2.xml says INFO The Customer noticed that even though they had the Root level logging in SEAS/conf/log4j2.xml set to INFO, they were getting DEBUG messsages. They did not realize the (little known) fact that the logging value in the GUI overrides the value in the log4j2.xml file. Resolution: Added the following comment above the Root level line in log4j2.xml: "The Root level logging value is overridden at startup by the value in the SEAS GUI Manage System Settings Globals tab." SEAS-1761/ - Plaintext admin.xml created during upgrade, SEAS won't come up When the SEAS admin creates new userids with admin authority and deletes the admin user, the next upgrade of the product inserts a plaintext copy of the /conf/haas/users/admin.xml but does not encrypt it. This causes a failure at startup. Workaround: Delete the plaintext admin.xml file and restart SEAS. Resolution: Now only install a copy of the admin.xml on a new install, not an upgrade. MFT-12550/IT38601 - SEAS not working with Oracle Internet Directory The LDAP query for an Oracle Internet Directory was not working because SEAS assumed that the query must start with "cn=" rather than "uid=" or something else. Resolution: Now adjust when the LDAP DN does not start with "cn=" in order to perform the DN validation. SEAS-1196/ - Allow setting passphrases for keystore and truststore For new installs, the passphrase for the default JKS keystore and truststore were were always "password" and "changeit". Resolution: For new installs, prompt for the passphrases to use for accessing these files. SEAS-1350/ - Various issues reported by internal code scans Internal code scans revealed potential issues in several areas: synchronized Lock/Wait, field validation, weak password hashing, unrestricted document type, resource leak Resolution: Corrected the issues to use best practices and reran the scans to ensure compliance. Also tracked internally with defects SEAS-1449, SEAS-1451 ,SEAS-1536, SEAS-1638, SEAS-1755, SEAS-1757 SEAS-1454/ - Add Hostname Verifier in Health Check Monitoring Resolution: Added a checkbox in the Health Check Monitoring tab to validate that the certificate coming from Control Center matches the hostname we are connecting to. SEAS-1461/ - Use more efficient Java Script engine for queries Resolution: Enhancement to upgrade the Java Script engine that SEAS uses for LDAP searches to Nashorn. This engine is more efficient and has a smaller memory footprint. SEAS-1470/ - Apply default password policy on passphrase used for RESTAPI exports The RESTAPI prompts for a passphrase to encrypt sensitive information, but the only requirement has been that it be at lease 8 characters long. Resolution: Now apply the default password policy on the passwphrase chosen and prompt again if necessary for a compliant passphrase. Also, ensure that all exports for sensitive information supply a valid passphrase. SEAS-1507/ - Update SEAS to support TLSv1.3 Resolution: Enhancement to support the TLSv1.3 security protocol for connections to SEAS. The TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256 ciphers are supported. SEAS-1509/ - Support multiple ICC EP support in SEAS Resolution: Enhancement to support multiple Control Center Event Processors (EPs). Post events to the current EP in the list until it encounters an error, then move to the next one in a circular list. If all EPs fail, wait for a specified time and try again. SEAS-1600 added RESTAPI support. SEAS-1553/ - RESTAPI - Show appropriate message if the passphrase was actually used to encrypt/decrypt sensitive information Resolution: Added a message to the RESTAPI response when the passphrase is used to encrypt or decrypt sensitive data. Export example: SEAS Configuration export operation succeed. – Since there is sensitive data to be encrypted in the exported configuration, the passphrase provided was used. SEAS-1565/ - Enforce password policy when creating new user When creating new users in the SEAS user store, the password policy could be selected as None. Resolution: In keeping with security standards, now force the admin to select a password policy for the new user being created. SEAS-1710/ - Online Certificate Status Protocol (OCSP) for certificate validation OCSP allows a generally faster alternative to Certificate Revocation Lists (CRLs) or Distribution Points (DPs). Resolution: OCSP support in SEAS is implemented through a custom exit, which is compiled by the customer. For more information, please see https://www.ibm.com/docs/en/external-auth-server/6.0.3? topic=securing-configuring-online-certificate-status-protocol-ocsp-validate-certificates SEAS-1713/ - Unable to save secure connection configuration from Webstart under Oracle Java When running the SEAS Webstart GUI under Oracle Java, e.g. on a Windows system and attempting to configure a TLS connection, the application was not able to find the "SHA2DRBG" algorithm. Running it under the IBM Java it works as expected. Resolution: Updated the Webstart GUI logic to support both the IBM and Oracle Java. SEAS-1723/ - RESTAPI import fails with alternate keystore Using the RESTAPI to create an alternate keystore, the import fails with, [sysSslInfoDef field keyStoreFile must be specified as ../conf/system/keystore] which suggests that the import is expecting the default name. Resolution: Corrected the hard-coded keystore and truststore names expected in the RESTAPI. SEAS-1749/ - SEAS uses Java security file that disables TLS1.0 The jre/lib/security/java.security file which ships with the IBM JRE now disables the TLSv1 and TLSv1.1 security protocols by default. Customers are encouraged to use the TLSv1.2 protocol. Resolution: Now ship a conf/java.security.override file which allows the Customer to enable the TLSv1 and TLSv1.1 protocols. ACTION: With 6.0.3.0, TLSv1 and TLSv1.1 security protocols are disabled by default. If your shop is not ready to disable them, remove the "#" from the following line in the conf/java.security.override file to take TLSv1 and TLSv1.1 off the disabled algorithms list: #jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, ... SEAS-1752/ - Support for hostname verification in RESTAPI Resolution: Added "ENABLE_HOSTNAME_VERIFICATION=false" in the seasRestAPI.properties. To enable hostname verification on the CM certificate, set this property to true to assure the CM is using a certificate whose subject or subject alternate names matches the hostname or IP. SEAS-1785/ - Upgrade thirdparty jars for SEAS 6.0.3.0 Resolution: Updated the following third party jars: commons-io-2.11.0.jar jdom-1.1.3.jar log4j-*-2.14.1.jar xmlsec-2.2.3.jar MFT-11975/IT39083 - Broken Pipe issue using XAPI authentication to B2Bi When using the SIUserAuthExit Custom exit to do authentication against the B2Bi user store via the XAPI interface, the Customer was seeing Broken Pipe exceptions during high activity. Sockets created for the persistent connection between SEAS and B2Bi were being closed after the time specified by the inactivity timer, rather than waiting for the sockets to be inactive. Resolution: Now honor the inactivity timer for persistent sockets and close them only after they have been inactive for that long. MFT-12618/ - Set Maxheap on Windows via LAX file lax.nl.java.option.additional parm Java Max Heapsize for Windows services was not honoring the lax.nl.java.option.java.heap.size.max in the $LAX file. Resolution: Updated comments in the bin\SEAS$$.lax file to override the Max heap via the lax.nl.java.option.additional property. MFT-12763/ADV0040089 - Log4j CVE-2021-44228 JNDILookup issue HIPER: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Resolution: Now supply log4j 2.15.0, where this behavior has been disabled by default. SEAS-1902/ADV0040239 - Log4j CVE-2021-45046 JNDILookup issue Apache Log4j is vulnerable to a denial of service, caused by an incomplete fix of CVE-2021-44228 in certain non-default configurations. A remote attacker with control over Thread Context Map (MDC) input data or a Thread Context Map pattern to exploit this vulnerability to craft malicious input data using a JNDI Lookup pattern and cause a denial of service. Resolution: Now supply log4j 2.16.0, which corrects this behavior. Follow-on in Build 205: Added extra check to validate requests from Webservices clients to ensure they cannot access lib resources. MFT-12817/ - NullPointerException during LDAP search operation LDAP authentication failing with “ERROR LdapSearcherRetriever - java.lang.NullPointerException” (NPE). SEAS was using a null message to check if an error occurred during an LDAP operation which specified "follow" for referral. Resolution: Now verify that the message associated with the follow operation is not null before attempting to analyze it. SEAS-1898/ADV0040738 - Log4j CVE-2021-45105 JNDILookup issue - Follow on Apache Log4j is vulnerable to a denial of service, caused by the failure to protect from uncontrolled recursion from self-referential lookups. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input data that contains a recursive lookup to cause a StackOverflowError that will terminate the process. Resolution: Now supply log4j 2.17.0, which corrects this behavior. See the Security Bulletin at https://www.ibm.com/support/pages/node/6538102 SEAS-1908/ADV0040204 - Upgrade all Log4j 1.x to 2.17.1 Resolution: Updated SEAS to remove all dependance on Log4j 1.x and use the 2.17.1 level to satisfy CVE-2021-4104. The 2.17.1 level also satisfies CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. See the Security Bulletin at https://www.ibm.com/support/pages/node/6538954 SEAS-1912/ADV0040951 - Log4j CVE-2021-44832 JNDILookup issue - Follow on Description: Apache Log4j could allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system. By constructing a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI , an attacker could exploit this vulnerability to execute remote code. Resolution: Now supply log4j 2.17.1, which corrects this behavior. The 2.17.1 level addresses CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. See the Security Bulletin at https://www.ibm.com/support/pages/node/6538684 MFT-12495/IT39273 - New JRE breaks FIPS mode processing The upgrade to IBM JRE 8.0.6.30 introduced the new IBMJCEPlusFIPS provider which was not understood by SEAS when FIPS is enabled. SEAS was using the IBMJCEFIPS provider. Resolution: Converted SEAS to use the new IBMJCEPlusFIPS security provider when started in FIPS mode. Also tracked internally as SEAS-1867 SEAS-694/ADV0038393 - Validate input size limits (Jetty) The Jetty web server in the web GUI was not enforcing a maximum form content and the maximum HTTP header length was hard-coded to 3548. A malicious internal user could craft a large payload to disrupt service. Resolution: Added the maximum form content size and maximum HTTP header length in the Manage/System Settings/Globals tab of the SEAS GUI. See the security bulletin at https://www.ibm.com/support/pages/node/6558928 SEAS-1745/ADV0038390 - Path traversal and field validation issues Internal testing found that SEAS RESTAPI processing was vulnerable to path traversal and SQL injections, due to not properly validating the RESTAPI configuration data on import. A malicious authorized user could import data which could be used for an attack. Resolution: Added the appropriate field validations and failure messages. Also tracked internally as SEAS-1746. See the security bulletin at https://www.ibm.com/support/pages/node/6558928 SEAS-1921/ - New install fails to start with javax.crypto.IllegalBlockSizeException During internal testing of a new install (not an upgrade), the support calls done for encrypting the configuration during the InstallAnywhere phase were failing because the classpath was pointing to the wrong location for a couple of jar files. On startup, the configuration files could not be decrypted, resulting in the error message. Resolution: Corrected the classpath issues in the InstallAnywhere deck to ensure that all internal utilities have the correct classpath. MFT-12942/ - LDAP Multiple domain search issues SEAS was not decoding LDAP encoded search results from an AD Multiple Domain Search and also failed to extract the DN from the FQDN results. Resolution: Now properly decode LDAP search results from an AD multi-DOMAIN search and extract the DN. MFT-12972/ - Handshake failures with FIPS enabled and RSASSA-PSS, RSAPSS not disabled Customers with FIPS enabled may get handshake failures when verifying key signatures. Resolution: Add an example line in the conf/java.security.override file to disable the RSASSA-PSS, RSAPSS algorithms causing the FIPS errors. Customers may uncomment the line to disable these algorithms. MFT-13162/ - Attribute query error with a new SEAS profile (Implement MFT-12550 in 6030) Resolution: The fix for MFT-12550 did not make it into 6030. This is now resolved. SEAS-1590/ADV0031889 - Hostname verification Internal scans indicated that SEAS should do host name verifications during SSL/TLS connections to ensure that the certificate matches the hostname. Resolution: By changing the host.name.verification.enabled=false parameter to true in the bin/security.properties file, SEAS will do additional hostname checking on the certificate to make sure that it matches the hostname of the system it is coming from. See the Security Bulletin at https://www.ibm.com/support/pages/node/6586756 SEAS-1907/ADV0034524 - Oracle Java Jul 2021 CPU SEAS-1910/ADV0038361 - Oracle Java Oct 2021 CPU SEAS-1933/ADV0043610 - Oracle Java Jan 2022 CPU Resolution: Upgraded the IBM JRE to the 8.0.7.5 level to satisfy the CVEs in the quarterly Oracle July 2021, October 2021 and January 2022 CPUs. These are addressed in PSIRT advisories 34524, 38361, and 43610. See the Security Bulletin at https://www.ibm.com/support/pages/node/6586700 MFT-13171/ - Webstart OpenJDK client fails to start SEAS GUI fails to start via webstart when OPEN JDK is the client JRE. Resolution: Corrected the GUI code to enable OPEN JDK to download guilog4j2.xml. SEAS-1992/ADV0049489 - Upgrade Eclipse Jetty to 9.4.48 SEAS-2249/ADV0059312 A newer version of the Jetty toolkit is available. Resolution: Upgraded the Jetty toolkit to the 9.4.48 level to address several vulnerabilities. See https://www.ibm.com/support/pages/node/6608554 for the Security Bulletin. SSP-5756/ADV0040204 - Upgrade all Log4j to 2.17.2 Resolution: The product has been upgraded to use the Log4j 2.17.2 jars. See https://www.ibm.com/support/pages/node/6608552 for the Security Bulletin. MFT-13549/IT41719 - SAML Token Restriction issue SEAS was not properly validating the SAML Assertion signature from a third party SSO SAML2 token provider, allowing an insecure assertion. Resolution: Added logic to throw an exception and fail a SAML Assertion which has no signature when it is encountered. Note: To turn off the exception message, "SAML Assertion must have a valid signature block", add the -Dseas.enforce.saml.signature.validation=false Java parm to the SEAS startup script. MFT-13525/ - SSL Handshake failing with PingID Server from SEAS custom exit Customer has a customer SEAS exit to connect to a PingID server. It was getting an SSL handshake failure because it was expecting the Java default jsse.enableSNIExtension=true to be set. This had been set to false for a legacy fix. Resolution: Added the -Djsse.enableSNIExtension property to the SEAS startup scripts so that an admin user could set and modify it. MFT-13576/ - Token Synchronization slow with only 2 threads Resolution: Increased the default worker threads to 10 when token synchronization is enabled. MFT-13776/ - Token sent as Password is too long Customer was sending a token in the password field to be validated by a SEAS custom exit. The token was over 1000 characters and the SEAS password maximum length was hardcoded to 128. Resolution: Added a -Dseas.maximum.password.length.override=XXXXXX in the startSeas scripts to allow the maximum password length to be extended. SEAS-2485/ - Mapped Credential functionality failing Mapped Credential functionality based FindUserDN LDAP query was failing due to an extra bracket character used in the construction of the LDAP query scripting. Resolution: Removed the extra bracket and also changed logic to be able to handle Application Output that was constructed using the old format using the extra square bracket. SEAS-2843/ - Remove weak ciphers in default ciphers for TLSv1.2 Resolution: Removed CBC ciphers from or default list of ciphers when selecting the TLSv1.2 protocol. They are now considered weak. MFT-13463/ - Native memory leak in IBMJCEPlus provider SFTP Customers were reporting a native memory leak. Over days or weeks their memory usge showed to be using a larger percentage of the system native memory. Running with the IBMJCE provider ahead of the IBMJCEPlus provider in the jre/lib/security/java.security file provided some mild relief. Resolution: The IBM Java team found a memory leak in the IBMJCEPlus provider and provided the 8.0.7.16 JRE with the IJ44040 fix applied. MFT-13737/ - HSM manageCSR -update unable to add certificate from CA SSP Customer using an HSM device with FIPS turned on were unable to successfully use the GenerateCSR operation to create a certificate keypair. Resolution: The IBM Java team updated the temporary signing operation done during keypair generation in the IBMPKCS11 HSM code to utilize SHA256withRSA. They provided the 8.0.7.16 JRE with the IJ44075 fix applied. SEAS-1413/ - Upgrade cipher for encrypting the configuration files. Internal scans showed that the algorithm used to encrypt configuration files was not computationally intensive enough. Resolution: Changed the existing encryption algorithm from "PBEWithSHAAnd3KeyTripleDES" to "PBEWithHmacSHA512AndAES_256" and also added backward compatibility code. SEAS-2161/ - Include iFix, Build, and Platform in SEAS startup, shutdown messages Resolution: Include the iFix, Build, and Platform in SEAS startup and shutdown messages in the seas.log file. SEAS-2541/ - NPE in SEAS plugin with B2Bi - jdom incompatibility After applying newer jdom 2.0.6.1 toolkit for SEAS 6.1, the B2Bi plugin received a NullPointerException (NPE). The newer jdom classes were not compatible with the older classes in the B2Bi jdom jar. Resolution: Now package the newer jdom jar with the SEAS plugin so that it does not depend on the jdom jar in B2Bi. Tested with older and newer versions of B2Bi to verify compatibility. SEAS-2451/ - Remove the startup bootstrap listener on port 61367 In previous releases, SEAS opened a listening port on 61367 to get bootstrap information from itself for startup. Resolution: The startup process has been revamped to no longer require the bootstrap port. SEAS-2756/ - Avoid spurious errors in Attribute Queries Some processing in the attribute query area could delete objects before they were de-referenced. Resolution: Created a common validator for attribute query updates which works for the old RESTAPI and the new GUI RESTAPI. SEAS-2792/ - ADV0034524 - Oracle Deferred CVE from Java Apr 2021 CPU When JAR files signed with SHA-1 are disallowed (now the default behavior), they may not be rejected in some circumstances. (CVE-2021-2163) Resolution: The fix ensures that JAR files signed with SHA-1 are always rejected when SHA-1 is disabled via the jdk.security.legacyAlgorithms security property. This iFix delivers IBM JRE 8.0.7.16. SEAS-2843/ - ADV0054062 – Insecure TLS/SSL in use Resolution: Moved TLS ciphers which use SHA1 or CBC out of the default selected ciphers lists. SEAS-2892/ - Ambiguous error message when deleting referenced policy The error message produced when deleting a referenced password policy were different in the GUI and REST APIs. Resolution: Now produce a standardized error message for both APIs: A referenced Password Policy [policy1] may not be deleted until it is dereferenced. SEAS-2893/ - SEAS RESTAPI export/import failing on CCPort validation Exporting the full SEAS config and importing it again was not working as the health check CCPort had a value of 0. Resolution: Removed the validation on the CCPort as the facility to change it no longer exists in the new web-based GUI. SEAS-2906/ - Unable to create attribute assertion query if it contains string "attr" If an attribute assertion contains the "attr" string in its assertion data then it throws: ERROR ApplicationExceptionHandler - java.lang.StringIndexOutOfBoundsException: begin 1, end -1, length 1 Resolution: Corrected the evaluation assertion logic to correctly handle the "attr" string in the data. SEAS-2909/ - GUI Help/About not showing iFix level with build info Resolution: Updated the About screen to display the iFix level. MFT-13889/ - SEAS GUI read only access not working The SEAS GUI does not allow profiles to be viewed when a user is assigned a role with only the "READ" attributes selected for SEAS operations. Resolution: Now allow configured profiles to be viewed when the "READ" role attribute is assigned. MFT-14024/ - XAPI authentication to SI not working after upgrade to SEAS 6.1 After upgrading to SEAS 6.1, the Customer's XAPI authentication through the SEAS custom SIUserAuthExit_Xapi exit began failing. They were getting ERROR - com.sterlingcommerce.hadrian.api.SEASCustomExitException: AUTH071E Authentication failed for (Reason: invalid HTTP basic authentication credentials for ) The B2Bi admin password saved in the custom exit properties was changed to a character array for security purposes and was not being converted back to the correct format to pass to B2Bi. Resolution: Now correctly convert the password to the format expected by the B2Bi XAPI interface. SEAS-1987/ADV0054854 - Generate unique vector during install to use for encryption Internal scans showed that the Initialization Vector (IV) used to seed encryption operations in the product was the same for all installations. Resolution: For new installs only (not upgrades), generate a unique IV for that installation and save it in the ./conf/system/iv.enc file. This is CVE-2022-35720. See https://www.ibm.com/support/pages/node/6890669 for the security bulletin. SEAS-2916/ADV0060993 - Upgrade axios toolkit to 0.26.0 Internal scans showed that a CVE (CVE-232247) had been raised against the version of the Axios toolkit shipped with SEAS. We are proactively upgrading the toolkit to satisfy Customer scans. Resolution: Upgraded the axios toolkit to 0.26.0. See https://www.ibm.com/support/pages/node/6890669 for the security bulletin. SEAS-2917/ADV0038730 - Upgrade normalize-url toolkit to 6.1.0 Internal scans showed that a CVE (CVE-2021-33502) had been raised against the version of the normalize-url toolkit shipped with SEAS. We are proactively upgrading the toolkit to satisfy Customer scans. Resolution: Upgraded the normalize toolkit to 6.1.0. See https://www.ibm.com/support/pages/node/6890669 for the security bulletin. MFT-14019/ - Web GUI SSL issues after upgrade to SEAS 6.1.0.0 After upgrading to SEAS6100, the Jetty/web-server failed to make a secure connection with the SEAS backend 61366 port because the trust cert chain (server/leaf cert) was not available in the SEAS truststore. Resolution: Now ensure during SEAS6100 upgrade that the public alias associated with the keycert alias in the keystore is in the SEAS truststore. If not, add it to the SEAS truststore. MFT-14066/ - SEAS 6.1.0.0 upgrade on Windows does not remove 6.0.3.0 service When upgrading to SEAS6100 on Windows, the new SEAS_V6.1.0.0 service was added, but the old SEAS_V6.0.3.0 service was not removed. Resolution: Updated the InstallAnywhere directives to remove the SEAS_V6.0.3.0 service if it points to the same directory the upgrade happened in. MFT-14080/IT43248 - Unable to save defSslInfo SSL config across restart of SEAS6100 When an authentication profile is configured with the default SSL configuration profile, any changes get reset after the SEAS server is restarted. Resolution: Now ensure that any changes to the default defSslInfo are honored across a restart. MFT-14096/IT43249 - SFTP password authentication not working after SEAS6030 upgrade After upgrading from SEAS 2432 to 6030 iFix 5, the SSH password authentication failed because the SSO token manager object was null and the operation got a NullPointerException. Resolution: Now validate the SSO token manager pointer is non-null before entering code that uses it. SEAS-2939/ - Increase internal encryption key length to 256 bits Resolution: Increased the length of the internal encryption key from 128 to 256 bits to make it more computationally intensive. SSP-6217/ - Drop stray copies of Log4j 2.17.1 jars in seasrest war The Log4j 2.17.1 jar files had been checked in directly to the ./conf/jetty/webservices/webapps/seasrest/WEB-INF/lib directory in a a previous fix and were not removed, while the 2.17.2 jars were placed next to them during the build process. Resolution: Removed the Log4j 2.17.1 jars from the seasrest directories. Also streamlined the checkout process to eliminate old duplicate jar files. MFT-14028/ - Unable to login to SEAS 6.1 when FIPS mode is enabled In SEAS 6.1, the GUI session was attempting to connect to the SEAS server in order of descending TLS protocol, starting with TLSv1,3, then if that connection failed, try TLSv1.2, etc. When FIPS mode was enabled, the JRE complained that TLSv1.3 was not FIPS enabled, so the connections stopped. Resolution: Now configure the connection with TLSv1.2 by default so that if FIPS mode is enabled, the connection will still work. If the defSslInfo configuration is updated, the connection info will follow suit. MFT-14085/IT43450 - SEAS 6.1 New User GUI requires password even when userid is external The SEAS 6.1 New User screen was requiring the password policy, password, and confirm password fields to be filled in, even when the user was defined as an external user (i.e. defined in LDAP). A user defined in LDAP already has the password confirmed, and follows its own password policy guidelines. Resolution: Updated the New User screen to first check whether the user is defined as local or external. Only if local, require the password and password policy values. MFT-14108 - SEAS custom exit after upgrade to 6.1.0.0 gets java.lang.String incompatible with [Char] The custom exit failed after upgrading to SEAS6100 because the password value was being passed as a string into the custom exit instead of as a character array (char[]). This was caused by earlier fix SEAS-1707. Resolution: Fixed on 2 fronts: Updated the custom exit sample java code to allow receiving the password as a character array or as a string. Also updated the method which calls the custom exit to pass the password as a character array, as was always done prior to SEAS 6.1. MFT-14239/IT43518 - LDAP password change issue on SEAS 6.1 After upgrading to SEAS 6.1, a password change operation for a userid in LDAP was resulting in a StackOverflowError due to the password being passed to encryption in the wrong format. This was caused by earlier fix SEAS-1707. Resolution: Now correctly call the encryption operation with the password in the expected format. SEAS-2934/ - Apply password policy to SEAS key/trust store passwords Resolution: On a new install, apply the same password policy requrements (length, special characters, etc) to the new SEAS key/trust store passwords ss is done for the admin passphrase. Note: Defect SEAS-2935 handles the same for the silent install. MFT-14242/ - SEAS secure GUI not working after upgrade to SEAS 6.1 When upgrading from an older version of SEAS (2.4.3.2) which did not specify a secure session for the 9080 port nor use a secure session for the connections to SEAS, the connections to both were failing. The default TLS version was not being set during upgrade from SEAS2432 to SEAS6100. Resolution: Now set the default TLS version to TLSv1.2 when the value is null or blank or empty. Resolution Part 2: Update SEASCipherConfigTool to allow the -n option to validate and set keycerts before the SEAS server could be started SEAS-2890/ADV0070229 - IBM Java CPU Oct2022 CVE-2022-21628 - CVSS 5.3 SEAS-2914/ADV0070230 - IBM Java OpenJ9 - CVE-2022-3676 - CVSS 6.5 SEAS-2948/ADV0077814 - IBM Java CPU Jan2023 CVE-2023-21830 - CVSS 5.3 SEAS-2950/ADV0081465 - IBM Java XML vulnerability deferred from Oracle Apr 2022 CPU CVE-2022-21426 - CVSS 5.3 Resolution: Upgraded the IBM JRE to the 8.0.8.0 level to satisfy the CVEs in the quarterly Oracle October 2022 and January 2023 CPUs. See the Security Bulletin at https://www.ibm.com/support/pages/node/6987177. SEAS-2963/ - SEASConfigCipherTool utility does not allow CBC ciphers The SEASCipherConfigTool had been updated to not allow CBC ciphersuites for the TLSv1.2 protocol, which was limiting some legacy Customers. Resolution: Now revert to allowing the CBC ciphers to be added for the TLSv1.2 protocol. MFT-14403/IT43978 - Authenticating to LDAP gets No trusted certificate found when doing SFTP password and key auth SSL Connection data was not being properly initialized during LDAP Service Principal connection with the LDAP server Resolution: Added logic to check if sslInfoName has been resolved to its concrete value. SEAS-1831/ - Unable to add two EPs with same IP/Hostname Current SEAS logic does not allow for EPs with same IP/Hostname to be added to the IP/Hostname table Resolution: Now allow EPs with same IP/hostname to be added to the EP IP/Hostname table as long as the ports are different SEAS-1900/ - EP table's validation failing for HostName in GUI EPs do not update properly, when user tries to delete all EPs from the list. Validations were working only if healthcheck monitoring was enabled Resolution: Moved the valdiation code outside of healthcheck monitoring so that validations are performed regardless of healthcheck monitoring is enabled or disabled. Also added extra valdiations for EP table to make rest and GUI valdiations in sync. SEAS-2928/ - Web GUI does not mask admin passphrase in Custom exit properties Properties in custom Exit, pre-custom Exit, post-custom Exit, containing "password" or "pwd" or "passphrase", their values were not being masked Resolution: Always mask the properties value which have sensitive info like password, passphrase. SEAS-2952/ - SystemHealthCheck GET command Rest API throws nullPointerException (NPE) Nullpointer Exception when there are no EPs present in system Health Check Monitoring Resolution: Added a check to avoid NPE if no EP is present in system health check tab while get/import. SSP-6408/ - Support for SSH Key Signature Verification Ehancement to support SSH Public Key signature verification in SEAS custom exit for SSH key authentication Resolution: Changes are made in SSP6030 iFix7Plus to provide additional data collected during key authentication in the SEAS key authentication request. This will be made available to key authentication custom exit in SEAS. Also tracked internally as SSP-6105. MFT-14546/ - GUI - Hostname Verification = Yes saved, then shows as No Customer is enabling the hostname validation. However, it shows as “No” after trying to edit after saving the validation. Resolution: Now ensure that hostname validation checkbox value is displayed correctly after saving the screen SEAS-2989 - The Flag that is used to control Client Endpoint Identification for Jetty Http Server was not specified in SEAS startup script Customer wants the ability to control Endpoint Indentification for Jetty Http, but the flag was not available in SEAS startup script Resolution: Added the java system flag -DseasDisableClientEndpointIdentification=false to the SEAS startup script for enable/disable Client Endpoint Identification by Jetty Http Server. Also tracked internally as SEAS-2997 SEAS-2990 - SEAS server is not properly handling an empty message returned by the LDAP server When LDAP bind operation returns a null message, the SEAS server was not properly processing the returned message, which results in a null pointer exception Resolution: Added logic to check for empty or null message, when response is received from the LDAP server. SEAS-3003 - SEASConfig API export failed with NullPointerException when keystore and truststore specified in SysSslInfoDefinition does not exist Stand-alone keystores are no longer supported, and because of this, the previous logic that expected stand-alone keystores was not chnaged to the current behavior of non-support ofstand-alone keystores Resolution: Added logic to check to make sure that the keystore and truststore location that were to be exported does exist. SEAS-3006 - The values of properties in custom Exit that contain "password" or "pwd" or "passphrase", were not being masked The values of properties in custom Exit that contain "password" or "pwd" or "passphrase" were not masked when a custom exit is configured in SEAS. Resolution: Applied code fix to mask the properties value which have sensitive info like password, passphrase. SEAS-2959/ADV0083078 - Updated jettison version to 1.5.4 Multiple vulnerabilities affect Codehaus Jettison older version Resolution: Upgraded version of jettison to 1.5.4 SEAS-2960/ADV0083296 - Updated velocity version to 2.3 Apache Velocity is vulnerable to remote code execution Resolution: Upgraded version of velocity to 2.3 SEAS-2964 - SEAS full config import failed while importing user due to missing password policy tag SEAS older version do not have passwordpolicyId mandatory, so when upgrading to SEAS6100, this causes an exception to be thrown. Resolution: Applied a fix to set passwordPolicyId as "defPasswordPolicy" if passwordPolicyID is null for User profile which have null Authentication Profile selected. SEAS-3009 - Issue with stop server from SEAS UI dashboard The response object was not mapped properly in GUIAgent for bad passphrase and -v program argument was missing in startup script Resolution: Mapped String reponse object and added -v option in startup script. SEAS-2919 CLONE - Update JDOM in SEAS6030 plugin The current B2Bi versions (6.1.x) use older than 2.0.6.1 version of jdom jar. The newer jdom classes are not compatible with those in the older jdom jar. This caused the error when using the plugin. Resolution: Package JDOM.jar with SEAS PLUGIN SEAS-2965/ADV0084109 - Upgrade Jetty version to v9.4.51 from v9.4.48 Upgrade of version is required for Jetty. Resolution: Upgrade jetty v9.4.48 to v.9.4.51 SEAS-3014/ADV0088146 - IBM Apr 2023 Java CPU IBM JRE must be updated to 8.0.8.5 version Jetty Upgrade JRE to 8.0.8.5 SEAS-2969/ADV0083077 - Container - Silent install may log credentials SEAS-693/ADV0038395 - ThreatModel - Sanitize Credentials and Cryptographic keys from memory SEAS-2959/ADV0083078 - Multiple vulnerabilities affect Codehaus Jettison SEAS-2960/ADV0083296 - Apache Velocity is vulnerable to remote code execution (RCE) SEAS-2965/ADV0084109 - Upgrade Eclipse Jetty to 9.4.51 SEAS-3031/ADV0093561 - Java deserialization filters (JEP 290) ignored during IBM ORB deserialization SEAS-3014/ADV0088146 - IBM Apr 2023 Java CPU Resolution: Upgraded various toolkits to current levels to satisfy the CVEs in PSIRT advisories. See the Security Bulletin at https://www.ibm.com/support/pages/node/7029765. MFT-14716 - SEAS Extended key usage does not permit use for TLS client authentication - Solution needed to use SEAS different certs for Client and Server authentication. Extended Key Usage does not permit use of Server Keycert for TLS Client Authenticatrion. Resolution: Implement logic to enable SEAS admin user to set SSL Config for SEAS client, via the command-line script (SESACipherConfigTools) MFT-14940/IT44697 - Customer is using SEAS to integrate with PEM and LDAP, but invalid ApplicationOutput value was being returned for multi-valued attributes Description: When SEAS generates ApplicationOutput for clients and an LDAP attribute is multi-valued, SEAS generates hyphenated indexed values Resolution: Added logic to SEAS to generate a concatenated version of the multi-valued LDAP attribute, in addition to hyphenated indexed values MFT-14706 - Password with Danish Character is not working when use is logging into SSP's HTTP-SSO page Description: XML data was not been encoded with UTF-8 character set Resoution: Added logic to encode XML data with UTF-8 character set MFT-14952 - Upgrade Bouncycastle security provider ver to 1.76 Description: Upgrade of version is needed for both FIPS and non-FIPS Bouncycastle secruity provider Resolution: Upgraded Bouncycastle v1.73 to v1.76 and upgraded Bouncycastle FIPS from version 1.0.2.3 to version 1.0.2.4 MFT-14999 - Secure connection between SEAS6100 and B2B XAPI adapter is not working Description: XAPI custom exit configured with secure connection fails during SSL handshake Resolution: Added logic to consume configured SSL configuration during XAPI custom exit initialization