Hi Scott,
Apologies if what I am asking is not related here.
I have upgraded one of my environments from ISVA 10.0.3.0 to 10.0.3.1, and before that the Security Directory Server was upgraded from 6.4.0.24 to 6.4.0.25.
After the above upgrades, the business users who use the portal to log in for their daily tasks find that it fails to load with a system error.
The following is seen in their browser console logs:
Failed to load resource: the server responded with a status of 401 (unauthorized)
and the following in their Splunk logs:
response_body: { "httpCode":"401", "httpMessage":"Unauthorized", "moreInformation":"Failed to connect to introspection endpoint" }
I have restored the snapshot taken before the start of the change, but the same error still appears.
Was something corrupted after the upgrade?
I am unable to identify anything to fix this.
Any input is greatly appreciated.
Regards,
Sesha
IAM Engineer
------------------------------
Seshagiri Ravipati
------------------------------
Original Message:
Sent: Wed February 23, 2022 05:47 PM
From: Seshagiri Ravipati
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hi Scott,
Thanks for quick update.
I will go ahead with 10.0.3.1
Regards,
Sesha
IAM Engineer
------------------------------
Seshagiri Ravipati
Original Message:
Sent: Wed February 23, 2022 05:16 PM
From: Scott Exton
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Sesha,
A direct upgrade will work just fine.
Thanks.
Sent from my iPhone
Original Message:
Sent: 2/23/2022 5:15:00 PM
From: Seshagiri Ravipati
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hi Scott,
Thanks for the quick update. I will make a note of that.
We have most of our environments running on 9.0.7.2IF3.
We have recently updated one of them to 10.0.3.0, and then the 10.0.3.1 release came out.
Can I directly upgrade from 9.0.7.2IF3 to 10.0.3.1 in other environments? Or should I first update to 10.0.3.0 and then to 10.0.3.1?
Regards,
Sesha
IAM Engineer
------------------------------
Seshagiri Ravipati
Original Message:
Sent: Wed February 23, 2022 03:13 PM
From: Scott Exton
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Sesha,
10.0.3.1 is a full firmware update. It can sometimes be called a 'fixpack' because of the versioning scheme which is being used (i.e. V.R.M.F == Version.Release.Mod.Fixpack). So the '1' in 10.0.3.1 is the 'Fixpack' part of the version number. Unfortunately, this term is overloaded in the appliance, as it also refers to the ability to apply a small, limited update to the appliance.
Anyway, 10.0.3.1 is a full firmware update.
Thanks.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 2/22/2022 7:04:00 PM
From: Seshagiri Ravipati
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hi Scott,
Thanks for your inputs here. It is very useful.
Apologies if my question is not related to this topic.
I have updated my environment with ISVA 10.0.3.1 today.
It's referred to as a fixpack. But this is not like how we normally apply a fixpack on 9.0.7.2. Right?
It is a firmware update, the same as how we updated to 10.0.3.0. Right?
https://www.ibm.com/docs/en/sva/10.0.3?topic=overview-upgrading-current-version
If my understanding is not right, would you be able to share the link or the steps we use to apply this fixpack?
Regards,
Sesha
------------------------------
Seshagiri Ravipati
Original Message:
Sent: Mon February 21, 2022 02:45 PM
From: Scott Exton
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Jens,
I can confirm that the 10.0.3.1 release contains a fix for the AAC weak ciphers. This fix is included in 'APAR IJ37888'.
Thanks.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 2/21/2022 6:32:00 AM
From: Jens Petersen
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Peter,
I couldn't find any hint of that in the APAR list. Also, my PMR on that issue is still open. So I don't think it's solved yet, which has become critical in the meantime.
Kind regards,
Jens Petersen
www.xing.com/profile/Jens_Petersen2
www.linkedin.com/in/jpe
Blog: www.networkshh.de
______________________________________________________
Mobil: +49 170 7635028
The content of this e-mail is intended exclusively for the named addressee. If you are not the intended addressee of this e-mail or their representative, please note that any form of reading, publication, reproduction or forwarding of the content of this e-mail is not permitted. Please contact the sender of this e-mail immediately.
This message is intended only for the use of the person(s) ("the intended recipient(s)") to whom it is addressed. It may contain information which is privileged and confidential within the meaning of applicable law. If you are not the intended recipient, please contact the sender as soon as possible.
Original Message:
Sent: 2/21/2022 5:33:00 AM
From: Peter Volckaert
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hi,
Last Friday, fixpack 1 was released, which should address the above issues.
See the email you've received via IBM Support notifications or use this link to the 10.0.3.1 fixpack
Kind regards,
Peter.
------------------------------
Peter Volckaert
Senior Sales Engineer
Authentication and Access
IBM Security
Original Message:
Sent: Wed February 02, 2022 04:28 PM
From: Jens Petersen
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Scott,
Thanks, but I can't do that, as it would mean unconfiguring all the WebSEALs up front. I thought there might be something else, like the rt-properties or tuning parameters, that I'm not aware of.
Best regards,
Jens Petersen
Sent from mobile
Original Message:
Sent: 2/2/2022 2:53:00 PM
From: Scott Exton
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Jens,
When you configure the ISVA runtime, and more specifically, the policy server, you have the option of setting the SSL compliance. If this field is set to something other than 'No additional compliance' (which is the default), the full cipher set should be available to AAC. In a FIPS enabled appliance you are not provided with the option of 'No additional compliance'.
I hope that this explains things better.
Thanks.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 2/2/2022 5:18:00 AM
From: Jens Petersen
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hi Scott,
What exactly is meant by "-but could also be manually specified when you configure the ISVA runtime-"?
thanks,
jens
------------------------------
Jens Petersen
Original Message:
Sent: Tue February 01, 2022 05:48 PM
From: Scott Exton
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Matt,
This will only affect ISVA runtimes which have not been configured with any SSL compliance requirements (SSL compliance is automatically set if the appliance is running in FIPS mode - but could also be manually specified when you configure the ISVA runtime - it is not set by default when not running in FIPS mode). This means that Docker environments will not suffer from the same problem.
Thanks.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 2/1/2022 8:49:00 AM
From: Matt Jenkins
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Does the docker image suffer from these ciphers being missing in AAC? Or does this only impact the virtual appliances that are in non-FIPS mode? Thanks!
Original Message:
Sent: Mon January 31, 2022 03:16 PM
From: Scott Exton
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Jens,
IBM understands the issue and a code change will be available in the upcoming 10.0.3.1 fix-pack (which is due out in the next couple of weeks). If you need a fix prior to this I would suggest that you request an early fix from the IBM support team via the PMR. Unfortunately the only work-around at the moment is to re-install the appliance with FIPS enabled as a FIPS enabled appliance does not suffer from the same cipher limitations.
I hope that this helps.
Thanks.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 1/31/2022 6:40:00 AM
From: Jens Petersen
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hi Andre,
Not so far. The PMR is still at L3 for a fix. Everything I tried so far didn't work. For us this has meanwhile become a real problem, as we have several InfoMaps using the UserLookupHelper. I'm not sure IBM has the necessary attention on it.
Kind regards,
Jens Petersen
Original Message:
Sent: 1/31/2022 6:22:00 AM
From: André Leruitte
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hi all,
Has anyone found a definitive solution to these cipher issues between ISAM 10.0.3 and their LDAP?
We would like to retry deploying this v10.0.3, but we are still waiting for a proper solution confirmation.
Thank you
------------------------------
André Leruitte
Original Message:
Sent: Fri January 14, 2022 07:18 AM
From: Jens Petersen
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Jack,
That was my first guess; it didn't work. It's set like this now. Shall I add or change anything?
Kind regards,
Jens Petersen
Original Message:
Sent: 1/13/2022 4:24:00 PM
From: JACK YARBOROUGH
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hello Jens,
The following is the Advanced Tuning Parameter that can be used to set the '<sslDefault ...><ssl ... enabledCiphers="__">' property in the Runtime XML file:
Key: runtime_profile.enable.ciphers
Value: <Cipher List>
Here are the Ciphers supported by OpenJDK:
https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
Try to set the server ciphers to known working ciphers and confirm whether that helps your outbound connections.
------------------------------
JACK YARBOROUGH
Original Message:
Sent: Thu January 13, 2022 09:25 AM
From: Jens Petersen
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Scott,
Thanks for the link. I know how to initialize; my point is that this property isn't documented in the Javadoc. So I was wondering, but I'll try to use it that way.
Kind regards,
Jens Petersen
Original Message:
Sent: 1/12/2022 4:06:00 PM
From: Scott Exton
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Jens,
Unfortunately I am not very experienced with InfoMaps, but when you initialise the UserLookupHelper class you should be able to supply a 'properties' object, which contains additional properties to include in the initialisation. This is where you want to put the 'ldap.cipher-suites' property.
The original problem that you were experiencing with the UserLookupHelper is limited to how the UserLookupHelper code was written (it was specifically restricting certain ciphers based on the compliance level set in the ISVA runtime). The native LDAP helper does not share this code and so it should not suffer from the same problem. You should just need to ensure that you specify a TLS protocol which supports the required ciphers. For example, if you are using any of the GCM ciphers you will need to ensure that TLS 1.2 is specified.
I hope that this helps.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 1/12/2022 9:37:00 AM
From: Jens Petersen
Subject: RE: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hi Scott,
I couldn't find anything like that in the JavaDoc. Is it some undocumented property? How can we work around with native LDAP helper, as we are using that one also?
cheers,
jens
------------------------------
Jens Petersen
Original Message:
Sent: Wed January 12, 2022 01:34 AM
From: Scott Exton
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Jens,
In the 10.0.3 release the underlying Java runtime was updated, and this appears to have had the unfortunate side-effect of reducing the number of supported ciphers used by the UserLookupHelper InfoMap class. The development team is working on a fix for this issue now.
In the meantime, you are able to manually specify the supported ciphers by providing the 'ldap.cipher-suites' override property when initialising the UserLookupHelper class. This property is a list of strings, with each element in the list corresponding to the name of a supported cipher.
I hope that this helps.
------------------------------
Scott Exton
IBM
Gold Coast
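Both Jack's runtime_profile.enable.ciphers tuning parameter and Scott's ldap.cipher-suites override above take a list of cipher-suite names in the Java form listed in the OpenJDK CipherSuite.java that Jack links, and Scott also notes that GCM suites require TLS 1.2. The following Python is an added example, not code from this thread, from IBM or from ISVA: it filters such a list by the weaknesses Jens raised (CBC mode, SHA-1 MAC, legacy ciphers) plus one criterion of my own (static RSA key exchange, which has no forward secrecy), and reports the lowest TLS version each surviving suite needs. The sample input list and the comma separator in tuning_value() are constructed assumptions; check the ISVA documentation for the list format the tuning parameter actually expects.

```python
"""Build a hardened TLS cipher-suite list from Java-style suite names.

Added example (not IBM or ISVA code). It never talks to the appliance or to
LDAP; it only filters names so an administrator can review a list before
putting it into runtime_profile.enable.ciphers or ldap.cipher-suites.
"""
import re

# Substrings that mark a suite as weak, with the reason reported for each.
# CBC and 3DES are the concerns raised in the thread; the others are the
# usual legacy / export / NULL / anonymous cases.
WEAK_MARKERS = (
    ("_CBC_", "CBC mode"),
    ("_3DES_", "3DES"),
    ("_RC4_", "RC4"),
    ("_NULL_", "NULL cipher"),
    ("_anon_", "anonymous key exchange"),
    ("_EXPORT_", "export-grade"),
    ("_MD5", "MD5 MAC"),
)


def weaknesses(suite: str) -> list:
    """Return the reasons a suite is considered weak (empty list if none)."""
    reasons = [why for marker, why in WEAK_MARKERS if marker in suite]
    # A trailing "_SHA" with no digits is the SHA-1 HMAC; "_SHA256"/"_SHA384" are fine.
    if re.search(r"_SHA$", suite):
        reasons.append("SHA-1 MAC")
    # Static RSA key exchange (TLS_RSA_WITH_...) offers no forward secrecy.
    # This criterion is my own addition, not one raised in the thread.
    if suite.startswith("TLS_RSA_WITH_"):
        reasons.append("no forward secrecy")
    return reasons


def min_tls_version(suite: str) -> str:
    """Lowest protocol version at which the suite can be negotiated.

    TLS 1.3 suites carry no key-exchange name; AEAD (GCM/CCM/ChaCha20) and
    SHA-2 HMAC suites were introduced with TLS 1.2, which is Scott's point
    about GCM ciphers. Everything else dates back to TLS 1.0.
    """
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "TLSv1.3"
    if any(tok in suite for tok in ("_GCM_", "_CCM", "CHACHA20", "_SHA256", "_SHA384")):
        return "TLSv1.2"
    return "TLSv1.0"


def harden(suites):
    """Split suites into (accepted, rejected); rejected maps name -> reasons."""
    accepted, rejected = [], {}
    for suite in suites:
        reasons = weaknesses(suite)
        if reasons:
            rejected[suite] = reasons
        else:
            accepted.append(suite)
    return accepted, rejected


def tuning_value(suites, separator=","):
    """Join the accepted names into one string for the tuning parameter.

    The separator is an assumption: check the ISVA documentation for the
    format runtime_profile.enable.ciphers actually expects.
    """
    return separator.join(suites)


# Constructed sample resembling names from OpenJDK's CipherSuite.java; this is
# not a capture from any appliance.
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    ok, bad = harden(SAMPLE_OFFERED)
    for name in ok:
        print(f"keep   {name:48} needs {min_tls_version(name)}")
    for name, why in bad.items():
        print(f"reject {name:48} {', '.join(why)}")
    print("tuning value:", tuning_value(ok))
```

Because every suite that survives the filter is an AEAD or SHA-2 suite, the runtime must be allowed to negotiate TLS 1.2 (or 1.3 for the TLS_AES_*/TLS_CHACHA20_* names) for the list to be usable, which is the protocol requirement Scott describes.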
Original Message:
Sent: Tue January 11, 2022 06:24 AM
From: Jens Petersen
Subject: 10.0.3 AAC Cipher Sets are weak, any suggestion?
Hi all,
After updating to 10.0.3 I ran into a lot of trouble because all the AAC TLS connections to our LDAP didn't work any longer. So UserInit() throws exceptions and the InfoMaps stopped working. Eventually, after raising a PMR, we found that the cipher sets offered by AAC have been changed. A packet trace showed that more than 40 were supported before the update but only 15 are supported right now. The major problem is that these ciphers are all old and deprecated; none supports SHA2 and all use CBC. CBC is known to be vulnerable for decryption and should be disabled, even with TLSv3. (Qualys Discussions)
Any suggestion on how to fix this? We don't want weak ciphers enabled on our VIPs.
Cheers,
jens
------------------------------
Jens Petersen
------------------------------