IBM Security Verify


10.0.3 AAC Cipher Sets are weak, any sugestion?

  • 1.  10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Tue January 11, 2022 06:24 AM

    Hi all,

    after updating to 10.0.3 I ran into a lot of trouble because all the AAC TLS connections to our LDAP didn't work any longer. So UserInit() throws Exceptions and the Infomaps stopped working. Eventually, after raising a PMR, we found that the cipher sets offered by AAC have been changed. A packet trace showed that more than 40 were supported before the update but only 15 are supported right now. The major problem is that these ciphers are all old and deprecated, none is supporting SHA2 and all are using CBC. CBC is known to be vulnerable for decryption and should be disabled, even with TLSv3. (Qualys Discussions)

    Any suggestion on how to fix? We don't want weak ciphers enabled on our VIPs.

    Cheers,
    jens



    ------------------------------
    Jens Petersen
    ------------------------------


  • 2.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed January 12, 2022 01:35 AM
    Jens,

    In the 10.0.3 release the underlying Java runtime was updated, and this appears to have had the unfortunate side-effect of reducing the number of supported ciphers used by the UserLookupHelper Infomap class.  The development team is working on a fix for this issue now. 

    In the meantime, you are able to manually specify the supported ciphers by providing the 'ldap.cipher-suites' override property when initialising the UserLookupHelper class.  This property is a list of strings, with each element in the list corresponding to the name of a supported cipher.

    I hope that this helps.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 3.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed January 12, 2022 03:39 AM

    Scott,

     

    thanks for the quick answer, I'm giving it a try today. While saying that, how can I fix smtp connections for MailOTP and also ServerConnection?

    Kind regards,

    Jens Petersen

    www.xing.com/profile/Jens_Petersen2

    www.linkedin.com/in/jpe

    Blog: www.networkshh.de

    ______________________________________________________
    Mobile:    +49 170 7635028

    The content of this e-mail is intended exclusively for the designated addressee. If you are not the intended addressee of this e-mail or their representative, please note that any form of taking note of, publishing, reproducing or passing on the content of this e-mail is not permitted. We ask you to contact the sender of this e-mail immediately.

    This message is intended only for the use of the person(s) ("the intended recipient(s)") to whom it is addressed. It may contain information which is privileged and confidential within the meaning of applicable law. If you are not the intended recipient, please contact the sender as soon as possible.

     

     






  • 4.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed January 12, 2022 03:55 AM
    Jens,
     
    I don't believe that the SMTP connections will suffer from the same problem.  This problem was limited to the direct registry API which is used by the UserLookupHelper class.
     
    Thanks.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
     
     





  • 5.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed January 12, 2022 04:46 AM
    Scott,
    unfortunately in fact it does. I didn't verify with a packet trace so far but same issue - enabling TLS no connection, disabling all fine.

    thanks,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 6.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed January 12, 2022 03:42 PM
    Jens,
     
    When you enabled the TLS connection which TLS version did you specify?  What happens if you change this to 'TLS v1.2'?
     
    Thanks.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

     
     
     





  • 7.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Thu January 13, 2022 06:04 AM

    Scott,

    using Server Connections for LDAP there is no choice. You can just select using SSL Yes/No, the store and the cert.

     

    Kind regards,

    Jens Petersen

     


     

     

     






  • 8.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Thu January 13, 2022 09:23 AM

    Scott,

     

    I just gave it a try with the smtp server connection. It's possible to configure tls1.2 and that works fine. The full ciphers are sent. Think I'm switching to native LDAP helper from User Lookup helper if I can't get it fixed. I've also opened a PMR and was told that L3 is already working on that issue. Depending on who is faster we'll get it fixed, but it's becoming urgent as we were depending on the VHj Alias for our release end of month.

    Kind regards,

    Jens Petersen

     


     

     

     






  • 9.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed January 12, 2022 09:37 AM

    Hi Scott,
    I couldn't find anything like that in the JavaDoc. Is it some undocumented property? How can we work around with native LDAP helper, as we are using that one also?

    cheers,
    jens



    ------------------------------
    Jens Petersen
    ------------------------------



  • 10.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed January 12, 2022 04:06 PM
    Jens,
     
    Unfortunately I am not very experienced with InfoMaps, but when you initialise the UserLookupHelper class you should be able to supply a 'properties' object, which contains additional properties to include in the initialisation.  This is where you want to put the 'ldap.cipher-suites' property.
     
    I did find the following example InfoMap which shows how to use custom properties to initialise the UserLookupHelper class: https://github.com/IBM-Security/isam-support/blob/master/config-example/aac/info_map_js/infomap_authenticate_ulh_custom-properties_LDAP-server-connection.js#L108.  I don't believe that you want to do exactly the same thing, as you just want to provide an additional property to the existing initialisation, but it might help you to understand how to create the properties object.  If this doesn't help there should be other people in this community who are much more experienced than me with InfoMap who might be able to assist.
     
    The original problem that you were experiencing with the UserLookupHelper is limited to how the UserLookupHelper code was written (it was specifically restricting certain ciphers based on the compliance level set in the ISVA runtime).  The native LDAP helper does not share this code and so it should not suffer from the same problem.  You should just need to ensure that you specify a TLS protocol which supports the required ciphers.  For example, if you are using any of the GCM ciphers you will need to ensure that TLS 1.2 is specified.  
     
    I hope that this helps.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
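
The observations in posts 1 and 10 (a packet trace showing only CBC suites without SHA2, and GCM suites needing TLS 1.2), as an added example that is not part of the original thread and is not IBM code: a Node.js script that classifies JSSE/IANA cipher suite names copied from a ClientHello, counts CBC and non-SHA-2 suites, and lists which suites can still be negotiated at a given TLS version. The function names are hypothetical and the suite list is constructed sample data, not the trace from this thread.

```javascript
// Added example: audit the cipher suites a client offers in its ClientHello.
// Function names and SAMPLE_OFFER are constructed for illustration.

const TLS_ORDER = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];

// Parse one JSSE/IANA suite name. Returns null for signalling values such as
// TLS_EMPTY_RENEGOTIATION_INFO_SCSV, which show up in traces but are not ciphers.
function classifySuite(name) {
  if (/_SCSV$/.test(name)) return null;
  const canonical = name.replace(/^SSL_/, 'TLS_'); // older JSSE names use SSL_
  const parts = canonical.split('_WITH_');
  const tls13 = parts.length === 1; // TLS 1.3 names carry no key exchange part
  const kex = tls13 ? null : parts[0].replace(/^TLS_/, '');
  const rest = tls13 ? canonical.replace(/^TLS_/, '') : parts[1];

  const aead = /(^|_)(GCM|CCM|POLY1305)(_|$)/.test(rest);
  const cbc = /(^|_)CBC(_|$)/.test(rest);
  const last = rest.split('_').pop();
  const hash = /^(SHA\d*|MD5)$/.test(last) ? last : null;
  // For AEAD suites the trailing hash names the PRF, not a MAC; AEAD suites
  // without a suffix (CCM) use SHA-256 for it.
  const sha2 = /^SHA(256|384|512)$/.test(hash || '') || (aead && hash === null);

  // AEAD suites and CBC suites with a SHA-2 MAC are only defined for TLS 1.2.
  let minTls = 'TLSv1';
  if (tls13) minTls = 'TLSv1.3';
  else if (aead || sha2) minTls = 'TLSv1.2';

  const mode = aead ? 'AEAD' : cbc ? 'CBC' : 'OTHER';
  return { name, kex, mode, hash, sha2, tls13, minTls };
}

// Summarise an offered list the way the trace in post 1 was read.
function auditOffer(names) {
  const suites = names.map(classifySuite).filter(Boolean);
  return {
    total: suites.length,
    cbc: suites.filter((s) => s.mode === 'CBC').length,
    aead: suites.filter((s) => s.mode === 'AEAD').length,
    noSha2: suites.filter((s) => !s.sha2).length,
    allCbcWithoutSha2:
      suites.length > 0 && suites.every((s) => s.mode === 'CBC' && !s.sha2),
  };
}

// Suites that can be selected when the handshake settles on exactly `version`.
function usableAt(version, names) {
  const v = TLS_ORDER.indexOf(version);
  if (v < 0) throw new Error('unknown protocol version: ' + version);
  return names
    .map(classifySuite)
    .filter(Boolean)
    .filter((s) =>
      version === 'TLSv1.3'
        ? s.tls13
        : !s.tls13 && TLS_ORDER.indexOf(s.minTls) <= v
    )
    .map((s) => s.name);
}

// Constructed sample: suite names as they would be copied out of a trace.
const SAMPLE_OFFER = [
  'TLS_RSA_WITH_AES_128_CBC_SHA',
  'TLS_RSA_WITH_AES_256_CBC_SHA',
  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
  'SSL_RSA_WITH_3DES_EDE_CBC_SHA',
  'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
  'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
  'TLS_AES_128_GCM_SHA256',
  'TLS_EMPTY_RENEGOTIATION_INFO_SCSV',
];

console.log(auditOffer(SAMPLE_OFFER));
console.log('negotiable at TLSv1.1:', usableAt('TLSv1.1', SAMPLE_OFFER));
console.log('negotiable at TLSv1.2:', usableAt('TLSv1.2', SAMPLE_OFFER));
```

Run it against the suite list from a trace taken before and after a runtime upgrade; a result with `allCbcWithoutSha2: true` matches the situation described in post 1.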
     
     
     





  • 11.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    IBM Champion
    Posted Wed January 12, 2022 04:17 PM
    Edited by Sylvain Gilbert Wed January 12, 2022 04:18 PM
    Hi

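    Here is a short example in an InfoMap how to specify additional properties. This sample does not deal specifically with setting ciphers but it should head you in the right direction which you can adapt to your needs:

    importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
    // Extra properties handed to the helper at initialisation.
    var prps = new java.util.Properties();
    prps.put("ldap.enable-last-login", "true");
    var hlpr = new UserLookupHelper();
    // ldapConnection and ldapFilter are defined elsewhere in the InfoMap.
    hlpr.init(ldapConnection, ldapFilter, "Default", false, prps);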


    Cheers

    ------------------------------
    Sylvain Gilbert
    ------------------------------



  • 12.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Thu January 13, 2022 01:26 PM

    Sylvain,

    thanks, I could figure it out from the JavaDocs and the sample Scott pointed out. So far I'm not having success. Looking at Scott's example again I found the following piece of code, which is thrown once the mapping rule finds an SSL connection configured for the LDAP Server Connection it parses.

    if (isSSL) {
        IDMappingExtUtils.throwSTSException("TLS is not currently supported with user lookup helper. The initialization using 'Custom Properties' requires the keystore passwords and there is not a way to get those passwords at this point in time");
    }

    Maybe that's why it doesn't work. Trying more tomorrow. Debugging Mapping Rules is quite nasty ...

    Kind regards,

    Jens Petersen

     


     

     

     






  • 13.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Thu January 13, 2022 09:26 AM

    Scott,

    thanks for the link. I know how to initialize, my point is that this property isn't documented in the Javadoc. So I was wondering, but I'll try to use it that way.

    Kind regards,

    Jens Petersen

     


     

     

     






  • 14.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Thu January 13, 2022 04:24 PM

    Hello Jens,

    The following is the Advanced Tuning Parameter that can be used to set the '<sslDefault ...><ssl ... enabledCiphers="__">' property in the Runtime XML file:
    Key: runtime_profile.enable.ciphers
    Value:<Cipher List>

    Here are the Ciphers supported by OpenJDK:
    https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/sun/security/ssl/CipherSuite.java

    Try to set the server ciphers to known working ciphers and confirm whether that helps your outbound connections.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 15.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Fri January 14, 2022 07:19 AM

    Jack,

    that was my first guess, didn't work. It's set like this now. Shall I add or change anything?

     

    Kind regards,

    Jens Petersen

     


     

     

     






  • 16.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    IBM Champion
    Posted Mon January 31, 2022 06:22 AM
    Hi all,
    Has anyone found a definitive solution to these cipher issues between ISAM 10.0.3 and their LDAP ?

    We would like to retry deploying this v10.0.3, but we are still waiting for a proper solution confirmation.


    Thank you

    ------------------------------
    André Leruitte
    ------------------------------



  • 17.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon January 31, 2022 06:40 AM

    Hi Andre,

     

    not so far. The PMR is still at L3 for a FIX. Everything I tried so far didn't work. For us this meanwhile becomes a real problem as we have several Infomaps using the UserLookupHelper. I'm not sure IBM has the necessary attention on it.

     

    Kind regards,

    Jens Petersen

     


     

     

     






  • 18.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    IBM Champion
    Posted Mon January 31, 2022 11:40 AM
    Hi Jens,
    Thanks for your reply.

    This is also becoming a real problem for us, especially with the following security bulletin urging to update to 10.0.3 : Security Bulletin: IBM Security Verify Access fixed a security vulnerability in the product.

    I hope L3 will be able to find a solution or at least a workaround quickly.


    Regards

    ------------------------------
    André Leruitte
    ------------------------------



  • 19.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon January 31, 2022 12:17 PM
    André, Jens, all,

    I hear you... I will try to get some information.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 20.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon January 31, 2022 03:17 PM
    Jens,
     
    IBM understands the issue and a code change will be available in the upcoming 10.0.3.1 fix-pack (which is due out in the next couple of weeks).  If you need a fix prior to this I would suggest that you request an early fix from the IBM support team via the PMR.  Unfortunately the only work-around at the moment is to re-install the appliance with FIPS enabled as a FIPS enabled appliance does not suffer from the same cipher limitations.
     
    I hope that this helps.
     
    Thanks.
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

     
     
     





  • 21.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon January 31, 2022 04:45 PM
    Scott,

    Thanks Scott, I've already raised a PMR with the response that IBM is working on a fix. That was actually shortly after 10.0.3 was released.

    Going to push a bit with reference to you, if that is ok ...

    Best regards
    Jens Petersen
    Sent from mobile





  • 22.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    IBM Champion
    Posted Tue February 01, 2022 05:06 PM
    Does the docker image suffer from these ciphers being missing in AAC?  Or does this only impact the virtual appliances that are in non-FIPS mode?  Thanks!


  • 23.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Tue February 01, 2022 05:49 PM
    Matt,
     
    This will only affect ISVA runtimes which have not been configured with any SSL compliance requirements (SSL compliance is automatically set if the appliance is running in FIPS mode - but could also be manually specified when you configure the ISVA runtime - it is not set by default when not running in FIPS mode).  This means that Docker environments will not suffer from the same problem.
     
    Thanks.
     
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
     

       





  • 24.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 02, 2022 05:18 AM
    Hi Scott,
    what exactly is meant by "-but could also be manually specified when you configure the ISVA runtime-"?
    thanks,
    jens


    ------------------------------
    Jens Petersen
    ------------------------------



  • 25.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 02, 2022 02:53 PM
    Jens,
     
    When you configure the ISVA runtime, and more specifically, the policy server, you have the option of setting the SSL compliance.  If this field is set to something other than 'No additional compliance' (which is the default), the full cipher set should be available to AAC.  In a FIPS enabled appliance you are not provided with the option of 'No additional compliance'.
     
    I hope that this explains things better.
     
    Thanks.
     
     
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

     
     
     





  • 26.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 02, 2022 04:29 PM
    Scott,
    Thanks, can't do that as it would mean to unconfigure all WebSEAL front up. Thought there is anything else like the rt-properties or tuning parameters I'm not aware of.

    Best regards
    Jens Petersen
    Sent from mobile





  • 27.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon February 21, 2022 05:33 AM
    Hi,

    Last Friday a fixpack 1 was released that should address the above issues.
    See the email you've received via IBM Support notifications or use this link to the 10.0.3.1 fixpack

    Kind regards,

    Peter.

    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 28.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon February 21, 2022 06:32 AM

    Peter,

     

    I couldn't find any hint to that at the APAR list. Also my PMR on that issue is still open. So I don't think it's solved now, which is critical meanwhile.

    Kind regards,

    Jens Petersen

     


     

     






  • 29.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon February 21, 2022 11:55 AM

    Hi Jens,

    Please ask for an update in your support ticket.
    You can find the complete list of fixed APARs here: https://www.ibm.com/support/pages/node/6556988
    Some of these seem to suggest a fix for your problem, but we do not publish details about the APARs, so please contact IBM Support to verify what this fixpack can do for you.

    Kind regards, Peter.



    ------------------------------
    Peter Volckaert
    Senior Sales Engineer
    Authentication and Access
    IBM Security
    ------------------------------



  • 30.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon February 21, 2022 12:15 PM

    Peter,

    I'd asked for and was told to wait until the fix is released for public. But just pinged them again, let's see what happens.

    Kind regards,

    Jens Petersen

     


     

     

     






  • 31.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon February 21, 2022 02:46 PM

    Jens,

     

    I can confirm that the 10.0.3.1 release contains a fix for the AAC weak ciphers.  This fix is included in 'APAR IJ37888'

     

    Thanks.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

     

     






  • 32.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Mon February 21, 2022 03:21 PM
    Thanks Scott,

    I'm going to give it a try tomorrow. 

    Best regards
    Jens Petersen
    Sent from mobile





  • 33.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 23, 2022 09:49 AM
    Scott,
    thanks again, works fine as far as I could test it. The PMR still hasn't got an answer even though I asked them on Monday whether the fix solves the problem....

    ------------------------------
    Jens Petersen
    ------------------------------



  • 34.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 23, 2022 03:02 PM

    Jens,

     

    Thanks for the confirmation that the problem is fixed.  I'm not sure why the PMR has not been updated with this information, but will reach out to the support team directly to see if they can update the PMR.

     

    Thanks,

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

     

     






  • 35.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 23, 2022 12:38 PM

    Hi Scott,

    Thanks for your inputs here. It is very useful.

    Apologies if my question is not related to this topic.

    I have updated my environment with ISVA 10.0.3.1 today.
    It's referred to as a Fixpack. But this is not like how we normally apply a fixpack on 9.0.7.2. Right?

    It is firmware update same as how we update to 10.0.3.0. Right?
    https://www.ibm.com/docs/en/sva/10.0.3?topic=overview-upgrading-current-version

    If my understanding is not right, would you be able to share the link or the steps we use to apply this fixpack?

    Regards,
    Sesha






    ------------------------------
    Seshagiri Ravipati
    ------------------------------



  • 36.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 23, 2022 03:14 PM

    Sesha,

     

    10.0.3.1 is a full firmware update.  It can sometimes be called a 'fixpack' because of the versioning scheme which is being used (i.e. V.R.M.F == Version.Release.Mod.Fixpack).  So the '1', in 10.0.3.1, is the 'Fixpack' part of the version number.  Unfortunately, this term is overloaded in the appliance as it also refers to the ability to apply a small, limited change, update to the appliance.

     

    Anyway, 10.0.3.1 is a full firmware update.

     

    Thanks.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

     

     






  • 37.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 23, 2022 05:15 PM
    Hi Scott,

    Thanks for the quick update. I will make a note of that.

    We have most of our environments running on 9.0.7.2IF3.
    We have recently updated one of it to 10.0.3.0 and then we got 10.0.3.1 release.

    Can I directly upgrade from 9.0.7.2IF3 to 10.0.3.1 in other environments? Or should I first update to 10.0.3.0 and then to 10.0.3.1?

    Regards,
    Sesha
    IAM Engineer

    ------------------------------
    Seshagiri Ravipati
    ------------------------------



  • 38.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 23, 2022 05:17 PM
    Sesha,

    A direct upgrade will work just fine.

    Thanks.

    Sent from my iPhone





  • 39.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 23, 2022 05:48 PM
    Hi Scott,

    Thanks for quick update.
    I will go ahead with 10.0.3.1

    Regards,
    Sesha
    IAM Engineer

    ------------------------------
    Seshagiri Ravipati
    ------------------------------



  • 40.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Wed February 23, 2022 11:57 PM
    Hi Scott,

    Apologies if what I am asking is not related here.

    I have upgraded one of my environments from ISVA 10.0.3.0 to 10.0.3.1, and before that Security Directory Server was upgraded from 6.4.0.24 to 6.4.0.25.

    After the above upgrades, Business who uses portal to login to their daily tasks is failing to load with System error.

    Below are seen in their console logs
    Failed to load resource: the server responded with a status of 401 (unauthorized)

    and below in their in Splunk logs
    response_body: { "httpCode":"401", "httpMessage":"Unauthorized", "moreInformation":"Failed to connect to introspection endpoint" }

    I have restored back to snapshot taken before start of change. But still the same error is appearing.

    Was something corrupted after the upgrade?

    I am unable to identify anything to fix this.

    Any input is greatly appreciated.

    Regards,
    Sesha
    IAM Engineer

    ------------------------------
    Seshagiri Ravipati
    ------------------------------



  • 41.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Thu February 24, 2022 12:00 AM

    Sesha,

     

    I would suggest that you raise a ticket with the IBM support team and get them to have a look.

     

    Thanks.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

     

     






  • 42.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Thu February 24, 2022 12:12 AM
    Hi Scott,

    Thank you.

    Have done that and waiting for an update.
    Sorry for all those messages here. Just thought you might have seen those error messages before.

    Regards,
    Sesha
    IAM Engineer

    ------------------------------
    Seshagiri Ravipati
    ------------------------------



  • 43.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    IBM Champion
    Posted Tue May 24, 2022 08:53 AM
    Does anyone have any news regarding the issues encountered when upgrading to 10.0.3.1 ? 

    We have been trying to upgrade to this 10.0.3.1 since January without any success. I opened a case 2 months ago (TS008910441) and I haven't got any meaningful advice on how to proceed.

    This is really becoming a huge issue for us, there are known vulnerabilities that we need to patch.

    Any help on the matter would be appreciated...


    ------------------------------
    André Leruitte
    ------------------------------



  • 44.  RE: 10.0.3 AAC Cipher Sets are weak, any sugestion?

    Posted Tue May 24, 2022 06:27 PM

    Andre,

     

    I'm sorry to hear that you are still having the same issue with the upgrade.  I'll reach out to the support team to see if we can get the support case moving forward again.

     

    Thanks.

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
