7.1.0-TIV-TDI-LA0016

Download Description

+-----------------------------------------------------+
Interim Fix 7.1.0-TIV-TDI-LA0016 README
Tivoli Directory Integrator 7.1.0
LA Interim Fix 16
(All platforms)
Date: Nov 2014
+-----------------------------------------------------+

COPYRIGHT STATEMENT
====================
Nov 2014

References in this publication to IBM products, programs, or services do
not imply that IBM intends to make these available in all countries in
which IBM operates. Any reference to an IBM program product in this
publication is not intended to state or imply that only IBM's program
product may be used. Any functionally equivalent program may be used
instead.

IBM is a trademark of the International Business Machines Corporation.

Copyright International Business Machines Corporation 2014. All rights
Reserved.

Fix For
========

APAR - NA
PMR - NA


General Description:
====================
This Limited Availability Interim Fix contains fix for the SSLv3 CVE-2014-3566 POODLE Vulnerability.

Details:
========
CVE-ID: CVE-2014-3566

DESCRIPTION: SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack.
This vulnerability could allow a man-in-the-middle attacker to access the plain text of network traffic encrypted using SSLv3.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Prerequisites:
==============
Tivoli Directory Integrator v7.1.0 Fix pack 08 should be installed.

Platforms:
==========
All supported Platforms

Applying the Fix:
=================

- Shutdown TDI.
- Download the fix package to a temporary directory. The LA contains miserver.jar, diserverapirmi.jar and HTTPClientConnector.jar.
- Backup the older <TDI_Install_Dir>\jars\common\miserver.jar, TDI Install dir\jars\common\diserverapirmi.jar and <TDI_Install_Dir>\jars\connectors\HTTPClientConnector.jar from the TDI installed system. For this, rename the older files by changing its extension (Change extension to something other than .jar, .zip).
- Replace the existing miserver.jar, diserverapirmi.jar and HTTPClientConnector.jar files which were backed up earlier with the fix files.

- In the solution.properties add the following new property

## ----------------------------------
## Protocols to use for SSL
## ----------------------------------
com.ibm.di.SSLProtocols=TLS

- Restart TDI.

AMC/LWI Related changes.
==================
- Stop the application server. The stop_tdiamc.bat is present in the TDI_Install_Dir/bin/amc directory.
- Add or Modify below property in <TDI_Install_Dir>/lwi/conf/webcontainer.properties

com.ibm.ssl.protocol.13101=TLS

- This will force LWI to use TLS protocol instead of SSLv3 protocol.
- Start the application server.


Confirming the Fix has been applied successfully:
=================================================
Problem should be resolved.

md5sum of Files Included in this Fix:
=====================================
ca658b9d183057ce2f68f1fd21e70323 miserver.jar
9f9fb8b924e6f36da8f5d73668b7c4cd diserverapirmi.jar
f5cc2e0dd597a6f34a8a9d3a0c56c447 HTTPClientConnector.jar