+-----------------------------------------------------+
Interim Fix 7.0.0-TIV-TDI-LA0020 README
Tivoli Directory Integrator 7.0.0 LA Interim Fix 20 (All platforms)
Date: Nov 2014
+-----------------------------------------------------+

COPYRIGHT STATEMENT
====================
Nov 2014

References in this publication to IBM products, programs, or services
do not imply that IBM intends to make these available in all countries
in which IBM operates. Any reference to an IBM program product in this
publication is not intended to state or imply that only IBM's program
product may be used. Any functionally equivalent program may be used
instead.

IBM is a trademark of the International Business Machines Corporation.

Copyright International Business Machines Corporation 2014.
All rights Reserved.

Fix For
========
APAR - NA
PMR - NA

General Description:
====================
This Limited Availability Interim Fix contains a fix for the SSLv3
CVE-2014-3566 POODLE vulnerability.

Details:
========
CVE-ID: CVE-2014-3566

DESCRIPTION: SSLv3 contains a vulnerability that has been referred to as
the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. This
vulnerability could allow a man-in-the-middle attacker to access the
plain text of network traffic encrypted using SSLv3.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Prerequisites:
==============
Tivoli Directory Integrator v7.0 Fix pack 08 should be installed.

Platforms:
==========
All supported Platforms

Applying the Fix:
=================
- Shut down TDI.
- Download the fix package to a temporary directory. The LA contains
  miserver.jar, diserverapirmi.jar and HTTPClientConnector.jar.
- Back up the older \jars\common\miserver.jar,
  \jars\common\diserverapirmi.jar and
  \jars\connectors\HTTPClientConnector.jar from the TDI installed system.
  To do this, rename the older files by changing their extension (change
  the extension to something other than .jar or .zip).
- Replace the existing miserver.jar, diserverapirmi.jar and
  HTTPClientConnector.jar files, which were backed up earlier, with the
  fix files.
- In solution.properties, add the following new property:

  ## ----------------------------------
  ## Protocols to use for SSL
  ## ----------------------------------
  com.ibm.di.SSLProtocols=TLS

- Restart TDI.

AMC/LWI Related changes.
==================
- Stop the application server. The stop_tdiamc.bat is present in the
  TDI_Install_Dir/bin/amc directory.
- Add or modify the property below in /lwi/conf/webcontainer.properties:

  com.ibm.ssl.protocol.13101=TLS

- This will force LWI to use the TLS protocol instead of the SSLv3 protocol.
- Start the application server.

Confirming the Fix has been applied successfully:
=================================================
Problem should be resolved.

md5sum of Files Included in this Fix:
=====================================
c65cf789518dae578918da23ac555faf  miserver.jar
2f87c7eb30f5e91d0be7df5d096aeb80  diserverapirmi.jar
68980b8bd8c4db01587a6bfb22ceb4d4  HTTPClientConnector.jar
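
One way to confirm the steps above were carried out, as an added example that is not part of the original IBM README or the fix package: it compares the three installed jars against the md5sums listed above and checks that each properties file really ends up with the TLS value (a commented-out line or a later overriding line counts as a failure). The function names are hypothetical, and the locations of the install directory, solution.properties and webcontainer.properties are assumptions passed in by the caller.

```python
import hashlib
import re
from pathlib import Path

# MD5 sums and jar locations exactly as listed in this README.
EXPECTED_MD5 = {
    "jars/common/miserver.jar": "c65cf789518dae578918da23ac555faf",
    "jars/common/diserverapirmi.jar": "2f87c7eb30f5e91d0be7df5d096aeb80",
    "jars/connectors/HTTPClientConnector.jar": "68980b8bd8c4db01587a6bfb22ceb4d4",
}
# Property names and the value this README says to set.
SOLUTION_PROP = ("com.ibm.di.SSLProtocols", "TLS")
LWI_PROP = ("com.ibm.ssl.protocol.13101", "TLS")

# key, optional '=' or ':' separator, value; lines starting with '#' or '!' are
# comments. Simplification: escapes and line continuations are not handled.
_LINE = re.compile(r"^[ \t\f]*([^#!=:\s][^=:\s]*)[ \t\f]*[=:]?[ \t\f]*(.*)$")


def effective_property(text, key):
    """Return the value a properties loader would end up with for key, or None."""
    value = None
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == key:
            value = m.group(2)  # a later assignment overrides an earlier one
    return value


def verify_fix(install_dir, solution_props, webcontainer_props, expected=EXPECTED_MD5):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for rel, want in expected.items():
        jar = Path(install_dir) / rel
        if not jar.is_file():
            problems.append(f"missing: {rel}")
        elif hashlib.md5(jar.read_bytes()).hexdigest() != want:
            problems.append(f"md5 mismatch: {rel}")
    for path, (key, want) in ((solution_props, SOLUTION_PROP), (webcontainer_props, LWI_PROP)):
        if not Path(path).is_file():
            problems.append(f"missing: {path}")
            continue
        got = effective_property(Path(path).read_text(errors="replace"), key)
        if got != want:
            problems.append(f"{path}: {key} is {got!r}, expected {want!r}")
    return problems
```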