+-----------------------------------------------------+
Interim Fix 7.2.0-ISS-SDI-LA0007 README
Security Directory Integrator 7.2.0 LA Interim Fix 7 (All platforms)
Date: April 2015
+-----------------------------------------------------+

COPYRIGHT STATEMENT
====================
April 2015

References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM program product in this publication is not intended to state or imply that only IBM's program product may be used. Any functionally equivalent program may be used instead.

IBM is a trademark of the International Business Machines Corporation.

Copyright International Business Machines Corporation 2015. All rights Reserved.

Fix For
========
APAR - NA
PMR - NA

General Description:
====================
SDI FIXES FOR RC4 BAR MITZVAH ATTACK VULNERABILITY

Details:
========
For details about the vulnerability, refer to the security bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21883309

Prerequisites:
==============
Security Directory Integrator v7.2.0 with 7.2.0-ISS-SDI-FP0002 applied.

Platforms:
==========
All supported platforms

Applying the Fix:
=================
- Shut down SDI.
- Unzip the fix package to a temporary directory. The LA contains miserver.jar, diserverapi.jar and diserverapirmi.jar.
- Back up the existing miserver.jar, diserverapi.jar and diserverapirmi.jar under the /jars/common folder. To do this, rename each older jar so that its name no longer ends in .jar; a file that still ends in .jar in that folder is still loaded by SDI.
- Copy miserver.jar, diserverapi.jar and diserverapirmi.jar from the extracted fix package into /jars/common.

Mandatory Steps for disabling RC4 from SDI JRE
==============================================
Java 7 Mitigation:
- Disable RC4. This is done by adding RC4 to the list of disabled algorithms defined by the jdk.tls.disabledAlgorithms security property in the java.security file.
- Stop SDI.
- Edit the java.security file under /jvm/jre/lib/security.
- Locate the jdk.tls.disabledAlgorithms line. If an uncommented line is already present, add RC4 to its comma-separated value and keep the algorithms that are already listed there (overwriting the value with RC4 alone would re-enable anything else the JRE had disabled). If the line is absent or commented out, add an uncommented line:
  jdk.tls.disabledAlgorithms=RC4
- Start SDI.

Confirming the Fix has been applied successfully:
=================================================
- Verify that the three jars now in /jars/common match the md5sums listed below.
- Verify that java.security contains an uncommented jdk.tls.disabledAlgorithms line whose value includes RC4.
- After SDI is restarted its TLS listeners will no longer negotiate RC4 cipher suites, which resolves the RC4 Bar Mitzvah Attack vulnerability. A TLS client that offers only RC4 suites (for example openssl s_client -cipher RC4 against an SDI listener) should fail to complete the handshake.

md5sum of Files Included in this Fix:
=====================================
b14ad92d77ff52090b2978cb45710881 miserver.jar
49525a1f6bf72399ee97b874a7ae4347 diserverapi.jar
b713fbe430b8d68192edc756f04febb3 diserverapirmi.jar
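The java.security edit above is the step most often done wrong: replacing the whole jdk.tls.disabledAlgorithms value with RC4 silently re-enables anything the JRE had already disabled, and a commented-out line is ignored by Java, so RC4 stays enabled. The script below is an added example written for this README and is not part of the IBM fix package; it adds RC4 to the property while preserving any existing value, reports whether the resulting file actually disables RC4, and checks the replaced jars against the md5sums published above. It assumes a POSIX shell with awk, grep and GNU md5sum, and that you pass the paths to java.security and to the jars/common folder yourself.

```sh
#!/bin/sh
# Added example for 7.2.0-ISS-SDI-LA0007 (not IBM's code): apply the RC4
# mitigation to a java.security file idempotently and verify the fix.

# disable_rc4 FILE
# Ensure FILE has an active (uncommented) jdk.tls.disabledAlgorithms line
# that lists RC4. A backup is written to FILE.bak first. Cases handled:
#   1. no active line                -> append "jdk.tls.disabledAlgorithms=RC4"
#   2. active line without RC4       -> append ", RC4" to its existing value
#   3. active line already with RC4  -> leave the file unchanged
# A "#jdk.tls.disabledAlgorithms=..." comment is ignored, exactly as Java
# ignores it. Values continued over several lines with "\" are not handled.
disable_rc4() {
    f=$1
    [ -f "$f" ] || { echo "disable_rc4: no such file: $f" >&2; return 1; }
    cp "$f" "$f.bak" || return 1
    awk '
        /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            found = 1
            val = substr($0, index($0, "=") + 1)
            if (toupper(val) ~ /RC4/) { print; next }   # already disabled
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (val == "") print "jdk.tls.disabledAlgorithms=RC4"
            else           print "jdk.tls.disabledAlgorithms=" val ", RC4"
            next
        }
        { print }
        END { if (!found) print "jdk.tls.disabledAlgorithms=RC4" }
    ' "$f.bak" > "$f"
}

# rc4_disabled FILE
# Exit 0 only if an uncommented jdk.tls.disabledAlgorithms line lists RC4.
rc4_disabled() {
    grep '^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=' "$1" \
        | grep -qi 'RC4'
}

# verify_jars DIR
# Compare the three replaced jars in DIR with the md5sums from this README.
# Needs GNU md5sum; on platforms without it use the vendor digest tool.
verify_jars() {
    d=$1
    printf '%s\n' \
        "b14ad92d77ff52090b2978cb45710881  $d/miserver.jar" \
        "49525a1f6bf72399ee97b874a7ae4347  $d/diserverapi.jar" \
        "b713fbe430b8d68192edc756f04febb3  $d/diserverapirmi.jar" \
        | md5sum -c --quiet
}

# Stand-alone usage: sh rc4fix.sh /path/to/java.security [/path/to/jars/common]
if [ "$#" -ge 1 ]; then
    disable_rc4 "$1" && rc4_disabled "$1" && echo "RC4 disabled in $1"
    if [ "$#" -ge 2 ]; then verify_jars "$2" && echo "jar md5sums OK"; fi
fi
```

Run it against a copy of java.security first and diff the result against the .bak file; the only change should be the one jdk.tls.disabledAlgorithms line. Because disable_rc4 is idempotent, re-running it after a later JRE update that adds its own entries to the property will append RC4 again only if that update dropped it.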