APAR status
Closed as program error.
Error description
When logging on to the SSPCM to an admin account (not admin itself), the user is getting prompted with password expired. When the user enters a new password, he gets an error:

System Error, Unexpected System Error has occurred. Please sign in again. If the problem persists, contact your system administrator.

We have updated the default password policy as follows:
Days Valid: 30
Minimum Length: 8
Maximum Length: 28
Kept in History: 12
Must contain special characters is checked.

A variety of different passwords have been used; they all meet the criteria and are not in the history. The account is not locked and I have had no problems logging on to the account before. This is also happening to the admin account as it is part of the same policy.
Local fix
STRRTC - 379216 DE/RJ Circumvention: Update to latest SSP Build
Problem summary
Customer applied SSP3417 and configured a password policy using the CM. The password expired for one of the IDs used to access the CM, and when the user went through the change password screen, it threw an error:

System Error, Unexpected System Error has occurred. Please sign in again. If the problem persists, contact your system administrator.

The CM log shows an error message:

ERROR com.sterlingcommerce.sspgui.web.filter.SSPDashboardNonceValidationFilter - An invalid system access is detected : /SSPDashboard/faces/changePassword.jsp

SSP3417 introduced security code which passes a nonce back and forth between the client and the web screens. The change password screen did not have the corresponding nonce code, so the nonce validation filter rejected its requests as invalid access.

Additionally, when the failure was passed to the unauthorized.jsp screen, it was improperly mixing JSP and JSF calls, resulting in this message in the CM log:

ERROR /SSPDashboard - org.apache.jasper.JasperException: /unauthorized.jsp(36,712) PWC6228: #{...} not allowed in a template text body.
Problem conclusion
Added nonce logic in the change password screen, and updated the nonce filter to include the change password operation. Also updated the unauthorized.jsp code to correctly call JSP and JSF functions.
Temporary fix
Corrected change password screen and the logic underneath to work with the new nonce logic. The nonce logic improves security by ensuring the client session cannot be spoofed.
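The failure mode described above, as an added example that is not IBM's code: a simplified Python model of a per-session, single-use nonce filter, showing why a protected page that never embeds the nonce fails closed and how a coverage check catches that mismatch before release. The field name `nonce`, the class `NonceFilter` and its methods are assumptions; only the change password path comes from the CM log.

```python
import hmac
import secrets

NONCE_FIELD = "nonce"  # assumed form field name, not taken from the product
CHANGE_PW = "/SSPDashboard/faces/changePassword.jsp"  # path from the CM log


class NonceFilter:
    """Model of a per-session, single-use nonce check on protected pages."""

    def __init__(self, protected, nonce_pages):
        self.protected = set(protected)      # paths the filter validates
        self.nonce_pages = set(nonce_pages)  # pages whose form embeds a nonce
        self._pending = {}                   # session id -> expected nonce

    def render(self, session_id, path):
        """Serve a page; only nonce-aware pages get a fresh nonce field."""
        form = {}
        if path in self.nonce_pages:
            form[NONCE_FIELD] = self._pending[session_id] = secrets.token_urlsafe(32)
        return form

    def allow(self, session_id, path, form):
        """Validate a submission; protected paths fail closed."""
        if path not in self.protected:
            return True
        expected = self._pending.pop(session_id, None)  # consume: no replay
        supplied = form.get(NONCE_FIELD)
        if expected is None or supplied is None:
            return False
        return hmac.compare_digest(expected.encode(), supplied.encode())

    def uncovered(self):
        """Protected paths whose page never embeds the nonce (release check)."""
        return sorted(self.protected - self.nonce_pages)


def demo():
    # Constructed scenario: the filter covers the page, the page lacks the nonce.
    broken = NonceFilter(protected=[CHANGE_PW], nonce_pages=[])
    before = broken.allow("s1", CHANGE_PW, broken.render("s1", CHANGE_PW))
    fixed = NonceFilter(protected=[CHANGE_PW], nonce_pages=[CHANGE_PW])
    form = fixed.render("s1", CHANGE_PW)
    first = fixed.allow("s1", CHANGE_PW, form)    # legitimate submission
    replay = fixed.allow("s1", CHANGE_PW, form)   # same nonce submitted again
    other = fixed.allow("s2", CHANGE_PW, form)    # nonce used from another session
    return before, first, replay, other, broken.uncovered()
```

Running `uncovered()` over every protected route as a release check flags any screen that the filter validates but that was never updated to carry the nonce.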
Comments
APAR Information
APAR number
IC92879
Reported component name
STR SECURE PROX
Reported component ID
5725D0300
Reported release
341
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2013-06-06
Closed date
2013-06-21
Last modified date
2013-06-21
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR SECURE PROX
Fixed component ID
5725D0300
Applicable component levels
R341 PSY
UP
Document Information
Modified date:
21 June 2013