SecureTransport 5.3.3 Release Notes

This document applies to Axway SecureTransport Server 5.3.3 for all supported platforms, databases, and cluster types.

The information in this document supersedes any corresponding information in the documentation (online or printed) previously supplied for the product.

About this release

File packages:

  • SecureTransport_5.3.3_Install_aix-power-64_BN692.zip
    MD5 checksum: 99ab4b6d8b6fe04cae190acf60c73649
    Size: 529.31 MB
  • SecureTransport_5.3.3_Install_ap-x86-64_BN692.iso
    MD5 checksum: dc151822e60fecd88995cf5120cb6b77
    Size: 2.59 GB
  • SecureTransport_5.3.3_Install_linux-x86-64_BN692.zip
    MD5 checksum: 7c2be485487cbdf66993388ab1b512d6
    Size: 654.76 MB
  • SecureTransport_5.3.3_Install_sun-sparc-64_BN692.zip
    MD5 checksum: f3b6813b66d66048f9648ed49787bd86
    Size: 1.41 GB
  • SecureTransport_5.3.3_Install_win-x86-64_BN700.zip
    MD5 checksum: b86206fc8782d79703c2fe7241a0aabf
    Size: 712.46 MB
  • SecureTransport_5.3.3_UP1-from-5.3.1_aix-power-64_BN692.jar
    MD5 checksum: 915b0b8979799ec3d20c80beb38f8edd
    Size: 298.02 MB
  • SecureTransport_5.3.3_UP1-from-5.3.1_linux-x86-64_BN692.jar
    MD5 checksum: b0658d65b1f7439b4a46d4654caabe1f
    Size: 522.21 MB
  • SecureTransport_5.3.3_UP1-from-5.3.1_sun-sparc-64_BN692.jar
    MD5 checksum: 702e3e50fe6aabdeda3066c14b9e0ccb
    Size: 1.23 GB
  • SecureTransport_5.3.3_UP1-from-5.3.1_win-x86-64_BN700.jar
    MD5 checksum: aae97ba8f8a55e68c79776495cca0e8e
    Size: 583.75 MB

New features and enhancements

Advanced Routing improvements:

The main function of the Advanced Routing feature is to act as an intelligent routing engine. Additionally, it allows SecureTransport users to flexibly provision new data flows and to create diverse patterns for data movement between different participants, partner systems, and applications. Advanced Routing also functions as a placeholder for the implementation of routing mechanisms beyond those already developed in SecureTransport.

Advanced Routing provides advanced transformation and routing capabilities for the SecureTransport Server. On a high level, when specific conditions are met, particular steps are performed. Conditions and steps are wrapped in routes as part of a Route Package Template or Route Package.

Advanced Routing for SecureTransport 5.3.3 has the following new features and enhancements:

  • Process only results from previous step - only the results from the previous route step or transformation are processed by next route step or transformation
  • Remove post processing rename - the post processing rename is removed
  • Rename step - new route step to rename files
  • First N bytes for trigger file - only the first N (number) of bytes are used for trigger file

Archiving and resubmit:

The archiving of server initiated transfers (SITs) and client initiated transfers (CITs) can now be configured. The archived server initiated transfers and client initiated transfers can be resubmitted.

  • Archiving - for both server initiated transfers (SITs) and client initiated transfers (CITs)
  • Resubmit - allows resubmitting of server initiated transfers (SITs) and client initiated transfers (CITs)
  • Data migration script with native query for every supported database
  • Ability to cancel retries for server initiated transfers (SITs) initiated via Advanced Routing

Login restriction policies:

Login restrictions define and restrict the rights of individuals to log in to SecureTransport Servers or SecureTransport Edges through the configuration and use of login restriction policies. The configured login restriction policies are applicable to user accounts, account templates, and business units in a hierarchical inheritance and precedence order.

  • Login restriction policies - define and restrict the rights of individuals to log in to SecureTransport Servers or SecureTransport Edges

Flow attributes:

Two new flow attributes are introduced.

  • Flow attributes - subscription level custom attributes
  • Sentinel Custom attributes - custom sentinel attributes on the Sentinel configuration page

APIs:

Developers can now configure Custom Transfer Sites (Pluggable Transfer Sites) using the custom connectors API. The Custom Transfer Sites can be plugged into the SecureTransport Administration Tool.

SecureTransport APIs meet Swagger specifications.

  • Custom connectors API
  • Swagger specifications

Security

SecureTransport is now secured by default.

  • TLS for Sentinel
  • TLS for ICAP
  • Updated security ciphers lists
  • SHA2 signatures and bigger key size for certificate generation
  • SHA2 signatures for AS2 (payload signing only, no MDN)
  • Login threshold restriction
  • Option to disable TLS 1.0 for FIPS connections
  • Option to disable password reset
  • Lock accounts on too many failed password changes
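
The hardening items above correspond to server configuration options named later in these notes (the Ssh.*SupportGroup* key-exchange switches, Http.Ssl.Protocols, Ftp.Listeners.Ssl.enabledProtocols). The following is an added example, not Axway code: a small auditor that checks those options against what the notes state. Assumptions: the options are available as "Name = value" lines (the form the notes use for Http.Ssl.Protocols), the function names and the fips_mode flag are hypothetical, and applying the TLSv1.1/TLSv1.2-only policy to the FTP listener is a policy choice made for this example.

```python
"""Audit SecureTransport options named in the 5.3.3 release notes (added example)."""

# Switches for the key-exchange methods the notes tie to Logjam (CVE-2015-4000).
WEAK_KEX_OPTIONS = {
    "Ssh.SupportGroup1SHA1": "diffie-hellman-group1-sha1",
    "Ssh.SIT.SupportGroup1SHA1": "diffie-hellman-group1-sha1",
    "Ssh.SupportGroupExchangeSHA1": "diffie-hellman-group-exchange-sha1",
    "Ssh.SIT.SupportGroupExchangeSHA1": "diffie-hellman-group-exchange-sha1",
}

# Policy assumption: only TLSv1.1 and TLSv1.2 are acceptable, following the
# notes' own Http.Ssl.Protocols enforcement example.
ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}
PROTOCOL_OPTIONS = ("Http.Ssl.Protocols", "Ftp.Listeners.Ssl.enabledProtocols")

# Stated in the notes: in FIPS mode the key-exchange switches have no effect.
FIPS_NOTE = (
    "key-exchange options are ignored in FIPS mode; diffie-hellman-group1-sha1, "
    "diffie-hellman-group14-sha1 and diffie-hellman-group-exchange-sha1 "
    "are always offered"
)

# Constructed sample input, not taken from a real server.
SAMPLE_CONFIG = """
# constructed sample
Ssh.SupportGroup1SHA1 = true
Ssh.SupportGroup14SHA1 = true
Ssh.SupportGroupExchangeSHA1 = false
Ssh.SIT.SupportGroup1SHA1 = false
Http.Ssl.Protocol = TLS
Http.Ssl.Protocols = TLSv1, TLSv1.1, TLSv1.2
Ftp.Listeners.Ssl.enabledProtocols = SSLv2Hello
"""


def parse_options(text):
    """Parse 'Name = value' lines into a dict; blank and '#' lines are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        options[name.strip()] = value.strip()
    return options


def _is_enabled(value):
    return value.strip().lower() == "true"


def _protocols(value):
    return [p.strip() for p in value.split(",") if p.strip()]


def audit(options, fips_mode=False):
    """Return a list of (option, message) findings for the given options."""
    findings = []

    if fips_mode:
        # The switches cannot remove the SHA-1 methods here, so report that once.
        findings.append(("FIPS", FIPS_NOTE))
    else:
        for name, method in WEAK_KEX_OPTIONS.items():
            if name in options and _is_enabled(options[name]):
                findings.append(
                    (name, f"{method} is enabled; the notes list it as "
                           "vulnerable to Logjam (CVE-2015-4000)")
                )

    for name in PROTOCOL_OPTIONS:
        if name not in options:
            continue
        # SSLv2Hello is only a hello format; the handshake still needs a real
        # protocol, so it cannot be the only value.
        real = [p for p in _protocols(options[name]) if p != "SSLv2Hello"]
        if not real:
            findings.append(
                (name, "no TLS protocol listed; SSLv2Hello cannot be the only value")
            )
            continue
        outside = [p for p in real if p not in ALLOWED_PROTOCOLS]
        if outside:
            findings.append(
                (name, "protocols outside the TLSv1.1/TLSv1.2 policy: "
                       + ", ".join(outside))
            )
    return findings


if __name__ == "__main__":
    for option, message in audit(parse_options(SAMPLE_CONFIG)):
        print(f"{option}: {message}")
```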

Supportability

  • Support for AIX 7.2
  • Support for SUSE 12
  • Certification of MS AD 2012
  • Backward support for Oracle 11g
  • Partitioning for MSSQL
  • Support for GPFS
  • Option to disable cron on install
  • Option to disable DATAPUMP

ST Web Client

The new ST Web Client user interface replaces the SecureTransport Web Access Plus user interface.

  • ST Web Client user interface - replaces Web Access Plus
  • Display partially uploaded files - file uploads are now monitored when in progress and partially uploaded files are displayed
  • Folder rename - files and folders can be renamed

Upgrade of third party libraries:

  • Upgrade MySQL to 5.6.30 on all operating systems except IBM AIX, where the version is 5.0.72
  • Upgrade Oracle JRE to 8u92
  • Upgrade IBM JRE to 1.8.0_130_SR3
  • Upgrade Hibernate Validator to 4.3.2
  • Upgrade CA Siteminder to Version 12.52
  • Upgrade JDBC drivers to the latest
  • Upgrade Apache Tomcat to Version 7.0.68
  • Upgrade BouncyCastle to Version 1.54
  • Upgrade Apache Commons BeanUtils to Version 1.9.2

Corrections and fixed problems

SecureTransport 5.3.3 provides the following corrections and fixed problems:

Case ID Internal ID Description
SecureTransport 5.0 Patch 96
00824313 D-103897
  • Issue: Previously, SecureTransport did not trim spaces from remote host fields in HTTP, FTP, SSH and AS2 transfer sites.
    Resolution: Now, SecureTransport trims all spaces from host fields.
  • Issue: Previously, SecureTransport did not trim spaces from email fields in AS2 transfer sites.
    Resolution: Now, SecureTransport trims all spaces from email fields in AS2 transfer sites.
  • Issue: Previously, SecureTransport did not return the correct message when an administrator tried to set an invalid port in an HTTP, FTP or SSH transfer site of a virtual or service account.
    Resolution: Now, SecureTransport returns the correct error message when a wrong port is set.
SecureTransport 5.2.1 SP6 Patch 11
00831098 D-104225 Issue: Previously, SecureTransport SSH daemon didn't allow initial key exchange for server-initiated transfers using the diffie-hellman-group1-sha1 method which is considered vulnerable to Logjam (CVE-2015-4000).
Resolution: Now, there is a server configuration parameter named Ssh.SIT.SupportGroup1SHA1 that controls the usage of diffie-hellman-group1-sha1 key exchange method for server-initiated transfers. By default it is disabled. You should restart TM daemon after changing this parameter.
Patch 3
00801464 D-98301 Issue: Previously, SecureTransport SSH daemon didn't allow initial key exchange using the diffie-hellman-group1-sha1 method which is considered vulnerable to Logjam (CVE-2015-4000).
Resolution: Now, there is a server configuration parameter Ssh.SupportGroup1SHA1 that controls the usage of diffie-hellman-group1-sha1 key exchange method. By default it is disabled. You should restart SSH daemon after changing this parameter.
SecureTransport 5.2.1 SP7
813534 101238 Issue: Previously, the Edge PeSIT daemon was replacing the Edge Internal CA with the CA from the Backend during the SSL handshake.
Resolution: Now, the Edge PeSIT daemon is not replacing the Edge Internal CA with the CA from the Backend during the SSL handshake.
711155 121172 Issue: Previously, there was an issue in the implementation of TransactionManager.concurrentFileIOMax configuration option.
Resolution: Now, the issue is fixed.
(none) 144807 Issue: Previously, there was a concurrency issue in SecureTransport's STFS which occasionally caused transfers to fail.
Resolution: Now, the STFS concurrency issue is fixed and a lock caching mechanism is introduced.
768134 145055 Issue: Previously, SecureTransport left meta .stpack files in the _mailbox subfolders that referred to deleted AdHoc packages.
Resolution: Now, SecureTransport deletes all references to packages that have been deleted.
772668 146793 Issue: Previously, SecureTransport could not tune the transfer speeds for SITs over SFTP and low performance was registered for large files.
Resolution: Now, transfer speed may be tuned by configuring the following SSH transfer site properties:
  • Connection Read Buffer Size
  • Connection Write Buffer Size
  • Local Filesystem Buffer Size
  • Sftp Message Block Size
  • Enable TCP_NODELAY
788139 152895 Issue: Previously, when performing a server-initiated push via SSH to a remote server configured with user quota, sometimes SecureTransport entered an infinite loop and ended up with OutOfMemory error.
Resolution: Now, SecureTransport no longer hangs when performing such transfers.
(none) B-96974 Issue: Previously, there was a memory leak when transferring files using pTCP.
Resolution: Now, the memory leak is eliminated.
(none) B-102561 The Perl library is no longer shipped with SecureTransport, to reduce the risk of future vulnerabilities.
Note: Customers who have custom code written in Perl can continue using it but should rely on an external Perl interpreter.
(none) B-103706 Certificate generation in SecureTransport now allows the administrator to choose the certificate hash algorithm for newly generated certificates. By default, the value is SHA256withRSA.
MD5withRSA and SHA1withRSA are still present for compatibility reasons, but their usage is strongly discouraged.
729673 D-69746 Issue: Previously, SecureTransport used JRE's default ParallelGC garbage collector.
Resolution: Now, SecureTransport uses the G1 garbage collector for all Java processes.
The following tuning parameters are configured on installation:
  • MaxGCPauseMillis=200
  • InitiatingHeapOccupancyPercent=45
  • NumberOfGCLogFiles=10
  • GCLogFileSize=1000K
Note: The G1 log files are stored under <FILEDRIVEHOME>/var/logs/.
730198 D-70195 Issue: Previously, SecureTransport did not evaluate specific regular expression patterns for SSH transfer sites.
Resolution: Now, SecureTransport evaluates regular expression patterns consistently.
732877 D-70972 Issue: Previously, when creating FTP/SSH/HTTP transfer sites, the Download Pattern field was required, but not marked as such.
Resolution: Now, the Download Pattern field is correctly marked as a required field.
733165 D-71606 Issue: Previously, when a user tried to access a download link sent from S2H transfer site more than once, a "Not-valid CSRF prevention token" error message was received.
Resolution: Now, CSRF prevention token is not required for idempotent GET requests and no error messages will be returned.
735573 D-72094 Issue: Previously, SecureTransport responded with exception to incorrect requests to the REST API /transfers/{transferId} resource.
Resolution: Now, SecureTransport returns error message consistent with other REST API resources.
738106 D-73926 Issue: Previously, when a file was uploaded via REST API to a subscription directory for multiple transfer sites, the file was processed only by the last created transfer site.
Resolution: Now, the uploaded file is successfully processed by all transfer sites.
740022 D-74221 Issue: Previously, when a file was moved to a Standard Router's outbox folder using SecureTransport Web Access Plus, an "Error 500" message was returned.
Resolution: Now, SecureTransport's Web Access Plus does not return an error when a file is moved to a Standard Router's outbox folder.
744196 D-76171 Issue: Previously, when trying to obtain account information via SecureTransport's REST API accounts/{accountId}/users resource, there was no information about the last login time.
Resolution: Now, SecureTransport returns the user's last login time as part of the response.
744931 D-76566 Issue: Previously, when a folder was created in a shared folder, the newly created subfolder had different permissions.
Resolution: Now, all subfolders in a shared folder have the same permissions as the shared folder.
00800266 D-84896 Issue: Previously, SecureTransport reported a misleading error when clicking several times on an attachment download link in Web Access Plus web client using the Internet Explorer browser.
Resolution: Now, a detailed error message is reported.
765978 D-87226 Issue: Previously, in Disaster Recovery setup, the passive node was not able to establish streaming connections.
Resolution: Now, in Disaster Recovery setup, the passive node successfully establishes streaming connections.
754651 D-87880 Issue: Previously, SecureTransport did not authenticate the FTP data channel when client certificate authentication was used.
Resolution: Now, SecureTransport's FTP server requires a certificate for both command and data channels when client certificate authentication is mandatory.
If no certificate is present or the certificate is invalid, the server rejects the data connection.
(none) D-88602 Issue: Previously, System Import was not working properly in standard cluster.
Resolution: Now, System Import is working as expected in standard cluster.
772119 D-89639 Issue: Previously, SecureTransport running on Microsoft Windows failed to initiate second data connection when another one was established.
Resolution: Now, SecureTransport running on Microsoft Windows successfully establishes and processes more than one data connection simultaneously.
772014 D-90275 Issue: Previously, the built-in openssl tool in the $FILEDRIVEHOME/bin/ folder was associated with the following CVEs:
CVE-2015-0209
CVE-2015-0286
CVE-2015-0287
CVE-2015-0288
CVE-2015-0289
CVE-2015-0292
CVE-2015-0293

Resolution: Now, the tool has been removed to eliminate the vulnerabilities.
Note: Customers who have custom code that uses SecureTransport's openssl tool can continue using it, but should rely on an external openssl provider.
When running SecureTransport on Microsoft Windows, the runas executable does not depend on the previously shipped libraries. Instead, it is statically linked to those required libraries.
00807416 D-91703 Issue: Previously, SecureTransport did not provide functionality to control the trimming of padding symbols for incoming file transfers over PeSIT protocol when the record format was set to FIXED. By default, SecureTransport would strip the padding symbols.
Resolution: Now, SecureTransport administrators can select whether or not to strip the padding symbols by selecting a new checkbox in the transfer profiles.
775195 D-92159 Issue: Previously, SecureTransport's Folder Monitor did not remove file metadata (located inside .stfs/attrs).
Resolution: Now, the metadata is removed only if the monitored Download Folder is inside the same account's home folder.
(none) D-93194 Issue: Previously, there was a session leak when an anonymous account canceled the download of a package protected with secret question.
Resolution: Now, the session leak is fixed.
782268 D-93471 Issue: Previously, trying to access SecureTransport's Network zone details when having many local certificates resulted in an Internal Server Error.
Resolution: Now, the Network zone details are accessible regardless of the number of local certificates.
Note: Issue is fixed for Oracle database users only.
00800571 D-94218 Issue: Previously, a maximum file size was not set for backing up the SecureTransport map cache, which could lead to disk overflow errors.
Resolution: Now, the file size for the off-heap cache is initially set to 10MB with a maximum of 512MB per page.
The cache size can be configured by modifying the <FILEDRIVEHOME>/conf/coherence-cache-config.xml and <FILEDRIVEHOME>/conf/hibernate-cache-config.xml.
Note: This is applicable only for Large Enterprise Clusters.
784101 D-94224 Issue: Previously, SecureTransport server-initiated transfers via FTP Active mode to remote servers were failing randomly.
Resolution: Now, SecureTransport server-initiated transfers via FTP Active mode to remote servers are successful.
(none) D-95428 Issue: Previously, there was a deadlock when multiple users tried to log in simultaneously.
Resolution: Now, the deadlock is fixed.
788134 D-96113 Issue: Previously, when a Server Initiated pull through the REST API was triggered, there was no information in the file tracking.
Resolution: Now, the file tracking information is correctly populated.
788930 D-96563 Issue: Previously, users could not login via REST API using a client certificate unless a Referer header was provided.
Resolution: Now, users logging in via REST API using a client certificate are successfully authenticated without setting the Referer header.
790016-2, 790016-3, 790016-4, 00813698 D-96837, D-96838, D-96839, D-100850 Issue: Previously, SecureTransport was vulnerable to several CVEs (CVE-2011-3190, CVE-2009-3548, CVE-2014-0230) due to an old version of Apache Tomcat being used.
Resolution: Now, SecureTransport has upgraded Apache Tomcat, thus resolving the vulnerabilities.
00800468 D-97098 Issue: Previously, SecureTransport failed to pull a zero byte file with Folder Monitor.
Resolution: Now, SecureTransport successfully pulls files with zero bytes.
788720-1 D-97311 Issue: Previously, when a certificate was retrieved via REST API, the information for Serial Number, Issuer, and Signature Algorithm was missing.
Resolution: Now, when you get a certificate via REST API call, these three fields are also returned.
788720-2, (none) D-97313, D-38346 Issue: Previously, when certificate details were returned as a result of a REST API call, the SSH Key Fingerprint was displayed in a format different than the one used in Administration Tool.
Resolution: Now, SSH Key Fingerprint is the same if the certificate is viewed in the Administration Tool or via the REST API.
788742-1 D-97390 Issue: Previously, when an already existing certificate was imported via REST API, a too generic error was returned in the response.
Resolution: Now, a descriptive error message visible in the Administration Tool is returned, instead of the generic "Error occurred while importing certificate".
00800610 D-97714 Issue: Previously, SecureTransport FTP server would not process any commands if the response from the FTP STOR command was "553 Permission Denied".
Resolution: Now, any command sent to SecureTransport FTP server after the FTP STOR command works as expected.
00801164 D-97780 Issue: Previously, SecureTransport's HTTP server was vulnerable to Slow HTTP attacks, which could be exploited via one or more of the following 3 vectors: slow headers, slow body, slow reads.
Resolution: Now, 2 of the 3 attack vectors are mitigated by SecureTransport HTTP server's configuration.
Two new server configuration options are added:
  • Http.Request.MinBandwidth - defines the minimum processing speed of incoming HTTP requests.
  • Http.Monitor.IterationCount - defines the maximum number of drops below the threshold for incoming HTTP requests.
The slow reads attack vector should be mitigated by setting proper firewall settings regarding the minimum outbound bandwidth.
00801795 D-97917 Issue: Previously, SecureTransport FTP Server did not treat the FTP PROT command in compliance with RFC2228.
Resolution: Now, SecureTransport FTP Server treats PROT command in compliance with RFC2228.
00802076 D-98072 Issue: Previously, the SecureTransport Edge SOCKS proxy was listening only on 127.0.0.1 network interface when upgraded to Service Pack 6, thus causing failure of all server initiated transfers.
Resolution: Now, the Edge SOCKS proxy is listening on all network interfaces and the server initiated transfers are no longer failing.
802683 D-98134 Issue: Previously, SecureTransport server did not support the AES128-CTR, AES192-CTR, and AES256-CTR ciphers for SFTP server-initiated transfers.
Resolution: Now, SecureTransport server offers three new configuration parameters to control the support for the AES128-CTR, AES192-CTR, and AES256-CTR ciphers for server-initiated transfers. By default their value is true.
  • Ssh.Sit.Ciphers.Cipher.enable.aes128-ctr
  • Ssh.Sit.Ciphers.Cipher.enable.aes192-ctr
  • Ssh.Sit.Ciphers.Cipher.enable.aes256-ctr
00802713 D-98262 Issue: Previously, SecureTransport did not provide the ability to control which protocols the connection to the SecureTransport FTP daemon would accept and the SecureTransport FTP daemon was not able to accept "SSLv2 Client Hello" messages although the actual handshake later was completed with TLS1.x ciphers.
Resolution: Now, SecureTransport provides the ability to enable the specific protocols that should be used by the FTP daemon by setting the value of the new Ftp.Listeners.Ssl.enabledProtocols configuration parameter. TLSv1, TLSv1.1, TLSv1.2 is the default value of the parameter.
Note: When the SSLv2Hello value is added to the Ftp.Listeners.Ssl.enabledProtocols parameter, the SecureTransport FTP daemon will accept "SSLv2 Client Hello" messages although the actual handshake later will be completed by the specified protocol, so SSLv2Hello cannot be the only protocol specified in the Ftp.Listeners.Ssl.enabledProtocols configuration parameter.
00803315 D-98291 Issue: Previously, SecureTransport Oracle Large Enterprise Cluster failed to export TRANSFERSTATUS data on Transfer Log Maintenance Application runs and database tablespace grew drastically.
Resolution: Now, SecureTransport successfully exports the data and database size is maintained in the user-defined limits.
00801464 D-98301 Issue: Previously, SecureTransport SSH daemon didn't allow initial key exchange using the diffie-hellman-group1-sha1 method which is considered vulnerable to Logjam (CVE-2015-4000).
Resolution: Now, there is a server configuration parameter Ssh.SupportGroup1SHA1 that controls the usage of diffie-hellman-group1-sha1 key exchange method. By default it is disabled. You should restart SSH daemon after changing this parameter.
00803255 D-98468 Issue: Previously, when using folder monitor with configured subfolder monitoring, the file tracking information did not show subfolders.
Resolution: Now, file tracking information correctly shows the monitored subfolders.
00803500 D-98595 Issue: Previously, uploading a file using SecureTransport Web Access Plus with Java Applet over TLSv1.1 and TLSv1.2 failed.
Resolution: Now, TLSv1.1 and TLSv1.2 are fully supported in SecureTransport Web Access Plus.
In order to enforce TLSv1.1 and TLSv1.2, both client and server must be configured properly:
  • On SecureTransport configure the security protocols using the configuration options Http.Ssl.Protocol and Http.Ssl.Protocols.
    To enforce only TLSv1.1 and TLSv1.2 set the options to:
    Http.Ssl.Protocol = TLS
    Http.Ssl.Protocols = TLSv1.1, TLSv1.2
  • On the client machine where SecureTransport Web Access Plus with Java Applet is running:
    • Enable TLS 1.1 and 1.2 in the used browser.
      For more information on how to setup the security protocols on specific browser refer to the browser's documentation.
    • Enable TLS 1.1 and 1.2 in the Java Plug-in from the Java Control Panel.
      Note that Java 8 enables TLS 1.1 and TLS 1.2 by default while in Java 7 these protocols have to be enabled manually.
00803405 D-98911 Issue: Previously, SecureTransport failed to push a file to a remote FTP server that allowed only TLSv1.1. The SSL handshake failed and connection was not established.
Resolution: Now, SecureTransport successfully operates with such FTP servers.
00805893 D-99049 Issue: Previously, when performing a server-initiated push of a file larger than 1 GB via SSH to a remote server, SecureTransport occasionally entered an infinite loop and ended up with an OutOfMemory error.
Resolution: Now, SecureTransport no longer hangs when performing such transfers.
802097 D-99338 Issue: Previously, there was a concurrency issue in SecureTransport AdHoc functionality, which occasionally caused delays in the AdHoc anonymous delivery.
Resolution: Now, the concurrency issue is fixed and the events are executed in the correct order.
Now, the HTTP daemon waits for upload completion when uploading attachments.
Resolution: Now, a threshold has been introduced, which limits the duration of delivery execution. The threshold can be configured by setting one or more of the following system properties in start_tm_console:
  • PackageManagerInterlockTimingOn: default value: false; possible values: true or false; enables or disables the threshold.
  • PackageManagerInterlockOperationTimeout: default value: 5000 milliseconds; determines the maximum duration of the package delivery operation.
  • PackageManagerInterlockThreadsMin: default value: 3; determines the minimum size of the thread pool used for AdHoc delivery operations.
  • PackageManagerInterlockThreadsMax: default value: 300; determines the maximum size of the thread pool used for AdHoc delivery operations.
00806404 D-99518 Issue: Previously, SecureTransport SSH daemon supported the diffie-hellman-group-exchange-sha1 key exchange method, which is considered vulnerable to Logjam (CVE-2015-4000).
Resolution: Now, a new server configuration option named Ssh.SupportGroupExchangeSHA1 is added to control whether this key exchange method is supported. Requires a restart of the SSH daemon on change.
Default value is false which disables the method. The option will be ignored in FIPS mode.
00806560 D-99846 Issue: Previously, listing a folder via FTPS using client certificate authentication failed unless the client explicitly sent the CWD command.
Resolution: Now, directories and folders are listed successfully.
00806531 D-100383 Issue: Previously, a user account with encrypt mode enabled received a plain file (not encrypted) from a service account with encrypt mode enabled via the StandardRouter application.
Resolution: Now, if the user account has encrypt mode enabled, the received file is also encrypted.
00808409 D-100554 Issue: Previously, a service account with encrypt mode enabled received a plain file (not encrypted) from an account with encrypt mode enabled via the StandardRouter application.
Resolution: Now, if the service account has encrypt mode enabled, the received file is also encrypted.
00812295 D-100728 Issue: Previously, SecureTransport did not report the client IP address for unsuccessful login attempts over HTTP(S).
Resolution: Now, SecureTransport provides the client IP address for unsuccessful login attempts over HTTP(S).
00809883 D-101658 Issue: Previously, SecureTransport stored the wrong file size information in both the database and the xferlog for files pulled over SFTP using binary mode.
Resolution: Now, the correct file size information is stored in both the database and the xferlog.
00809451 D-102070 Issue: Previously, the amount of protocol commands logged when performing a transfer of a file larger than 100 GB using SecureTransport's PeSIT protocol caused an OutOfMemory error.
Resolution: Now, SecureTransport offers control over the size of the protocol commands logged during the transfer.
A new server configuration option named TransactionManager.DetailedProtocolCommandsLogging.MaxSize is added. It is used to limit the protocol commands logging by defining the maximum size of the protocol commands that will be logged in kilobytes (KB). Default value is -1 - unlimited protocol commands logging. Possible values: <size of commands in KB> | -1.
SecureTransport 5.2.1 SP7 Patch 1
741163 D-74841 Issue: Previously, the algorithm used by SecureTransport for generating cycle ID for Sentinel reporting allowed creating of duplicate values for different transfers in some cases.
Resolution: Now, the algorithm is enhanced and the possibility for duplicate cycle IDs is significantly reduced.
00828611 D-103770 Issue: Previously, users could not login via SSH using a DSA private key.
Resolution: Now, users logging in via SSH with a DSA private key are successfully authenticated.
00816546 D-104080 Issue: Previously, SecureTransport sent unencrypted files instead of PGP encrypted to outbound partners upon resubmitting the transfers when the archive functionality was enabled.
Resolution: Now, SecureTransport sends properly PGP encrypted files to the outbound partners upon resubmission of the transfers when the archive functionality is enabled.
00830685 D-104126 Issue: Previously, when trying to disable the TCP_NODELAY checkbox for an SSH transfer site, it stayed enabled.
Resolution: Now, the issue is resolved and the administrator can disable the option.
SecureTransport 5.2.1 SP7 Patch 2
00830619 D-104231 Issue: Previously, when a user tried to attach multiple files (one at a time) to an AdHoc package in SecureTransport Web Access Plus, some of the attachments were uploaded as 0-size files with no name.
Resolution: Now, attachments are uploaded with their actual name and size.
00818735 D-104862 Issue: Previously, SecureTransport rejected the sending of scanned AdHoc packages with the Antivirus Integration Accelerator.
Resolution: Now, scanned packages can be sent.
(none) D-105161 Issue: Previously, the expected SecureTransport uninstallation errors were not documented in the SecureTransport Installation Guide.
Resolution: Now, the expected uninstallation errors are documented.
00833967 D-105170 Issue: Previously, after an upgrade to SecureTransport 5.2.1 Service Pack 7, monitor server ceased to function properly.
Resolution: Now, SecureTransport monitor server is functioning properly.
(none) D-105177 Issue: Previously, administrators were not able to import DSA certificates.
Resolution: Now, DSA certificates can be imported and exported in SecureTransport.
(none) D-105179 Issue: Previously, the working namespaces were not clearly documented in the SecureTransport Administrator's Guide.
Resolution: Now, the namespaces tool tip and the SecureTransport Administrator's Guide have been updated to clearly indicate which expressions can be used.
(none) D-105376 Issue: Previously, it was not documented that the overwrite of a Custom Transfer Site upload folder would not work in the Advanced Routing Send To Partner step.
Resolution: Now, it is clearly documented that the Send To Partner step cannot overwrite the upload folder of a Custom Transfer Site.
(none) D-105419 Issue: Previously, it appeared that the Expression Language worked for a Pluggable Transfer Site in the SecureTransport Administration Tool Account template page.
Resolution: Now, it is documented that Expression Language is not supported for the Pluggable Transfer Site feature.
00836849 D-105472 Issue: Previously, SecureTransport administrators with the administrative role Delegated Administrator were not able to download exported accounts.
Resolution: Now, Delegated Administrators are able to download exported accounts.
00833731 D-105549 Issue: Previously, SecureTransport did not allow configuration of usage of supported Key Exchange Algorithms for SSH transfers.
Resolution: Now, SecureTransport provides the following configuration options for controlling the Key Exchange Algorithms:
  • For client-initiated transfers:
    • Ssh.SupportGroup1SHA1 - for diffie-hellman-group1-sha1
    • Ssh.SupportGroup14SHA1 - for diffie-hellman-group14-sha1
    • Ssh.SupportGroupExchangeSHA1 - for diffie-hellman-group-exchange-sha1
    • Ssh.SupportGroupExchangeSHA256 - for diffie-hellman-group-exchange-sha256
  • For server-initiated transfers:
    • Ssh.SIT.SupportGroup1SHA1 - for diffie-hellman-group1-sha1
    • Ssh.SIT.SupportGroup14SHA1 - for diffie-hellman-group14-sha1
    • Ssh.SIT.SupportGroupExchangeSHA1 - for diffie-hellman-group-exchange-sha1
    • Ssh.SIT.SupportGroupExchangeSHA256 - for diffie-hellman-group-exchange-sha256
Note: When FIPS mode is enabled, these configuration options have no effect and the promoted algorithms are always diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group-exchange-sha1.
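To confirm which key exchange algorithms an endpoint actually advertises after these options are changed, or when FIPS mode overrides them, read the kex_algorithms name-list from its SSH_MSG_KEXINIT message (RFC 4253, section 7.1). The Python below is an added example, not part of these release notes or of SecureTransport: the function names are hypothetical, the sample payload is constructed rather than captured, and the RFC 9142 "SHOULD NOT" rating comes from that RFC, not from this page.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number, RFC 4253 section 12

# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253 section 7.1).
NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# Algorithm -> option name suffix, as listed in the release note.
OPTION_SUFFIX = {
    "diffie-hellman-group1-sha1": "SupportGroup1SHA1",
    "diffie-hellman-group14-sha1": "SupportGroup14SHA1",
    "diffie-hellman-group-exchange-sha1": "SupportGroupExchangeSHA1",
    "diffie-hellman-group-exchange-sha256": "SupportGroupExchangeSHA256",
}

# The set the note says is always promoted when FIPS mode is enabled.
FIPS_FIXED_SET = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

# RFC 9142 rates these two key exchange methods "SHOULD NOT" (outside knowledge).
DISCOURAGED = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}


def parse_kexinit(payload: bytes) -> dict:
    """Return the ten name-lists of an SSH_MSG_KEXINIT payload as lists of str."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 17  # 1-byte message number + 16-byte random cookie
    lists = {}
    for name in NAME_LISTS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"{name} length {length} exceeds payload")
        text = payload[offset:offset + length].decode("ascii")
        offset += length
        lists[name] = text.split(",") if text else []
    # first_kex_packet_follows (1 byte) and the reserved uint32 must remain.
    if len(payload) - offset < 5:
        raise ValueError("truncated trailer")
    return lists


def audit_kex(payload: bytes, server_initiated: bool = False) -> dict:
    """Map the advertised KEX algorithms to the options that control them."""
    prefix = "Ssh.SIT." if server_initiated else "Ssh."
    offered = parse_kexinit(payload)["kex_algorithms"]
    return {
        "offered": offered,
        "matching_options": [prefix + OPTION_SUFFIX[a] for a in offered if a in OPTION_SUFFIX],
        "not_covered": [a for a in offered if a not in OPTION_SUFFIX],
        "discouraged": [a for a in offered if a in DISCOURAGED],
        "equals_fips_fixed_set": set(offered) == FIPS_FIXED_SET,
    }


def build_kexinit(kex_algorithms: list) -> bytes:
    """Build a constructed KEXINIT payload used as sample input (not a capture)."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie: constructed
    body += name_list(kex_algorithms)
    body += name_list(["ssh-rsa"])
    body += name_list(["aes128-ctr"]) * 2
    body += name_list(["hmac-sha2-256"]) * 2
    body += name_list(["none"]) * 2
    body += name_list([]) * 2
    return body + b"\x00" + struct.pack(">I", 0)


if __name__ == "__main__":
    sample = build_kexinit(
        ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"]
    )
    for key, value in audit_kex(sample).items():
        print(f"{key}: {value}")
```

An offer equal to the FIPS fixed set on a node where the SHA-1 options were meant to be turned off indicates that FIPS mode, not the options, is deciding the list.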
SecureTransport 5.3.0 Patch 17
00804103 D-98649 Issue: Previously, SecureTransport would try to create a SecureTransport system folder (named .stfs) outside of the account's home folder.
Resolution: Now, SecureTransport will not try to create any SecureTransport system folders outside the account's home folder.
Patch 16
760570-1
141359 Issue: Previously, SecureTransport was vulnerable to "FTP bounce attack".
Resolution: Now, the "FTP bounce attack" vulnerability is eliminated.
Patch 16
777332-1
149618 Issue: Previously, SecureTransport deleted all Anonymous packages every time the Save button was clicked on the Setup > Adhoc settings page in the Administration tool.
Resolution: Now, SecureTransport does not delete Anonymous packages and they are available after Adhoc settings are changed.
Patch 16
00818530
00800471
D-102830
D-96191
Issue: Previously, the coherence cluster of a SecureTransport Large Enterprise Cluster running on AIX platforms would crash and could not be recovered, because of a deadlock issue in IBM JRE (ID: IV70545).
Resolution: Now, the IBM JRE is upgraded to Version 7 R1 SR3 to eliminate the deadlock issue and make the coherence cluster on AIX platforms stable.
Patch 15
00811551
D-100358 Issue: Previously, SecureTransport running on IBM AIX platform left open file descriptors for each executed AdHoc transfer.
Resolution: Now, SecureTransport executes all AdHoc transfers without leaving open file descriptors.
Patch 14
00802439
D-98069 Issue: Previously, a service account with encrypt mode enabled received a plain file (not encrypted) from an account with encrypt mode enabled via the StandardRouter application.
Resolution: Now, if the service account has encrypt mode enabled, the received file is also encrypted.
Patch 14
00802543
D-98237 Issue: Previously, when LDAP users tried to login with email address in SecureTransport Web Access Plus client and login by email was not allowed in the associated account template, some browsers did not get an indication of an error.
Resolution: Now, a login failure message is displayed on all supported browsers.
Patch 14
00802720
D-98300 Issue: Previously, the Sharing button in the SecureTransport Web Access Plus client was always disabled when a folder was selected in the Remote tree pane.
Resolution: Now, the button is functional when a folder is selected in both the Remote tree and the SecureTransport panes.
Patch 14
00804580
D-98655 Issue: Previously, reverse DNS lookups always occurred even when the option was disabled from Setup > Miscellaneous > FTP (HTTP) Reverse DNS Lookups. There were specific options for FTP and HTTP. SSH used the value from HTTP option.
Resolution: Now, reverse DNS lookups are triggered only when the option is enabled. When the option is disabled no lookups occur. The FTP and HTTP options are removed and there is one global option for HTTP, FTP, and SSH.
Patch 14
00803298
D-99008 Issue: Previously, SecureTransport running in Standard Cluster mode did not correctly process client-initiated transfers and would reach a point at which protocol daemons were not able to connect to SecureTransport Transaction Manager without restart.
Resolution: Now, SecureTransport running in Standard Cluster processes client-initiated transfers correctly and connections between Transaction Manager and SecureTransport daemons are stable.
Patch 13
00804369
D-98549 Issue: Previously, it wasn't possible to resume an interrupted file download from SecureTransport Web Access Plus client using Chrome, Firefox, Internet Explorer, and Safari built-in download managers.
Resolution: Now, range transfers from the browsers' built-in download managers are supported, making it possible to resume transfers after a network outage or when the transfers are manually paused.
Unlike in Firefox, Internet Explorer, and Safari 9 browsers, range downloads in Chrome are toggled by the enable-download-resumption configuration option from chrome://flags features. For more information on how to enable the feature, refer to the Chrome documentation.
Patch 13
00804773
D-98644 Issue: Previously, when a user using FTP tried to list a directory different than the root with an absolute path, the directory listing failed.
Resolution: Now, the directory listing is successful in this case.
Patch 12
00800093
D-96401 Issue: Previously, when an attachment was removed from an AdHoc message in Web Access Plus or the entire message was discarded, the attachment was not visible in Sentinel as deleted and was part of the package Cycle Graph.
Resolution: Now, if a user removes one or more attachments before sending the message or discards a message with attachments, these attachments are marked as deleted in Sentinel and do not appear in the package Cycle Graph.
Patch 11
782230
150353 Issue: Previously, sharing a folder from SecureTransport Web Access Plus to an account whose home folder has been removed, failed with a non-descriptive error message.
Resolution: Now, users can successfully share folders to accounts whose home folder has been removed.
Patch 11
781953-5
150934 Issue: Previously, info, warning and error messages in SecureTransport Web Access Plus remained on the screen unless explicitly closed.
Resolution: Now, all notification messages are automatically closed after 4 seconds.
Patch 11
783072
151201 Issue: Previously, a Folder Monitor transfer site would try to create a SecureTransport system folder (named .stfs) into a folder, prior to the folder where it should pull the files from.
Resolution: Now, a Folder monitor transfer site will not try to create any SecureTransport system folders.
Patch 11
(none)
151318 Issue: Previously, moving a message by selecting Create new folder from the mail folders list in SecureTransport Web Access Plus failed with error "400: Bad Request".
Resolution: Now, moving a message in a newly created mail folder is successful.
Patch 11
785389
151649 Issue: Previously, characters outside the ASCII set or unsafe ASCII characters in mailbox folders names were not handled properly on Internet Explorer when using SecureTransport Web Access Plus, causing errors when opening the folder.
Resolution: Now, mailbox folders content is loaded successfully even when containing such characters.
Patch 11
785538
151711 Issue: Previously, when a user logged in SecureTransport Web Access Plus on Firefox multiple times, the Inbox tab was opened together with the SecureTransport tab. Then after closing the Inbox tab, the Open folder progress bar was stuck on the screen and disappeared only after logging out.
Resolution: Now, only the SecureTransport tab is opened and the progress bar is closed after loading all files in the folder.
Patch 11
(none)
151721
151722
Issue: Previously, keyboard shortcuts 'S' (Share a selected folder) and 'G + S' (Go to the Sent tab) in SecureTransport Web Access Plus were overlapping.
Resolution: Now, pressing 'S' on a selected folder opens the sharing options and 'G + S' opens the Sent tab.
Patch 11
785733
151900 Issue: Previously, it was possible for FTPD or HTTPD to be bound to the address defined for another LEC node.
Resolution: Now, each daemon is bound to the address specified per its node.
Patch 11
779714
151980 Issue: Previously, when a user tried to upload a file using SecureTransport REST API (POST request to https://<server>:<port>/api/v1.2/files), the file was successfully uploaded, but the transfer appeared as failed in the File Tracking page.
Resolution: Now, upload transfer through REST API appears in File Tracking page as successful.
Patch 11
786270
152102 Issue: Previously, a Standard Router application did not work correctly when repository encryption mode was disabled for the service account and enabled for the user account subscribed to the application. A file sent from the service account was received unencrypted by the user.
Resolution: Now, the file is received encrypted regardless of the service account's settings.
Note: For all application types, the encryption of the received file depends on the repository encryption mode of the recipient and not the sender. The following are some scenario descriptions:
1. Both the sender and recipient have repository encryption enabled. The received file will be encrypted.
2. The sender has repository encryption disabled and recipient has repository encryption enabled. The received file will be encrypted.
3. The sender has repository encryption enabled and recipient has repository encryption disabled. The received file will be unencrypted.
4. Both the sender and recipient have repository encryption disabled. The received file will be unencrypted.
Patch 11
787015
152448 Issue: Previously, listing a folder via FTPS using client certificate authentication failed unless the client explicitly sent the CWD command.
Resolution: Now, directories and folders are listed successfully.
Patch 11
(none)
153414 Issue: Previously, when a SecureTransport user shared a folder and specified Download and Upload permissions, if a collaborator without overwrite permission tried to overwrite a file in the shared directory, upload failed as expected but after three retries.
Resolution: Now, the upload fails without retries when there are no overwrite permissions.
Patch 11
(none)
153771 Issue: Previously, AS2 messages received from a Linoma Partner (Go Anywhere 5.1) were not processed correctly because there was a problem with Base64 decoding.
Resolution: Now, AS2 messages are correctly processed.
Patch 10
(none)
(none) Add support for McAfee Web Gateway version 7.5.2 and later as external ICAP Anti-virus engine.
Patch 10
785225
151581 Issue: Previously, users could not login via SSH using a DSA private key.
Resolution: Now, users logging in via SSH with a DSA private key are successfully authenticated.
Patch 10
(none)
151679 Issue: Previously, when downloading a file with special characters in its name, using the link in the Properties dialog in SecureTransport Web Access Plus web client, an error was thrown:
{"message" : "Error validating request","validationErrors" : [ "Error occurred while getting file size and type." ]}

Resolution: Now, this link is URL encoded and the file is downloaded successfully.
Patch 10
785390-1
151773 Issue: Previously, when using custom variables in REST API calls to specify transfer site fields, requests failed and errors were reported in the SecureTransport server log.
Resolution: Now, transfer site fields can be successfully modified using custom variables in REST API requests.
Patch 10
785390
151774 Issue: Previously, when pulling files to a SharedFolder subscription via REST API, the files were transferred to the subscription directory under the user's home folder.
Resolution: Now, the pulled files are stored in the actual shared folder location.
Patch 10
(none)
151938 Issue: Previously, HTML character entities in SecureTransport Web Access Plus were rendered as symbols when used in mail folders, mail attachments, local and remote files, and folder names.
Resolution: Now, text is displayed without HTML interpretations.
Patch 10
(none)
151945 Issue: Previously, SecureTransport Web Access Plus was vulnerable to HTML injection attack by uploading a file containing HTML code in its name.
Resolution: Now, uploaded file names are encoded properly and HTML injection is prevented.
Patch 10
785390-2
152040 Issue: Previously, users could not login via RestAPI using a client certificate unless a Referrer header was provided.
Resolution: Now, users logging in via RestAPI using a client certificate are successfully authenticated without setting the Referrer header.
Patch 10
(none)
152429 Issue: Previously, when a message with triangle brackets in its body was composed in SecureTransport Web Access Plus and delivered to a standard mailbox, the parts of the message enclosed in triangle brackets were missing from the received message.
Resolution: Now, the complete message is received including the parts enclosed in triangle brackets.
Patch 10
(none)
152857 Issue: Previously, in a standard cluster environment with streaming and ICAP scanning enabled, there was an "MD5 checksum verification failed" error message in SecureTransport Web Access Plus when a user uploaded a file on the edge.
Resolution: Now, SecureTransport Web Access Plus displays correct upload statuses.
Patch 9
772607
146931 Issue: Previously, when saving a route package in the SecureTransport Administration Tool, all routes were saved, resulting in decreased performance.
Resolution: Now, when saving a route package, fewer requests are sent and the performance is improved.
Patch 9
781953-3
150932 Issue: Previously, when dragging and dropping multiple files from a folder to another folder in SecureTransport Web Access Plus, the folder view was not properly refreshed. Some of the files still appeared to be present although they had been successfully moved to the new location.
Resolution: Now, successfully moved files are no longer visible in the previous folder.
Patch 9
783808
150995 Issue: Previously, when a user shared a folder that contained subfolders and immediately navigated to it, the Sharing button was available for the subfolders although it should not have been.
Resolution: Now, when the user navigates to a shared folder, the Sharing button is not available.
Patch 9
785751
151841 Issue: Previously, when SecureTransport was configured to use Basic Authentication as an authentication method, the user session expiring would lead to an infinite loop.
Resolution: Now, using Basic Authentication no longer leads to an infinite loop.
Patch 8
781648
150195 Issue: Previously, when a user shared a folder with accounts that have upper-case email addresses, a "Linking to directories is not supported" error message was displayed in SecureTransport Web Access Plus.
Resolution: Now, using upper or lower case in the account email addresses is irrelevant to SecureTransport Web Access Plus shared folders functionality.
Patch 8
782148
150447 Issue: Previously, when SecureTransport Web Access Plus was configured to use Basic Authentication instead of a HTML form by setting Http.FdxAuthReply configuration parameter to BA, after the user logged out and tried to login again, the Basic Authentication prompt appeared and never went away.
Resolution: Now, a user can successfully logout and then login using Basic Authentication.
Patch 8
782976
150663 Issue: Previously, when creating a directory using SecureTransport Web Access Plus in list file view on Internet Explorer 11, the notification message "Creating directory (1)" remained on the screen until the user logged out.
Resolution: Now, the notification dialog is hidden once the operation is finished for all file and folder actions.
Patch 8
783009
150754 Issue: Previously, when an AdHoc package with large attachment(s) was forwarded in SecureTransport Web Access Plus, an error message "Draft was not saved" was occasionally displayed.
Resolution: Now, users can successfully forward an email with large attachment(s).
Patch 8
781953
150930 Issue: Previously, when a user shared a folder with a # character and/or a & character in its name, the shared information was missing in SecureTransport Web Access Plus.
Resolution: Now, characters like # and & do not cause corruptions in the shared folder.
Patch 8
781953
150931
  • Issue: Previously, when a user tried to delete a non-empty shared folder, the delete operation failed but the folder was unshared leading to an inconsistency between the main and the tree view in SecureTransport Web Access Plus.
    Resolution: Now, the folder status is updated properly in both main and tree views.
  • Issue: Previously, when a user shared a folder and switched between list and icons views the status of the shared folder was not properly updated.
    Resolution: Now, the folder status is updated properly in both list and icons views.
Patch 8
783785
150942 Issue: Previously, when sending mail using SecureTransport Web Access Plus to multiple recipients and at least one address was not formatted properly, an unclear and misspelled error message was displayed.
Resolution: Now, a descriptive message is displayed, explaining the actual error cause.
Patch 8
(none)
150970 Issue: Previously, when a user tried to add a collaborator in the sharing dialog without entering any symbols, there was a non-descriptive warning message.
Resolution: Now, there is a more descriptive warning message stating that the user must enter a valid email address.
Patch 8
(none)
151053 Issue: Previously, when a user tried to compose an email using SecureTransport Web Access Plus and requests were redirected through an HTTP proxy server, occasionally a "ConcurrentModificationException" was thrown and a warning message was reported in the Server Log.
Resolution: Now, users can successfully compose an email using SecureTransport Web Access Plus while requests are redirected through an HTTP proxy, and no warning message is reported in the Server Log.
Patch 8
(none)
151628 Issue: Previously, an unlicensed user replying to a message was unable to access the custom properties of the messages RestAPI resource.
Resolution: Now, the custom properties of the messages resource are accessible by an unlicensed user.
Patch 7
752176-2
139021 Issue: Previously, when sending a file to SecureTransport via Integrator, there were errors in the Server log.
Resolution: Now, the file is successfully transferred and there are no errors in the Server log.
Patch 7
762325
144053 Issue: Previously, selecting Upload restriction replaced the user's file UID with the GID number.
Resolution: Now, UID and GID numbers are properly set after upload.
NOTE: This issue is applicable only for UNIX platforms and it does not apply to SecureTransport running on Windows environment.
Patch 7
771349
147149 Issue: Previously, selecting Mode for Upload restrictions set GID:GID for file ownership instead of UID:GID.
Resolution: Now, the ownership of the file is properly set.
NOTE: This issue is applicable only for UNIX platforms and it does not apply to SecureTransport running on Windows environment.
Patch 7
780321
772704-1
147386
149688
Issue: Previously, when a collaborator's account had been deleted or their home folder had been changed and the folder owner decided to unshare it, the folder still appeared as shared. Also when the folder owner account had been deleted or their home folder had been changed, all of the collaborators were still able to see the shared folder and if they tried to access it an error message was displayed.
Resolution: Now, when an account is deleted or its home folder is changed from the SecureTransport Administration Tool, all of the shared folder links are removed and no broken links remain.
Patch 7
773447
147466 Issue: Previously, filesystem restrictions did not work as expected when using FTP, specifically restrictions on the delete file operation configured on the Admin UI > Access > Restrictions-Filesystem page. Allow folder/deny all else did not take effect over FTP or FTPS and "Permission denied" errors were observed.
Resolution: Now, the filesystem restrictions work properly when using FTP.
Also, a new server configuration option is introduced: Restrictions.OrderOfApplication.
There are 2 values available for the option - new and legacy.
Legacy (default) - rules are applied from bottom to top.
New - rules are applied from top to bottom.
Patch 7
776806
148108 Issue: Previously, when a file was uploaded the SecureTransport Server always applied the owner, group, and mode configured in the first upload restriction from the Upload restriction list.
Resolution: Now, SecureTransport Server applies the owner, group, and mode using the settings of the correct upload restriction matching the file transfer.
Previously, SecureTransport Server ignored the owner, group, and mode values configured in an upload restriction when the file mode was set by the client during the transfer.
Now, you can use the new server configuration parameter Users.Uploads.RestrictionsApplication to control SecureTransport behavior.
  • limited (default) - preserves the current behavior. SecureTransport server applies the owner, group and mode values set in an upload restriction only when the file mode is not set by the client.
  • full - SecureTransport Server applies the owner, group and mode values set in an upload restriction regardless of the file mode set by the client during the transfer. SecureTransport Server applies the file mode set by the client when the mode value in the upload restriction is left empty.
NOTE: This issue is applicable only for UNIX platforms and it does not apply to SecureTransport running on Windows environment.
Patch 7
776806-1
148270 Issue: Previously, SecureTransport Server ignored the value of the Users.DefaultUmask configuration parameter and created the uploaded files with default permissions of 644.
Resolution: Now, the correct value of the Users.DefaultUmask configuration parameter is used.
NOTE: This issue is applicable only for UNIX platforms and it does not apply to SecureTransport running on Windows environment.
Patch 7
(none)
149700 Issue: Previously, when ICAP scanning and repository encryption for an account were enabled, client initiated uploads failed because the ICAP server blocked the transfer.
Resolution: Now, repository encryption does not affect the file upload and all transfers are correctly passed or blocked by the ICAP scanning.
Patch 7
781955
150310 Issue: Previously, when deleting a non-empty folder from SecureTransport Web Access Plus, there was a generic error stating that the operation was denied.
Resolution: Now, the error is more descriptive stating that the operation was unsuccessful because the directory is not empty.
Patch 7
782185
150333 Issue: Previously, a "Not-valid CSRF prevention token" error message was received in the browser if the user clicked on more than one download notification link originating from the Shared Folder Collaboration functionality.
Resolution: Now, a CSRF prevention token is not required for idempotent GET requests and user will not receive an error message in this case.
Patch 7
783009
150624 Issue: Previously, when installing or uninstalling a SecureTransport patch, database operations were always performed and SecureTransport services always started automatically after an update.
Resolution: Now, SecureTransport offers an option to skip database changes and control services start when installing or uninstalling a patch update.
NOTE: This is applicable only for SecureTransport Large Enterprise Cluster. The only supported install procedure is console mode. In order to skip database operations when installing or uninstalling a patch update, add the following command line Java argument: -javaargument -DST_UPDATEDB=false.
For example:
  • <AxwayHome>/update.sh -i <UPDATE_PACKAGE_FILE_LOCATION>/SecureTransport_5.3.0_Patch11_allOS_BN1390.jar -javaargument -DST_UPDATEDB=false for UNIX-based platforms and Axway Appliances.
  • <AxwayHome>\update64.exe -i <UPDATE_PACKAGE_FILE_LOCATION>\SecureTransport_5.3.0_Patch11_allOS_BN1390.jar -javaargument -DST_UPDATEDB=false for Microsoft Windows.
In order to skip start of SecureTransport services, set a system environment variable STARTSERVICES with value false.
Patch 6
773912
147546 Issue: Previously, when Advanced Routing was configured with two steps (Decompress and Publish to Folder), and NFS share was used for the account home folder, in some cases the SecureTransport Server tried to decompress the files already decompressed from the original archive.
Resolution: Now, the Decompress step does not attempt to decompress the files already decompressed from the original archive.
Patch 6
779833
149406 Issue: Previously, when a folder had been shared to an LDAP user, and the owner of the folder opened the sharing pop-up, but made no changes and clicked the Share button, an error message was returned in SecureTransport Web Access Plus.
Resolution: Now, there are no error messages in this case.
Patch 6
779377
149424 Issue: Previously, when SecureTransport Server was installed on Microsoft Windows and updated with Patch 3 or newer, virtual users mapped to a real user account in the Password Vault were unable to upload files.
Resolution: Now, virtual users are able to upload files.
Patch 6
780322
149650 Issue: Previously, unlicensed users were able to reply only to the first received message from a conversation using SecureTransport Web Access Plus or REST API. Replying to a subsequent message in the same conversation was rejected with error: "Unlicensed user cannot change message subject."
Resolution: Now, replying to a subsequent message in a conversation is allowed as long as the unlicensed user replies only once to the message.
NOTE: There is a difference between replying multiple times to one message and replying to a subsequent message in the same conversation.
Patch 6
780122
149697 Issue: Previously, when a new account was created by the SecureTransport enrollment mechanism, Lock account after X failed attempts was not set.
Resolution: Now, there is a new server configuration option named Users.DefaultLockoutLimit. It is used when enrolling a user account to specify the default value of the Lock account after X failed login attempts property.
Patch 6
781430
150194 Issue: Previously, when a user shared a folder from SecureTransport Web Access Plus to an LDAP account that has not yet logged in SecureTransport, the LDAP account's home folder was created with an incorrect UID and GID.
Resolution: Now, when a user shares a folder to an LDAP account, the LDAP account's home folder is correctly created with the UID and GID specified in the corresponding Account Template.
Patch 6
781954
150309 Issue: Previously, the Java Applet was loaded on Internet Explorer 11 in SecureTransport Web Access Plus even when set to Java Applet disabled.
Resolution: Now, the Java Applet is loaded on all supported browsers only when SecureTransport Web Access Plus is set to Java Applet enabled.
Patch 5
772419
146455 Issue: Previously, SecureTransport did not honor the related configuration options Users.LoginNames.normalizedCaseInsensitiveUsername and Users.LoginNames.virtualUserCaseSensitive.
Resolution: Now, if the configuration option Users.LoginNames.virtualUserCaseSensitive is set to false and the configuration option Users.LoginNames.normalizedCaseInsensitiveUsername is set to lower or upper rather than none, SecureTransport normalizes the typed user name before logging in.
Patch 5
(none)
148693 Issue: Previously, SecureTransport Web Access Plus occasionally threw exceptions when multiple asynchronous requests were sent to mailbox resources.
Resolution: Now, SecureTransport REST mailbox resources function properly.
Patch 5
778205
148694 Issue: Previously, AdHoc messages with binary attachments were blocked by the ICAP server with preview mode enabled when SecureTransport ICAP scanning and package encryption were configured.
Resolution: Now, AdHoc messages with binary attachments are successfully sent.
Patch 5
(none)
148697 Issue: Previously, Sentinel ICAP scanning events for Adhoc message subject and body were not linked to the original AdHoc package.
Resolution: Now, AdHoc message and subject ICAP events are linked to the AdHoc package Cycle Id.
Patch 5
779781
149486 Issue: Previously, the SecureTransport Administration Tool ICAP Settings page did not support custom service input, other than REQMOD and RESPMOD.
Resolution: Now, SecureTransport administrator can edit the entire DLP/AV ICAP URL in the following format icap://dlpav-address:port/servicename
Patch 5
777951
149795 Issue: Previously, SecureTransport Web Access Plus shared folders functionality did not work with SecureTransport Edge installed on Windows and SecureTransport Server installed on IBM AIX.
Resolution: Now, a user logged in to SecureTransport Web Access Plus through SecureTransport Edge running on Windows can successfully share folders if SecureTransport Server is running on IBM AIX.
Patch 5
780810
149860 Issue: Previously, file paths used on the SecureTransport Server were constructed using the SecureTransport Edge file system path separator.
Resolution: Now, UNIX path separators are always used for communication between modules and are converted to Windows at the SecureTransport Server, if necessary.
Patch 4
771260
145835 Issue: Previously, unlicensed users with access to an AdHoc Shared Folder were able to view home folders of other users.
Resolution: Now, unlicensed users only have access to their home folders.
Patch 4
771114
778498
145836
148994
Issue: Previously, unlicensed users attempting to reply to an AdHoc message using SecureTransport Web Access Plus, were redirected to the login page with an "Invalid username or password" error message.
Resolution: Now, unlicensed users are able to reply to an AdHoc message.
Patch 4
772597
147179 Issue: Previously, an existing user was unable to use non-existing users as collaborators with AdHoc Shared Folders.
Resolution: Now, sharing between existing and non-existing users is possible.
Patch 4
772597
147183
  • Issue: Previously, a SecureTransport user was not able to enroll collaborators if default network zone was not configured.
    Resolution: Now, AdHoc Shared Folder functionality is working correctly, even if there is not a default network zone configured.
  • Issue: Previously, a SecureTransport user that was part of business unit with a Default enrollment template, was not able to enroll collaborators.
    Resolution: Now, the Adhoc account enrollment template global setting is used even if Business Unit enrollment template is set to Default.
  • Issue: Previously, expressions set in the enrollment account template, were not resolved.
    Resolution: Now, expressions set in the enrollment account templates are working correctly.
Patch 4
773915
147531 Issue: Previously, file upload using SecureTransport Web Access Plus triggering Publish to Account step, was blocked by the ICAP scan when Delete On Success Post Processing was selected.
Resolution: Now, the upload is successful and the Advanced Routing is triggered.
Patch 4
(none)
148975
  • Issue: Previously, SecureTransport Web Access Plus transfers were retried in infinite loop when an error affected the whole transfer.
    Resolution: Now, SecureTransport Web Access Plus resets the transfer retries counter on each successfully uploaded chunk.
  • Issue: Previously, when a network outage occurred, the SecureTransport Web Access Plus retry timer was not stopped when the transfer was paused or canceled by the user.
    Resolution: Now, the retry timer is stopped.
Patch 3
773164
147266 Issue: Previously, in a non-root SecureTransport installation, there were significant performance issues and warnings when using the Shared Folder type application and the shared folder was outside the account home directory.
Resolution: Now, there are no performance issues or warnings in this case.
Patch 3
774508
147268 Issue: Previously, in a non-root SecureTransport installation, a Folder Monitor transfer site did not process files when the download directory was outside the account home directory.
Resolution: Now, Folder Monitor transfer sites process files correctly in this case.
Patch 2
770370
145421 Issue: Previously, a user upload of a file larger than 2GB failed using SecureTransport Web Access Plus with the Java Applet disabled.
Resolution: Now, uploads of files larger than 2GB are successful.
Patch 2
772739
147052
  • Issue: Previously, when using SecureTransport Web Access Plus, a temporarily failing upload was retried from the beginning.
    Resolution: Now, the retries of such failures are started from the last successfully uploaded chunk.
  • Issue: Previously, SecureTransport Web Access Plus counted the retry attempts for the whole transfer.
    Resolution: Now, SecureTransport Web Access Plus resets this counter on each successfully uploaded chunk.
  • Issue: Previously, SecureTransport Web Access Plus attempted to retry a transfer right after a failure was detected.
    Resolution: Now, in case of a failure SecureTransport Web Access Plus will wait 10 seconds between each attempt.
Patch 2
772640
147544 Issue: Previously, when there was a temporary transfer failure (for example, a network outage), the transfer retry started from the beginning, and it started in the folder where the user was currently located instead of the folder where the upload was interrupted.
Resolution: Now, retries start with the last chunk (100 MB segment) and in the same folder where the upload was interrupted.
Patch 1 144463 Issue: Previously, the template of the LDAP recipient was not calculated correctly by a SecureTransport Server with installed EAAS customization.
Resolution: Now, the SecureTransport Server correctly calculates the template.
SecureTransport 5.3.1 Patch 7
00837057 D-105622 Issue: Previously, after upgrading SecureTransport to version 5.3.1 on AIX, in some cases administrators and users created before the upgrade were not able to log in unless an Administrator reset their passwords.
Resolution: Now, SecureTransport users and administrators can successfully log in.
Patch 6
00829106
D-103983 Issue: Previously, there was a possibility for an attacker to modify some of the contents of already sent AdHoc messages using crafted REST API calls.
Resolution: Now, there is no possibility to make any changes to already sent AdHoc messages.
Patch 6
00834301
D-104936 Issue: Previously, the Server Log contained a "Password verification failed" log message before successful authentication over FTP.
Resolution: Now, this message is no longer present at the default logging level.
Patch 5
00804103
D-98649 Issue: Previously, SecureTransport would try to create a SecureTransport system folder (named .stfs) outside of the account's home folder.
Resolution: Now, SecureTransport will not try to create any SecureTransport system folders outside the account's home folder.
Patch 5
00805479
D-99464 Issue: Previously, when a user logged out or when a SendToPartner step was triggered, the logging information did not provide sessionId information for "Removed session..." log messages.
Resolution: Now, SecureTransport provides sessionId entries for such messages when a user logs out or executes a SendToPartner routing step.
Patch 5
00808322
D-99551
D-99547
Issue: Previously, when transferring big files over PeSIT with ASCII mode enabled, out of memory errors could appear causing incomplete transfers and crashes of the PeSIT and the TM daemons.
Resolution: Now, no such errors appear and the transfers finish successfully regardless of file size. A new configuration option is added: Pesit.ASCII.recordsInfo.bulk.size. Default value: 32768. Minimum accepted value: 1024.
Patch 5
00809451
D-102070 Issue: Previously, the amount of protocol commands logged when performing a transfer of a file larger than 100 GB using SecureTransport's PeSIT protocol caused an OutOfMemory error.
Resolution: Now, SecureTransport offers control over the size of the protocol commands logged during the transfer.
A new server configuration option named TransactionManager.DetailedProtocolCommandsLogging.MaxSize is added. It is used to limit the protocol commands logging by defining the maximum size of the protocol commands that will be logged in kilobytes (KB). Default value: -1 - unlimited protocol commands logging. Possible values: <size of commands in KB> | -1.
Patch 5
00828055
D-103662 Issue: Previously, users with an email address containing an underscore (_) were not able to log in in some cases.
Resolution: Now, users with such an email address are able to log in successfully.
Patch 5
00828593
D-104035 Issue: Previously, it was possible for files to be processed through the wrong transfer site as a result of mixed-up subscriptions' transfer configurations during dynamic synchronization in Standard Cluster.
Resolution: Now, the issue is resolved: the transfer configurations of different subscriptions can no longer be mixed up, and files can no longer be processed by the wrong transfer site.
Patch 5
none
D-104848 JRE is upgraded to latest version which resolves several security vulnerabilities.
  • IBM JRE is upgraded to version 8 Service Release 3
  • Linux, Solaris and Windows JRE is upgraded to 1.8.0 update 92
Patch 4
none
D-104652 Issue: Previously, after applying SecureTransport 5.3.1 Patch 3 the newly created subscriptions were corrupted preventing the execution of server-initiated transfers.
Resolution: Now, the subscriptions are properly created and the server-initiated transfers are successfully executed.
Note: Subscriptions created before applying SecureTransport 5.3.1 Patch 4 will not be corrected by the patch. To fix the subscriptions, you need to:
  • Open them for editing using the Administration Tool and save them without making any changes
  • Or update them using the subscriptions RESTful API
Note: Files already uploaded in a corrupted subscription folder will not trigger the chained flow. You need to re-upload the files to trigger the flows.
Patch 3
00815930
D-101294 Issue: Previously, administrators were not able to subscribe an account to an application when there was no common business unit between them.
Resolution: Now, there is a global configuration option CrossBusinessUnitSubscription.enable which specifies whether or not to accept requests to subscribe an account to an application when there is no business unit in common between them. The available configuration values are true or false. The default value is false.
Patch 3
00815909
D-101597 Issue: Previously, there was a progressive slowness upon subscribing an account with many subscriptions to an application via REST API calls.
Resolution: Now, the progressive slowness is resolved and the time for each consecutive subscription is consistent.
Patch 3
00822830
D-102774 Issue: Previously, calls to the REST API business units resource filtered by application name were failing.
Resolution: Now, the REST API calls are successfully processed and the correct information is returned.
Patch 3
00827018
D-103463 Issue: Previously, after upgrading SecureTransport to version 5.3.1, administrators and users with passwords longer than nine symbols and/or containing special characters were not recognized and the users were not able to log in unless an Administrator reset their passwords.
Resolution: Now, SecureTransport users and administrators can successfully log in after upgrade to SecureTransport version 5.3.1 and later.
Patch 3
00830237
D-104064 Issue: Previously, when a directory was selected in Web Access Plus, there was a Rename button in the Organize menu.
Resolution: Now, there is no Rename button in the Organize menu if a directory or multiple entities (directories or files) are selected.
Patch 3
(none)
D-104286 Issue: Previously, business units could not be created from the SecureTransport Administration Tool.
Resolution: Now, business units are created successfully.
Patch 2
00802539
D-99209 Issue: Previously, the DXAGENT_BUSINESS_UNIT_NAME environment variable was not exposed for Outgoing events.
Resolution: Now, DXAGENT_BUSINESS_UNIT_NAME and DXAGENT_BUSINESS_UNIT_ID environment variables are exposed in the environment for all events.
Patch 2
00822315
00822316
00822317
00822318
D-102686
D-102687
D-102688
D-102689
Issue: Previously, SecureTransport was vulnerable to several CVEs (CVE-2016-0706, CVE-2016-0714, CVE-2015-5345, CVE-2015-5174).
Resolution: Now, the Apache Tomcat library is upgraded and SecureTransport is no longer vulnerable.
Patch 2
00823028
D-103363 Issue: Previously, SecureTransport logged the user passwords in plain text when debug mode was enabled.
Resolution: Now, the user passwords are no longer reported as plain text when in debug mode.
Patch 1
(none)
D-99615 Issue: Previously, the SecureTransport Administration tool login form was vulnerable to Reflected Cross-Site Scripting attacks by passing malicious data in the initial request parameters.
Resolution: Now, the SecureTransport Administration Tool is protected against this vulnerability.
SecureTransport 5.3.1 Patch 8
00833877 D-104853 Issue: Previously, the OutboundConnections.maxConnectionsPerHost parameter limited Folder Monitor transfers.
Resolution: Now, this parameter is ignored for FolderMonitor transfers.
00832224 D-105019 Issue: Previously, SecureTransport SFTP outbound connections with compression could fail with ZStreamNoClassDefFoundError.
Resolution: Now, connections with compression to remote SFTP servers complete successfully.
00825247 D-105073 Issue: Previously, when a business unit was assigned to a Delegated Administrator and a respective child business unit was created, the child business unit did not get automatically assigned to that administrator.
Resolution: Now, SecureTransport automatically assigns newly created child business units to the Delegated Administrators.
00834937 D-105165 Issue: Previously, when an end user downloaded a file with a third-party HTTP client that supports disposition, SecureTransport did not set some environment variables starting with DXAGENT_HTTP_ on the Outgoing End event.
Resolution: Now, SecureTransport populates DXAGENT_HTTP_* variables on Outgoing End event for any of the supported HTTP third party clients.
SecureTransport 5.3.1 Patch 8
00841858 D-106524 Issue: Previously, files uploaded over SFTP with SSH_FXF_EXCL option set were not repository encrypted.
Resolution: Now, the files uploaded with the SSH_FXF_EXCL option set are repository encrypted.
SecureTransport 5.3.2 Resolved Defects
(none) B-103810 Issue: Previously, the SecureTransport administrator could not disable or enable the password reset functionality.
Resolution: Now, the SecureTransport administrator can enable or disable the password reset functionality with the PasswordReset.Enabled server configuration parameter.
Note: The default value of the PasswordReset.Enabled server configuration parameter is true, and the password reset feature is enabled. If the value is changed to false, SecureTransport will not initiate password reset requests. The Web Access Plus end-user experience is not changed. Users can still submit password reset requests, and SecureTransport informs the users that the request has been submitted. However, SecureTransport will not send password reset emails or perform any password reset actions. Only a server log message will be logged to inform administrators that a password reset request has been submitted.
755675
127477
D-82290 Issue: Previously, an error was logged in the SecureTransport Server Log when the download of an attachment was canceled. For example, when a user received an email notification (from adhoc for the received file) and clicked on the download link, a dialog asking for download confirmation was displayed. However, if the user clicked on the Cancel button (or interrupted the download during its progress), an error message was logged in the SecureTransport Server Log and the transfer was listed with status failed in the File Tracking log.
Resolution: Now, the download of attachments via email notifications can be interrupted or canceled without errors.
(none) D-86029 Issue: Previously, a failed transfer could not be canceled from the SecureTransport File Tracking page when SecureTransport was running in passive_legacy mode on an IBM AIX.
Resolution: Now, a failed transfer can be canceled.
(none) D-91319 Issue: Previously, when trying to download a non-existing file over FTP (plain) through a SecureTransport Edge socks proxy, the error reported was incorrect: "Connection refused." or "Connection timed out."
Resolution: Now, the correct error is reported when trying to download a non-existing file: "No such file or directory."
(none) D-95074 Issue: Previously, a SecureTransport administrator was unable to remotely bounce a passive node from the primary node in a cluster. The following error would be received in the SecureTransport Administration Tool: "Slave node02: Failed. Unable to bounce server."
Resolution: Now, a passive node can be successfully bounced remotely from the primary node in a SecureTransport cluster.
(none) D-95118 Issue: Previously, when a folder with a long name was created, the folder creation would fail and SecureTransport would return a non-descriptive "500: Internal server error" message.
Resolution: Now, when a folder creation fails SecureTransport returns a failure message that provides a descriptive reason for the folder creation failure.
786611 D-95438 Issue: Previously, when a new server was installed in a SecureTransport Large Enterprise Cluster, the new server overwrote the LEC email templates with the default email templates.
Resolution: Now, the newly installed server inherits the email templates from the LEC instead of replacing them with the default email templates.
00804580 D-98768 Issue: Previously, SecureTransport non-root installations allowed users to navigate to the .stfs folder which could cause undesired behavior in the nested .stfs folder structure.
Resolution: Now, SecureTransport does not allow access to the .stfs folder structure or any interaction with it. Additionally, SecureTransport does not allow access to any hidden folders.
(none) D-98790 Issue: Previously, SecureTransport was vulnerable to the LogJam vulnerability (CVE-2015-4000, aka LogJam).
Resolution: Now, full support of Elliptic Curve (EC) ciphers has been added to SecureTransport to eliminate the vulnerability.
(none) D-98809 Issue: Previously, when an alias query within the SecureTransport Administration Tool > LDAP > ldap domain > LDAP Searches > Alias Query was saved, SecureTransport would add amp; to the query name.
Resolution: Now, SecureTransport does not add extra characters/symbols to the Query Name field.
(none) D-99048 Issue: Previously, a SecureTransport delegated administrator, with read only access to accounts, could not view account transfer sites, certificates, or subscriptions.
Resolution: Now, SecureTransport delegated administrators with read only access can view account transfer sites, certificates, and subscriptions.
130641 D-99280 Issue: Previously, there was insufficient documentation for what was accepted in the Expression Language (EL) functions and variables by each EL field. For example, there was no exact information on the difference between the "STFS PeSIT" and "PeSIT" expressions (described in the Advanced Routing > Custom Expression Language functions and variables section of the SecureTransport Administrator's Guide) and by which fields they are accepted.
Resolution: Now, the Advanced Routing > Custom Expression Language functions and variables section of the SecureTransport Administrator's Guide has been updated to include additional details for the "STFS PeSIT" and "PeSIT" expressions.
74864 D-99532 Issue: Previously, SecureTransport administrators could change their password from the Administration Tool > Accounts > Change password page without providing the current one.
Resolution: Now, SecureTransport administrators must provide their current or old password to change their password.
(none) D-100474 Issue: Previously, when a SecureTransport transfer failed with an "Invalid Subscriber ID" error, the .m_inproc file for the failed file transfer was not removed from the service account.
Resolution: Now, when a SecureTransport transfer fails with an "Invalid Subscriber ID" error, the .m_inproc file for the failed file transfer is removed from the service account.
00819411 D-102128 Issue: Previously, the SecureTransport Edge SOCKS proxy was listening only on the 127.0.0.1 network interface when upgraded from Service Pack 6, causing failure of all server initiated transfers.
Resolution: Now, the Edge SOCKS proxy is listening on all network interfaces and the server initiated transfers are no longer failing.
(none) D-102680 Issue: Previously, SecureTransport shipped with the default Apache Tomcat applications "webapps/host-manager", "webapps/manager", and "webapps/examples".
Resolution: Now, SecureTransport no longer ships with the default Apache Tomcat applications.
SecureTransport 5.3.3 Resolved Defects
135200 D-78985 Issue: Previously, when the AS2 daemon was started, both ports associated to the AS2 daemon via non SSL (10080) and the AS2 daemon via SSL (10443) were opened, no matter which options were selected in the SecureTransport Administration Tool.
Resolution: Now, when the AS2 daemon is started, only the ports associated with the selected options are opened.
142143 D-85772 Issue: Previously, SecureTransport did not enforce a unique email address for each user account, which led to login failures.
Resolution: Now, the SecureTransport Administrator's Guide has been updated to stress that each user account must have a unique password.
148039 D-91319 Issue: Previously, when an attempt was made to download a non-existing file over FTP (plain) protocol through a SecureTransport Edge socks proxy, the error reported was incorrect: "Connection refused." or "Connection timed out." rather than "No such file or directory."
Resolution: Now, the correct error is reported when attempting to download a non-existing file.
148671 D-91862 Issue: Previously, SecureTransport 5.2.1 SP5 had a possible hibernate-validator vulnerability.
Resolution: Now, the hibernate-validator vulnerability is eliminated.
151634 D-94669 Issue: Previously, AdHoc email content was truncated.
Resolution: Now, AdHoc email content is not truncated.
151640 D-94674 Issue: Previously, a SecureTransport Web Access Plus user could download a file while it was being uploaded.
Resolution: Now, in progress files can not be downloaded when using the new SecureTransport Web Client.
151645 D-94679 Issue: Previously, when using SecureTransport Web Access Plus, there were issues with resizing the Compose Mail textbox.
Resolution: Now, the Compose Email textbox can be resized in the new SecureTransport Web Client.
(none) D-95121 Issue: Previously, when using SecureTransport Web Access Plus, inaccessible and invalid folders could be created.
Resolution: Now, when using the new SecureTransport Web Client, the inaccessible and invalid folders can not be created.
00804414 D-98514 Issue: Previously, when using SecureTransport Web Access Plus, unlicensed accounts did not see a Progress bar when uploading files.
Resolution: Now, when using the new SecureTransport Web Client, unlicensed accounts see a Progress bar when uploading files.
00801975 D-98790 Issue: Previously, SecureTransport was not able to connect to Microsoft services (LDAPS, MSSQL, etc.) when Microsoft Security Update KB 3042058 was installed.
Resolution: Now, SecureTransport is able to connect to Microsoft services with Microsoft Security Update KB 3042058 installed.
00804365 D-100470 Issue: Previously, attempts to form a secure FTP CIT connection to a remote server would fail due to network disconnects.
Resolution: Now, secure FTP CIT connections to remote servers can be formed.
00803538 D-101709 Issue: Previously, SecureTransport intermittently could not delete the sandbox folders after successfully executing a route step. As a result, there were leftover files and folders on the filesystem.
Resolution: Now, the sandbox folders are always deleted after successfully executing a route step.
(none) D-102130 Issue: Previously, the Cancel and Resubmit functionalities in SecureTransport File Tracking were not available for Advanced Routing.
Resolution: Now, the Cancel and Resubmit functionalities are available for Advanced Routing.
00820013 D-102287 Issue: Previously, there was a typographical error on the SecureTransport Administration Tool Cluster Management > Edit Email Notification.
Resolution: Now, the typographical error is corrected.
D-102286 Issue: Previously, when key exchange method negotiation settled on either diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256, the SecureTransport SSH server always replied with 1024 in the key size negotiation stage, no matter what boundaries the client requested.
Resolution: Now, the SecureTransport SSH server replies with the correct response.
(none) D-102753 Issue: Previously, the encryption of an archive file was successful with an invalid or expired certificate.
Resolution: Now, it is documented that when changing the encryption certificate, the Transaction Manager should be restarted in order for the changes to be applied.
(none) D-103028 Issue: Previously, the protocol stack on an IBM AIX could not be set up, which led to the inability to initialize ClusterListener.
Resolution: Now, the workaround is documented in the SecureTransport Installation Guide.
(none) D-103084 Issue: Previously, SecureTransport administrator accounts could not be created with names consisting of only numbers (for example, 000 or 111).
Resolution: Now, SecureTransport administrator accounts can be created with names consisting of only numbers.
00824000 D-103123 Issue: Previously, a procedure for SecureTransport Oracle RAC node failover and load balancing was not documented.
Resolution: Now, the SecureTransport Administrator's Guide has been updated to include an Oracle RAC node failover and load balancing procedure.
00825570 D-103406 Issue: Previously, an incoming error was thrown for transfers from Tectia that were blocked by an Incoming Start.
Resolution: Now, the transfers occur without errors.
(none) D-103558 Issue: Previously, the Advanced Routing Decompress step failed when there was more than one text file in the .zip or .tar file.
Resolution: Now, the Decompress step successfully decompresses .zip or .tar files that include more than one text file.
(none) D-103597 Issue: Previously, it was documented in the SecureTransport Administrator's Guide that a maximum of four servers (nodes) can be deployed in an active/active Standard Cluster.
Resolution: Now, it is documented that a maximum of three servers (nodes) can be deployed in an active/active Standard Cluster.
00828918 D-103950 Issue: Previously, when XML was copied into a REST API account creation/update statement, the values of some of the XML settings were ignored.
Resolution: Now, the values of all of the settings are passed into the REST API account creation/update statement.
00828515 D-103998 Issue: Previously, using SecureTransport Web Access Plus, the Cancel option to cancel the Discard did not work when composing a message.
Resolution: Now, when using the new SecureTransport Web Client, all compose message options function correctly.
00829890 D-104001 Issue: Previously, a potential SecureTransport password encoding and BASIC authentication security issue was not documented.
Resolution: Now, the guidelines and best practices for avoiding the potential password encoding and BASIC authentication security issue are documented in the SecureTransport Security Guide.
D-104107 Issue: Previously, the small prime number used by Key Exchange (KEX) algorithms (less than 1024) was vulnerable.
Resolution: Now, SecureTransport has the default prime number of 2048 to eliminate the KEX vulnerability.
00820126 D-104222 Issue: Previously, the SecureTransport Installation Guide stated that the gcc-3.4.6-sol10-sparc-local package must be installed on the Solaris Operating System in order to install SecureTransport.
Resolution: Now, the incorrect statement has been removed from the SecureTransport Installation Guide.
00831511 D-104611 Issue: Previously, when using SecureTransport Web Access Plus, there was a color contrast issue between background and foreground colors.
Resolution: Now, when using the new SecureTransport Web Client, there is no longer a color contrast issue.
00833870 D-104758 Issue: Previously, the SecureTransport Installation Guide - Prerequisites chapter contained prerequisites version and byte size information that could be misinterpreted.
Resolution: Now, the version and byte size information in the SecureTransport Installation Guide - Prerequisites chapter has been clarified and should not be misinterpreted.
00834145 D-104944 Issue: Previously, the number of Streaming connections between a single protocol daemon and the Transaction Manager was calculated using the following formula: 2 * number of CPUs on the machine, which led to a high number of Streaming connections on machines with many CPUs.
Resolution: Now, the number of Streaming connections per single protocol daemon is calculated using the following formula: minimum of 20 and 2 * number of CPUs on the machine. This way, the number of Streaming connections is at most 20 by default. The number of Streaming connections per protocol daemon can also be configured manually by placing a Java system property named Streaming.numberOfConnections inside the start_tm_console script.
00836817 D-105441 Issue: Previously, the SecureTransport Web Access Plus change password functionality was vulnerable to brute-force attacks.
Resolution: Now, when using the new SecureTransport Web Client, the change password functionality is not vulnerable to brute-force attacks.
00837968 D-105621 Issue: Previously, it was possible to initiate a denial of service (DoS) attack on SecureTransport using password reset emails.
Resolution: Now, the number of allowed password reset emails can be configured and the DoS attack vulnerability using password reset emails is resolved.
00837980 D-105699 Issue: Previously, when a licensed user shared a folder with an unlicensed user, if the unlicensed user was deleted and purged by the SecureTransport administrator using REST API, the share link was not deleted.
Resolution: Now, the shared link is also deleted when an unlicensed user assigned a shared folder is deleted and purged by the SecureTransport administrator using REST API.
00837970 D-105710 Issue: Previously, users could generate multiple password reset emails using SecureTransport Web Access Plus, and any one of them could be used to send the new password to the user.
Resolution: Now, the number of accepted password reset emails can be limited.
00837969 D-105712 Issue: Previously, the password reset links in the Password reset confirmation for email notification could always be used to generate a new password, even though the notification said "This link will expire in 24 hours." Any of the received password reset links could be used to send the user a new password even after the stated validity period of 24 hours.
Resolution: Now, the link in the Password reset confirmation for email notification expires in 24 hours.
(none) D-105834 Issue: Previously, when running the migration script on an upgraded SecureTransport without dropping the old tables (TransferStatus, TransferData_old, and SubtransmissionStatus_old) and the temporary table MigrationProgress, the migration from Microsoft MySQL Server to Oracle failed with errors displayed in the migration log.
Resolution: Now, it is documented in the SecureTransport Installation Guide that the file tracking migration process must be completed (and old tables dropped) prior to migrating to a newer SecureTransport version.
(none) D-106945 Issue: Previously, there was an inconsistency between Administration Tool and REST API when a Business Unit was created by a delegated administrator.
Resolution: Now, a delegated administrator can create a Business Unit without setting a parent Business Unit. If a Business Unit created by a delegated administrator is edited and the parent Business Unit is set to none, the other delegated administrators assigned to the parent Business Unit will be unlinked from the edited Business Unit. The present behavior is consistent in the Administration Tool and REST API.
D-106976 Issue: Previously, the streaming connection number formula was not configurable and depended on the CPU core number.
Resolution: Now, the DStreaming.numberOfConnections system property is configurable and is referenced when account connections are established.
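
As an added illustration of the behavior behind D-102286 and D-104107 (not Axway code): the sketch below parses a diffie-hellman-group-exchange request as defined in RFC 4419 and picks a modulus size that honors the client's bounds and a server floor, next to the legacy always-1024 reply. The available group sizes, the bounds used for the old single-value request, and all function names are assumptions; the 2048-bit floor is the default stated in D-104107.

```python
import struct

# Message numbers defined in RFC 4419 (SSH DH group exchange).
SSH_MSG_KEX_DH_GEX_REQUEST_OLD = 30  # payload: uint32 n
SSH_MSG_KEX_DH_GEX_REQUEST = 34      # payload: uint32 min, uint32 n, uint32 max

# Assumption: modulus sizes (bits) for which this hypothetical server holds groups.
AVAILABLE_GROUP_BITS = (1024, 2048, 3072, 4096, 8192)
# Server floor: the 2048-bit default described in D-104107.
SERVER_MIN_BITS = 2048
# Assumption: bounds applied to the old single-value request, which carries none.
OLD_REQUEST_MIN, OLD_REQUEST_MAX = 1024, 8192


class GexError(ValueError):
    """Raised when a request is malformed or no acceptable group exists."""


def parse_gex_request(payload: bytes):
    """Return (min, preferred, max) in bits; payload starts with the message byte."""
    if not payload:
        raise GexError("empty payload")
    msg, body = payload[0], payload[1:]
    if msg == SSH_MSG_KEX_DH_GEX_REQUEST and len(body) == 12:
        lo, n, hi = struct.unpack(">III", body)
    elif msg == SSH_MSG_KEX_DH_GEX_REQUEST_OLD and len(body) == 4:
        (n,) = struct.unpack(">I", body)
        lo, hi = OLD_REQUEST_MIN, OLD_REQUEST_MAX
    else:
        raise GexError("not a well-formed group-exchange request")
    if not lo <= n <= hi:
        raise GexError("client bounds are inconsistent: min <= n <= max must hold")
    return lo, n, hi


def select_group_bits(lo, n, hi, available=AVAILABLE_GROUP_BITS, floor=SERVER_MIN_BITS):
    """Pick the modulus size to offer, or raise GexError if none is acceptable."""
    # A group must sit inside the client's range and at or above the server floor.
    candidates = sorted(b for b in available if max(lo, floor) <= b <= hi)
    if not candidates:
        # Fail the key exchange instead of falling back to a weaker group.
        raise GexError("no group satisfies both client bounds and server floor")
    # RFC 4419 rule: smallest known group not below the preferred size,
    # otherwise the largest group the server knows within the bounds.
    for bits in candidates:
        if bits >= n:
            return bits
    return candidates[-1]


def legacy_reply_bits(lo, n, hi):
    """Behavior described in D-102286: the reply ignores the requested bounds."""
    return 1024


def negotiate(payload: bytes):
    """Return the selected modulus size in bits, or None if the request is refused."""
    try:
        return select_group_bits(*parse_gex_request(payload))
    except GexError:
        return None


def compare(payload: bytes):
    """Contrast the legacy reply with the bounds-aware selection for one request."""
    lo, n, hi = parse_gex_request(payload)
    legacy = legacy_reply_bits(lo, n, hi)
    return {
        "requested": (lo, n, hi),
        "legacy": legacy,
        "legacy_in_bounds": lo <= legacy <= hi,
        "selected": negotiate(payload),
    }


# Constructed sample requests (not captured traffic).
CONSTRUCTED_REQUESTS = [
    struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, 2048, 3072, 8192),
    struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, 1024, 1024, 1024),
    struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, 2048, 7000, 7680),
    struct.pack(">BI", SSH_MSG_KEX_DH_GEX_REQUEST_OLD, 1024),
]

if __name__ == "__main__":
    for request in CONSTRUCTED_REQUESTS:
        print(compare(request))
```

A client that only accepts 1024-bit groups is refused here (`selected` is `None`), which is the same trade-off the SecureClient known issue (D-106147) describes for older clients.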

Known issues and limitations

Internal ID Case ID Description
148039 D-91319 Pull of a non-existing file over FTP (plain) going through an Edge socks proxy results in an incorrect error being reported: "Connection refused" or "Connection timed out" rather than "No such file or directory".
(none) D-94999 When creating a new file or directory whose name begins with a dot (.ssh or .profile), the file and directory will become inaccessible. Additionally, it is not possible to access or to remove directories or files whose names begin with a dot. However, the directories remain visible in the side-menu until there is refresh and then they become ghost directories or files. They are still present since another directory or file with the same name cannot be created.
00800843 D-97719 When a user who has the JRE_HOME variable defined in their OS environment variables starts the SecureTransport Administration service, JRE_HOME is not revalidated and the Tomcat process is started with the Java executable from JRE_HOME instead of the Java executable inside the SecureTransport installation.
Workaround: Unset the JRE_HOME variable before starting the SecureTransport Administration service.
(none) D-103060 POST_PROC/Archived event for outbound transfers is not reported to Sentinel.
(none) D-106421 Uploading files from a mapped network drive using SecureTransport Web Client and the Microsoft Edge browser results in a 0-bytes successful transfer. The problem is that Microsoft Edge cannot correctly load files from a network location. This is a browser-specific issue, so it is also reproducible with any other SecureTransport HTML template, but it is not reproducible with any other supported browser.
00826131 D-103368 A SecureTransport Enterprise Cluster installation fails if database password contains '$' and other special characters.
(none) D-103631 Due to a Java Critical Patch update, certificates, using MD5 signature algorithm can no longer be used. Details: https://blogs.oracle.com/java-platform-group/entry/strengthening_signatures_part_2
(none) D-103685 Resubmit is failing for failed transfers caused by failover.
(none) D-103717 A warn message is reported in the SecureTransport Server Log for every expired administrator's session caused by an upgrade of Apache Tomcat server to version 7.0.68. In the previous Tomcat version this message was logged by Tomcat classes with level debug, but in the latest version it is changed to level warn and is logged directly to SecureTransport Server Log.
(none) D-105747 As the result of SecureTransport 5.3.3 being updated to the latest Java 1.8 version, AS2 transfers over SSL between SecureTransport 5.3.3 and earlier SecureTransport versions fail.
Workaround: As of SecureTransport 5.2.1 SP7, regenerate the trusted CAs (and also the other certificates in the chain) using SHA256withRSA.
(none) D-106147 SecureClient 6.1.0 SP5 and earlier versions can not connect to SecureTransport.
Workaround: For older versions of SecureClient (6.1.0 SP5 and earlier) to be able to complete the SSH handshake with SecureTransport, at least one of the following Server Configuration options must be set to true on SecureTransport: Ssh.SupportGroup1SHA1, Ssh.SupportGroupExchangeSHA1, or Ssh.SupportGroupExchangeSHA256. Also, FIPS mode should not be turned ON, because it ignores the Ssh.SupportGroup1SHA1, Ssh.SupportGroupExchangeSHA1, and Ssh.SupportGroupExchangeSHA256 Server Configuration options.

Documentation

This section describes related documentation.

Go to Axway Support at https://support.axway.com to find all documentation for this product version.

SecureTransport provides the following documentation:

  • SecureTransport Administrator's Guide - This guide describes how to use the SecureTransport Administrator's Tool to configure and administer your SecureTransport Server. The content of this guide is also available in the Administration Tool online help.
  • SecureTransport Capacity Planning Guide – This guide provides information useful when planning your production environment for SecureTransport.
  • SecureTransport Developer's Guide - This guide provides the descriptions and usage of the plug-able information for the SecureTransport Pluggable Transfer Site and how to implement a Pluggable Transfer Site.
  • SecureTransport Getting Started Guide - This guide explains the initial setup and configuration of SecureTransport using the SecureTransport Administrator setup interface.
  • SecureTransport Installation Guide - This guide explains how to install, upgrade, and uninstall SecureTransport Server on UNIX-based platforms, Microsoft Windows, and Axway Appliances.
  • SecureTransport Release Notes - This document contains information about new features and enhancements, late-breaking information that could not be included in one of the other documents, and a list of known and fixed issues.
  • SecureTransport REST API online reference – The SecureTransport server hosts an HTML-based API reference developers can use while developing integrations for SecureTransport.
  • SecureTransport Security Guide - This guide provides security information necessary for the secure operation of the SecureTransport product.
  • SecureTransport Web Client Configuration Guide – This guide describes how to configure and customize the ST Web Client user interface.
  • SecureTransport Web Client User Guide - This guide describes how to use the ST Web Client.
  • Axway Appliance Quick Start Guide - This document provides instructions for unpacking, mounting, connecting, and powering up an appliance, provides instructions for installing and deploying an Axway Appliance, plus technical specifications and references to safety, regulatory, and recycling information.
  • Axway Integrator and SecureTransport Interoperability Guide - This guide describes the interface between Axway Integrator and Axway SecureTransport and how to configure those products to interoperate.
  • Axway Outlook Add-in Installation Guide - This guide provides instructions for installing and deploying the Axway Microsoft Outlook add-in.
  • Axway Outlook Add-in Release Notes – This document contains information about installation and upgrade packages, new features, and a list of known limitations.

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.

Copyright © 2015 Axway. All rights reserved

 
