SecureTransport 5.3.6 Release Notes

This document applies to Axway SecureTransport Server 5.3.6, to Axway SecureTransport Edge 5.3.6, and to Axway ST Web Client 5.3.6 for all supported platforms, databases, and cluster types.

The information in this document supersedes any corresponding information in the documentation (online or printed) previously supplied for the product.

About this release

File packages:

  • SecureTransport_5.3.6_Install_ap-x86-64_BN436.iso
    MD5 checksum: 7c4f3ed2e223ee5938acc983f30d5af1
    Size: 3.02 GB
  • SecureTransport_5.3.6_Install_aix-power-64_BN436.zip
    MD5 checksum: 6a7d7f11aca75cdecd6d6cf6c2e48f04
    Size: 593.39 MB
  • SecureTransport_5.3.6_Install_linux-x86-64_BN436.zip
    MD5 checksum: f6acff0ee2856cebe3c91b1c9779a87e
    Size: 697.72 MB
  • SecureTransport_5.3.6_Install_sun-sparc-64_BN436.zip
    MD5 checksum: c006a52de45c63725adca31c672fc272
    Size: 1.48 GB
  • SecureTransport_5.3.6_Install_win-x86-64_BN436.zip
    MD5 checksum: de7f95e49bcc735f69544ccd77adc1a5
    Size: 786.13 MB
  • SecureTransport_5.3.6_UP1-from-5.3.3-5.3.5_aix-power-64_BN436.jar
    MD5 checksum: df0c8f52a2e5224fe3d49e45173bf258
    Size: 362.11 MB
  • SecureTransport_5.3.6_UP1-from-5.3.3-5.3.5_linux-x86-64_BN436.jar
    MD5 checksum: e9a06a57e82b3308945860920fda1dd4
    Size: 565.16 MB
  • SecureTransport_5.3.6_UP1-from-5.3.3-5.3.5_sun-sparc-64_BN436.jar
    MD5 checksum: b7d5677a1d4bacd27b3485d55d57f722
    Size: 1.3 GB
  • SecureTransport_5.3.6_UP1-from-5.3.3-5.3.5_win-x86-64_BN436.jar
    MD5 checksum: 2468d4f86cbd763dd6a51a42c8e0a3d1
    Size: 657.36 MB

SecureTransport new features and enhancements

Address Book

The new Address Book feature provides built-in and custom Address Book data sources to the SecureTransport server. Through ST Web Client, end users can send messages to, or share folders with, a predefined list (Address Book) of users and groups, addressing recipients directly by the display name defined in the Address Book. Implementing Address Book functionality allows SecureTransport administrators to control users' collaboration with external (non-Address Book) users.

AdHoc notification enhancement

AdHoc email notifications can now be globally disabled or enabled for AdHoc package deliveries and account enrollment.

Administration Tool user interface enhancements

The Administration Tool login, header, and navigation user interfaces have been enhanced to align with the Axway Amplify platform user interface specifications.

Advanced Routing enhancements

The following Advanced Routing enhancements have been introduced in SecureTransport 5.3.6.

Advanced Routing triggering on all file events

In previous releases, Advanced Routing was triggered only upon the successful upload or pull of a file inside the subscription folder. All other cases (failed pull, temporary failure, and so forth) were only handled through basic post transmission actions. This greatly limited the flexibility of Advanced Routing and made it impossible to set up simple use case scenarios.

Now, Advanced Routing can be used as a post transmission action for all the basic file transfer events that occur within a subscription folder. Advanced Routing can now be triggered for the following events:

  • Successful client upload
  • Failed client upload
  • Successful client download
  • Failed client download
  • Successful server pull
  • Temporary failure of a server pull
  • Failed server pull - Also applies to failed wildcard and individual file pulls

Configurable Advanced Routing sandbox

Advanced Routing securely processes received files, which are assumed to be untrusted, in isolation in a sandbox. Previously, this required copying files during each processing step. In a clustered environment, each file copy resulted in a file being streamed from the shared storage device to a SecureTransport node and then streamed back to the storage device. Now, with the new AdvancedRouting.sandboxFolderLocation server configuration option enabled, a sandbox folder is created locally on each processing node. This reduces the network file copies to one at the beginning of the route and one at the end.

Improved Advanced Routing email notifications

The SecureTransport email templates now support additional user variables and flow attributes for Advanced Routing email notifications.

Audit log enhancements

The Audit log has been enhanced to use standard log4j libraries in order to be consistent with the Server log and to ease the configuration of logging audit messages into a database or a flat file.

Authentication

The Administration Tool LDAP menu has been renamed to Authentication and all SecureTransport authentication and login methods have been consolidated to the new Login Settings page in the Authentication menu. The new Login Settings page includes end-user and administrator login options.

The end-user login options include:

  • SSO - Required/Disabled (Default)
  • Certificate - Enabled/Disabled (Default) - When enabled, client certificate settings for HTTPS, FTPS, SSH, PeSIT protocols are displayed.
  • LDAP - Required/Optional/Disabled (Default)
  • SiteMinder - Optional/Disabled (Default)

The administrator login options include:

  • SSO - Required/Disabled (Default)
  • Certificate - Enabled/Disabled (Default) - When enabled, administrator certificate settings options are displayed.

Certificate and authentication methods have been removed from the following Administration Tool pages and moved to the new Login Settings page.

  • Access > Secure Socket Layer - Client certificate authentication settings
  • Setup > SiteMinder Settings - Enable SiteMinder settings
  • Setup > Admin Settings - Certificate settings
  • LDAP > LDAP Domains - LDAP authentication option

Additionally, the SiteMinder Settings page has been moved from the Setup menu to the Authentication menu.

A new account templates option allows users to be enrolled in SecureTransport without generating and sending internal passwords to the users. This option defines whether users, enrolled using the template, use the local or an external password store.

Migrate Certificate Management from IAIK to Bouncy Castle

The migration of certificate management from IAIK to Bouncy Castle re-implements the following:

  • Generation of CSR and CA certificates
  • Generation of local certificates
  • Import of SSH keys
  • Import and export of PKCS12 files
  • Import and export of CSR certificates
  • Certificate authentication for Admin and End User interfaces

Publish Swagger in API manager

The SecureTransport Swagger REST API can be integrated and published into API Manager. Once the Swagger REST API is integrated and published into API Manager, the Frontend API and its Swagger definition from API Manager can be used to acquire a Java Client on API Gateway.

Security enhancement

HSTS and HTTPOnly headers added to issued cookies

The HTTP Strict Transport Security (HSTS) and HTTPOnly headers are added to issued cookies for the administrator and end-users HTTP listeners. Adding the HSTS header to redirect HTTP connections to HTTPS is configurable on the Administration Tool Server Control page.

Security-Enhanced Linux (SELinux) support

SecureTransport is compatible with, and able to operate on, systems where Security-Enhanced Linux is enabled.

Sentinel reporting enhancements

SecureTransport includes the following Axway Sentinel reporting enhancements.

New attributes

The following attributes have been added to each state:

  • CoreId - The preserved file identifier.
  • EventTimeStamp - The timestamp of the current event reported with every state.

SecureTransport SSH daemon server configuration options

The new SecureTransport SSH daemon server configuration options are:

  • Ssh.KeyExchangeAlgorithms - Controls the list of supported Key Exchange Algorithms by the SecureTransport SSH daemon. Its value must be an ordered list of comma separated Key Exchange Algorithm names. The preferred Key Exchange Algorithm must be listed first. The default value is: diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256
  • Ssh.PublicKeys - Controls the SSH public keys that the SecureTransport SSH daemon supports for client authentication. Its value must be an ordered list of comma separated Public Key names. The default value is: ssh-rsa, ssh-dss, x509v3-sign-rsa, x509v3-sign-rsa-sha1

Note: In FIPS mode, both of the new options are ignored by the SecureTransport SSH daemon and the predefined FIPS compliant configuration settings are used.

The following server configuration options are removed:

  • Ssh.SupportGroup14SHA1
  • Ssh.SupportGroup1SHA1
  • Ssh.SupportGroupExchangeSHA1
  • Ssh.SupportGroupExchangeSHA256

On upgrade from SecureTransport 5.3.3 to SecureTransport 5.3.6, the Ssh.KeyExchangeAlgorithms value is determined according to the values of the options above.

For example before upgrade:

  • Ssh.SupportGroup14SHA1 = true
  • Ssh.SupportGroup1SHA1 = false
  • Ssh.SupportGroupExchangeSHA1 = false
  • Ssh.SupportGroupExchangeSHA256 = true

For example after upgrade:

  • Ssh.KeyExchangeAlgorithms = diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha256

On legacy import, the Ssh.KeyExchangeAlgorithms value is determined according to the values of the options above that are contained in the configuration archive. If there are new Key Exchange algorithms, they are appended to the existing Ssh.KeyExchangeAlgorithms value.

For example before import:

  • Ssh.KeyExchangeAlgorithms = diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha256

From the imported archive:

  • Ssh.SupportGroup14SHA1 = false
  • Ssh.SupportGroup1SHA1 = false
  • Ssh.SupportGroupExchangeSHA1 = true
  • Ssh.SupportGroupExchangeSHA256 = true

For example after import:

  • Ssh.KeyExchangeAlgorithms = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1

SecureTransport Transaction Manager server configuration options

The new SecureTransport Transaction Manager server configuration options are:

  • Ssh.SIT.KeyExchangeAlgorithms - Controls the list of the supported Key Exchange Algorithms used by Transaction Manager during SSH Server Initiated transfers. Its value must be an ordered list of comma separated Key Exchange Algorithm names. The preferred Key Exchange Algorithm must be listed first. The default value is: diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256
  • Ssh.SIT.PublicKeys - Controls the list of the supported SSH public keys used for client authentication during server initiated transfers. Its value must be an ordered list of comma separated Public Key names. The preferred Public Key must be listed first. The default value is: ssh-rsa, ssh-dss, x509v3-sign-rsa, x509v3-sign-rsa-sha1
  • Ssh.SIT.AllowedMacs - Controls the list of the supported MAC algorithms used for server initiated transfers. Its value must be an ordered list of comma separated MAC algorithm names. The preferred MAC algorithm must be listed first. The default value is: hmac-sha1, hmac-md5, hmac-sha1-96, hmac-md5-96, hmac-sha256, hmac-sha256@ssh.com

Note: In the FIPS mode, the three new options are ignored and the predefined FIPS compliant configuration settings are used.

The following server configuration options are removed:

  • Ssh.SIT.SupportGroup14SHA1
  • Ssh.SIT.SupportGroup1SHA1
  • Ssh.SIT.SupportGroupExchangeSHA1
  • Ssh.SIT.SupportGroupExchangeSHA256

On upgrade from SecureTransport 5.3.3 to SecureTransport 5.3.6, the Ssh.SIT.KeyExchangeAlgorithms value is determined according to the values of the options above.

For example before upgrade:

  • Ssh.SIT.SupportGroup14SHA1 = true
  • Ssh.SIT.SupportGroup1SHA1 = false
  • Ssh.SIT.SupportGroupExchangeSHA1 = false
  • Ssh.SIT.SupportGroupExchangeSHA256 = true

For example after upgrade:

  • Ssh.SIT.KeyExchangeAlgorithms = diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha256

On legacy import, the Ssh.SIT.KeyExchangeAlgorithms value is determined according to the values of the options above that are contained in the configuration archive. If there are new Key Exchange algorithms, they are appended to the existing Ssh.SIT.KeyExchangeAlgorithms value.

For example before import:

  • Ssh.SIT.KeyExchangeAlgorithms = diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha256

From the imported archive:

  • Ssh.SIT.SupportGroup14SHA1 = false
  • Ssh.SIT.SupportGroup1SHA1 = false
  • Ssh.SIT.SupportGroupExchangeSHA1 = true
  • Ssh.SIT.SupportGroupExchangeSHA256 = true

For example after import:

  • Ssh.SIT.KeyExchangeAlgorithms = diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1
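
The upgrade and legacy-import examples given above for both the SSH daemon (Ssh.) and Transaction Manager (Ssh.SIT.) options, worked through in Python as an added example that is not Axway's code. The merge rule (keep existing entries the archive still enables, then append newly enabled ones) is inferred from the worked examples, and the flag iteration order, function names and sample inputs are assumptions; the audit flags the two methods these notes call vulnerable to Logjam.

```python
import re

# Legacy boolean option suffix -> algorithm name, as paired in these notes.
# Assumption: flags are visited in the order the notes list the removed options.
LEGACY_FLAGS = [
    ("SupportGroup14SHA1", "diffie-hellman-group14-sha1"),
    ("SupportGroup1SHA1", "diffie-hellman-group1-sha1"),
    ("SupportGroupExchangeSHA1", "diffie-hellman-group-exchange-sha1"),
    ("SupportGroupExchangeSHA256", "diffie-hellman-group-exchange-sha256"),
]

# Methods the notes describe as considered vulnerable to Logjam (CVE-2015-4000).
LOGJAM_FLAGGED = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
}


def parse_options(text):
    """Parse 'Name = value' lines (optionally bulleted) into a dict."""
    options = {}
    for line in text.splitlines():
        match = re.match(r"^[\s•*-]*([A-Za-z][\w.]*)\s*=\s*(.*?)\s*$", line)
        if match:
            options[match.group(1)] = match.group(2)
    return options


def split_list(value):
    """Split a comma separated option value, preserving order, dropping repeats."""
    seen, ordered = set(), []
    for item in value.split(","):
        name = item.strip()
        if name and name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


def enabled_from_flags(options, prefix):
    """Algorithms whose legacy flag is 'true' under the given option prefix."""
    return [
        algorithm
        for suffix, algorithm in LEGACY_FLAGS
        if options.get(prefix + suffix, "false").strip().lower() == "true"
    ]


def upgrade_value(options, prefix="Ssh."):
    """KeyExchangeAlgorithms value derived from legacy flags on upgrade."""
    return ", ".join(enabled_from_flags(options, prefix))


def import_value(existing, archive_options, prefix="Ssh."):
    """Merge on legacy import (rule inferred from the notes' example):
    existing entries stay, in order, if the archive enables them;
    algorithms enabled only in the archive are appended."""
    current = split_list(existing)
    enabled = enabled_from_flags(archive_options, prefix)
    kept = [a for a in current if a in enabled]
    added = [a for a in enabled if a not in current]
    return ", ".join(kept + added)


def audit(value, fips_mode=False):
    """List Logjam-flagged methods in a KeyExchangeAlgorithms value."""
    if fips_mode:
        # Per the notes, the option is ignored when FIPS mode is on.
        return ["ignored: FIPS mode uses the predefined FIPS compliant settings"]
    findings = []
    for position, algorithm in enumerate(split_list(value), start=1):
        if algorithm in LOGJAM_FLAGGED:
            role = "preferred" if position == 1 else f"position {position}"
            findings.append(f"{algorithm} ({role}): Logjam, CVE-2015-4000")
    return findings


# Constructed inputs mirroring the examples in these notes.
BEFORE_UPGRADE = """\
  • Ssh.SupportGroup14SHA1 = true
  • Ssh.SupportGroup1SHA1 = false
  • Ssh.SupportGroupExchangeSHA1 = false
  • Ssh.SupportGroupExchangeSHA256 = true
"""
IMPORTED_ARCHIVE = """\
  • Ssh.SIT.SupportGroup14SHA1 = false
  • Ssh.SIT.SupportGroup1SHA1 = false
  • Ssh.SIT.SupportGroupExchangeSHA1 = true
  • Ssh.SIT.SupportGroupExchangeSHA256 = true
"""
DEFAULT_KEX = ("diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, "
               "diffie-hellman-group-exchange-sha256")

if __name__ == "__main__":
    upgraded = upgrade_value(parse_options(BEFORE_UPGRADE))
    merged = import_value(upgraded, parse_options(IMPORTED_ARCHIVE), "Ssh.SIT.")
    for label, value in (("upgrade", upgraded), ("import", merged),
                         ("default", DEFAULT_KEX)):
        print(f"{label}: {value}")
        for finding in audit(value):
            print(f"  review: {finding}")
```

Run against an exported option list after an upgrade or legacy import to see whether a flagged method was carried over or appended.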

Single sign-on and single logout

Single sign-on (SSO) is a session/user authentication process that authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. Essentially, it removes the need for your users to log into multiple applications in a particular browser session. Once they log into one system, it exchanges authentication data with another service you have SSO set up with and automatically logs the user in.

The single logout (SLO) profile enables a user to log out of all participating applications in a created session nearly simultaneously.

SecureTransport implements:

  • Single Sign-On (SSO)
  • Single Logout (SLO)

Supported protocols:

  • SAML 2.0 for Administrators and End-users
  • Kerberos 5 for End-users

Note: SSO authentication is only applicable for the HTTP protocol.

It also supports user attribute mapping and authentication decisions on attribute maps.

Subscription enhancements

The following subscription enhancements have been introduced in SecureTransport 5.3.6.

Parallel transfers

The maximum number of parallel transfers or pulls can now be configured by entering the desired maximum number of parallel transfers in the Maximum number of parallel transfers field. If you enter a value greater than zero, SecureTransport executes only the specified number of transfers in parallel. If the value is null or zero, the maximum number of parallel transfers is limited by system capacity.

Repository encryption

Repository encryption can now be enabled per subscription by selecting the Encrypt mode. Selecting the Encrypt mode allows you to configure repository encryption for accounts at the per-subscription level.

  • Select Default to inherit the encryption mode for the subscription folder from the account or the global settings.
  • Select Enable to encrypt all files uploaded to the subscription folder.
  • Select Disable to upload unencrypted files to the subscription folder.

Retrieve files now

One-time pulls can now be triggered by clicking the Retrieve Files Now button on the Administration Tool Subscription page.

Transfer sites

The list of supported transfer site protocols has been expanded to include the Amazon S3, Generic-HTTP, SharePoint, and SMB protocols.

  • Amazon S3 - Enables pushes to and pulls from a specified Amazon S3 bucket.
  • Generic-HTTP - Enables file exchange via HTTP protocol with third-party partners over an authenticated connection. The supported authentication methods are:
    • Basic - The client provides a user ID or user ID and password when exchanging files.
    • Form-Based – The client will send a request to a remote HTTP server to obtain an authentication cookie.
    • Certificate – A HTTPS client certificate is used for mutual authentication. The client certificate can be used in combination with basic or form-based authentications.
  • SharePoint - Supports pushes and pulls from SecureTransport to the SharePoint 2013 file system. A user name and password are used for SharePoint file system authentication.
  • SMB - Provides access to shared files and directories over the SMB (CIFS) protocol.

Upgrade of third-party libraries:

The following third-party libraries were upgraded:

  • Patch Oracle JDBC driver with patch 23727148 due to security vulnerabilities
  • Upgrade Apache Commons FileUpload to 1.3.2
  • Upgrade Apache Tomcat to 7.0.75
  • Upgrade BouncyCastle to 1.56
  • Upgrade Hibernate to 5.0.2
  • Upgrade IBM JRE to 1.8.0_322
  • Upgrade Maverick Legacy Client to 1.7.1
  • Upgrade Maverick Legacy Server to 1.7.1
  • Upgrade MySQL to 5.6.35 on all Operating Systems except on IBM AIX where the version is 5.0.72
  • Upgrade Oracle JRE to 1.8.0_121
  • Upgrade XStream to 1.4.9

ST Web Client new features and enhancements

Accessibility

ST Web Client is now aligned with the Section 508 and WCAG 2.0 accessibility standards.

Address Book

The Address Book user interface has been added to ST Web Client. It is accessed by clicking the Address Book button from the Share pane or from the Compose pane. The Address Book list of global contacts is automatically populated and end users can search and select contacts from the list. Contacts can also be selected using the auto complete function in the People field while sharing folders and in the To field while composing mail.

Address Book with favorites

ST Web Client users are able to add and remove favorite contacts from the Address Book global list using the Star icon. Users can select from their list of favorite contacts while composing mail and sharing folders.

Branding improvements

ST Web Client administrators can now brand and change the application name on the login and header.

Configurable application date format

ST Web Client administrators can configure the format of the displayed date and time.

Configurable views

ST Web Client administrators can enable and disable the ST Web Client user interface File and Mail views. They can also select one of the views as the default view.

Default language

The ST Web Client default user interface language is now based on the supported browser language.

Design and usability improvements

The ST Web Client user interface design style and icons have been updated in order to improve the overall user experience, to improve accessibility and usability, and to provide a common look and feel across Axway end-user interfaces.

Localization and multiple language support

ST Web Client administrators can configure multiple additional supported languages and localize the ST Web Client user interface. The localization of ST Web Client interface can include modifying a supported language. For example, changing the Welcome greeting to "Hello Mate." ST Web Client users can select their preferred language from the list of configured languages from the Language drop-down menu on the Preferences pane.

Persisted upload history

The Transfer queue upload history is now stored on the SecureTransport server and persisted across browsers. ST Web Client users can switch between browsers and their upload history will be automatically retrieved.

Secret questions

A secret question ensures that you are entitled to reset your password. It also eliminates the security risks of replacing passwords with temporary ones and sending passwords via email.

The Secret question page is displayed if the secret question feature is enabled on your system and your system administrator has required you to change your secret question on login. You can also optionally select and answer a secret question or change your secret question from the Welcome drop-down by selecting Secret Question if the secret question feature is enabled.

Upgrade improvements

Most customizations (feature toggles, localization, branding texts, and view configuration) do not have to be recreated after patching or upgrading SecureTransport.

SecureTransport corrections and fixed issues

Fixed security vulnerabilities

SecureTransport 5.3.6 provides the following fixed security vulnerabilities:

Case ID: 00822315, 00822316, 00822317, 00822318
Internal ID: D-102686, D-102687, D-102688, D-102689
CVE ID: CVE-2016-0706, CVE-2016-0714, CVE-2015-5345, CVE-2015-5174
Issue: Previously, SecureTransport was vulnerable to several CVEs (CVE-2016-0706, CVE-2016-0714, CVE-2015-5345, and CVE-2015-5174).
Resolution: Now, the Apache Tomcat library is upgraded and SecureTransport is no longer vulnerable.

Case ID: 00837856
Internal ID: RDST-412
CVE ID: CVE-2013-7057
Issue: Previously, there was no CSRF protection for the SecureTransport REST API.
Resolution: Now, every POST, PUT or DELETE request must contain a custom header with the CSRF token if the Webservices.Http.CsrfToken.enabled or Webservices.Admin.CsrfToken.enabled server configuration parameter options are set to true.

Case ID: 00863489
Internal ID: RDST-1909, RDST-1910
CVE ID: CVE-2016-0762, CVE-2016-6794
Issue: Previously, SecureTransport was vulnerable to CVE-2016-0762 and CVE-2016-6794.
Resolution: Now, the Apache Tomcat component in SecureTransport is upgraded to a non-vulnerable version. The new version is 7.0.75.

Case ID: 00873451
Internal ID: RDST-3997
CVE ID: CVE-2013-6429, CVE-2013-4152, CVE-2013-7315, CVE-2014-0054, CVE-2014-1904, CVE-2014-3578, CVE-2014-3625
Issue: Previously, SecureTransport was susceptible to multiple Spring Framework vulnerabilities (CVE-2013-6429, CVE-2013-4152, CVE-2013-7315, CVE-2014-0054, CVE-2014-1904, CVE-2014-3578, and CVE-2014-3625).
Resolution: Now, the vulnerable Spring Framework component in SecureTransport is removed.

Other fixed issues

SecureTransport 5.3.6 provides the following corrections and fixed issues:

SecureTransport 5.2.1 SP7

Patch 9

Case ID: 00833888, 00847790
Internal ID: RDST-566
Issue: Previously, some server-initiated pulls would fail with a "No files matching the <remote pattern>..." error message although files matching the pattern existed on the remote site. The issue was observed when the ZeroByteWildcardPullAllowed option was set to true in a Microsoft Windows environment.
Resolution: Now, SecureTransport correctly matches file patterns on server-initiated pulls.

Case ID: 00855388, 00836213
Internal ID: RDST-567, RDST-1579
Issue: Previously, some server-initiated transfers would remain in progress and would be retried when the ZeroByteWildcardPullAllowed option was set to true in a Microsoft Windows environment.
Resolution: Now, SecureTransport handles server-initiated transfers correctly.

Case ID: 00850759
Internal ID: RDST-2128
Issue: Previously, it was not possible to edit an account from a business unit that was subscribed to an application that had other business units assigned.
Resolution: Now, it is possible to edit accounts that are subscribed to applications that have different business units assigned.

Case ID: 00859848
Internal ID: RDST-2709
Issue: Previously, when trying to export logs for a specific interval of time using the SecureTransport RESTful API, the endDate parameter was ignored.
Resolution: Now, all parameters are properly evaluated and the correct log entries are returned.

Patch 8

Case ID: 00852885
Internal ID: RDST-1335
Issue: Previously, SecureTransport did not pull files from the z/OS IBM mainframe operating system over FTP/S.
Resolution: Now, SecureTransport pulls the files successfully.

Patch 7

Case ID: 00849811
Internal ID: RDST-864
Issue: Previously, the SecureTransport FTP server did not limit the number of failed login attempts for an existing user account.
Resolution: Now, the SecureTransport FTP server disconnects the client after the maximum permitted failed login attempts are reached.

Patch 6

Case ID: 00847871
Internal ID: RDST-736
Issue: Previously, the Oracle JDBC driver shipped with SecureTransport used the DES algorithm for password hashing, which is no longer deemed secure.
Resolution: Now, the Oracle JDBC driver shipped with SecureTransport is upgraded to version 11.2.0.4, which allows the usage of more secure algorithms for password hashing.

Patch 5

Case ID: 00845183
Internal ID: RDST-572
Issue: Previously, SecureTransport validated the email address in the password reset functionality case-sensitively.
Resolution: Now, the email is validated case-insensitively when an attempt to recover the password is made through the forgot password link in ST Web Client.

Patch 4

Case ID: 00843180
Internal ID: D-106743
Issue: Previously, the SecureTransport Package Retention Maintenance Application did not clean all metadata sub-directories inside Package Manager Base Folder left from AdHoc transfers.
Resolution: Now, the SecureTransport Package Retention Maintenance Application cleans all metadata sub-directories inside Package Manager Base Folder.

Patch 4

Case ID: 00841308
Internal ID: D-106427
Issue: Previously, SecureTransport Package Retention Maintenance Application would fail in some cases.
Resolution: Now, SecureTransport Package Retention Maintenance Application will not fail in these cases.

Patch 4

Case ID: 00842127
Internal ID: D-106517
Issue: Previously, SecureTransport Package Retention Maintenance Application could fail with a "NoSuchAccountException" and did not purge all links and folders in some cases.
Resolution: Now, SecureTransport Package Retention Maintenance Application will not fail with a "NoSuchAccountException" and will purge all links and folders.

Patch 4

Case ID: 00842130
Internal ID: D-106518
Issue: Previously, SecureTransport Package Retention Maintenance Application did not clean all metadata inside the sender's account mailbox folder and anonymous mailbox folder left from AdHoc transfers.
Resolution: Now, SecureTransport Package Retention Maintenance Application cleans all metadata from the sender's account mailbox folder and anonymous mailbox folder.

Patch 4

Case ID: 00843171
Internal ID: D-106738
Issue: Previously, SecureTransport Package Retention Maintenance Application would not purge expired packages inside the UNCOMMITTED directory in some cases.
Resolution: Now, SecureTransport Package Retention Maintenance Application purges all expired packages inside the UNCOMMITTED directory.

Patch 4

Case ID: 00844368
Internal ID: D-106963
Issue: Previously, SecureTransport was not able to receive AS2 messages signed with the SHA256 signing algorithm.
Resolution: Now, SecureTransport successfully receives AS2 messages signed with the SHA256 and SHA384 signing algorithms.

Patch 3

Case ID: 00819624
Internal ID: D-102286
Issue: Previously, once the negotiated algorithm was established as diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256, the SecureTransport SSH daemon always returned 1024 for the key size during key exchange method negotiation, regardless of the boundaries requested by the client, and the connection was not established.
Resolution: Now, the key size is correctly negotiated and the connection is established successfully.

Patch 3

Case ID: 00833742
Internal ID: D-104731
Issue: Previously, SecureTransport did not allow configuring which of the supported Key Exchange Algorithms are used for SSH transfers.
Resolution: Now, SecureTransport provides the following configuration options for controlling the Key Exchange Algorithms:
For client-initiated transfers:
  • Ssh.SupportGroup1SHA1 - for diffie-hellman-group1-sha1
  • Ssh.SupportGroup14SHA1 - for diffie-hellman-group14-sha1
  • Ssh.SupportGroupExchangeSHA1 - for diffie-hellman-group-exchange-sha1
  • Ssh.SupportGroupExchangeSHA256 - for diffie-hellman-group-exchange-sha256
For server-initiated transfers:
  • Ssh.SIT.SupportGroup1SHA1 - for diffie-hellman-group1-sha1
  • Ssh.SIT.SupportGroup14SHA1 - for diffie-hellman-group14-sha1
  • Ssh.SIT.SupportGroupExchangeSHA1 - for diffie-hellman-group-exchange-sha1
  • Ssh.SIT.SupportGroupExchangeSHA256 - for diffie-hellman-group-exchange-sha256
Note: When FIPS mode is enabled, the configuration has no effect and the promoted algorithms are always diffie-hellman-group1-sha1, diffie-hellman-group14-sha1 and diffie-hellman-group-exchange-sha1.

Patch 2

Case ID: 00830619
Internal ID: D-104231
Issue: Previously, when a user tried to attach multiple files (one at a time) to an AdHoc package in ST Web Client, some of the attachments were uploaded as 0-size files with no name.
Resolution: Now, attachments are uploaded with their actual name and size.

Patch 2

Case ID: 00818735
Internal ID: D-104862
Issue: Previously, SecureTransport rejected the sending of scanned AdHoc packages with the Antivirus Integration Accelerator.
Resolution: Now, scanned packages can be sent.

Patch 2

Case ID: 00833967
Internal ID: D-105170
Issue: Previously, after an upgrade to SecureTransport 5.2.1 Service Pack 7, the monitor server ceased to function properly.
Resolution: Now, the SecureTransport monitor server functions properly.

Patch 2

Case ID: none
Internal ID: D-105177
Issue: Previously, administrators were not able to import DSA certificates.
Resolution: Now, DSA certificates can be imported and exported in SecureTransport.

Patch 2

Case ID: 00836849
Internal ID: D-105472
Issue: Previously, SecureTransport administrators with the administrative role Delegated Administrator were not able to download exported accounts.
Resolution: Now, Delegated Administrators are able to download exported accounts.

Patch 2

Case ID: 00833731
Internal ID: D-105549
Issue: Previously, the SecureTransport SSH daemon did not allow initial key exchange for server-initiated transfers using the diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 methods, which are considered vulnerable to Logjam (CVE-2015-4000).
Resolution: Now, there are server configuration parameters named Ssh.SIT.SupportGroup1SHA1 and Ssh.SIT.SupportGroupExchangeSHA1 that control the usage of the diffie-hellman-group1-sha1 and diffie-hellman-group-exchange-sha1 key exchange methods. For both parameters the default value is false. Changing the value of the parameters requires a restart of the Transaction Manager.

Patch 1

Case ID: 741163
Internal ID: D-74841
Issue: Previously, the algorithm used by SecureTransport for generating the cycle ID for Sentinel reporting allowed duplicate values to be created for different transfers in some cases.
Resolution: Now, the algorithm is enhanced and the possibility of duplicate cycle IDs is significantly reduced.

Patch 1

Case ID: 00828611
Internal ID: D-103770
Issue: Previously, users could not log in via SSH using a DSA private key.
Resolution: Now, users logging in via SSH with a DSA private key are successfully authenticated.

Patch 1

Case ID: 00816546
Internal ID: D-104080
Issue: Previously, SecureTransport sent unencrypted files instead of PGP encrypted files to outbound partners upon resubmitting the transfers when the archive functionality was enabled.
Resolution: Now, SecureTransport sends properly PGP encrypted files to the outbound partners upon resubmission of the transfers when the archive functionality is enabled.

Patch 1

Case ID: 00830685
Internal ID: D-104126
Issue: Previously, when trying to disable the TCP_NODELAY checkbox for an SSH transfer site, it stayed enabled.
Resolution: Now, the issue is resolved and the administrator can disable the option.
SecureTransport 5.2.1 SP8
none
00843977
RDST-401
RDST-583
Issue: Previously, the CSRF token was passed in the URL, which was not secure.
Resolution: Now, the CSRF token is either passed in the request body or in the request header, but never in the URL.
none RDST-410 Issue: Previously, when the current SecureTransport Edge was whitelisted, Transaction Manager did not check if the SecureTransport Edge was up.
Resolution: Now, when the current SecureTransport Edge is whitelisted, Transaction Manager checks if the SecureTransport Edge is up, if not Transaction Manager sets it back to blacklisted.
00837856 RDST-412 Issue: Previously, there was no CSRF protection for the SecureTransport REST API.
Resolution: Now, every POST, PUT or DELETE request must contain a custom header with the CSRF token if the Webservices.Http.CsrfToken.enabled or Webservices.Admin.CsrfToken.enabled server configuration parameter options are set to true.
00800226 RDST-432 Issue: Previously, SecureTransport extensively used GET request to execute HTTP transfer site server-initiated transfers.
Resolution: Now, there a new HTTP transfer site Request Mode option that can turn off the usage of GET requests for server-initiated transfers so only POST requests are used.
00821053 RDST-457 Issue: Previously, the SecureTransport server log entry would be unavailable when trying to log an exception with a line 2048 characters or longer.
Resolution: Now, when the line character limit is reached, an error message is logged into the server log and the stack trace is written in the fallback log file.
00820566 RDST-494 Issue: Previously, the Base Folder field on the Business Unit Settings page was limited to 80 characters.
Resolution: Now, the character limit for the Base Folder field is enlarged to 250 characters.
00832443 RDST-512 Issue: Previously, there was a session leak in the SecureTransport FTP component when a login attempt was performed using a non-existent user.
Resolution: Now, the session leak is fixed and no sessions are left open when performing login attempts with a non-existent user.
00822859 RDST-531 Issue: Previously, the server-initiated transfer retries continued to maxRetryCount + 1.
Resolution: Now, the server-initiated transfer retries continue to the maxRetryCount.
00848502 RDST-532 Issue: Previously, when upgrading a SecureTransport instance, the installation log contained the database password in plain text.
Resolution: Now, the database password is not written in the installation log on upgrade.
00829677 RDST-534 Issue: Previously, it was possible to render the SecureTransport Administration Tool help in a frame even if the frame and the parent had different origins. The result was a possible XSS if a help site was used.
Resolution: Now, the SecureTransport Administration Tool help is rendered in a frame only if both the frame and the parent have the same origin.
00837200
00839079
RDST-580
RDST-581
Issue: Previously, the SecureTransport Administration Tool SSO did not behave properly and would log out the administrator.
Resolution: Now, Tomcat is upgraded from 7.0.68 to 7.0.75 and the SSO log out problem is resolved.
00843559 RDST-585 Issue: Previously, the CSRF token was passed in the URL of all GET requests.
Resolution: Now, the CSRF token is either passed in the custom header or it is not passed in GET requests.
00842589 RDST-587 Issue: Previously, it was possible to use GET requests to login or change the password of users.
Resolution: Now, only POST requests can be used to login or change the password of users.
00842118 RDST-589 Issue: Previously, it was possible to launch cross-site scripting attacks using a file name and the Axway Jelly Ball 9 and Axway Box and Stripe in Blue skins.
Resolution: Now, file names in the Axway Jelly Ball 9 and Axway Box and Stripe in Blue skins are escaped properly and launching cross-site scripting attacks is no longer possible.
00852915
00861685
RDST-1150
RDST-3381
Issue: Previously, indexes were left in an unusable state after the execution of the Log Entry Maintenance application or Transfer Log Maintenance application on SecureTransport using an Oracle database.
Resolution: Now, all indexes are updated and left in a usable state on every execution of the Log Entry Maintenance application or Transfer Log Maintenance application.
SecureTransport 5.3.1 Patch 12
00858866 RDST-1539 Issue: Previously, administrators could not import public SSH keys which were in SSH2 format.
Resolution: Now, administrators are able to import public SSH keys which are in SSH2 format.
00863489 RDST-1909
RDST-1910
Issue: Previously, SecureTransport was vulnerable to CVE-2016-0762 and CVE-2016-6794.
Resolution: Now, the Apache Tomcat component in SecureTransport is upgraded to a non-vulnerable version. The new version is 7.0.75.
00863684 RDST-1912 Issue: Previously, the Archive Maintenance application did not remove the archive metadata files stored in the .stfs directory.
Resolution: Now, the Archive Maintenance application properly removes the archive metadata files stored in the .stfs directory.
Patch 11
00835840
RDST-514 Issue: Previously, in some cases files were not delivered to the partner site when a PGP Decryption step was used in conjunction with a Send To Partner step.
Resolution: Now, files are correctly delivered in these cases.
Patch 11
00837236
RDST-515 Issue: Previously, SecureTransport did not correctly show the date in the schedule page and calendar popup window when the server and browser timezones differed.
Resolution: Now, the date is shown according to the server timezone.
Patch 11
00842286
RDST-546 Issue: Previously, the Advanced Routing Decompress step failed when processing archives containing a zero byte file as the first file.
Resolution: Now, the Decompress step correctly processes such archives.
Patch 11
00839015
RDST-575 Issue: Previously, Advanced Router reported subtransmission failures when the Users.LoginNames.virtualUserCaseSensitive configuration parameter was set to false and a user logged in using the wrong letter case.
Resolution: Now, there are no failures in this case.
Patch 11
00849811
RDST-871 Issue: Previously, SecureTransport FTP server did not limit the number of failed login attempts for an existing user account.
Resolution: Now, SecureTransport FTP server disconnects the client after the maximum permitted failed login attempts are reached.
Patch 10
00836711
D-105580 Issue: Previously, in some cases transfers of large files over FTP were failing because the FTP control channel was timing out.
Resolution: Now, the SecureTransport FTP server handles NOOP commands asynchronously and the FTP control channel does not time out during large file transfers.
Patch 10
00841362
D-106447 Issue: Previously, when a user account with disabled repository encryption downloaded encrypted files, the downloaded content was automatically decrypted.
Resolution: Now, the files will not be automatically decrypted in this case.
Patch 9
00819624
D-102286 Issue: Previously, the SecureTransport SSH daemon always returned a key size of 1024 during key exchange negotiation once diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256 had been negotiated, regardless of the boundaries requested by the client, and the connection was not established.
Resolution: Now, the key size is correctly negotiated and the connection is established successfully.
Patch 9
00841858
D-106524 Issue: Previously, files uploaded over SFTP with the SSH_FXF_EXCL option set were not repository encrypted.
Resolution: Now, files uploaded with the SSH_FXF_EXCL option set are repository encrypted.
Patch 9
none
D-106970 Issue: Previously, the TransactionManager.concurrentFileIOMax server configuration option was not honored when persisting stfs attributes.
Resolution: Now, the TransactionManager.concurrentFileIOMax server configuration option is taken into account when persisting stfs attributes.
Patch 8
00833742
D-104731 Issue: Previously, SecureTransport did not allow configuration of the supported Key Exchange Algorithms for SSH transfers.
Resolution: Now, SecureTransport provides the following configuration options for controlling the Key Exchange Algorithms:
For client-initiated transfers:
  • Ssh.SupportGroup1SHA1 - for diffie-hellman-group1-sha1
  • Ssh.SupportGroup14SHA1 - for diffie-hellman-group14-sha1
  • Ssh.SupportGroupExchangeSHA1 - for diffie-hellman-group-exchange-sha1
  • Ssh.SupportGroupExchangeSHA256 - for diffie-hellman-group-exchange-sha256
For server-initiated transfers:
  • Ssh.SIT.SupportGroup1SHA1 - for diffie-hellman-group1-sha1
  • Ssh.SIT.SupportGroup14SHA1 - for diffie-hellman-group14-sha1
  • Ssh.SIT.SupportGroupExchangeSHA1 - for diffie-hellman-group-exchange-sha1
  • Ssh.SIT.SupportGroupExchangeSHA256 - for diffie-hellman-group-exchange-sha256
Note: When FIPS mode is enabled, the configuration has no effect and the promoted algorithms are always diffie-hellman-group1-sha1, diffie-hellman-group14-sha1 and diffie-hellman-group-exchange-sha1.
Patch 8
00833877
D-104853 Issue: Previously, the OutboundConnections.maxConnectionsPerHost parameter limited Folder Monitor transfers.
Resolution: Now, this parameter is ignored for FolderMonitor transfers.
Patch 8
00832224
D-105019 Issue: Previously, SecureTransport SFTP outbound connections with compression could fail with a ZStream NoClassDefFoundError.
Resolution: Now, connections with compression to remote SFTP servers complete successfully.
Patch 8
00825247
D-105073 Issue: Previously, when a business unit was assigned to a delegated administrator and a child business unit was then created under it, the child business unit was not automatically assigned to the delegated administrator.
Resolution: Now, SecureTransport automatically assigns newly created child business units to the delegated administrator.
Patch 8
00834937
D-105165 Issue: Previously, when an end user downloaded a file with a third-party HTTP client that supports disposition, SecureTransport did not set some environment variables starting with DXAGENT_HTTP_ on the Outgoing End event.
Resolution: Now, SecureTransport populates the DXAGENT_HTTP_* variables on the Outgoing End event for any of the supported third-party HTTP clients.
Patch 8
none
D-105178 Issue: Previously, administrators were not able to import DSA certificates.
Resolution: Now, DSA certificates can be imported and exported in SecureTransport.
Patch 7
00837057
D-105622 Issue: Previously, after upgrading SecureTransport to version 5.3.1 on AIX, in some cases administrators and users created before the upgrade were not able to login unless an administrator reset their passwords.
Resolution: Now, SecureTransport users and administrators can successfully login.
Patch 6
00829106
D-103983 Issue: Previously, there was a possibility for an attacker to modify some of the contents of already sent AdHoc messages using crafted REST API calls.
Resolution: Now, there is no possibility to make any changes to already sent AdHoc messages.
Patch 6
00834301
D-104936 Issue: Previously, the Server Log contained a "Password verification failed" log message before a successful authentication over FTP.
Resolution: Now, this message is no longer present at default logging level.
Patch 5
00804103
D-98649 Issue: Previously, SecureTransport would try to create a SecureTransport system folder (named .stfs) outside of the account's home folder.
Resolution: Now, SecureTransport will not try to create any SecureTransport system folders outside the account's home folder.
Patch 5
00805479
D-99464 Issue: Previously, when a user logged out or when a SendToPartner step was triggered, the logging information did not provide sessionId information for "Removed session..." log messages.
Resolution: Now, SecureTransport provides sessionId entries for such messages when a user logs out or executes a SendToPartner routing step.
Patch 5
00808322
D-99551
D-99547
Issue: Previously, when transferring big files over PeSIT with ASCII mode enabled, out of memory errors could appear causing incomplete transfers and crashes of the PeSIT and the TM daemons.
Resolution: Now, no such errors appear and the transfers finish successfully regardless of file size. A new configuration option is added: Pesit.ASCII.recordsInfo.bulk.size. Default value: 32768. Minimum accepted value: 1024.
Patch 5
00809451
D-102070 Issue: Previously, the amount of protocol commands logged when performing a transfer of a file larger than 100 GB using SecureTransport's PeSIT protocol caused an OutOfMemory error.
Resolution: Now, SecureTransport offers control over the size of the protocol commands logged during the transfer.
A new server configuration option named TransactionManager.DetailedProtocolCommandsLogging.MaxSize is added. It is used to limit the protocol commands logging by defining the maximum size of the protocol commands that will be logged in kilobytes (KB). Default value: -1 - unlimited protocol commands logging. Possible values: <size of commands in KB> | -1.
Patch 5
00828055
D-103662 Issue: Previously, users with an email address containing an underscore (_) were not able to login in some cases.
Resolution: Now, users with such an email address are able to login successfully.
Patch 5
00828593
D-104035 Issue: Previously, files could be processed through the wrong transfer site because the transfer configurations of different subscriptions were mixed up during dynamic synchronization in a Standard Cluster.
Resolution: Now, the issue is resolved: the transfer configurations of different subscriptions can no longer be mixed up, and files are no longer processed by the wrong transfer site.
Patch 5
none
D-104848 The JRE is upgraded to the latest version, which resolves several security vulnerabilities.
  • IBM JRE is upgraded to version 8 Service Release 3
  • Linux, Solaris and Windows JRE is upgraded to 1.8.0 update 92
Patch 4
none
D-104652 Issue: Previously, after applying SecureTransport 5.3.1 Patch 3 the newly created subscriptions were corrupted preventing the execution of server-initiated transfers.
Resolution: Now, the subscriptions are properly created and the server-initiated transfers are successfully executed.
Note: Subscriptions created before applying SecureTransport 5.3.1 Patch 4 will not be corrected by the patch. To fix the subscriptions, you need to:
  • open them for editing using the Administration Tool and save them without making any changes
  • or update them using the subscriptions RESTful API
Note: Files already uploaded in a corrupted subscription folder will not trigger the chained flow. You need to re-upload the files to trigger the flows.
Patch 3
00815930
D-101294 Issue: Previously, administrators were not able to subscribe an account to an application when there was no common business unit between them.
Resolution: Now, there is a global configuration option CrossBusinessUnitSubscription.enable which specifies whether or not to accept requests to subscribe an account to an application when there is no business unit in common between them. The available configuration values are true or false. The default value is false.
Patch 3
00815909
D-101597 Issue: Previously, there was a progressive slowness upon subscribing an account with many subscriptions to an application via REST API calls.
Resolution: Now, the progressive slowness is resolved and the time for each consecutive subscription is consistent.
Patch 3
00822830
D-102774 Issue: Previously, calls to the REST API business units resource filtered by application name were failing.
Resolution: Now, the REST API calls are successfully processed and the correct information is returned.
Patch 3
00827018
D-103463 Issue: Previously, after upgrading SecureTransport to version 5.3.1, administrators and users with passwords longer than nine symbols and/or containing special characters were not recognized and the users were not able to login unless an administrator reset their passwords.
Resolution: Now, SecureTransport users and administrators can successfully login after upgrade to version 5.3.1.
Patch 3
00830237
D-104064 Issue: Previously, when a directory was selected in ST Web Client, there was a Rename button in the Organize menu.
Resolution: Now, there is no Rename button in the Organize menu if a directory or multiple entities (directories or files) are selected.
Patch 3
none
D-104286 Issue: Previously, business units could not be created from the SecureTransport Administration Tool.
Resolution: Now, business units are created successfully.
Patch 2
00802539
D-99209 Issue: Previously, DXAGENT_BUSINESS_UNIT_NAME environment variable was not exposed for Outgoing events.
Resolution: Now, DXAGENT_BUSINESS_UNIT_NAME and DXAGENT_BUSINESS_UNIT_ID environment variables are exposed in the environment for all events.
Patch 2
00822315
00822316
00822317
00822318
D-102686
D-102687
D-102688
D-102689
Issue: Previously, SecureTransport was vulnerable to several CVEs (CVE-2016-0706, CVE-2016-0714, CVE-2015-5345, CVE-2015-5174).
Resolution: Now, the Apache Tomcat library is upgraded and SecureTransport is no longer vulnerable.
Patch 2
00823028
D-103363 Issue: Previously, SecureTransport logged the user passwords in plain text when debug mode was enabled.
Resolution: Now, the user passwords are no longer reported as plain text when in debug mode.
Patch 1
none
D-99615 Issue: Previously, the SecureTransport Administration tool login form was vulnerable to Reflected Cross-Site Scripting attacks by passing malicious data in the initial request parameters.
Resolution: Now, Administration Tool is protected against this vulnerability.
SecureTransport 5.3.3 Patch 15
00844753 RDST-1072 Issue: Previously, when a load balancer or reverse proxy was used for HTTP(S) connections, an incorrect client IP address was reported to SiteMinder for authentication and authorization.
Resolution: Now, SecureTransport provides the Siteminder.RemoteAddressHeaderName configuration option, which specifies the HTTP header that the load balancer or reverse proxy uses to pass the correct client IP address.
00873329 RDST-2993
RDST-4450
Issue: Previously, when a file was moved from an allowed folder to a restricted folder, SecureTransport did not perform a check on the upload and rename permissions of the destination folder.
Resolution: Now, when a file is moved from an allowed folder to a restricted folder, SecureTransport performs a check and respects the upload and rename permissions of the destination folder.
00876243 RDST-3170
RDST-4449
Issue: Previously, an administrator was unable to filter file tracking records by the Pluggable transfer site custom protocols on the Administration Tool File tracking page.
Resolution: Now, an administrator can filter file tracking records by Pluggable transfer site custom protocols on the Administration Tool File Tracking page.
00876657 RDST-3451 Issue: Previously, when delegated administrators assigned to a business unit created a new user account, the new account fields were not populated automatically with the information configured in the business unit.
Resolution: Now, when delegated administrators assigned to a business unit create a new user account, the new account fields are populated automatically with the information configured in the business unit.
00879073 RDST-3575 Issue: Previously, when the Server Log was exported through REST API, the logs resource did not limit exports to within the configured fromDate and endDate parameters.
Resolution: Now, when the Server Log is exported through REST API, the logs resource is correctly limiting exports within the configured fromDate and endDate parameters.
00879410 RDST-3576 Issue: Previously, a timeout mechanism in SecureTransport caused HTTP sessions to leak, which exhausted the Http.MaxLoggedInUsers limit (if set). Reaching the limit introduced an additional increase in Transaction Manager sessions which were not released, which caused a Transaction Manager sessions leak as well.
Resolution: Now, the HTTP and Transaction Manager sessions leaks are corrected.
00880229 RDST-3870
RDST-4448
Issue: Previously, the creation of an account through REST API in XML format would fail when metadata was included in the request.
Resolution: Now, the creation of an account through REST API in XML format is successful when metadata is included in the request.
00881692
00882477
RDST-3995
RDST-4092
Issue: Previously, the calendar controls on the Administration Tool File Tracking and Server Log pages did not work.
Resolution: Now, the calendar controls on the File Tracking and Server Log pages are working.
Patch 14
00870918
RDST-2698 Issue: Previously, SecureTransport did not support connections to an Oracle database over TLSv1.2 and TLSv1.1.
Resolution: Now, SecureTransport supports connections to an Oracle database over TLSv1.2 and TLSv1.1.
Patch 14
00869900
RDST-2704 Issue: Previously, transfers performed by users who were not allowed to log into SecureTransport could not be resubmitted.
Resolution: Now, the transfers can be resubmitted.
Patch 14
None
RDST-3035 Improvements to SecureTransport have been made in the following areas:
  • Reduced disk I/O when checking if folders are shared
  • Reduced disk I/O when resolving symbolic links
  • Reduced database I/O when finalizing transfers
  • Optimized Advanced Routing Decompress step
  • Overall reduction of disk I/O when working with STFS
  • Better disk I/O control for TM (control is achieved by the configuration options TransactionManager.fileIOBufferSizeInKB and TransactionManager.syncFileToDiskEveryKB)
  • Event distribution in Enterprise Clusters
  • New configuration options are introduced to enable fine tuning of resource allocation separately for events initiated by transfers and Advanced Routing post-processing events. The following options control the new thread pool used for only processing Advanced Routing events:
    • EventQueue.ThreadPools.AdvancedRouting.maxThreads - Default value: 128
    • EventQueue.ThreadPools.AdvancedRouting.minThreads - Default value: 16
    • EventQueue.ThreadPools.AdvancedRouting.IdleTime - Default value: 60
  • The new AdvancedRouting.sandboxFolderLocation server configuration option has been introduced to enable creation of the sandbox folder locally on each processing node, outside of the user home folder. In a cluster environment, this reduces the network file copy to once at the beginning of the route and once at the end of the route. The default value is empty, which means that Advanced Routing creates its sandbox folder under the user account home folder (the legacy behavior).
Patch 14
00879051
RDST-3512 Issue: Previously, there was a typographical error in the SecureTransport Server Log message on an unsuccessful authentication attempt over HTTP.
Resolution: Now, there is no typographical error in the SecureTransport Server Log message on an unsuccessful authentication attempt over HTTP.
Patch 14
00879052
RDST-3513 Issue: Previously, the SecureTransport HTTP daemon was restarted continuously by the Monitor Server when the Client Certificate Authentication option was set to Mandatory.
Resolution: Now, the SecureTransport HTTP daemon is not continuously restarted by the Monitor Server when the Client Certificate Authentication option is set to Mandatory.
Patch 14
00876869
RDST-3515 Issue: Previously, after migration from a MySQL database to an Oracle database, it was not possible to perform server-initiated transfers over PeSIT with SSL enabled.
Resolution: Now, after migration from a MySQL database to an Oracle database, the server-initiated transfers over PeSIT with SSL enabled are successfully executed.
Patch 13
00869157
RDST-2733 Issue: Previously, all DELETE requests to the /mailbox/myself resource led to the inability to log in when the session timed out and the Basic Authentication option was enabled.
Resolution: Now, it is possible to log in after DELETE requests to the /mailbox/myself resource when the session times out and Basic Authentication is enabled.
Note: A similar inability to log in can occur because the Google Chrome browser does not remove cookies that SecureTransport has expired.
Patch 13
00873326
RDST-2984 Issue: Previously, some server-initiated pull transfers would fail with a "No files matching the <remote pattern>..." error message although files matching the pattern were present on the remote site. The issue was observed when the ZeroByteWildcardPullAllowed configuration option was set to true in a Microsoft Windows environment.
Resolution: Now, server-initiated pull transfers are correctly executed when files matching the pattern are present on the remote site.
Patch 13
00874571
RDST-3091 Issue: Previously, the SecureTransport HTTPD daemon did not log failed login attempts.
Resolution: Now, the SecureTransport HTTPD daemon correctly logs failed login attempts.
Patch 13
00872868
RDST-3092 Issue: Previously, in a SecureTransport Edge cluster environment, performing manual synchronization caused all nodes to have the same value for the OutboundConnections.Proxy.clientHost configuration option. On machines with more than a single network interface, this resulted in the SOCKS proxy service being unable to start.
Resolution: Now, the OutboundConnections.Proxy.clientHost configuration option is local for each SecureTransport Edge.
Patch 12
00834814
RDST-505
RDST-3241
Issue: Previously, when running on Microsoft Windows, SecureTransport Advanced Routing required impersonated access to the <FILEDRIVEHOME>\conf\configuration.xml file. This caused Advanced Routing to fail if the impersonated user did not have access to the configuration file.
Resolution: Now, SecureTransport Advanced Routing does not require access to the configuration file.
Patch 12
00838735
RDST-513 Issue: Previously, the CSRF token was passed in the URL of all GET requests.
Resolution: Now, the CSRF token is either passed in the custom header or it is not passed in GET requests.
Patch 12
00869669
00868221
RDST-2584
RDST-3237
RDST-3238
Issue: Previously, when creating a file using SecureTransport RESTful API, if the file had flow attributes added as metadata, the attributes were not persisted and an exception was thrown if there were multiple attributes.
Resolution: Now, the flow attributes are persisted and multiple attributes per file are allowed.
Patch 12
none
RDST-2971
RDST-3247
Issue: Previously, after applying Patch 11, dual authentication over SSH did not take the password into consideration.
Resolution: Now, dual authentication over SSH properly uses the provided password and fails if the password is not correct.
Patch 12
none
RDST-3138
RDST-3246
Issue: Previously, if a user was authenticated via EAAS and mapped to an account template, login restrictions were not applied correctly.
Resolution: Now, login restrictions are applied correctly for all types of EAAS users.
Patch 11
00852909
RDST-1015
RDST-3229
RDST-3231
Issue: Previously, SecureTransport ignored proxy settings and attempted to make a direct connection while performing server-initiated transfers when there were no available proxies.
Resolution: Now, a new configuration option, Direct.Connection.When.Proxy.Down, controls whether SecureTransport should attempt a direct connection or not. The default value is true.
Patch 11
none
RDST-1411 Issue: Previously, a user account was not locked after exceeding the maximum amount of successful logins specified in the Lock account after X successfull login option.
Resolution: Now, the user account is locked after exceeding the maximum amount of successful logins.
Patch 11
00867712
00861973
RDST-2071
RDST-3233
Issue: Previously, the Resubmit button was present for ongoing transfers currently being retried.
Resolution: Now, outgoing transfers that are currently being retried cannot be resubmitted.
Patch 11
none
RDST-2642 Issue: Previously, after applying Patch 10, certificate authentication in EAAS was unsuccessful.
Resolution: Now, certificate authentication in EAAS is working correctly.
Patch 11
00868481
RDST-2690 Issue: Previously, after applying Patch 9, authentication through EAAS failed because of a missing session variable - "AUTHENTICATION_RESULT".
Resolution: Now, authentication through EAAS is working correctly and all needed session variables are present.
Patch 10
00800565
RDST-477 Issue: Previously, stop_* scripts did not check if the process ID specified in the process PID file located in FILEDRIVEHOME/var/run/ belonged to the respective SecureTransport daemon.
Resolution: Now, stop_* scripts check if the process ID specified in the process PID file corresponds to the correct SecureTransport daemon.
Note: This fix does not work on Microsoft Windows because of a Cygwin limitation.
Patch 10
00852892
RDST-2010 Issue: Previously, when SecureTransport was installed using an Oracle database with DATA_PUMP disabled, the execution of the Log Entry Maintenance application failed.
Resolution: Now, the execution of the Log Entry Maintenance application is successful.
Note: The default Log Entry and Transfer Log maintenance applications, created on a fresh install of SecureTransport, have an exportDir property in the CustomProperties table. These values are not used, but both maintenance applications should be recreated for consistency.
Patch 10
00864430
RDST-2029 Issue: Previously, when the only enabled key exchange method was Ssh.SupportGroupExchangeSHA256, the SSH service failed to start.
Resolution: Now, the SSH service starts successfully with Ssh.SupportGroupExchangeSHA256 as the only key exchange method.
Patch 10
00867508
RDST-2478 Issue: Previously, impersonation on Microsoft Windows did not work for local administrators.
Resolution: Now, the impersonation on Microsoft Windows is working for local administrators.
Patch 10
none
RDST-2480 Issue: Previously, after installing SecureTransport 5.3.3 Patch 9, the user certificate authentication did not work for FTP, HTTP and SSH protocols.
Resolution: Now, user certificate authentication is working for FTP, HTTP and SSH protocols.
Patch 10
none
STWC-1522 Issue: Previously, transfers over ST Web Client were neither processed nor recorded in SecureTransport FileTracking when an identical file was present in the user home/subscription directory.
Resolution: Now, there is a client notification that the transfer will not be processed if the exact same file is on the server.
Patch 9
none
RDST-11 Issue: Previously, when a user account logged out from an HTTP or FTP session, SecureTransport did not log any messages about account logout activity.
Resolution: Now, SecureTransport reports the same log messages for HTTP and FTP user logouts, identical to the SSH sessions logout messages.
Note: The message format is: PROTOCOL: User USERNAME logged out from IP_ADDRESS.
Patch 9
00832022
RDST-504 Issue: Previously, when performing file removal operations, significant delays occurred when NFS Support classes were enabled in the start_tm_console.
Resolution: Now, the file removal delays caused by NFS retries no longer occur.
Patch 9
00853454
RDST-1296 Issue: Previously, responses from SecureTransport HTTP server did not contain the Keep-Alive header.
Resolution: Now, responses from SecureTransport HTTP server contain the Keep-Alive header. Its value can be configured using the Http.Connection.MaxIdleTime configuration parameter.
Patch 9
00851996
RDST-1893 Issue: Previously, when the Send to Partner routing step was used to send files via another account's SSH Transfer site with Overwrite Upload Folder enabled in the routing step and the subscription folder of the Advanced Routing application set to the root of the account's home folder, the information about the remote directory in the Transfer Details was left blank.
Resolution: Now, the remote directory information in the Transfer Details is correct.
Patch 9
00856693
RDST-1941 Issue: Previously, when an HTTP proxy was configured, SecureTransport would ignore it when attempting server-initiated transfers.
Resolution: Now, when an HTTP proxy is configured, SecureTransport uses the configured HTTP proxy instead of attempting a direct connection to the remote host.
Patch 9
00852892
RDST-2010 Issue: Previously, when SecureTransport was installed with an Oracle database without DATA_PUMP, the execution of the Log Entry Maintenance application would fail. When you tried to create a new Transfer Log Maintenance application, the checkbox for enabling the export functionality was checked and disabled.
Resolution: Now, the execution of the Log Entry Maintenance application is successful and the export checkbox in the Transfer Log Maintenance application is not checked.
Note: The default Log Entry and Transfer Log maintenance applications, created on a fresh install of SecureTransport, have an exportDir property in the CustomProperties table. These values are not used, but both maintenance applications should be recreated for consistency.
Patch 9
00865975
RDST-2138 Issue: Previously, after installing SecureTransport 5.3.3 Patch 4, login restriction policies defined at Account or Business unit level were ignored.
Resolution: Now, login restriction policies defined at Account or Business unit level are not ignored.
Patch 9
00865975
RDST-2174 Issue: Previously, when installing patches released after SecureTransport 5.3.3 Patch 7, the Axway Installer log contained misleading information referencing Patch 7.
Resolution: Now, the Axway Installer log does not contain information referencing wrong patch numbers.
Patch 9
00867508
RDST-2478 Issue: Previously, when local administrators were configured as Real Users under the SecureTransport account, the impersonation in SecureTransport on Microsoft Windows did not work.
Resolution: Now, impersonation in SecureTransport on Microsoft Windows works for local administrators configured as Real Users.
Patch 9
none
RDST-2480 Issue: Previously, SSH key authentication failed
Resolution: Now, SSH key authentication works properly.
Patch 8
00854536
RDST-1402 Issue: Previously, when running SecureTransport on Microsoft Windows, the archiving of outbound transfers would fail when the archive folder was set to a shared folder on another Microsoft Windows server.
Resolution: Now, the archiving of outbound transfers into a shared folder on another Microsoft Windows server is successful.
Patch 8
00856865
RDST-1712 Issue: Previously, the Standard Router application would fail to route files when a recipient's account name and login name were different.
Resolution: Now, the file is successfully routed even if the account name and login name of the recipient are different.
Patch 8
00861470
RDST-1763 Issue: Previously, the download of a file would halt once the download reached a specific point, when using SecureClient with SFTP as the SecureTransport client.
Resolution: Now, the download of the complete file is successful.
Patch 8
00860772
RDST-1775 Issue: Previously, the upload of multiple files in ST Web Client would fail when one of the old SecureTransport HTML templates was used. Only one of the files would upload and an "Error: 500" message was displayed.
Resolution: Now, it is possible to upload multiple files using all SecureTransport HTML templates.
Patch 8
00847100
RDST-2048 Issue: Previously, when a ST Web Client user shared a folder with a single email or lists of emails and clicked on the Share button, the email list the folder was shared with would be empty.
Resolution: Now, the shared folder displays the list of emails.
Patch 7
00856110
RDST-1270 Issue: Previously, when performing server-initiated transfers over FTP through a SecureTransport Edge server with SOCKS proxy, SecureTransport would fall back to the host specified in the transfer site after attempting to use the host from the PASV command response. The subsequent connection bypassed the SOCKS proxy and the SecureTransport server attempted a direct connection.
Resolution: Now, the FTP transfers are correctly executed through the SOCKS proxy.
Patch 7
00856904
RDST-1450 Issue: Previously, when there was a configured password policy, it was displayed only after the end user tried to change their password and there was a mismatch with the password policy.
Resolution: Now, when there is a configured password policy, it is displayed when the password change page is loaded.
Patch 7
00853359
RDST-1466 Issue: Previously, if a ST Web Client account did not have mailbox enabled, the Accessibility shortcuts for mailbox were shown.
Resolution: Now, if a ST Web Client account does not have a mailbox enabled, the Accessibility shortcuts for mailbox are not shown.
Patch 7
none
RDST-1772 Issue: Previously, when performing direct server-initiated transfers over FTP, SecureTransport would fall back to the host specified in the transfer site after attempting to use the host specified in the PASV command response. As a result, the transfer was reported as successful, even though no actual transfer was started.
Resolution: Now, when performing direct server-initiated transfers over FTP, SecureTransport falls back to the host specified in the transfer site after attempting to use the host from the PASV command response, and the transfer is successfully started.
Patch 5
00800559
RDST-476 Issue: Previously, when editing an account, the value of the home folder was not populated correctly. This occurred when the account was created with a home folder different than the default one, and the account was edited immediately following the creation, edit, or deletion of a subscription or a transfer site within the account.
Resolution: Now, the account home folder is populated with the original value.
Patch 5
00822053
RDST-1319 Issue: Previously, when running non-root SecureTransport Edges in a cluster with a umask of 0027 on the non-root user of the operating system, manual synchronization of the nodes would fail.
Resolution: Now, manual synchronization of the nodes is successful.
Patch 5
00856110
RDST-1531 Issue: Previously, the password reset of a ST Web Client account failed when the account name and the login name were different.
Resolution: Now, the password reset of an account which has a different login name is successful.
Patch 5
00861457
RDST-1718 Issue: Previously, SecureTransport would try to authenticate a LDAP user after only the user name was received.
Resolution: Now, the LDAP authentication process is triggered when both user name and password are entered.
Patch 4
00800548
RDST-431 Issue: Previously, when subscribing or editing a subscription of an account, the name of the application and the business units assigned to the application were not shown.
Resolution: Now, the information is shown as: Subscription to: applicationName (Business Unit: buName)
Patch 4
00813087
00848312
RDST-463
RDST-691
Issue: Previously, when running SecureTransport on Microsoft Windows, Advanced Routing routes were not executed if the sandbox or temporary folder path exceeded 255 characters.
Resolution: Now, Advanced Routing routes are successfully executed if the sandbox or temporary folder path exceeds 255 characters.
Patch 4
00800556
RDST-475 Issue: Previously, percent (%) and underscore (_) characters were treated as wild-cards in account searches and it was not possible to find accounts containing these characters in their name.
Resolution: Now, percent (%) and underscore (_) characters are not treated as wild-cards.
Patch 4
00850053
RDST-875 Issue: Previously, the Rename existing file collision setting in the Advanced Routing Publish to Account step was not honoring the ServerInitiated.Access.Restricted configuration parameter when there was a rename file system restriction.
Resolution: Now, the ServerInitiated.Access.Restricted configuration parameter is honored and the file is successfully renamed if the configuration parameter is set to false.
Patch 4
00850050
RDST-892 Issue: Previously, if the Advanced Routing Send to Partner step was configured to send a trigger file, but the Trigger File Content field was left blank, the trigger file was not sent.
Resolution: Now, the trigger file is sent even when the Trigger File Content field is left blank.
Patch 4
00851596
RDST-943 Issue: Previously, login restriction policies were applied after the failed login counter was updated, which locked login restricted accounts.
Resolution: Now, the login restriction policies are applied before updating the failed login counter.
Patch 4
00856718
RDST-1334 Issue: Previously, it was not possible to set "/" as the receive folder of a Standard Router or Site Mailbox subscription.
Resolution: Now, it is possible to set "/" as the receive folder and route the files directly in the subscription folder.
Patch 4
00855322
RDST-1353 Issue: Previously, the import of an account from a business unit with a route package derived from a route template that did not have the business unit assigned was successful, but an Internal Server Error would occur when the account was edited.
Resolution: Now, an account is not imported if there is incompatibility between the business unit of the account and the list of business units assigned to the route template.
Patch 3
00850468
00850151
RDST-762 Issue: Previously, there were performance issues when uploading files using ST Web Client with Microsoft Internet Explorer 11 and Microsoft Edge browsers.
Resolution: Now, the performance of file uploads when using ST Web Client with Microsoft Internet Explorer 11 and Microsoft Edge is improved and comparable to the other supported browsers.
Patch 3
00851165
RDST-978 Issue: Previously, the value of the Use Secure Connection option was not honored when testing the connection to Axway Sentinel Server.
Resolution: Now, the value of the Use Secure Connection option is honored when testing the connection to Axway Sentinel Server.
Patch 3
none
RDST-984 Issue: Previously, when a resubmit of a non-existing file was tried using the SecureTransport REST API, a status code 200 was returned.
Resolution: Now, when trying to resubmit a non-existing file using the SecureTransport REST API, a status code 500 is returned.
Note: The response message is: Error while resubmitting transfer. Source for file "filename" does not exist.
Patch 3
00852494
RDST-986 Issue: Previously, when trying to upload a file using ST Web Client with Microsoft Internet Explorer, a warning message "Folder uploads are not allowed" was displayed.
Resolution: Now, no warning message is displayed and uploads are correctly transferred.
Patch 3
00807954
RDST-1132 Issue: Previously, when an administrator tried to change another administrator's password using the SecureTransport Administration tool, the old password was required.
Resolution: Now, the old password is no longer required.
Note: The old password is still required when an administrator changes their own password.
Patch 3
none
RDST-1133 Issue: Previously, when setting up a SecureTransport Folder Monitor Transfer Site, the Upload folder was not allowed to be /.
Resolution: Now, when setting up a SecureTransport Folder Monitor Transfer Site, the Upload folder can be set to /.
Patch 3
none
RDST-1134 Issue: Previously, when SecureTransport archiving was enabled, pausing and resuming client-initiated transfers using ST Web Client resulted in two partially corrupted archives.
Resolution: Now, when SecureTransport archiving is enabled, pausing and resuming client-initiated transfers using ST Web Client results in one full-sized, non-corrupted archive.
Patch 3
00837236
RDST-1201 Issue: Previously, the SecureTransport Administration Tool did not display the correct time and date in the Configure Schedule dialog box when the SecureTransport server and browser timezones were different.
Resolution: Now, the time and date are displayed according to the SecureTransport server timezone.
Patch 3
00842286
RDST-1202 Issue: Previously, the Advanced Routing Decompress step failed when processing archives containing a zero byte file as the first file.
Resolution: Now, the Decompress step correctly processes archives containing a zero byte file as the first file.
Patch 3
00835840
RDST-1203 Issue: Previously, an Advanced Route with a Send to Partner step configured would not process plain files with a .pgp extension.
Resolution: Now, the files are correctly delivered.
Patch 3
none
RDST-1293 Issue: Previously, deploying a certificate on a SecureTransport Edge installation via SecureTransport REST API failed.
Resolution: Now, the certificate deployment is successful and no errors are observed.
Patch 3
00855508
00854621
RDST-1307 Issue: Previously, after deploying SecureTransport 5.3.3 Patch 2 on a SecureTransport Edge installation, the services did not start.
Resolution: Now, after deploying SecureTransport 5.3.3 Patch 3 on a SecureTransport Edge installation, the services start properly.
Patch 3
00856522
RDST-1331 Issue: Previously, the client was not alerted when an AdHoc upload of a file larger than 4GB using ST Web Client with Microsoft Internet Explorer 11 was not successfully processed.
Resolution: Now, an alert message is implemented notifying the client about the Microsoft Internet Explorer 11 limitation with a list of files that cannot be processed using ST Web Client with Microsoft Internet Explorer 11.
Patch 2
none
RDST-152 Optimizing and refactoring of the resubmit code.
Patch 2
none
RDST-190 Issue: Previously, when the File Archiving functionality was on, deleting a relatively big file right after the end of its upload to the home folder caused the archiving to fail.
Resolution: Now, the archiving does not fail. The archived file is stored simultaneously with the uploaded file in the home folder.
Patch 2
00837288
RDST-497 Issue: Previously, SecureTransport Package Retention Maintenance Application would fail in some cases.
Resolution: Now, SecureTransport Package Retention Maintenance Application will not fail in these cases.
Patch 2
00841696
RDST-548 Issue: Previously, SecureTransport Package Retention Maintenance Application did not clean all metadata inside sender's account mailbox folder and anonymous mailbox folder left from AdHoc transfers.
Resolution: Now, SecureTransport Package Retention Maintenance Application cleans all metadata from the sender's account mailbox folder and anonymous mailbox folder.
Patch 2
00846081
RDST-550 Issue: Previously, SecureTransport FTP server did not compare the MD5 sum of the sent (STCK) and the received file (RTCK).
Resolution: Now, the comparison is performed and if the MD5 checksums do not match, the transfer will be marked as failed.
Patch 2
00850177
RDST-767 Issue: Previously, connection attempts to the Administration Tool over TLSv1 did not work.
Resolution: Now, connections to the Administration Tool over TLSv1 are successful.
Patch 2
00849811
RDST-954 Issue: Previously, SecureTransport FTP server did not limit the number of failed login attempts for an existing user account.
Resolution: Now, SecureTransport FTP server disconnects the client after the maximum permitted failed login attempts are reached.
Patch 2
00850203
RDST-963 Issue: Previously, after triggering the Archive Maintenance Application there were handles left open by the TransactionManager process.
Resolution: Now, there are no handles left open in this case.
Patch 1
00847096
RDST-544 Issue: Previously, there was no error message when trying to upload a folder through SecureTransport Web Client using Internet Explorer.
Resolution: Now, an error message is displayed in this case.
Patch 1
00836602
RDST-547 Issue: Previously, intermittent errors during creation of .stfs/objects folder resulted in failed processing of the advanced route.
Resolution: Now, these errors are handled gracefully and the processing is successful.
Patch 1
00834764
RDST-569 Issue: Previously, there were intermittent failures when a Standard Router application was triggered.
Resolution: Now, those failures are fixed and no errors are observed when a Standard Router application is triggered.
Patch 1
00847877
RDST-576 Issue: Previously, SecureTransport Web Client displayed a wrong client name on all pages.
Resolution: Now, the correct name is displayed on all pages.
Patch 1
00839015
RDST-673 Issue: Previously, Advanced Router reported subtransmission failures when Users.LoginNames.virtualUserCaseSensitive was set to false and a user logged in using the wrong letter case.
Resolution: Now, there are no failures in this case.
Patch 1
none
RDST-678 Issue: Previously, when trying to resubmit transfers using an LDAP user without an account template, the resubmit was not successful.
Resolution: Now, the resubmit is successful in this case.
Patch 1
none
RDST-735 Issue: Previously, a delegated administrator could add a Login Restriction Policy to a Business Unit to which they did not belong.
Resolution: Now, a delegated administrator can do this only for the Business Units they belong to.
SecureTransport 5.3.3 Patch 16
00879410 RDST-3869 Issue: Previously, it was impossible to collect Java thread and heap dump data on AIX.
Resolution: Now, Java thread and heap dump data can be collected on AIX.
SecureTransport 5.3.5 Resolved Defects
00848610 RDST-498 Issue: Previously, when a transfer site used in Advanced Routing was renamed, the transfer site name was not automatically updated in the route settings and the route execution failed.
Resolution: Now, a warning message is displayed that some functionality (for example, routes) will be affected when a transfer site is edited.
00848615 RDST-499 Issue: Previously, it was not possible to enable the HTTPOnly flag for session cookies.
Resolution: Now, the HTTPOnly flag is added to all session cookies for administrator and end-user HTTP listeners.
00848668 RDST-500 Issue: Previously, some SecureTransport REST API error messages contained detailed stack trace information.
Resolution: Now, SecureTransport REST API provides general error messages and they do not contain stack trace information.
00839654 RDST-527 Issue: Previously, the SecureTransport Administration Tool File Tracking page listed 101 transfers per page instead of 100 transfers per page.
Resolution: Now, the File Tracking page lists 100 transfers per page.
00837582 RDST-537 Issue: Previously, the list of Account Transfer Sites in the Advanced Routing Send to Partner step was not re-sizable. When the names of the transfer sites were identical up to the 28th character, the administrator could not distinguish between the transfer site names.
Resolution: Now, the list of Account Transfer Sites is re-sizable and the administrator can distinguish between transfer site names.
00844321 RDST-564 Issue: Previously, when a ST Web Client user uploaded a duplicate file, ST Web Client would report a successful upload even though the upload of the duplicate file was not processed or reported on the SecureTransport File Tracking page.
Resolution: Now, ST Web Client users are notified that the transfer will not be processed if they attempt to upload a duplicate file.
00837866 RDST-568 Issue: Previously, client initiated transfers to folders with consecutive underscore (_) and pound sign (#) characters in their names would fail.
Resolution: Now, client initiated transfers to folders with "_#" in their names are successful.
00850450 RDST-787 Issue: Previously, SecureTransport would generate a certificate or Certificate Signing Request (CSR) with invalid fields if optional fields were left empty.
Resolution: Now, if optional fields are left empty, the empty or invalid fields will not appear in the generated certificate or CSR.
00850674 RDST-800 Issue: Previously, the Reverse DNS Lookups selection on the SecureTransport Administration Tool Miscellaneous page was not persisted. When Disabled was selected, the page would refresh and the Reverse DNS Lookups selection would default to Enabled.
Resolution: Now, the Reverse DNS Lookups selection is persisted and the last selection is displayed when the Miscellaneous page refreshes.
00850644 RDST-874 Issue: Previously, changes made in the DataManager.js file were not reflected in all ST Web Client pages.
Resolution: Now, the branding procedure has been updated and changes made in the custom/stwebclient.config.json file are reflected in all affected ST Web Client pages.
00854350
00854842
RDST-1213 Issue: Previously, the list of Account Transfer Sites in the Advanced Routing Send to Partner step was not re-sizable and the ends of long transfer site names were hidden.
Resolution: Now, the list of Account Transfer Sites is re-sizable and the ends of long transfer site names are visible.
00841067 RDST-1243 Issue: Previously, the SecureTransport File Tracking export took an extended period of time when a large time range with multiple entries was exported.
Resolution: The default chunk size of data retrieved from database is tuned for better performance. The log_export command line utility is extended with a new --chunk-size parameter for tuning according to use case.
00851996 RDST-1348 Issue: Previously, when using the Advanced Routing Send to Partner routing step to send files to a SSH transfer site of another account, the information for the Transfer Details for the remote directory was left blank.
Resolution: Now, the Transfer Details for the remote directory are displayed.
00857367 RDST-1379 Issue: Previously, failed login attempts to ST Web Client over HTTP were not displayed in SecureTransport Server Log.
Resolution: Now, failed login attempts to ST Web Client over HTTP are displayed in the Server Log.
00857578 RDST-1425 Issue: Previously, misleading error messages were displayed when attempting to import a SSH login certificate and mandatory Import Certificate/Key fields were left blank.
Resolution: Now, valid error messages are displayed when mandatory Import Certificate/Key fields are left blank.
none RDST-1433 Issue: Previously, SecureTransport did not gracefully handle STFS file corruptions caused by sharing the file system where the user home directories are located.
Resolution: Now, the SecureTransport Administrator's Guide has been updated as follows: Multiple deployed standalone SecureTransport instances sharing the file system where the user home directories are located is not a supported configuration.
SecureTransport 5.3.6 Resolved Defects
none RDST-439 Issue: Previously, when composing AdHoc emails, the names of attachments with long file names were not shown in the Attachment Filename field.
Resolution: Now, the names of attachments with long file names are shown in the Attachment field.
none RDST-440 Issue: Previously, files with long names could not be uploaded into a user folder.
Resolution: Now, files with long names can be uploaded into a user folder.
00810896 RDST-461 Issue: Previously, when attempting to create an Enterprise Cluster in a Microsoft Windows environment, a cluster could not be formed if one of the SecureTransport servers had two network interface cards (NICs).
Resolution: Now, the Enterprise Cluster can be created if you replace localhost with the address of the NIC which you want to use in the tangosol-coherence-override file located in the <FILEDRIVEHOME>\conf\ directory.
00802123 RDST-483 Issue: Previously, the SecureTransport HTTP daemon did not interrupt transfers when the user did not have permission to upload files per their configured access rules.
Resolution: Now, when a user does not have permission to upload files per their configured access rules, the HTTP daemon will interrupt the transfer and the user will not be able to upload files.
00834403 RDST-539 Issue: Previously, the SecureTransport HTTP daemon was vulnerable to buffer overflows because there was no limit on the size of the values that could be processed in HTTP requests.
Resolution: Now, the SecureTransport HTTP daemon is no longer vulnerable to buffer overflows.
00842137 RDST-542 Issue: Previously, it was possible to launch cross-site scripting attacks using a file name and the Axway Jelly Ball 9 and Axway Box and Stripe in Blue skins.
Resolution: Now, file names in the Axway Jelly Ball 9 and Axway Box and Stripe in Blue skins are escaped properly and launching cross-site scripting attacks is no longer possible.
00847121 RDST-561 Issue: Previously, access to SecureTransport metadata files was not restricted and the metadata files were readable.
Resolution: Now, access to SecureTransport metadata files is restricted and the following configuration options have been added:
  • Stfs.Files.Permissions - The file permissions set on all of the files in the .stfs directories, in the format rwx------.
  • Mailbox.Directories.Permissions - The file permissions set in the mailbox directories, in the format rwx------.
  • Default.Directories.Permissions - The file permissions set on directories created by SecureTransport (for example, home folders, subscription folders, and so forth), in the format rwx------.
Note: These options are not used in Microsoft Windows environments.
00854980 RDST-1259
RDST-5165
Issue: Previously, TLSv1 connections between Solaris nodes would fail.
Resolution: Now, TLSv1 connections between Solaris nodes are successful.
00855600 RDST-1332 Issue: Previously, when a user with an expired password logged into ST Web Client, the user was forwarded to a page asking them to change their password. If incorrect details were entered, the user was forwarded to an error message page without a link to go back and change their password details.
Resolution: Now, the user is redirected to the Change Password page and given a meaningful reason for the redirection.
00875985 RDST-3160 Issue: Previously, a link provided for the Central Governance logs location in the SecureTransport Administrator's Guide was incorrect.
Resolution: Now, the SecureTransport Administrator's Guide provides the correct location of the Central Governance logs.
none RDST-3257 Issue: Previously, the SecureTransport Administration Tool did not validate the Preview Size setting on the ICAP Settings page on save. The Preview Size field could contain extra spaces and be saved as a valid entry.
Resolution: Now, the Preview Size is checked for extra spaces and cannot be saved as a valid entry if it contains extra spaces.
00847090 RDST-3559 Issue: Previously, ST Web Client used the <FILEDRIVEHOME>/share/ftdocs/icons/dark_logo.png for user notifications when the ST Web Client template was selected for the user account.
Resolution: Now, the correct logo is used for user notifications when the ST Web Client template is selected for the user account.
00873451 RDST-3997 Issue: Previously, SecureTransport was susceptible to multiple Spring Framework vulnerabilities (CVE-2013-6429, CVE-2013-4152, CVE-2013-7315, CVE-2014-0054, CVE-2014-1904, CVE-2014-3578, and CVE-2014-3625).
Resolution: Now, the vulnerable Spring Framework component in SecureTransport is removed.
00883967 RDST-4255 Issue: Previously, the SecureTransport Installation Guide referenced that the Perl Data Dumper is required to install SecureTransport with an embedded Microsoft SQL Server database on Oracle Linux and RHEL operating systems.
Resolution: Now, the reference is corrected to state that the Perl Data Dumper is required to install SecureTransport with an embedded MySQL database on Oracle Linux and RHEL operating systems.
00879410 RDST-4923 Issue: Previously, Java dumps could not be collected when SecureTransport is running on AIX.
Resolution: Now, Java dumps can be collected when SecureTransport is running on AIX.
00937358 RDST-11762

Issue: Previously, an XML export of accounts containing login restriction policy with rules could not be imported afterwards.
Resolution: Now, such an XML export can be successfully imported.
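
An added example, not part of the Axway release notes or product code: a small audit that compares a home-folder tree against the rwx------ format introduced for RDST-561 above. It assumes metadata lives in directories named .stfs (as these notes state), compares every directory against the Default.Directories.Permissions value, and takes the configured values as arguments instead of reading SecureTransport's configuration; the function names and the sample tree are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def parse_symbolic_mode(text):
    """Turn a nine-character string such as 'rwx------' into mode bits (0o700)."""
    if len(text) != 9:
        raise ValueError("expected nine characters, for example 'rwx------'")
    mode = 0
    for index, char in enumerate(text):
        if char == "rwx"[index % 3]:
            mode |= 1 << (8 - index)
        elif char != "-":
            raise ValueError(f"unexpected {char!r} at position {index}")
    return mode


def _check(path, root, allowed, findings):
    """Record the path if it grants any permission bit outside `allowed`."""
    info = os.lstat(path)
    if stat.S_ISLNK(info.st_mode):
        return  # a symlink's own mode bits say nothing about its target
    excess = stat.S_IMODE(info.st_mode) & 0o777 & ~allowed
    if excess:
        findings.append(
            (os.path.relpath(path, root), stat.filemode(info.st_mode), excess)
        )


def audit_tree(root, stfs_files, directories):
    """Return sorted (relative path, actual mode, excess bits) tuples.

    stfs_files  -- value configured for Stfs.Files.Permissions
    directories -- value configured for Default.Directories.Permissions
    Only files inside a .stfs directory are compared with stfs_files;
    user payload files are left alone.
    """
    stfs_allowed = parse_symbolic_mode(stfs_files)
    dir_allowed = parse_symbolic_mode(directories)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        _check(dirpath, root, dir_allowed, findings)
        if ".stfs" in os.path.relpath(dirpath, root).split(os.sep):
            for name in filenames:
                _check(os.path.join(dirpath, name), root, stfs_allowed, findings)
    return sorted(findings)


def build_constructed_tree():
    """Create a throwaway tree with one loose directory and one loose metadata file."""
    root = tempfile.mkdtemp(prefix="st-perm-demo-")
    os.chmod(root, 0o700)
    directories = {
        "alice": 0o750,                 # group can list the home folder
        "alice/.stfs": 0o700,
        "alice/.stfs/objects": 0o700,
    }
    files = {
        "alice/report.csv": 0o644,      # payload, outside .stfs, not audited
        "alice/.stfs/meta-a": 0o600,
        "alice/.stfs/objects/meta-b": 0o644,  # world-readable metadata
    }
    for rel, mode in directories.items():
        path = os.path.join(root, *rel.split("/"))
        os.mkdir(path)
        os.chmod(path, mode)            # explicit chmod: do not depend on umask
    for rel, mode in files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    tree = build_constructed_tree()
    try:
        for rel, actual, excess in audit_tree(tree, "rwx------", "rwx------"):
            print(f"{actual}  excess={excess:03o}  {rel}")
    finally:
        shutil.rmtree(tree)
```

The release notes state that these options are not used in Microsoft Windows environments, so the audit is meaningful only on POSIX file systems.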

ST Web Client corrections and fixed issues

ST Web Client 5.3.6 provides the following corrections and fixed issues:

Case ID Internal ID Description
ST Web Client 5.3.5 Resolved Defects
00846852 STWC-1218 Issue: Previously, when the instructions in the ST Web Client Branding Guide were followed and default theme was used, the generated wap.css file did not match the default wap.css file. Overwriting the default wap.css file with the generated file would change the ST Web Client color scheme.
Resolution: Now, when the default theme is used, the generated wap.css file matches the default wap.css file. Overwriting the default wap.css file with the generated file no longer changes the ST Web Client color scheme.
00847877 STWC-1271 Issue: Previously, changes made in the DataManager.js file were not reflected in all ST Web Client pages.
Resolution: Now, the branding procedure has been updated and changes made in the custom/stwebclient.config.json file are reflected in all affected ST Web Client pages.
00851847 STWC-1309 Issue: Previously, when running the lessc wap.less wap.css_flat_color_false --clean-css command per the instructions in the ST Web Client Branding Guide, the following error message was received: "extend ' .dialog .toolbar button:first-of-type' has no matches"
Resolution: Now, the wap.less file has been updated and the error message is no longer received.
00853641 STWC-1440 Issue: Previously, when a ST Web Client adhoc user composed an email and attempted to send it to multiple recipients separated by white spaces in the To field, a "Message Sent" popup was displayed instead of an error notification.
Resolution: Now, the ST Web Client Compose pane has been updated and valid email address entries in the To field are processed as pills.
00853359 STWC-1462 Issue: Previously, if a ST Web Client account did not have mailbox enabled, the Accessibility shortcuts for mailbox were shown.
Resolution: Now, if a ST Web Client account does not have a mailbox enabled, the Accessibility shortcuts for mailbox are not shown.
00856904 STWC-1483 Issue: Previously, when there was a configured password policy, it was displayed only after a ST Web Client end user tried to change their password and there was a mismatch with the password policy.
Resolution: Now, when there is a configured password policy, it is displayed when the password change page is loaded.
00850238 STWC-1522 Issue: Previously, when a ST Web Client user uploaded a duplicate file, ST Web Client would report a successful upload even though the upload of the duplicate file was not processed or reported on the SecureTransport File Tracking page.
Resolution: Now, ST Web Client users are notified that the transfer will not be processed if they attempt to upload a duplicate file.
ST Web Client 5.3.6 Resolved Defects
00855600 STWC-1439 Issue: Previously, when a user with an expired password logged into ST Web Client, the user was forwarded to a page asking them to change their password. If incorrect details were entered, the user was forwarded to an error message page without a link to go back and change their password details.
Resolution: Now, the user is redirected to the Change Password page and given a meaningful reason for the redirection.
00850151
00850468
STWC-1543 Issue: Previously, ST Web Client file uploads were slow when using Microsoft Internet Explorer 11 on Microsoft Windows 7.
Resolution: Now, ST Web Client file uploads when using Microsoft Internet Explorer 11 on Microsoft Windows 7 are comparable to file upload times for other supported browsers and operating systems.
00818953 STWC-1814 Issue: Previously, ST Web Client was using a JQuery version that was susceptible to security vulnerabilities.
Resolution: Now, the ST Web Client JQuery version is upgraded to JQuery 2.2.4.

 

Known issues and limitations

Case ID Internal ID Description
(none) D-94999 When creating a new file or directory whose name begins with a dot (.ssh or .profile), the file and directory will become inaccessible. Additionally, it is not possible to access or to remove directories or files whose names begin with a dot. However, the directories remain visible in the side-menu until there is a refresh and then they become ghost directories or files. They are still present since another directory or file with the same name cannot be created.
00800843 D-97719 When a user who starts SecureTransport Administration service has the JRE_HOME variable defined in their OS environment variables, JRE_HOME is not revalidated and the Tomcat process is started with Java executable from JRE_HOME instead of Java executable inside the SecureTransport installation.
Workaround: Unset the JRE_HOME variable before starting the SecureTransport Administration service.
(none) D-103631 Due to a Java Critical Patch update, certificates using the MD5 signature algorithm can no longer be used. Details: https://blogs.oracle.com/java-platform-group/entry/strengthening_signatures_part_2
(none) D-106421 Uploading files from a mapped network drive using SecureTransport Web Client and Microsoft Edge browser results in a 0-bytes successful transfer. The problem is that Microsoft Edge cannot correctly load files from a network location. This is a browser-specific issue, which is why it is also reproducible if any other SecureTransport HTML template is used, but is not reproducible if any other supported browser is used.
none RDST-212 Archiving for outbound transfers is not reported to Sentinel.
none RDST-238 A user cannot log in to ST Web Client after a filesystem restriction is added. When they attempt to login, an error message is displayed.
none RDST-255 A user authenticated with SiteMinder cannot resubmit transfers. The attempts to resubmit their incoming or outgoing transfers always fail.
none RDST-258 The Send button on the ST Web Client Compose pane is disabled after a file with a long name is attached.
none RDST-266 A SiteMinder user with an account template cannot use Advanced Routing. File copy to the subscription folder fails.
none RDST-336 A delegated administrator with read only rights can enable and disable Real Users.
148039 RDST-415 A pull of a non-existing file over FTP (plain) going through the Edge SOCKS proxy results in an incorrect error being reported: "Connection refused" or "Connection timed out" rather than "No such file or directory".
00826131 RDST-470 A SecureTransport Enterprise Cluster installation fails if the database password contains $ and other special characters.
00832828 RDST-524 LDAP attribute mapping is not honored in case of account login with LDAP authentication.
00848806 RDST-761 When the Compress step of Advanced Routing uses ZIP to compress files, the timestamp (created/accessed/modified) information for the compressed files is not maintained inside the archive.
none RDST-795 File archiving fails when a real user on Microsoft Windows uploads a file.
none RDST-1987 Locally stored sandbox folders are not purged when a two node cluster fails over.
Workaround: Manually clean the sandbox folders.
none RDST-2320 SecureTransport fails to push files to SharePoint over plain HTTP when an HTTP proxy is configured.
none RDST-2231 When SecureTransport is installed without DATA_PUMP, there is a default export directory value in the database for the Log Entry Maintenance application and the application will not trigger because of an exception.
Workaround: Set the export directory of the Log Entry Maintenance application using the REST API exportDir command.
none RDST-2495 A permanent database failure on the primary SecureTransport node does not trigger a cluster failover and recovery in an Active/Active Standard Cluster.
none RDST-2580 Unable to import certificates generated in SecureTransport 5.3.6 into SecureTransport 5.3.3.
Workaround: Use third-party generated certificates or certificates generated in SecureTransport 5.3.3.
none RDST-2635 After a network failure where the SecureTransport Edges are not affected, SecureTransport stops accepting transfers from the Edges. All transfers fail with a read timeout even though the other node is healthy and events were failed over to the healthy node.
00800002 RDST-3519, RDST-5650, RDST-5667, RDST-6751 SecureTransport unlicensed users cannot add attachments to ST Web Client email replies.
none RDST-3694 SecureTransport file transfer flow attributes are not reported to Axway Sentinel if the file has a plus symbol (+) in its name.
none RDST-3861 When a Retrieve Files Now is triggered with a new subscription and the subscription folder is not created on the OS level, the one-time pull execution fails and a "Target folder does not exist" error message is displayed.
00880995 RDST-3994 Shared File storage via the Common Internet File System (CIFS) standard is currently not supported on SecureTransport in Linux environments. This known limitation will be resolved and ported into SecureTransport 5.3.6.
none RDST-4116 The SecureTransport Administration Tool pages are displayed poorly using Microsoft Internet Explorer 11 when the Administration Tool is accessed using a hostname (resolved via etc\hosts file).
Workaround: Disable Display Intranet sites in Compatibility View.
none RDST-4154 SecureTransport users that are SSO authenticated by an account template cannot receive emails. They can send emails, but the user and their emails are external to SecureTransport. Responding to their emails is not possible.
Workaround: Create and authenticate users using virtual accounts with externally stored passwords.
none RDST-4244 Disabling the Sentinel reporting feature does not completely disable it if it has been previously enabled. Even if Send Events to Axway Sentinel/DI Server is unchecked, some Sentinel records are still created in the SentinelLinkData database table, causing performance degradation.
Workaround: Remove all event states from Administration Tool Setup > Axway Sentinel/DI > Event States to Send.
none RDST-4245 ST Web Client folders cannot be shared with SSO user accounts authenticated by an account template, because the users and their emails are external to SecureTransport.
none RDST-4252 SecureTransport users that are SSO authenticated by an account template cannot be used in the Advanced Routing Publish to Account route step.
none RDST-4253 SecureTransport is not able to perform server-initiated pushes or pulls over HTTP to and from another SecureTransport instance if the second instance requires SSO user authentication. The HTTP transfer site does not support SSO authentication and cannot authenticate against a SecureTransport server that requires SSO authentication.
none RDST-4259 When SecureTransport is deployed in a Standard Cluster environment, a MySQL memory leak is observed on a continuous moderate load of the server. Eventually this results in OutOfMemory errors, failures, and performance degradation, even a MySQL crash. The documentation page at http://dev.mysql.com/doc/mysql/en/crashing.html contains information that should help you find out what is causing the crash. The defect is "MySQL Server crash possibly introduced in the InnoDB statistics calculation". For more information on the defect, refer to https://bugs.mysql.com/bug.php?id=84940.
Workaround: When the described behavior is observed, a restart of the database daemon and the Transaction Manager is necessary.
00883513 RDST-4304 Under very rare circumstances, when the upgrade process is executed on Solaris, it might fail with the following error: "A fatal error has been detected by the Java Runtime Environment". It has been discovered that it is related to a rare defect in the JRE as described here: http://bugs.java.com/view_bug.do?bug_id=8032207.
Suggested workaround: Following the steps below has led to the upgrade process finishing successfully, so we encourage customers to try them:
  1. Manually download the latest 32-bit Java 7 Runtime Environment for the respective platform and architecture from https://www.java.com/en/download/manual.jsp.
  2. Extract the JRE downloaded in Step 1 into a temporary folder.
  3. Set the JAVA_HOME environment variable to the value of the folder where the JRE was extracted into in Step 2.
  4. Retry the upgrade process.
none RDST-4328 In order for Internet Explorer 11 to work properly with the Single Sign-On (SSO) functionality, Identity Providers and SecureTransport sites should not run in compatibility mode. By default, Intranet sites in IE11 run in IE7 compatibility mode. This behavior can be turned off in Compatibility View Settings by disabling Display Intranet sites in Compatibility View.
none RDST-4364 When an action is performed from an iframe to an HTTPS site and the site certificate is not valid, Microsoft Internet Explorer does not send the request because it does not trust the site. This prevents the user from successfully logging out. For proper operation with Microsoft Internet Explorer 11 and Microsoft Edge, the SecureTransport and Identity Provider certificates should be valid.
none RDST-4372 SecureTransport exposes two SAML services: ST Web Client and the SecureTransport Administration Tool. When both services use the same Identity Provider, permissions and restrictions for the users need to be properly configured on the Identity Provider. For example, if an ST Web Client end user has the same login name as a SecureTransport administrator, the user will be able to access the SecureTransport Administration Tool.
none RDST-4741 Due to the limitation of having only one entity ID for the sso-admin.xml configuration file and the fact that configuration files are synced between the cluster nodes, all administrators will have the same service provider configuration. Since the Identity Provider (IdP) cannot differentiate which request is coming from which node, it will always return the user to the assertion consumer service configured on the IdP.
Workaround: Have a separate identity provider for each cluster node, so that the user can select the node they want to log in to by choosing the dedicated IdP.
none RDST-4835 SecureTransport responds with an Internal Server Error (ISE) when the end user logs out, but their session in the Identity Provider (IdP) is already closed.
none RDST-4989 Service Provider logout does not work with Microsoft Edge if the Identity Provider (IdP) domain is not listed on local Intranet sites.
none RDST-5051 SecureTransport responds with HTTP Status 403 Authentication failed when the administrator logs out, but their session in the Identity Provider (IdP) is already closed.
none RDST-5055 Enrolled users will not be able to log in if the Identity Provider (IdP) is set up to return the Name ID in a format other than email. Alternatively, enrolled users can use an IdP that returns the Name ID in email format; this way they will be logged in correctly.
none RDST-5180 On Microsoft Windows, creating an AdHoc package for an anonymous account (download link only) fails due to an Operating System permission check issue.
none RDST-5306 When Single Sign-On (SSO) is Enabled, Client certificates for Administrators is set to Optional, and there is a certificate in the user's browser keystore, an administrator will be prompted for a Certificate Selection even when they will be authenticated using an Identity Provider. This prompt can be ignored.
none RDST-5402 When importing Single Sign-On (SSO) configuration files, the Transaction Manager on the SecureTransport node where the files are being uploaded should be running.
none STWC-1438 It is not possible to attach a file with a size of 4 GB or larger in the Adhoc functionality (Mailbox > Compose) when using Microsoft Internet Explorer 11 or Microsoft Edge. This is a known and documented limitation of these browsers: File Upload and Download Limits
Workaround: Use another supported browser to attach files 4 GB and larger.
none STWC-2076 When uploading a file, the in-progress transfer is visible in all folders and not only in the one where the upload is being done. This is only a presentation problem and it does not affect the result of the upload. The file is only uploaded to the intended target folder.

Documentation

This section describes the related documentation.

Related documentation

Go to Axway Support at https://support.axway.com to find all documentation for this product version.

SecureTransport 5.3.6 provides the following documentation:

  • SecureTransport Administrator's Guide – This guide describes how to use the SecureTransport Administrator's Tool to configure and administer your SecureTransport Server. The content of this guide is also available in the Administration Tool online help.
  • SecureTransport REST API documentation – The portal published API documentation derived from the API Swagger documents. To access the administrator API documentation, go to SecureTransport Administrator API v1.4. To access the end-user API documentation, go to SecureTransport End-User API v1.4.
  • SecureTransport Appliance Guide - This guide provides the SecureTransport Appliance installation, configuration, and operation instructions. It also provides SecureTransport installation and upgrade instructions for Axway Appliances.
  • SecureTransport Capacity Planning Guide – This guide provides information useful when planning your production environment for SecureTransport.
  • SecureTransport Developer's Guide – This guide provides the descriptions and usage of the pluggable information for the SecureTransport Pluggable Transfer Site and how to implement a Pluggable Transfer Site. It also provides Swagger REST API integration instructions and custom Address Book source implementation instructions.
  • SecureTransport Getting Started Guide – This guide explains the initial setup and configuration of SecureTransport using the SecureTransport Administrator setup interface.
  • SecureTransport Installation Guide – This guide explains how to install and uninstall SecureTransport on UNIX-based platforms and Microsoft Windows.
  • SecureTransport Release Notes – This document contains information about new features and enhancements, information received after the finalization of the rest of the documentation, and a list of known and fixed issues.
  • SecureTransport Security Guide – This guide provides security information necessary for the secure operation of the SecureTransport product.
  • SecureTransport Software Development Kit (SDK) – A set of software development tools and examples that allow extending SecureTransport by consuming and implementing available APIs.
  • SecureTransport Upgrade Guide - This guide explains how to upgrade SecureTransport on UNIX-based platforms and Microsoft Windows.
  • ST Web Client Configuration Guide - This guide describes how to configure and customize ST Web Client user interface.
  • ST Web Client User Guide - This guide describes how to use the ST Web Client.

Support services

The Axway Global Support team provides worldwide 24 x 7 support for customers with active support agreements.
Email support@axway.com or visit Axway Support at https://support.axway.com.

Copyright © 2016 Axway. All rights reserved.
