test

Sun Java System Web Server 7.0 Update 7 Release Notes

What's New in This Release

Web Server 7.0 Update 7 introduces Kerberos/SPNEGO support. This release introduces a new ACL authentication method called gssapi. The gssapi authentication method works with a Kerberos user repository. This release also introduces a suitable auth-db of type kerberos for use with the gssapi authentication method.

For more information on configuring a Kerberos authentication, see Working With the Authentication Database in Sun Java System Web Server 7.0 Update 7 Administrator’s Guide

Note –

Kerberos enabled Web Server on Solaris are tested with clients such as IE on Windows 2003 and Firefox on RHEL 5.3.

Web Server 7.0 Update 7 supports Windows 2008 SP2 32 bit (x86) Enterprise Edition.

Web Server 7.0 Update 7 is bundled with JDK 6. There is an improvement in the performance in admin server.

Web Server 7.0 Update 7 is integrated with new Xerces C++ patch which fixes the vulnerability. For more information, see http://www.cert.fi/en/reports/2009/vulnerability2009085.html.

Note –

Web Server 7.0 Update 7 resolves a regression in LDAP authentication (6888100) accidentally introduced in Update 6. All customers using LDAP authentication are encouraged to upgrade to Update 7.

Deprecated Platforms

Note –

Platforms, Solaris 8 and Windows 2000 are deprecated. They will not be supported from Web Server 7.0 Update 9 onwards.

SSL/TLS Vulnerability Fix (CVE-2009-3555)

Web Server 7.0 Update 7 is upgraded to include NSS 3.12.5 which provides relief for the SSL/TLS renegotiation vulnerability: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

This vulnerability is a flaw in the current SSL/TLS renegotiation protocol definition. It is not a bug in the Web Server implementation. Due to this reason, there is no implementation-level fix for this vulnerability. The only workaround is to disable renegotiation entirely in order to protect the Web Server from attack.

Therefore, Web Server 7.0 Update 7 disables all use of SSL/TLS renegotiation. If either the client or the Web Server attempt to trigger renegotiation on an existing SSL/TLS session, the connection will fail.

Typically renegotiation was used to obtain a client certificate sometime after the SSL/TLS connection was first established. Web applications which attempt to obtain a client certificate in this fashion will now fail.

Obtaining a client certificate during the initial connection handshake will continue to work correctly. This mode can be configured by setting the client-auth element to 'required' in server.xml:


<http-listener>
   <ssl>
      <client-auth>required</client-auth>
   </ssl>
</http-listener>

A future update of Web Server 7 will implement a safe renegotiation protocol as soon as the IETF finalizes the design of the new protocol enhancement. It is possible to re-enable the vulnerable SSL/TLS renegotiation capability by setting the environment variable: NSS_SSL_ENABLE_RENEGOTIATION=1. This mode is known to be vulnerable to attack as described in CVE-2009-3555.