Reflection for Secure IT UNIX 8.0 SP2 Update 2 Release Notes

August 2020

Reflection for Secure IT UNIX 8.0 SP2 U2 was released in August 2020 and is now available for new and maintained customers. This update addresses several security vulnerabilities, and includes several enhancements and software fixes.

1.0 What’s New

Reflection for Secure IT UNIX includes several enhancements and new features.

  • Added support for elliptic curve cryptography

    • Support for elliptic curve key exchange: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521

    • Support for elliptic curve host and user keys: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

    • Support for client certificates with RSA keys signed by ECDSA certificate chains.

  • Added support for SUSE Linux Enterprise Server 15 (64-bit)

  • On AIX, the installed JRE has been updated to IBM Runtime Environment Java Technology Edition Version 8.0 SR6 FP5.

  • Support for BSM logging has been removed in Solaris 11

    The documentation for BSM logging has been removed from the product.

2.0 Known Issues

  • When installing Reflection for Secure IT (RSIT) UNIX, host identity keys of an existing installation of OpenSSH may not be preserved.

    If a fresh installation of RSIT UNIX doesn’t require the preservation of host identity keys, run the following:

    sudo ssh-keygen -P /etc/ssh2/hostkey

    To preserve host identity keys of an existing installation of OpenSSH

    The package installer output will show the following messages indicating that the server will fail to start:

    Converting OpenSSH hostkey to SSH2 format 
    Failed to read private key: /etc/ssh2/hostkey 
    Starting sshd (via systemctl):  Job for sshd.service failed because the control process exited with error code. 

    A manual process must be followed to preserve the host identity. This process requires:

    • OpenSSH ssh-keygen

    • RSIT Unix ssh-keygen

    • The file /etc/ssh/ssh_host_rsa_key

    IMPORTANT: The file /etc/ssh/ssh_host_rsa_key is a private key file and should be protected. Copies should be removed after the manual conversion has been completed.

    Follow the steps as outlined below:

    1. Copy the file to a machine with OpenSSH's ssh-keygen.

      You may wish to change the owner and file attributes at this point.

      sudo chown someuser:somegroup ssh_host_rsa_key 
      chmod 600 ssh_host_rsa_key
    2. Convert the file to PEM format using the following OpenSSH ssh-keygen command:

      ssh-keygen -p -N "" -m pem -f ssh_host_rsa_key
    3. Copy the converted file back to the original host.

    4. Convert the key, now in PEM format, to the Reflection format using RSIT Unix ssh-keygen.

      ssh-keygen -O ssh_host_rsa_key -o hostkey

      If desired, create the public key:

      ssh-keygen -D hostkey
    5. Restore the owner, group, and attributes with the following commands:

      sudo chown root:root hostkey 
      sudo chown root:root hostkey.pub 
      sudo chmod 600 hostkey 
      sudo chmod 644 hostkey.pub
    6. Move these files to /etc/ssh2.

    7. Restart the RSIT Unix server and check the status.

  • When installing the product on SUSE Linux Enterprise Server (SLES) version 15, the /etc/pam.d/ssh file is not updated. Replace the contents of the /etc/pam.d/ssh file with the example default configuration file below.

    #%PAM-1.0
    auth     include        common-auth
    auth     required       pam_nologin.so
    account  include        common-account
    password include        common-password
    session  include        common-session
  • Reflection for Secure IT UNIX Server does not properly expand macros such as %D for the AuthorizationFile setting in sshd2_config.
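
Added example, not part of the release notes or the product: a pre-flight check for the host key conversion procedure in the first known issue above. It classifies the key file by its header line and checks its permissions, then reports which step the file is ready for. The function names are hypothetical, and treating a passphrase-protected PEM file as a stop condition is an assumption drawn from the `-N ""` in step 2.

```shell
#!/bin/sh
# Added example: decide which step of the procedure a key file is ready for.

# Classify a private key file by its first line (CR stripped in case the
# copy in steps 1 and 3 went through a host that rewrote line endings).
key_format() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    first=$(head -n 1 "$1" | tr -d '\r')
    case $first in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # Passphrase-protected PEM keys carry this header line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo pem-encrypted
            else
                echo pem
            fi ;;
        *) echo unknown ;;
    esac
}

# True only when group and other have no permission bits (e.g. mode 600).
private_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the next action for the key file; non-zero status means "stop".
next_step() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    private_mode_ok "$1" || { echo "chmod 600 $1 before continuing"; return 1; }
    case $(key_format "$1") in
        openssh) echo "step 2: convert to PEM with OpenSSH ssh-keygen" ;;
        pem)     echo "step 4: convert with RSIT ssh-keygen" ;;
        pem-encrypted)
            echo "step 2 again: PEM is passphrase-protected, use -N \"\""
            return 1 ;;
        *)  echo "not an RSA private key in a known format"; return 1 ;;
    esac
}

# Demo on a constructed file: header line only, not a real key.
demo=$(mktemp -d)
printf '%s\n' "-----BEGIN OPENSSH PRIVATE KEY-----" > "$demo/ssh_host_rsa_key"
chmod 600 "$demo/ssh_host_rsa_key"
next_step "$demo/ssh_host_rsa_key"
rm -rf "$demo"
```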

3.0 Installation

For instructions that show how to install this update, see the Installation section in the Reflection for Secure IT UNIX Documentation guide.

Supported Platforms for Reflection for Secure IT UNIX 8.0 Service Pack 2 Update 2

  • SUSE Linux Enterprise Server 15 (64-bit)

  • SUSE Linux Enterprise Server 12 (64-bit)

  • Red Hat Enterprise Linux 7 (64-bit)

  • Red Hat Enterprise Linux 8 (64-bit)

  • IBM AIX PowerPC 7.1

  • IBM AIX PowerPC 7.2

  • HP-UX on Itanium 11i v3

  • Oracle Solaris 11.4 (64-bit)

  • Oracle Solaris 11.4 (SPARC)