Reflection for Secure IT UNIX 8.0 SP2 U2 was released in August 2020 and is now available for new and maintained customers. This update addresses several security vulnerabilities, and includes several enhancements and software fixes.
Reflection for Secure IT UNIX includes several enhancements and new features.
Added support for elliptic curve cryptography
Support for elliptic curve key exchange: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521
Support for elliptic curve host and user keys: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521
Support for client certificates with RSA keys signed by ECDSA certificate chains.
Added support for SUSE Linux Enterprise Server 15 (64-bit)
On AIX, the installed JRE has been updated to IBM Runtime Environment Java Technology Edition Version 8.0 SR6 FP5.
Support for BSM logging has been removed in Solaris 11
The documentation for BSM logging has been removed from the product.
When installing Reflection for Secure IT (RSIT) UNIX, host identity keys of an existing installation of OpenSSH may not be preserved.
If a fresh installation of RSIT UNIX doesn’t require the preservation of host identity keys, run the following:
sudo ssh-keygen -P /etc/ssh2/hostkey
To preserve host identity keys of an existing installation of OpenSSH
The package installer output will show the following messages indicating that the server will fail to start:
Converting OpenSSH hostkey to SSH2 format
Failed to read private key: /etc/ssh2/hostkey
Starting sshd (via systemctl): Job for sshd.service failed because the control process exited with error code.
A manual process must be followed to preserve the host identity. This process requires:
OpenSSH ssh-keygen
RSIT Unix ssh-keygen
The file /etc/ssh/ssh_host_rsa_key
IMPORTANT: The file /etc/ssh/ssh_host_rsa_key is a private key file and should be protected. Copies should be removed after the manual conversion has been completed.
Follow the steps as outlined below:
Copy the file to a machine with OpenSSH's ssh-keygen.
You may wish to change the owner and file attributes at this point.
sudo chown someuser:somegroup ssh_host_rsa_key
chmod 600 ssh_host_rsa_key
Convert the file to PEM format using the following OpenSSH ssh-keygen command:
ssh-keygen -p -N "" -m pem -f ssh_host_rsa_key
Copy the converted file back to the original host.
Convert the key, now in PEM format, to the Reflection format using RSIT Unix ssh-keygen.
ssh-keygen -O ssh_host_rsa_key -o hostkey
If desired, create the public key:
ssh-keygen -D hostkey
Restore the owner and group and attributes with the following commands:
sudo chown root:root hostkey
sudo chown root:root hostkey.pub
sudo chmod 600 hostkey
sudo chmod 644 hostkey.pub
Move these files to /etc/ssh2.
Restart the RSIT Unix server and check the status.
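The script below is an added example, not part of the Micro Focus release notes or of either product. It reports whether a private key file is still in OpenSSH's own container format or already in PEM, and whether its mode is 600, so each conversion step above can be confirmed before moving on. The function names are hypothetical and the demo files are constructed header lines with no key material.

```shell
#!/bin/sh
# Added example: pre-flight checks for the host key conversion procedure.
# Function names are hypothetical; they are not part of RSIT or OpenSSH.

# Print the private key container format, judged by the file's first line.
key_format() {
    first=$(head -n 1 "$1" 2>/dev/null) || first=""
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;  # OpenSSH's own format
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem ;;      # result of -m pem
        *)                                     echo unknown ;;
    esac
}

# Succeed only for a regular file with mode 600. ls is used because stat
# options differ between Linux, AIX, HP-UX and Solaris.
key_mode_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# One-line report: format, permission state, and the matching step above.
check_key() {
    fmt=$(key_format "$1")
    if key_mode_ok "$1"; then perms=ok; else perms=not-600; fi
    case "$fmt" in
        openssh) next="convert to PEM with OpenSSH ssh-keygen" ;;
        pem)     next="convert with RSIT ssh-keygen -O" ;;
        *)       next="not an RSA private key in a known format" ;;
    esac
    echo "$1: format=$fmt perms=$perms next=$next"
}

# Demo on constructed files holding only a header line (no key material).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "-----BEGIN OPENSSH PRIVATE KEY-----" > "$d/new_format"
    printf '%s\n' "-----BEGIN RSA PRIVATE KEY-----" > "$d/pem_format"
    chmod 600 "$d/new_format"; chmod 644 "$d/pem_format"
    check_key "$d/new_format"; check_key "$d/pem_format"
    rm -rf "$d"
}

# With a path argument, check that file; otherwise run the constructed demo.
if [ "$#" -gt 0 ]; then check_key "$1"; else demo; fi
```

Run it against the working copy of ssh_host_rsa_key after each conversion step, then confirm no copies remain outside /etc/ssh and /etc/ssh2.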
When installing the product on SUSE Linux Enterprise Server (SLES) version 15, the /etc/pam.d/ssh file is not updated. Replace the contents of the /etc/pam.d/ssh file with the example default configuration file below.
#%PAM-1.0
auth     include  common-auth
auth     required pam_nologin.so
account  include  common-account
password include  common-password
session  include  common-session
Reflection for Secure IT UNIX Server does not properly expand macros such as %D for the AuthorizationFile setting in sshd2_config.
For instructions that show how to install this update, see the Installation section in the Reflection for Secure IT UNIX Documentation guide.
Supported Platforms for Reflection for Secure IT UNIX 8.0 Service Pack 2 Update 2
SUSE Linux Enterprise Server 15 (64-bit)
SUSE Linux Enterprise Server 12 (64-bit)
Red Hat Enterprise Linux 7 (64-bit)
Red Hat Enterprise Linux 8 (64-bit)
IBM AIX PowerPC 7.1
IBM AIX PowerPC 7.2
HP-UX on Itanium 11i v3
Oracle Solaris 11.4 (64-bit)
Oracle Solaris 11.4 (SPARC)
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.
© 2020 Micro Focus. All rights reserved.