Reflection for Secure IT UNIX 8.4 was released in February 2021 and is now available for new and maintained customers. This update addresses several security vulnerabilities, and includes several enhancements and software fixes.
Reflection for Secure IT UNIX includes several enhancements and new features.
Added support for elliptic curve cryptography
Support for elliptic curve key exchange: ecdh-sha2-nistp256,
ecdh-sha2-nistp384, ecdh-sha2-nistp521
Support for elliptic curve host and user keys:
ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521
Added support for both user and server certificates using the following additional RFC 6187 key formats: x509v3-ecdsa-sha2, x509v3-ssh-rsa, and x509v3-ssh-dss.
Reflection for Secure IT UNIX Server correctly expands macros for
the Authorization File setting in sshd2_config.
In the previous version of Reflection for Secure IT UNIX Server,
macros such as %D for the Authorization File setting in
sshd2_config did not expand as expected. This known issue has been
fixed.
Added support for SUSE Linux Enterprise Server 15 (64-bit)
Support for BSM logging has been removed in Solaris 11
The documentation for BSM logging has been removed from the product.
When installing Reflection for Secure IT (RSIT) UNIX, host identity keys of an existing installation of OpenSSH may not be preserved.
If a fresh installation of RSIT UNIX doesn’t require the preservation of host identity keys, run the following:
sudo ssh-keygen -P /etc/ssh2/hostkey
To preserve host identity keys of an existing installation of OpenSSH
The package installer output will show the following messages indicating that the server will fail to start:
Converting OpenSSH hostkey to SSH2 format
Failed to read private key: /etc/ssh2/hostkey
Starting sshd (via systemctl): Job for sshd.service failed because the control process exited with error code.
A manual process must be followed to preserve the host identity. This process requires:
OpenSSH ssh-keygen
RSIT Unix ssh-keygen
The file /etc/ssh/ssh_host_rsa_key
IMPORTANT: The file /etc/ssh/ssh_host_rsa_key is a private key file and should be protected. Copies should be removed after the manual conversion has been completed.
Follow the steps as outlined below:
Copy the file to a machine with OpenSSH's ssh-keygen.
You may wish to change the owner and file attributes at this point.
sudo chown someuser:somegroup ssh_host_rsa_key
chmod 600 ssh_host_rsa_key
Convert the file to PEM format using the following OpenSSH ssh-keygen command:
ssh-keygen -p -N "" -m pem -f ssh_host_rsa_key
Copy the converted file back to the original host.
Convert the key, now in PEM format, to the Reflection format using RSIT Unix ssh-keygen.
ssh-keygen -O ssh_host_rsa_key -o hostkey
If desired, create the public key:
ssh-keygen -D hostkey
When RSIT Unix is installed alongside OpenSSH, use the full path of ssh-keygen, e.g.
/opt/rsit/bin/ssh-keygen -O ssh_host_rsa_key -o hostkey
/opt/rsit/bin/ssh-keygen -D hostkey
Restore the owner and group and attributes with the following commands:
sudo chown root:root hostkey
sudo chown root:root hostkey.pub
sudo chmod 600 hostkey
sudo chmod 644 hostkey.pub
Move these files to /etc/ssh2 or, if the installation has been relocated, to the relocated directory, e.g. /opt/rsit/etc.
Restart the RSIT Unix server and check the status.
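The following is an added example, not part of the vendor's release notes or product: a shell pre-flight for the manual conversion above. It checks that the copied key is unencrypted PEM with mode 600 before the RSIT ssh-keygen step, and lists leftover private key copies to remove afterwards. The function names are hypothetical, and the header check covers RSA keys only, matching ssh_host_rsa_key.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Classify a private key file by its header lines:
#   openssh        new-style OpenSSH container, must be converted with -m pem
#   pem-encrypted  PEM, but still passphrase-protected (-N "" was not applied)
#   pem            unencrypted PEM, the input the RSIT conversion step expects
#   unknown        anything else, including a missing or empty file
key_format() {
    # tr strips CR so a file that picked up CRLF endings in transit is still classified
    first=$(sed -n 1p "$1" 2>/dev/null | tr -d '\r')
    second=$(sed -n 2p "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            case "$second" in
                Proc-Type:*ENCRYPTED*) echo pem-encrypted ;;
                *)                     echo pem ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# True only when the mode string is exactly -rw------- (chmod 600).
is_private_mode() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Gate for the RSIT conversion step; prints the reason on failure.
ready_for_rsit_conversion() {
    fmt=$(key_format "$1")
    if [ "$fmt" != pem ]; then
        echo "not ready: $1 is $fmt, expected pem" >&2
        return 1
    fi
    if ! is_private_mode "$1"; then
        echo "not ready: $1 is not mode 600" >&2
        return 1
    fi
}

# List files in a working directory that still contain a private key, so the
# copies can be removed once the conversion is complete.
leftover_private_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(key_format "$f")" = unknown ] || echo "$f"
    done
}
```

Run ready_for_rsit_conversion on the converted copy before the RSIT ssh-keygen step, and leftover_private_keys on each working directory after the server has restarted.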
For instructions that show how to install this update, see the Installation section in the Reflection for Secure IT UNIX Documentation guide.
Supported Platforms for Reflection for Secure IT UNIX
SUSE Linux Enterprise Server 15 (64-bit)
SUSE Linux Enterprise Server 12 (64-bit)
Red Hat Enterprise Linux 7 (64-bit)
Red Hat Enterprise Linux 8 (64-bit)
IBM AIX PowerPC 7.1
IBM AIX PowerPC 7.2
HP-UX on Itanium 11i v3
Oracle Solaris 11.4 (64-bit)
Oracle Solaris 11.4 (SPARC)
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.
© 2021 Micro Focus. All rights reserved.
The only warranties for this product and any associated updates or services are those that may be described in express warranty statements accompanying the product or in an applicable license agreement you have entered into. Nothing in this document should be construed as creating any warranty for a product, updates, or services. The information contained in this document is subject to change without notice and is provided “AS IS” without any express or implied warranties or conditions. Micro Focus shall not be liable for any technical or other errors or omissions in this document. Please see the product’s applicable end user license agreement for details regarding the license terms and conditions, warranties, and limitations of liability.
Any links to third-party websites take you outside Micro Focus websites, and Micro Focus has no control over and is not responsible for information on third party sites.