Readme File for IBM® Platform Symphony 7.1 Interim Fix 458079

Readme file for: IBM Platform Symphony

Product/Component Release: 7.1 Fix Pack 1

Update Name: Interim Fix 458079

Fix ID: sym-7.1-build458079

Publication date: July 10, 2017

This interim fix provides instructions on upgrading the Apache Tomcat version from v6.0.43 to v7.0.78 in IBM Platform Symphony 7.1 Fix Pack 1 in order to address multiple security vulnerabilities in Tomcat (CVE-2017-5647, CVE-2017-5648, and CVE-2017-5651).

Contents

1.     List of fixes

2.     Download location

3.     Scope

4.     Installation and configuration

5.     List of files

6.     Copyright and trademark information

1.   List of fixes

APAR: P102279

2.   Download location

3.   Scope

Before you install this update in your cluster, note the following requirements:

Applicability

Operating systems

Linux2.6-glibc2.3-x86_64

Product version

IBM Platform Symphony 7.1 Fix Pack 1

Cluster type

Single grid cluster

4.   Installation and configuration

Follow the instructions in this section to download and install this update in your cluster.

System requirements

Linux x86_64 hosts

Packages

File name

Description

sym7.1_lnx26-lib23-x64_build458079.tar.gz

Package for Linux management hosts in a 7.1 Fix Pack 1 cluster.

Before installation

1.     Log on to the master host as the cluster administrator and stop the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service stop WEBGUI

2.     For recovery purposes, back up the following files:

On each management host in a Platform Symphony 7.1 Fix Pack 1 cluster, back up:

$EGO_TOP/gui/3.1/tomcat/

$EGO_CONFDIR/../../gui/conf/catalina.policy

$EGO_CONFDIR/../../gui/conf/catalina.properties

$EGO_CONFDIR/../../gui/conf/server.xml

$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml

$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml

$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml

Installation

1.     Copy the apache-tomcat-7.0.78.tar.gz package to a temporary folder and decompress the file:

> cp apache-tomcat-7.0.78.tar.gz /tmp

> tar -zxvf apache-tomcat-7.0.78.tar.gz

> rm -rf apache-tomcat-7.0.78/conf/

> rm -rf apache-tomcat-7.0.78/work/

> rm -rf apache-tomcat-7.0.78/logs/

2.     Copy the Tomcat folder to each management host:

> rm -rf $EGO_TOP/gui/3.1/tomcat

> cp -rf apache-tomcat-7.0.78 $EGO_TOP/gui/3.1/tomcat

3.     On each management host, copy the sym7.1_lnx26-lib23-x64_build458079.tar.gz package and decompress it:

> tar zxfo sym7.1_lnx26-lib23-x64_build458079.tar.gz -C $EGO_TOP

a.     If you ran the ¡°egoconfig mghost shared_dir¡± command during installation to set up a shared location for configuration files, ensure that the configuration file is changed in the shared directory:

> cp $EGO_TOP/gui/conf/catalina.policy $EGO_CONFDIR/../../gui/conf/catalina.policy

> cp $EGO_TOP/gui/conf/catalina.properties $EGO_CONFDIR/../../gui/conf/catalina.properties

> cp $EGO_TOP/gui/conf/server.xml $EGO_CONFDIR/../../gui/conf/server.xml

b.     If you modified the server.xml configuration file for details such as the GUI service port, manually redo those changes:

$EGO_CONFDIR/../../gui/conf/server.xml

4.     Edit the web.xml files to add the following configuration:

a.     Edit each of the following files:

$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml

$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml

$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml

b.     Find the ¡°<servlet-name>dwr-invoker</servlet-name>¡± line in the ¡°</servlet>¡± section.

c.     Add the following configuration:

<init-param>

<param-name>crossDomainSessionSecurity</param-name>

<param-value>false</param-value>

</init-param>

For example:

      <servlet>

         <servlet-name>dwr-invoker</servlet-name>

         <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>

             <init-param>

                 <param-name>debug</param-name>

                 <param-value>true</param-value>

             </init-param>

             <init-param>
                 <param-name>crossDomainSessionSecurity</param-name>
                 <param-value>false</param-value>
             </init-param>     

      </servlet>

After installation

1.     On each management host, delete all subdirectories and files in the following directory:

> rm -rf $EGO_TOP/gui/work/*

2.     On all client hosts, open your web browser and clear the browser cache.

3.     Start the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service start WEBGUI

4.     In the $EGO_TOP/gui/logs/catalina.out file, check whether the GUI start version indicates version 7.0.78:

INFO: Starting Servlet Engine: Apache Tomcat/7.0.78

Uninstallation (if required)

1.     Log on to the master host as the cluster administrator and stop the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service stop WEBGUI

2.     Restore the backup files:

a.     Remove the Tomcat folder from management hosts, which was introduced by this fix:

> rm -rf $EGO_TOP/gui/3.1/tomcat

b.     On each management host, restore the following folders and files from your backup:

$EGO_TOP/gui/3.1/tomcat

$EGO_CONFDIR/../../gui/conf/catalina.policy

$EGO_CONFDIR/../../gui/conf/catalina.properties

$EGO_CONFDIR/../../gui/conf/server.xml

$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml

$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml

$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml

3.     On each management host, delete all subdirectories and files in the following directory:

> rm -rf $EGO_TOP/gui/work/*

4.     On all client hosts, open your web browser and clear the browser cache.

5.     Start the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service start WEBGUI

5.   List of files

gui/conf/catalina.policy

gui/conf/catalina.properties

gui/conf/server.xml

catalina.sh

6.   Copyright and trademark information

© Copyright IBM Corporation 2017

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.