Readme File for IBM Platform Symphony 6.1.1 Interim Fix 466859
Readme file for: IBM Platform Symphony
Product/Component Release: 6.1.1
Update Name: Interim Fix 466859
Fix ID: sym-6.1.1-build466859
Publication date: September 12, 2017
This interim fix provides instructions on upgrading the Apache
Tomcat version for IBM Platform Symphony 6.1.1 in order to address multiple
security vulnerabilities in Tomcat (CVE-2017-7674). Use this document to
upgrade Tomcat as follows:
Contents
1. List of fixes
2. Download location
3. Scope
4. Installation and configuration
5. List of files
6. Copyright and trademark information
1. List of fixes
APAR: P102354
2. Download location
3. Scope
Before you install this update in your cluster, note the following requirements:
Applicability | |
Operating systems | Linux2.6-glibc2.3-x86_64 |
Product version | IBM Platform Symphony 6.1.1 |
Cluster type | Single grid cluster |
4. Installation and configuration
Follow the instructions in this section to download and install this update in
your cluster.
System requirements
Linux x86_64 hosts
Optional prerequisite
For a Platform Symphony 6.1.1 cluster, you can optionally take advantage of a
security service pack. To apply this interim fix along with that security
service pack, install the service pack first
(sym-6.1.1-spk-Security-build227853). Then, apply this interim fix to your
cluster.
If you do not want to apply the security service pack, directly apply this
interim fix to your cluster.
File name | Description |
sym6.1.1_lnx26-lib23-x64_build466859.tar.gz | Package for Linux management hosts in a 6.1.1 cluster. |
Before installation
1. Log on to the master host as the cluster administrator and stop the WEBGUI
service:
> source $EGO_TOP/cshrc.platform
> egosh service stop WEBGUI
2. For recovery purposes, back up the following files:
$EGO_TOP/gui/1.2.8/tomcat/
$EGO_CONFDIR/../../gui/conf/catalina.policy
$EGO_CONFDIR/../../gui/conf/catalina.properties
$EGO_CONFDIR/../../gui/conf/server.xml
$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml
Installation
1. Copy the apache-tomcat-7.0.79.tar.gz package to
a temporary folder and decompress the file:
> cp apache-tomcat-7.0.79.tar.gz /tmp
> tar -zxvf apache-tomcat-7.0.79.tar.gz
> rm -rf apache-tomcat-7.0.79/conf/
> rm -rf apache-tomcat-7.0.79/work/
> rm -rf apache-tomcat-7.0.79/logs/
2. Copy the Tomcat folder to each management host:
> rm -rf $EGO_TOP/gui/1.2.8/tomcat
> cp -rf apache-tomcat-7.0.79 $EGO_TOP/gui/1.2.8/tomcat
3. On each management host, copy the
sym6.1.1_lnx26-lib23-x64_build466859.tar.gz package and decompress it:
> tar zxfo sym6.1.1_lnx26-lib23-x64_build466859.tar.gz -C $EGO_TOP
a. If you ran the "egoconfig mghost shared_dir" command during installation to
set up a shared location for configuration files, ensure that the configuration
file is changed in the shared directory:
> cp $EGO_TOP/gui/conf/catalina.policy $EGO_CONFDIR/../../gui/conf/catalina.policy
> cp $EGO_TOP/gui/conf/catalina.properties $EGO_CONFDIR/../../gui/conf/catalina.properties
> cp $EGO_TOP/gui/conf/server.xml $EGO_CONFDIR/../../gui/conf/server.xml
b. If you modified the server.xml configuration file for details such as the
GUI service port, manually redo those changes:
$EGO_CONFDIR/../../gui/conf/server.xml
4. Edit the web.xml files to add the following configuration:
a. Edit each of the following files:
$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml
b. Find the "<servlet-name>dwr-invoker</servlet-name>" line in the "</servlet>"
section.
c. Add the following configuration:
<init-param>
  <param-name>crossDomainSessionSecurity</param-name>
  <param-value>false</param-value>
</init-param>
For example:
<servlet>
  <servlet-name>dwr-invoker</servlet-name>
  <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>crossDomainSessionSecurity</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>
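Step 4 is the same hand edit in five files on every management host; the POSIX sh functions below apply it idempotently. This is an added example, not part of IBM's readme or product tooling: add_dwr_param and patch_all_webxml are hypothetical names, and the parameter is placed directly after <servlet-class> so that existing <init-param> and <load-on-startup> elements stay in a valid order.

```shell
# Added example, not IBM's script. Assumes one XML tag per line, as in the
# readme's sample, no commented-out <servlet> blocks, and EGO_TOP set.
# add_dwr_param FILE -> 0 inserted, 3 parameter already present (file untouched),
#                       4 no dwr-invoker servlet found, 2 file missing
add_dwr_param() {
    file=$1
    [ -f "$file" ] || return 2
    tmp="$file.tmp.$$"
    awk '
        function flush(   i) {   # emit the buffered <servlet> block
            for (i = 1; i <= n; i++) {
                print buf[i]
                if (i == at && dwr && !has) {   # right after <servlet-class>
                    print pad "<init-param>"
                    print pad "  <param-name>crossDomainSessionSecurity</param-name>"
                    print pad "  <param-value>false</param-value>"
                    print pad "</init-param>"
                    changed = 1
                }
            }
            n = 0
        }
        /<servlet>/ { inside = 1; dwr = 0; has = 0; at = 0 }
        !inside     { print; next }
                    { buf[++n] = $0 }
        /<servlet-name>[ \t]*dwr-invoker[ \t]*<\/servlet-name>/ { dwr = 1; found = 1 }
        /<servlet-class>/ { at = n; pad = $0; sub(/<.*/, "", pad) }
        /<param-name>[ \t]*crossDomainSessionSecurity[ \t]*</   { has = 1 }
        /<\/servlet>/ { if (!at) at = n - 1; flush(); inside = 0 }
        END { flush(); exit (!found ? 4 : (changed ? 0 : 3)) }
    ' "$file" > "$tmp"
    rc=$?
    [ "$rc" -eq 0 ] && cat "$tmp" > "$file"   # overwrite in place, keeping mode and owner
    rm -f "$tmp"
    return "$rc"
}

# The five files listed in the readme; run once on each management host.
patch_all_webxml() {
    for rel in ego/1.2.8/platform is/6.1.1/isgui perf/1.2.8/perfgui \
               soam/6.1.1/symgui soam/6.1.1/soamgui; do
        rc=0
        add_dwr_param "$EGO_TOP/gui/$rel/WEB-INF/web.xml" || rc=$?
        echo "$rel/WEB-INF/web.xml: rc=$rc"
    done
}
```

Return code 3 only means a crossDomainSessionSecurity entry already exists in the dwr-invoker servlet; confirm its value by eye.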
After installation
1. On each management host, delete all subdirectories and files in the
following directory:
> rm -rf $EGO_TOP/gui/work/*
2. On all client hosts, open your web browser and clear the browser cache.
3. Start the WEBGUI service:
> source $EGO_TOP/cshrc.platform
> egosh service start WEBGUI
4. In the $EGO_TOP/gui/logs/catalina.out file, check whether the GUI start
version indicates version 7.0.79:
INFO: Starting Servlet Engine: Apache Tomcat/7.0.79
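If catalina.out is appended to across restarts (Tomcat's stock catalina.sh does this), banners from earlier starts remain in the file, so the check in step 4 should be made against the last banner. The POSIX sh functions below do that; they are an added example, not IBM tooling, the function names are hypothetical, and the sample log is constructed, including its timestamp lines and the older version number.

```shell
# Added example, not IBM's tooling: report which Tomcat version the most
# recent start banner in catalina.out names, ignoring banners from earlier runs.

# last_tomcat_start LOGFILE -> prints "VERSION|LINE BEFORE THE BANNER"
last_tomcat_start() {
    awk '
        /Starting Servlet Engine: Apache Tomcat\// {
            ver = $0
            sub(/.*Apache Tomcat\//, "", ver)   # keep what follows the slash
            sub(/[^0-9.].*/, "", ver)           # drop a CR or trailing text
            stamp = prev                        # timestamp line, if the log has one
        }
        { prev = $0 }
        END { if (ver != "") print ver "|" stamp }
    ' "$1"
}

# check_tomcat_upgrade LOGFILE [EXPECTED]
#   0 = last start is EXPECTED, 1 = another version, 2 = no banner found
check_tomcat_upgrade() {
    want=${2:-7.0.79}
    last=$(last_tomcat_start "$1")
    [ -n "$last" ] || { echo "no Tomcat start banner in $1" >&2; return 2; }
    echo "last start: Tomcat/${last%%|*} (${last#*|})"
    [ "${last%%|*}" = "$want" ]
}

# Constructed sample: an older start followed by the post-upgrade start.
# The older version number and both timestamps are made up for illustration.
sample_catalina_out() {
    cat <<'EOF'
Sep 01, 2017 9:00:00 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.0
Sep 12, 2017 10:15:32 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.79
EOF
}
```

Run it as check_tomcat_upgrade $EGO_TOP/gui/logs/catalina.out after step 3, and compare the printed timestamp line with the time of the restart.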
Uninstallation (if required)
1. Log on to the master host as the cluster administrator and stop the WEBGUI
service:
> source $EGO_TOP/cshrc.platform
> egosh service stop WEBGUI
2. Restore the backup files:
a. Remove the Tomcat folder from management hosts, which was introduced by this
fix:
> rm -rf $EGO_TOP/gui/1.2.8/tomcat
b. On each management host, restore the following folders and files from your
backup:
$EGO_TOP/gui/1.2.8/tomcat/
$EGO_CONFDIR/../../gui/conf/catalina.policy
$EGO_CONFDIR/../../gui/conf/catalina.properties
$EGO_CONFDIR/../../gui/conf/server.xml
$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml
3. On each management host, delete all subdirectories and files in the
following directory:
> rm -rf $EGO_TOP/gui/work/*
4. On all client hosts, open your web browser and clear the browser cache.
5. Start the WEBGUI service:
> source $EGO_TOP/cshrc.platform
> egosh service start WEBGUI
5. List of files
gui/conf/catalina.policy
gui/conf/catalina.properties
gui/conf/server.xml
catalina.sh
6. Copyright and trademark information
© Copyright IBM Corporation 2017
U.S. Government Users Restricted
Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
IBM®, the IBM logo, and ibm.com®
are trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of
IBM or other companies. A current list of IBM trademarks is available on the
Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.