Readme File for IBM_ Platform Symphony 6.1.1 Interim Fix 466859

Readme file for: IBM Platform Symphony

Product/Component Release: 6.1.1

Update Name: Interim Fix 466859

Fix ID: sym-6.1.1-build466859

Publication date: September 12, 2017

This interim fix provides instructions on upgrading the Apache Tomcat version for IBM Platform Symphony 6.1.1 in order to address multiple security vulnerabilities in Tomcat (CVE-2017-7674). Use this document to upgrade Tomcat as follows:

 

Contents

1.      List of fixes

2.      Download location

3.      Scope

4.      Installation and configuration

5.      List of files

6.      Copyright and trademark information

1.    List of fixes

APAR: P102354

2.    Download location

3.    Scope

Before you install this update in your cluster, note the following requirements:

Applicability

Operating systems

Linux2.6-glibc2.3-x86_64

Product version

IBM Platform Symphony 6.1.1

Cluster type

Single grid cluster

4.    Installation and configuration

Follow the instructions in this section to download and install this update in your cluster.

System requirements

Linux x86_64 hosts

Optional prerequisite

For a Platform Symphony 6.1.1 cluster, you can optionally take advantage of a security service pack. To apply this interim fix along with that security service pack, install the service pack first (sym-6.1.1-spk-Security-build227853). Then, apply this interim fix to your cluster.

If you do not want to apply the security service pack, directly apply this interim fix to your cluster.

Packages

File name

Description

sym6.1.1_lnx26-lib23-x64_build466859.tar.gz

Package for Linux management hosts in a 6.1.1 cluster.

Before installation

1.      Log on to the master host as the cluster administrator and stop the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service stop WEBGUI

2.      For recovery purposes, back up the following files:

$EGO_TOP/gui/1.2.8/tomcat/

$EGO_CONFDIR/../../gui/conf/catalina.policy

$EGO_CONFDIR/../../gui/conf/catalina.properties

$EGO_CONFDIR/../../gui/conf/server.xml

$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml

$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml

$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml

Installation

1.      Copy the apache-tomcat-7.0.79.tar.gz package to a temporary folder and decompress the file:

> cp apache-tomcat-7.0.79.tar.gz /tmp

> tar -zxvf apache-tomcat-7.0.79.tar.gz

> rm -rf apache-tomcat-7.0.79/conf/

> rm -rf apache-tomcat-7.0.79/work/

> rm -rf apache-tomcat-7.0.79/logs/

2.      Copy the Tomcat folder to each management host:

> rm -rf $EGO_TOP/gui/1.2.8/tomcat

> cp -rf apache-tomcat-7.0.79 $EGO_TOP/gui/1.2.8/tomcat

3.      On each management host, copy the sym6.1.1_lnx26-lib23-x64_build466859.tar.gz package and decompress it:

> tar zxfo sym6.1.1_lnx26-lib23-x64_build466859.tar.gz -C $EGO_TOP

a.      If you ran the ¡°egoconfig mghost shared_dir¡± command during installation to set up a shared location for configuration files, ensure that the configuration file is changed in the shared directory:

> cp $EGO_TOP/gui/conf/catalina.policy $EGO_CONFDIR/../../gui/conf/catalina.policy

> cp $EGO_TOP/gui/conf/catalina.properties $EGO_CONFDIR/../../gui/conf/catalina.properties

> cp $EGO_TOP/gui/conf/server.xml $EGO_CONFDIR/../../gui/conf/server.xml

b.      If you modified the server.xml configuration file for details such as the GUI service port, manually redo those changes:

$EGO_CONFDIR/../../gui/conf/server.xml

4.      Edit the web.xml files to add the following configuration:

a.      Edit each of the following files:

$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml

$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml

$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml

b.      Find the ¡°<servlet-name>dwr-invoker</servlet-name>¡± line in the ¡°</servlet>¡± section.

c.      Add the following configuration:

<init-param>

<param-name>crossDomainSessionSecurity</param-name>

<param-value>false</param-value>

</init-param>

For example:

      <servlet>

         <servlet-name>dwr-invoker</servlet-name>

         <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>

             <init-param>

                 <param-name>debug</param-name>

                 <param-value>true</param-value>

             </init-param>

             <init-param>
                 <param-name>crossDomainSessionSecurity</param-name>
                 <param-value>false</param-value>
             </init-param>     

      </servlet>

 

After installation

1.      On each management host, delete all subdirectories and files in the following directory:

> rm -rf $EGO_TOP/gui/work/*

2.      On all client hosts, open your web browser and clear the browser cache.

3.      Start the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service start WEBGUI

4.      In the $EGO_TOP/gui/logs/catalina.out file, check whether the GUI start version indicates version 7.0.79:

INFO: Starting Servlet Engine: Apache Tomcat/7.0.79

Uninstallation (if required)

1.      Log on to the master host as the cluster administrator and stop the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service stop WEBGUI

2.      Restore the backup files:

a.      Remove the Tomcat folder from management hosts, which was introduced by this fix:

> rm -rf $EGO_TOP/gui/1.2.8/tomcat

b.      On each management host, restore the following folders and files from your backup:

$EGO_TOP/gui/1.2.8/tomcat/

$EGO_CONFDIR/../../gui/conf/catalina.policy

$EGO_CONFDIR/../../gui/conf/catalina.properties

$EGO_CONFDIR/../../gui/conf/server.xml

$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml

$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml

$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml

3.      On each management host, delete all subdirectories and files in the following directory:

> rm -rf $EGO_TOP/gui/work/*

4.      On all client hosts, open your web browser and clear the browser cache.

5.      Start the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service start WEBGUI

5.    List of files

gui/conf/catalina.policy

gui/conf/catalina.properties

gui/conf/server.xml

catalina.sh

6.    Copyright and trademark information

© Copyright IBM Corporation 2017

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.