Readme File for IBM® Platform Symphony 6.1.1 Interim Fix 497567

Readme file for: Platform Symphony

Product/Component Release: 6.1.1

Update Name: Interim Fix 497567

Fix ID: sym-build497567

Publication date: August 3, 2018

This interim fix provides instructions on upgrading Apache Tomcat from v5.5.36 to v7.0.90 in Platform Symphony 6.1.1 to address security vulnerability CVE-2018-8014 in Tomcat.

Contents

1.      List of fixes

2.      Download location

3.      Scope

4.      Installation and configuration

5.      Uninstallation

6.      List of files

7.      Copyright and trademark information

1.    List of fixes

APAR: P102656

2.    Download location

3.    Scope

Before you install this update in your cluster, note the following requirements:

Applicability

Operating systems: Linux2.6-glibc2.3-x86_64

Product version: Platform Symphony 6.1.1

Cluster type: Single grid cluster

4.    Installation and configuration

Follow the instructions in this section to download and install this update in your cluster.

System requirements

Linux x86_64 hosts

Packages

File name: sym6.1.1_lnx26-lib23-x64_build497567.tar.gz

Description: Package for Linux management hosts in a 6.1.1 cluster.

Optional prerequisite

For a Platform Symphony 6.1.1 cluster, you can optionally take advantage of a security service pack. To apply this interim fix along with the security service pack:

a.      Install the service pack (sym-6.1.1-spk-Security-build227853).

b.      Apply this interim fix to your cluster (sym6.1.1_lnx26-lib23-x64_build497567.tar.gz).

If you do not want to apply the 6.1.1 security service pack, proceed to directly apply this interim fix to your cluster.

Before installation

a.      Log on to the master host as the cluster administrator and stop the WEBGUI service:

> egosh user logon -u Admin -x Admin

> source $EGO_TOP/cshrc.platform

> egosh service stop WEBGUI

b.      Log on to each management host in the cluster and back up the following folder and files for recovery purposes:

$EGO_TOP/gui/1.2.8/tomcat/

$EGO_CONFDIR/../../gui/conf/catalina.policy

$EGO_CONFDIR/../../gui/conf/catalina.properties

$EGO_CONFDIR/../../gui/conf/server.xml

$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml

$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml

$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml

Installation

a.      On each management host, copy the apache-tomcat-7.0.90.tar.gz package to a temporary folder and decompress the file:

> cp apache-tomcat-7.0.90.tar.gz /tmp

> tar zxvf apache-tomcat-7.0.90.tar.gz

> rm -rf apache-tomcat-7.0.90/conf/

> rm -rf apache-tomcat-7.0.90/work/

> rm -rf apache-tomcat-7.0.90/logs/

b.      Copy the Tomcat folder:

> rm -rf $EGO_TOP/gui/1.2.8/tomcat

> cp -rf apache-tomcat-7.0.90 $EGO_TOP/gui/1.2.8/tomcat

c.      Copy the sym6.1.1_lnx26-lib23-x64_build497567.tar.gz package and decompress it:

> tar zxfo sym6.1.1_lnx26-lib23-x64_build497567.tar.gz -C $EGO_TOP

a)     If you ran the “egoconfig mghost shared_dir” command during installation to set up a shared location for configuration files, ensure that the configuration file is changed in the shared directory:

> cp $EGO_TOP/gui/conf/catalina.policy $EGO_CONFDIR/../../gui/conf/catalina.policy

> cp $EGO_TOP/gui/conf/catalina.properties $EGO_CONFDIR/../../gui/conf/catalina.properties

> cp $EGO_TOP/gui/conf/server.xml $EGO_CONFDIR/../../gui/conf/server.xml

b)     If you modified the server.xml configuration file for details such as the GUI service port, manually redo those changes:

$EGO_CONFDIR/../../gui/conf/server.xml

d.      Edit the web.xml files to add the following configuration:

a)     Edit each of the following files:

$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml

$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml

$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml

b)     Find the “<servlet-name>dwr-invoker</servlet-name>” line in the “<servlet>” section and add the following configuration:

<init-param>

<param-name>crossDomainSessionSecurity</param-name>

<param-value>false</param-value>

</init-param>

For example:

      <servlet>
         <servlet-name>dwr-invoker</servlet-name>
         <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
             <init-param>
                 <param-name>debug</param-name>
                 <param-value>true</param-value>
             </init-param>
             <init-param>
                 <param-name>crossDomainSessionSecurity</param-name>
                 <param-value>false</param-value>
             </init-param>
      </servlet>

After installation

a.      On each management host, delete all subdirectories and files in the following directory:

> rm -rf $EGO_TOP/gui/work/*

b.      On all client hosts, open your web browser and clear the browser cache.

c.      Start the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service start WEBGUI

d.      In the $EGO_TOP/gui/logs/catalina.out file, check that the Tomcat server version is reported as 7.0.90:

INFO: Server version:        Apache Tomcat/7.0.90
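The version check in step d and the web.xml edits from the installation section can be verified per management host with a script. The following is an added example, not part of the IBM readme: the function names are hypothetical, and it assumes each web.xml keeps one XML element per line, as in the example above, with no commented-out servlet blocks.

```shell
#!/bin/sh
# Added example (not IBM code): post-install checks for interim fix 497567.
# Function names are hypothetical; assumes one XML element per line in web.xml
# and no commented-out <servlet> blocks.

# Print the Tomcat version from the newest "Server version" line in catalina.out.
tomcat_version() {
    sed -n 's/.*Server version:[[:space:]]*Apache Tomcat\/\([0-9.]*\).*/\1/p' "$1" |
        tail -n 1
}

# Print the crossDomainSessionSecurity value set inside the dwr-invoker
# <servlet> element of a web.xml, or "missing" if it is not set there.
dwr_cdss_value() {
    awk '
        /<servlet>/ { in_s = 1; dwr = 0; want = 0; val = "" }
        in_s && /<servlet-name>[ \t]*dwr-invoker[ \t]*<\/servlet-name>/ { dwr = 1 }
        in_s && /<param-name>[ \t]*crossDomainSessionSecurity[ \t]*<\/param-name>/ { want = 1 }
        in_s && want && /<param-value>/ {
            val = $0
            sub(/.*<param-value>[ \t]*/, "", val)
            sub(/[ \t]*<\/param-value>.*/, "", val)
            want = 0
        }
        /<\/servlet>/ {
            if (in_s && dwr && val != "") { print val; found = 1 }
            in_s = 0
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Check one management host's tree ($1 = EGO_TOP); non-zero on any deviation.
check_fix() {
    rc=0
    ver=$(tomcat_version "$1/gui/logs/catalina.out" 2>/dev/null)
    [ "$ver" = "7.0.90" ] || { echo "catalina.out: Tomcat version '${ver:-none}'"; rc=1; }
    for app in ego/1.2.8/platform is/6.1.1/isgui perf/1.2.8/perfgui \
               soam/6.1.1/symgui soam/6.1.1/soamgui; do
        xml="$1/gui/$app/WEB-INF/web.xml"
        val=$(dwr_cdss_value "$xml" 2>/dev/null)
        [ "$val" = "false" ] || { echo "$xml: crossDomainSessionSecurity '${val:-unreadable}'"; rc=1; }
    done
    return $rc
}

# Run against the live installation only when EGO_TOP is set.
if [ -n "${EGO_TOP:-}" ]; then check_fix "$EGO_TOP"; fi
```

Run it on each management host after the WEBGUI service has started; it prints one line per deviation and exits non-zero if any is found.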

5.    Uninstallation

Follow the instructions in this section to uninstall this update in your cluster, if required.

a.      Log on to the master host as the cluster administrator and stop the WEBGUI service:

> egosh user logon -u Admin -x Admin

> source $EGO_TOP/cshrc.platform

> egosh service stop WEBGUI

b.      On each management host, restore the backup files:

a)     Remove the Tomcat folder, which was introduced by this interim fix:

> rm -rf $EGO_TOP/gui/1.2.8/tomcat

b)     Restore the following folders and files from your backup:

$EGO_TOP/gui/1.2.8/tomcat/

$EGO_CONFDIR/../../gui/conf/catalina.policy

$EGO_CONFDIR/../../gui/conf/catalina.properties

$EGO_CONFDIR/../../gui/conf/server.xml

$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml

$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml

$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml

$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml

c.      Delete all subdirectories and files in the following directory:

> rm -rf $EGO_TOP/gui/work/*

d.      On all client hosts, open your web browser and clear the browser cache.

e.      Start the WEBGUI service:

> source $EGO_TOP/cshrc.platform

> egosh service start WEBGUI

6.    List of files

gui/conf/catalina.policy

gui/conf/catalina.properties

gui/conf/server.xml

gui/1.2.8/tomcat/bin/catalina.sh

7.    Copyright and trademark information

© Copyright IBM Corporation 2018

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.