How can we upgrade the Autosys Web Server on Linux

Article ID: 189077

Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - System Agent (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent
CA Workload Automation AE

Issue/Introduction

The current AutoSys Web Server Tomcat version is 8.5.37. We need to upgrade the Tomcat server to at least version 8.5.50 to address some vulnerabilities that are fixed in that version.

Environment

Release : 11.3.6

Component : CA Workload Automation AE (AutoSys)

Resolution

These steps are for Linux only.

Follow the steps below for a custom upgrade of the AutoSys Tomcat server.

Part 1 : $AUTOSYS/../webserver

  1. Take a backup of $AUTOSYS/../webserver.

mv $AUTOSYS/../webserver $AUTOSYS/../webserver.old

 

  2. Download the newer Tomcat tar file from http://tomcat.apache.org (for example 8.5.51), or obtain your in-house supported Tomcat, and extract it at $AUTOSYS/..
mv apache-tomcat-8.5.51.tar.gz $AUTOSYS/../
cd $AUTOSYS/../
gunzip apache-tomcat-8.5.51.tar.gz
tar -xvf apache-tomcat-8.5.51.tar
mv apache-tomcat-8.5.51 webserver

 

  3. Copy the files below from old to new.

    Copy old/bin/waae_webserver* to new $AUTOSYS/../webserver/bin
    Copy old/bin/wrapper-linux-x86-64 to new $AUTOSYS/../webserver/bin
cp -p $AUTOSYS/../webserver.old/bin/waae_webserver* $AUTOSYS/../webserver/bin
cp -p $AUTOSYS/../webserver.old/bin/wrapper-linux-x86-64 $AUTOSYS/../webserver/bin

 
    Copy old/lib/libwrapper* to new $AUTOSYS/../webserver/lib
    Copy old/lib/wrapper.jar to new $AUTOSYS/../webserver/lib

cp -p $AUTOSYS/../webserver.old/lib/libwrapper* $AUTOSYS/../webserver/lib
cp -p $AUTOSYS/../webserver.old/lib/wrapper.jar $AUTOSYS/../webserver/lib
 
    Copy old/conf/Tomcat-wrapper-license.conf to new $AUTOSYS/../webserver/conf
    Copy old/conf/wrapper.conf to new $AUTOSYS/../webserver/conf
 
cp -p $AUTOSYS/../webserver.old/conf/Tomcat-wrapper-license.conf $AUTOSYS/../webserver/conf
cp -p $AUTOSYS/../webserver.old/conf/wrapper.conf $AUTOSYS/../webserver/conf

 

  4. Make the following modifications to $AUTOSYS/../webserver/conf/server.xml
    • ORIGINAL 
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
 
    • UPDATED
 
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" acceptCount="100"
               keystoreType="BCFKS"              
               keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.MUN/webserver/conf/.keystore"
               keystorePass="changeit"
               maxThreads="400" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" relaxedQueryChars="|&lt;&gt;"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
               TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
               SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
 
    Remarks:
      • keystorePass might be different if you are using your own keystoreFile
      • port="9443" needs to be adapted if you have chosen another port number
  
    • ORIGINAL
 
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 
    • UPDATED
 
 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="../out"
               prefix="waae_webservices_access_log" suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" /> 

 

  5. Change the owner and permissions of webserver to match old
chmod -R 755 $AUTOSYS/../webserver/bin/wrapper-linux-x86-64
chmod -R 775 $AUTOSYS/../webserver/bin/waae_webserver.<instance>
chown -R <install_owner>:<install_group> $AUTOSYS/../webserver

 

Part 2 : $AUTOUSER/webserver

 

  1. Take a backup of $AUTOUSER/webserver. The backup is referred to as old below.

mv $AUTOUSER/webserver $AUTOUSER/webserver.old

 

  2. Take the Tomcat tar (see step 2 in Part 1) from $AUTOSYS/.. and extract it in $AUTOUSER
mv $AUTOSYS/../apache-tomcat-8.5.51.tar $AUTOUSER
cd $AUTOUSER
tar -xvf apache-tomcat-8.5.51.tar
mv apache-tomcat-8.5.51 webserver

 

  3. Clean up directories and files so that the layout is identical to old
rm -Rf $AUTOUSER/webserver/bin
rm -Rf $AUTOUSER/webserver/lib
rm -f $AUTOUSER/webserver/BUILDING.txt $AUTOUSER/webserver/CONTRIBUTING.md $AUTOUSER/webserver/LICENSE $AUTOUSER/webserver/NOTICE $AUTOUSER/webserver/README.md $AUTOUSER/webserver/RELEASE-NOTES $AUTOUSER/webserver/RUNNING.txt
rm -Rf $AUTOUSER/webserver/webapps

 

  4. Copy the files below from old to new:
cp -R $AUTOUSER/webserver.old/webapps $AUTOUSER/webserver
 
cp -p $AUTOUSER/webserver.old/conf/Tomcat-wrapper-license.conf $AUTOUSER/webserver/conf
cp -p $AUTOUSER/webserver.old/conf/wrapper.conf $AUTOUSER/webserver/conf
cp -p $AUTOUSER/webserver.old/conf/.keystore $AUTOUSER/webserver/conf
cp -p $AUTOUSER/webserver.old/conf/logon.conf $AUTOUSER/webserver/conf 

 

  5. Make the following modifications to $AUTOUSER/webserver/conf/server.xml
    • ORIGINAL 
    <!--
     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" acceptCount="100"
               maxThreads="400" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" relaxedQueryChars="|&lt;&gt;"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
               TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
               SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    --> 

    • UPDATED

    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" acceptCount="100"
               keystoreType="BCFKS"              
               keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.MUN/webserver/conf/.keystore"
               keystorePass="changeit"
               maxThreads="400" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" relaxedQueryChars="|&lt;&gt;"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
               TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
               SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
 
    Remarks:
      • keystorePass might be different if you are using your own keystoreFile
      • port="9443" needs to be adapted if you have chosen another port number

 

    • ORIGINAL 
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    --> 

    • UPDATED

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3"
redirectPort="8443" secretRequired="false"/> 

 

    • ORIGINAL 
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 

    • UPDATED

 <Valve className="org.apache.catalina.valves.AccessLogValve" directory="../out"
               prefix="waae_webservices_access_log" suffix=".log"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
 
  6. Change the owner and permissions of webserver to match old
chmod 700 $AUTOUSER/webserver/conf/.keystore
chown -R <install_owner>:<install_group> $AUTOUSER/webserver
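
A post-upgrade check of the connectors configured in server.xml in Part 1 and Part 2, as an added example that is not part of the original article or of the product: it parses server.xml and reports RC4/3DES/MD5 cipher suites, the default keystorePass, and an AJP connector that accepts requests without a secret. The function name audit_connectors and the embedded sample are constructed for illustration; the secretRequired default of "true" is assumed for Tomcat 8.5.51 and later.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two UPDATED connectors from this article, trimmed.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" keystoreType="BCFKS" keystorePass="changeit"
             ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             secretRequired="false" />
</Service></Server>"""

# Substrings of cipher suite names that mark broken or legacy algorithms.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT_")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(xml_text):
    """Return a list of (port, finding) tuples for every <Connector>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "").startswith("AJP"):
            # Assumption: secretRequired defaults to "true" (8.5.51 and later).
            has_secret = conn.get("secret") or conn.get("requiredSecret")
            if conn.get("secretRequired", "true").lower() == "false" and not has_secret:
                findings.append((port, "AJP connector accepts requests without a secret"))
            addr = conn.get("address")
            if addr and addr not in LOOPBACK:
                findings.append((port, "AJP connector bound to non-loopback " + addr))
            continue
        if conn.get("keystorePass") == "changeit":
            findings.append((port, "keystorePass is the default 'changeit'"))
        # Attribute newlines are normalized to spaces by the parser; strip each name.
        for cipher in (c.strip() for c in conn.get("ciphers", "").split(",")):
            if any(m in cipher for m in WEAK_MARKERS) or cipher.endswith("_MD5"):
                findings.append((port, "weak cipher " + cipher))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, finding))
```

To check a real installation, pass the contents of $AUTOUSER/webserver/conf/server.xml to audit_connectors instead of the sample.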

Additional Information

You can find more information on Tomcat vulnerabilities at the following URL:

Apache Tomcat 8.x vulnerabilities