How can we upgrade the Autosys Web Server on Linux
Article ID: 189077
Updated On:
Products
CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - System Agent (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent
CA Workload Automation AE
Issue/Introduction
The current Autosys Web Server tomcat version is 8.5.37. We require to upgrade the tomcat server to minimum version 8.5.50 to address some vulnerabilities that are fixed in this version.
Environment
Release : 11.3.6
Component : CA Workload Automation AE (AutoSys)
Resolution
These steps are for Linux only.
Please follow the below steps for custom upgrade of Autosys Tomcat server.
Part 1 : $AUTOSYS/../webserver
- Take a backup of $AUTOSYS/../webserver.
mv $AUTOSYS/../webserver $AUTOSYS/../webserver.old
- Download the newer tomcat tar file from http://tomcat/apache.org (for example 8.5.51) or obtain your in-house supported tomcat and extract it at $AUTOSYS/..
mv apache-tomcat-8.5.51.tar.gz $AUTOSYS/../
cd $AUTOSYS/../
gunzip apache-tomcat-8.5.51.tar.gz
tar -xvf apache-tomcat-8.5.51.tar
mv apache-tomcat-8.5.51 webserver
- Copy the below files from old to new.
Copy old/bin/waae_webserver* to new $AUTOSYS/webserver/bin
Copy old/bin/wrapper-linux-x86-64 to new $AUTOSYS/webserver/bin
cp -p $AUTOSYS/../webserver.old/bin/waae_webserver* $AUTOSYS/../webserver/bin
cp -p $AUTOSYS/../webserver.old/bin/wrapper-linux-x86-64 $AUTOSYS/../webserver/bin
Copy old/liblibwrapper* to new $AUTOSYS/../webserver/lib
Copy old/lib/wrapper.jar to new $AUTOSYS/../webserver/lib
cp -p $AUTOSYS/../webserver.old/lib/libwrapper* $AUTOSYS/../webserver/lib
cp -p $AUTOSYS/../webserver.old/lib/wrapper.jar $AUTOSYS/../webserver/lib
Copy old/conf/Tomcat-wrapper-license.conf to new $AUTOSYS/../webserver/ conf
Copy old/conf/wrapper.conf to new $AUTOSYS/../webserver/conf
cp -p $AUTOSYS/../webserver.old/conf/Tomcat-wrapper-license.conf $AUTOSYS/../webserver/conf
cp -p $AUTOSYS/../webserver.old/conf/wrapper.conf $AUTOSYS/../webserver/conf
- Make following modifications to $AUTOSYS/../webserver/conf/server.xml
-
- ORIGINAL
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
UPDATED
<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" acceptCount="100"
keystoreType="BCFKS"
keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.MUN/webserver/conf/.keystore"
keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.MUN/webserver/conf/.keystore"
keystorePass="changeit"
maxThreads="400" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" relaxedQueryChars="|<>"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
Remarks:
-
-
- keystorePass might be different if you are using your own keystoreFile
- port=”9443” needs to be adapted if you have choosen another port number
-
-
- ORIGINAL
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
UPDATED
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="../out"
prefix="waae_webservices_access_log" suffix=".log"
pattern="%h %l %u %t "%r" %s %b" />
- Change the owner and permissions of webserver similar to old
chmod -R 755 $AUTOSYS/../webserver/bin/wrapper-linux-x86-64
chmod -R 775 $AUTOSYS/../webserver/bin/waae_webserver.<instance>
chown -R <install_owner>:<install_group> $AUTOSYS/../webserver
Part 2 : $AUTOUSER/webserver
- Take backup of $AUTOUSER/webserver. Lets name backup name as old
mv $AUTOUSER/webserver $AUTOUSER/webserver.old
- Copy the tomcat tar (see step 2 in part1) from $AUTOSYS
mv $AUTOSYS/../apache-tomcat-8.5.51.tar $AUTOUSER
cd $AUTOUSER
tar -xvf apache-tomcat-8.5.51.tar
mv apache-tomcat-8.5.51 webserver
- Cleanup directories & files so that it looks identical to old
rm -Rf $AUTOUSER/webserver/bin
rm -Rf $AUTOUSER/webserver/lib
rm -f $AUTOUSER/webserver/BUILDING.txt $AUTOUSER/webserver/CONTRIBUTING.md $AUTOUSER/webserver/LICENSE $AUTOUSER/webserver/NOTICE $AUTOUSER/webserver/README.md $AUTOUSER/webserver/RELEASE-NOTES $AUTOUSER/webserver/RUNNING.txt
rm -Rf $AUTOUSER/webserver/webapps
- Copy below files from old to new:
cp -R $AUTOUSER/webserver.old/webapps $AUTOUSER/webserver
cp -p $AUTOUSER/webserver.old/conf/Tomcat-wrapper-license.conf $AUTOUSER/webserver/conf
cp -p $AUTOUSER/webserver.old/conf/wrapper.conf $AUTOUSER/webserver/conf
cp -p $AUTOUSER/webserver.old/conf/.keystore $AUTOUSER/webserver/conf
cp -p $AUTOUSER/webserver.old/conf/logon.conf $AUTOUSER/webserver/conf
- Make following modifications to $AUTOUSER/webserver/conf/server.xml
-
- ORIGINAL
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" acceptCount="100"
maxThreads="400" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" relaxedQueryChars="|<>"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
-->
UPDATED
<Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" acceptCount="100"
keystoreType="BCFKS"
keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.MUN/webserver/conf/.keystore"
keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.MUN/webserver/conf/.keystore"
keystorePass="changeit"
maxThreads="400" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" relaxedQueryChars="|<>"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
Remarks:
-
-
-
-
keystorePass might be different if you are using your own keystoreFile
-
port=”9443” needs to be adapted if you have choosen another port number
-
-
-
-
- ORIGINAL
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
-->
UPDATED
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3"
redirectPort="8443" secretRequired="false"/>
-
- ORIGINAL
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
UPDATED
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="../out"
prefix="waae_webservices_access_log" suffix=".log"
pattern="%h %l %u %t "%r" %s %b" />
- Change the owner and permissions of webserver similar to old
chmod 700 $AUTOUSER/webserver/conf/.keystore
chown -R <install_owner>:<install_group> $AUTOUSER/webserver
Additional Information
You can find more information on tomcat vulnerabilities on following url
Feedback
Yes
No
Powered by
