search cancel

Apache upgrade for SPS instance on RHEL6.10 or RHEL 7.8

book

Article ID: 199552

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running a CA Access Gateway (SPS) and we've discovered
vulnerabilities. We'd like to know how to upgrade the embedded Apache
server to version equal or higher of 2.4.42 ?

We run at the moment :

  CA Access Gateway (SPS) 12.52SP1CR01

 

Resolution

 

At first glance, SPS 12.52SP1CR01 is out of support as per EOL-EOS notice :

  CA Single Sign-On r12.52 End of Service Announcement
  https://techdocs.broadcom.com/us/product-content/status/announcement-documents/2017/ca-single-sign-on-r12-52-end-of-service-announcement.html?r=2

More, in order to get CA Access Gateway (SPS) you need to upgrade the
version to 12.8SP4 which runs Apache 2.4.43 as per our Release Notes :

Defects Fixed in 12.8.04

  20068805, 31819372, 20243712, 31789696, 31790096, 31799363, 31821485
  DE432477, DE444233, DE451026, DE451486 Apache is upgraded to Apache
  2.4.43, OpenSSL is upgraded to OpenSSL 1.0.2u, and Tomcat is upgraded
  to 7.0.104.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/Defects-Fixed-in-12_8_04.html#concept.dita_94165a57-6b0d-4105-91d3-53d482bf212b_smsps

Finally, CA Access Gateway (SPS) 12.8SP4 is supported on RedHat 7 as
per our Support Matrix :

  Symantec SiteMinder (previously CA Single Sign-On) 12.8

  2.1 Operating System for Policy Server, SDK & Access Gateway

    The following table lists SiteMinder server components and Access
    Gateway support for Operating Systems

      | SiteMinder     | Red Hat |
      | Component      |         |
      |----------------+---------|
      | Access Gateway | 7       |
      | 64 bit         | 6       |

      p.2

  https://ftpdocs.broadcom.com/phpdocs/7/5262/5262-12-8-platform-support-matrix.pdf

Note that :

- SPS 12.8SP4 is compatible with other Web Agent version;
- SPS 12.8SP4 is not compatible with the Policy Server 12.8SP2, as
  stated by our Support Matrix :

  4.1 Policy Server and Agents Compatibility

    All other usage patterns (e.g. reverse proxy, federation, Rest
    interface, session linking) are supported with the 12.8 Policy
    Server in combination with earlier versions of the Access Gateway.

  https://ftpdocs.broadcom.com/cadocs/0/contentimages/Symantec%20SiteMinder_12_8_Platform%20Support%20Matrix_24August2020.pdf

  We strongly suggest you to run SPS version being the same as Policy
  Server in order to have the new or changed functionality aligned
  with SPS as this following among the others :

  OIDC endpoint URLs
  https://knowledge.broadcom.com/external/article?articleId=193287