Policy Server 12.8SP2 has no log4j.jar anymore

Article ID: 199900


Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

Why is the file log4j.jar no longer present in Policy Server 12.8SP2,
when it was present in Policy Server 12.7SP2?

Comparing Policy Server 12.8SP2 with 12.7SP2 gives these results:

  [ps.training.com] root :: 09:44:47 : /opt/CA/siteminder $ Version
  [Version -  Version 12.7.0200.1609]

  [ps.training.com] root :: 15:48:36 : /opt/CA/siteminder $ find . -name "*log4j.jar*"
  ./bin/jars/log4j.jar

  --

  [ps128sp2.training.com] root :: 09:30:03 : /opt/CA/siteminder $ Version
  [Version -  Version 12.8.0200.1992]

  [ps128sp2.training.com] root :: 15:49:28 : /opt/CA/siteminder $ find . -name "*log4j.jar*"
  [ps128sp2.training.com] root :: 15:49:30 : /opt/CA/siteminder $

 

Environment

Policy Server 12.8SP2 on RedHat 6

 

Resolution

Log4j 1.x reached end of life quite some time back, in August 2015 (1).

From 12.8 onwards, SiteMinder has started moving the logging framework
of its Java components to SLF4J, with Log4j 2 as the implementation.

According to the Log4j 2 FAQ, it looks like the Log4j 1.x and 2.x
libraries can't both be on the same classpath (2).

Log4j 2 provides compatibility with Log4j 1.x via the Log4j 1.x
bridge. For more information, refer to the Apache documentation (3)(4).

For the majority of its components, SiteMinder 12.8 now uses SLF4J as
the logging façade, with Log4j 2 as the underlying logging framework:

  slf4j-api-1.7.xx.jar
  log4j-api-2.12.xx.jar
  log4j-core-2.12.xx.jar

For a smaller number of components, SiteMinder uses Log4j 2 directly:

  log4j-api-2.12.xx.jar
  log4j-core-2.12.xx.jar

Consult the diagram in the FAQ for details on which jars to use with
the different logging frameworks (5).

Be aware of the log4j vulnerability and its resolution (6).
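
The find pattern shown in the Issue section only matches the unversioned log4j.jar, so it returns nothing for the versioned Log4j 2 file names listed above. The shell functions below are an added example, not part of the original article or of SiteMinder: they inventory logging jars by file name and report when Log4j 1.x and Log4j 2 jars sit in the same tree. The function names, the bin/jars location used for the 12.8 jars and the empty sample jars are assumptions constructed for illustration; log4j-1.2-api is the file name Apache uses for the Log4j 1.x bridge.

```shell
#!/bin/sh
# Added example: classify logging jars by file name only (jar contents are not inspected).

# classify_jar FILE_NAME -> log4j1 | log4j1-bridge | log4j2 | slf4j | other
classify_jar() {
    case "$1" in
        log4j-1.2-api-*.jar)                   echo log4j1-bridge ;; # must precede log4j-1.*
        log4j-api-2.*.jar|log4j-core-2.*.jar)  echo log4j2 ;;
        log4j.jar|log4j-1.*.jar)               echo log4j1 ;;
        slf4j-api-*.jar)                       echo slf4j ;;
        *)                                     echo other ;;
    esac
}

# inventory_logging_jars DIR -> one "CLASS PATH" line per matching jar, sorted by path
inventory_logging_jars() {
    find "$1" -type f \( -name '*log4j*.jar' -o -name 'slf4j*.jar' \) | sort |
    while IFS= read -r path; do
        echo "$(classify_jar "${path##*/}") $path"
    done
}

# has_mixed_log4j DIR -> succeeds when Log4j 1.x and Log4j 2 jars are both in the tree
has_mixed_log4j() {
    inv=$(inventory_logging_jars "$1")
    echo "$inv" | grep -q '^log4j1 ' && echo "$inv" | grep -q '^log4j2 '
}

# make_sample_tree DIR LAYOUT -> constructed empty jars named as in this article
# (the bin/jars location for the 12.8 jars is an assumption)
make_sample_tree() {
    mkdir -p "$1/bin/jars"
    case "$2" in
        12.7) : > "$1/bin/jars/log4j.jar" ;;
        12.8) for j in slf4j-api-1.7.xx log4j-api-2.12.xx log4j-core-2.12.xx; do
                  : > "$1/bin/jars/$j.jar"
              done ;;
    esac
}

# Usage: sh inventory.sh /opt/CA/siteminder
if [ "$#" -gt 0 ]; then
    inventory_logging_jars "$1"
    if has_mixed_log4j "$1"; then
        echo "WARNING: Log4j 1.x and Log4j 2 jars are both present" >&2
    fi
fi
```

Jars reported as "other" (any remaining file with log4j or slf4j in its name) need a manual look, since the classification relies on names alone.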

 

Additional Information

(1) Apache Logging Services Project Announces Log4j 1 End-Of-Life; Recommends Upgrade to Log4j 2

(2) How do I exclude conflicting dependencies?

(3) Log4j 2 Compatibility with Log4j 1

(4) Migrating from Log4j 1.x

(5) Which JAR files do I need?

(6) CVE-2021-44228: SiteMinder Resolution to the Log4j Vulnerability