Policy Server 12.8SP2 has no log4j.jar anymore


Article ID: 199900


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER



Why is the file log4j.jar no longer present in Policy Server 12.8SP2,
when it was present in Policy Server 12.7SP2?

Comparing Policy Server 12.8SP2 with 12.7SP2, these results can be

  [ps.training.com] root :: 09:44:47 : /opt/CA/siteminder $ Version
  [Version -  Version 12.7.0200.1609]

  [ps.training.com] root :: 15:48:36 : /opt/CA/siteminder $ find . -name "*log4j.jar*"


  [ps128sp2.training.com] root :: 09:30:03 : /opt/CA/siteminder $ Version
  [Version -  Version 12.8.0200.1992]

  [ps128sp2.training.com] root :: 15:49:28 : /opt/CA/siteminder $ find . -name "*log4j.jar*"
  [ps128sp2.training.com] root :: 15:49:30 : /opt/CA/siteminder $




Policy Server 12.8SP2 on RedHat 6




Log4j 1.x reached end of life quite some time back, in August 2015 (1).

Starting with 12.8, SiteMinder has been moving the logging framework
of its Java components to SLF4J, with Log4j 2 as the implementation.

According to the Log4j 2 FAQ, it looks like the Log4j 1.x and 2.x
libraries can't both be on the same classpath (2).

Log4j 2 provides compatibility with Log4j 1.x via the Log4j 1.x
bridge. For more information, refer to the Apache documentation (3)(4).

For the majority of the components, SiteMinder 12.8 now uses SLF4J:


as the logging façade, with Log4j 2 as the underlying logging
framework. For a smaller number of components, SiteMinder uses
Log4j 2 directly:


Consult the FAQ diagram for details on which jars to use with the
different logging frameworks (5).
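
An added example (not Broadcom or SiteMinder code): since find . -name "*log4j.jar*" matches only that one file name, this Python example identifies logging jars by the Maven metadata inside them and reports whether Log4j 1.x and Log4j 2 sit in the same tree. It assumes the jars still carry META-INF/maven/.../pom.properties; the role labels, function names and sample jars are constructed for illustration.

```python
import os, tempfile, zipfile
# Maven (groupId, artifactId) -> role in the logging stack.
ROLES = {
    ("log4j", "log4j"): "log4j-1.x",
    ("org.apache.logging.log4j", "log4j-api"): "log4j2-api",
    ("org.apache.logging.log4j", "log4j-core"): "log4j2-core",
    ("org.apache.logging.log4j", "log4j-1.2-api"): "log4j1-bridge",
    ("org.apache.logging.log4j", "log4j-slf4j-impl"): "slf4j-binding",
    ("org.slf4j", "slf4j-api"): "slf4j-api",
}

def classify_jar(path):
    """Return (role, version) from the jar's pom.properties (assumed present), else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            for name in jar.namelist():
                if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                    lines = jar.read(name).decode("utf-8", "replace").splitlines()
                    props = dict(l.strip().split("=", 1) for l in lines if "=" in l)
                    role = ROLES.get((props.get("groupId"), props.get("artifactId")))
                    if role:
                        return role, props.get("version", "unknown")
    except (zipfile.BadZipFile, OSError):
        pass  # not a readable zip: skip it instead of aborting the scan
    return None

def inventory(root):
    """Map each recognised jar (path relative to root) to (role, version)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in (f for f in files if f.endswith(".jar")):
            hit = classify_jar(os.path.join(dirpath, fname))
            if hit:
                found[os.path.relpath(os.path.join(dirpath, fname), root)] = hit
    return found

def mixes_log4j_1_and_2(found):
    """True when Log4j 1.x sits beside Log4j 2 jars in the scanned tree."""
    roles = {role for role, _ver in found.values()}
    return "log4j-1.x" in roles and bool(roles & {"log4j2-api", "log4j2-core"})

def scan_sample(sample):
    """Build constructed jars {name: (groupId, artifactId, version)} in a temp dir, scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, (g, a, v) in sample.items():
            with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
                jar.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                             f"groupId={g}\nartifactId={a}\nversion={v}\n")
        return inventory(root)
```

On a real host, inventory("/opt/CA/siteminder") returns the same mapping for the installed jars; the Log4j 1.x bridge is reported under its own role so it is not mistaken for Log4j 1.x itself.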

Be aware of the Log4j vulnerability and its resolution (6).


Additional Information

(1) Apache Logging Services Project Announces Log4j 1 End-Of-Life; Recommends Upgrade to Log4j 2
(2) How do I exclude conflicting dependencies?
(3) Log4j 2 Compatibility with Log4j 1
(4) Migrating from Log4j 1.x
(5) Which JAR files do I need?
(6) CVE-2021-44228: SiteMinder Resolution to the Log4j Vulnerability