One might need to upgrade the Autosys Web Server's Tomcat engine to the latest Tomcat 8.5.x release to address vulnerabilities that are fixed in newer versions of Tomcat 8.5.x.
Release : 11.3.6
Component : CA Workload Automation AE (AutoSys)
This document provides the steps to upgrade Tomcat for the Autosys 11.3.6 web server when Autosys is on Windows.
(For 12.x, refer to appropriate 12.x documentation https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-0/installing/Install-AutoSys/upgrade-tomcat-version-for-autosys.html)
Note: Default paths and notations used here:
%AUTOSYS% = C:\Program Files (x86)\CA\Workload Automation AE\autosys
%AUTOUSER% = C:\Program Files (x86)\CA\Workload Automation AE\autouser.%AUTOSERV%
Note: old_webserver is the name used below to avoid 8.3 folder name confusion (example: if you rename webserver to webserver_old, the folder might still retain the old 8.3 name, so the original web server folder would still be used).
1) Create a temporary folder c:\temp on the Autosys Server
2) Download and copy apache-tomcat-8.5.65-windows-x64.zip to c:\temp
(You can download a newer (for example 8.5.61) Tomcat ZIP file from http://tomcat.apache.org or obtain your in-house supported Tomcat.)
3) Right click on the above zip file in Windows Explorer and select Extract All
4) This creates folders like this: C:\temp\apache-tomcat-8.5.65-windows-x64\apache-tomcat-8.5.65
Now follow the steps below to upgrade the Autosys Web Server.
Part 1: %AUTOSYS%\.. folder (parent folder for %AUTOSYS%)
1) Open Autosys Command Prompt as Administrator and type:
2) cd %AUTOSYS%
3) ren webserver old_webserver
4) Copy the files below from old to new
dir
## make sure you can see the old_webserver folder
mkdir webserver
xcopy /S C:\temp\apache-tomcat-8.5.65-windows-x64\apache-tomcat-8.5.65 webserver
## make sure you can see the new webserver folder as well as the old old_webserver folder
dir
## copy some binaries+wrapper from old_webserver to new webserver
copy old_webserver\bin\*webserver*.bat webserver\bin\.
copy old_webserver\lib\wrapper.* webserver\lib\.
## copy wrapper license and conf
copy old_webserver\conf\Tomcat-wrapper-license.conf webserver\conf
copy old_webserver\conf\wrapper.conf webserver\conf
5) Compare original server.xml and the new one and make appropriate modifications to the AEWS port (:8443), example:
a) New server.xml is in webserver\conf\server.xml and it usually looks like this for the SSL socket:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
b) Instead of the above lines, copy the AEWS socket information from old_webserver\conf\server.xml. It looks like this:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" acceptCount="100"
maxThreads="400" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
keystoreFile="conf/.keystore"
keystorePass="changeit" />
c) So the entry for :8443 in the NEW server.xml (webserver\conf\server.xml) should look like 5.b above.
Note: keystorePass might be different if you are using your own keystoreFile; port="9443" needs to be adapted if you have chosen another port number.
6) Towards the bottom of the NEW server.xml in webserver\conf\server.xml, find this entry:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
Update it to look like this:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="../out"
prefix="waae_webservices_access_log" suffix=".log"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
7) Save the file
Part 2: %AUTOUSER%\webserver
1) Open Autosys Command Prompt as Administrator and type:
cd %AUTOUSER%
ren webserver old_webserver
2) Copy the files below from old to new
dir
## make sure you can see the old_webserver folder
move C:\temp\apache-tomcat-8.5.65-windows-x64\apache-tomcat-8.5.65 webserver
## make sure you can see the new webserver folder as well as the old old_webserver folder
dir
Clean up directories & files so that the layout looks identical to the old one
del /Q /S webserver\bin\*
del /Q /S webserver\lib\*
del /Q webserver\BUILDING.txt webserver\CONTRIBUTING.md webserver\LICENSE webserver\NOTICE webserver\README.md webserver\RELEASE-NOTES webserver\RUNNING.txt
rmdir /Q /s webserver\webapps
mkdir webserver\webapps
## copy some binaries+wrapper from old_webserver to new webserver
copy old_webserver\bin\*webserver*.bat webserver\bin\.
copy old_webserver\lib\wrapper.* webserver\lib\.
xcopy /S old_webserver\webapps webserver\webapps
copy old_webserver\conf\wrapper.conf webserver\conf
copy old_webserver\conf\Tomcat-wrapper-license.conf webserver\conf
copy old_webserver\conf\.keystore webserver\conf
copy old_webserver\conf\logon.conf webserver\conf
3) Compare original server.xml and the new one and make appropriate modifications to the AEWS port (:8443), example:
a) New server.xml is in webserver\conf\server.xml and it usually looks like this for the SSL socket:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
b) Instead of the above lines, copy the AEWS socket information from old_webserver\conf\server.xml. It looks like this:
<Connector port="19443" protocol="HTTP/1.1" SSLEnabled="true" acceptCount="100"
maxThreads="400" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
keystoreFile="C:\PROGRA~2\CA\WORKLO~1\autouser.ACE\webserver\conf\.keystore" keystoreType="BCFKS" relaxedQueryChars="|&lt;&gt;"
keystorePass="changeit" />
c) So the entry for :8443 in the NEW server.xml (webserver\conf\server.xml) should look like b) above.
Note: keystorePass might be different if you are using your own keystoreFile; port="9443" needs to be adapted if you have chosen another port number.
d) In webserver\conf\server.xml, you can comment out the AJP entry, as it is normally not needed, so that it looks like this:
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->
e) Compare webserver\conf\server.xml with the original old_webserver\conf\server.xml and make sure the shutdown ports are the same. If not, fix webserver\conf\server.xml accordingly.
<Server port="8005" shutdown="SHUTDOWN">
4) Save the file and restart
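A check that can be run before the restart in step 4, as an added example that is not part of the original article or the vendor's tooling: it compares the NEW server.xml with the old one for the points in steps c to e, and flags the RC4, 3DES and MD5 cipher suites and the default keystorePass that the copied connector line carries over. The function name and the inline sample XML are constructed for illustration; only the connector-level attributes used in this article are read.

```powershell
# Added example (not from the article): audit the NEW server.xml against the old one.
function Get-ServerXmlFindings {
    param([Parameter(Mandatory)][xml]$New, [Parameter(Mandatory)][xml]$Old)
    $findings = @()
    # Step e: the shutdown port must be the same as in the old file.
    $np = $New.DocumentElement.GetAttribute('port')
    $op = $Old.DocumentElement.GetAttribute('port')
    if ($np -ne $op) { $findings += "Shutdown port differs (new=$np, old=$op)" }
    # XML comments are not element nodes, so a commented-out AJP entry is not matched.
    $newConn = @($New.SelectNodes('//Connector'))
    foreach ($o in @($Old.SelectNodes('//Connector[@SSLEnabled="true"]'))) {
        $port = $o.GetAttribute('port')
        $hit = $newConn | Where-Object {
            $_.GetAttribute('port') -eq $port -and $_.GetAttribute('SSLEnabled') -eq 'true' }
        if (-not $hit) { $findings += "No SSL connector on port $port in the new file" }
    }
    foreach ($c in $newConn) {
        $port = $c.GetAttribute('port')
        if ($c.GetAttribute('protocol') -like 'AJP*') {
            $findings += "AJP connector is active on port $port"
        }
        # Copying the old connector line also copies its RC4, 3DES and MD5 suites.
        $weak = $c.GetAttribute('ciphers') -split ',' | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -match 'RC4|3DES|_MD5$' }
        if ($weak) { $findings += "Port ${port}: weak cipher suites: $($weak -join ', ')" }
        if ($c.GetAttribute('keystorePass') -eq 'changeit') {
            $findings += "Port ${port}: keystorePass is still the default 'changeit'"
        }
    }
    $findings
}

# Constructed sample input. For real files use, for example:
#   [xml]$new = Get-Content -Raw 'webserver\conf\server.xml'
[xml]$old = @'
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA"
    keystoreFile="conf/.keystore" keystorePass="changeit" />
</Service></Server>
'@
[xml]$new = $old.OuterXml                            # same connector, as copied in step b
$new.DocumentElement.SetAttribute('port', '8006')    # constructed shutdown-port mismatch
$ajp = $new.CreateElement('Connector')               # constructed AJP entry left enabled
$ajp.SetAttribute('port', '8009'); $ajp.SetAttribute('protocol', 'AJP/1.3')
[void]$new.DocumentElement.FirstChild.AppendChild($ajp)
Get-ServerXmlFindings -New $new -Old $old
```

An empty result means the shutdown port and SSL connector ports match the old file and none of the flagged settings are present.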