
Applications Manager (Appworx) Upgrade - Best Practices


Article ID: 222411


Products

CA Automic Applications Manager (AM)

Issue/Introduction

This article covers some of the Best Practices when upgrading Applications Manager / Appworx to version 9.4.0.

Environment

CA Automic Applications Manager 9.4.0

 

Resolution

APPLICATIONS MANAGER UPGRADE – BEST PRACTICES

 Upgrade from Version 9.x to 9.4.0

Download Latest Version (at this time: 9.4.0)

Sources:

Upgrade Documentation

Installation Media

Compatibility Matrix

Release Notes Tool

9.4.0 Release Notes

 

Requirements for installation:

  • Java installed - Running 'java -version' and 'which java' will give you the Java version and the directory where Java is located
  • Oracle installed - Oracle should be installed and $ORACLE_HOME should be set
  • Sqlplus available - You should be able to run the sqlplus command and connect to the database instance using the AM Oracle username and password
  • The creation of the AM Oracle user and schema. The documentation for this is here
  • With 9.3 and higher, you must use a custom SSL certificate for connection authentication by creating user_keystore and user_keystore_config files on the Automation Engine and client machines.

Using Custom SSL Certificates for Connection Authentication

Last Updated July 15, 2021

An SSL certificate is now necessary to connect Automation Engine with Remote Agent and Clients. Using your own certificate prevents unauthorized connections between the connection endpoints.

The SSL certificate provided can be a self-signed certificate or issued by a CA (Certificate Authority).

To configure the SSL certificate on your server:

  1. Create a user_keystore file.
    • With a self-signed certificate:

keytool -keystore user_keystore -keyalg RSA -genkey -alias "AM" -storetype JKS -storepass <password>

The following is a sample location where the file gets generated:

C:\Program Files\AdoptOpenJDK\jdk-11.0.6.10-hotspot\bin

    • With a CA-issued certificate:

A .CER file can be imported to a keystore using the following command:

keytool -importcert -file certificate.cer -keystore user_keystore -alias "AM" -storetype JKS -storepass <password> -trustcacerts

To encrypt the password, go to the AW_HOME/web/classes directory, ensure that AW variables are exported and run the following command:

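java -DAW_HOME=${AW_HOME} -cp "AppWorx.jar:uc4-ra.jar" com.appworx.util.EncryptKeystoreFile <password>

The classpath separator is ':' on UNIX/Linux and ';' on Windows. Quote the classpath so the shell does not interpret the separator.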

 

The following is a sample location where the file gets generated: AW_HOME\data

CA Issued Certificate

From 9.3.5 and above, if the certificate is a CA-issued certificate, copy the generated user_keystore and user_keystore_config files to the <install-dir>\data directory present on the Automation Engine machine.

If the certificate is self-signed, the user_keystore and user_keystore_config files need to be copied to Remote Agents and Client machines.

On each user's client machine, create a C:\Users\<user name>\AppWorx\<master name> folder for each master in the connections.properties file, where <user name> is the actual user's name and <master name> is the name of the master. Then place copies of the user_keystore and user_keystore_config files for each master in the sub-directory for that master. This allows for different keystores to be used on each master.

On each Remote Agent machine, the user_keystore and user_keystore_config files need to be copied to the data directory of the Remote Agent installation directory.

 Installation instructions:

  1. Download the installation media to a directory outside of the installation home. For example: 

Install directory = /home/appworx/AMMaster

Install media directory = /home/appworx/media/Applications.Manager_AM.Image_SOLARIS.AIX.LINUX.WINDOWS_9_3_5+build.1.zip 

  2. From the install media directory, unzip the installation media by running the command:

unzip Applications.Manager_AM.Image_SOLARIS.AIX.LINUX.WINDOWS_9_3_5+build.1.zip

3. After unzip, the installation script is located at:

/home/appworx/media/SOLARIS.AIX.LINUX.WINDOWS/V9/cdinsht.sh

4. As the AM OS user, cd to the install directory /home/appworx/AMMaster and start the installation from this directory by typing the following and hitting enter:

/home/appworx/media/SOLARIS.AIX.LINUX.WINDOWS/V9/cdinsht.sh

5. Follow the on screen prompts and provide the necessary information requested. Below is a KE you can reference to see what prompts mean: 

https://knowledge.broadcom.com/external/article?articleId=90581

 6. Once you progress through the installation where you enter in the AM Oracle username password, you should select option 1 for install/upgrade.

7. This should be the bulk of the installation process and once this completes, the installation is complete minus the SSL certificate that you will need to generate (user_keystore) and the user_keystore_config. More information on this requirement at the link below:

8. For more information on opening the client, please see the links below. The first link specifically talks about configuring and opening the client, while the second link talks about where the user_keystore and user_keystore_config need to be copied to allow the client to connect successfully:

Opening the Applications Manager Client and Logging In

 

CVE-2021-44228 - log4j vulnerability and AppWorx / Automic Application Manager

Applications Manager ships the Log4J library. This library is a transitive dependency required for the Apache Commons Logging library (commons-logging-1.2.jar). We don't invoke classes from this library directly; instead we use in-house code for logging messages.
 
Applications Manager v9.3.x ships Log4j v1.2.8, which is not vulnerable to the zero-day exploit. Hence Applications Manager v9.3.x is NOT vulnerable.
 
Applications Manager v9.4.0 ships the Log4j2 v2.14.1 library, which has been marked as vulnerable. But one of the requirements for exploiting the zero-day attack is that the input be logged using Log4J2, which we don't use, and hence there is minimal chance of exploitation.
 
Nevertheless, we would still request our customers to upgrade the vulnerable library.
 
Steps for mitigation for Applications Manager v9.4.0:
 
  1. Stop Applications Manager services.
  2. Delete the files $AW_HOME/web/classes/log4j-1.2-api-2.14.1.jar and $AW_HOME/web/classes/log4j-core-2.14.1.jar.
  3. Download the following files and copy them to the $AW_HOME/web/classes folder:
    • https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/log4j-core-2.15.0.jar
    • https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-1.2-api/2.15.0/log4j-1.2-api-2.15.0.jar
  4. Start the Applications Manager services.
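
A check to run after the mitigation steps above, before restarting services. This is an added example, not Broadcom tooling: the function name log4j_audit and its output wording are hypothetical, and the jar names and versions are the ones given in this article.

```shell
#!/bin/sh
# Added example: confirm the Log4j jar swap described in this article.
# 2.14.1 is the build the article says to delete; 2.15.0 is the replacement.
OLD_VER="2.14.1"
NEW_VER="2.15.0"

# log4j_audit DIR
# Prints one finding per line. Returns 0 only when both replacement jars are
# present and non-empty and no other version of either artifact remains.
log4j_audit() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory"; return 2; }
    for artifact in log4j-core log4j-1.2-api; do
        found_new=0
        for jar in "$dir/$artifact"-*.jar; do
            [ -e "$jar" ] || continue      # glob matched nothing
            name=${jar##*/}
            case "$name" in
                "$artifact-$NEW_VER.jar")
                    found_new=1
                    if [ -s "$jar" ]; then
                        echo "OK: $name"
                    else
                        echo "FAIL: $name is empty (incomplete download?)"
                        rc=1
                    fi ;;
                "$artifact-$OLD_VER.jar")
                    echo "FAIL: $name still present, delete it"
                    rc=1 ;;
                *)
                    echo "REVIEW: unexpected version $name"
                    rc=1 ;;
            esac
        done
        if [ "$found_new" -eq 0 ]; then
            echo "FAIL: $artifact-$NEW_VER.jar missing"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: sh log4j_audit.sh "$AW_HOME/web/classes"
if [ "$#" -gt 0 ]; then
    log4j_audit "$1"
fi
```

A non-zero exit status means the classes directory does not yet match the state the steps describe, so it can gate the service restart in a change script.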
 
RA Banner ships Log4J v.1.2.x and hence the product is NOT vulnerable.
 

Additional Information

CVE-2021-44228 - log4j vulnerability and AppWorx / Automic Application Manager - https://knowledge.broadcom.com/external/article?articleId=230316

Additional Links: 

It is highly advisable to take a complete backup of the system including the database and test the upgrade on pre-production environment prior to production.

 

Did you know?

Broadcom support can help review your pre-upgrade plan! Please work with your accounts team or open a support case via support.broadcom.com with your plan.