Best approach to upgrade WebSphere to version 9.0.5.15 and IBM JDK to version 8.0.8.0 when security vulnerabilities are observed.
To remediate vulnerabilities, the customer's security team suggested upgrading the WebSphere version to 9.0.5.15 and IBM JDK version to 8.0.8.0.
In this use case, the ASA agent currently installed is SP12.0, which needs to be upgraded to SP12.8.
The suggestion is to upgrade the ASA agent to the 12.8 release and then proceed with upgrading the WebSphere and IBM JDK versions.
Environment: SITEMINDER AGENT FOR IBM WEBSPHERE RELEASE 12.8
Broadcom Support suggestions (the assumption is that this is a working setup, with the SiteMinder TAI initializing successfully):
Test the steps below thoroughly in a lower TEST environment before executing them in your PROD environment.
Important! ASA Agent cannot be upgraded from a previous version. To install the current version, first uninstall the previous version of the ASA Agent.
1. Stop the existing WebSphere 9.0.5.10.
2. Take a screenshot of the SiteMinder jars present in WS_HOME\lib\ext (here WS_HOME is the WebSphere home path).
3. Take a backup of the SiteMinder jars present in WS_HOME\lib\ext (here WS_HOME is the WebSphere home path).
4. Take a screenshot of the SiteMinder jars present in WS_HOME/java/8.0/jre/lib/ext and WS_HOME/java/jre/lib/ext (here JAVA_HOME is the IBM SDK 8.0.3.20 that you are using).
5. Take a backup of the SiteMinder jars present in WS_HOME/java/8.0/jre/lib/ext and WS_HOME/java/jre/lib/ext (here JAVA_HOME is the IBM SDK 8.0.3.20 that you are using).
6. Uninstall the SiteMinder ASA R12 version.
7. After the uninstall, make sure all SiteMinder ASA Agent jars are removed from the above locations. You can compare the screenshots taken before and after uninstalling.
8. Once all SiteMinder jars are cleared, install the R12.8 version of ASA.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/SiteMinder-Agent-for-IBM-WebSphere-Release-12-8.html
9. Run smreghost.sh to re-register.
10. Perform the mandatory R12.8 steps described in the Tech Docs for R12.8 (renaming jars in WAS_HOME/installedconnectors/wms... Note that the renamed files should not have .jar as the extension).
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/SiteMinder-Agent-for-IBM-WebSphere-Release-12-8.html#concept.dita_33074219-31ed-4b63-b999-d504a7488f7a_mandatoryconfig
11. (Not mandatory) ONLY if you have the LogRollover ACO parameter set to yes, apply the smlogger.jar patch attached below. Before applying the patch, take a backup of the original smlogger.jar installed as part of R12.8 ASA.
12. Now start WebSphere.
13. If no issues are observed, move ahead with your plan of upgrading WebSphere and Java.
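
Steps 2 to 7 rely on comparing screenshots by eye; a hashed text manifest makes the same before/after comparison repeatable and leaves a record of exactly which jars were backed up. The script below is an added example, not part of the Broadcom procedure: the `sm*.jar` name pattern, the function names and the manifest file are assumptions, and it expects `sha256sum` and `find -maxdepth` to be available on a Unix-like host.

```bash
#!/usr/bin/env bash
# Added example: hashed inventory, backup and post-uninstall check of agent jars.
# Assumption: SM_PATTERN matches the jar names the ASA installer placed in
# these directories; adjust it to what you actually see there.
SM_PATTERN="${SM_PATTERN:-sm*.jar}"

# The three extension directories named in steps 2-5, relative to WS_HOME.
ext_dirs() {
  printf '%s\n' "$1/lib/ext" "$1/java/8.0/jre/lib/ext" "$1/java/jre/lib/ext"
}

# snapshot WS_HOME MANIFEST: record "sha256  path" for every matching jar.
snapshot() {
  ext_dirs "$1" | while IFS= read -r d; do
    [ -d "$d" ] || continue
    find "$d" -maxdepth 1 -type f -name "$SM_PATTERN" -exec sha256sum {} +
  done | sort -k2 > "$2"
}

# backup MANIFEST DEST: copy each recorded jar under DEST, keeping its full
# path, and store the manifest beside the copies. In sha256sum output the
# path starts at column 67 (64 hex digits plus two separator characters).
backup() {
  mkdir -p "$2" || return 1
  cut -c67- "$1" | while IFS= read -r f; do
    mkdir -p "$2$(dirname "$f")" && cp -p "$f" "$2$f" || exit 1
  done || return 1
  cp "$1" "$2/manifest.sha256"
}

# leftovers MANIFEST: print recorded jars still on disk after the uninstall.
# Returns 0 when none remain, 1 otherwise.
leftovers() {
  left=$(cut -c67- "$1" | while IFS= read -r f; do
    if [ -e "$f" ]; then printf '%s\n' "$f"; fi
  done)
  [ -z "$left" ] && return 0
  printf '%s\n' "$left"
  return 1
}

# Usage: script snapshot WS_HOME MANIFEST | backup MANIFEST DEST | verify MANIFEST
case "${1:-}" in
  snapshot) snapshot "$2" "$3" ;;
  backup)   backup "$2" "$3" ;;
  verify)   leftovers "$2" ;;
esac
```

Run `snapshot` and `backup` after step 1 and `verify` after step 6; any path that `verify` prints is a jar from the old agent that the uninstaller left behind.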