Steps to upgrade to Tomcat 4.1.39 to avoid vulnerabilities in the out-of-the-box Tomcat version of Service Desk r11.2

Article ID: 53129

Products

  • CA IT Asset Manager
  • CA Software Asset Manager (CA SAM)
  • ASSET PORTFOLIO MGMT- SERVER
  • SUPPORT AUTOMATION- SERVER
  • CA Service Desk Manager - Unified Self Service
  • KNOWLEDGE TOOLS
  • CA Service Management - Asset Portfolio Management
  • CA Service Management - Service Desk Manager

Issue/Introduction

Description:

Tomcat needs to be at version 4.1.39 to avoid multiple vulnerabilities that are present in the out-of-the-box version of Tomcat that ships with Service Desk r11.2 or below. This solution applies to both Windows and UNIX platforms.

Hyper PIB RI08615 has been published to the CA Service Desk Manager client base.

Solution:

Installing Tomcat 4.1.39 for Service Desk

The following instructions outline how to install and configure Tomcat 4.1.39 for use with Service Desk r11.x. If the Service Desk Server is running on a Windows server, follow the instructions in the Windows subsection. If the Service Desk Server is running on UNIX, follow the instructions in the UNIX subsection.

This document can also be used to implement 4.1.40. Tomcat 4.1.40 is not officially certified with CA Service Desk. It should work without incident; however, CA Support retains the right to recommend that Tomcat 4.1.40 be downgraded to 4.1.39 for testing purposes if there is a suspected issue with this version of Tomcat.

Windows

  • Create a new directory called:

    • C:\Program Files\CA\SharedComponents\Tomcat\4.1.39

  • Please ensure you have WINZIP or a similar program installed on the Service Desk server.

  • Stop the Service Desk service.

  • Download Tomcat 4.1.39 from the following website and unzip it into the directory created above:

    • http://tomcat.apache.org/download-41.cgi

  • Double click on the "zip (md5, pgp)" link and then click on the "Open" button when the following screen appears:

    <Please see attached file for image>

    Figure 2

  • If using WINZIP, then click on the "Extract" button in the WINZIP tool bar:

    <Please see attached file for image>

    Figure 3

  • Drill down to the directory created above (C:\Program Files\CA\SharedComponents\Tomcat\4.1.39) and highlight it as shown below and then click on the "Extract" button:

    <Please see attached file for image>

    Figure 4

    • Because the Tomcat 4.1.39 zip file contains a top-level directory called "apache-tomcat-4.1.39", and all of the directories beneath it must sit directly under C:\Program Files\CA\SharedComponents\Tomcat\4.1.39 (as seen below), copy everything under "apache-tomcat-4.1.39" to the directory mentioned above and then delete the "apache-tomcat-4.1.39" directory.

      <Please see attached file for image>

      Figure 5

  • Once the above has been completed the c:\Program Files\CA\SharedComponents\Tomcat\4.1.39 directory should look like the following:

    <Please see attached file for image>

    Figure 6

  • Make a copy of the NX.env located in C:\Program Files\CA\Service Desk\

  • Modify NX.env located in C:\Program Files\CA\Service Desk\ as follows:

    • @NX_TOMCAT_INSTALL_DIR = C:\Program Files\CA\SharedComponents\tomcat\4.1.39

      <Please see attached file for image>

      Figure 7

  • Make a copy of the directory

    • C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\conf\

  • Copy all files in C:\Program Files\CA\SharedComponents\tomcat\4.1.39\conf\ to

    • C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\conf\

      • The "C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\conf" directory should now look like the following:

        <Please see attached file for image>

        Figure 8

  • Make a copy of config.properties located in C:\Program Files\CA\Service Desk\site\

    <Please see attached file for image>

    Figure 9

  • Modify config.properties located in C:\Program Files\CA\Service Desk\site\ as follows:

    • web.tomcat_home=c\:\\Program Files\\CA\\SharedComponents\\tomcat\\4.1.39

    • web.tomcat.service_name=Apache Tomcat 4.1

    • web.tomcat.version=4.1.39

      <Please see attached file for image>

      Figure 10

  • Copy

    • C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\webapps\Examples to:

    • C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\webapps\

      • Note: This will create a new "Examples" directory in the "C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\webapps" directory, and it should look like the following after performing the copy:

        <Please see attached file for image>

        Figure 11

  • Copy epbc.jar from:

    • C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\common\lib to:

    • C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\common\lib

      • The C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\common\lib directory should look like the following after the copy:

        <Please see attached file for image>

        Figure 12

  • Make a copy of the wl.xml file found in the C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\webapps directory and alter the file extension to ".xml_orig".

    • NOTE: The extension CANNOT be ".xml"; this will cause issues if it is not altered.

  • Add the following line to the wl.xml file found in the C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\webapps directory:

    • <Environment name="CookieLevel" override="true" type="java.lang.Integer" value="2"/>

    • The wl.xml file and the C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\webapps directory should look like the following after the rename and the modification:

      <Please see attached file for image>

      Figure 13

  • Rename the ".jar" files in the "C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\common\endorsed" directory so that their extension is ".jar_39".

    • NOTE: The extension CANNOT be ".jar"; this will cause issues if it is not altered.

  • Copy the ".jar" files from the

    • C:\Program Files\CA\SharedComponents\Tomcat\4.1.31\common\endorsed directory to

    • The C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\common\endorsed directory.

    • The C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\common\endorsed directory should look like the following after the copy:

      <Please see attached file for image>

      Figure 14

  • Restart the Service Desk service.

  • Users of the Service Desk Web interface will need to delete their "cookies" after the restart of the Service Desk service.

    • This is accomplished by opening Internet Explorer and clicking on Tools -> Internet Options.

    • This will cause the "Internet Options" form to open. Go to the "General" tab and click on the "Delete Cookies..." button.

    • Another form is then opened with the following question:

      • "Delete all cookies in the Temporary Internet Files folder?"

      • Please click on the "OK" button in this form.

    • Then click on the "OK" button back on the "General" tab in the "Internet Options" form.

Unix

  • Please ensure you have GZIP installed on the Service Desk server.

  • Stop the Service Desk service.

  • Download Tomcat 4.1.39 from the following website:

    • http://tomcat.apache.org/download-41.cgi

    • Please choose the "tar.gz (md5, pgp)" file for "Full distributions for JDK 1.2 or later:" as seen in the screen below.

    • Note that the "Other Mirrors" dropdown may need to be changed in order to find a mirror with the file available for download.

      <Please see attached file for image>

      Figure 15

  • Click on the "tar.gz (md5, pgp)" link and then click on the "Save" option. Save the file to a location appropriate for extraction, such as /opt/temp.

  • Once the file has completed download, open a terminal and change directory to /opt/temp or where the file has been saved.

  • Run GZIP. The following command unzips the file into the same directory:

    • gzip -d apache-tomcat-4.1.39.tar.gz

  • Untar the file. The following command untars the file into the same directory:

    • tar -xvf apache-tomcat-4.1.39.tar

  • This creates a new directory called "apache-tomcat-4.1.39" in the current working directory ("/opt/temp" in the current example).

  • Copy this directory to "/opt/CA/SharedComponents/tomcat" and rename it to 4.1.39

    • cp -r apache-tomcat-4.1.39 /opt/CA/SharedComponents/tomcat/4.1.39

    • The directory "/opt/CA/SharedComponents/tomcat" should now look like the following:

      <Please see attached file for image>

      Figure 16

  • Make a copy of the NX.env located in /opt/CA/ServiceDesk/

  • Modify NX.env located in /opt/CA/ServiceDesk/ as follows:

    • @NX_TOMCAT_INSTALL_DIR=/opt/CA/SharedComponents/tomcat/4.1.39

      <Please see attached file for image>

      Figure 17

  • Make a copy of /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/conf/

  • Copy all files in /opt/CA/SharedComponents/tomcat/4.1.39/conf/ to

    • /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/conf/

    • The conf directory should now look like the following:

      <Please see attached file for image>

      Figure 18

  • Make a copy of config.properties which is located in "/opt/CA/ServiceDesk/site/"

  • Modify config.properties as follows:

    • web.tomcat_home=/opt/CA/SharedComponents/tomcat/4.1.39

    • web.tomcat.service_name=Apache Tomcat 4.1

    • web.tomcat.version=4.1.39

      <Please see attached file for image>

      Figure 19

      <Please see attached file for image>

      Figure 20

  • Copy /opt/CA/SharedComponents/tomcat/4.1.39/webapps/examples to

    • /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/webapps/

    • Note: This will create a new "examples" directory in /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/webapps/

      <Please see attached file for image>

      Figure 21

  • Copy epbc.jar from /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/common/lib to

    • /opt/CA/SharedComponents/tomcat/4.1.39/common/lib

  • Make a copy of the wl.xml found in /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/webapps and alter the file extension to be ".xml_orig"

    • The extension CANNOT be ".xml" as this will cause issues if it is not altered

  • Add the following line to the wl.xml file found in /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/webapps:

    • <Environment name="CookieLevel" override="true" type="java.lang.Integer" value="2"/>

      <Please see attached file for image>

      Figure 22

  • Restart the Service Desk service

  • Users of the Service Desk Web interface will need to delete their "cookies" after the restart of the Service Desk service.

    • This is accomplished by opening Internet Explorer and clicking on Tools -> Internet Options.

    • This will cause the "Internet Options" form to open. Go to the "General" tab and click on the "Delete Cookies..." button.

    • Another form is then opened with the following question:

      • "Delete all cookies in the Temporary Internet Files folder?"

      • Please click on the "OK" button in this form.

    • Then click on the "OK" button back on the "General" tab in the "Internet Options" form.
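The UNIX steps above, from verifying the downloaded tarball through the wl.xml change, as an added example script. This is not part of the original article and is not CA's code: it assumes the directory layout the article describes, that wl.xml is a Tomcat context fragment whose root element is <Context> (so the Environment entry is inserted before </Context>), and that md5sum or openssl is available for the checksum comparison against the ".md5" file published beside the download. SD_HOME and TOMCAT_NEW can be pointed at a scratch copy to rehearse the run before touching the real server.

```shell
#!/bin/sh
# Added example (not from the article or CA): automates the file-level UNIX
# steps for Tomcat 4.1.39. Paths default to the article's locations; SD_HOME and
# TOMCAT_NEW may be overridden to rehearse the run on a scratch tree.
# Assumption: wl.xml is a Tomcat context fragment with a <Context> root element.

SD_HOME="${SD_HOME:-/opt/CA/ServiceDesk}"
TOMCAT_NEW="${TOMCAT_NEW:-/opt/CA/SharedComponents/tomcat/4.1.39}"
STAMP=$(date +%Y%m%d%H%M%S)

# verify_md5 TARBALL MD5FILE: compare the digest published beside the download
# (the ".md5" link on the download page) with the digest of what was fetched.
verify_md5() {
    expected=$(awk '{print $1}' "$2")
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$1" | awk '{print $1}')
    else
        actual=$(openssl dgst -md5 "$1" | awk '{print $NF}')
    fi
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# backup PATH: keep a timestamped copy before changing anything ("make a copy").
backup() {
    cp -R "$1" "$1.bak.$STAMP"
}

# set_key FILE KEY VALUE: replace an existing KEY=... line or append it.
# Used for both NX.env (@NX_... keys) and site/config.properties.
set_key() {
    file=$1; key=$2; value=$3
    esc_key=$(printf '%s' "$key" | sed 's/\./\\./g')          # literal dots in the pattern
    esc_val=$(printf '%s' "$value" | sed 's/[\/&\\]/\\&/g')   # escape sed specials
    if grep -q "^$esc_key=" "$file"; then
        sed "s/^$esc_key=.*/$key=$esc_val/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# add_cookie_level WL_XML: insert the CookieLevel Environment entry exactly once.
add_cookie_level() {
    entry='<Environment name="CookieLevel" override="true" type="java.lang.Integer" value="2"/>'
    grep -q 'name="CookieLevel"' "$1" && return 0
    awk -v entry="$entry" '/<\/Context>/ { print "  " entry } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# apply_tomcat_upgrade: the article's steps from "Make a copy of NX.env" through
# the wl.xml change. Stopping and restarting the Service Desk service is left to
# the operator, as is the download itself.
apply_tomcat_upgrade() {
    cb="$SD_HOME/bopcfg/www/CATALINA_BASE"
    [ -d "$TOMCAT_NEW" ] || { echo "missing $TOMCAT_NEW" >&2; return 1; }

    backup "$SD_HOME/NX.env"
    set_key "$SD_HOME/NX.env" "@NX_TOMCAT_INSTALL_DIR" "$TOMCAT_NEW"

    backup "$cb/conf"
    cp "$TOMCAT_NEW"/conf/* "$cb/conf/"

    backup "$SD_HOME/site/config.properties"
    set_key "$SD_HOME/site/config.properties" "web.tomcat_home" "$TOMCAT_NEW"
    set_key "$SD_HOME/site/config.properties" "web.tomcat.service_name" "Apache Tomcat 4.1"
    set_key "$SD_HOME/site/config.properties" "web.tomcat.version" "4.1.39"

    cp -R "$TOMCAT_NEW/webapps/examples" "$cb/webapps/"
    cp "$cb/common/lib/epbc.jar" "$TOMCAT_NEW/common/lib/"

    # keep the original under an extension Tomcat will not load as a context file
    cp "$cb/webapps/wl.xml" "$cb/webapps/wl.xml_orig"
    add_cookie_level "$cb/webapps/wl.xml"
}

# Only change the server when asked explicitly, e.g. after verify_md5 has passed:
#   sh upgrade.sh --run        (script name is a placeholder)
if [ "${1:-}" = "--run" ]; then
    apply_tomcat_upgrade
fi
```

The checksum check covers the integrity of the file that was actually downloaded from the chosen mirror; it does not replace checking the PGP signature against the Apache release keys. set_key is written to be idempotent so a second run corrects values rather than appending duplicate keys, and add_cookie_level refuses to insert the Environment entry twice, which matters if the procedure has to be repeated after a failed restart.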

Update: March, 2010. Tomcat 4.1.40 Support Statement

A new version of Tomcat, 4.1.40, is now available that addresses additional potential security issues:

Important: Information Disclosure CVE-2008-5515
Important: Denial of Service CVE-2009-0033
Low: Information disclosure CVE-2009-0580
Low: Cross-site scripting CVE-2009-0781
Low: Information disclosure CVE-2009-0783

Although the latest version of Tomcat certified with CA Service Desk and Workflow is 4.1.39, Tomcat 4.1.40 should also work with CA Service Desk if it is desired to go to this release. Note that this release is not officially certified with CA Service Desk. It should work without incident; however, CA Support retains the right to recommend that it be downgraded to 4.1.39 for testing purposes if there is a suspected issue with this version of Tomcat.

CA Workflow is not certified for use with Tomcat 4.1.40 at this time, so moving to Tomcat 4.1.40 is not recommended if this component is in use.

Environment

Release:
Component: ARGIS
