Description:

Tomcat needs to be at version 4.1.39 to avoid multiple vulnerabilities with which are present with the out-of-the-box version of Tomcat that comes with Service Desk r11.2 or below. This solution applies to both Windows and UNIX variant platforms.

Hyper PIB RI08615 has been published to the CA Service Desk Manager client base.

Solution:

Installing Tomcat 4.1.39 for Service Desk

The following instructions outline how to install and configure Tomcat 4.1.39 for use with Service Desk r11.x. If the Service Desk Server is running on a Windows server follow the instructions noted in the Windows subsection. If the Service Desk Server is UNIX then follow the instructions noted in the UNIX subsection.

This document can also be used to implement 4.1.40. Tomcat 4.1.40 is not officially certified with CA Service Desk. It should work without inicident, however, CA Support retains the right to recommend that Tomcat 4.1.40 be downgraded to 4.1.39 if there is a suspected issue with this version of Tomcat, for testing purposes.

Windows

• Create a new directory called:
  
  
  • C:\Program Files\CA\SharedComponents\Tomcat\4.1.39
    
    
• Please ensure you have WINZIP or a similar program installed on the Service Desk server.
  
  
• Stop the Service Desk service.
  
  
• Unzip Tomcat 4.1.39 from the following website into the above directory:
  
  
  • http://tomcat.apache.org/download-41.cgi
    
    
  • Please choose the "zip (md5, pgp)" file for "Full distributions for JDK 1.2 or later:" as seen in the screen below:
    
    

    <Please see attached file for image>

    e
    
    
• Double click on the "zip (md5, pgp)" link and then click on the "Open" button when the following screen appears:
  
  

  <Please see attached file for image>

  
  
  
• If using WINZIP, then click on the "Extract" button in the WINZIP tool bar:
  
  

  <Please see attached file for image>

  
  
  
• Drill down to the directory created above (C:\Program Files\CA\SharedComponents\Tomcat\4.1.39) and highlight it as shown below and then click on the "Extract" button:
  
  

  <Please see attached file for image>

  
  
  
  • Due to the fact that the zip file for Tomcat 4.1.39 contains a directory at the top called "apache-tomcat-4.1.39" and we need all of the directories beneath this to be directly under the C:\Program Files\CA\SharedComponents\Tomcat\4.1.39 (as seen below), please copy everything under the "apache-tomcat-4.1.39" to directory mentioned above and then delete the "apache-tomcat-4.1.39" directory.
    
    

    <Please see attached file for image>

    
    
    
• Once the above has been completed the c:\Program Files\CA\SharedComponents\Tomcat\4.1.39 directory should look like the following:
  
  

  <Please see attached file for image>

  
  
  
• Make a copy of the NX.env located in C:\Program Files\CA\Service Desk\
  
  
• Modify NX.env located in C:\Program Files\CA\Service Desk\ as follows:
  
  
  • @NX_TOMCAT_INSTALL_DIR = C:\Program Files\CA\SharedComponents\tomcat\4.1.39
    
    

    <Please see attached file for image>

    
    
    
• Make a copy of the directory
  
  
  • C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\conf\
    
    
• Copy all files in C:\Program Files\CA\SharedComponents\tomcat\4.1.39\conf\ to
  
  
  • C:\Progam Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\conf \
    
    
    • The "C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\conf" directory should now look like the following:
      
      

      <Please see attached file for image>

      
      
      
• Make a copy of config.properties located in C\Program Files\CA\Service Desk\site\
  
  

  <Please see attached file for image>

  
  
  
• Modify config.properties located in C\Program Files\CA\Service Desk\site\ as follows:
  
  
  • web.tomcat_home=c\:\\Program Files\\CA\\SharedComponents\\tomcat\\4.1.39
    
    
  • web.tomcat.service_name=Apache Tomcat 4.1
    
    
  • web.tomcat.version=4.1.39
    
    

    <Please see attached file for image>

    
    
    
• Copy
  
  
  • C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\webapps\Examples to:
    
    
  • C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\webapps\
    
    
    • Note: This will create a new "Examples"directory in the "C:\Program Files\CA\Service Desk\bopcfg\CATALINA_BASE\webapps" directory and it should look like the following after performing the copy:
      
      

      <Please see attached file for image>

      
      
      
• Copy epbc.jar from:
  
  
• C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\common\lib to:
  
  
• C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\common\lib
  
  
  • The C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\lib should look like the following after the move:
    
    

    <Please see attached file for image>

    
    
    
• Make a copy of the wl.xml file found in the C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\webapps directory and alter the file extension to ". xml_orig".
  
  
  • : The extension CANNOT be ".xml" this will cause issues if it is not altered.
    
    
• Add the following line to the wl.xml file found in the C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\webapps directory:
  
  
  • <Environment name="CookieLevel" override="true" type="java.lang.Integer"value="2"/>
    
    
  • The wl.xml file and the C:\Program Files\CA\Service Desk\bopcfg\www\CATALINA_BASE\webapps directory should look like the following after the rename and the modification:
    
    

    <Please see attached file for image>

    
    
    
• Rename the ".jar" files in the "C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\common\endorsed" directory so that their extension is ".jar_39".
  
  
  • NOTE: The extension CANNOT be ".jar" this will cause issues if it is not altered.
    
    
• Copy the ".jar" files from the
  
  
  • C:\Program Files\CA\SharedComponents\Tomcat\4.1.31\common\endorsed directory to
    
    
• The C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\common\endorsed directory.
  
  
• The C:\Program Files\CA\SharedComponents\Tomcat\4.1.39\common\endorsed directory should look like the following after the move:
  
  

  <Please see attached file for image>

  
  
  
• Restart the Service Desk service
  
  
• Users of the Service Desk Web interface will need to delete their "cookies" after the restart of the Service Desk service.
  
  
  • This is accomplished by opening IEXPLORER and clicking on Tools -> Internet Options .
    
    
  • This will cause the "Internet Options" form to open. Go to the "General" tab and click on the "Delete Cookies..." button.
    
    
  • Another form is then opened with the following question:
    
    
    • "Delete all cookies in the Temporary Internet Files folder?"
      
      
    • Please click on the "OK" button in this form.
      
      
  • Then click on the "OK" button back on the "General" tab in the "Internet Options" form.

Unix

• Please ensure you have GZIP installed on the Service Desk server.
  
  
• Stop the Service Desk service.
  
  
• Unzip Tomcat 4.1.39 from the following website into the above directory:
  
  
  • http://tomcat.apache.org/download-41.cgi
    
    
  • Please choose the "tar.gz (md5, pgp)" file for "Full distributions for JDK 1.2 or later:" as seen in the screen below.
    
    
  • Note that the "Other Mirrors" dropdown may need to be changed in order to find a mirror with the file available for download.
    
    

    <Please see attached file for image>

    
    
    
• Click on the "tar.gz (md5, pgp)" link and then click on the "Save" option. Save the file to a location appropriate for extraction, such as /opt/temp.
  
  
• Once the file has completed download, open a terminal and change directory to /opt/temp or where the file has been saved.
  
  
• Run GZIP. The following command unzips the file into the same directory:
  
  
  • gzip -d apache-tomcat-4.1.39.tar.gz
    
    
• Untar the file. The following command untars the file into the same directory:
  
  
  • tar -xvf apache-tomcat-4.1.39.tar
    
    
• This creates a new directory called "apache-tomcat-4.1.39" in the current working directory ("/opt/temp" in the current example).
  
  
• Copy this directory to "/opt/CA/SharedComponents/tomcat" and rename it to 4.1.39
  
  
  • cp -r apache-tomcat-4.1.39 /opt/CA/SharedComponents/tomcat/4.1.39
    
    
  • The directory "/opt/CA/SharedComponents/tomcat" should now look like the following:
    
    

    <Please see attached file for image>

    
    
    
• Make a copy of the NX.env located in /opt/CA/ServiceDesk/
  
  
• Modify NX.env located in /opt/CA/ServiceDesk/ as follows:
  
  
  • @NX_TOMCAT_INSTALL_DIR=/opt/CA/SharedComponents/tomcat/4/1/39
    
    

    <Please see attached file for image>

    br>
    
• Make a copy of /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/conf/
  
  
• Copy all files in /opt/CA/SharedComponents/tomcat4.1.39/conf/ to
  
  
  • /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/conf/
    
    
  • The conf directory should now look like the following:
    
    

    <Please see attached file for image>

    
    
    
• Make a copy of config.properties which is located in "/opt/CA/ServiceDesk/site/"
  
  
• Modify config.properties as follows:
  
  
  • web.tomcat_home=/opt/CA/SharedComponents/tomcat/4.1.39
    
    
  • web.tomcat.service_name=Apache Tomcat 4.1
    
    
  • web.tomcat.version=4.1.39
    
    

    <Please see attached file for image>

    
    
    

    <Please see attached file for image>

    
    
    
• Copy /opt/CA/SharedComponents/tomcat/4.1.39/webapps/examples to
  
  
  • /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/webapps/
    
    
  • Note: This will create a new "examples" directory in /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/webapps/
    
    

    <Please see attached file for image>

    
    
    
• Copy epbc.jar from /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/common/lib to
  
  
  • /opt/CA/SharedComponents/tomcat/4.1.39/common/lib
    
    
• Make a copy of the wl.xml found in /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/webapps and alter the file extension to be ".xml_orig"
  
  
  • The extension CANNOT be ".xml" as this will cause issues if it is not altered
    
    
• Add the following line to the wl.xml file found in /opt/CA/ServiceDesk/bopcfg/www/CATALINA_BASE/webapps:
  
  
  • <Environment name="CookieLevel" override="true" type="java.lang.Integer"value="2"/>
    
    

    <Please see attached file for image>

    
    
    
• Restart the Service Desk service
  
  
• Users of the Service Desk Web interface will need to delete their "cookies" after the restart of the Service Desk service.
  
  
  • This is accomplished by opening IEXPLORER and clicking on Tools -> Internet Options.
    
    
  • This will cause the "Internet Options" form to open. Go to the "General" tab and click on the "Delete Cookies..." button.
    
    
  • Another form is then opened with the following question:
    
    
    • "Delete all cookies in the Temporary Internet Files folder?"
      
      
    • Please click on the "OK" button in this form.
      
      
  • Then click on the "OK" button back on the "General" tab in the "Internet Options" form.

Update: March, 2010. Tomcat 4.1.40 Support Statement

A new version of Tomcat 4.1.40 is now available that addresses additional potential security issues:

Important: Information Disclosure CVE-2008-5515
Important: Denial of Service CVE-2009-0033
Low: Information disclosure CVE-2009-0580
Low: Cross-site scripting CVE-2009-0781
Low: Information disclosure CVE-2009-0783

Although the latest certified version of Tomcat with CA Service Desk and Workflow is 4.1.39, Tomcat 4.1.40 should also work with CA Service Desk if it is desired to go to this release. Note that this release is not officially certified with CA Service Desk. It should work without incident; however CA Support retains the right to recommend that this be downgraded to 4.1.39 if there is a suspected issue with this version of Tomcat, for testing purposes.

CA Workflow is not certified for use with Tomcat 4.1.40 at this time and it is not recommended to move to Tomcat 4.1.40 at this time if this component is in use.