Applications Manager (Appworx) Upgrade

Products

CA Automic Applications Manager (AM)

Issue/Introduction

This article covers some of the Best Practices when upgrading Applications Manager / Appworx to version 9.5.0.

Environment

CA Automic Applications Manager 9.5.1

Resolution

APPLICATIONS MANAGER UPGRADE – BEST PRACTICES

Upgrade from Version 9.x to 9.5.1

Download Latest Version (at this time: 9.5.1)

Sources:

Upgrade Documentation

Requirements for installation:

Java installed - Running 'java -version' and 'which java' will give you the java version and directory where java is in
Oracle installed - Oracle should be installed and $ORACLE_HOME should be set
Sqlplus available - You should be able to run the sqlplus command and connect the the database instance using the AM Oracle username and password
The creation of the the AM oracle user and schema. The documentation for this is here
With 9.3 and higher, You must use a custom SSL certificate for connection authentication by creating user_keystore and user_keystore_config files on the Automation Engine and client machines. Click Here For Details

Using Custom SSL Certificates for Connection Authentication

Last Updated July 15, 2021

An SSL certificate is now necessary to connect Automation Engine with Remote Agent and Clients. Using your own certificate prevents unauthorized connections between the connection endpoints.

The SSL certificate provided can be a self-signed certificate or issued by a CA (Certificate Authority).

To configure the SSL certificate on your server.

Create a user_keystore file.

With self-signed certificate:

keytool -keystore user_keystore -keyalg RSA -genkey -alias "AM" -storetype JKS -storepass <password>

The following is a sample location where the file gets generated:

C:\Program Files\AdoptOpenJDK\jdk-11.0.6.10-hotspot\bin With CA issued certificate:

A .CER file can be imported to a keystore using the following command:

keytool -importcert -file certificate.cer -keystore user_keystore -alias "AM" -storetype JKS -storepass <password> -trustcacerts

To encrypt the password, go to the AW_HOME/web/classes directory, ensure that AW variables are exported and run the following command:

java -DAW_HOME=${AW_HOME} -cp AppWorx.jar;uc4-ra.jar com.appworx.util.EncryptKeystoreFile <password>

The following is a sample location where the file gets generated: AW_HOME\data

CA Issued Certificate

From 9.3.5 and above, if the Certificate is CA Issued Certificate, copy the generated user_keystore and

user_keystore_config files to the <install-dir>\data directory present on the Automation Engine machine.

If the certificate is self-signed, user_keystore and user_keystore_config files need to copied to Remote Agents and Client machines.

On each user's client machine, create a C:\Users\<user name>\AppWorx\<master name> folder for each master in the connections.properties

file where <user name> is the actual user's name and <master name> is the name of the master. Then place copies of the user_keystore and user_keystore_config files for each master in the sub-directory for that master.

This allows for different keystores to be used on each master.On each Remote Agent machine, the user_keystore and user_keystore_config files need to be copied to data directory of the Remote Agent installation directory.

Installation instructions:

Download the installation media to a directory outside of the installation home. For example:

Install directory = /home/appworx/AMMaster

Install media directory = /home/appworx/media/Applications.Manager_AM.Image_SOLARIS.AIX.LINUX.WINDOWS_9_3_5+build.1.zip

From the install media directory, Unzip the installation media by running command:

unzip Applications.Manager_AM.Image_SOLARIS.AIX.LINUX.WINDOWS_9_3_5+build.1.zip

3. After unzip, the installation script is located at:

/home/appworx/media/SOLARIS.AIX.LINUX.WINDOWS/V9/cdinst.sh

4. As the AM OS user, to start the installation script, cd to home install directory /home/appworx/AMMaster and simply run the installation from this directory by typing the following and hitting enter:

/home/appworx/media/SOLARIS.AIX.LINUX.WINDOWS/V9/cdinst.sh

5. Follow the on screen prompts and provide the necessary information requested. Below is a KE you can reference to see what prompts mean:

https://knowledge.broadcom.com/external/article?articleId=90581

6. Once you progress through the installation where you enter in the AM Oracle username password, you should select option 1 for install/upgrade.

7. This should be the bulk of the installation process and once this completes, the installation is complete minus the SSL certificate that you will need to generate (user_keystore) and the user_keystore_config. More information on this requirement at the link below:

8. For more information on opening the client please see the below links. The first link specifically talks about configuring and opening the client while the second link talks about where the user_keystore and user_keystore_config needs to be copied to to allow the client to successfully connect:

Opening the Applications Manager Client and Logging In

Additional Information:

CVE-2021-44228 - log4j vulnerability and AppWorx / Automic Application Manager

Applications Manager ships Log4J library. This library is a transitive dependency required for Apache Commons Logging library (commons-logging-1.2.jar). We don't directly invoke classes from this library directly, instead we use in-house code for logging messages.

For AM 9.3.0:

Applications Manager v9.3.x ships Log4j v1.2.8 which is not vulnerable to Zero-day exploit. Hence Applications Manager v9.3.x is NOT vulnerable.

RA Banner 4.0 or older ships Log4J v.1.2.x and hence the product is NOT vulnerable.

For AM 9.4.0:

Please find 9.4.0 Hotfixes for Zero vulnerability issues as below:

Applications Manager: AM v9.4.0.HF1

RA Banner: RA Banner 4.1.1

Note: Applications Manager v9.4.0 ships Log4j2 v2.14.1 library which has been marked as vulnerable. One of the requirements of exploitations of the ZERO-DAY attack is to log the input using Log4J2, which we don't use, and hence there is minimal chance of exploitation. Nevertheless, we would still request our customers to upgrade the vulnerable library to our hotfixes above.

Additional Information

1) CVE-2021-44228 - log4j vulnerability and AppWorx / Automic Application Manager - https://knowledge.broadcom.com/external/article?articleId=230316

Additional Links:

It is highly advisable to take a complete backup of the system including the database and test the upgrade on pre-production environment prior to production.

3) Advance OAE queuing was introduced in 9.2.0. If you are running an earlier 9.x OAE agent , you will need to perform the additonal steps to upgrade the OAE agent documented here:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/applications-manager/9-4-1/Release-Information/Release-Notes.html

Did You know?

Broadcom support can help review your pre-upgrade plan! Please work with your accounts team /open a support case vis support.broadcom.com with your plan.