Environment
Sentinel Log Manager 1.1
Situation
Sentinel Log Manager 1.1 shipped with a version of Tomcat, 6.0.18, that has a known security vulnerability, CVE-2010-2227. To avoid issues with compliance within the SIEM environment it is necessary to download and update to Tomcat version 6.0.29. Sentinel Log manager 1.2 will include the updated tomcat version.
Resolution
Below are the steps to update Tomcat from the shipped version, 6.0.18, to the version which contains the fix for CVE-2010-2227, 6.0.29;
Step 1: Stop SLM server
Step 2: Extract downloaded apache-tomcat-6.0.29.tar.gz in {install_directory}/3rdparty/ so you'll get {install_directory}/3rdparty/apache-tomcat-6.0.29/
Step 3: Go to {install_directory}/3rdparty/apache-tomcat-6.0.29/ directory
Step 4: (Optional) Delete directories docs and examples from {install_directory}/3rdparty/apache-tomcat-6.0.29/webapps/
Step 5: (Optional) Delete directory logs from {install_directory}/3rdparty/apache-tomcat-6.0.29/
Step 6: Copy following lines from {install_directory}/3rdparty/apache-tomcat-6.0.29/conf/server.xml to {install_directory}/3rdparty/tomcat/conf/server.xml at an appropriate matching location
Step 9: Copy META-INF, WEB-INF, novellsiemdownloads, favicon.ico and index.html from {install_directory}/3rdparty/tomcat/webapps/ROOT/ directory to {install_directory}/3rdparty/apache-tomcat-6.0.29/webapps/ROOT/ directory overwriting existing ones
Step 10: Copy novelllogmanager, SentinelRESTServices, novelllogmanager.war and SentinelRESTServices.war from {install_directory}/3rdparty/tomcat/webapps/ directory to {install_directory}/3rdparty/apache-tomcat-6.0.29/webapps/ directory
Step 11: Copy last line (
Step 12: Change ownership and group of {install_directory}/3rdparty/apache-tomcat-6.0.29/ directory to novell:novell recursively
Step 13: Change permissions for {install_directory}/3rdparty/apache-tomcat-6.0.29/ directory to 700 recursively
Step 14: Rename {install_directory}/3rdparty/tomcat/ directory to {install_directory}/3rdparty/tomcat_old/
Step 15: Rename {install_directory}/3rdparty/apache-tomcat-6.0.29/ directory to {install_directory}/3rdparty/tomcat/
Step 16: Start SLM server
Step 1: Stop SLM server
Step 2: Extract downloaded apache-tomcat-6.0.29.tar.gz in {install_directory}/3rdparty/ so you'll get {install_directory}/3rdparty/apache-tomcat-6.0.29/
Step 3: Go to {install_directory}/3rdparty/apache-tomcat-6.0.29/ directory
Step 4: (Optional) Delete directories docs and examples from {install_directory}/3rdparty/apache-tomcat-6.0.29/webapps/
Step 5: (Optional) Delete directory logs from {install_directory}/3rdparty/apache-tomcat-6.0.29/
Step 6: Copy following lines from {install_directory}/3rdparty/apache-tomcat-6.0.29/conf/server.xml to {install_directory}/3rdparty/tomcat/conf/server.xml at an appropriate matching location
<!-- Prevent memory leaks due to use of particular java/javax APIs-->Step 7: Copy following lines from {install_directory}/3rdparty/tomcat/conf/web.xml to {install_directory}/3rdparty/apache-tomcat-6.0.29/conf/web.xml at an appropriate matching location
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<!-- This security-constraint constraint forces HTTPS to be used, even if the userStep 8: Copy server.xml and logging.properties from {install_directory}/3rdparty/tomcat/conf/ directory to {install_directory}/3rdparty/apache-tomcat-6.0.29/conf/ directory overwriting existing ones
attempts to connect to HTTP. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Automatic SLL Forwarding</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Step 9: Copy META-INF, WEB-INF, novellsiemdownloads, favicon.ico and index.html from {install_directory}/3rdparty/tomcat/webapps/ROOT/ directory to {install_directory}/3rdparty/apache-tomcat-6.0.29/webapps/ROOT/ directory overwriting existing ones
Step 10: Copy novelllogmanager, SentinelRESTServices, novelllogmanager.war and SentinelRESTServices.war from {install_directory}/3rdparty/tomcat/webapps/ directory to {install_directory}/3rdparty/apache-tomcat-6.0.29/webapps/ directory
Step 11: Copy last line (
CLASSPATH="/opt/novell/sentinel_log_mgr/lib/sentinel-logging.jar${CLASSPATH:+:}${CLASSPATH}")
to add sentinel-logging.jar to CLASSPATH of tomcat from
{install_directory}/3rdparty/tomcat/bin/setclasspath.sh to end of
{install_directory}/3rdparty/apache-tomcat-6.0.29/bin/setclasspath.sh.Step 12: Change ownership and group of {install_directory}/3rdparty/apache-tomcat-6.0.29/ directory to novell:novell recursively
Step 13: Change permissions for {install_directory}/3rdparty/apache-tomcat-6.0.29/ directory to 700 recursively
Step 14: Rename {install_directory}/3rdparty/tomcat/ directory to {install_directory}/3rdparty/tomcat_old/
Step 15: Rename {install_directory}/3rdparty/apache-tomcat-6.0.29/ directory to {install_directory}/3rdparty/tomcat/
Step 16: Start SLM server