Installation Instructions for Hot Fix S48012

Solaris for x64


Hot fix S48012 addresses the issue(s) in SAS Web Server 9.4_M1 as documented in the Issue(s) Addressed section of the hot fix download page:

http://ftp.sas.com/techsup/download/hotfix/HF2/S48.html#S48012


S48012 is a "container" hot fix that contains the following "member" hot fixes which will update the software components as needed.

S44012  updates  SAS Environment Manager 2.1_M1
N48011  updates  SAS Web Server 9.4

See What is a container hot fix? in the Hot Fix FAQ for more information about container hot fixes.


Before applying this hot fix, follow the instructions in SAS Note 35968 to generate a SAS Deployment Registry report, then verify that the appropriate product releases are installed on your system. The release number information in the Registry report should match the 'member' release number information provided above for the software components installed on each machine in your deployment.

The hot fix downloaded, S48012pt.zip, includes the updates required for all components listed above on all applicable operating systems. To apply this hot fix on multiple machines, you can either save S48012pt.zip on each machine or save it in a network location that is accessible to all machines.

Do NOT extract the contents of S48012pt.zip. The hot fix installation process will extract the contents as needed.

SPECIAL NOTE REGARDING SECURITY VULNERABILITY

This hot fix requires that your software must already be configured prior to installation. If no configuration directory exists at the time of installation, security updates built into this hot fix will not be completed, leaving your software in a vulnerable state.

IMPORTANT NOTES

  1. Files delivered in this hot fix will be backed up during the installation process. However, it is good general practice to back up your system before applying updates to software.

  2. You must have Administrator Privileges on your CLIENT or SERVER machine.

  3. All currently active SAS sessions, daemons, spawners and servers must be terminated before applying this hot fix.

  4. This hot fix should be installed using the same userid who performed the initial software installation.

  5. CONFIGURATION: No automatic configuration scripting is included for this hot fix. If you have previously configured software installed, the SAS Deployment Manager may present a screen where you will see "Apply SAS Hot Fixes" and "Configure SAS Hot Fixes" options. On this screen, you must ensure that the "Configure SAS Hot Fix" option is *not* selected. If this option is automatically selected, please de-select it prior to proceeding with the SAS Deployment Manager Screens. Failure to do so could have unintended consequences when applying this hot fix.


INSTALLATION

Hot Fix S48012 must be installed on each machine where the updated components of the product, listed above, are installed. During the installation process you may see references to all operating systems for which updates are provided in the hot fix. The installation process will determine the operating system and which component(s) of SAS Web Server 9.4 require updating on the machine. See SAS Note 44810 for more details.

The hot fix will be applied using the SAS Deployment Manager. By default, the SAS Deployment Manager will search in the <SASHOME>/InstallMisc/HotFixes/New directory for hot fixes to be applied, but will also prompt for a location if you have downloaded hot fixes to a different directory.

After downloading S48012pt.zip, follow the instructions for applying hot fixes in the SAS Deployment Wizard and SAS Deployment Manager 9.4: User's Guide.

Please review the CONFIGURATION Important Note above concerning proper selection of the "Configure SAS Hot Fix" option in the SAS Deployment Manager.


The hot fix installation process generates the log file

<!SASHOME>/InstallMisc/InstallLogs/IT_date-and-time-stamp.log
for example, IT_2011-10-31-13.18.21.log. Each attempt to apply a hot fix results in the creation of a new log file giving detailed information regarding the installation process.

Postexec log files are created after the installation is completed and identifies the files that were added, backed up, changed and removed. These log files include the ‘member’ hot fix id in the name of the file and are also written to the <!SASHOME>/InstallMisc/InstallLogs directory. There is one postexec log for each ‘member’ hot fix applied (member hot fixes are listed at the top of these instructions).


IMPORTANT NOTE Regarding SSL/TLS:

If your SAS Web Server is configured for SSL/TLS, you will need to install the latest Java 7 Update. Please visit the Updates for Java 7 download page for the latest available updates.

POST-INSTALLATION INSTRUCTIONS

  1. Navigate to <SASHome>/SASWebServer/9.4/hotfix

    1. Execute the following command:

      sasws_jarfix-sax.sh <SASHome location>

      where <SASHome location> is the full path to SASHome

    2. Examine sasws_jarfix_<datetimestamp>.log located in the directory where the tool was executed. The log will contain the configuration directories the tool found specified with the text (SASCONFIG: ). If you have an installation where there are multiple configuration directories and one or more are missing from the log, re-execute the sasws_jarfix tool and specify both SASHome and the SAS Configuration directory.

      For example:

      sasws_jarfix-sax.sh <SASHome location> <SAS Configuration location>
      Note: The tool can safely be run multiple times.

    3. Any errors that are found will be written to the error log located in the same directory that the code is executed from.

  2. Edit the sas.conf file under <SASConfig>/LevX/Web/WebServer/conf as follows (where LevX is equivalent to Lev1, Lev2, etc.):
    Change:
    CustomLog "|<SASHome>/SASWebServer/9.4/httpd-2.2/bin/rotatelogs
    <SASConfig>/LevX/Web/WebServer/logs/access.log 50M" common
    to
    CustomLog "|<SASHome>/SASWebServer/9.4/httpd-2.4/bin/rotatelogs
    <SASConfig>/LevX/Web/WebServer/logs/access.log 50M" common

  3. If you have configured SSL/TLS manually for SAS Web Server post-deployment, to use SAS Environment Manager to monitor SAS Web Server, complete the following steps:

    1. Edit the <SASConfig>/LevX/Web/WebServer/conf/httpd.conf file and make the following changes:

      Replace the line

      Listen 80
      with the following line:
      Listen localhost:7980

      IMPORTANT NOTE:  If you use a non-default port, please enter that port number instead of the one listed above

    2. Edit the <SASConfig>/LevX/Web/WebServer/conf/extra/httpd-ssl.conf file and make the following changes:
      Locate the following lines for the certificate file and key file and enter the correct filenames:

      SSLCertificateFile "ssl/myhost.crt"
      SSLCertificateKeyFile "ssl/myhost.key"
      SSLCertificateChainFile "ssl/myhost.crt

  4. If you manually configured SSL/TLS for SAS Web Application Server, complete the following step

    1. Edit the <SASConfig>/LevX/Web/WebServer/conf/sas.conf file and add the following two lines:
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
  5. If you configured SSL/TLS for SAS Web Server, SAS Environment Manager is not configured for SSL/TLS, and is also on the same machine as the Web Server, complete this step if applicable:

    1. Edit the <SASConfig>/LevX/Web/WebServer/conf/sas.conf file and comment out the following directive:
      Replace the line
      Header set Strict-Transport-Security "max-age=31536000"
      with the following line:
      #Header set Strict-Transport-Security "max-age=31536000"
  6. If you have configured the Web Server to use the secure sockets HTTPS protocol then the following steps can be skipped.

    After applying this hot fix, the Pivotal Web Server has been updated to version 6.2. In order for SAS Environment Manager to discover Pivotal Web Server 6.2, please complete the steps below to activate the new plugin.

    Note: You must restart all servers and web applications prior to executing the steps below:

    For more information on the proper order for starting servers, go to SAS® 9.4 Intelligence Platform: System Administration Guide, Fourth Edition and review the section entitled "Starting, Stopping and Checking the Status of Servers".

    1. Log into the SAS Environment Manager console.

    2. Select Resources -> Browse from the Resources dropdown. Then click the Servers link. A list of servers will be displayed.

    3. If there is a Web Server in the discovered server list, click its checkbox. The discovered Web Server name may look like "xxxxxxxx Pivotal Web Server 6.x WebServer" or "xxxxxxxx vFabric Web Server 6.x".

    4. Click the Delete button at the bottom of the webpage to remove this Web Server instance. Then click OK in the confirmation dialog.

    5. Select Dashboard in the webpage toolbar. If there is a Pivotal Web Server 6.2 in Auto-Discovery section, then check the resource and click the Add Into Inventory link. After you add the resource into inventory, please skip the following steps. Otherwise, complete the remaining steps to add the new Web Server to the inventory.

    6. Select Resources -> Browse again, and click the Platforms link. Then click on the machine platform where the Web Server is installed.

    7. Select New Auto-Discovery from the Tools Menu dropdown to request that a new discovery process run.

    8. On the New Auto-Discovery page, click on the Pivotal Web Server 6.2 checkbox. Then click the OK button near the bottom of the webpage.

    9. Select Dashboard in the webpage toolbar. Refresh the dashboard page repeatedly until the newly discovered Web Server appears in the webpage's Auto-Discovery section. Then check the resource and click the Add Into Inventory link.

      Note: If you cannot find the new Pivotal Web Server 6.2 resource in Resources -> Servers page after you clicked the Add Into Inventory link, login to the machine where the Pivotal Web Server 6.2 is installed, stop the Environment Manager Agent on this machine, re-name the data directory under <SASConfig>/LevX/Web/SASEnvironmentManager/agent-5.8.0-EE/ to data_backup, and then restart the Environment Manager Agent. Restarting the Agent must be done by using the hq-agent script with the ‘restart’ option. The new Pivotal Web Server 6.2 resource should appear on the Auto-Discovery section. Select and click the Add Into Inventory link to add this new resource into inventory.

  7. If your SAS Web Server is configured for SSL/TLS and also have any configured LASR Servers running on the system,you will need to apply the follow steps.

    1. Modify the \LevX\Web\WebServer\conf\extra\httpd-ssl.conf file.

      1. Replace the SSLProtocol directive:
        From

        SSLProtocol all -SSLv2 -SSLv3

        To

        SSLProtocol all

      2. Replace the SSLCipherSuite directive:
        From

        SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM -SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128 -SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128 -GCM-SHA256:AES256-SHA256:AES128-SHA256

        To

        SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5

    2. Modify the \LevX\Web\WebAppServer\SASServerX_X\conf\server.xml file for each SAS Web App Server instances on every midtier machine.

      Remove the following two attributes inside <Connector> element in this server.xml:

      ciphers="TLS_ECDHE_ECDSA_W..................."
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

    3. Restart web server and all web app servers.

IMPORTANT NOTES Regarding hot fix updates:

  1. This hot fix will create a backup configuration directory under <SASConfig>/LevX/Web/WebServerBackup. If you manually changed any configuration settings for SAS Web Server, you must manually merge these settings back into the new web server configuration.

  2. This hot fix updates the Apache httpd server from version 2.2 to version 2.4. Any manually configured changes for SAS Web Server related to Apache 2.2 will need to be updated to reflect Apache 2.4.

  3. For SiteMinder configuration using the updated Apache version, please review information in SAS® 9.4 Intelligence Platform: Middle-Tier Administration Guide, Fourth Edition
    For the updated Apache version delivered in this hot fix, step 2 under "Configuring SAS Web Server for the Web Agent" should read as follows:

    Edit the <SASConfig>/LevX/Web/WebServer/conf/httpd.conf file. Add lines that are similar to the following at the beginning of the LoadModule directives:
    LoadModule sm_module "C:/Program Files (x86)/CA/webagent/bin/mod_sm24.dll"
    SmInitFile "C:/SAS/Config/Lev1/Web/WebServer/conf/WebAgent.conf"
    For UNIX deployments, the name of the library is libmod_sm24.so instead of mod_sm24.dll.



CONFIGURING THIS HOT FIX ON A HORIZONTAL MID-TIER CLUSTER

For initial mid-tier cluster configuration, follow the information provide in SAS Note 59810

Additional manual steps are required to successfully configure these updates on a horizontal mid-tier cluster. See SAS Note SAS Note 60103 for further instructons.



This completes the installation of hot fix S48012 on Solaris for x64.


Copyright 2018 SAS Institute Inc. All Rights Reserved.