-------------------------------------------------------------------------------
Fix Number: FJSVfsep-WAD-16-1601-0.s15.x86_64
Product Names and Versions: Fujitsu Enterprise Postgres WebAdmin 16
Creation date: 02.10.2024
-------------------------------------------------------------------------------
[High Risk Activity]
  The Customer acknowledges and agrees that the Product is designed, developed
  and manufactured as contemplated for general use, including without
  limitation, general office use, personal use, household use, and ordinary
  industrial use, but is not designed, developed and manufactured as
  contemplated for use accompanying fatal risks or dangers that, unless
  extremely high safety is secured, could lead directly to death, personal
  injury, severe physical damage or other loss (hereinafter "High Safety
  Required Use"), including without limitation, nuclear reaction control in
  nuclear facility, aircraft flight control, air traffic control, mass
  transport control, medical life support system, missile launch control in
  weapon system. The Customer shall not use the Product without securing the
  sufficient safety required for the High Safety Required Use. In addition,
  Fujitsu (or other affiliate's name) shall not be liable against the Customer
  and/or any third party for any claims or damages arising in connection with
  the High Safety Required Use of the Product.

  Product and company names mentioned in this manual are the trademarks or
  registered trademarks of their respective owners.

  Copyright 2024 FUJITSU LIMITED
-------------------------------------------------------------------------------
[Notes]
  - This is the readme for SUSE 15.
  - This patch can be applied only to the WebAdmin.
  - Apply the following patches at the same time.
      - FJSVfsep-WAD-16-1601-0.s15.x86_64.rpm
      - FJSVfsep-WAD-OPJ-16-1601-0.s15.x86_64.rpm
  - Back up the configuration file if secure communication is in use in the
    current environment. Otherwise, this step can be skipped.
      webAdminInstallDir/tomcat/conf/server.xml
  - Please stop WebAdmin and the instance before applying or removing the patch.
  - Please set up WebAdmin after applying or removing the patch.
  - If a backup was performed for the secure communication environment, please
    restore the previous configuration by updating the server.xml file.
      webAdminInstallDir/tomcat/conf/server.xml
  - Please start WebAdmin and the instance after applying or removing the patch.
  - If secure communication is selected during the setup phase, default
    certificates will be generated in the Tomcat installation directory. These
    certificates are for testing purposes only and must be replaced with proper
    CA-signed certificates.
      webAdminInstallDir/tomcat/keystore/
       _______________________________________________________________
      | Tomcat installation directory                                 |
      | ├── bin                                                       |
      | ├── Building.txt                                              |
      | ├── conf                                                      |
      | ├── CONTRIBUTING.md                                           |
      | ├── keystore                                                  |
      | │   ├── keystore.p12        → For HTTPS                       |
      | │   ├── clientbrowser.p12   → For client authentication       |
      | │   ├── clientkeystore.p12  → For client authentication       |
      | │   ├── truststore.p12      → For client authentication       |
      | │   ├── clientkeystore.conf → For client authentication       |
      | ├── …                                                         |
      |_______________________________________________________________|
  - Please perform the following steps to configure certificates.

    [Certificate configuration procedure]
    1) Prepare CA-signed certificates
       1) keystore.p12 (private and public keys included)
          - One server certificate for HTTPS
          - Used for data encryption
       2) clientbrowser.p12 (private key included)
          - One client certificate for browser-server authentication.
          - It will be registered in the user's browser.
          - The number of certificates generated corresponds to the number of
            clients (browsers) accessing WebAdmin.
       3) clientkeystore.p12 (private key included)
          - One client certificate for server-to-server authentication, which
            will be used by WebAdmin internally.
       4) truststore.p12 (clientbrowser.p12 and clientkeystore.p12)
          - Imported public keys of all client certificates
    2) Place certificates in keystore directory
       [Single-server configuration]
       1) Place keystore.p12, truststore.p12 and clientkeystore.p12 files in
          the "keystore" directory
       2) Import clientbrowser.p12 into your browser.
          If you use multiple clients (browsers), import the certificate into
          each browser.

          [How to import a .p12 certificate into Microsoft Edge]
          1) [Settings] - [Privacy, search, and services]
          2) [Security] - [Manage Certificates]
          3) [Personal]
          4) [Import] => Start the wizard
          5) Select the certificate you want to import
             (.p12 will not be displayed unless you select the file format)
          6) Enter the private key password
             (It should have been specified when creating the .p12 certificate)
             For the default test certificate clientbrowser.p12, enter
             "password".
          7) Restart Edge
          The import procedure may vary depending on the browser.

       [Multi-server configuration]
       1) Place keystore.p12, truststore.p12 and clientkeystore.p12 files in
          the "keystore" directory
       2) Import clientbrowser.p12 into your browser.
          If you use multiple clients (browsers), import the certificate into
          each browser.
       3) Import the public key corresponding to the private key in
          clientkeystore.p12 (local) into truststore.p12 (remote) on the other
          server you want to connect to.
    3) Update certificate information in server.xml and clientkeystore.conf
       files
       1) Populate server.xml with the information from keystore.p12 and
          truststore.p12.
          The server.xml file is located under webAdminInstallDir/tomcat/conf.
          - In case of HTTPS,
            - Set the "keystorePass" and "keyAlias" attributes to the password
              and alias for keystore.p12.
          - In case of HTTPS with client authentication,
            - Set the "keystorePass" and "keyAlias" attributes to the password
              and alias for keystore.p12.
            - Set the "truststorePass" attribute to the password for
              truststore.p12.
       2) Populate clientkeystore.conf with the information from
          clientkeystore.p12.
          The clientkeystore.conf file is generated by WebAdmin and its
          filename cannot be modified.
          - In case of HTTPS with client authentication,
            - Set the password for the private key imported into
              clientkeystore.p12 and the password and alias for
              clientkeystore.p12.
    4) Restart WebAdmin.
  - After configuring certificates, please access the WebAdmin GUI using the
    following URL.
      https://:
-------------------------------------------------------------------------------
[Patch Description]
  The following fixes are included in this patch:

Fix Number: FJSVfsep-WAD-16-1601-0.s15.x86_64

01 PH24015
  [ ]Security failure
  [ ]Serious failure ([ ]Degradation)
  [ ]Incompatibility does not exist / [*]Incompatibility exists
  - Frequency ([ ]Always / [ ]Rarely / [*]Irregularly)
  - Description
    Even if the number of login failures in WebAdmin exceeds the OS limit, the
    user is not locked.
  - Requirements to reproduce this issue
    [Environment]
      The following OS is used.
      - Linux
    [Occurrence Condition]
      This error may occur when the following conditions are met:
      1) The OS is set to limit the number of login failures.
         and
      2) The user used by WebAdmin is not locked by the OS.
         and
      3) Login is attempted with the same OS user as in 2) and an incorrect
         password more times than the limit.

    2. Login to WebAdmin is allowed using the login information of a user
       locked in the OS.
    [Environment]
      The following OS is used.
      - Linux
    [Occurrence Condition]
      This error may occur when the following conditions are met:
      1) The user used by WebAdmin is locked by the OS.
         and
      2) An attempt is made to log in to WebAdmin by using the login
         information of a locked OS user.
  - Action
    Fix the authentication process for WebAdmin on the Linux server.
  - Compatibility Information
    - Summary
      In WebAdmin, repeated login failures with the same user may lock that
      user.
    - Environment
      1) Apply emergency amendments including PH24015.
         and
      2) For Linux OS.
         and
      3) The maximum number of failures is set as the OS security policy.
    - Products combination of this compatibility problem
      If an emergency amendment including PH24015 is applied and the
      conditions specified in Occurrence Conditions apply.
    - Reason of conflictions
      The specification was modified to perform login authentication according
      to the OS security policy.
    - Impacts
      If login attempts continue to fail, the user may be locked.
    - Functional items (Summary, Before/After of migration)
      The behavior is different if login fails continuously.
      [Before]
        This can be repeated as many times as necessary, even if the login
        continues to fail.
      [After]
        If you have set a limit on the number of failed attempts, the user
        will be locked and will not be able to log in from anyone other than
        WebAdmin.
    - Preventive Method
      If your account is locked due to an authentication failure, ask your
      system administrator to unlock it.
    - Back out method of the functions
      None.
    - User action
      It is the same as the Preventive Method.

02 PH24026
  [ ]Security failure
  [ ]Serious failure ([ ]Degradation)
  [ ]Incompatibility does not exist / [*]Incompatibility exists
  - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
  - Description
    Communication between the browser and WebAdmin, and between WebAdmin
    servers, could not be encrypted, and client authentication by TLS could
    not be used.
  - Requirements to reproduce this issue
    1) When using WebAdmin
  - Action
    Implement HTTPS and client authentication in WebAdmin.
  - Compatibility Information
    1) HTTPS and client authentication setup questions are added to the
       WebAdminSetup command.
    2) HTTPS and client authentication settings must be the same in a
       multi-server configuration.
    3) The following data need to be backed up when uninstalling WebAdmin.
         webAdminInstallDir/tomcat/keystore
         webAdminInstallDir/tomcat/conf/server.xml

03 PH24027
  [*]Security failure
  [ ]Serious failure ([ ]Degradation)
  [*]Incompatibility does not exist / [ ]Incompatibility exists
  - Frequency ([*]Always / [ ]Rarely / [ ]Irregularly)
  - Description
    This fix applies Apache Tomcat changes to the product.
  - Requirements to reproduce this issue
    This fix applies Apache Tomcat 9.0.93 changes to the product.
    Please also refer to the Apache Tomcat changelog for details.
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
  - Action
    Apply Apache Tomcat changes to the product.
  - Compatibility Information
    None.
-------------------------------------------------------------------------------
[List of fixed files]
  Files replaced by the patch:
    $INS_DIR/cmd/checkdisk
    $INS_DIR/cmd/checkpgpid
    $INS_DIR/cmd/fsep_certify
    $INS_DIR/cmd/fsep_check
    $INS_DIR/cmd/fsep_cmd
    $INS_DIR/cmd/fsep_fchk
    $INS_DIR/cmd/fsep_services
    $INS_DIR/cmd/getdiskinf
    $INS_DIR/cmd/pspa_cirtify
    $INS_DIR/cmd/pspa_cmd
    $INS_DIR/cmd/pspa_fr
    $INS_DIR/cmd/pspa_fw
    $INS_DIR/cmd/pspa_pgctl
    $INS_DIR/cmd/tunekernel
    $INS_DIR/etc/template/ROOT/css/style.css
    $INS_DIR/etc/template/ROOT/images/favicon.ico
    $INS_DIR/etc/template/ROOT/images/logo.svg
    $INS_DIR/etc/template/ROOT/images/product-name.svg
    $INS_DIR/etc/template/ROOT/images/sprite.svg
    $INS_DIR/etc/template/ROOT/index.jsp
    $INS_DIR/etc/template/ROOT/js/script.js
    $INS_DIR/etc/template/server.xml.default
    $INS_DIR/lib/postgresql-jdbc42.jar
    $INS_DIR/sbin/WebAdminSetup
    $INS_DIR/tomcat/BUILDING.txt
    $INS_DIR/tomcat/CONTRIBUTING.md
    $INS_DIR/tomcat/LICENSE
    $INS_DIR/tomcat/NOTICE
    $INS_DIR/tomcat/README.md
    $INS_DIR/tomcat/RELEASE-NOTES
    $INS_DIR/tomcat/RUNNING.txt
    $INS_DIR/tomcat/bin/bootstrap.jar
    $INS_DIR/tomcat/bin/catalina-tasks.xml
    $INS_DIR/tomcat/bin/catalina.bat
    $INS_DIR/tomcat/bin/catalina.sh
    $INS_DIR/tomcat/bin/ciphers.bat
    $INS_DIR/tomcat/bin/ciphers.sh
    $INS_DIR/tomcat/bin/commons-daemon-native.tar.gz
    $INS_DIR/tomcat/bin/commons-daemon.jar
    $INS_DIR/tomcat/bin/configtest.bat
    $INS_DIR/tomcat/bin/configtest.sh
    $INS_DIR/tomcat/bin/daemon.sh
    $INS_DIR/tomcat/bin/digest.bat
    $INS_DIR/tomcat/bin/digest.sh
    $INS_DIR/tomcat/bin/makebase.bat
    $INS_DIR/tomcat/bin/makebase.sh
    $INS_DIR/tomcat/bin/setclasspath.bat
    $INS_DIR/tomcat/bin/setclasspath.sh
    $INS_DIR/tomcat/bin/shutdown.bat
    $INS_DIR/tomcat/bin/shutdown.sh
    $INS_DIR/tomcat/bin/startup.bat
    $INS_DIR/tomcat/bin/startup.sh
    $INS_DIR/tomcat/bin/tomcat-juli.jar
    $INS_DIR/tomcat/bin/tomcat-native.tar.gz
    $INS_DIR/tomcat/bin/tool-wrapper.bat
    $INS_DIR/tomcat/bin/tool-wrapper.sh
    $INS_DIR/tomcat/bin/version.bat
    $INS_DIR/tomcat/bin/version.sh
    $INS_DIR/tomcat/conf/catalina.policy
    $INS_DIR/tomcat/conf/catalina.properties
    $INS_DIR/tomcat/conf/context.xml
    $INS_DIR/tomcat/conf/jaspic-providers.xml
    $INS_DIR/tomcat/conf/jaspic-providers.xsd
    $INS_DIR/tomcat/conf/logging.properties
    $INS_DIR/tomcat/conf/server.xml
    $INS_DIR/tomcat/conf/tomcat-users.xml
    $INS_DIR/tomcat/conf/tomcat-users.xsd
    $INS_DIR/tomcat/conf/web.xml
    $INS_DIR/tomcat/lib/annotations-api.jar
    $INS_DIR/tomcat/lib/catalina-ant.jar
    $INS_DIR/tomcat/lib/catalina-ha.jar
    $INS_DIR/tomcat/lib/catalina-ssi.jar
    $INS_DIR/tomcat/lib/catalina-storeconfig.jar
    $INS_DIR/tomcat/lib/catalina-tribes.jar
    $INS_DIR/tomcat/lib/catalina.jar
    $INS_DIR/tomcat/lib/ecj-4.20.jar
    $INS_DIR/tomcat/lib/el-api.jar
    $INS_DIR/tomcat/lib/fepwa-security-0.0.1-SNAPSHOT.jar
    $INS_DIR/tomcat/lib/jasper-el.jar
    $INS_DIR/tomcat/lib/jasper.jar
    $INS_DIR/tomcat/lib/jaspic-api.jar
    $INS_DIR/tomcat/lib/jsp-api.jar
    $INS_DIR/tomcat/lib/servlet-api.jar
    $INS_DIR/tomcat/lib/tomcat-api.jar
    $INS_DIR/tomcat/lib/tomcat-coyote-ffm.jar
    $INS_DIR/tomcat/lib/tomcat-coyote.jar
    $INS_DIR/tomcat/lib/tomcat-dbcp.jar
    $INS_DIR/tomcat/lib/tomcat-i18n-cs.jar
    $INS_DIR/tomcat/lib/tomcat-i18n-de.jar
    $INS_DIR/tomcat/lib/tomcat-i18n-es.jar
    $INS_DIR/tomcat/lib/tomcat-i18n-fr.jar
    $INS_DIR/tomcat/lib/tomcat-i18n-ja.jar
    $INS_DIR/tomcat/lib/tomcat-i18n-ko.jar
    $INS_DIR/tomcat/lib/tomcat-i18n-pt-BR.jar
    $INS_DIR/tomcat/lib/tomcat-i18n-ru.jar
    $INS_DIR/tomcat/lib/tomcat-i18n-zh-CN.jar
    $INS_DIR/tomcat/lib/tomcat-jdbc.jar
    $INS_DIR/tomcat/lib/tomcat-jni.jar
    $INS_DIR/tomcat/lib/tomcat-util-scan.jar
    $INS_DIR/tomcat/lib/tomcat-util.jar
    $INS_DIR/tomcat/lib/tomcat-websocket.jar
    $INS_DIR/tomcat/lib/websocket-api.jar
    $INS_DIR/tomcat/temp/safeToDelete.tmp
    $INS_DIR/tomcat/webapps/ROOT/css/style.css
    $INS_DIR/tomcat/webapps/ROOT/images/favicon.ico
    $INS_DIR/tomcat/webapps/ROOT/images/logo.svg
    $INS_DIR/tomcat/webapps/ROOT/images/product-name.svg
    $INS_DIR/tomcat/webapps/ROOT/images/sprite.svg
    $INS_DIR/tomcat/webapps/ROOT/index.jsp
    $INS_DIR/tomcat/webapps/ROOT/js/script.js
    $INS_DIR/tomcat/webapps/fepwa-webagent.war
    $INS_DIR/tomcat/webapps/fepwa-webcontroller.war
    $INS_DIR/tools/instanceSetup.sh
    $INS_DIR/tools/makeconf.sh
-------------------------------------------------------------------------------
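
[Added example]
  Added example, not part of the Fujitsu readme or the product's code: a check for step 3 of the [Certificate configuration procedure] that reports which of the attributes named there (keystorePass, keyAlias, truststorePass) are missing from a server.xml connector, and whether a password is still "password". The sample server.xml, the alias "webadmin", the placement of the attributes on the Tomcat Connector element and the use of "password" as a default for stores other than clientbrowser.p12 are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the server.xml shipped with WebAdmin. It assumes the
# passwords and alias sit on the Tomcat <Connector> element; SSLEnabled,
# clientAuth and truststoreFile are standard Tomcat 9 Connector attributes.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="keystore/keystore.p12" keystorePass="password"
               keyAlias="webadmin" clientAuth="true"
               truststoreFile="keystore/truststore.p12"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

HTTPS_ATTRS = ("keystorePass", "keyAlias")   # readme step 3, "In case of HTTPS"
CLIENT_AUTH_ATTRS = ("truststorePass",)      # added for client authentication
# The readme gives "password" for the test clientbrowser.p12; treating it as
# the default for the other stores is an assumption of this example.
TEST_PASSWORD = "password"


def audit_server_xml(xml_text):
    """Return (port, message) findings for every Connector in server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "TLS is not enabled"))
            continue
        required = list(HTTPS_ATTRS)
        # Client authentication is in play if it is requested or a truststore is set.
        client_auth = conn.get("clientAuth", "false").lower() != "false"
        if client_auth or conn.get("truststoreFile"):
            required.extend(CLIENT_AUTH_ATTRS)
        for name in required:
            value = conn.get(name)
            if not value:
                findings.append((port, name + " is missing or empty"))
            elif name.endswith("Pass") and value == TEST_PASSWORD:
                findings.append((port, name + " is still the test password"))
    return findings


if __name__ == "__main__":
    for port, message in audit_server_xml(SAMPLE_SERVER_XML):
        print("connector " + port + ": " + message)
```

  Run it against a copy of webAdminInstallDir/tomcat/conf/server.xml after step 3 and before restarting WebAdmin in step 4.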