A Step-By-Step Guide to Symantec SiteMinder Access Gateway Apache Ghostcat Patch Procedures in UNIX/Linux

Article By: Tiffany Kongpachith

In SiteMinder Release 12.8 through 12.8.03, Broadcom delivers a fix for CVE-2020-1938 (the Ghostcat vulnerability) in the Apache Tomcat instance embedded in the Access Gateway, shipped as a patch on top of the latest SiteMinder release. This guide is designed for users who will be applying that Ghostcat patch: it lists the steps to apply it and the verification points needed to confirm that the Access Gateway has picked up the changes in your customer's environment.

For more information regarding CVE-2020-1938, refer to the Apache Tomcat security documentation.

Prerequisites:

  • The Access Gateway is fully implemented and configured.
  • The SiteMinder components have been upgraded to the latest release, 12.8.03.
  • The Access Gateway has been upgraded to the latest release, 12.8.03.
  • The user knows, for their implementation, where the Access Gateway install directory is located (referred to below as ${sps_home}/).
  • The user knows, for their implementation, where the ${JAVA_ROOT} directory is located.
  • A Linux “root” account is available to disable IPv6 on the Access Gateway server and to verify that IPv6 is disabled.

Step 1: Download the Ghostcat Vulnerability Solution

1. Go to the Broadcom Download Management site, select the Single Sign-On solution, then open the Solutions Downloads page and download the patch for CVE-2020-1938 (the Ghostcat vulnerability).

Note: The patch contains the following twenty-one (21) .jar files for the Tomcat instance embedded in the Access Gateway:

  • proxyrt.jar
  • annotations-api.jar
  • catalina.jar
  • catalina-ant.jar
  • catalina-ha.jar
  • catalina-tribes.jar
  • ecj-4.4.2.jar
  • el-api.jar
  • jasper.jar
  • jasper-el.jar
  • jsp-api.jar
  • servlet-api.jar
  • tomcat-api.jar
  • tomcat-coyote.jar
  • tomcat-dbcp.jar
  • tomcat-i18n-es.jar
  • tomcat-i18n-fr.jar
  • tomcat-i18n-ja.jar
  • tomcat-i18n-ru.jar
  • tomcat-jdbc.jar
  • tomcat-util.jar

2. Save the patch (delivered as a ZIP archive) to a staging directory and extract it there, so that its contents are ready to be copied into the ${sps_home}/Tomcat/lib directory. Do not copy anything into lib yet; the original .jar files are backed up first in Step 2.

For example:

“unzip [DownloadedPatch].zip” (use “tar -xvf [DownloadedPatch].tar” only if the download is a tar archive; GNU tar does not extract ZIP files)

3. Verify that IPv6 has been DISABLED on the Access Gateway server before proceeding.

For example:

  • “ifconfig” (no inet6 addresses should be listed)
  • “ip -6 addr” (should print nothing)
  • “sysctl -a 2>/dev/null | grep disable_ipv6”

If IPv6 was disabled on the kernel command line (ipv6.disable=1 in the GRUB2 boot entry), the kernel never creates the net.ipv6 sysctl tree, so the sysctl command prints nothing; empty output therefore means IPv6 is disabled. If IPv6 was instead disabled through sysctl, the output should show net.ipv6.conf.all.disable_ipv6 = 1 (and the same for default); a value of 0 means IPv6 is still enabled.

4. Stop the Access Gateway.

Step 2: Create a Backup Directory for JAR Files

1. Log in to the server containing the SiteMinder Access Gateway with the associated service account for the environment.

2. Once the Access Gateway services have stopped, navigate to the ${sps_home}/Tomcat/lib directory.

3. Important! 

Create a backup directory called “backup” inside the lib directory to hold the original versions of the twenty-one (21) .jar files.

Note: The directory can be created with a client such as WinSCP or with the “mkdir” command, whichever the user prefers.
For example: “mkdir backup”

4. Move the original twenty-one (21) .jar files into the newly created backup directory.

Note: Take note of the date and time stamps of the original .jar files before moving them, so that the originals and the patched files can be told apart if the change has to be reverted.

For example: “mv ______.jar backup/” (run from within ${sps_home}/Tomcat/lib; the backup directory is relative to lib, not the filesystem root)

5. The extracted ZIP archive contains the same set of twenty-one (21) .jar files. Copy the new .jar files into the ${sps_home}/Tomcat/lib directory.

Note: Again, take note of the date and time stamps of the new .jar files, so that they can be distinguished from the originals if the change has to be reverted.

Step 3: Edit the server.conf File

1. Log in to the server containing the SiteMinder Access Gateway with the associated service account for the environment.

2. Next, navigate to the ${sps_home}/proxy-engine/conf directory and edit the server.conf file.

3. At the top of the server.conf file, in the #General Server Information section, add the ajp_secret setting:

Note: ajp_secret defines the shared secret (password) that Tomcat and the Access Gateway use to authenticate AJP connections, so that unauthorized AJP clients are rejected. The value must be specified without quotation marks.

For example:

4. Save the configuration changes in the server.conf file.

5. Restart the Access Gateway.

Important! 

It is recommended to review the initial steps on the Broadcom Techdocs Access Gateway Troubleshooting page if the gateway does not start cleanly after the restart.
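The procedure in Steps 1 through 3 as one script. This is an added example, not Broadcom's or the article author's own code. It assumes, beyond what the article states, that the gateway is stopped and started with ${sps_home}/proxy-engine/sps-ctl, that the extracted patch holds the jars flat in one directory, and that the ajp_secret line is written as ajp_secret=<value> (the article only says the value is unquoted; confirm the exact line against the Broadcom Techdocs for your release). The IPv6 check takes the text of sysctl -a as an argument so it can be exercised without touching the host.

```shell
#!/usr/bin/env bash
# Added example, not Broadcom's or the article's own script: the Step 1.3
# IPv6 check, the Step 2 backup and jar replacement and the Step 3
# server.conf edit. Assumed (not stated in the article): the gateway is
# stopped/started with ${sps_home}/proxy-engine/sps-ctl, the extracted patch
# holds the jars flat in one directory, and the ajp_secret line is written
# as ajp_secret=<value> (the article only says the value is unquoted).
set -u

# The twenty-one jar files from the article's Step 1 note.
PATCH_JARS="proxyrt.jar annotations-api.jar catalina.jar catalina-ant.jar
catalina-ha.jar catalina-tribes.jar ecj-4.4.2.jar el-api.jar jasper.jar
jasper-el.jar jsp-api.jar servlet-api.jar tomcat-api.jar tomcat-coyote.jar
tomcat-dbcp.jar tomcat-i18n-es.jar tomcat-i18n-fr.jar tomcat-i18n-ja.jar
tomcat-i18n-ru.jar tomcat-jdbc.jar tomcat-util.jar"

# Step 1.3: given the text of `sysctl -a`, succeed when IPv6 is disabled:
# no disable_ipv6 keys at all (kernel booted with ipv6.disable=1, so the
# net.ipv6 tree is absent) or net.ipv6.conf.all.disable_ipv6 = 1.
ipv6_disabled_in() {
  if ! printf '%s\n' "$1" | grep -q 'disable_ipv6'; then
    return 0
  fi
  printf '%s\n' "$1" | grep -q '^net\.ipv6\.conf\.all\.disable_ipv6 = 1$'
}

# Number of jars from the patch list present in a directory.
count_jars() {
  n=0
  for jar in $PATCH_JARS; do
    [ -f "$1/$jar" ] && n=$((n + 1))
  done
  echo "$n"
}

# Step 2: move the originals into lib/backup and write a sha256 manifest so
# a later revert can be checked file by file, not just by timestamp.
backup_jars() {
  lib="$1"; bak="$lib/backup"          # $1 = ${sps_home}/Tomcat/lib
  mkdir -p "$bak"
  for jar in $PATCH_JARS; do
    [ -f "$lib/$jar" ] && mv "$lib/$jar" "$bak/$jar"
  done
  (cd "$bak" && sha256sum *.jar > MANIFEST.sha256)
}

# Step 2.5: copy the patched jars in (cp -p keeps the patch build timestamps,
# so they stay distinguishable from the originals) and warn if a patched jar
# is byte-identical to the original it replaces. Returns the number missing.
install_jars() {
  src="$1"; lib="$2"; missing=0        # $1 = extracted patch dir
  for jar in $PATCH_JARS; do
    if [ ! -f "$src/$jar" ]; then
      echo "patch is missing $jar" >&2; missing=$((missing + 1)); continue
    fi
    if cmp -s "$src/$jar" "$lib/backup/$jar" 2>/dev/null; then
      echo "warning: $jar is identical to the backed-up original" >&2
    fi
    cp -p "$src/$jar" "$lib/$jar"
  done
  return "$missing"
}

# Step 3: add ajp_secret directly under "# General Server Information" unless
# one is already set; reject values that would need quoting.
ensure_ajp_secret() {
  conf="$1"; secret="$2"               # $1 = proxy-engine/conf/server.conf
  case "$secret" in
    ""|*\"*|*\'*|*\ *) echo "ajp_secret must be non-empty with no quotes or spaces" >&2; return 2 ;;
  esac
  grep -q '^ajp_secret=' "$conf" && return 0
  cp -p "$conf" "$conf.pre-ghostcat"   # keep the original for a revert
  awk -v s="$secret" '
    { print }
    /^# General Server Information/ && !done { print "ajp_secret=" s; done = 1 }
    END { if (!done) print "ajp_secret=" s }
  ' "$conf" > "$conf.tmp" && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

main() {                               # $1 = ${sps_home}, $2 = patch dir, $3 = secret
  ipv6_disabled_in "$(sysctl -a 2>/dev/null)" || { echo "IPv6 is still enabled; see Step 1.3" >&2; return 1; }
  "$1/proxy-engine/sps-ctl" stop       # assumed control script
  backup_jars "$1/Tomcat/lib"
  install_jars "$2" "$1/Tomcat/lib" || return 1
  ensure_ajp_secret "$1/proxy-engine/conf/server.conf" "$3" || return 1
  "$1/proxy-engine/sps-ctl" start
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it as `./ghostcat-patch.sh /opt/CA/secure-proxy /tmp/ghostcat-patch <secret>` from the service account (after disabling IPv6 as root). The manifest written by backup_jars is what you diff against if the gateway fails to start and the jars have to be restored; the server.conf backup serves the same purpose for the configuration change.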

Step 4: Access Gateway Ghostcat Patch Verifications 

Ensure the SPS Environment Script Sets the FIPS Mode to COMPAT

1. Log in to the server containing the SiteMinder Access Gateway with the associated service account for the environment.

2. Navigate to the ${sps_home}/ directory.

3. Locate and view the ca_sps_env.sh environmental script.

Note: If transferring the file to Windows for editing, ensure the text editor keeps Linux line endings (LF only, no carriage returns); a script saved with CRLF endings will not be sourced correctly.

For example:

4. Locate the line CA_SM_PS_FIPS140= and ensure its value is COMPAT, because the Access Gateway was registered with the SiteMinder Policy Server in FIPS Compatibility mode when the configuration prompted for the FIPS mode. (If your Policy Server runs in a different FIPS mode, the value here must match that mode instead.)

If the FIPS mode line is missing, add the line “CA_SM_PS_FIPS140=COMPAT”.

5. Save and exit the environmental script (ca_sps_env.sh).

Ensure the SPS Apache SSL Properties File Contains Both the SSL Key Password and SSL Enabled

1. Log in to the server containing the SiteMinder Access Gateway with the associated service account for the environment.

2. Navigate to the ${sps_home}/httpd/conf directory.

3. Locate and view the spsapachessl.properties file.

Note: If transferring the file to Windows for editing, ensure the text editor keeps Linux line endings (LF only, no carriage returns).

For example:

4. Ensure the spsapachessl.properties file contains both ssl.key.password and apache.ssl.enabled, with apache.ssl.enabled set to Y (Yes).

5. If the file does NOT have either of those entries, go to the secondary Access Gateway server (if one is present for high availability/fault tolerance), navigate to ${sps_home}/httpd/conf, and locate its spsapachessl.properties file.

6. Copy the contents of the secondary file, paste them into the primary Access Gateway's spsapachessl.properties file, then save and exit the file. (This assumes both gateways use the same SSL key password; if the primary's key has its own password, set ssl.key.password to that value after pasting.)

7. Lastly, once everything is verified, restart the Access Gateway to apply the changes.
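The Step 4 checks as shell functions, so they can be run on every gateway (primary and secondary) before the final restart. This is an added example, not code from the article or from Broadcom. It assumes the file layouts the article describes: a key=value line for CA_SM_PS_FIPS140 in ca_sps_env.sh (with or without a leading export), and key=value lines in spsapachessl.properties; the exact values COMPAT and Y are the ones the article states.

```shell
#!/usr/bin/env bash
# Added example (not from the article or Broadcom): the Step 4 verifications.
# Assumed layouts: key=value lines, optionally "export"ed, in ca_sps_env.sh;
# key=value lines in spsapachessl.properties.
set -u

# The article warns against Windows line endings; succeed only if the file
# contains no carriage returns.
has_lf_only() {
  ! grep -q "$(printf '\r')" "$1"
}

# Prints the effective CA_SM_PS_FIPS140 value (last uncommented assignment
# wins, as it would when the script is sourced) or MISSING.
fips_mode_of() {
  v=$(sed -n 's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}CA_SM_PS_FIPS140=\([^[:space:]]*\).*/\2/p' "$1" | tail -n 1)
  echo "${v:-MISSING}"
}
fips_mode_ok() { [ "$(fips_mode_of "$1")" = COMPAT ]; }

# Prints the (last) value of a key in a properties file, empty if absent.
prop_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots in the key
  sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# ssl.key.password must be non-empty and apache.ssl.enabled must be Y.
apache_ssl_ok() {
  [ -n "$(prop_value "$1" ssl.key.password)" ] && [ "$(prop_value "$1" apache.ssl.enabled)" = Y ]
}

# Runs every check, reports each failure, and returns the failure count.
verify_step4() {
  sps="$1"; fails=0                    # $1 = ${sps_home}
  env="$sps/ca_sps_env.sh"; props="$sps/httpd/conf/spsapachessl.properties"
  has_lf_only "$env" || { echo "CRLF line endings in $env" >&2; fails=$((fails + 1)); }
  fips_mode_ok "$env" || { echo "CA_SM_PS_FIPS140 is $(fips_mode_of "$env"), expected COMPAT" >&2; fails=$((fails + 1)); }
  has_lf_only "$props" || { echo "CRLF line endings in $props" >&2; fails=$((fails + 1)); }
  apache_ssl_ok "$props" || { echo "$props lacks ssl.key.password or apache.ssl.enabled=Y" >&2; fails=$((fails + 1)); }
  return "$fails"
}
if [ "$#" -eq 1 ]; then verify_step4 "$1"; fi
```

Run it as `./verify-step4.sh /opt/CA/secure-proxy` on each gateway; a non-zero exit means something still needs fixing before the restart, and the messages on stderr say what.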

Summary of Symantec SiteMinder Access Gateway Apache Ghostcat Patch

CVE-2020-1938 (Ghostcat) is exploitable through Tomcat's AJP connector when that connector is reachable by untrusted clients: an attacker who can reach it can read files from the web application and, where files can be uploaded, achieve code execution. Applying this patch to your environment's Access Gateway requires a shared secret on AJP connections, so that the Tomcat instance embedded in the SiteMinder solution only trusts incoming connections from the Access Gateway. The AJP port should still be firewalled from every host other than the gateway itself; the secret is an additional control, not a replacement for network restriction.

Looking for additional help with Symantec SiteMinder Access Gateway Apache Ghostcat patch procedures in UNIX/Linux? ISX Consulting is an IAM security firm offering expertise in a range of cybersecurity and business process services, including Symantec SiteMinder management and governance. Take your interoperability to the next level, and contact an ISX consultant today.
