Installation Instructions for Hot Fix B7Q004
64-bit Enabled AIX
Hot fix B7Q004 addresses the issue(s) in SAS Web Server 9.44 on 64-bit Enabled AIX as documented
in the Issue(s) Addressed section of the hot fix download page:
http://ftp.sas.com/techsup/download/hotfix/HF2/B7Q.html#B7Q004
The hot fix downloaded, B7Q004pt.zip, contains the updated files required to address
the documented issues.
Do NOT extract the contents of B7Q004pt.zip. The hot fix installation process will extract
the contents as needed.
SPECIAL NOTE REGARDING SECURITY VULNERABILITY
This hot fix requires that your software must already be configured prior to installation. If no configuration directory exists
at the time of installation, security updates built into this hot fix will not be completed, leaving your software in a vulnerable state.
IMPORTANT NOTES
-
This hotfix requires SAS Web Server 9.44 to not be configured for SSL/TLS. Please don't apply it if SAS Web Server 9.44 is
configured for SSL/TLS.
-
This updates the version of OpenSSL to 1.0.2o which support FIPS 140-2 compliance.
- Special Note regarding AIX 7.1:
If you are running on AIX 7.1 operating systems, you will need to upgrade the AIX technology level to TL3 or above. Please visit
https://www.ibm.com/developerworks/aix/library/au-aixtlupdate/
from IBM for more information on AIX technology level update.
-
You must have SAS Web Server 9.44 installed on your system before applying this hot fix.
Refer to SN-35968 for instructions on how to determine which product releases you have installed.
-
This hot fix updates the Apache httpd server from version 2.2 to version 2.4. Any manually configured changes for SAS Web Server related to
Apache 2.2 will need to be updated to reflect Apache 2.4.
-
Files delivered in this hot fix will be backed up during the installation process.
However, it is good general practice to back up your system before applying updates
to software.
-
You must have Administrator Privileges on your CLIENT or SERVER machine.
-
All currently active SAS sessions, daemons, spawners and servers must be terminated
before applying this hot fix.
- This hot fix should be installed using the same userid who performed the initial
software installation.
-
CONFIGURATION: No automatic configuration scripting is included for this hot fix. If you have previously configured software installed,
the SAS Deployment Manager may present a screen where you will see "Apply SAS Hot Fixes" and "Configure SAS Hot Fixes" options.
On this screen, you must ensure that the "Configure SAS Hot Fix" option is *not* selected. If this option is automatically
selected, please de-select it prior to proceeding with the SAS Deployment Manager Screens. Failure to do so could have unintended
consequences when applying this hot fix.
INSTALLATION
The B7Q004 hot fix for SAS Web Server 9.44 will be installed using the SAS Deployment Manager.
By default, the SAS Deployment Manager will search in the <SASHOME>/InstallMisc/HotFixes/New directory for hot
fixes to be applied, but will also prompt for a location if you have downloaded hot fixes to a different
directory.
After downloading B7Q004pt.zip, follow the instructions for applying hot fixes in the
SAS Deployment Wizard and SAS Deployment Manager 9.4: User's Guide.
Please review the CONFIGURATION Important Note above concerning proper selection of the "Configure SAS Hot Fix" option in the SAS Deployment Manager.
POST-INSTALLATION INSTRUCTIONS
IMPORTANT NOTES Regarding hot fix updates:
-
This hot fix will create a backup configuration directory under <SASConfig>/LevX/Web/WebServerBackup. If you manually changed any
configuration settings for SAS Web Server, you must manually merge these settings back into the new web server configuration.
-
For SiteMinder configuration using the updated Apache version, please review information in SASŪ 9.4
Intelligence Platform: Middle-Tier Administration Guide, Fourth Edition
For the updated Apache version delivered in this hot fix, step 2 under "Configuring SAS Web Server for the Web Agent" should read as follows:
Edit the SAS-configuration-directory\Levn\Web\WebServer\conf\httpd.conf file. Add lines that are similar to the following at the beginning of the LoadModule directives:
LoadModule sm_module "C:/Program Files (x86)/CA/webagent/bin/mod_sm24.dll"
SmInitFile "C:/SAS/Config/Lev1/Web/WebServer/conf/WebAgent.conf"
For UNIX deployments, the name of the library is libmod_sm24.so instead of mod_sm24.dll.
-
If you have configured SSL/TLS manually for SAS Web Server post-deployment, to use SAS Environment Manager to monitor SAS Web Server, complete the following steps:
-
Edit the <SASConfig>/LevX/Web/WebServer/conf/httpd.conf file and make the following changes:
Replace the line
Listen 80
with the following line:
Listen localhost:7980
IMPORTANT NOTE: If you use a non-default port, please enter that port number instead of the one listed above
-
Edit the <SASConfig>/LevX/Web/WebServer/conf/extra/httpd-ssl.conf file and make the following changes:
Locate the following lines for the certificate file and key file and enter the correct filenames:
SSLCertificateFile "ssl/myhost.crt"
SSLCertificateKeyFile "ssl/myhost.key"
SSLCertificateChainFile "ssl/myhost.crt
-
If you manually configured SSL/TLS for SAS Web Application Server, complete the following step
-
Edit the <SASConfig>/LevX/Web/WebServer/conf/sas.conf file and add the following two lines:
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
-
Edit each SAS Web Application Server's
<SASConfig>/LevX/Web/WebAppServer/SASServerX_X/conf/server.xml file and make the
following changes:
Replace the ciphers attribute in Connector element:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
with the following line:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
-
If you configured SSL/TLS for SAS Web Server and SAS Environment Manager is not configured for SSL/TLS and is also
on the same machine as the Web Server, then complete this step if applicable:
-
Edit the <SASConfig>/LevX/Web/WebServer/conf/sas.conf file and comment out the following directive:
Replace the line
Header set Strict-Transport-Security "max-age=31536000"
with the following line:
#Header set Strict-Transport-Security "max-age=31536000"
-
(Optional) When FIPS mode is enabled in the SAS Mid-Tier environment the system will enforce an order of precedence by negotiating cipher suites with
perfect forward secrecy (PFS) and then cipher suites without it for compatibility with legacy applications. If PFS needs to be strictly
enforced then the SAS Web Application Server config file can be updated with the following changes.
Edit each SAS Web Application Server's <SASConfig>/LevX/Web/WebAppServer/SASServerX_X/conf/server.xml file and make the following changes:
Replace the ciphers attribute in Connector element:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
with the following line:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
This completes the installation of hot fix B7Q004 on 64-bit Enabled AIX.
Copyright 2018 SAS Institute Inc. All Rights Reserved.