Hot fix P90009 addresses the issue(s) in SAS Web Server 9.41 on HP-UX IPF as documented
in the Issue(s) Addressed section of the hot fix download page:
http://ftp.sas.com/techsup/download/hotfix/HF2/S47.html#P90009
The hot fix downloaded, P90009pt.zip, contains the updated files required to address
the documented issues.
Do NOT extract the contents of P90009pt.zip. The hot fix installation process will extract
the contents as needed.
This hot fix requires that your software must already be configured prior to installation. If no configuration directory exists at the time of installation, security updates built into this hot fix will not be completed, leaving your software in a vulnerable state.
After downloading P90009pt.zip, follow the instructions for applying hot fixes in the SAS Deployment Wizard and SAS Deployment Manager 9.4: User's Guide.
Please review the CONFIGURATION Important Note above concerning proper selection of the "Configure SAS Hot Fix" option in the SAS Deployment Manager.
The hot fix installation process generates the log file
<!SASHOME>/InstallMisc/InstallLogs/IT_date-and-time-stamp.logfor example, IT_2011-10-31-13.18.21.log. Each attempt to apply a hot fix results in the creation of a new log file giving detailed information regarding the installation process.
Postexec log files are created after the installation is completed and identifies the files that were added, backed up, changed and removed. These log files include the ‘member’ hot fix id in the name of the file and are also written to the <!SASHOME>/InstallMisc/InstallLogs directory. There is one postexec log for each ‘member’ hot fix applied (member hot fixes are listed at the top of these instructions).
When FIPS mode is enabled in the SAS Mid-Tier environment, that will enforce an order of precedence by negotiating cipher suites with perfect forward secrecy (PFS) and then cipher suites without it for compatibility with legacy applications. If PFS needs to be strictly enforced then the SAS Web Application Server config file can be updated with the following changes.
Edit each SAS Web Application Server's If your SAS Web Server is configured for SSL/TLS, you will need to install the latest Java 7 Update.
Please visit the Updates for Java 7 download page for the latest available
updates.
Replace the line
IMPORTANT NOTE: If you use a non-default port, please enter that port number instead of the one listed above
This completes the installation of hot fix P90009 on HP-UX IPF.
Replace the ciphers attribute in Connector element:
IMPORTANT NOTE Regarding SSL/TLS:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
with the following line:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
IMPORTANT NOTES Regarding hot fix updates:
Listen 80
with the following line:
Listen localhost:7980
Locate the following lines for the certificate file and key file and enter the correct filenames:
SSLCertificateFile "ssl/myhost.crt"
SSLCertificateKeyFile "ssl/myhost.key"
SSLCertificateChainFile "ssl/myhost.crt
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
Replace the line
Header set Strict-Transport-Security "max-age=31536000"
with the following line:
#Header set Strict-Transport-Security "max-age=31536000"
For the updated Apache version delivered in this hot fix, step 2 under "Configuring SAS Web Server for the Web Agent" should read as follows:
Edit the <SASConfig>/LevX/Web/WebServer/conf/httpd.conf file. Add lines that are similar to the following at the beginning of the LoadModule directives:
LoadModule sm_module "C:/Program Files (x86)/CA/webagent/bin/mod_sm24.dll"
For UNIX deployments, the name of the library is libmod_sm24.so instead of mod_sm24.dll.
SmInitFile "C:/SAS/Config/Lev1/Web/WebServer/conf/WebAgent.conf"
Copyright 2018 SAS Institute Inc. All Rights Reserved.