Installation instructions for hot fix V75010 on HP-UX IPF

Installation Instructions for Hot Fix V75010

HP-UX IPF

Hot fix V75010 addresses the issue(s) in SAS Web Server 9.42 as documented in the Issue(s) Addressed section of the hot fix download page:

http://ftp.sas.com/techsup/download/hotfix/HF2/V75.html#V75010

Before applying this hot fix, follow the instructions in SAS Note 35968 to generate a SAS Deployment Registry report, then verify that the appropriate product releases are installed on your system. The release number information in the Registry report should match the 'member' release number information provided above for the software components installed on each machine in your deployment.

The hot fix downloaded, V75010pt.zip, includes the updates required for all components listed above on all applicable operating systems. To apply this hot fix on multiple machines, you can either save V75010pt.zip on each machine or save it in a network location that is accessible to all machines.

Do NOT extract the contents of V75010pt.zip. The hot fix installation process will extract the contents as needed.

SPECIAL NOTE REGARDING SECURITY VULNERABILITY

This hot fix requires that your software must already be configured prior to installation. If no configuration directory exists at the time of installation, security updates built into this hot fix will not be completed, leaving your software in a vulnerable state.

IMPORTANT NOTES

Files delivered in this hot fix will be backed up during the installation process. However, it is good general practice to back up your system before applying updates to software.
You must have Administrator Privileges on your CLIENT or SERVER machine.
All currently active SAS sessions, daemons, spawners and servers must be terminated before applying this hot fix.
This hot fix should be installed using the same userid who performed the initial software installation.
CONFIGURATION: No automatic configuration scripting is included for this hot fix. If you have previously configured software installed, the SAS Deployment Manager may present a screen where you will see "Apply SAS Hot Fixes" and "Configure SAS Hot Fixes" options. On this screen, you must ensure that the "Configure SAS Hot Fix" option is *not* selected. If this option is automatically selected, please de-select it prior to proceeding with the SAS Deployment Manager Screens. Failure to do so could have unintended consequences when applying this hot fix.

INSTALLATION

Hot Fix V75010 must be installed on each machine where the updated components of the product, listed above, are installed. During the installation process you may see references to all operating systems for which updates are provided in the hot fix. The installation process will determine the operating system and which component(s) of SAS Web Server 9.42 require updating on the machine. See SAS Note 44810 for more details.

The hot fix will be applied using the SAS Deployment Manager. By default, the SAS Deployment Manager will search in the <SASHOME>/InstallMisc/HotFixes/New directory for hot fixes to be applied, but will also prompt for a location if you have downloaded hot fixes to a different directory.

After downloading V75010pt.zip, follow the instructions for applying hot fixes in the SAS Deployment Wizard and SAS Deployment Manager 9.4: User's Guide.

Please review the CONFIGURATION Important Note above concerning proper selection of the "Configure SAS Hot Fix" option in the SAS Deployment Manager.

The hot fix installation process generates the log file

<!SASHOME>/InstallMisc/InstallLogs/IT_date-and-time-stamp.log

for example, IT_2011-10-31-13.18.21.log. Each attempt to apply a hot fix results in the creation of a new log file giving detailed information regarding the installation process.

Postexec log files are created after the installation is completed and identifies the files that were added, backed up, changed and removed. These log files include the ‘member’ hot fix id in the name of the file and are also written to the <!SASHOME>/InstallMisc/InstallLogs directory. There is one postexec log for each ‘member’ hot fix applied (member hot fixes are listed at the top of these instructions).

POST-INSTALLATION INSTRUCTIONS

IMPORTANT NOTE Regarding FIPS:

When FIPS mode is enabled in the SAS Mid-Tier environment, the system will enforce an order of precedence by negotiating cipher suites with perfect forward secrecy (PFS) and then cipher suites without it for compatibility with legacy applications. If PFS needs to be strictly enforced then the SAS Web Application Server config file can be updated with the following changes.

Edit each SAS Web Application Server's /LevX/Web/WebAppServer/SASServerX_X/conf/server.xml file and make the following changes:

Replace the ciphers attribute in Connector element:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
with the following line:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

IMPORTANT NOTE Regarding SSL/TLS:

If your SAS Web Server is configured for SSL/TLS, you will need to install the latest Java 7 Update on all hosts and tiers. Please visit the Updates for Java 7 download page for the latest available updates.

If you have configured SSL/TLS manually for SAS Web Server post-deployment, to use SAS Environment Manager to monitor SAS Web Server, complete the following steps:

Edit the <SASConfig>/LevX/Web/WebServer/conf/httpd.conf file and make the following changes:
Replace the line
Listen 80
with the following line:
Listen localhost:7980
IMPORTANT NOTE: If you use a non-default port, please enter that port number instead of the one listed above
Edit the <SASConfig>/LevX/Web/WebServer/conf/extra/httpd-ssl.conf file and make the following changes:
Locate the following lines for the certificate file and key file and enter the correct filenames: SSLCertificateFile "ssl/myhost.crt"
SSLCertificateKeyFile "ssl/myhost.key"
SSLCertificateChainFile "ssl/myhost.crt

If you manually configured SSL/TLS for SAS Web Application Server, complete the following step

Edit the <SASConfig>/LevX/Web/WebServer/conf/sas.conf file and add the following two lines:
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

If you configured SSL/TLS for SAS Web Server, SAS Environment Manager is not configured for SSL/TLS, and is also on the same machine as the Web Server, complete this step if applicable:

Edit the <SASConfig>/LevX/Web/WebServer/conf/sas.conf file and comment out the following directive:
Replace the line
Header set Strict-Transport-Security "max-age=31536000"
with the following line:
#Header set Strict-Transport-Security "max-age=31536000"

IMPORTANT NOTES Regarding hot fix updates:

This hot fix will create a backup configuration directory under <SASConfig>/LevX/Web/WebServerBackup. If you manually changed any configuration settings for SAS Web Server, you must manually merge these settings back into the new web server configuration.
This hot fix updates the Apache httpd server from version 2.2 to version 2.4. Any manually configured changes for SAS Web Server related to Apache 2.2 will need to be updated to reflect Apache 2.4.
For SiteMinder configuration using the updated Apache version, please review information in SAS® 9.4 Intelligence Platform: Middle-Tier Administration Guide, Fourth Edition
For the updated Apache version delivered in this hot fix, step 2 under "Configuring SAS Web Server for the Web Agent" should read as follows:

Edit the SAS-configuration-directory\Levn\Web\WebServer\conf\httpd.conf file. Add lines that are similar to the following at the beginning of the LoadModule directives:
LoadModule sm_module "C:/Program Files (x86)/CA/webagent/bin/mod_sm24.dll"
SmInitFile "C:/SAS/Config/Lev1/Web/WebServer/conf/WebAgent.conf"
For UNIX deployments, the name of the library is libmod_sm24.so instead of mod_sm24.dll.