JCE Cryptography Expired Patch


Nov 21, 2013 (3 years and 11 months ago)



Sun file jce1_2_1.jar, which OA uses for signing certificate for reports and admin client, expired on 27 July 2005. This readme describes how to replace this with jce1_2_2.jar and its supporting file for Solaris, Windows, and AIX.

This fix only addresses the issue with the JCE cryptography expiring; therefore, it is not cumulative. The JCE cryptography patch can be applied in conjunction with the latest OA patch for any supported release.


OA Versions Affected: 6.0.X, 6.1, 6.1.X, and 7.0

IMPACT: Affects the functionality of OA Admin Client, OA TRW and Graphical Reports, and OA Authentication Server.

OA Real-Time is not affected by this jce file. Real-Time will only be changed if it co-exists with either Historical or Reporting Subsystems. If Real-Time exists by itself or OA Event Collector, no action is required.


The following common errors have been seen in reports.log and adminclient.log:

1. + 1122650988.896 UTC; altTZ(360); 1672-PlayerEventHandler:l10: Reason: com.avaya.cc.cvx.security.AuthenticationService$CantProceedException: Could not authenticate aut server: AUTHENTICATION SERVER NOT LEGIT

2. 1122574930.859 UTC; altTZ(360); 3280-main:l10: ALARM-emergency: CRM-BI/OA stumbras 0=ClientID:StartupService|Error initializing service: com.avaya.stumbras.services.dbpool.DbPoolService
   java.lang.ExceptionInInitializerError: java.lang.SecurityException: Cannot set up certs for trusted CAs
       at javax.crypto.b.<clinit>([DashoPro-V1.2-120198])
       at javax.crypto.SecretKeyFactory.getInstance([DashoPro-V1.2-120198])
       at com.avaya.cc.cvx.security.CryptoServices.initialize(CryptoServices.java:249)
       at com.avaya.cc.cvx.security.CryptoServices.<init>(CryptoServices.java:234)
       at com.avaya.cc.cvx.security.CryptoServices.getInstance(CryptoServices.java:69)



NOTE: For this operation you will need to bring down all OA processes and applications and thus disrupt data flow for the time it is down. Plan this work for a low usage time of day. Also, please review this readme before attempting to apply this patch.








Procedure for Windows and Solaris Version (6.0, 6.0.X, 6.1, 6.1.X)

Stop All OA Systems

To stop each system, follow the instructions outlined in the Avaya Operational Analyst Maintenance and Troubleshooting Guide, section “Starting and Stopping OA-Related Processes”. In general, the following steps will work:

As OA Administrator:

1. On each Solaris system, from a terminal window, type “pa stop all”. Also, stop iplanet, initsrv, namesrv and TimesTen. The order of shutdown is important; components must be stopped in a specific order.

   a. To stop web server on Solaris SunOne:
      i. Older SunOne 6.0 Solaris: cd /usr/iplanet/server/https-stumbras
         ./stop
      ii. Newer SunOne 6.1 Solaris: cd /opt/SUNWwbsvr/https-stumbras
         ./stop

   As Root:

   b. Edit the /etc/inittab file and change respawn next to nm and in to off; execute init q. This will stop the name service and the init service.
   c. To stop TimesTen you will enter this command, if you used the default TimesTen settings: /etc/init.d/tt_avaya_bi stop

As OA Administrator:

2. On each Windows system, from a command window, type “pa stop all” to stop OA processes. The order of shutdown is important; components must be stopped in a specific order.

   a. Go to Microsoft Windows Services
      i. Stop ORBacus Naming Service
      ii. Stop Avaya Business Intelligence Service
      iii. Stop Stumbras-Tomcat (Reporting Subsystem)
      iv. Stop TimesTen

3. Use ICManager to stop all running instances of ECServer and ECBridge.













The JCE 1.2.2 patch consists of the jars listed below. You will need to back up the current version of these files on your Windows and Solaris system.

jce1_2_2.jar
local_policy.jar
sunjce_provider.jar
US_export_policy.jar

Note: The back-up copy of these jars should not be located anywhere within the BI directory. They should be moved to another location. If the files are left within the BI directory, web servers will attempt to use the older jars.







Patch for Windows OA Historical and Reporting Subsystem (6.X.X)

1. Copy the four jars to %PABASE%\jars.
2. Copy the four jars to %JAVA_HOME%\jre\lib\ext (i.e. default location: C:\Program Files\JavaSoft\JRE\1.3.1_06\lib\ext)
   Note: Check the path by running echo %PATH% in a command window.
3. Edit %PABASE%\stumbras\tomcat\conf\nt_service.properties, change the jce1_2_1.jar to read jce1_2_2.jar instead.
4. Edit environment variable system classpath, change the jce1_2_1.jar to read jce1_2_2.jar instead.


Patch for Windows OA Admin Client (6.X.X)

1. Copy the four jars to %PABASE%\jars.
2. Copy the four jars to %JAVA_HOME%\jre\lib\ext (i.e. default location: C:\Program Files\JavaSoft\JRE\1.3.1_06\lib\ext)
3. Edit %PABASE%\cfg\java.policy, change the jce1_2_1.jar to read jce1_2_2.jar instead.

Note: If you are still having problems bringing up the admin client, you will need to edit the AdminPol.html located at %PABASE% using notepad. The change will be done twice, replace the jce1_2_1.jar to read jce1_2_2.jar instead.



Patch for Solaris OA Historical and Reporting Subsystem (6.X.X)

1. Copy the four jars to %PABASE%\jars.
   a. Perform chmod 750 to the four jars
   b. Perform chown with proper user and group (i.e. chown biadmin:oaadmin sunjce_provider.jar)
2. Copy the four jars to %JAVA_HOME%\jre\lib\ext (i.e. default location: /usr/java/jre/lib/ext)
3. Edit %IPLANET_HOME%/config/jvm12.conf, change the jce1_2_1 to read jce1_2_2 instead.
4. Edit classpath %PABASE%/.profile AOA_CP, change the jce1_2_1 to read jce1_2_2 instead.
   Re-execute the .profile to update current environment variables.

Note: If you are running with Solaris 6.1 SunOne on JDK 1.4 then steps 2 and 3 are not required. You also will not find jvm12.conf because it was replaced by server.xml.





Procedure for Windows and Solaris Version (7.0)

Patch for Windows OA Historical and Reporting Subsystem (7.0)

1. Copy the four jars to %PABASE%\jars.
2. Edit environment variable system classpath, change the jce1_2_1.jar to read jce1_2_2.jar instead.

Patch for Solaris OA Historical and Reporting Subsystem (7.0)

1. Copy the four jars to %PABASE%\jars.
   a. Perform chmod 750 to the four jars
   b. Perform chown with proper user and group (i.e. chown biadmin:oaadmin sunjce_provider.jar)
2. Edit classpath %PABASE%/.profile AOA_CP, change the jce1_2_1 to read jce1_2_2 instead.
   Re-execute the .profile to update current environment variables.

Patch for Windows OA Admin Client (7.0)

1. Copy the four jars to %PABASE%\jars.
2. Edit %PABASE%\cfg\java.policy, change the jce1_2_1.jar to read jce1_2_2.jar instead.

Note: If you are still having problems bringing up the admin client, you will need to edit the AdminPol.html located at %PABASE% using notepad. The change will be done twice, replace the jce1_2_1.jar to read jce1_2_2.jar instead.





OA Start-UP Procedures Windows and Solaris

Start Systems Up

To start up each system, follow the instructions outlined in the Avaya Operational Analyst Maintenance and Troubleshooting Guide, section “Starting and Stopping OA-Related Processes”. In general, the following steps will work:

1. Ensure historical server, initsrv, namesrv, TimesTen for Solaris are running or TimesTen, Avaya BI, and ORBacus Naming Service for Windows.

   For Solaris: (Order of startup is important and must be in a certain order)

   As Root:

   a. Edit the /etc/inittab file and change off next to nm and in to respawn; execute init q. This will stop the name service and the init service.
   b. To start TimesTen you will enter this command, if you used the default TimesTen settings: /etc/init.d/tt_avaya_bi start

   As OA Administrator:

   c. To start web server on Solaris SunOne:
      i. Older SunOne 6.0 Solaris: cd /usr/iplanet/server/https-stumbras
         ./start
      ii. Newer SunOne 6.1 Solaris: cd /opt/SUNWwbsvr/https-stumbras
         ./start

   As OA Administrator:

   For Windows: (Order of startup is important and must be in a certain order)

   Go to Microsoft Windows Services
      i. Start TimesTen
      ii. Start ORBacus Naming Service
      iii. Start Avaya Business Intelligence Service
      iv. Start Stumbras-Tomcat (Reporting Subsystem)

2. If a non-historical server, ensure the OA services have started. (Refer to the startup above for Solaris or Windows).
3. Run “pa start all” on the historical server as an OA Administrator.
4. Verify the system started cleanly by using the pa list and amui list commands.
5. Run “pa start all” on all of the non-historical servers as an OA Administrator.
6. Verify the system started cleanly by using the pa list and amui list commands.
7. Start up ICManager and start the ECB process(es). Ensure they are up and have assigned to MSMQ before proceeding. The status line at the bottom of ICManager will alert you that they have assigned.
8. For each non-historical server, from the ICManager, start EC for each non-historical subsystem.




Procedure for AIX (6.1.X, 7.0)

Stop All OA Systems

To stop each system, follow the instructions outlined in the Avaya Operational Analyst Maintenance and Troubleshooting Guide, section “Starting and Stopping OA-Related Processes”. In general, the following steps will work:

On each AIX system, from a terminal window, type “pa stop all”. Also, stop WebSphere, httpd, initsrv, namesrv and TimesTen.

a. To stop WebSphere, cd to $PABASE/bin and execute stopWebSphere server1
b. To stop httpd on 6.1.x, cd to where you have your IHS installed and execute ./apachectl stop. On 6.1.x, this will be in /usr/IBMHttpServer/bin. For 7.0, the default location is /usr/IBMIHS/bin
c. Edit the /etc/inittab file and change respawn next to nm and in to off; exec init q. This will stop the name service and the init service.
d. To stop TimesTen you will enter this command, if you used the default TimesTen settings: /usr/bin/stopsrc -s tt_avaya_bi

Patch for AIX OA Historical and Reporting Subsystem (6.1.X, 7.0)

1. Copy the four jars to $PABASE\jars.
   a. Perform chmod 750 to the four jars
   b. Perform chown with proper user and group (i.e. chown biadmin:oaadmin sunjce_provider.jar)

   Note: The back-up copy of these jars should not be located anywhere within the BI directory. They should be moved to another location. If the files are left within the BI directory, Websphere will attempt to use the older jars.

2. Edit classpath $PABASE/.profile, change the jce1_2_1 to read jce1_2_2 instead.
   Re-execute the .profile to update the environment variables.
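
A post-patch check for the Solaris and AIX patch steps above, as an added example that is not part of the original readme or of Avaya's tooling: it confirms the four jars are in place and flags leftover jce1_2_1 copies or references. The function names are hypothetical, and it assumes the BI directory is the tree passed as the first argument (the readme's PABASE).

```shell
#!/bin/sh
# Added example: verify the JCE 1.2.2 patch on a Solaris or AIX OA host.
# Assumption: $1 is the OA base directory (the readme's PABASE).

NEW_JARS="jce1_2_2.jar local_policy.jar sunjce_provider.jar US_export_policy.jar"

# Print one finding per line; print nothing when the tree looks clean.
check_jce_patch() {
    base=$1

    # 1. All four replacement jars must be present in <base>/jars.
    for jar in $NEW_JARS; do
        [ -f "$base/jars/$jar" ] || echo "MISSING $base/jars/$jar"
    done

    # 2. No copy of the expired jar (including renamed backups such as
    #    jce1_2_1.jar.bak) may remain under the base directory, because
    #    the web server would still pick it up.
    find "$base" -type f -name 'jce1_2_1*' -print | sort | sed 's/^/STALE_JAR /'

    # 3. No classpath, profile or policy file may still name jce1_2_1.
    #    Jar files are skipped; everything else is searched, including
    #    hidden files such as .profile.
    find "$base" -type f ! -name '*.jar' -print | sort |
    while IFS= read -r f; do
        if grep -q 'jce1_2_1' "$f" 2>/dev/null; then
            echo "STALE_REF $f"
        fi
    done
}

# Exit status 0 when there are no findings, non-zero otherwise.
jce_patch_ok() {
    [ -z "$(check_jce_patch "$1")" ]
}

# Run as: sh check_jce.sh "$PABASE"   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    check_jce_patch "$1"
fi
```

Run it after step 2 and before restarting the OA processes; any STALE_JAR line means a backup copy still has to be moved out of the tree.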






OA Start-UP Procedures AIX

Start Systems Up

To start up each system, follow the instructions outlined in the Avaya Operational Analyst Maintenance and Troubleshooting Guide, section “Starting and Stopping OA-Related Processes”. In general, the following steps will work:

1. Ensure historical server, initsrv and namesrv and TimesTen for AIX are running
   a. Edit the /etc/inittab file and change off next to nm and in to respawn; exec init q. This will stop the name service and the init service.
   b. To start TimesTen you will enter this command, if you used the default TimesTen settings: /usr/bin/startsrc -s tt_avaya_bi
   c. Verify TimesTen startup with lssrc -s tt_avaya_bi
2. Run “pa start all” on the historical server.
3. Verify the system started cleanly by using the pa list and amui list commands.
4. Run “pa start all” on all of the non-historical servers
5. Verify the system started cleanly by using the pa list and amui list commands.
6. Start up ICManager and start the ECB process(es). Ensure they are up and have assigned to MSMQ before proceeding. The status line at the bottom of ICManager will alert you that they have assigned.
7. For each non-historical server, from the ICManager, start EC for each non-historical subsystem.
8. Ensure that web service is started on each reporting subsystem. To start web service, cd $PABASE/bin and execute startWebSphere. This will start both the Websphere Application Service and httpd processes.


TECHNICAL SUPPORT

==================


Customers in the U.S. can contact Avaya Operational Analyst Technical Support via the WWW, email and telephone:

- WWW (WebQ Support Knowledgebase): http://www.avaya.com/support/qq
- Email: crmsupport@avaya.com
- Phone (U.S.): 1-888-TECH-SPT (1-888-832-4778)
- Phone (Direct): 1-512-425-2201

International customers should contact their regional Avaya Center of Excellence (CoE) for assistance.