How to Update a Windows Access Gateway Service Host with the Latest OpenSSL Builds

  • 7017582
  • 06-May-2016
  • 06-Jul-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
NetIQ Access Gateway Service on Windows

Situation

The OpenSSL open source project team regularly releases updates that fix known OpenSSL vulnerabilities (https://www.openssl.org/news/openssl-1.0.1-notes.html). The Access Gateway component of Access Manager uses this library for cryptographic functions. It is recommended that all Access Gateways be updated with the latest OpenSSL patch.

To update the OpenSSL libraries on Access Gateway Services running on Windows, follow the instructions below.

Resolution

Administrators running the Access Gateway Service (AGS) on Windows need to follow this procedure:

a) Open the PowerShell command line (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) with administrator privileges.

b) Create and save a 'patch_update.ps1' file on the Windows system with exactly the lines defined in the "Additional Information" section of this TID below.

c) Run patch_update.ps1 with three command line arguments:

1. username
2. password
3. rpmfilename (the RPM file name without the trailing .rpm extension)

where the username and password are the NCC credentials with which you registered the Access Manager product, and the filename is the version of OpenSSL you are upgrading to. This version is typically documented in TIDs and includes the OpenSSL version in the string; e.g., for the OpenSSL 1.0.1t update, the filename is Openssl_Win_101t.

For example: patch_update.ps1 <myusername> <mypassword> <Openssl_Win_101t>

The local download location for the OpenSSL update will be C:\Program Files\Novell\apache\novell_patch.

Additional Information

The patch_update.ps1 file should contain the following:


# NCC credentials and the package name (without the .rpm extension)
param (
    [Parameter(Mandatory=$true)][string]$username,
    [Parameter(Mandatory=$true)][string]$password,
    [Parameter(Mandatory=$true)][string]$filename
)

# Build a PSCredential object for the download
$MyPassword = ConvertTo-SecureString $password -AsPlainText -Force
$MyCredentials = New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList $username,$MyPassword

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Start from an empty download directory (it does not exist on the first run)
$User_Path = "C:\Program Files\Novell\apache\novell_patch"
if (Test-Path $User_Path) { Remove-Item $User_Path -Force -Recurse }
New-Item $User_Path -ItemType Directory
Import-Module BitsTransfer
# List the BITS cmdlets that the module provides
Get-Command *bits* | Where-Object {$_.CommandType -eq "cmdlet"}

# Download the package from the update repository over HTTPS
Start-BitsTransfer `
-ProxyUsage AutoDetect `
-Authentication Basic `
-Credential $MyCredentials `
-Source "https://nu.novell.com/repo/%24RCE/NAM42-APP-Updates/sle-11-x86_64/rpm/x86_64/$filename.rpm" `
-Destination $User_Path

# Rename the download to .zip so the Windows shell can open it as an archive
Rename-Item "$User_Path\$filename.rpm" "$User_Path\$filename.zip"

# Extract every .zip in the download directory in place
$path = $User_Path
$destination = $User_Path
$shell_app = New-Object -ComObject Shell.Application
$files = Get-ChildItem -Path $path -Filter *.zip -Recurse
foreach ($file in $files) {
  $zip_file = $shell_app.NameSpace($file.FullName)
  $copyHere = $shell_app.NameSpace($destination)
  $copyHere.CopyHere($zip_file.Items())
}

# Run the update batch file from the extracted package directory
cd "$User_Path\$filename"
cmd.exe /c Openssl_update.bat
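
A variant of the script above that keeps the NCC password off the command line, limits the execution-policy change to the current process, and validates the package name. This is an added example, not the vendor's script: it takes only the package name as its argument, and it assumes PowerShell 4.0 or later (for Get-FileHash) and the same repository URL, patch directory and Openssl_update.bat as this TID.

```powershell
# Added example: a hardened variant of patch_update.ps1, not the vendor's script.
# Assumes the repository URL, patch directory and Openssl_update.bat named in the TID.
param (
    [Parameter(Mandatory=$true)][string]$Filename   # package name without .rpm, e.g. Openssl_Win_101t
)
$ErrorActionPreference = 'Stop'

# Accept only a bare package name, so the value cannot change the URL path
# or point outside the patch directory.
if ($Filename -notmatch '^[A-Za-z0-9_-]+$') {
    throw "Filename must be a bare package name without the .rpm extension"
}

# Prompt for the NCC credentials instead of taking the password as an argument,
# which would leave it in console history and process command-line logs.
$cred = Get-Credential

# Scope the policy change to this PowerShell process instead of persisting it for the user.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

$patchDir = 'C:\Program Files\Novell\apache\novell_patch'
if (Test-Path -LiteralPath $patchDir) {
    Remove-Item -LiteralPath $patchDir -Recurse -Force
}
New-Item -Path $patchDir -ItemType Directory | Out-Null

Import-Module BitsTransfer
Start-BitsTransfer -ProxyUsage AutoDetect -Authentication Basic -Credential $cred `
    -Source "https://nu.novell.com/repo/%24RCE/NAM42-APP-Updates/sle-11-x86_64/rpm/x86_64/$Filename.rpm" `
    -Destination $patchDir

# The TID's script treats the download as a zip archive; rename it so the shell can open it.
$zip = Join-Path $patchDir "$Filename.zip"
Rename-Item -LiteralPath (Join-Path $patchDir "$Filename.rpm") -NewName "$Filename.zip"

# Print the hash of the downloaded package so it can be kept in the change record.
Get-FileHash -LiteralPath $zip -Algorithm SHA256 | Format-List Algorithm, Hash, Path

# Extract the archive into the patch directory, as the original script does.
$shell = New-Object -ComObject Shell.Application
$shell.NameSpace($patchDir).CopyHere($shell.NameSpace($zip).Items())

Set-Location -LiteralPath (Join-Path $patchDir $Filename)
cmd.exe /c Openssl_update.bat
```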