Environment
Situation
This technical note describes how to modify Verastream Host Integrator (VHI) version 7.7 or higher to support Java 8.
Resolution
Service pack 1 for Verastream Host Integrator 7.7 was released in March, 2018, and this service pack includes a private copy of Java 1.8 for use by Verastream components. Please download and install this service pack to enable security updates provided in Java 1.8.
The following instructions should be considered obsolete, and are retained here just in case there is an unusual reason not to immediately apply the service pack.
Before you start
Note: Due to changes required of third party libraries, this article does not apply to VHI systems using clustered management. Do not follow these instructions to upgrade to Java 8 if multiple servers in your VHI environment are configured in a management cluster for load distribution/fail-over purposes. This procedure applies to single, stand-alone VHI installations. See KB 7021541 for information on third party load balancing.
Install-dir here refers to the default install directory for both Windows and UNIX platforms:
- Windows: C:\Program Files\Attachmate\Verastream\HostIntegrator
- UNIX: /opt/attachmate/verastream
If you have installed VHI to a different location, you must make the necessary adjustments.
- Back up your entire VHI install directory, so that in the unlikely event of difficulties you can revert to the previous installation configuration.
- Install Java Developer Kit 8.x (JDK) from Oracle: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html At this time the latest version available is jdk1.8.0_121, which is the version used in the steps below. If you install a different version, you will have to make the necessary adjustments.
- Download the latest 64-bit version from Oracle: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
- Create a new directory named jdk1.8.0_121 in this location:
install-dir/Attachmate/Verastream/java
- Install the downloaded JDK to the new directory:
install-dir/Attachmate/Verastream/java/jdk1.8.0_121
- Install Unlimited Crypto Policy Files.
- Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
- Follow the instructions in the readme that is included in the downloaded zip file.
- Open:
install-dir\Attachmate\Verastream\java\jdk1.8.0_121\jre\lib\security
…and replace local_policy.jar and US_export_policy.jar with the downloaded versions.
Notes:
- The Windows Java installation program may copy the JRE to Program Files. This isn’t a problem as the JDK has its own JRE in the VHI Java directory. You can delete the JRE in Program Files.
- The Linux RPM installation program copies the JDK to /usr/java/jdk1.8.0_121. Copy the JDK to install-dir/attachmate/verastream/java/jdk1.8.0_121.
Upgrade Steps
Configure Java serialization filters
To make VHI compatible with Java 8 build 121, and presumably later builds, newly introduced serialization filters must be loosely configured to adhere to security guidelines.
- Open in a text editor:
install-dir\attachmate\verastream\java\jdk1.8.0_121\jre\lib\security\java.security
- Set the following properties:
jdk.serialFilter=!org.apache.commons.collections.functors.InvokerTransformer;*
sun.rmi.registry.registryFilter=!org.apache.commons.collections.functors.InvokerTransformer;*
sun.rmi.transport.dgcFilter=\
java.rmi.server.ObjID;\
java.rmi.server.UID;\
java.rmi.dgc.VMID;\
java.rmi.dgc.Lease;\
maxdepth=2147483647;\
maxarray=2147483647;\
maxrefs=2147483647;\
maxbytes=2147483647
Note: JDK 1.8.0_121 contains security fixes needed to address long-standing Java object serialization vulnerabilities. There are serious side-effects to those changes which are described here: https://dzone.com/articles/a-first-look-into-javas-new-serialization-filterin
As the article states, creating a whitelist, while theoretically possible, is extremely time-consuming and failure-prone, whereas creating a blacklist is prone to zero-day attacks (although it may be beneficial to add new threats to the blacklist as we learn of them - as virus scanners do).
org.apache.commons.collections.functors.InvokerTransformer is a known serialization attack vector. Research into finding additional classes to include in the blacklist for this filter is ongoing. Research is also continuing on the creation of a reliable and secure whitelist for this filter. This technical note will be updated when this information is available.
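How the three filter values above are evaluated, as an added example that is not part of the original note or of the JDK: a small Python model of the JEP 290 pattern rules (entries separated by `;`, `!` rejects, a trailing `*` is a wildcard, `name=value` entries are limits, and the first matching class pattern decides). The function names and the class `com.example.Anything` used to exercise it are hypothetical.

```python
# Constructed sample: the three properties from the steps above (added example, not vendor code).
JAVA_SECURITY = r"""
jdk.serialFilter=!org.apache.commons.collections.functors.InvokerTransformer;*
sun.rmi.registry.registryFilter=!org.apache.commons.collections.functors.InvokerTransformer;*
sun.rmi.transport.dgcFilter=\
java.rmi.server.ObjID;\
java.rmi.server.UID;\
java.rmi.dgc.VMID;\
java.rmi.dgc.Lease;\
maxdepth=2147483647;\
maxarray=2147483647;\
maxrefs=2147483647;\
maxbytes=2147483647
"""

def load_properties(text):
    """Parse key=value lines, joining backslash-continued lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def limits(pattern):
    """Return the name=value resource limits of a filter as integers."""
    pairs = (i.split("=", 1) for i in pattern.split(";") if "=" in i)
    return {k: int(v) for k, v in pairs}

def check_class(pattern, name):
    """Status for a class name: the first matching class pattern decides."""
    for item in pattern.split(";"):
        if not item or "=" in item:
            continue
        body = item.lstrip("!")
        if body.endswith(".*"):      # classes directly in the package
            hit = name.rpartition(".")[0] + "." == body[:-1]
        elif body.endswith("*"):     # ".**" subpackages, or a plain prefix
            hit = name.startswith(body.rstrip("*"))
        else:
            hit = name == body
        if hit:
            return "REJECTED" if item.startswith("!") else "ALLOWED"
    return "UNDECIDED"
```

With these values, `jdk.serialFilter` and the registry filter reject only InvokerTransformer and allow every other class, while the DGC pattern allows its four listed classes and returns UNDECIDED for anything else. 2147483647 is Integer.MAX_VALUE, so the four DGC limits are effectively unbounded.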
Update VHI configuration files
Modify the following files to point to the new Java JDK folder. In the path install-dir\Attachmate\Verastream\ :
- AdministrativeConsole\Administrative Console.ini
- HostIntegrator\bin\activatemodel.bat
- HostIntegrator\bin\activatemodel.sh
- HostIntegrator\bin\buildeventhandlers.bat
- HostIntegrator\bin\cleaneventhandlers.bat
- HostIntegrator\bin\deactivatemodel.bat
- HostIntegrator\bin\deactivatemodel.sh
- HostIntegrator\bin\iisdeploy.bat
- HostIntegrator\bin\iisundeploy.bat
- HostIntegrator\bin\iisvsedit.bat
- HostIntegrator\bin\logexport.bat
- HostIntegrator\bin\packagemodel.bat
- HostIntegrator\bin\packagemodel.sh
- HostIntegrator\bin\resetsessionserver.bat
- HostIntegrator\bin\resetsessionserver.sh
- HostIntegrator\bin\updatemodelversion.bat
- HostIntegrator\etc\vhi.conf
- HostIntegrator\Help\help.ini
- HostIntegrator\hostemulator\bin\jconsole.bat
- HostIntegrator\hostemulator\bin\jconsole.sh
- HostIntegrator\hostemulator\conf\container.conf
- HostIntegrator\lib\webbuilder\common\runWSClient.bat
- HostIntegrator\lib\webbuilder\common\wardeploy.bat
- HostIntegrator\servletengine\conf\container.conf
- ManagementServer\bin\jconsole.bat
- ManagementServer\bin\jconsole.sh
- ManagementServer\conf\container.conf
Using a text editor or a script, replace all occurrences of:
jdk1.7.0_75-64
with:
jdk1.8.0_121
On Windows platforms you do not need to modify the .sh shell scripts, and on Linux you do not need to modify the .ini and .bat files. All .conf files need modification.
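One way to script the replacement described above, as an added example that is not part of the original note: it rewrites the old JDK folder name in a caller-supplied list of the files above, keeps a `.bak` copy of each file it changes, applies the per-platform file-type rule, and then reports any file that still names the old JDK. The function names and the `platform` values `"windows"` and `"unix"` are assumptions of this sketch.

```python
import os
import shutil

OLD, NEW = b"jdk1.7.0_75-64", b"jdk1.8.0_121"   # folder names from the steps above
TYPES = {".ini", ".bat", ".sh", ".conf"}        # file types in the list above
# File types the note says need no change on each platform.
SKIP = {"windows": {".sh"}, "unix": {".ini", ".bat"}}

def repoint_jdk(root, rel_paths, platform):
    """Rewrite OLD to NEW in the listed files; return (changed, skipped, missing)."""
    changed, skipped, missing = [], [], []
    for rel in rel_paths:
        path = os.path.join(root, *rel.split("\\"))
        if os.path.splitext(rel)[1].lower() in SKIP[platform]:
            skipped.append(rel)
        elif not os.path.isfile(path):
            missing.append(rel)
        else:
            with open(path, "rb") as fh:        # bytes keep encoding and line endings
                data = fh.read()
            if OLD in data:
                shutil.copy2(path, path + ".bak")   # per-file copy for rollback
                with open(path, "wb") as fh:
                    fh.write(data.replace(OLD, NEW))
                changed.append(rel)
    return changed, skipped, missing

def leftovers(root, platform):
    """Relative paths of relevant files under root that still mention OLD."""
    found = []
    for folder, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in TYPES - SKIP[platform]:
                continue
            full = os.path.join(folder, name)
            with open(full, "rb") as fh:
                if OLD in fh.read():
                    found.append(os.path.relpath(full, root))
    return sorted(found)
```

Pass the install-dir\Attachmate\Verastream directory as `root` and the relative paths from the list above as `rel_paths`; an empty result from `leftovers` confirms that no relevant file still points at the old JDK before the services are restarted.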
Restart all VHI services
- Verastream Host Emulator
- Verastream Host Integrator Log Manager
- Verastream Host Integrator Session Server
- Verastream Host Integrator Web Server
- Verastream Management Server
See Starting and Stopping Services in the VHI documentation: http://docs2.attachmate.com/verastream/vhi/7.7/en/index.jsp?topic=%2Fcom.attachmate.vhi.help%2Fhtml%2Fgettingstarted%2Fvhi_start_stop_services.xhtml