Updating Verastream Host Integrator 7.7 to use Open JDK

  • 7023289
  • 20-Aug-2018
  • 11-Oct-2018

Environment

Verastream Host Integrator 7.7 and later

Situation

This article describes how to modify Verastream Host Integrator (VHI) version 7.7 or higher to support Open JDK. Industry trends now favor the use of the Open JDK. 

Micro Focus plans to release a VHI Service Pack that will include a version of Open JDK, but there may be VHI installations by customers who would prefer not to upgrade to the latest service pack at this time. This may also apply to customers who wish to install a new JDK due to an emergency security fix, before we are able to respond with a new service pack.

Resolution

Upgrade Steps

Install Java

Install the JDK version you intend to use into a directory of your choice, for example

install-dir\Attachmate\Verastream\HostIntegrator\Java\

alongside the OEM version of Java that shipped with VHI.

Note: VHI has been tested with JDK8 binaries from AdoptOpenJDK and Azul Zulu. We do not advise moving to JDK9 or higher at this time. JDK8 is in long term support (LTS) and should be fully supported until October 2020. For stability, we recommend that enterprise customers stay with LTS releases. A future version of VHI will be designed for JDK11, which is the next planned LTS release for OpenJDK.

Note: The .../jre/lib/security/cacerts file provided with AdoptOpenJDK JDK8 is empty; thus, the trust store is empty. The cacerts file must be replaced with one containing root certificates in order for VHI to operate. If necessary, you can copy cacerts from a recent version of JDK9 or JDK10 from AdoptOpenJDK, which contains a non-empty file. Compare the file size, or use keytool to look inside using the command:

keytool -list -v -keystore cacerts

(hit enter when prompted for a password).

Configure Java serialization filters

The following changes to the serialization filters must be configured to adhere to security guidelines.

Open in a text editor:

install-dir\attachmate\verastream\java\new-jdk\jre\lib\security\java.security

(where new-jdk corresponds to the directory containing your newly installed JDK)

Copy and paste the following text at the end of the document (insert a linefeed before and after). The backslash-continued lines of sun.rmi.transport.dgcFilter must stay consecutive, with no blank lines between them:

jdk.serialFilter=!org.apache.commons.collections.functors.InvokerTransformer;*
sun.rmi.registry.registryFilter=!org.apache.commons.collections.functors.InvokerTransformer;*
sun.rmi.transport.dgcFilter=\
java.rmi.server.ObjID;\
java.rmi.server.UID;\
java.rmi.dgc.VMID;\
java.rmi.dgc.Lease;\
maxdepth=2147483647;\
maxarray=2147483647;\
maxrefs=2147483647;\
maxbytes=2147483647

Note: Current JDK versions contain security fixes that address long-standing Java object serialization vulnerabilities. There are serious side-effects to those changes which are described here:

https://dzone.com/articles/a-first-look-into-javas-new-serialization-filterin

As the article states, creating a whitelist, while theoretically possible, is extremely time-consuming and failure-prone, whereas creating a blacklist is prone to zero-day attacks (although it may be beneficial to add new threats to the blacklist as we learn of them - as virus scanners do).

org.apache.commons.collections.functors.InvokerTransformer is a known serialization attack vector. Research into finding additional classes to include in the blacklist for this filter is ongoing. Research is also continuing on the creation of a reliable and secure whitelist for this filter. This technical note will be updated when this information is available.

Point VHI at your new JDK

Stop all VHI services

        Verastream Host Emulator

        Verastream Host Integrator Log Manager

        Verastream Host Integrator Session Server

        Verastream Host Integrator Web Server

        Verastream Management Server

See Starting and Stopping Services in the VHI documentation: http://docs2.attachmate.com/verastream/vhi/7.7/en/index.jsp?topic=%2Fcom.attachmate.vhi.help%2Fhtml%2Fgettingstarted%2Fvhi_start_stop_services.xhtml

Create a symbolic link

Rename the directory containing the OEM JDK that shipped with VHI, e.g.,

Install-dir\Attachmate\Verastream\java\jdk1.8.0_162-64

to

Install-dir\Attachmate\Verastream\java\jdk1.8.0_162-64.bkp

Next, create a symbolic link (a directory junction on Windows) that points to your newly installed JDK. Name the link jdk1.8.0_162-64, or whatever the directory of the OEM JDK you are replacing is called. (Note: future versions of VHI will improve the directory naming scheme to help reduce confusion.)

Open a console in the …\Attachmate\Verastream\java\ directory and use the command:

        Windows Console: mklink /j old-jdk new-jdk (/j creates a directory junction)

        Windows Power Shell: New-Item -ItemType Junction -Path old-jdk -Value new-jdk

        Linux: ln -sn new-jdk old-jdk (-s := symbolic link; -n := no-dereference)

Where

        new-jdk refers to the name of the directory containing your newly installed JDK.

        old-jdk refers to the name of the directory containing the originally installed JDK.

The symbolic link should point to the directory containing the bin, jre and lib directories.

Start all VHI services

        Verastream Host Emulator

        Verastream Host Integrator Log Manager

        Verastream Host Integrator Session Server

        Verastream Host Integrator Web Server

        Verastream Management Server

Verify all services are running, and VHI operation is normal.
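A post-change check covering the serialization filter entries, the JDK link and the trust store described above. This is an added example, not part of this technical note or the VHI product; it assumes a Linux install, takes paths as arguments, and uses the default cacerts password "changeit" when keytool is available (the size threshold for the fallback is an assumption).

```shell
#!/bin/sh
# Verification helpers for the JDK swap described in this note (added example).

FILTER_CLASS='org.apache.commons.collections.functors.InvokerTransformer'

# Confirm the three serialization filter properties were added to java.security
# and that the InvokerTransformer blacklist entry is present in the first two.
check_filters() {  # $1 = path to java.security
    f="$1"
    grep -q "^jdk.serialFilter=!${FILTER_CLASS};\*" "$f" || return 1
    grep -q "^sun.rmi.registry.registryFilter=!${FILTER_CLASS};\*" "$f" || return 1
    grep -q '^sun.rmi.transport.dgcFilter=' "$f" || return 1
    return 0
}

# Confirm the link named after the OEM JDK is a symlink and resolves to a
# directory that contains bin, jre and lib, as the note requires.
check_jdk_link() {  # $1 = Verastream java directory, $2 = OEM JDK directory name
    link="$1/$2"
    [ -L "$link" ] || return 1
    for sub in bin jre lib; do
        [ -d "$link/$sub" ] || return 1
    done
    return 0
}

# Confirm the trust store is not empty. With keytool present, count
# trustedCertEntry lines (password "changeit" is the usual cacerts default;
# assumption). Without keytool, fall back to a size heuristic: the empty
# AdoptOpenJDK cacerts is only a few dozen bytes (threshold is an assumption).
check_cacerts() {  # $1 = path to cacerts
    ks="$1"
    [ -s "$ks" ] || return 1
    if command -v keytool >/dev/null 2>&1; then
        n=$(keytool -list -keystore "$ks" -storepass changeit 2>/dev/null \
            | grep -c trustedCertEntry || true)
        [ "${n:-0}" -gt 0 ]
    else
        [ "$(wc -c < "$ks")" -gt 1024 ]
    fi
}

# Usage: run all three checks when a JDK path and link name are supplied.
if [ $# -ge 2 ]; then
    jdk="$1/$2"
    check_filters "$jdk/jre/lib/security/java.security" && echo "filters: ok"
    check_jdk_link "$1" "$2" && echo "jdk link: ok"
    check_cacerts "$jdk/jre/lib/security/cacerts" && echo "cacerts: ok"
fi
```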