• Spaces
  • People
  • Help
    • BMC Support Central BMC Communities BMC.com
    ×
    BMC TrueSight App Visibility Manager 2.6

    Page tree
    Skip to end of metadata
    Go to start of metadata

    This patch repairs the POODLE (Padding Oracle On Downgraded Legacy Encryption) security vulnerabilities for communication between Application Diagnostics Agents for Java and Application Diagnostics Server components.

    After installing the patch, you can no longer use SSL 3.0, and specifically the RC4 protocol.

    Do you need to install this patch?

    This patch is intended for Application Diagnostics version 2.6.10. For earlier versions of Application Diagnostics Server, first upgrade the Server components to 2.6.10. The Agents are upgraded with the patch scripts.

    If you have questions about whether to install this patch, contact BMC Customer Support.

    Warning

    After you upgrade the Application Diagnostics Server, the Agent for .NET can no longer monitor application servers running on Windows 2003.

    A workaround enables monitoring of Windows 2003 application servers, but the workaround does not remove the POODLE security vulnerability.

    This notification contains the following topics:

    Downloading the patch

    See Downloading the installation files for BMC Application Diagnostics and select the Patches tab.

    Patch contents

    File nameDescriptions
    readme.txtPatch description and installation instructions
    adops-agent-upgrade.batPatch upgrade script for the Agent for Java on Windows
    adops-agent-upgrade.shPatch upgrade script for the Agent for Java on Linux
    adops-agent-install.batInstallation script for version 2.6.10.15 of Agent for Java on Windows
    adops-agent-install.shInstallation script for version 2.6.10.15 of Agent for Java on Linux
    agentInstaller.jarUpgraded JAR file, used by the Agent for Java
    common-server.jarUpgraded JAR file to replace the file for each Application Diagnostics Server component
    portal.jarUpgraded JAR file to replace the file in the Application Diagnostics Portal

    Applying the Patch

    To apply the patch, first patch the Application Diagnostic Server components, then upgrade each Agent for Java, as instructed in the following sections.

    To apply the patch to the Application Diagnostic Server components

    Replace the required file on the Application Diagnostics Portal, Collector, and Proxy servers, and modify the property files as instructed.

    If the Portal, Collector, and APM Proxy are installed on the same computer, replace the file once, otherwise, replace it for each installation.

    1. Stop the service or services.
    2. In the server installation directory, under the common/lib directory, replace common-server.jar with the file in this patch.

      The following file paths show the default installation directory:

      • (Windows) C:\Program Files\BMC Software\BMC Application Diagnostics\common\lib

      • (Linux) /opt/bmc/BMC_Application_Diagnostics/common/lib

    3. In the Portal installation directory, under portal/lib directory, replace the portal.jar with the file in this patch.

      The following file paths show the default installation directory:

      (Windows) C:\Program Files\BMC Software\BMC Application Diagnostics\portal\lib

      (Linux) /opt/bmc/BMC_Application_Diagnostics/portal/lib

    4. Open the properties file for each component in a text editor:

      • Portal: installationDirectory\portal\properties\portal.properties

      • Collector: installationDirectory\collector\properties\collector.properties

      • APM Proxy: installationDirectory\apm-proxy\properties\apm-proxy.properties

    5. For each component properties file, add the following lines for the tomcat.ciphers and the tomcat.ssl.enabled.protocols properties:

      # A comma separated list of encryption ciphers to support for HTTPS connections. Spaces between list items are not allowed.
tomcat.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA

#The comma separated list of SSL protocols to support for HTTPS connections. Spaces between list items are not allowed.
#Default Value: TLSv1,TLSv1.1,TLSv1.2
tomcat.ssl.enabled.protocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
    6. Restart the service or services.

    To apply the patch to the Agent for Java

    On each computer with an Agent for Java, run the included adops-agent-upgrade file that is appropriate for your environment. Use the -skipVer option to upgrade the Agent, regardless of version:

    • Windows
      adops-agent-upgrade.bat -s -d installationDirectory -skipVer
    • Linux
      ./adops-agent-upgrade.sh -s -d installationDirectory -skipVer

    Replace installationDirectory with the full path to the existing Application Diagnostics Agent installation directory, which must include the ADOPsInstall directory. For example: c:\BMC Software\ADOPs\ADOPsInstall

    For complete upgrade instructions, see Upgrading the Diagnostics Agent for Java.

    To install a new Agent for Java

    You can install an Agent for Java on an application server where an agent is not installed. The following silent installation command uses the default values for Agent installation:

    • Windows
      adops-agent-install.bat -s -a application_display_name
    • Linux
      ./adops-agent-install.sh -s -a application_display_name


    Replace application_display_name with the display name of the application that the Agent monitors. The value is required and can include up to 255 alphanumeric Latin characters, and the following special characters: ~ ` ! @ # $ % ^ & * ( ) - _ + = ? . , ; /

    For complete installation instructions, see Installing the Diagnostics Agent for Java.

    Workaround for Windows 2003 application servers

    Warning

    The following workaround enables the Application Diagnostics Agent for .NET to monitor application servers, but the servers are open to the POODLE vulnerability.

    Follow the instructions To apply the patch to the Application Diagnostic Server components. For the portal.properties and collector.properties, add the item "SSL_RSA_WITH_RC4_128_SHA" to the beginning of the tomcat.ciphers property:

    # A comma separated list of encryption ciphers to support for HTTPS connections. Spaces between list items are not allowed.
tomcat.ciphers=SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA

    If a problem occurs

    If you encountered problems during the installation of the patch or if you could not access the internet to run the installation, contact BMC Customer Support. 

    Related topics

    Release notes and notices

    Known and corrected issues

     

    © Copyright 2005-2020 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.