Security Patch: uPortal Framework and Academus Classifieds

The following information describes an Academus security patch that has been released to address two items:

(1) A security vulnerability in the uPortal framework and

(2) Addition of SSL support for the Academus Classifieds channel.

The uPortal security hole occurs only in installations where the portal authenticates against its portal database (that is, where Simple Security Context is used in security.properties). SSL support was added to the Academus Classifieds channel to securely accommodate Academus clients who wish to implement Apache SSL for their portals.

Please read through all of the instructions before attempting any patches or updates to your system. If you have any questions about the patches or the instructions, please do not hesitate to contact Customer Support.

Release Notes:

(1) A security vulnerability in the uPortal framework and

(2) Addition of SSL support for the Academus Classifieds channel.

Patch Information:

Patch Number: 031023-000002
Patch File Name: 031023-000002.jar
Patch Type: Security
Patch Release Date: 10-03-2003

Files Affected:

{InstallDirectory}/unicon/Academus/portal-tomcat-a/webapps/portal/WEB-INF/classes/org/jasig/portal/security/provider/RDBMAccountStore.class

{InstallDirectory}/unicon/Academus/portal-tomcat-a/webapps/portal/WEB-INF/classes/org/jasig/portal/utils/URLUtil.class

Installation Instructions:

Important: Please read through the entire set of instructions before installing the patch.

  1. Copy 031023-000002.jar into the following directory:
    {InstallDirectory}/unicon/Academus/portal-tomcat-a/webapps/portal/WEB-INF/classes
  2. Back up the files that are to be replaced.
  3. Create the directory:
    {InstallDirectory}/unicon/packages/patches/backups/031023-000002
  4. Copy the 2 files listed in the "Files Affected" section above to this directory.
  5. Un-Jar the patch:
    {InstallDirectory}/unicon/tools/j2sdk/bin/jar xvf 031023-000002.jar
  6. Move the patch file to:
    {InstallDirectory}/unicon/packages/patches

Restart:

UNIX:
{InstallDirectory}/unicon/bin/academusctl stop tomcat
{InstallDirectory}/unicon/bin/academusctl start tomcat

Windows:
{InstallDirectory}\unicon\bin\stop
{InstallDirectory}\unicon\bin\start

If your portal is configured for APACHE-SSL, PLEASE READ:

To use the Classifieds channel with Apache-SSL, you will need to add the server certificate to your Tomcat certificate store. Follow the instructions below to accomplish this task. Certificate locations may differ between installs. If you cannot locate your certificate files, please contact Academus Customer Support.

Run the following command from the "{InstallDir}/unicon/tools/j2sdk/bin" directory:
keytool -import -keystore ../jre/lib/security/cacerts -file {path to your server.crt file for apache: SEE Note:}

Note: The server.crt file is usually located in "{InstallDir}/unicon/Academus/portal-apache/config/ssl". Its name can vary from install to install, but the file extension should be ".crt".

Additional Notes:

  • Some commands may differ slightly between UNIX and Windows.
  • Make sure that you have the j2sdk/bin directory in your path for Windows before unjarring the patch file.
  • Note that the files that are installed must have the same permissions and ownership as the other files in the classes directory on UNIX.
  • Older installations will have "unicon/Academus/portal-tomcat" instead of "unicon/Academus/portal-tomcat-a".
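
The backup steps (2 to 4) and the permissions note above can be scripted and checked on UNIX. This is an added example, not part of the original patch or Unicon's tooling; the function names and the MANIFEST file are assumptions. Run backup_affected before un-jarring (step 5) and verify_patched afterwards.

```shell
#!/bin/sh
# Added example: back up the two affected classes (steps 2-4) and, after the
# un-jar in step 5, check that both were replaced with unchanged mode/owner.
PATCH=031023-000002
FILES="org/jasig/portal/security/provider/RDBMAccountStore.class
org/jasig/portal/utils/URLUtil.class"

# Print "mode uid gid" for a file, taken from ls -ln.
meta() { ls -ln "$1" | awk '{print $1, $3, $4}'; }

# backup_affected INSTALL_DIR [TOMCAT_DIR]
# TOMCAT_DIR defaults to portal-tomcat-a; older installs pass portal-tomcat.
backup_affected() {
    classes="$1/unicon/Academus/${2:-portal-tomcat-a}/webapps/portal/WEB-INF/classes"
    backup="$1/unicon/packages/patches/backups/$PATCH"
    mkdir -p "$backup" || return 1
    : > "$backup/MANIFEST"   # assumed file name, records pre-patch metadata
    for f in $FILES; do
        name=$(basename "$f")
        cp -p "$classes/$f" "$backup/$name" || return 1
        cmp -s "$classes/$f" "$backup/$name" || return 1   # backup is byte-identical
        echo "$(meta "$classes/$f") $f" >> "$backup/MANIFEST"
    done
}

# verify_patched INSTALL_DIR [TOMCAT_DIR]
# Returns 0 only if every affected class differs from its backup and still has
# the mode, uid and gid recorded before patching.
verify_patched() {
    classes="$1/unicon/Academus/${2:-portal-tomcat-a}/webapps/portal/WEB-INF/classes"
    backup="$1/unicon/packages/patches/backups/$PATCH"
    rc=0
    while read -r mode uid gid f; do
        name=$(basename "$f")
        if cmp -s "$classes/$f" "$backup/$name"; then
            echo "NOT REPLACED: $f" >&2; rc=1
        fi
        if [ "$(meta "$classes/$f")" != "$mode $uid $gid" ]; then
            echo "PERMISSIONS/OWNER CHANGED: $f" >&2; rc=1
        fi
    done < "$backup/MANIFEST"
    return $rc
}
```

A non-zero return from verify_patched means a class was not replaced by the un-jar or no longer matches its pre-patch permissions and ownership; the backups can be copied back with cp -p.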