About this document
This document details changes introduced by the 4.2.2 version for DenyAll rWeb.
This version follows version 4.2.1 of DenyAll rWeb. This version is an LTS (Long Term Support).
Reminder of the LTS/LVS concepts:
- Long term support (LTS): these releases are maintained and supported for at least 3 years. They include no new features. Bug fixes and security patches will be issued approximately once a quarter. They are thoroughly tested and should be used in production environments.
- Last version support (LVS): these versions include new features and improvements. Bug fixes and security patches issued approximately twice a year. While they go through our Quality Assurance process, they should be used in production environments with caution.
Official release date
July 20th, 2016.
Backup : Application restore
The application backup restore procedure has been simplified. It is no longer required to stop all running applications before restoring. Instead, all applications are restored if possible, and conflicting situations are handled smoothly by letting the administrator review and edit them.
Applications are automatically imported either into the Restored group or the Conflict Restore group. In the latter case, the Incoming IP address is changed to a loopback address in order to avoid conflicts, and the Description field is updated with the former IP address as a reminder.
Notice : To prevent unexpected behaviors, all restored applications have their 'start on boot' flag reset to false.
Authentication : LDAP Extended
A new authentication scheme is available: LDAP Extended. This scheme provides several improvements over the standard one.
- Multiple providers: each LDAP provider has its own settings, allowing you to authenticate against different LDAP attributes inside the same Realm.
- UPN Stripping : keeps the username part of a User Principal Name (UserName@Example.Microsoft.com)
- Netbios Domain Stripping : keeps the username part of a Down-Level Logon Name (DOMAIN\UserName)
It is not required to move from the old LDAP scheme to the Extended one if not necessary. Both schemes will remain fully supported.
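The stripping rules above, as an added Python example (not rWeb code): it splits the three login shapes, routes each login to a provider by its NetBIOS domain or UPN suffix, and escapes the bare username before it is placed in an LDAP search filter. The provider routing table, the rejection of unknown domains and all function names are assumptions made for this illustration, not documented rWeb behaviour.

```python
"""Login normalisation for an LDAP Extended-style scheme: NetBIOS domain
stripping (DOMAIN\\user), UPN stripping (user@realm), per-realm provider
selection and LDAP filter escaping of the resulting username.
Added example: not DenyAll rWeb code; provider routing and names are assumptions."""

# RFC 4515 escapes for the characters that can alter an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter, so a login such as
    'a*)(uid=*' cannot rewrite the (uid=...) filter it is inserted into."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_login(login: str):
    """Return (domain_or_realm, username) for the three accepted login shapes.
    DOMAIN\\user   -> ("domain", "user")   NetBIOS Down-Level Logon Name
    user@realm     -> ("realm", "user")    User Principal Name
    user           -> (None, "user")       bare username
    The domain/realm part is lower-cased; the username part is returned as typed."""
    login = login.strip()
    domain, sep, user = login.rpartition("\\")
    if sep:
        return domain.lower(), user
    user, sep, realm = login.partition("@")
    if sep:
        return realm.lower(), user
    return None, login


def route_login(login: str, providers: dict, default_provider: str):
    """Pick the LDAP provider for a login and return (provider, escaped_username).
    providers maps a lower-cased NetBIOS domain or UPN suffix to a provider name
    (assumed design). A bare login goes to default_provider; a login carrying an
    unknown domain/realm is rejected rather than silently sent to the default."""
    key, user = split_login(login)
    if not user:
        raise ValueError("empty username after stripping: %r" % login)
    if key is None:
        provider = default_provider
    else:
        provider = providers.get(key)
        if provider is None:
            raise LookupError("no LDAP provider configured for %r" % key)
    return provider, ldap_filter_escape(user)


if __name__ == "__main__":
    # Constructed provider table; provider names are illustrative only.
    PROVIDERS = {"corp.example.com": "ldap-corp", "corp": "ldap-corp",
                 "partner.example.net": "ldap-partner"}
    for sample in ("jdoe@Corp.Example.com", "CORP\\jdoe", "jdoe", "a*)(uid=*"):
        print(sample, "->", route_login(sample, PROVIDERS, "ldap-default"))
```

Stripping is deliberately done before escaping, so the domain suffix is never looked up as part of the username, and the escaped value is what should reach the provider's filter template.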
Certificate : creation with SubjectAltName field
The certificate creation panel has been updated to better handle the subjectAltName X509 extension as described in RFC 2818, section 3.1 (Server Identity), first paragraph: subjectAltName must always be used. CN is only evaluated if subjectAltName is not present, and only for compatibility with old, non-compliant software.
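The rule quoted above, as an added Python example (not rWeb code): a hostname check over the dictionary shape returned by ssl.SSLSocket.getpeercert(), where subjectAltName takes precedence and the CN is consulted only when no subjectAltName exists. It goes slightly beyond the paragraph by also handling leftmost-label wildcards and IP literals; the certificates in it are constructed, not real.

```python
"""Server-identity check following the RFC 2818 rule: subjectAltName entries are
authoritative and the subject CN is consulted only when the certificate carries
no subjectAltName at all. Works on the dict shape returned by
ssl.SSLSocket.getpeercert() so it runs offline on constructed certificates.
Added example: not DenyAll rWeb code; the sample certificates are constructed."""
import ipaddress


def _san_entries(cert, kind):
    return [value for (typ, value) in cert.get("subjectAltName", ()) if typ == kind]


def _common_names(cert):
    return [value for rdn in cert.get("subject", ()) for (attr, value) in rdn
            if attr == "commonName"]


def _dns_match(pattern, hostname):
    """Case-insensitive DNS name comparison. A wildcard is accepted only as the
    whole leftmost label, needs at least two more labels (so '*.com' is refused),
    and never spans a dot: '*.api.example.com' matches 'v1.api.example.com' but
    not 'a.b.api.example.com' nor 'api.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """True if the certificate identifies hostname (a DNS name or an IP literal)."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are only ever matched against iPAddress SAN entries, never the CN.
        return any(ipaddress.ip_address(v) == ip for v in _san_entries(cert, "IP Address"))
    if cert.get("subjectAltName"):
        # SAN present: the CN is ignored entirely, even if it would have matched.
        return any(_dns_match(p, hostname) for p in _san_entries(cert, "DNS"))
    # Legacy fallback for certificates without any SAN (old, non-compliant software).
    return any(_dns_match(cn, hostname) for cn in _common_names(cert))


# Constructed certificates (not real), in getpeercert() layout.
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {"subject": ((("countryName", "FR"),), (("commonName", "old.example.com"),))}

if __name__ == "__main__":
    checks = ((CERT_WITH_SAN, "www.example.com"), (CERT_WITH_SAN, "legacy.example.com"),
              (CERT_WITH_SAN, "v1.api.example.com"), (CERT_CN_ONLY, "old.example.com"))
    for cert, host in checks:
        print(host, match_hostname(cert, host))
```

The second check is the one that trips people up: the CN "legacy.example.com" is present in CERT_WITH_SAN but is not matched, because the certificate also carries a subjectAltName. A certificate created with only a CN will keep working against a client that still falls back to CN, but not against one that requires subjectAltName.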
Acceleration : cache dir levels and cache dir length settings
The Acceleration - Caching settings now allow configuring the mod_cache_disk CacheDirLength and CacheDirLevels directives.
Notice : It is recommended to keep these values small, which lowers the amount of directory traversal needed on reads and writes. Length * levels must not exceed 20.
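To make the limit of 20 concrete, an added Python example (not rWeb or Apache code) that rejects invalid combinations and derives the on-disk path mod_cache_disk would use for a cache key: each level consumes CacheDirLength characters of a 22-character name derived from the key, and the remainder becomes the file name, so the product must leave at least two characters. The encoding used for the name is a stand-in for Apache's own alphabet, labelled as such in the code, so names differ from real cache entries but the directory layout is the same.

```python
"""Why CacheDirLevels * CacheDirLength is capped at 20: mod_cache_disk derives a
22-character name from the MD5 of the cache key, spends dirlength characters on
each of dirlevels directories, and uses what is left as the file name.
Added example, not rWeb or Apache code: the encoding below is a stand-in for
Apache's own base64 alphabet (assumption), so the names differ from real cache
entries while the directory layout is the same."""
import base64
import hashlib

MAX_PRODUCT = 20   # Apache refuses CacheDirLevels * CacheDirLength > 20
NAME_LEN = 22      # length of the encoded MD5 name


def validate_cache_dirs(levels: int, length: int) -> None:
    """Raise ValueError for settings mod_cache_disk would reject."""
    if not (1 <= levels <= MAX_PRODUCT and 1 <= length <= MAX_PRODUCT):
        raise ValueError("levels and length must each be between 1 and %d" % MAX_PRODUCT)
    if levels * length > MAX_PRODUCT:
        raise ValueError("CacheDirLevels * CacheDirLength (%d) must not exceed %d"
                         % (levels * length, MAX_PRODUCT))


def cache_name(key: str) -> str:
    """22-character, filename-safe name for a cache key (stand-in encoding:
    URL-safe base64 of the MD5 digest with padding removed)."""
    digest = hashlib.md5(key.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def cache_file_path(cache_root: str, key: str, levels: int = 2, length: int = 2) -> str:
    """Path a key is stored under: levels directories of length characters each,
    then the remaining NAME_LEN - levels*length characters as the file name."""
    validate_cache_dirs(levels, length)
    name = cache_name(key)
    parts = [name[i * length:(i + 1) * length] for i in range(levels)]
    parts.append(name[levels * length:])
    return "/".join([cache_root.rstrip("/"), *parts])


def directories_per_level(length: int) -> int:
    """Fan-out per level for a 64-symbol alphabet: length 2 already gives 4096
    directories per level, which is why small values are sufficient."""
    return 64 ** length


if __name__ == "__main__":
    # Constructed cache root and key; the defaults (2 levels of 2 chars) are Apache's.
    print(cache_file_path("/var/cache/rweb", "GET http://www.example.com/index.html"))
    print(cache_file_path("/var/cache/rweb", "GET http://www.example.com/index.html", 3, 1))
    try:
        validate_cache_dirs(7, 3)
    except ValueError as exc:
        print("rejected:", exc)
```

Each additional level is one more directory lookup on every cache read and write, which is the traversal cost the notice refers to; a deeper tree only pays off when a single directory would otherwise hold an unmanageable number of entries.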
UX : Application overview layout light-persistency
The Application Overview panel is the main screen for browsing and digging into your applications, and it is sometimes frustrating to have all searches reset each time you come back to it. From now on, for the duration of a user session, your latest layout and applied filtering are remembered.
UX : Security policy fast link
Subcategories in the Global view panel are now clickable links, allowing you to quickly jump to the corresponding category.
[DA-934] - CPU monitoring incomplete when there are 10 or more CPUs
[DA-3070] - Shared IP is not displayed on the GUI of the slave machine when the master is down
[DA-3099] - Warning does not display when configuring SLB for an application which does not use a Server Farm
[DA-3205] - Old description still displayed after modifying the description of a filter
[DA-3352] - Error when removing a KDC server which is in use in a Kerberos authentication policy
[DA-3402] - Error when using DAScript in report only
[DA-3416] - Timeout when saving the Whitelist configuration
[DA-3419] - Unset port 443 in the Location header when using HTTP to HTTPS redirect
[DA-3952] - (CLI) Missing some values in IP reputation.
[DA-3988] - SSL is disabled after modifying a simple application to link it to an SSL application
[DA-4020] - "Enable traffic recording" is disabled after log out
[DA-4067] - Refresh button in app overview acts like collapse all
[DA-4072] - Backup files not cleared
[DA-4126] - Unexpected log in catalina.out file when clicking the "PDF" button on the Monitor/Security panel
[DA-4205] - Error when starting restored applications using SSL onforce in special case
Certificate with empty CommonName
When listing certificates, the CommonName and description fields are still used as the certificate's display name. It is recommended to set the description field so that a certificate with an empty CommonName can be recognized.
In the following commands:
- <installation_path> is /opt/rweb on appliances and default installations.
- <patch_name> is the filename of the patch
Caution: if you have modified one of the following files (for performance tuning for example), you will need to keep track of your modifications in order to restore them manually after installing the patch:
cp <installation_path>/bin/init_rweb /tmp/init_rweb.old
cp <installation_path>/admin/conf/CoreManager.xml /tmp/CoreManager.xml.old
cp <installation_path>/admin/conf/httpd.conf /tmp/httpd.conf.old
Caution: if you have installed hotfixes on your current rWeb system, you must uninstall them before installing the cumulative patch. See the README notes of each hotfix for uninstallation instructions.
In order to retrieve which hotfixes have been installed on your system, you can display the following file (see knowledge base reference):
Before you install the patch, we recommend you perform a backup of your installation, as the patcher does not provide rollback.
To do so, you may either:
- Stop the VM and snapshot it (if you run rWeb in a virtualized environment), or
- Perform a backup of the software by logging into the software GUI, clicking "Tools/Admin" and generating a configuration backup. Note: this backup does not include any logs (alerts or traffic).
In order for a patch to be applied, rWeb must be stopped.
As support user issue the command below:
sudo <installation_path>/bin/init_rweb stop
Operations are to be performed as support user.
Upload archive in /var/tmp/
Uncompress archive: # tar xzf <patch_name>.tar.gz
Go into patch directory: # cd <patch_name>
Find patch XML file: # ls *.xml
sudo python patcher.py -p <xml_file> -n <installation_path> -v
Restore custom modifications
Once the patch is installed, you may restore your custom modifications by comparing the old and new files using the three commands below:
diff <installation_path>/bin/init_rweb /tmp/init_rweb.old
diff <installation_path>/admin/conf/CoreManager.xml /tmp/CoreManager.xml.old
diff <installation_path>/admin/conf/httpd.conf /tmp/httpd.conf.old
and manually inserting your custom modifications into the new files introduced by the patch.
Caution: do not replace the new file with the old one! As each new version may also bring changes to these files, the custom modifications have to be inserted manually into the new files (of the new version).
For instance, if you added memory to Tomcat (to boost GUI performance) before patching by modifying the file /opt/rweb/bin/init_rweb and changing:
export JAVA_OPTS="$JAVA_OPTS -Xms128m -Xmx1024m -XX:MaxPermSize=128m"
to:
export JAVA_OPTS="$JAVA_OPTS -Xms512m -Xmx1024m -XX:MaxPermSize=512m"
you will have to update the new export JAVA_OPTS command in the new /opt/rweb/bin/init_rweb file, which adds a java.library.path directive to the command. It will look like this:
export JAVA_OPTS="$JAVA_OPTS -Xms512m -Xmx1024m -XX:MaxPermSize=512m
Once rWeb has been patched and custom modifications are restored, rWeb can be started with the following command (with the support user):
sudo <installation_path>/bin/init_rweb start
Remove temporary files
Once rWeb has been patched, restarted and you checked everything works correctly, you can delete all temporary files created by this patcher by running the following command:
sudo rm -rf <installation_path>/patches/*