TPS-5178 (cumulative patch) - 7.2

Version
7.2
Language
English (United States)
Product
Talend Big Data
Talend Big Data Platform
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
Module
Talend Identity and Access Management

TPS-5178 (cumulative patch)

Info Value
Patch Name Patch_20220408_TPS-5178_v1
Release Date 2022-04-08
Target Verson 20220408_1-V7.2.1
Product affected IAM

Introduction

This patch is cumulative. It includes all previous generally available patches for Talend IAM 7.2.1.

NOTE: For information on how to obtain this patch, reach out to your Support contact at Talend.

Fixed issues

This patch contains the following fixes:

  • TPS-3326: [7.2.1] Remove hard coded keys used for encryption from sts-tac
  • TPS-4184: [7.2.1] TDS - ORA-00904: "SERVERAUTHORIZATIONCODEGRANT_CODE": invalid identifier (TPSVC-14824)
  • TPS-5056: [7.2.1] Patch log4j CVE in Syncope
  • TPS-5178: [7.2.1] Patch Spring4Shell CVE-2022-22965

Prerequisites

Consider the following requirements for your system:

  • Talend IAM 7.2.1 must be installed.

Installation

  1. Stop IAM.
  2. Create a backup directory 
    $ mkdir -p <backup_dir>
  3. Copy original sts.war, sts-tac.war, idp.war,oidc.war,syncope.war,syncope-enduser.war,syncope-console.war and scim.war to backup dir 
    $ cp <TALEND>/iam/apache-tomcat/webapps/sts.war <backup_dir>
$ cp <TALEND>/iam/apache-tomcat/webapps/sts-tac.war <backup_dir>
$ cp <TALEND>/iam/apache-tomcat/webapps/idp.war <backup_dir>
$ cp <TALEND>/iam/apache-tomcat/webapps/oidc.war <backup_dir>
$ cp <TALEND>/iam/apache-tomcat/webapps/scim.war <backup_dir>
$ cp <TALEND>/iam/apache-tomcat/webapps/syncope.war <backup_dir>
$ cp <TALEND>/iam/apache-tomcat/webapps/syncope-enduser.war <backup_dir>
$ cp <TALEND>/iam/apache-tomcat/webapps/syncope-console.war <backup_dir>
    Note: if you made any changes in extracted services apps before don't forget to backup them too.
  4. Remove original sts, sts-tac, idp, oidc,syncope,syncope-enduser,syncope-console and scim webapp directories 
    $ rm -rf <TALEND>/iam/apache-tomcat/webapps/sts
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/sts-tac
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/idp
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/oidc
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/scim
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/syncope
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/syncope-enduser
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/syncope-console
  5. Copy patched war-s to webapps directory replacing original ones 
    $ cp sts.war <TALEND>/iam/apache-tomcat/webapps/
$ cp sts-tac.war <TALEND>/iam/apache-tomcat/webapps/
$ cp idp.war <TALEND>/iam/apache-tomcat/webapps/
$ cp oidc.war <TALEND>/iam/apache-tomcat/webapps/
$ cp scim.war <TALEND>/iam/apache-tomcat/webapps/
$ cp syncope.war <TALEND>/iam/apache-tomcat/webapps/syncope
$ cp syncope-enduser.war <TALEND>/iam/apache-tomcat/webapps/syncope-enduser
$ cp syncope-console.war <TALEND>/iam/apache-tomcat/webapps/syncope-console
  6. Save setenv.bat and setenv.sh from <TALEND>/iam/apache-tomcat/bin/ in backup dir 
    $ cp <TALEND>/iam/apache-tomcat/bin/setenv.bat <backup_dir>
$ cp <TALEND>/iam/apache-tomcat/bin/setenv.sh <backup_dir>
  7. Replace setenv.bat and setenv.sh in <TALEND>/iam/apache-tomcat/bin/ with file setenv.bat and setenv.sh from patch 
    $ cp setenv.bat <TALEND>/iam/apache-tomcat/bin/
$ cp setenv.sh <TALEND>/iam/apache-tomcat/bin/
  8. Copy keys.properties from patch in<TALEND>/iam/apache-tomcat/conf/ 
    $ cp keys.properties <TALEND>/iam/apache-tomcat/conf/
  9. Save <TALEND>/iam/apache-tomcat/conf/iam.properties 
    $ cp <TALEND>/iam/apache-tomcat/conf/iam.properties <backup_dir>
  10. Replace encrypted values with plain text in <TALEND>/iam/apache-tomcat/conf/iam.properties. Those values will be encrypted with the new key when starting IAM.
  11. (Only on Windows and only if IAM is started as a service) Run tomcat9w.exe as shown below, it will open a dialog window. In this window go to "Java" tab, then add -Dencryption.keys.file=<TALEND>\iam\apache-tomcat\conf\keys.properties to "Java Options" list. 
    <TALEND>\iam\apache-tomcat\bin\tomcat9w.exe //ES//talend-iam-7.2.1
  12. Start IAM.

Uninstallation

  1. Stop IAM.
  2. Remove original sts, sts-tac, idp, oidc,syncope,syncope-enduser,syncope-console and scim webapp directories 
    $ rm -rf <TALEND>/iam/apache-tomcat/webapps/sts
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/sts-tac
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/idp
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/oidc
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/scim
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/syncope
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/syncope-enduser
$ rm -rf <TALEND>/iam/apache-tomcat/webapps/syncope-console
  3. Copy saved sts.war, sts-tac.war, idp.war,oidc.war,syncope.war,syncope-enduser.war,syncope-console.war and scim.war from backup dir 
    $ cp <backup_dir>/sts.war <TALEND>/iam/apache-tomcat/webapps/
$ cp <backup_dir>/sts-tac.war <TALEND>/iam/apache-tomcat/webapps/
$ cp <backup_dir>/idp.war <TALEND>/iam/apache-tomcat/webapps/
$ cp <backup_dir>/oidc.war <TALEND>/iam/apache-tomcat/webapps/
$ cp <backup_dir>/scim.war <TALEND>/iam/apache-tomcat/webapps/
$ cp <backup_dir>/syncope.war <TALEND>/iam/apache-tomcat/webapps/
$ cp <backup_dir>/syncope-enduser.war <TALEND>/iam/apache-tomcat/webapps/
$ cp <backup_dir>/syncope-console.war <TALEND>/iam/apache-tomcat/webapps/
  4. Replace setenv.bat and setenv.sh in <TALEND>/iam/apache-tomcat/bin/ with file setenv.bat and setenv.sh from backup dir 
    $ rm -rf <TALEND>/iam/apache-tomcat/bin/setenv.bat 
$ rm -rf <TALEND>/iam/apache-tomcat/bin/setenv.sh 
$ cp <backup_dir>/setenv.sh <TALEND>/iam/apache-tomcat/bin/
$ cp <backup_dir>/setenv.bat <TALEND>/iam/apache-tomcat/bin/
  5. Remove keys.properties from <TALEND>/iam/apache-tomcat/conf/ 
    $ rm <TALEND>/iam/apache-tomcat/conf/keys.properties
  6. Restore <TALEND>/iam/apache-tomcat/conf/iam.properties 
    $ rm -rf <TALEND>/iam/apache-tomcat/conf/iam.properties
$ cp <backup_dir>/iam.properties <TALEND>/iam/apache-tomcat/conf/
  7. Start IAM

Affected files for this patch

The following files are installed by this patch: - sts.war - sts-tac.war - idp.war - oidc.war - scim.war - syncope.war - syncope-enduser.war - syncope-console.war

Notes:

When starting IAM, not encrypted password settings ( /iam/apache-tomcat/conf/iam.properties ) and client secrets in the application client settings ( json files in /iam/apache-tomcat/clients ) will automatically be encrypted and saved. In case you change the value of aes.key in keys.properties, you need to replace the encrypted passwords and secrets with plaintext values before restarting IAM with the new encryption key(s). Please refer to the documentation "Installing and configuring Talend Identity and Access Management" ( https://help.talend.com/reader/2~mlhPhrG6zeV9Ccrky5Ig/o0Ou1pAi3d5WIbcrfz_XpA ) to locate the settings ( commonly entries ending with '.password' or named 'client_secret') that need to be changed for the Talend applications accessed via IAM.