Questions asked by Alex Suter

Ghostcat vulnerability in Tomcat (CVE-2020-1938)

Alex Suter — Tue, 17 Mar 2020 10:00:35 -0400

IMPORTANT NOTE FROM 2020-05-12 Tomcat had a bug with AJP and IIS over HTTPS. Ivy 7.0.17 and 8.0.4/8.0.5 are affected by this bug. You will need to upgrade to 7.0.18 and 8.0.6.

The Axon.ivy Digital Business Platform is using Tomcat as web server. Ghostcat 👻😼 (CVE-2020-1938) is a security vulnerability in Tomcat and is related to the AJP protocol. AJP is a binary protocol and is used in conjunction with a reverse proxy like IIS or Apache httpd. A secure Axon.ivy Engine setup always includes a reverse proxy, like the following example:

Browser --> (HTTP, HTTPS) --> Reverse Proxy (IIS, Apache, ...) --> (AJP) --> Axon.ivy Engine

HTTP or HTTPS is also possible as communication protocol between the reverse proxy and the Axon.ivy Engine, but AJP is the most used setup, especially in Windows environments.

Are you affected by this vulnerability?

8.0 You are affected by this issue if you have explicitly enabled the AJP port and have not explicitly protected access to the Axon.ivy engine for example with a firewall.
7.0 You are affected by this issue if you not have explicitly disabled the AJP port and have not explicitly protected access to the Axon.ivy engine for example with a firewall.

How to fix this without updating?

Is your reverse proxy running on the same host as the Axon.ivy Engine?

Yes. You need to bind the AJP port only to localhost by setting the property Connector.AJP.Address to localhost in ivy.yaml and restart the Axon.ivy Engine. The AJP port is now only available on the host itself. For Axon.ivy 7.0 you need to set the system property WebServer.AJP.Address to localhost.
No. Configure your network to ensure exclusive access between the reverse proxy and the Axon.ivy Engine. If this is not possible, you will need to setup a firewall on the host where the Axon.ivy Engine is running. Only requests from the reverse proxy must be allowed.

What will change in Axon.ivy 7.0.17 and 8.0.6?

Axon.ivy will come with the latest Tomcat version:

Axon.ivy 8.0.6 comes with Tomcat 9.0.35
Axon.ivy 7.0.18 comes with Tomcat 8.5.55

Tomcat has changed the default behavior of the AJP port. AJP is now bound by default to localhost and not anymore to every network interface (nic). This means nobody can access the Axon.ivy Engine from another host via AJP. Furthermore the AJP port is now also disabled by default in Axon.ivy 7.0.18.

What do you have to do when upgrading to 7.0.18?

Is your reverse proxy running on the same host as the Axon.ivy Engine?

Yes. Just make sure that the system property WebServer.AJP.Address is empty after the upgrade. So we take the Tomcat default and the AJP port is only available locally.
No. You need to bind the AJP port to the public network address by setting the system property WebServer.AJP.Address to YOUR_AXON_IVY_ENGINE_IP_ADDRESS. Additionally, you need to configure your network to ensure exclusive access between the reverse proxy and the Axon.ivy Engine. If this is not possible, you will need to setup a firewall on the host where the Axon.ivy Engine is running. Only requests from the reverse proxy must be allowed.

If you don't use a reverse proxy at all, then you need to disable the AJP port by setting the system property WebServer.AJP.Enabled to false.

What do you have to do when upgrading to 8.0.6?

Is your reverse proxy running on the same host as the Axon.ivy Engine?

Yes. Just make sure that Connector.AJP.Address in ivy.yaml is empty after the upgrade. So we take the Tomcat default and the AJP port is only available locally.
No. You need to bind the AJP port to the public network address by setting the property Connector.AJP.Address to YOUR_AXON_IVY_ENGINE_IP_ADDRESS in ivy.yaml. Additionally, you need to configure your network to ensure exclusive access between the reverse proxy and the Axon.ivy Engine. If this is not possible, you will need to setup a firewall on the host where the Axon.ivy Engine is running. Only requests from the reverse proxy must be allowed.

isapi.dll and mod_jk.so upgrades

We also bundle with the upcoming release the latest version of isapi.dll and mod_jk.so. They are needed by the reverse proxy (IIS, Apache httpd). We recommend to upgrade them on the reverse proxy as described in the migration guide.

What about secret and secretRequired?

You may have read something about secret or secretRequired. This is an alternative way to protect the communication between the reverse proxy and Axon.ivy Engine. We believe that a secure communication between the reverse proxy and the Axon.ivy Engine should be protected by firewall rules even in trusted networks and therefore this is not needed.

If you don't have the same opinion, we would love to hear 👂 why!

If you really want to use secret and secretRequired, you can define them in ivy.yaml (see configuration). Furthermore you need to define the secret itself in the [worker.properties][5] as part of the reverse proxy installation.

Security is important to us 💯 %

We, the platform development team, take security very seriously. If you have any questions or find other weaknesses, please do not hesitate to contact us.

AXIS web service client calls LinkageError with Policy

Alex Suter — Thu, 12 Mar 2020 01:45:20 -0400

Since Axon.ivy 8.0 you may have problems with AXIS web service client calls, which you will notice in the log as follows:

LinkageError: loader constraint violation: loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @4797c3e2 wants to load class org.apache.neethi.Policy. A different class with the same name was previously loaded by org.eclipse.osgi.internal.loader.EquinoxClassLoader @59b5251d. (org.apache.neethi.Policy is in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @59b5251d, parent loader 'platform')

This problem occurs in combination with web service policies. To fix this issue, you need to migrate to the CXF Web Service Client technology - the AXIS stack is deprecated.

We have invested heavily in the new CXF technology in the Web Service Call Stack . If you have any problems with CXF, please contact us. We will take our time and make the CXF stack even better 💪!

CXF Web Service Client improvements in 8.0.3

Alex Suter — Thu, 05 Mar 2020 02:33:11 -0500

By default CXF Web Service Calls runs by default with HttpUrlConnection of Java. HttpUrlConnection is limited when it comes to authenticate against a NTML web service.

CXF provides the ability to change the implementation of the connection itself to org.apache.http.nio.client.HttpAsyncClient. Besides the full support of NTML it also provides better performance. Due that fact we changed the default connection to HttpAsyncClient of CXF Web Service Calls.

There are no known compatibility issues between these to implementations. If you face one, please contact us. And you are always still able to fallback by setting the use.async.http.conduit to false on the Web Service Client.

How to use WS-Addressing in a webservice call?

Alex Suter — Wed, 21 Feb 2018 10:36:38 -0500

I need to use web service standard WS-Addressing to call a web service. How can I use it?

JSF View Scope can lead to memory leak

Alex Suter — Wed, 18 Oct 2017 10:52:04 -0400

JSF stores the View Scope (@ViewScope) in the session store. Can this lead to memory issues?

How to install and use the Linux Designer

Alex Suter — Fri, 08 Sep 2017 03:06:14 -0400

We release since version 6.7.0 the Axon.ivy Designer for Linux. Basically, it runs very well.

Simple automated installation

Download and unpack the Designer to a location of your choice. E.g. ~/opt/Designer7
run the install-ivy-dependencies.sh script in the root of the designer.
run Axon.ivy Designer

Manual Dependency Installation

The manual installation process on a Debain based Linux is as follows:

Install libwebkitgtk-1.0.0 that the internal browser works correctly. A simple APT command should be sufficient:
- sudo apt install libwebkitgtk-1.0.0
- if this browser library is not installed: the web browser will fail with an error such as this in the screen
Install a Java Runtime Environment (JRE). sudo apt install openjdk-8-jdk sudo apt install openjfx
For the fast JNI SVN Team connector the libraries must be made accessible
- sudo apt-get install libsvn-java
Download and unpack the Linux Designer. E.g. into ~/Downloads/Designer7
Run the eclipse binary in the unpacked Designer directory. Enjoy!

Only for versions older than 7.0.0

Windows tools.jar included instead of Linux tools.jar (configuration/org.eclipse.osgi/107/0/.cp/lib/tools.jar)
- Could lead to serious problems (e.g. jmockit). Replacing existing Windows tools.jar with a Linux tools.jar solved it.

Other Fixes

https://answers.axonivy.com/questions/3410/error-uncaught-exception-in-thread-awt-eventqueue-1-linux-mint-19

This Q&A entry is a community wiki. Share your experiences with us!

How to create cancel or park button in my Html Dialog?

Alex Suter — Fri, 08 Sep 2017 01:43:30 -0400

On what should I pay attention when I want to create a cancel or a park button in my Html Dialog?

Can't sign up to Axon.ivy Q&A

Alex Suter — Mon, 29 May 2017 05:01:50 -0400

I can't sign up to Axon.ivy Q&A because I do not receive a confirmation mail.

Reserved request parameters

Alex Suter — Fri, 21 Apr 2017 15:47:27 -0400

Hi Ivy.team,

I have a concern when trying to attach a param names "lang" to an URL. Ex: http://localhost:8081/ivy/pro/designer/abc/15A6EF8EF2C5F61B/start.ivp?lang=EN

And it returns null when extract by using ivy.request.getFirstParameter("lang").

Then, I change it to "language" as below. http://localhost:8081/ivy/pro/designer/abc/15A6EF8EF2C5F61B/start.ivp?language=EN Now it returns value EN with ivy.request.getFirstParameter("language") as I expect.

Is lang a keywork or something which couldn't use for url param?

Asked by @thienqh

Portal deployment

Alex Suter — Tue, 28 Mar 2017 16:16:56 -0400

I use the portal for my business processes. There is already a portal deployed as part of the engine. How should I deploy my projects which depends on the portal projects?

Variant 1 - One Application: All projects in one application (Portal Projects / Custom Projects).

Variant 2 - Multiple Applications: One Application for the portal and one or multiple custom applications for my custom projects? How does the user mangement works in this case?

Aspose "Evaluation only" message

Alex Suter — Fri, 24 Mar 2017 10:02:34 -0400

I create documents with Aspose, which is offically part of IvyAddOns. Why is on each generated document an "evaluation only" message?

This code generates the document:

import com.aspose.words.Document;
Document doc = new Document("C:\\temp\\test.docx");
doc.save("C:\\temp\\test.pdf");

I can't import java.util.Date in script step, why?

Alex Suter — Mon, 13 Mar 2017 08:13:25 -0400

I can't import java.util.Date, why?