The best approach would be to upgrade to the latest release of the webserver, i.e. 7.0, which meets all your security requirements.
1) Disable TLS Renegotiation - SP 17 takes care of this
Well, apply the patch then.
2) Add the HttpOnly to all cookies
This is the default in 7.0.12 and later. A workaround is to ask your developers to include that option for all the cookies they generate.
3) Add the Secure flag to cookies sent over SSL
Ask your developers to add the secure flag in all their web.xml files.
4) Upgrade to latest SSL (I am assuming I can just download and install the latest openssl)
The web server uses NSPR and it is updated in SP12+.
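Whichever way the flags end up being set (server default or developer code), the check worth running afterwards is to look at the Set-Cookie headers the server actually emits. The following is an added example, not code from the thread or from the Sun product: a small POSIX shell/awk audit that reads raw HTTP response headers on stdin (for instance the output of `curl -sI https://host/` or an `openssl s_client` session) and reports every cookie that lacks HttpOnly or Secure. The headers at the bottom are constructed sample input, not a capture from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): audit Set-Cookie headers for the
# HttpOnly and Secure flags. Feed it raw response headers on stdin, e.g.
#   curl -sI https://host/ | audit_cookies
# Exit status is 0 either way; the output lists the cookies that need work.

# audit_cookies: print "<cookie name>: missing <flags>" for every Set-Cookie
# header on stdin that lacks HttpOnly and/or Secure. Empty output means
# every cookie carries both flags. CRLF line endings are tolerated.
audit_cookies() {
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            header = $0
            sub(/^[^:]*:[ \t]*/, "", header)      # drop "Set-Cookie:" prefix
            name = header
            sub(/=.*/, "", name)                   # keep only the cookie name
            # Append ";" so the last attribute matches the same pattern as
            # the others (attribute names are case-insensitive per RFC 6265).
            lower = tolower(header) ";"
            missing = ""
            if (lower !~ /;[ \t]*httponly[ \t]*;/) missing = missing " HttpOnly"
            if (lower !~ /;[ \t]*secure[ \t]*;/)   missing = missing " Secure"
            if (missing != "") printf "%s: missing%s\n", name, missing
        }'
}

# Constructed sample headers (not a real capture) to show the output format:
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly
Set-Cookie: prefs=dark; Path=/
Set-Cookie: token=xyz; Path=/; Secure
Content-Type: text/html'

# Prints:
#   prefs: missing HttpOnly Secure
#   token: missing HttpOnly
printf '%s\n' "$SAMPLE_HEADERS" | audit_cookies
```

Run it against each virtual server and each application path that sets cookies, because a flag added in one web.xml says nothing about cookies set by a different application on the same instance.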
Thank you very much, I appreciate it. How do I upgrade to 7.0?
Okay, got the steps.....
How do I find out if:
The server being migrated and the Web Server 7.0 Administration Server must reside on the same host.
I'd rather take the path of least changes, so applying SP 17 seems the best way to go. However, is there a backout procedure for applying this SP? Is it applied just like a Solaris patch?
It depends on whether you got a package or zip (file) installed version. For the file version, you just install it on top of your existing installation. It will detect that an older version is already installed and do an update instead. As for restore, a backup of the webserver directory should be sufficient, which you can just restore. For the package based install, it will follow the Solaris patch management mechanism.
Thank you for your response. I appreciate it. I am a newbie to SunOne webserver. So I'll ask this question. I know we have several instances running. How do I backup the webserver directory - how do I find out where it is and is a tar of it sufficient? Please help.
It is a zip file inside the patch - I think. We do not have s/w subscription - we can only download os/firmware/public patches - so I'm looking at pricing for s/w patches. I'll be sure once I get the patch. But I'm pretty confident that it's a zip file.
OK, when you installed the webserver, did you have to run the install as the root user or just any user? The package based installer requires root user privileges and puts the binaries under /opt/SUNWwebserver and the configuration under /var/opt/SUNWwebserver/https-instancename. The file/zip based installer lets you install anywhere and as any user and also puts the instances under the same directory structure.
So you have two things to worry about, the binaries and the instance configurations. The config is more important. Basically the directories starting https- are where the configurations for each instance are stored. There are additionally the alias and httpacl directories for the SSL certificates and ACLs which you should also backup. If it is a file/zip based installation, all you need is to just zip/tar up the entire directory.
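The backup-before-patch step from the reply above, as an added example that is not from the thread or from the Sun product. It assumes the layout the reply describes: `https-<instance>/` directories plus `alias/` (certificate databases) and `httpacl/` (ACL files) directly under one install root, whether that root is `/opt/SUNWwebserver`, `/var/opt/SUNWwebserver` or a zip-install directory of your choosing. The function name, the archive naming and the sample tree built at the bottom are all constructed for the example; the test tree stands in for a real install.

```shell
#!/bin/sh
# Added example (not from the thread): archive the per-instance config,
# certificate databases and ACLs under a Web Server install root before
# applying a service pack, so the backout is simply "restore the tarball".
# Locating the root on a running box: the webservd processes usually show
# the instance config directory on their command line (ps -ef | grep webservd).

# backup_ws_config ROOT DEST
# Tars every https-* directory plus alias/ and httpacl/ found directly under
# ROOT into DEST/ws-config-<timestamp>.tar.gz and prints the archive path.
# Paths inside the archive are relative to ROOT, so the backout is:
#   tar xzf DEST/ws-config-<timestamp>.tar.gz -C ROOT
# Returns 1 (and archives nothing) if ROOT holds no https-* directory,
# which almost always means the wrong directory was given.
backup_ws_config() {
    root=$1
    mkdir -p "$2" || return 1
    dest=$(cd "$2" && pwd)              # absolute, since we cd into ROOT below
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/ws-config-$stamp.tar.gz"
    members=""
    for d in "$root"/https-* "$root"/alias "$root"/httpacl; do
        [ -d "$d" ] && members="$members $(basename "$d")"
    done
    case "$members" in
        *https-*) ;;
        *) echo "no https-* instance directories under $root" >&2; return 1 ;;
    esac
    # $members is intentionally unquoted: it is a space-separated list.
    (cd "$root" && tar czf "$archive" $members) || return 1
    echo "$archive"
}

# Demo on a constructed sample tree (mktemp, so it runs anywhere and touches
# no real installation). File and instance names are made up.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/https-www/config" "$demo_root/https-admin/config" \
         "$demo_root/alias" "$demo_root/httpacl" "$demo_root/lib"
echo '<server/>'  > "$demo_root/https-www/config/server.xml"
echo 'constructed' > "$demo_root/alias/https-www-cert8.db"
echo 'constructed' > "$demo_root/lib/libns-httpd.so"   # binaries: not archived
archive=$(backup_ws_config "$demo_root" "$demo_root/backup")
echo "wrote $archive"
tar tzf "$archive"      # lists https-admin/, https-www/, alias/, httpacl/ only
```

For a package-based install the binaries come back via the Solaris patch backout, so archiving the config, alias and httpacl directories is the part that matters; for a zip install, point the same function at the whole directory or simply tar it up entirely, as the reply says. Check the archive with `tar tzf` before you start the service pack, and keep it somewhere other than the directory you are about to patch.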