
Updating to a more recent build of Tomcat

scurtis-2
1-Visitor

Hello,

We are running Windchill 9.1 M020. This build installs with version 6.0.18 of Tomcat. I need to install a build more recent than 6.0.20 to comply with security requirements. I have downloaded Tomcat 6.0.24 and run the installer over my current Tomcat loadpoint in my test environment. Tomcat starts with no problem and reports that it is build 6.0.24. The Windchill method server starts but reports that the "servlet engine is not responding" after starting. When I try to access Windchill I get a "Service Temporarily Unavailable" message in the web browser. Any thoughts on what additional steps are necessary to get the 6.0.24 build of Tomcat working with Windchill 9.1 M020?

Thanks,

Steve

9 REPLIES 9
jessh
12-Amethyst
(To:scurtis-2)

The only Tomcat supported with Windchill is that delivered with Windchill.

If you need a newer version of Tomcat, then you need to look for a newer
Tomcat version in a Windchill MOR -- or request a newer version of
Tomcat if a recent enough Tomcat is not available in an MOR.

R9.1 M050 (not yet released) contains Tomcat 6.0.20. I'm not sure if
any shipping MORs contain 6.0.20 -- but tech support should be able to
provide this information.

Tomcat 6.0.24 is quite new and has not yet been officially tested with
any version of Windchill.

--
Jess Holle

avillanueva
22-Sapphire II
(To:scurtis-2)

What's the security issue?


Steve,

Jess Holle is correct. The only Tomcat PTC supports is whatever version comes with the ThirdParty application CDs when you download it from ptc.com. What PTC does is customize the Tomcat that comes with the Windchill MOR to work specifically with Windchill. So if you download another version from somewhere else, it isn't going to work, as you have noticed.


Thanks


Alexius C. Chukwuka
IT Analyst, PDP Systems
John Deere Power Systems
Product Engineering Center
*Voice: 319-292-8575
*Mobile: 319-429-5336
*Fax: 319-292-6282
*E-Mail: -

CONFIDENTIALITY. This electronic mail and any files transmitted with it may contain information proprietary to Deere & Company, or one of its subsidiaries or affiliates, and are intended solely for the use of the individual or entity to whom they are addressed, shall be maintained in confidence and not disclosed to third parties without the written consent of the sender. If you are not the intended recipient or the person responsible for delivering the electronic mail to the intended recipient, be advised that you have received this electronic mail in error and that any use, dissemination, forwarding, printing, or copying of this electronic mail is strictly prohibited. If you have received this electronic mail in error, please immediately notify the sender by return mail.


"Multiple Vulnerabilities in Apache Tomcat" - no specifics. Update is being mandated by HQ.

Steve,


I get dinged for this all the time during security audits and they ask me to provide a business justification for the version of Apache/Tomcat running in Windchill. My business justification has always been that I cannot install a version of Apache Tomcat that is not supported by the application vendor (PTC).


Thanks


Alexius C. Chukwuka
IT Analyst, PDP Systems
John Deere Power Systems
Product Engineering Center
*Voice: 319-292-8575
*Mobile: 319-429-5336
*Fax: 319-292-6282
*E-Mail: -



jessh
12-Amethyst
(To:scurtis-2)

I did a little research.

R9.1 M030 and higher contain Tomcat 6.0.20.

Thanks for the feedback everyone. It looks like I will be sticking with this build of Tomcat. By the time build 6.0.21+ is supported there will probably be new vulnerabilities.....the never ending loop.

Unfortunately 6.0.20 is supposedly affected as well. It needs to be a more recent build than 6.0.20.
jessh
12-Amethyst
(To:scurtis-2)

I mis-read your original post. I had thought you were looking for
Tomcat 6.0.20 or higher rather than 6.0.21 or higher.

6.0.21 through 6.0.23 were never publicly released as these attempted
releases all had serious issues.

6.0.24 came out quite recently. If you are sufficiently concerned, then
the move to test and integrate Tomcat 6.0.24 could potentially be
expedited and given a higher priority. I am not aware of any
significant vulnerability that applies to Windchill's use of Tomcat that
is addressed by 6.0.24, though. The only issue I can find is
CVE-2009-3555, which only applies if one is using Tomcat to serve HTTPS
requests directly -- rather than using Apache to do so and having it
delegate to Tomcat. As PTC /only/ supports the Apache+Tomcat
deployment, this does not impact Windchill's use of Tomcat.
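
The exposure condition in the reply above (Tomcat serving HTTPS itself versus sitting behind Apache) can be checked from Tomcat's `conf/server.xml`. The following is an added example, not part of the thread and not PTC code; both sample configurations are constructed, and the AJP detection is a simple heuristic on the `protocol` attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Apache in front, Tomcat reached over AJP plus a
# proxy-aware HTTP connector (scheme/secure set, but no TLS in Tomcat).
APACHE_FRONTED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8080" protocol="HTTP/1.1" scheme="https" secure="true"
               proxyPort="443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed sample: Tomcat terminates TLS itself on 8443.
DIRECT_HTTPS = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""


def classify_connector(conn):
    """Label one <Connector> as direct-tls, ajp or plain-http."""
    protocol = conn.get("protocol", "HTTP/1.1")
    # SSLEnabled is what turns on TLS in the connector; scheme/secure
    # alone only describe how a fronting proxy was reached.
    if conn.get("SSLEnabled", "false").strip().lower() == "true":
        kind = "direct-tls"
    elif "ajp" in protocol.lower():
        kind = "ajp"
    else:
        kind = "plain-http"
    return {"port": conn.get("port"), "protocol": protocol, "kind": kind}


def audit_server_xml(xml_text):
    """Return a classification for every connector in a server.xml."""
    root = ET.fromstring(xml_text)
    return [classify_connector(c) for c in root.iter("Connector")]


def tomcat_terminates_tls(xml_text):
    """True if any connector has Tomcat handling HTTPS directly."""
    return any(f["kind"] == "direct-tls" for f in audit_server_xml(xml_text))


if __name__ == "__main__":
    for name, cfg in (("apache-fronted", APACHE_FRONTED), ("direct", DIRECT_HTTPS)):
        print(name, tomcat_terminates_tls(cfg), audit_server_xml(cfg))
```

A result of `False` supports the kind of written justification auditors ask for; a `direct-tls` connector means the HTTPS-related finding needs to be assessed against Tomcat itself.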
