Installing Sun Patch 4 on a Mobility XE Warehouse

Technical Note 2195

Last Reviewed 21-Mar-2008
Applies to:
Mobility XE server 6.x
Sun Java™ System Directory Server 5.2
 Printer-friendly version

Summary

The Mobility warehouse, which stores Mobility XE configuration settings and client policies, is a Sun Java™ System Directory Server that the Mobility server setup program installs and configures for this purpose. Sun Java™ System Directory Server 5.2 contains a security flaw that can permit an unauthenticated attacker to remotely compromise the Directory server. This security flaw is fixed in "Patch 4" of the directory server; this patch also contains a number of other important fixes by Sun. NetMotion Wireless strongly recommends that customers running Mobility XE server 6.0 and higher apply this patch to all of their Primary and Standby warehouses.

This tech note explains how to apply Patch 4 to the Mobility XE warehouse.

Important: If Patch 4 has already been applied, you should not apply it again. The warehouse that ships with Mobility XE version 7.0 and higher has already had Patch 4 applied.

To determine if Patch 4 has been applied to your warehouse, do the following:

1. Open the Sun ONE Directory Server console: on the Start menu, click Programs | Sun ONE Server Products (or Sun Java™) System Server Products) | Sun ONE Server Console 5.2 (or Sun Java™ System Server Console 5.2). Log on with the user ID and password you created during warehouse setup. The default user ID is admin.

2. On the Servers and Applications tab, expand the tree in the lefthand pane until you see the Directory Server listing.

3. Select (highlight) Directory Server.

4. In the righthand pane, look at the Version: line.

5. A warehouse that has had Sun Patch 4 applied will read "Version:  5.2_Patch_4".

Note: If you are running version 7.20 or higher of the Mobility server, you can determine if your primary warehouse has been patched by clicking on the Warehouse link on the Server Status page of the Mobility Console. To determine if any standby warehouses have been patched, follow the guidelines above.

Planning the Warehouse Patch Process

Depending on the number of Mobility XE servers and warehouses in your pool, applying the warehouse patch may require some user downtime. Use these guidelines to help plan when you will apply the patch. Specific instructions are included in the next section on applying the patch.

Single-Server Mobility Installations

• On machines that are hosting both the Mobility XE server and the warehouse, both of these services must be stopped while applying the warehouse patch, and the machine must be rebooted afterwards. This will disconnect all clients until the patch process is complete.

Multiple-Server Mobility Pools

• If a Mobility XE server is running on the same machine as a Mobility XE warehouse, the Mobility XE service must be stopped during the upgrade process. This will disconnect any users who are currently connected to that server. If you have more than one Mobility XE server in your pool you may want to take the colocated server offline a day or so before you apply the patch, to give users time to migrate to the other server. See the Server Status page of the Mobility Console for taking a server offline.
• If you have one or more Standby warehouses in addition to your Primary warehouse, you should patch the Standby(s) first, then the Primary. While you are patching the Primary warehouse, any Mobility XE servers that are still online will failover to the Standby warehouse as needed.
• If you only have a Primary warehouse, any non-colocated Mobility XE servers in your pool will be unable to accept new client connections during the patching process (because the warehouse service will be stopped), but existing client connections will continue to operate normally.

Patching the Warehouse

Follow these instructions closely, as an incorrectly patched warehouse may cease to function properly.

1. Download the patch

Patch 4 for the Sun Java™ Directory Server is available from the NetMotion Wireless web site, to registered users only. To download the patch, point your browser to the Downloads page and log in with your registered email address. Locate the NetMotion Mobility XE 6.70 section of the page, and check the box marked "For Windows 2000/2003 Server - Important: Sun Patch 4 on a Mobility Warehouse". Click "Submit" and follow the instructions to download 117667-03.zip.

2. Back up your Mobility Data

Before you apply the Sun patch you must back up the warehouse data by following tech note 2129.

3. Modify the Registry on your Mobility XE Servers

A small modification must be made in the registry of each of your Mobility XE server(s), to enable them to communicate with the patched warehouse. This change does not need to be made on the Mobility warehouse machine unless it is colocated with a Mobility XE server. This change does not require the Mobility servers to be rebooted, and it will not affect currently connected clients. The modified value is backwards-compatible with the unpatched warehouse, so you will not need to back out this change if for some reason you decide not to proceed with patching the warehouse at this time.

The steps for manually making the registry change are below, or you can just download and apply this reg file: nms_Sun_LDAP.reg

1. Run the Windows Registry Editor (RegEdit.exe or RegEdt32.exe) and open the following subkey:

   HKEY_LOCAL_MACHINE\SOFTWARE\NetMotion\Mobility Server\MMS\Settings

2. Create a new String value named CompatibleLDAPDirectory with a value of Sun.

4. Apply the patch to the warehouse

Follow these instructions exactly and completely for each of your Mobility warehouses. See the Sample Output and Troubleshooting sections at the end of this technote if you run into problems.

1. Log in to Windows on the Mobility warehouse as an administrator.

2. Close all Sun administrative consoles, if any are currently open.

3. If a Mobility XE server is running on this machine, stop the service NetMotion Control (Control Panel -> Administrative Tools -> Services -> select NetMotion Control -> select Stop). This will disconnect any clients that are currently connected to this Mobility server.

4. Create the directory c:\SUNPATCH (this directory cannot have a space in its path name or the scripts will fail).

5. Copy the 117667-03.zip file into c:\SUNPATCH and unzip it. A folder called 117667-03 will be created.

6. In the 117667-03 folder, unzip the file patchzip-d52diu.zip.

7. Open a DOS box and change to the folder:

   CD C:\SUNPATCH\117667-03\

8. Verify the directory the warehouse is installed in by looking on your warehouse for the directory containing the file startconsole.exe. The default is "C:\Program Files\Sun\MPS". This directory will be used in the next step as the parameter <sun_install_path>. It is important that this parameter be correct.

   Here are further instructions for determining the Sun install directory if you are unable to locate startconsole.exe.

9. From the C:\SUNPATCH\117667-03\ folder, enter this command:

   lib\nsPerl5.005_03\bin\MSWin32-x86\perl.exe upgrade.pl <sun_install_path> <sun_admin_username> <sun_admin_password>

   where

   • Any of the above parameters containing a space must be enclosed in quotes (e.g. "C:\Program Files\Sun\MPS")
   • <sun_install_path> is the value from step 8 above.
   • <sun_admin_username> and <sun_admin_password> are the warehouse credentials that were entered when you originally installed the warehouse. The default username is "admin". If you do not know the username or password do not proceed with the patch. If you are unsure of the username or password you can attempt to log into the "Sun ONE Server console" (under Start -> Programs -> Sun ONE Server Products) until you figure them out, but remember to shut down the Sun console before proceeding with the patch.

   For example:

   lib\nsPerl5.005_03\bin\MSWin32-x86\perl.exe upgrade.pl "C:\Program Files\SUN\MPS" Admin 70CreEK

   The Sun services should stop, the patch will be applied, and the Sun services should be automatically restarted. If you see any errors, or if your output differs dramatically from that in the Sample Output, see Troubleshooting.

10. Once the patch is applied, reboot the Mobility warehouse. You may delete the c:\SUNPATCH\ folder if desired.

11. Perform the procedure in tech note 2209 to repair a memory leak in the warehouse.

12. Perform the procedure in tech note 2224 to optimize warehouse performance.

Sample Output - Expected Results

Below is example output from successfully installing the patch.

Troubleshooting

When applying the patch you might see one of the following problems:

• "error: cannot delete old filename"

  If you see a large number of these errors, look for a message towards the beginning of the script output about whether or not the "stop-admin" file was found ("'.\stop-admin' is not recognized as an internal or external command"). If so, see the appropriate bullet below for troubleshooting that error.

  If the script found the Sun services and stopped them, and you just see one or two errors about not being able to delete a dll, it typically means that another service or process has the dll in use. You will need to identify the problem service using a 3rd-party tool such as Process Explorer (or see the table of known conflicts below), then stop the offending service. You may then immediately re-run the Sun patch script to continue (it may say that it can't stop the Sun services because they're already stopped, but that's ok).

  See below for sample output of this error.

  Services that have been seen to prevent dlls from being removed are:

  Cannot delete this file...	Check this service...
  nsldap32v50.dll or sasl32.dll	NetMotion Control
  ns-ldapagt.dll	SNMP
  messages.dll	Windows Management Instrumentation (WMI)

• "'.\stop-admin' is not recognized as an internal or external command"

  This message, followed by a number of errors about deleting dlls, is typically caused by an incorrect path to the Sun install directory being entered on the command line in step 9. Verify the Sun install location and run the script again with the correct path.

  See below for sample output of this error.

• "Server has detected a disorderly shutdown or a change in cache size.
Recovery phase is starting, this may take a while..."

  This message can be ignored, as long as the rest of the patch process completes without errors.

• "The Sun ONE Directory Server 5.2 (ericm-2003) service is not started."

  This message can be ignored, as long as the rest of the patch process completes without errors. Its common to see this message when rerunning the patch after an error, since the service is already stopped.

Sample Output - Errors

Following are some common error situations and the script output associated with them.

DLL in use

For this problem, the SNMP Service was the process with ns-ldapagt.dll in use. After stopping SNMP the script was rerun without problems.

Incorrect path to Sun install directory

In this case, the script was looking for the file stop-admin.bat, but it wasn't found because the Warehouse wasn't installed in the given directory.

Related Information

Please comment on this technical note.