Hornbill Core Services Version 3.1.3 Release Notes

Introduction

Welcome to the Core Services Version 3.1.3 maintenance release, which is a minor upgrade focussing on Web-server security. Whatever version of Supportworks ESP you may be running, you will benefit from the extra security advantages offered by an upgrade to this release of Core Services.

When upgrading this software package from any previous release, you simply install the new version directly over that previous version. Be aware that the upgrade will automatically back up your existing Apache configuration file (httpd.conf) and install a new one in its place. Therefore, if you have customised your configuration, you will need to migrate those changes from the backup into the new httpd.conf file. Remember that any changes you make to the httpd.conf file will require a restart of the SwHttpServer service.

As always, if you encounter any problems or would like to ask questions about your specific installation before or after upgrading, please contact Hornbill's Technical Support Team on +44 208 582 8228 or by e-mail at support@hornbill.com.

NOTE ABOUT MULTIPLE PHP INSTALLATIONS: Problems have been encountered with conflicts between Core Services and independent installations of PHP (PHP 5 in particular). In one case, this was because PHP 5 was in the directory path given by the %path% environment variable, and therefore the Core Services version of PHP may have used some of the files in this path. For this reason, it is not recommended to have separate versions of PHP installed on the same server as Core Services. This should be a consideration when diagnosing problems relating to the display of PHP pages in Web browsers or the Supportworks client.

IMPORTANT NOTE ABOUT BACKUPS: Before applying any upgrade to your live system, please ensure that you have a full backup of your Core Services, complete with database.

WARNING ABOUT EX-CONTRACT UPGRADES: If you attempt to apply this upgrade to a system and you do not have a current Supportworks or Assetworks support/maintenance contract, the upgraded system may fail to operate after the installation is complete and it would be your responsibility to restore your previous installation from your backup. Check that you have a valid support/maintenance contract before applying this upgrade.

Important Windows Requirement Pertaining to this Release

In order to be able to run the SwHttpServer service (specifically, its php4apache2 module), the Microsoft Windows run-time "side-by-side" executable MSVCR80.dll is required. This has been shipped in most versions of the Windows operating system (and other Windows components since Windows 2000), but not in a minimal install of Windows 2003 R2.

You can check for the presence of this DLL either before you install/upgrade Core Services, or afterwards should you encounter an error that may be due to its absence. If you are upgrading from version 3.1.2, the DLL will already exist on your system.

To check for the DLL prior to installation or upgrade, you can search for "MSVCR80.dll" within the Windows\WinSxS folder. (Note that, depending on the Windows version and your installed software, it is possible for multiple instances/versions of the DLL to exist, but this would not matter - you only need to ensure that you have at least one.)

After the installation or upgrade, if SwHttpServer fails to start because of the DLL's absence, you would see an error entry in the Windows System event log whose description reads "Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system".

If you find that the DLL is not present, you should install it. The required Microsoft distribution package is located here:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5638

It can be installed without the need for a reboot.

Further information on Windows side-by-side assemblies and WinSxS can be found at the following locations:

http://msdn.microsoft.com/en-us/library/aa376307%28VS.85%29.aspx
http://omnicognate.wordpress.com/2009/10/05/winsxs/

New and Improved in Version 3.1.3

Apache HTTP Server (SwHttpServer) Upgraded to Version 2.2.22 with OpenSSL Version 0.9.8t

This release of Core Services includes the latest compatible versions of Apache (2.2.22) and OpenSSL (0.9.8t) at the time of release. The versions of PHP and MySQL remain unchanged from Core Services 3.1.2.

Apache Version 2.2.22 is mainly a security and bug-fix update. For full details, please visit:

http://www.apache.org/dist/httpd/Announcement2.2.html

Fixed in Version 3.1.3

  • F86948 - The first 200 lines of php.ini (in C:\Program Files\Hornbill\Core Services\SwHttpServer\bin) were duplicated following the upgrade to Version 3.1.2 of Core Services. If you are upgrading to Version 3.1.3 from that version, you should delete that file before the upgrade, and you will then have an uncorrupted copy.

New and Improved in Version 3.1.2

Apache HTTP Server (SwHttpServer) Upgraded to Version 2.2.21 with OpenSSL Version 0.9.8r

This release of Core Services includes the latest compatible versions of Apache (2.2.21) and OpenSSL (0.9.8r) at the time of release. The versions of PHP and MySQL remain unchanged from Core Services 3.1.1.

Apache Version 2.2.21 is mainly a security and bug-fix update.

Apache HTTP Server Hardening Configuration Settings Applied

Certain elements of server hardening, from among those suggested in the FAQ entitled "Apache Web Server Hardening", have been incorporated into the Apache server's configuration file (httpd.conf). The three elements concerned are as follows:

  • Limiting Disclosure of Header/Footer Information
  • Avoiding Disclosure of Internal IP Addresses
  • Disabling HTTP Track/Trace

We have included these security settings in the default configuration as they are universally applicable irrespective of your particular environment. If you wish to further harden your Apache server, you are advised to follow some of the other recommendations given in the FAQ mentioned above. This FAQ is available from the Hornbill SelfService website:

http://hsml.myservicedesk.com/selfservice/
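
The following check is an added example, not Hornbill's code or shipped configuration: it scans an httpd.conf for weak or missing values of the three hardening elements listed above, which is useful after migrating customisations into a new httpd.conf. The release notes do not name the directives, so the mapping to ServerTokens/ServerSignature, ServerName and TraceEnable is an assumption, as are the names audit_httpd_conf and SAMPLE_CONF.

```python
import ipaddress

def _names_host(value):
    """True if a ServerName value is a DNS name rather than an IP literal."""
    host = value.split("://")[-1]
    host = host[1:].split("]")[0] if host.startswith("[") else host.split(":")[0]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True
    return False

# Assumed mapping of the three hardening elements to stock Apache 2.2
# directives: name -> (built-in default when absent, "is hardened" test).
CHECKS = {
    "servertokens": ("Full", lambda v: v.lower() in ("prod", "productonly")),
    "serversignature": ("Off", lambda v: v.lower() == "off"),
    "traceenable": ("on", lambda v: v.lower() == "off"),
    "servername": (None, _names_host),
}

def audit_httpd_conf(text):
    """Return {directive: [problem, ...]}; any weak occurrence is a finding."""
    seen = {name: [] for name in CHECKS}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in seen:
            seen[parts[0].lower()].append((lineno, parts[1].strip().strip('"')))
    findings = {}
    for name, (default, hardened) in CHECKS.items():
        values = seen[name] or [(0, default)]
        bad = [f"line {n}: {v}" if n
               else f"not set (built-in default: {v or 'reverse DNS lookup'})"
               for n, v in values if v is None or not hardened(v)]
        if bad:
            findings[name] = bad
    return findings

# Constructed sample, not Hornbill's shipped httpd.conf.
SAMPLE_CONF = """\
ServerName 192.168.10.5:80
ServerTokens Prod
ServerSignature Off
<VirtualHost *:443>
    ServerName helpdesk.example.com
    ServerSignature On
</VirtualHost>
"""
print(audit_httpd_conf(SAMPLE_CONF))
```

Occurrences inside <VirtualHost> sections are checked as well, so a single weak override is reported even when the server-wide value is hardened.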

For added security, you should consider replacing the self-signed certificate included in this release with one purchased from a recognised certificate authority (CA). In addition, you should use the Analyst Portal, Web SelfService (and Web Client, if you are on Supportworks 7.5 and above) over SSL.

Fixed in Version 3.1.2

Nothing.

New and Improved in Version 3.1.1

Nothing. The sole purpose of this patch release was to resolve some issues with Version 3.1.0 and with the installation of the software (as described below). However, please note the following component updates:

Apache HTTP Server (SwHttpServer) has been upgraded to Version 2.0.63

PHP has been upgraded to Version 4.4.9

Fixed in Version 3.1.1

  • F66198 - The system ID needed to license Core Services/Supportworks would be generated inconsistently on Windows Vista machines.
  • F71807 - An error would be displayed on installing Supportworks 7.3.7 on Windows 2000 SP 4.
  • F72507 - The Export Resultset function of the Supportworks SQL Query tool would fail to export columns correctly.
  • F72508 - Any queries, launched using the Supportworks SQL Query tool, that gave rise to very long result values would cause the tool to crash.

New and Improved in Version 3.1.0

Hornbill Core Services Admin Service

We have developed, as part of Core Services, a new Windows NT service called SwAdminService. In the future, this will replace a number of server-side utilities and their respective GUIs with a unified Web-browser-based server administration facility, thus simplifying the development cycles of any required server-side administration functions.

XSLT Functionality Enabled

On new installations only, php_xslt has been enabled, allowing XSLT to be used from within PHP. This will support server-side data transformations in the future, used for printing, document merging and other general data-transformation tasks.

PHP XML_DOM Support

We are now preconfiguring the supplied PHP extension DLL (php_domxml.dll) so that it is ready for use.

SSPI Support

We are now supplying, as part of Core Services, the module mod_auth_sspi, and have set up the Apache server to enable it. This module allows the configuration of pass-through logins in a Microsoft environment (NTLM authentication).

"Magic Quotes" PHP Directives Disabled

We have now disabled magic quotes by default in the php.ini file as follows:

magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

These settings turn off some rather undesirable behaviour in PHP. Any backslash escapes required in the PHP code should instead be implemented at the relevant points using addslashes(). The active pages in Supportworks that used to depend on the magic quotes directives being enabled have all since been modified and no longer need these settings to be on.
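
The following check is an added example, not Hornbill's code: it reads a php.ini, reports which magic quotes directives are effectively enabled (a directive missing from the file falls back to PHP's built-in default, which is on for magic_quotes_gpc in PHP 4), and lists directives set more than once, as a heuristic for the duplicated php.ini block described under F86948. The names audit_php_ini, parse_php_ini and SAMPLE_INI are assumptions, and the sample file is constructed.

```python
import re

# PHP 4 built-in defaults, used when a directive is absent from php.ini.
DEFAULTS = {"magic_quotes_gpc": "1", "magic_quotes_runtime": "0",
            "magic_quotes_sybase": "0"}
FALSY = {"", "0", "off", "false", "no", "none"}
MULTI = {"extension", "zend_extension"}   # keys that legitimately repeat

def parse_php_ini(text):
    """Return (effective, repeated): last-wins values, and keys set twice or more."""
    effective, where = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Simplification: every ';' is treated as a comment start, even in quotes.
        match = re.match(r"\s*([\w.]+)\s*=\s*([^;]*)", raw)
        if match:   # skips blank lines, comment lines and [section] headers
            key, value = match.group(1), match.group(2).strip().strip('"')
            effective[key] = value            # a later line overrides an earlier one
            where.setdefault(key, []).append(lineno)
    repeated = {k: v for k, v in where.items() if len(v) > 1 and k not in MULTI}
    return effective, repeated

def audit_php_ini(text):
    """Report enabled magic quotes directives and repeated keys."""
    effective, repeated = parse_php_ini(text)
    enabled = [name for name, default in DEFAULTS.items()
               if effective.get(name, default).lower() not in FALSY]
    return {"magic_quotes_enabled": enabled, "repeated": repeated}

# Constructed sample, not Hornbill's shipped php.ini: the leading block
# appears twice and magic_quotes_gpc is missing altogether.
SAMPLE_INI = """\
[PHP]
engine = On
magic_quotes_runtime = Off
[PHP]
engine = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off ; trailing comment
extension=php_domxml.dll
extension=php_xslt.dll
"""
print(audit_php_ini(SAMPLE_INI))
```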

Fixed in Version 3.1.0

  • F53851 - The openssl.cnf file included in the Core Services Version 3.0.0/3.0.1 release had a default password specified, which meant that it did not initially request a password during the generation of new SSL keys. This would cause confusion when the password is requested later on in the process. The openssl.cnf file will NOT be overwritten as part of the Core Services upgrade from Version 3.0.0/3.0.1 to this version because you may have modified this and we do not want to overwrite your changes. If the fix needs to be applied to an existing installation of Version 3.0.0/3.0.1, the new openssl.cnf file can be obtained from the Hornbill forum in the Core Services section and used to overwrite the local copy. This fix will only be required if you need to generate your own SSL keys using the Core Services distribution.
  • F53909 - Chart Director was not getting properly upgraded as part of the Core Services upgrade process, which meant that graphs would not be displayed properly in reports and on the Supportworks active pages. Chart Director has now been upgraded to Version 4.1, which resolved the upgrade problems.

New and Improved in Version 3.0.1

Nothing. The sole purpose of this release was to resolve some issues with the installation of Version 3.0.0 (as described below).

Fixed in Version 3.0.1

Fixes have been implemented in Version 3.0.1 for the following problems:

  • There were some issues with SSL files not being correctly installed.
  • There were some problems where the Services page on the installer would hang depending upon differing states of the services it encountered. For example, it would hang if the HTTP service was not started when the upgrade was run.
  • The example SSL keys for the HTTP service lasted only ten days. These have been updated to last until 2010. Nevertheless, to maintain security, you should create your own keys as soon as possible after installing.
  • The SSL virtual host configuration was not preconfigured for use on a clean installation.
  • The configuration in the php.ini file for the Zend Optimizer was not getting properly upgraded, which resulted in jumbled active PHP pages appearing in the client.

New and Improved in Version 3.0.0

Apache HTTP Server (SwHttpServer) has been upgraded to Version 2.0.59
This is mainly a security update. For full details, please visit:
http://www.apache.org/dist/httpd/Announcement2.0.html

PHP has been upgraded to Version 4.4.4
This is mainly a security update. For full details, please visit:
http://www.php.net/ChangeLog-4.php

Zend Optimizer has been upgraded to Version 3.0.1
This was upgraded to fully support PHP Versions 4.4.x. For full details, please visit:
http://www.zend.com/products/zend_optimizer

OpenSSL Version 0.9.8d support has been added
This is now configured to work with Apache out of the box on a fresh installation but, because we do not want the upgrade to overwrite any modifications that you may have made to your existing installation, a small amount of manual modification will need to be done to the Apache configuration file to enable this support when you upgrade from previous versions of Core Services. Details of this manual modification can be found in an FAQ entitled "SSL Support" in the Hornbill Support Forum (under Hornbill Core Services).

The Supportworks PHP extension DLL
This has been extended to allow us to support formatted date/time fields for all internationalisations in the Supportworks active pages.

Hornbill Core Services Release History

Version   Release Date
3.1.2     05 December 2011
3.1.1     16 February 2009
3.1.0     03 July 2007
3.0.1     23 January 2007
3.0.0     04 January 2007