Hello there and welcome to today's blog post. We'd like to inform our customer base and my fellow technical staff about something that perhaps lacks clarity to some extent.
I'll break the points I need to get across into three sections.
1. Atrium Single Sign On (ASSO) installation on a bundled Tomcat.
Historically we've always recommended using the bundled Tomcat when installing BMC products. My personal understanding of this is that we have coded the features using that instance with a specific version of Java, and hence trying to maintain that set together as one deployment makes sense. 10 years ago that would have been OK and somewhat expected. But things are changing rapidly and the software community has grown to a sizable workforce.
Having more people collaborate on a platform also helps us to find more vulnerabilities more quickly. Over the last 10 years we, the software community, have identified more sensitive areas than in the previous decades. That means that software vendors have to keep up with these flaws, correct the code, and hence release fixes and patches more often. This of course means that our approach to installing with bundled software packages has been met with new compatibility challenges. The bundle becomes obsolete if new fixes cannot be applied to it.
ASSO is one of the products where an external (also known as existing) Apache Tomcat can be utilized. This gives our customers the ability to maintain fixes and adhere to their IT Department's security policies by subscribing to patches provided directly by the vendor. It should be implied that vulnerabilities of Tomcat are not vulnerabilities of our products, and maintaining up-to-date fixes really is best handled by the software vendor.
2. Remedy Single Sign On (RSSO) installation on an existing Tomcat.
RSSO does not even consider bundling Tomcat with the installer. Based on what is true in section 1, we've already realized that this is the way to do it. Although you will still see Tomcat bundled with Atrium Web Services (AWS), the future of our product installers will likely follow a separate path and hence put control of installing it back in the hands of IT Departments.
In doing so, IT Departments can maintain a Product Catalog and predict deployments by a controlled version release and patch maintenance. This is ideal.
3. Authentication of products using SSO
The above two points outline the differences between the two SSO technologies and what platform they would run on. However, there is a third aspect of this topic, and that is the compatibility between the two. ASSO is now becoming an interim legacy product and BMC's future for SSO is in RSSO. That is a clear path forward. However, we're not ready to cut over to it just yet.
Some of our products are in line to be integrated with RSSO while still operating under the ASSO flag. These products are getting attention so that they can integrate with RSSO.
One of these products is TrueSight 10. As of now TS10 can only be authenticated by ASSO, but the future is already laid out for this product. It will integrate with RSSO, and when that happens ASSO will likely become an obsolete product.
A) For RSSO, what this means for you is that, for now, the cutover can be planned but not realized until the RSSO agent is built. Meanwhile, as new threats and vulnerabilities are discovered, if you are using RSSO on your already installed Tomcat, please make sure that your Tomcat software is updated as recommended by the Apache Tomcat software vendor. There is no impact on RSSO as of now, Aug 2017. Oracle's Java is already applying Java updates via agents installed on the hosted endpoints. We're not sure how Apache will solve their future updates, so your IT Department is your best line of defense. RSSO provides, and hopefully meets, your needs for user authentication, but when it comes to patching Tomcat, please make sure to keep up with the software vendor.
B) For questions about patching the Apache Tomcat bundled with ASSO, please check with BMC support for compatibility issues with new Tomcat releases. For now, do not upgrade the ASSO Tomcat. Instead, ask BMC AtriumCore support to create an escalation with development.