In what rhythm do you update the embedded Tomcat - currently outdated

Stefan Hall shared this idea 20 months ago
Idea Logged

Hi,

with the 9.8.0 release, I was happy to see that the embedded Tomcat was almost up to date (9.0.68). Our security team was very excited.
However, that has since changed. 6 months later, it is still the now outdated version 9.0.68. Security-wise, this is no longer permissible for us and we have a problem.

You don't support an own Tomcat, but you don't manage to keep the Tomcat halfway up to date - lose-lose for us as customers.

I have set up YF with my own Tomcat, actually no big deal and it works fine. You only have to put the war file into your own Tomcat and YF installs itself and works. Unfortunately, your update idea doesn't fit the war-file idea, because during the update you replace single files instead of delivering a new war-file.

What can I do to meet the security requirements or when is a new TC coming from you?

;) Stefan

Replies (2)


Hi Stefan,

Thanks for your question. Tomcat releases do come with full installs of Yellowfin but Yellowfin upgrades don't patch the currently installed version of Tomcat.

I'm glad you were able to set up Yellowfin with your own Tomcat. If you want to upgrade your current install, we have a KB article on upgrading Tomcat here:

https://community.yellowfinbi.com/knowledge-base/article/how-to-upgrade-tomcat

If you'd like to ensure that a new version of Tomcat comes with the next version of Yellowfin, I can put in a request with the developer team to look into it.

Kind regards,

Chris


Hi Stefan,

Let me know if there's anything else on this topic you'd like to cover. I'll keep this open for a few more days until I hear from you.

Kind regards,

Chris


Hi Chris,
that's ... strange.
You deliver an embedded Tomcat at the first installation, ignore the basic design and change oob files instead of using e.g. the configuration via the setenv file, work with tomcat_home instead of tomcat_base and then don't care about the TC updates...!

If you set up and use TC as designed you can change the TC version up and down in less than 1 minute. With YF it is kind of tinkered. Sorry for my assessment, but I don't know such a procedure yet.

Either a separate Tomcat or the publisher takes care of the updates. Elsewhere you wrote: an own Tomcat is not supported.

Let's set up a clean installation, where every customer can update his TC in less than 1 minute. I think everyone would benefit from that. Alternatively, you could simply deliver new war-files with your updates and there would be no discussion at all.

What do you think?

;) Stefan


Hi Stefan,

That's certainly a good idea! I'll raise it as an enhancement request with the development team. We could see some changes due to your feedback and either include a Tomcat updater or ship new WAR files.

Kind regards,

Chris


Hi Chris,

I don't have any experience with enhancements yet. I hope that these will also be implemented in a timely manner, especially if they have an impact on safety aspects and contribute greatly to process reliability.

Thanks for your support

;) Stefan


Hi Stefan,

No problem at all, I'll pass your feedback on to the dev team. In the meantime, I'll move this ticket to Idea Logged.

Also, just to let you know, Tomcat will go from 9.0.68 to 9.0.73 in Yellowfin 9.9.

Kind regards,

Chris
