
Reverting to Apache Solr After Updating to ElasticSearch (Windows and LINUX)

IMPORTANT: It is advised to update to 22.3.0 so the customer has the capability of doing a backup, then proceed with the update to the version which uses Elasticsearch.

Preface: It is not advised to revert to a version using Apache Solr unless necessary. It is safer to do a fresh install if possible.

WARNING: You must revert to the SAME EXACT VERSION, because enterprise-holodeck has the same front-end files for that version!


WINDOWS:

1.) Stop services before proceeding.
net stop enterprise-apache
net stop enterprise-elasticsearch
net stop enterprise-datarolloff
net stop enterprise-sendemail
net stop enterprise-importer
net stop enterprise-webservice

2.) Remove Elasticsearch.
In PowerShell:
cd "C:\Program Files\exacqVision\EnterpriseManager\elasticsearch\bin\"
PS C:\Program Files\exacqVision\EnterpriseManager\elasticsearch\bin> .\elasticsearch-service-enterprise-remove.bat
WARNING: CHECK THAT THE SERVICE ‘enterprise-elasticsearch’ HAS BEEN REMOVED BEFORE PROCEEDING.
In PowerShell type:
Get-Service -Name enterprise-elasticsearch
You should see the output ‘Get-Service : Cannot find any service with service name ‘enterprise-elasticsearch’.’

cd "C:\Program Files\exacqVision\EnterpriseManager"
PS C:\Program Files\exacqVision\EnterpriseManager> rm elasticsearch

3.) Uninstall Apache.
In PowerShell as admin go to:
C:\Program Files\exacqVision\EnterpriseManager\apache\bin>
Type: .\httpd.exe -k uninstall -n enterprise-apache
Check that the service ‘enterprise-apache’ has been removed before proceeding.

4.) Backup Apache.

In PowerShell go to:
C:\Program Files\exacqVision\EnterpriseManager>
Type: mv apache ..\es_apache.old

5.) Revert MediaRoot and StaticRoot with the following.

In PowerShell CD into .\EnterpriseSystemManager\
Type: .\installer.exe decrypt

To edit the file with notepad run the following commands:
From EnterpriseSystemManager Type:
notepad.exe EnterpriseSystemManager.tmp

You will see something similar in notepad at first.

ONLY CHANGE THE FOLLOWING ITEMS with a text editor.
WARNING: Make sure the paths MATCH EXACTLY, including forward and backward slashes:
MediaRoot=C:\Program Files\exacqVision\EnterpriseManager/apache_solr/apache2/htdocs/media
StaticRoot=C:\Program Files\exacqVision\EnterpriseManager/apache_solr/apache2/htdocs/static

Example:

In PowerShell Type:
.\installer.exe encrypt

Now Type:
del EnterpriseSystemManager.tmp




6.) Rename apache_solr-<timestamp>.old.
In PowerShell as Admin go to:
C:\Program Files\exacqVision\EnterpriseManager>
Type: Rename-Item .\apache_solr-20220405160617.old\ .\apache_solr

7.) Remove EM_Documentation.txt.
CD into C:\Program Files\exacqVision\EnterpriseManager>
Type: del .\EM_Documentation.txt

8.) Run an update to the old version.
IMPORTANT: At this point we will run the SAME EXACT VERSION of the installer we migrated from!
WARNING: Make sure folders, shells, notepad.exe etc. are closed that are referencing anything inside the EM install directory!
WARNING: You must NOT have an ‘apache_solr.old’ folder in the directory.
CRITICAL: Run the installer outside of EM. When prompted, YOU MUST CHECK the optional update ‘Apache Solr 7.5.0’!

9.) Restore all htdocs installers.
PowerShell into:
cd "C:\Program Files\exacqVision"
PS C:\Program Files\exacqVision> cp .\es_apache.old\htdocs\media\installers\*.exe .\EnterpriseManager\apache_solr\apache2\htdocs\media\installers\
Note: This will load the files from step 4 to make sure everything matches.

10.) Clean up firewall rules.
Delete inbound firewall rule with name ‘exacqVision Enterprise Manager Apache’.

11.) Confirm downgrade is functional.
a.) Navigate to 127.0.0.1:8983; it should open the Apache Solr management portal.
b.) Confirm the following rules exist.
solrApache
solrJetty
c.) Navigate to {EM_HOST}:{EM_PORT} and log in to EM.

12.) Load domain users into Apache Solr.
Navigate to {EM_HOST}:{EM_PORT} and log in to EM.
Go to the sidebar and click ‘Domain’.
If a domain is being used, click ‘refresh now’. This will load domain users back into Apache Solr.


LINUX:
RESTORE ELASTICSEARCH -> APACHE SOLR (Ubuntu):

Preface: It is not advised to revert to a version using Apache Solr unless necessary.
WARNING: You must revert to the SAME EXACT VERSION, because enterprise-holodeck has the same front-end for that version!

1.) Stop services before proceeding.
sudo systemctl stop enterprise-elasticsearch
sudo systemctl stop enterprise-datarolloff
sudo systemctl stop enterprise-sendemail
sudo systemctl stop enterprise-importer
sudo systemctl stop enterprise-webservice
Note: Stopping enterprise-webservice will also stop the Apache service.

2.) Remove Elasticsearch.
sudo update-rc.d enterprise-elasticsearch remove
sudo rm /etc/init.d/enterprise-elasticsearch
exacqu@ubuntu:/usr/local/exacq/esm$ sudo rm -rf ./elasticsearch

3.) Backup Apache.
Note: Apache in Ubuntu does not have any files configured outside of the Apache directory.
Create a manual backup of Apache for later and move it outside of the esm directory.
sudo mv /usr/local/exacq/esm/apache /usr/local/exacq/es_apache.old

4.) Reload services for systemctl.
sudo systemctl daemon-reload
sudo systemctl status enterprise-elasticsearch
You should see output ‘Unit enterprise-elasticsearch.service could not be found’.


5.) Revert MediaRoot and StaticRoot.
cd /usr/local/exacq/esm
exacqu@ubuntu:/usr/local/exacq/esm$ ./installer decrypt

exacqu@ubuntu:/usr/local/exacq/esm$ sudo gedit EnterpriseSystemManager.tmp
WARNING: Make sure the paths use forward slashes only!
MediaRoot=/usr/local/exacq/esm/apache_solr/apache2/htdocs/media
StaticRoot=/usr/local/exacq/esm/apache_solr/apache2/htdocs/static
exacqu@ubuntu:/usr/local/exacq/esm$ ./installer encrypt
exacqu@ubuntu:/usr/local/exacq/esm$ sudo rm EnterpriseSystemManager.tmp

6.) Rename apache_solr-<timestamp>.old.
cd /usr/local/exacq/esm
exacqu@ubuntu:/usr/local/exacq/esm$ sudo mv apache_solr-<timestamp>.old apache_solr

7.) Run an update to the old version.

IMPORTANT: At this point we will run the SAME EXACT VERSION of the installer we migrated from!
WARNING: You must NOT have an ‘apache_solr.old’ folder in the directory.

CRITICAL: The installer MUST NOT BE run in silent mode since silent mode WILL NOT PROMPT for the optional updates!
CRITICAL: Run the installer outside of EM. When prompted, YOU MUST CHECK the optional update ‘Apache Solr 7.5.0’!


sudo dpkg -i exacqVisionEnterpriseManager_XX.XX.X_x64.deb

8.) Restore all htdocs installers.
sudo cp /usr/local/exacq/es_apache.old/htdocs/media/installers/*.deb /usr/local/exacq/esm/apache_solr/apache2/htdocs/media/installers/

9.) Confirm downgrade is functional.
a.) Navigate to 127.0.0.1:8983; it should open the Apache Solr management portal.
b.) Firewall rules must be applied for the Apache Solr management portal.
sudo iptables -S

Confirm the following rules exist:
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8983 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8983 -j DROP

c.) Navigate to {EM_HOST}:{EM_PORT} and log in to EM.

10.) Load domain users into Apache Solr.
Navigate to {EM_HOST}:{EM_PORT} and log in to EM.
Go to the sidebar and click ‘Domain’.
If a domain is being used, click ‘refresh now’. This will load domain users back into Apache Solr.
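
Added example, not part of the original article or of exacq's tooling: a shell check for Linux step 9 b.) that reads `iptables -S` output and confirms that the loopback ACCEPT for port 8983 comes before the DROP, since rule order decides whether the Solr portal is reachable from other hosts. The function name, verdict strings and sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): audit `iptables -S` output for the two
# port-8983 rules from step 9. iptables stops at the first matching
# ACCEPT/DROP rule, so the loopback ACCEPT must come before the DROP.
# Out of scope: ACCEPT rules without --dport, multiport, chain policy.

check_solr_rules() {
  # stdin: `iptables -S` text; $1: port (default 8983).
  # Prints ok | exposed | missing-drop | wrong-order | missing-accept.
  awk -v port="${1:-8983}" '
    $1 != "-A" || $2 != "INPUT" { next }
    {
      dport = ""; src = ""; target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        else if ($i == "-s") src = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      if (dport != port) next
      loopback = (src ~ /^127\./)
      if (target == "DROP" || target == "REJECT") {
        blocked = 1
      } else if (target == "ACCEPT" && !blocked) {
        if (loopback) ok_accept = 1
        else open = 1            # non-loopback ACCEPT ahead of the DROP
      } else if (target == "ACCEPT" && loopback) {
        late_accept = 1          # loopback ACCEPT that the DROP shadows
      }
    }
    END {
      if (open)             v = "exposed"
      else if (!blocked)    v = "missing-drop"
      else if (ok_accept)   v = "ok"
      else if (late_accept) v = "wrong-order"
      else                  v = "missing-accept"
      print v
      exit (v == "ok" ? 0 : 1)
    }'
}

# Constructed sample rule sets, not captured from a real system.
GOOD='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8983 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8983 -j DROP'
REVERSED='-A INPUT -p tcp -m tcp --dport 8983 -j DROP
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8983 -j ACCEPT'
OPEN='-A INPUT -p tcp -m tcp --dport 8983 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8983 -j DROP'

for rules in "$GOOD" "$REVERSED" "$OPEN"; do
  printf '%s\n' "$rules" | check_solr_rules || true
done
# Live use: sudo iptables -S | check_solr_rules
```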


https://trac.exacq.com/DVR/ticket/21185


Updating Apache and Apache Solr on exacqVision Enterprise Manager – Windows

To mitigate currently known vulnerabilities, the following updates are recommended: Apache to 2.4.51, Apache Solr to 7.5.0 and exacqVision Enterprise Manager (EM) to 21.12.1 or higher.

Note: Updates for both Apache and Apache Solr are available as part of the EM install package for version 21.09 and higher. However, updating to EM versions 21.12 or higher is recommended as this will also address the Log4j vulnerability.

WARNING: You must update EM manually, i.e. download from our site and then launch the installer directly. The optional updates will not be prompted for if any other update method is used. Once the updates are in place, future updates can be launched from the dashboard.

ALERT: If previous modifications have been made to the default configuration settings, such as adding a certificate and key for SSL, they will need to be reapplied. See the Recover custom settings section below.

Determine the current version of Apache

  • Open an administrative Command Prompt
  • Navigate to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\bin
  • Run the command httpd.exe -v
  • Make note of the Server Version

Determine the current version of Apache Solr

Determine the current version of exacqVision Enterprise Manager

  • From the EM dashboard
  • Click the Information icon in the upper right-hand corner
  • Select About
  • Make note of the Version

Install exacqVision Enterprise Manager

  • Download the 64-bit Enterprise Manager installer for Windows from our site at https://exacq.com/support/downloads.php
    Note: 32-bit updates are not supported.
  • Launch the installer
  • During the install you will be prompted to update Apache Solr 7.5.0 and/or Apache 2.4.51. It is recommended that you check both.
  • A backup folder is created for folders being replaced by each update.
  • By default, the newly created backup folders will be located at:
    C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old
    C:\Program Files\exacqVision\EnterpriseManager\apache2.old
  • Using the instructions provided earlier verify the versions of Apache, Apache-Solr and Enterprise Manager have changed to confirm the updates.

Note:  Resource utilization may be high for a period of time after the update as reindexing is performed.

Recover custom settings (Optional)

As previously mentioned, the updates will overwrite any previous configuration changes. However, those settings were backed up as part of the update. By default, they are located at C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old

  • Copy the file httpd-ssl.conf
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\extra\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\extra
  • Copy httpd.conf
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Copy server.crt
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Copy server.key
    from C:\Program Files\exacqVision\EnterpriseManager\apache_solr.old\apache2\conf\
    to C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache2\conf\
  • Restart the solrApache Service

RESTORE (SPECIAL CASE)

When restoring EM to a previous version that used Apache Solr 6.6.0 or earlier it is necessary to manually restore an Apache Solr backup containing the targeted version of Apache Solr for that install.  Note: If a backup does not exist a restore cannot be performed.  

  • To perform a restore first determine the version of the apache_solr backup which is appropriate.
  • Stop all exacqVision Enterprise Manager services including solrApache and solrJetty.
  • Copy the existing C:\Program Files\exacqVision\EnterpriseManager\apache_solr folder to a safe location, renaming it as appropriate
  • Replace with the apache_solr backup folder
  • Start all exacqVision Enterprise Manager services including solrApache and solrJetty.

Notes

The presence of Log4j files in C:\Program Files\exacqVision\EnterpriseManager\apache_solr\apache-solr\server\resources does not mean there is a vulnerability; ensure the version of Apache is either 2.4.51 or 7.5.0.


Can not log into EM after updating to 21.03

Customers report that on Windows 10 units updated to 21.03, browsing to the localhost to log into EM fails with the error: This site can’t be reached.

A Microsoft article detailing other similar issues is linked here.

If you check the services the Apache service will be in a stopped state.
Also check the System Logs for an error:

The error in the System Logs shows:
The Apache service reported the following error:
httpd.exe: Could not open configuration file C:/Program Files/exacqVision/EnterpriseManager/apache_solr/apache2/conf/httpd.confN: The system cannot find the file specified.

To resolve this on the EM server go to
Windows: C:/Program Files/exacqVision/EnterpriseManager/apache_solr/apache2/conf/
There is a file called httpd.conf
Copy this file, paste it back into the same folder, and rename the copy to httpd.confN.

Once this is done go to the services and start the solr apache service.
Now log into the localhost.

Categories
Knowledge Support Support exacqVision Enterprise Categories Products

Solr vulnerability – CVE-2017-12629

Enterprise Manager

Enterprise Manager (formerly ESM) includes a version of Apache Solr which is vulnerable to attack allowing remote code execution.  Further information can be found here: https://nvd.nist.gov/vuln/detail/CVE-2017-12629

Mitigation: It is recommended that you follow the steps below appropriate for your Operating System.

For Windows

Note: File paths vary depending on installation, 64-bit or 32-bit.

  1. Launch services, then stop ‘solrJetty’
  2. Click the ‘Start’ button and type ‘Notepad.exe’.  Right-click notepad and select ‘Run as administrator’.
  3. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: “C:\exacqVisionESM\apache_solr\apache-solr\server\solr\collection1\conf\solrconfig.xml”
    • For 32-bit: “C:\exacqVisionESM\apache_solr\apache-solr\solr\collection1\conf\solrconfig.xml”
  4. Add the following highlighted section just above the “Function Parsers” line:
  5. If 64-bit, click ‘File’, then ‘Open’, and navigate to the following file: “C:\exacqVisionESM\apache_solr\apache-solr\bin\solr.cmd”
    • Find the line: set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
    • Below this line, add the following: set "START_OPTS=%START_OPTS% -Ddisable.configEdit=true"
  6. Save the file.
  7. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: Launch ‘regedit’ from start menu.
      • Go to HKEY_LOCAL_MACHINE->SYSTEM->ControlSet001->Services->solrJetty
      • Double click ImagePath
      • In value data put double quotes around C:\PROGRA~1\EXACQV~1\ENTERP~1\apache_solr/apache-solr\scripts\prunsrv.exe
    • For 32-bit: “C:\exacqVisionESM\apache_solr\apache-solr\scripts\serviceinstall.bat”
      • Find the entry:  ++JvmOptions=-XX:MaxPermSize=128M
      • Add a space after this entry and add: ++JvmOptions=-Ddisable.configEdit=true
      • Find the quoted text: --Install="C:\exacqVisionEsm\apache_solr/apache-solr\scripts\prunsrv.exe\"
      • Replace it with: --Install='"C:\exacqVisionEsm\apache_solr/apache-solr\scripts\prunsrv.exe\"'
    • Note: Ensure there is a space after this entry.
  8. Save the file and close Notepad.
  9. Click the Windows ‘Start’ button and type ‘cmd’.  Right-click on ‘Command Prompt’ and select ‘Run as administrator’.
  10. Run the following two commands sequentially:
    • C:\exacqVisionEsm\apache_solr\apache-solr\scripts\serviceinstall.bat
    • C:\exacqVisionEsm\apache_solr\apache-solr\scripts\serviceinstall.bat INSTALL
  11. Launch services, then start ‘solrJetty’

For Linux

Note: File paths vary depending on installation, 64-bit or 32-bit.

  1. Open a Terminal.
  2. Stop ESMWebservice with the following command:
    • sudo /usr/local/exacq/esm/scripts/ESMWebservice stop
    • Enter your password and press “Enter”
  3. Open ‘gedit’ (or your preferred text editor) with ‘sudo’ privileges with the following command: sudo gedit
  4. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64bit: “/usr/local/exacq/esm/apache_solr/apache-solr/server/solr/collection1/conf/solrconfig.xml”
    • For 32bit: “/usr/local/exacq/esm/apache_solr/apache-solr/solr/collection1/conf/solrconfig.xml”
  5. Add the following highlighted section just above the “Function Parsers” line:
  6. Save the file.
  7. Click ‘File’, then ‘Open’, and navigate to the following file based on your install location:
    • For 64-bit: “/usr/local/exacq/esm/apache_solr/apache-solr/bin/solr”
      • Before the line that reads: SOLR_START_OPTS
      • Add the line: DISABLE_CONFIG_EDIT="true"
      • Find the line with "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
      • Change the line to:
        "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" "-Ddisable.configEdit=$DISABLE_CONFIG_EDIT" \
    • For 32-bit:  “/usr/local/exacq/esm/apache_solr/apache-solr/scripts/ctl.sh”
      • After the line: SOLR_PID=""
      • Add a new line: DISABLE_CONFIG_EDIT="true"
      • Change the line: SOLR=
      • To: SOLR="$JAVABIN -Dsolr.solr.home=$SOLR_HOME -Djetty.logs=$INSTALL_PATH/logs/ -Djetty.home=$INSTALL_PATH/ -jar $INSTALL_PATH/start.jar $INSTALL_PATH/etc/jetty.xml -Ddisable.configEdit=$DISABLE_CONFIG_EDIT"
  8. Save the file and close gedit.
  9. Back in the terminal, run the following command
    • sudo /usr/local/exacq/esm/apache_solr/ctlscript.sh restart
  10. Restart ESMWebservice with the following command:
    • sudo /usr/local/exacq/esm/scripts/ESMWebservice start
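
Added example, not part of the original article or of exacq's tooling: a shell check to run after the restart that inspects the Solr JVM's argument list and reports whether -Ddisable.configEdit actually took effect. It catches an empty value, a value that picked up typographic quotes when copied from a formatted document, and a later flag overriding an earlier one. Assumptions: only the literal value true counts as mitigated, the JVM honours the last occurrence of a -D flag, and the function name and sample argument lists are constructed.

```shell
#!/bin/sh
# Added example (not vendor code): decide from a JVM argument list whether
# -Ddisable.configEdit is effectively set.
# Assumptions: only the literal value true (any case) counts as mitigated,
# and the last occurrence of the flag is the one the JVM uses.

config_edit_state() {
  # stdin: one JVM argument per line.
  # Prints disabled | enabled | unset; returns 0 only for disabled.
  awk '
    index($0, "-Ddisable.configEdit") == 1 {
      rest = substr($0, length("-Ddisable.configEdit") + 1)
      # Accept the bare flag or flag=value; skip longer property names.
      if (rest == "" || substr(rest, 1, 1) == "=") {
        seen = 1
        value = substr(rest, 2)
      }
    }
    END {
      if (!seen)                        s = "unset"
      else if (tolower(value) == "true") s = "disabled"
      else                               s = "enabled"
      print s
      exit (s == "disabled" ? 0 : 1)
    }'
}

# Constructed argument lists, one argument per line.
ARGS_OK='-Duser.timezone=UTC
-Ddisable.configEdit=true
-jar
start.jar'
ARGS_EMPTY='-Ddisable.configEdit=
-jar
start.jar'
ARGS_CURLY='-Ddisable.configEdit=”true”
-jar
start.jar'
ARGS_NONE='-jar
start.jar'

for args in "$ARGS_OK" "$ARGS_EMPTY" "$ARGS_CURLY" "$ARGS_NONE"; do
  printf '%s\n' "$args" | config_edit_state || true
done
# Live use (PID is a placeholder for the Solr JVM process id):
#   tr '\0' '\n' < /proc/PID/cmdline | config_edit_state
```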
