Introduction
FME Flow (formerly FME Server) uses a third-party application, Apache Tomcat, to run the FME Flow Web Services*. Occasionally, your organization's penetration tests may identify new security vulnerabilities reported against the version provided with the default installation. If this happens, please contact Safe Software Support for more information on whether FME Flow can be exploited by this vulnerability.
If it is, it will be necessary to upgrade Tomcat to a version for which the vulnerability does not apply.
To point FME Flow at another version of Tomcat, we recommend taking a backup and then re-performing the installation using the distributed install option, where you can opt not to install the FME Flow Web Application in favor of providing your own.
However, in some cases a reinstall is not desirable. The steps documented below are intended to allow you to upgrade Tomcat without taking your existing FME Flow system down.
*For more information on the version of Tomcat used by default in your FME Flow installation, see this article.
Key References
<FMEFlowDir> refers to the location of the FME Flow installation folder, specified during installation. By default on Windows, this is C:\Program Files\FMEFlow\.
<TomcatDir> refers to the location of the Tomcat installation folder. By default on Windows, this is C:\Program Files\Apache Software Foundation\Tomcat 9.0\.
<JREDir> refers to the location of your JRE installation folder. This will vary depending on where you downloaded JRE from.
Requirements
- FME Flow Core and Application Server are installed on the same host.
- Java Runtime Environment [Download]**. We recommend running the web application server on the same version of the Java Runtime Environment that FME Flow runs. To determine this version, use a text editor to open <FMEFlowDir>\Utilities\jre\release.
- Apache Tomcat version 9.0.x [Download]**.
**The following are not supported: Java Runtime Environment 9-16, 18 or later; Apache Tomcat version 10.x.
Step-by-Step Instructions
Disclaimer
- The following steps were identified through trial and error by the support team. They have been tested on 2022.2 where FME Flow Core and Application Server are both installed locally. We anticipate these steps should work for other versions but they have not undergone any QA process. If something does not work, a complete reinstall is the recommended option.
- FME Flow is only tested with the version of Tomcat it is shipped with. We do perform incremental upgrades in reaction to reported security vulnerabilities, as opposed to leveraging any new features, so we do not anticipate any problems, but we recommend testing before pushing changes to a production environment.
1. Back Up FME Flow
Before any changes are made, back up the existing installation as a precaution. From the FME Flow Web UI go to Admin > Backup & Restore > Backup and download a backup file.
2. Shut Down FME Server Application Server Service
On the host where FME Flow is installed, open Services and stop the FME Server Application Server Service.
3. Install Apache Tomcat Version 9.0.x [Download]
- Verify the installation was successful by navigating to http://localhost
  Note: the Tomcat installer will prompt you to specify a port. If you used a value other than 80, it must be specified in the URL, e.g. http://localhost:8080. The default port in the installer is 8080.
- Open Services and stop the Apache Tomcat 9.0 Service.
4. Copy Files from FME Flow’s Tomcat to the New Tomcat
- Copy all .war files from <FMEFlowDir>\Utilities\tomcat\webapps\ to <TomcatDir>\webapps\.
- Copy all the .jar files from <FMEFlowDir>\Utilities\tomcat\lib\ to <TomcatDir>\lib\. You will be prompted to ‘Replace or Skip Files’. Choose the option ‘Skip these files’.
5. Start Apache Tomcat
Wait a few minutes to allow Tomcat to unpack the contents of the .war and .jar files. Then:
- Confirm you can access Tomcat by going to http://localhost
- Confirm you can access FME Flow by going to http://localhost/fmeserver
6. Update the Service Startup Types
Once your testing is complete and you are satisfied the Tomcat installation is working properly, we recommend disabling the FME Server Application Server Service to prevent it from automatically starting up in the future.
- Go to Services and find the FME Server Application Server Service.
- Right-click and select Properties.
- Under General > Startup type select Disabled.
By default, the Apache Tomcat Service Startup Type is Manual. This means that if your host is shut down, you'll need to manually restart this service to access FME Flow. Instead, you can update this service to start automatically whenever the host machine comes online. Repeat the steps above, but this time edit the properties of the Apache Tomcat Service and set the Startup Type to Automatic.
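The script below is an added example, not Safe Software's own tooling: it carries out steps 2, 4 and 5 from an elevated PowerShell prompt and adds a SHA-256 check of the copied .war files. The default paths, the port and the service display-name patterns are assumptions to confirm on your host before running it.

```powershell
# Added example covering steps 2, 4 and 5. Run from an elevated prompt.
# Assumptions: default install paths from Key References, installer default
# port 8080, and display-name patterns that must be confirmed in Services.
param(
    [string]$FmeFlowDir    = 'C:\Program Files\FMEFlow',
    [string]$TomcatDir     = 'C:\Program Files\Apache Software Foundation\Tomcat 9.0',
    [string]$FmeSvcLike    = 'FME*Application Server*',  # assumed pattern
    [string]$TomcatSvcLike = 'Apache Tomcat 9.0*',       # assumed pattern
    [string]$BaseUrl       = 'http://localhost:8080'
)
$ErrorActionPreference = 'Stop'
$src = Join-Path $FmeFlowDir 'Utilities\tomcat'

# Step 2 (and the end of step 3): both services stopped before files change.
Get-Service -DisplayName $FmeSvcLike, $TomcatSvcLike | Stop-Service

# Step 4: copy every .war into the new Tomcat's webapps folder.
Copy-Item -Path (Join-Path $src 'webapps\*.war') -Destination (Join-Path $TomcatDir 'webapps')

# Step 4: copy .jar files, skipping any name that already exists, so the new
# Tomcat's own libraries are never replaced by the older bundled copies.
$skipped = foreach ($jar in Get-ChildItem (Join-Path $src 'lib') -Filter *.jar) {
    $dest = Join-Path $TomcatDir "lib\$($jar.Name)"
    if (Test-Path $dest) { $jar.Name } else { Copy-Item $jar.FullName $dest }
}
"Skipped $(@($skipped).Count) jar(s) already present in the new Tomcat."

# Added check: each copied .war must match its source byte for byte.
foreach ($war in Get-ChildItem (Join-Path $src 'webapps') -Filter *.war) {
    $a = (Get-FileHash $war.FullName -Algorithm SHA256).Hash
    $b = (Get-FileHash (Join-Path $TomcatDir "webapps\$($war.Name)") -Algorithm SHA256).Hash
    if ($a -ne $b) { throw "Hash mismatch for $($war.Name)" }
}

# Step 5: start Tomcat, wait for it to unpack, then request both URLs.
Get-Service -DisplayName $TomcatSvcLike | Start-Service
Start-Sleep -Seconds 180
foreach ($u in $BaseUrl, "$BaseUrl/fmeserver") {
    "{0} -> HTTP {1}" -f $u, (Invoke-WebRequest $u -UseBasicParsing).StatusCode
}

# Troubleshooting: show the first SEVERE lines from the new Tomcat's logs.
Select-String -Path (Join-Path $TomcatDir 'logs\*') -Pattern 'SEVERE' |
    Select-Object -First 20
```

Step 6 is left as a manual action so the startup types are changed only after your own testing is complete.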
Optional Configurations
Reconfigure HTTPS
If FME Flow was previously configured for HTTPS you’ll need to partially redo this configuration.
Windows
- For a PFX certificate, follow steps 1-4, 6 & 7.
  - Replace references to <FMEFlowDir> with <TomcatDir>.
  - In step 6f, replace the file path for the Keystore parameter with <JREDir>\lib\security\cacerts.
  - If you are using WebSockets or single sign-on you’ll also follow steps 9 and 10, respectively.
- For a CA-issued certificate, follow steps 6-10 and 12.
  - Replace references to <FMEFlowDir> with <TomcatDir>.
  - Before completing these steps fetch the value for the keystoreFile parameter in <FMEFlowDir>\Utilities\tomcat\conf\server.xml. Copy this file to your new Tomcat folder and use this as your Keystore.
  - For step 6, replace the file path for the Keystore parameter with <JREDir>\lib\security\cacerts.
  - If you are using WebSockets or single sign-on you’ll also follow steps 14 and 15, respectively.
If you encounter any issues, run through the steps in full to make sure nothing was missed.
Linux
- In FME Flow 2022.0 and newer, the HTTPS configuration is on NGINX so no re-configuration is necessary.
- In FME Flow 2021.2 and older follow the same steps as under the Windows heading.
URL Redirect
When FME Flow is installed with the default FME Server Application Server Service, if you navigate to http://localhost:<port> or http://<hostname>:<port> you’ll be redirected to FME Flow. You can set this up on your own Tomcat installation as follows:
- Open <TomcatDir>\webapps\ROOT\index.jsp in a text editor such as Notepad.
- Find the line
  <!DOCTYPE html> <html lang="en">
  and in the head element add
  <meta HTTP-EQUIV="REFRESH" content="0; url=fmeserver">
- Restart the Apache Tomcat 9.0 Service to apply the change.
- Open a Web browser and go to http://localhost to confirm the redirection.
Troubleshooting
The Tomcat logs will no longer be stored in the FME Flow System Share. Instead, if you encounter issues, start by reviewing the files in <TomcatDir>\logs\ for SEVERE messages.