Pharos Blueprint 5.3 - Update 7 Security Patch Release Notes

Note: This update can only be applied to existing installations of Blueprint 5.3 Update 7 Analyst or Collector.
 Blueprint 5.3 Update 7 Security Patch includes a security update to address a known security issue and must be applied to the Analyst and all Collectors. Please note:

• This update will upgrade your Pharos API from version 5.4.1.61 to 5.4.2.1

• This update requires MobilePrint version 2.5.0 or later (if used). Refer to the MobilePrint section below for more information.

• Site Security Utility. A new utility is available to use with 5.4.2.1 or later Print Center/Pharos API. This optional but recommended tool adds further protection to credentials used by the Pharos API for communication between Pharos API instances and for MobilePrint communication with Pharos API. The tool and instructions are in the \Integrations\SiteSecurityUtility folder of the BP 5.3 Update 7 Security Patch download.

How to apply this Update

Updating Analyst or Collector

Installation Steps

1. If updating Analyst, make sure you have an up to date backup of the psbprint database.

2. Close the Window's Printers window (if it is open). Close any Pharos applications (e.g. Troubleshooter, Blueprint Administrator) that are open.
    Note: you do not need to stop the Pharos Services. The update installer will do this automatically.

3. Open an elevated Windows command prompt and run Patcher.exefrom the command line. No additional parameters are necessary.

   • The update installer does not create a log file. It is recommended that you run DebugView (http://technet.microsoft.com/en-us/sysinternals/bb896647) to capture the output of the installer. This output will include error messages if the installer fails.

   • Also, the existing Blueprint files will be backed up to BP53 in the Temp directory, before they're replaced with the updated versions.

   • If the update installer fails, you can correct the cause of the error and run Patcher.exe again.

   • At completion, the Patcher may automatically force a restart. Follow the remaining instructions after the restart.

   • To log the installation of MSI files associated with the update, edit <MsiLogFileDirectory> in the Patcher.xml file with a folder path.

   • If Site Monitor with a lite license is installed and the logged on user does not have permissions to remove the Site Monitor database, the DbAdminUser and EncryptedDbAdminPasswordelements can be populated in the patcher.xml to allow full uninstallation of Site Monitor.

     • Open an elevated command prompt and type in patcher /encrypt:MySecretPassword to retrieve the encrypted version of the Db Admin Password.

4. On Analyst, open the Blueprint Analyst, go to Reporting -> Publications and click on "Publish to Data Warehouse" on the toolbar.

Automated Server Deployment

Customers with a large number of Blueprint Servers may want to deploy this update using an automated software deployment tool (e.g. IBM's Tivoli).
To help with this process, the Patcher can be configured to send an e-mail at the end of the patching process indicating the patching attempt's success or failure. The configuration is held in the file Patcher.xml. Modify the file as follows:

1. Change the <automated> element from "false" to "true".

2. Set "to" to the e-mail address you want the notification sent to.

3. Set "from" to the e-mail address you want the notification to claim it was sent from.

4. Set smtpServerHost to the FQDN of the mail server.

5. Leave smtpServerPort alone, unless the mail server is using a non-standard port. Or you want the communication encrypted using SSL.

6. If the mail server and its Host are configured to support SSL, you can change useSSL to "true" and smtpServerPort to the SSL port (usually 465).

7. Set smtpUserName and smtpPassword to the user and password needed to use the mail server.

8. If you do not want to put an unencrypted password in the Patcher.xml file, you can put the password as encrypted text into smtpEncryptedPassword. You can encrypt the password by calling Patcher.exe from the command line with the flag "/encrypt:". e.g. Assume your mail server's password is "MySecretPassword".

   1. Open an elevated command prompt and type in patcher /encrypt:MySecretPassword

   2. Patcher.exe will return EncryptedPassword:L9EMZX9r1CkvI8rNybP/dikf09zwBPLMfl6OMk7/nXOCgZQpaePQDoGDULN3eAbe"

   3. Set smtpEncryptedPassword="L9EMZX9r1CkvI8rNybP/dikf09zwBPLMfl6OMk7/nXOCgZQpaePQDoGDULN3eAbe"

9. If your deployment tool will run the patcher under an account that has permission to send e-mails, then you can set useDefaultCredentials to "true" and leave smtpUserName, smtpEncryptedPassword and smtpPassword blank.

Integrations

MobilePrint

The MobilePrint application has been updated to work with the updated security measures implemented in the Print Center. Ensure that your MobilePrint is updated to version 2.5.0 (if used).
 MobilePrint won't be able to retrieve changes to its configuration until it is updated because it won't be able to establish communication with the Pharos API. Failing to update to the latest version might also lead to a situation where multiple logon requests are generated by MobilePrint. These logon requests do not present a substantial risk. Standard MobilePrint operations, such as file uploads and print release will continue to work.