Skip to Content
author's profile photo Former Member
Former Member

Upgrading Apache Axis2 component of Tomcat in SAP BO???


this is my first post, I'm a newbie with SAP BO and therefore not even sure if this is the right place for the question. If not, feel free to step on my toes and point me to the correct location.

I have done my first SAP BO 4.0 installation with default settings using all on-board-technology as possible, meaning I am using the BO-installed SQL Server 2008 Express and the BO-installed Tomcat 6.0.24. This Tomcat features Apache Axis2 1.3.

My problem is that the corporate security identified a security issue with Apache Axis2 and wants me to upgrade to at least 1.5 (current is 1.6) within the next few days or they'll disconnect the system no matter what. I've read stuff on the Apache-site and usually, Axis2 is deployed via a WAR-file and is like any other web application within the Tomcat. The normal way would be to undeploy the old app, deploy the new one and update your files that use Axis2.

Now, BO seems to behave slightly differently here. There is no real Axis2-web application, there are in fact 2 (folders "BusinessProcessBI" and "dswsbobje"). In the BOE-folder you can find many Axis2-files with "1.3" in the name as well, so it's not as simple as killing off these 2 webapps and replace it with a new one.

Updating BO to SP4 didn't change anything about this. I hoped it would upgrade the Axis2-component as well, but it didn't. I doubt that simply replacing the old Axis2-files with new ones manually will do anything besides breaking the system.

Does anyone have any idea what I can do right now? Thanks in advance!

Add a comment
10|10000 characters needed characters exceeded

Related questions

2 Answers

  • Posted on Dec 05, 2013 at 08:29 PM

    Hi Aaron,

    I was researching similar issue which you faced last year with BI 4.0 about security scan.
    We are on BOXI 4.0 SP5 . Can you please let us know what exactly you did to fix this.
    Thanks and Appreciate your response.

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jun 22, 2012 at 09:47 PM

    Hi Aaron.

    Could you provide additional information as to which specific security issues your team is concerned about?

    We have in the past made some updates to the Axis components with respect to security so that their use would not be exploitable in the BO application's context.

    Simply swapping the libraries out would not be supported and have a high risk of incompatibilities.

    If you have no need to use web services, you can undeploy the dswsbobje application to minimize the attack surface area. Turning off services which you do not require is always a first step of best security practice. If you do not plan to use applications like LiveOffice or CrystalReports for Enterprise, you should be able to remove this. BusinessProcessBI is basically an API which is not used by the default BI client tools, so you can also undeploy this without breaking anything.



    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Greg Wcislo

      Hi, Greg.

      So, if I installed SP4, that would be it? That would be great, because this has been done and I was really worried it wasn't enough.

      I'll go talk to our corporate IT. I may require further assistance if they persist, but then I will contact you directly.

      THANKS A LOT! 😊

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.