Administration

Added Security for Webroot Folder Data

Before this release, storing an HTML page in the webroot folder could make the contents of that folder vulnerable to someone without proper credentials. For example, if you store index.html in the webroot folder, an unauthorized person could gain access to CAPA information without logging in. All the user needs is the server and port number: http://<servername>:<portnumber>/niku/index.html.

To resolve this issue, a new servlet filter (ClarityContentFilter) was introduced. The filter is registered in the following file: <installfolder>/tomcat-app-deploy/conf/web.xml. This servlet prevents users from accessing a page, image, script, or any other file without logging in to the product.

Note the following points about ClarityContentFilter:

You can exclude webroot files from the filter using a ClarityContentFilter parameter named allowedList. This parameter allows some items to be excluded from the filter. If you want the webroot folder to be excluded, you can append it to the allowedList parameter separated from other items by a comma. Redeploy the app service when you change the allowedList parameter.
You can disable the filter by adding the following value to the Java VM parameters of the app server:
-DdisableContentFilter=true.

Upgrade Action: None

Apache Tomcat Log Analysis

The following jobs have been added to create and manage data that you can use to analyze performance in an Apache Tomcat environment. You can add custom portlets, queries, or externally available content to provide details regarding system performance. Although the job runs for application servers other than Tomcat, no data is created.

Tomcat Access Log Import/Analyze Job
This job imports and analyzes Tomcat access log files from the local CA Clarity PPM environment (all app services). The job stores and summarizes the data in the following designated tables:
- LOG_DETAILS
- LOG_SUMMARY
- LOG_FILES
- LOG_REPORTDEFS
Delete Log Analysis Data Job
This job removes the analysis-related data that is stored in CA Clarity PPM. The criteria for removing the data is the LOG_DATE on each of the log analysis tables.

The job is scheduled to run automatically at 1:00 A.M. each day.

Upgrade Action: None

Character Limit for Audited Multi-Valued Lookups Increased

Before Release 13.2.0.1, ODF_AUD_VALUE_FCT returned a value of type Varchar2. With the release of 13.2.0.1, the returned value type was changed to CLOB. This change increases the number of characters that are allowed for auditing multivalued lookups from 4,000 to an unlimited number of characters.

Upgrade Action: Update any reports or portlets that use ODF_AUD_VALUE_FCT.

Limit the Number of Rows for Export to Excel

System administrators can limit the maximum number of rows that can be exported to Excel. A new field in Clarity System Administration provides a safeguard against the export of unlimited or large amounts of data which can affect system performance.

An individual user with the appropriate access rights can control the number of rows that are exported to Excel using a setting in CA Clarity PPM. However, the setting in CA Clarity PPM does not override the setting in Clarity System Administration. From CA Clarity PPM, the number of rows that are exported is managed by entering a value in the Maximum rows for Export to Excel field. The field is available from Administration, General Settings, System Options. Previously, if no value was entered in the field, an unlimited number of rows could be exported to Excel.

Note: If you are a new customer, the default setting for the number of rows that can be exported is 25,000.

Upgrade Action: Place a practical limit on the number of rows of Excel data that can be exported.

Log in to Clarity System Administration.
Click Servers in the left pane, and click the name of the server.
On the Properties tab, click the Application subtab.
Enter a value in the Maximum rows for Export to Excel field and click Save.
To place the changes in effect, restart the services.

Remove Session IDs from Log Files

As a security measure, you can configure CA Clarity PPM to prevent session ID values from appearing in your log files. To prevent these values from appearing, edit the logger.xml file. Replace the log pattern (%u:%s:%a) with the pattern (%U:%a).

The following examples show the results of using both log patterns in the logger.xml file.

Example: (%u:%s:%a)

This line of code shows how the pattern to display the session ID value appears in the logger.xml file.

<param name="ConversionPattern" value="%-5p %d{ISO8601} [%t] %c{2} (%u:%s:%a) %m\r\n"/>

This pattern produces records in a log file with the session ID value. The following record from the app-ca.log that shows the session ID value (bolded):

DEBUG 2014-08-18 19:52:02,949 [http-bio-80-exec-3] odf.view (clarity:admin:5077018__8DF3B2A0-F398-4A4B-BC35-E9A012065CE0:npt.overview) Adding view FILTER_VIEW_LOADER::USER:NIKU.ROOT to transient cache

Example: (%U:%a)

This line of code shows how the pattern to prevent the session ID value appears in the logger.xml file.

<param name="ConversionPattern" value="%-5p %d{ISO8601} [%t] %c{2} (%U:%a) %m\r\n"/>

This pattern produces a record in a log file without the session ID value. The following example is a record from the app-ca-service.log that shows no session ID value.

DEBUG 2014-08-18 19:52:02,494 [http-bio-80-exec-3] in.service (admin:npt.overview)

CA Clarity PPM supports additional logging patterns if the layout is set to NikuLayout in the logger.xml for an appender.

Pattern Option	Purpose
u	Creates the user ID with the tenant ID in the log. Example: (%u) creates the output (clarity:admin) in the log.
U	Creates the user ID in the log. Example: (%U) creates the output (admin) in the log.
s	Creates the session ID in the log. Example: (%s) creates the output (5077018__8DF3B2A0-F398-4A4B-BC35-E9A012065CE0) in the log.
a	Creates the action ID in the log. Example: (%a) creates the output (npt.overview) in the log.

Note: For more information about log4j version 1.2 supported patterns, see the API documentation for Class PatternLayout at https://logging.apache.org.

Set Options for Cross-Site Scripting (XSS) Vulnerability

Cross-Site Scripting (XSS) attacks insert malicious scripts into otherwise trusted web sites. A cross-site scripting attacker uses a web application to send malicious code, generally in the form of a browser side script, to an end user. These attacks succeed when a web application uses input from a user in the output it generates without validating or encoding the input.

You can set options to validate user input. With input validation, CA Clarity PPM compares the user input to a set of commonly used XSS string patterns. If any part of the user input matches one of the common patterns, CA Clarity PPM restricts the XSS string in the user input. The product restricts the XSS string by placing escape characters before and after the string.

The escape characters are visible to the end user. The characters instruct the browser to ignore any script or HTML tag that is attached to the user input. This output encoding ensures that the user input is treated as text and not active content that can be executed. This action helps ensure user input that is returned to the browser is safe from XSS.

Set Up User Input Validation

The XSS options let you manage the escaping of user input values in the application, URL attributes, and site links. You can also add extra patterns to be escaped.

Important! The XSS detection is turned on by default; however, site links and URL attributes are exempted from this detection. To turn on XSS detection for site links and URL attributes, modify the options that are described in the following section.

To change the setting for any option, you execute database SQL statements.

Follow these steps:

Access the CMN_OPTION_VALUES database table.
Update the table entry for the particular option. For information about each option, see the option descriptions.
Flush the cache.

Cross-Site Scripting Options

The following options apply to user input validation.

RESTRICT.APP.XSS (XSS Restriction Option)

Restricts the XSS string in the user input when the string matches a pattern in the CMN.XSS.PATTERNS option. This system option applies to the entire application, except the URL attributes and site links. You can set restrictions for URL attributes and site links through separate options.

Values: True (restrictions are on), False (restrictions are off)

Default: True

Note: The HtmlPortlet content is not restricted (escaped). The HTML portlets execute any script in HTML content, which is the expected behavior.

To change the RESTRICT.APP.XSS option, update the CMN_OPTION_VALUES database table using the following SQL statement:

update cmn_option_values set value='false|true' where option_id = (select id from cmn_options where option_code=' RESTRICT.APP.XSS')

RESTRICT.URL.ATTR.XSS (URL Attribute Value Option)

Restricts the URL attribute value (that you created with Studio) when the value matches a pattern in the CMN.XSS.PATTERNS option.

Values: True (restrictions are on), False (restrictions are off)

Default: False

To change the RESTRICT.URL.ATTR.XSS option, update the CMN_OPTION_VALUES database table using the following SQL statement:

update cmn_option_values set value='false|true' where option_id = (select id from cmn_options where option_code=' RESTRICT.URL.ATTR.XSS')

RESTRICT.SITE.LINKS.XSS (Site Links Option)

Restricts the site links entry value when the value matches a pattern in the CMN.XSS.PATTERNS option.

Values: True (restrictions are on), False (restrictions are off)

Default: False

To change the RESTRICT.SITE.LINKS.XSS option, update the CMN_OPTION_VALUES database table using the following SQL statement:

update cmn_option_values set value='false|true' where option_id = (select id from cmn_options where option_code=' RESTRICT.SITE.LINKS.XSS')

CMN.XSS.PATTERNS (Common XSS Patterns Option)

Defines the string patterns that are commonly used for XSS. You can modify this option to add more string patterns.

To add patterns, access the CMN_OPTION_VALUES database table and include the new patterns in the CMN.XSS.PATTERNS option.

String patterns =

</script>

<script(.*?)>

alert(.*?)

eval\\((.*?)\\)

expression\\((.*?)\\)

javascript:

onerror(.*?)=

onload(.*?)=

src[\r\n]*=[\r\n]*\\\"(.*?)\\\"

src[\r\n]*=[\r\n]*\\\'(.*?)\\\'

Example: Adding a new pattern

The following example statements add the new pattern onfocus to the CMN.XSS.PATTERNS option:

Oracle:

CMN_OPTION_VALUES_INS_SP('CMN.XSS.PATTERNS','true','true','onfocus(.*?)=',1);

MSSQL:

EXEC CMN_OPTION_VALUES_INS_SP 'CMN.XSS.PATTERNS','true','true','onfocus(.*?)=',1

Upgrade Action: None

Action Item Localization

You can translate action item names and descriptions that are associated with processes. The advantage is that recipients see the action item in the language set for them.

For example, as the process creator, you translate an action item into all CA Clarity PPM supported languages. When the process is executed, the user working in CA Clarity PPM in French sees the action item in French. The user working in CA Clarity PPM in Turkish sees the action item in that language. This change improves the user experience because the action item is seen in the appropriate language.

You can translate an action item by using the translation icon that appears next to the Action Item Name field. The icon appears after the page for the action item is saved. Clicking the icon opens a dialog that lets you specify different language translations for the Action Item Name and Description fields.

Note: The Action Item translation icon is intended as an administrative tool and appears only for action items that are related to processes. The icon is not available to action item operations that end users perform from the Home menu.

Upgrade Action: None