Upgrade Guide for MD2 Update

• Introduction

• When to Use this Upgrade Guide

• Applying the MD2 Update to Existing Applications

  • Websydian Versions 3.1 and 3.0

  • Websydian Versions 2.0, 2.1, and 2.5

• Addressing the Problem with Passwords

Introduction

In Websydian 4.0 a bug in the Websydian MD2 implementation was discovered and corrected.  As the MD2 function in Websydian is used to sign passwords and HTML pages an update is also provided for Websydian versions back to 2.0.

There are two ways to upgrade an application to use the new and correct MD2 implementation:

1. Upgrade the entire application to Websydian 4.0. Please look here for upgrade instructions.
2. Apply the MD2 update to the Websydian version used in development (this document).

For a discussion on the severity of this bug please refer to Technical Bulletin #2.

When to Use this Upgrade Guide

This guide describes how to apply the MD2 update to applications developed with Websydian 2.0, 2.1, 2.5, 3.0, and 3.1.

Among other things the MD2 function in Websydian is used to sign passwords in the UserManagement pattern. As the MD2 implementation now is changed special care must be taken for existing applications using the UserManagement pattern when applying the MD2 update. Please refer to the section Addressing the Problem with Passwords for more information about this.

Applying the MD2 Update to Existing Applications

What actions to take depend on the Websydian version and the target platform of the application. Please consult the appropriate section below that fits the requirements of the application where the MD2 update should be applied.

Websydian Versions 3.0 and 3.1

In Websydian 4.0 the package objects to generate and build was replaced by subject areas. In that process the package objects where renamed. As object naming is level invariant in Plex this renaming also affects previous levels.

The table below shows how the package objects are named in the new group models and their old names.

So when the Websydian 3.0/3.1 documentation mentions the package object WSYBASE/ObjectsToGenerateAndBuild you should instead use the package object WSYBASE/UseAppropriateSubjectArea_3 after the MD2 update is applied.

Windows and iSeries

For applications developed using Websydian 3.0 or 3.1 the following steps should be followed both if the application is still under development or if the application is in production.

1. Take a backup of the application group model(s).
2. Install the Websydian group models distributed with Websydian 4.0 in a different location than the currently used Websydian group models.
3. Login to the application group model using the Websydian 4.0 group models.
4. Please see here for an overview of how to set the version/level for the attached Websydian library models.
5. Extract all information to the local model.
6. Generate and build the objects WSYINTEG/SignFields and WSYUSER/SignPassword.
7. If the application is in production the two above objects should be deployed to the application library replacing the old versions of these objects (if using the UserManagement pattern remember to address the problem with passwords).
8. Development can now continue as before.

Java

Some package objects have been renamed from Websydian 4.0 and since object naming is level invariant in Plex this also affects previous levels.

As Plex uses the package names to determine the location of the Java classes this change has the impact that the approach in the previous section can not be used. Instead follow the guidelines below.

1. Create a new empty group model and attach the libraries WsyInteg and WsyUser distributed with the MD2 update.
2. Set the level/version of the Websydian library models as described here.
3. Extract to a local model.
4. Create a package object named UserObjectsToGenerateAndBuild and include the function WSYUSER/SignPassword in the package.
5. Create a package object named IntegObjectsToGenerateAndBuild and include the function WSYINTEG/SignFields in the package.
6. Generate and build t he functions WSYINTEG/SignFields and WSYUSER/SignPassword.
7. Deploy the generated functions to the application library. If the objects are deployed to a development library then remember NOT to generate and build the two functions WSYINTEG/SignFields and WSYUSER/SignPassword in the development model.
8. If using the UserManagement pattern remember to address the problem with passwords.

Websydian Versions 2.0, 2.1, and 2.5

Windows

1. Create a new empty group model and attach the libraries WsyInteg and WsyUser distributed with the MD2 update.
2. Set the level/version of the Websydian library models as described here.
3. Extract to a local model.
4. Generate and build the functions WSYINTEG/SignFields, WSYUSER/SignPassword, and WSYBASE/GetFieldLength.
5. Deploy the two files WSYDF15.dll and sgnpas.dll to the application library. If the objects are deployed to a development library then remember NOT to generate and build the two functions WSYINTEG/SignFields and WSYUSER/SignPassword in the development model.

iSeries

1. Restore the save file Hotfix24489.savf found in the directory [Websydian installation directory]\EnterpriseWebDeveloper\Lib\iSeries to the iSeries in the library WSYDxxxPTF where the xxx indicates the version of Websydian you want to use. e.g. WSYD210PTF, or WSYD250PTF.
2. Add the PTF library to the job description library list used by the application in front of the Websydian runtime library.
3. Rename the object CRYPT to OLDMD2 in the WSYDxxxPTF library.
4. Rename the object MD2 to CRYPT in the WSYDxxxPTF library.

Addressing the Problem with Passwords

As the MD2 function is used by the UserManagement pattern to sign passwords the MD2 fix has the side effect that all password signatures in the user table created by the UserManagement pattern now are invalid when validated using the correct MD2 implementation.

Please look here for information on how to resolve this issue.