Virtuallinks vs character encoding vs ESAPI

Alvaro de Andres2 Comments

One has to wonder what is EMC thinking when they take some decisions: In Webtop 6.8 EMC introduced a “new” library in order to improve protection against XSS vulnerabilities. They decided to use OWASP’s ESAPI library, a project that hasn’t been updated in over 2 years (check ESAPI/esapi-java-legacy · GitHub and ESAPI/esapi-java · GitHub) and doesn’t show any sign of being currently developed (quite the contrary: Off-the-Wall Security)

Anyway, with the introduction of this library they have broken the virtuallinks component, at least for everyone that uses non ASCII characters. To sum up what has been discussed in Webtop 6.8 Download Servlet Escaped Umlaut Problem:

In a “standard” environment:

  • Tomcat running with -Dfile.encoding=UTF-8
  • Default ESAPI.properties
  • Webtop version: 6.8 SP6

Any “weird” character (in spanish: áéíóúñ) will break the virtuallinks functionality in two cases:

1. The user is logged in webtop:
VirtualLink404Handler.getServletErrorRequestUri method has an url conversion

virtualLinkPath = URLDecoder.decode(virtualLinkPath, "UTF-8");

that has the following behaviour (in Chrome and Firefox, IE seems to work just fine):

BEFORE URLDecoder: /folder%20name/%C3%A1%C3%A9%C3%AD%C3%B3%C3%BA
AFTER URLDecoder: /folder name/áéíóú
BEFORE URLDecoder: /folder%20name/%C3%A1%C3%A9%C3%AD%C3%B3%C3%BA
AFTER URLDecoder: /folder name/áéíóú
BEFORE URLDecoder: /folder%20name/%E1%E9%ED%F3%FA
AFTER URLDecoder: /folder name/?????

that “????” string will return “?????” or a sequence of square icons or simply a blank depending of the character encoding. In order to fix it, you need to rewrite the class changing that method to something like:

    String vLink=URLDecoder.decode(virtualLinkPath, "UTF-8");
    if (vLink.indexOf("?")!=-1){//broken UTF-8 encoding
        virtualLinkPath = URLDecoder.decode(virtualLinkPath, "ISO-8859-1");
    }else{
        virtualLinkPath = URLDecoder.decode(virtualLinkPath, "UTF-8");
    }

This will make virtuallinks that have special characters to be correctly opened from any browser.

2. The user hasn’t logged in webtop:
Virtuallink component will redirect to the login component (check url-addressable-components & virtuallinkconnect first) and then you’ll get a popup saying

“There’s been an error. Contact with your administrator”

without any additional info or stacktrace in the logs.

What is happening is that ESAPI is forbidding the redirection to the login compoenent due to the presence of “unsafe” characters as you can see in a the following phantom exception:

HTTP header value: Header Manipulation: FormProcessor: Invalid input. Please conform to regex ^[a-zA-Z0-9()\-=\*\.\?;,+\/:&_ ]*$ with a maximum length of 1024

Obviously, your next step would be adding the special characters to the Validator.HTTPHeaderValue regular expression in ESAPI.properties:

Validator.HTTPHeaderValue=^[%a-zA-Z0-9áéíóúÁÉÍÓÚñÑ()\\-=\\*\\.\\?;,+\\/:&_ ]*$

Restart the server, retry the virtuallink url and:

HTTP header value: Header Manipulation: FormProcessor: Invalid input. Please conform to regex ^[%a-zA-Z0-9áéÃóúÁÉÍÓÚñÑ()\-=\*\.\?;,+\/:&_ ]*$ with a maximum length of 1024

WTF!!?? ESAPI reads the properties file as a stream and doesn’t care about the encoding

You can fix this by overwriting WDKESAPIValidator.getValidHeader (check Re: Webtop 6.8 Download Servlet Escaped Umlaut Problem) or you can do it in a nicer way (considering it is unlikely that the ESAPI jar will be ever updated):

1. Download ESAPI 2.1.0 source
2. Modify org\owasp\esapi\reference\DefaultSecurityConfiguration.java:

protected String getESAPIProperty( String key, String def ) {
  String value = properties.getProperty(key);

with

    String value=null;
    try {
      value = new String(((String)properties.get(key)).getBytes("ISO-8859-1"), "UTF-8");
    } catch (UnsupportedEncodingException e) {
      e.printStackTrace();
    }

And

protected boolean getESAPIProperty( String key, boolean def ) {
  String property = properties.getProperty(key);

with

    String property=null;
    try {
      property = new String(((String)properties.get(key)).getBytes("ISO-8859-1"), "UTF-8");
    } catch (UnsupportedEncodingException e) {
      e.printStackTrace();
    }

3. Replace the class in webtop/WEB-INF/lib/esapi-2.1.0.jar

And now your special characters in ESAPI.properties will be read correctly and you can use again the virtuallink component.

Video streaming from Webtop

Alvaro de Andres1 Comment

We have stored in our repository some video tutorials to help users. Usually they double click on them, the UCF applet/http download launches and they’ll open them with some video player than may or may not have the rigth codecs to play the video.

So in order to improve the “user experience” we decided to try using some HTML5 video player to play the content from the browser.

In this case we are using MediaElements.js (mediaelementjs.com), but any player will do.

1. Create a hidden cabinet with mp4/webm videos.
2. Add a menu action to load the hidden cabinet in an objectlist (I’m simulating a click on the browsertree):

      <actionmenuitem dynamic="generic" name="videohelp"  
           nlsid="MSG_VIDEOHELP" action="videohelp_action"  
           showifinvalid="false" showifdisabled="true" />  

        @Override  
        public boolean execute(String paramString, IConfigElement paramIConfigElement,  
              ArgumentList paramArgumentList, Context paramContext, Component paramComponent,  
              Map paramMap) {  
            String pathIds=FolderUtil.getFolderIdsFromPath("/VIDEOS");  
          
            ArgumentList args=new ArgumentList();  
            args.add("objectId",pathIds);  
          
            ClientSessionState.setAttribute("customlocation", "/VIDEOS");  
          
            return ActionService.execute("view", args, paramContext, paramComponent, this);  
        }

NOTE: I’m using a custom scope that allows to scope by folder, that’s why I’m setting the customlocation attribute.

3. Create a new objectlist component which:

  • Overrides the default action when double clicking a document so it launches the video player instead of opening.
  • Generates a virtual link for the video content.
    private String getVideoUrl(IDfDocument video) throws DfException, IOException{  
            String url="";  
      
            IDfFolder fold=(IDfFolder)getDfSession().getObject(video.getFolderId(0));      
            url=url+getPageContext().getRequest().getServerName()+":"  
                   +getPageContext().getRequest().getServerPort()  
                   +getPageContext().getServletContext().getContextPath();  
            url=url+fold.getFolderPath(0)+"/"+video.getObjectName();  
          
            return url;  
    }

objectlist_videos.jsp:

    //add javascript to show/hide player in a cool way.  
    //Add the parameter passed in the click event to the src attribute of the video tag.  
  
       <dmf:form>  
          <video width="640" height="360" src="" type="video/mp4"  
            id="player1" controls="controls" preload="none"></video>  
          
         <%@ include file='/custom/jsp/objectlist/doclist_body_videos.jsp' %>  
      </dmf:form>

doclist_body_videos.jsp:

        //modify object id celltemplate:  
      
         <dmf:datagridRowEvent eventname="dblclick">  
             <dmf:link onclick='show' name='objectLink'  
                    runatclient='true' datafield='title'>  
                    <dmf:argument name='id' datafield='r_object_id' />  
                    <dmf:argument name='type' datafield='r_object_type' />  
                    <dmf:argument name='isFolder' datafield='isfolder' />  
                    <dmf:argument name="isVirtualDoc" datafield='r_is_virtual_doc' />  
                    <dmf:argument name='assembledFromId' datafield='r_assembled_from_id' />  
                    <dmf:argument name="linkCount" datafield='r_link_cnt' />  
                    <% String url=form.getVideoUrl(dataProvider.getDataField("r_object_id")); %>  
                    <dmf:argument name="url" value="<%=url %>" />  
             </dmf:link>

This works, but is not really streaming, as it first downloads the video, and then plays it. But (I never though I would say this) ACS comes to rescue!

ACS links allow content streaming, so instead of getting the virtual url link to the video, we’ll get the ACS url:

    try{  
        IDfClientX clientx = new DfClientX();  
        IDfDocument video=(IDfDocument)getDfSession().getObject(new DfId(objectId));  
      
        IDfAcsTransferPreferences atp = clientx.getAcsTransferPreferences();  
        atp.preferAcsTransfer(true);  
      
        IDfExportOperation exportOp = clientx.getExportOperation();  
        exportOp.setAcsTransferPreferences(atp);  
        IDfExportNode exportNode = (IDfExportNode) exportOp.add(video);  
        boolean result = exportOp.execute();  
      
        if (result) {  
            IDfList nodes = exportOp.getNodes();  
            for (int i = 0, size = nodes.getCount(); i < size; i++) {  
                IDfExportNode node = (IDfExportNode) nodes.get(i);  
                IDfEnumeration acsRequests = node.getAcsRequests();  
                while (acsRequests.hasMoreElements()) {  
                    IDfAcsRequest acsRequest = (IDfAcsRequest) acsRequests.nextElement();  
                    String docURL = acsRequest.makeURL();  
                    return docURL;                    
                }  
            }  
        }    
    }catch(DfException e){  
        e.printStackTrace();  
    }

And the result:

videoplayer.png

Note: Fullscreen is disabled due to frameset architechture that Webtop uses makes html5 full screen work like: Put browser in full screen mode, play video in full frame (instead of full screen).

url-addressable-components & virtuallinkconnect

Alvaro de AndresLeave a comment

In recent Webtop versions EMC introduced a new secutiry feature that forbid components to be invoked through an URL:

The following configuration has been added to enable or disable components that are invoked through a URL.

<url-addressable-components>

<enabled>false</enabled>

</url-addressable-components>

Set <enabled> to true to invoke all the components through the URL.

Specific components can also be configuredforURLaddressability. This can be done by adding the <url-addressable-enabled/> tag in the corresponding component configuration file.

For example, add the following configuration file, <Web-app-root>\wdk\config\errormessage_component.xml, where <url-addressable-enabled/> enables URL addressability.

Note: EMC recommends that administrators add <url-addressable-enabled/> in the specific URL addressable-component instead of choosing to set <enabled> to true.

So when I’m getting a “401: The URL is unauthorized in WDK” when trying to use a virtual link I check app.xml:

<url-addressable-components>
<enabled>false</enabled>
</url-addressable-components>

Ok, default configuration is set, so components without <url-addressable-enabled/> cannot be invoked through an URL. Let’s check virtuallinkconnect component default configuration:

<!–XSRF component whitelisting change–>
<url-addressable-enabled/>

Ok, so if the component is whitelisted by default, why it is being blocked? Well, what does any component do when you invoke it through an URL? Yes, it redirects to the login component, which ,of course, it’s not whitelisted by default.

So by adding <url-addressable-enabled/> to the login definition, the virtuallinkconnect component will work with the component blocking enabled.

What happens when you don’t configure OOTB Jobs (DCTM/xCP)

Alvaro de AndresLeave a comment

Environment: DCTM 7.2 + PE 2.2, 2 months running an empty test repository:

  • …/dba/logs/…/agentexec: +150k files
  • …/dba/logs/…/dmadmin: +150k files
  • /Temp/Jobs/…/: +60k objects in several folders (dm_document objects)
  • /System/Sysadmin/Reports/…: +60k versions of some objects (dm_document objects)
  • dm_audittrail: +1.5 million objects
  • Database File Size: ~ 5GB

Be specially careful with the methods that by default run every minute:

  • bpm_XCPAutoTaskMgmt
  • Iniatilizae_WQ

And those that run every hour:

  • QmPriorityAging
  • QmThresholdNotification
  • WfmsTimer
  • WFSuspendTimer

If you’re not using those features you should really disable them. Or run logpurge+audittrail+dmclean as often as possible.

End of Life Announcement for Documentum WebPublisher

Alvaro de AndresLeave a comment

From EMC newsletter:

Users of the Documentum WebPublisher product line are advised that End of Life has been initiated for this product.

EMC has partnered with Hippo to offer best of breed WCM that integrates and synchronizes content with Documentum. Hippo CMS, which is EMC Select Partner offering, offers modern, next-generation Web Experience Management capabilities.

Important dates related to the Documentum WebPublisher v 6.5 SP 6 and v 6.5 SP 7 are:

  • End of Primary Support is October 31, 2015
  • End of Extended Support / End of Service Life is April 30, 2018

Best Practices – Review before releasing

Alvaro de Andres1 Comment

I’ve already said before (Certificate-based SSL Documentum 7.1 with xCP 2.1) that EMC (any company for this matter) should be more careful when releasing products with the comments left in files and/or the scripts done for Windows environments that doesn’t work on *nix even if they are supposed to. This doesn’t break anything, but it really does look bad. Well, here we go again:

If you’re using Webtop 6.8 (by the way, this is still not fixed: sortablelistbox bug) you’d probably noticed the ESAPI messages thrown in your application server log when webtop is deployed OOTB or following the deployment guide:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Not found in ‘org.owasp.esapi.resources’ directory or file not readable: C:\blablablablablablabla\Tomcat v7.0 Server at localhost-config\ESAPI.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\ESAPI.properties
Not found in ‘user.home’ (C:\Users\blablablablablablabla) directory: C:\Users\blablablablablablabla\esapi\ESAPI.properties
Loading ESAPI.properties via file I/O failed. Exception was: java.io.FileNotFoundException
Attempting to load ESAPI.properties via the classpath.
SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from ‘/ (root)’ using current thread context class loader!
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in ‘org.owasp.esapi.resources’ directory or file not readable: C:\blablablablablablabla\Tomcat v7.0 Server at localhost-config\validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
Not found in ‘user.home’ (C:\Users\blablablablablablabla) directory: C:\Users\blablablablablablabla\esapi\validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
SUCCESSFULLY LOADED validation.properties via the CLASSPATH from ‘/ (root)’ using current thread context class loader!

So I decided to investigate this to see if it can be removed. Long story sort:

You can add “-Dorg.owasp.esapi.resources=”C:\blablabla\webtop\WEB-INF\classes” to the JVM parameters to reduce the messages thrown to:

Attempting to load ESAPI.properties via file I/O.
Attempting to load ESAPI.properties as resource file via file I/O.
Found in ‘org.owasp.esapi.resources’ directory: C:\blablabla\webtop\WEB-INF\classes\ESAPI.properties
Loaded ‘ESAPI.properties’ properties file
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Found in ‘org.owasp.esapi.resources’ directory: C:\blablabla\webtop\WEB-INF\classes\validation.properties
Loaded ‘validation.properties’ properties file

but you can’t get rid of the messages as those are thrown with System.out.println (ouch)

However, this “investigation” led me to webtop/WEB-INF/classes/ESAPI.properties. This file is the ESAPI configuration file where we can find some funny/sad comments:

# Default file upload location (remember to escape backslashes with \\)
HttpUtilities.UploadDir=C:\\ESAPI\\testUpload
# let this default to java.io.tmpdir for testing
#HttpUtilities.UploadTempDir=C:\\temp

Yes, let’s default this to java.io.tmpdir… in next version maybe…

# ESAPI Executor
# CHECKME – Not sure what this is used for, but surely it should be made OS independent.
Executor.WorkingDirectory=C:\\Windows\\Temp
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe

Umm, not sure what it is used for? Let’s check the original bundled ESAPI.properties:

# ESAPI Executor
# CHECKME – This should be made OS independent. Don’t use unsafe defaults.
# # Examples only — do NOT blindly copy!
# For Windows:
# Executor.WorkingDirectory=C:\\Windows\\Temp
# Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe
# For *nux, MacOS:
# Executor.WorkingDirectory=/tmp
# Executor.ApprovedExecutables=/bin/bash
Executor.WorkingDirectory=
Executor.ApprovedExecutables=

Well, we still don’t know what this is used for but remember, do NOT blindly copy!

Chrome dropping NPAPI (Java) support and UCF

Alvaro de AndresLeave a comment

Since Chrome 42 was released, NPAPI plugins are disabled by default and the support for these plugins will be completely removed in Chrome 45 (expected to be released in September). This means no more UCF in Chrome. So, what will EMC do?

Considering that in the latest Webtop release (6.8) only 3 browsers are supported (IE 10/11, Firefox 24.6 and Safari 6.1.4/7.0.4) most likely nothing. Besides, this move from Google can “help” EMC to keep pushing D2/xCP to customers and reinforce the “Webtop won’t be developed anymore” message. But, what does this move means for current users?

I think sooner or later Java will be removed from every browser. Spartan/Edge won’t even support Microsoft’s own ActiveX, and considering I don’t see Oracle developing a new plugin based on PPAPI (which by the way is not a standard protocol and it’s only supported by Chrome and Opera), so it wouldn’t surprise me to see Mozilla announcing they’re dropping support for NPAPI in future releases.

This means that by the end of this year, there will be most likely 6 browsers (Chrome, IE, Spartan/Edge, Firefox, Opera, Safari) and EMC will provide support only for 3 of them (2 being “obsolete”, IE and Firefox 24.x). And even though we know that (until now) even without being officialy supported webtop (mostly) works with any browser, this won’t be the case much longer (as long as you need to transfer content).

In the end, we’ll have to deal with angry users that like Chrome because it’s cool and because they don’t want to use the corporative IE6/7/8 (not supported also) or the company-branded browser they’ve come to hate through the years.

Until know, my “usual” hack for matching IE/Firefox performance with Chrome’s was mainly disabling the ucfinvoker in the main component and any plugin not used in app.xml. This makes webtop to load the ucf libraries only when needed instead of doing it every time the user login so it seems that the main component loads faster (yes, I’m cheating :D). And I’m also considering disabling UCF transfer for view action and leaving UCF enabled only for edition, so read-only users won’t be disturbed with error messages/warnings when using Webtop.

However, there’s still the problem of dealing with the users that cannot use their preferred browser to do their job and convincing them that is not Documentum’s fault…

Edit: Even better solution (removing UCF in chrome)

Extend the evaluator class defined in the action (LaunchViewEvaluator, LaunchEditEvaluator, ContentTransferLaunchComponentEvaluator, etc.) with:

    public class ContentTransferLaunchComponentEvaluator extends com.documentum.web.contentxfer.ContentTransferLaunchComponentEvaluator {
        public String evaluate(String strName, String strAction, IConfigElement config, ArgumentList arg, Context context, Component component){
            HttpServletRequest request = (HttpServletRequest)component.getPageContext().getRequest();
            String userAgent = request.getHeader("User-Agent");  

            if (userAgent!=null && userAgent.length()>0 && userAgent.indexOf("Chrome")>=0) {
                    return "http";
            }
            return super.evaluate(strName, strAction, config, arg, context, component);
        }
    }

Edit v2: The best solution:

1. Check PanfilovAB post about Component Qualifiers and check the request listener class: Component qualifier

2. Create the following class:

    public class CustomContentTransferConfig extends com.documentum.web.contentxfer.ContentTransferConfig {
        @Override
        public String getContentTransferMechanism(){
            String userAgent=ComponentRequestListener.getBrowserUserAgent();  

            if (userAgent!=null && userAgent.length()>0 && userAgent.indexOf("Chrome")>=0) {
                return "http";
            }
            return super.getContentTransferMechanism();
        }
    }

3. Modify webtop\WEB-INF\classes\com\documentum\web\contentxfer\ContentTransferConfig.properties with:

configReaderClass=CustomContentTransferConfig

Done!

Customizing/Extending REST services (II)

Alvaro de AndresLeave a comment

This is an improved version of the “hack” posted in the previous post (Customizing/Extending REST services)

  • Decompile com.emc.documentum.rest.controller.QueryController
  • Look for method executeQuery and modify the following line as you wish:

Preconditions.checkArgument(DQLChecker.isSafeQuery(dql), MessageBundle.INSTANCE.get(“E_UNSAFE_QUERY_DQL”, new Object[] { dql }));

You can use something like:

Preconditions.checkArgument(true, MessageBundle.INSTANCE.get(“E_UNSAFE_QUERY_DQL”, new Object[] { dql }));

if you want everyone to be able to run write queries or you can allow these queries to be executed only by some user(s) with something like:

if (RepositoryContextHolder.getLoginName().equalsIgnoreCase(“dmadmin”)){
//skip DQLChecker check for select statements
}

  • Finally place the new class in dctm-rest/WEB-INF/classes/com/emc/documentum/rest/controller.

Migrating from Documentum 6.6 to 7.2

Alvaro de AndresLeave a comment

I’m currently finishing a migration from documentum 6.6 to 7.2, Webtop 6.8 and xCP 1.6 (mixed mode installation as ECD calls it), these are some of my thoughts/tips/warnings on the migration process

  • There’s this legend about my ability to come across bugs in every product/project I’m involved. I’m glad to say that this migration hasn’t been an exception, thanks JBOSS.
  • I wonder if EMC will ever sort the downloads/subscribenet out. They keep trying to hide the new stuff but (luckily) we keep find it. With every Documentum release we get a new way to sort the stack. I think it’s currently easier to find non supported versions (cs 5.3) than some products from recent versions…
  • I hate w2k8 action centre and I always forget to edit files with a program ran as administrator, so I’m always getting the “the file cannot be saved” message. Running some preoducts without administrator privileges shows some funny error messages, such as Process Builder 6.7 SP2 failing because “Process Builder 6.6 can’t work with versions newer than 6.5”
  • I hate w2k8 and ipv6. The ACS log will go crazy complaining about ipv6 related errors unless you completely disable ipv6 in windows registry.
  • Do we really need a JBOSS in order to run ServerApps and acs? If we’ve already ditched DFS from the JMS (see my previous post about DFS 7.2) and considering that besides those who are in a distributed environment, everyone I know first thing they do right after finishing the installation is to disable the acs/bocs stuff to avoid content transfer problems, why can’t we go back to Tomcat? Soon JMS will have higher requierments than CS
  • I hate having to “patch” dmldap.jar with every new version or patch. Please EMC add more LDAP support (ie: openLDAP) OOTB (I’m sure most of the community can provide you the code :D)
  • Presets still don’t work if you name them with blanks (ie: “preset one”) with no warning/error whatsoever. My bad for not remembering how long it took us to realise this the first time we used them.
  • Why doesn’t EMC attach a list of modified WDK components (options added to configuration files, modified jsps) since the last release to the release notes? Instead we have to check component by component what/if something has changed
  • Webtop 6.8 feels slower to me. Not measured (yet), just have the feeling that I spend more time watching a white browser tab while something loads. It could be due to the new development environment not having enough resources to run smoothly though. We’ll see what happens when we move to the production servers.
  • Most stuff from the 7.2 stack works just fine with Java 8, except (that I now of) JMS (not big problem as it uses internal jre7) and Rest Services (There’s some problem with a spring library not working at all with Java 8)
  • Everytime I use a dump, I forgot something that it gets moved to the new Repo when it shouldn’t. I have to check more carefully the dump conditions
  • Installing Documentum 7.2 with xCP 1.x mixed mode is an adventure due to the lack of information (What you can find in 7.2 release notes/requirements/supported versions is about 7.1/xCP2.1). I’ve just installed PE from xCP 2.2 and pb/fb from 6.7SP2 and it seems to be working. For now.

DCTM 7.2/CTS 7.2 Unhandled DM_INFINITE_LOOP_EXCEPTION

Alvaro de Andres1 Comment

Q/A with boss:

Q: I need to know if customer X can install CTS 7.2 with their purchased licenses or if I should install CTS 6.7SP2

A: I’ll ask EMC sales rep.

(Later) They told me you should open a SR as CTS has changed in 7.2 and they’re not sure

Q: Opening a SR for this? Ok…

Q/A with EMC Support:

Q: I need to know if customer X, that has purchased the following licenses can install CTS 7.2 or should stick to 6.7SP2

A: CTS doesn’t use Adlib anymore, if that is the licenses you’re referring to. For more info you can contact EMC licensing.

 

Q/A with EMC licensing:

Q: I need to know if customer X, that has purchased the following licenses can install CTS 7.2 or should stick to 6.7SP2

A: You should contact your sales rep about this matter

I’m going to save these emails for the next support survey…