How to mitigate Log4J Vulnerabilities in TIBCO Fulfillment Provisioning sample ex30

Article ID: KB0072168

Products: TIBCO Fulfillment Provisioning
Versions: 3.9.0

Description

Currently, the TIBCO Fulfillment Provisioning (FP) sample ex30, located in SW_HOME/distrib/kabira/kpsasample/samples/ex30, shows how to integrate TIBCO FP with TIBCO Fulfillment Order Management.
This sample also includes an OSS/J web service that depends on log4j 1.2.17.

The aim of this article is to provide all the steps to upgrade this log4j dependency to log4j 2.17.1. 

ex30 is an FP example including:
  * FOM Client Adapter
  * OSS/J JMS-Profile Client Adapter (EMS)
  * OSS/J WS-Profile Client Adapter
  * FPOMS
  
***********
Environment
***********
In order to deploy the OSS/J OrderManagement WS-Profile, the user must export the following variables:
    SAMPLE_JAVA_HOME: a directory where to find JAVA >= 1.6 (uses $JAVA_HOME/bin/java)
    MAVEN_HOME: a directory where to find Maven (uses $MAVEN_HOME/bin/mvn)
    EMS_HOME: a directory where to find TIBCO EMS (uses $EMS_HOME/lib/tibjms*.jar)
    GNU_TAR: a path to the GNU tar command (used to extract Jetty and Symphony)
    USER_WGET: a path to the wget command

Environment

Linux x86_64

Resolution

The instructions below explain how to upgrade the log4j dependency.

Step 1)
Because of the Maven HTTPS restriction, the MAVEN_HOME variable must point to Maven version 3.6.3 or later.

Step 2)
The dependency on log4j 1.2.17 is declared in pom_dl_deps.xml. This file is delivered with the ossjomws client adapter; you will find it in SW_HOME/distrib/kabira/kpsa/samples/ca/ossjomws.
pom_dl_deps.xml is a Maven POM file used to download the WAR dependencies from the public Maven repository.

Here are the steps to be done.
The three dependencies "slf4j-api", "slf4j-log4j12" and "log4j" need to be replaced by "log4j-slf4j-impl" and "log4j-core". We also recommend adding the javax.jms-api dependency.

Remove from pom_dl_deps.xml:
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>${slf4j-version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-log4j12</artifactId>
      <version>${slf4j-version}</version>
    </dependency>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>

Add in pom_dl_deps.xml:
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-slf4j-impl</artifactId>
      <version>2.17.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.1</version>
    </dependency>
    <dependency>
      <groupId>javax.jms</groupId>
      <artifactId>javax.jms-api</artifactId>
      <version>2.0</version>
    </dependency>

Once modified, pom_dl_deps.xml should look like the one in the attachment.
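As an added verification check (not part of this article or of the sample's shipped files), the following Python script parses a POM such as pom_dl_deps.xml and reports any of the three removed artifacts still present, any missing Log4j 2 artifact, and any log4j-core or log4j-slf4j-impl below 2.17.1. The embedded SAMPLE_BEFORE POM and its slf4j-version value are constructed stand-ins, not the file from the distribution.

```python
"""Audit a pom_dl_deps.xml-style POM: flag Log4j 1.x artifacts, check Log4j 2 >= 2.17.1."""
import xml.etree.ElementTree as ET

# The three artifacts the article removes and the two it adds (minimum version 2.17.1).
REMOVED = {("org.slf4j", "slf4j-api"), ("org.slf4j", "slf4j-log4j12"), ("log4j", "log4j")}
REQUIRED = {("org.apache.logging.log4j", "log4j-slf4j-impl"),
            ("org.apache.logging.log4j", "log4j-core")}
MIN_LOG4J2 = (2, 17, 1)

def _local(tag):            # strip the POM namespace, if the file declares one
    return tag.rsplit("}", 1)[-1]

def parse_version(text):    # "2.17.1" -> (2, 17, 1); non-numeric suffixes are ignored
    nums = ["".join(ch for ch in p if ch.isdigit()) for p in text.split(".")]
    return tuple(int(n) if n else 0 for n in nums)

def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root if _local(el.tag) == "properties" for p in el}
    for dep in root.iter():
        if _local(dep.tag) == "dependency":
            f = {_local(c.tag): (c.text or "").strip() for c in dep}
            v = f.get("version", "")
            if v.startswith("${") and v.endswith("}"):
                v = props.get(v[2:-1], v)
            yield f.get("groupId"), f.get("artifactId"), v

def audit_pom(pom_xml):
    """Return a list of findings; an empty list means the upgrade is complete."""
    findings, seen = [], set()
    for group, artifact, version in dependencies(pom_xml):
        seen.add((group, artifact))
        if (group, artifact) in REMOVED:
            findings.append(f"remove {group}:{artifact}:{version}")
        elif (group, artifact) in REQUIRED and parse_version(version) < MIN_LOG4J2:
            findings.append(f"{group}:{artifact}:{version} is below 2.17.1")
    findings += [f"missing {g}:{a}" for g, a in sorted(REQUIRED - seen)]
    return findings

# Constructed stand-in for the pre-upgrade pom_dl_deps.xml (not the shipped file).
SAMPLE_BEFORE = """<project><properties><slf4j-version>1.7.5</slf4j-version></properties>
<dependencies>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId><version>${slf4j-version}</version></dependency>
<dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    for line in audit_pom(SAMPLE_BEFORE) or ["clean"]:
        print(line)
```

Run it against the real pom_dl_deps.xml with `audit_pom(open(path).read())`; a clean result confirms that none of the old artifacts remain and both Log4j 2 artifacts are at 2.17.1 or later.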

Issue/Introduction

This article describes the resolution and mitigation steps for upgrading Apache Log4j 1.2.x to Log4j 2.17.x in TIBCO Fulfillment Provisioning sample ex30.

Attachments

How to mitigate Log4J Vulnerabilities in TIBCO Fulfillment Provisioning sample ex30