A fix is available
APAR status
Closed as program error.
Error description
By default, any non-root user on the TSM client machine can retrieve the stored encryption key password used to encrypt the node's data during backup and archive. If a user also has access to the TSM server storage media, they could view encrypted files backed up by the client.
Local fix
It is important to separate the duties between client users and server administrators in case of mutual distrust. Server administrators should not have user-level access to the client systems. Restrict access to the stored password by removing or restricting access to the client Trusted Communications Agent (TCA) as described in the Tivoli Storage Manager Client User Guide section "Restricting Tivoli Storage Manager access to a user group". In this method the administrator changes the permissions on the Trusted Communications Agent (TCA) to restrict its use to a user group: the administrator sets up a group containing the users that are allowed to use TSM and restricts access to the TCA module to that group. NOTE: After performing this procedure, users who are not included in the user group cannot use the client to perform backup or archive operations.
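The following script is an added example of the group-restriction mitigation described above; it is not IBM's script and not taken from the client user guide. The TCA path (/usr/bin/dsmtca), the group name (tsmusers) and the target mode 4750 (setuid root retained, group read/execute, nothing for other users) are assumptions for illustration; use the location and mode from your installation and the guide. The check function lets an administrator verify that the "other" permission bits are clear after the change.

```shell
#!/bin/sh
# Added example: restrict the TSM client Trusted Communications Agent (TCA)
# to one user group, as in the "Local fix" above. Not IBM's own script.
# Assumptions (adjust for your client):
TCA_PATH="${TCA_PATH:-/usr/bin/dsmtca}"   # assumed install location of the TCA
TCA_GROUP="${TCA_GROUP:-tsmusers}"         # assumed group of users allowed to use TSM

# restrict_tca FILE GROUP
#   Hand FILE to GROUP and set mode 4750: the setuid-root bit the TCA needs is
#   kept, group members may execute it, and "other" loses every bit, so a
#   user outside GROUP can no longer drive the TCA to read the stored password.
#   Must run as root on a real client.
restrict_tca() {
    file=$1
    group=$2
    chgrp "$group" "$file" && chmod 4750 "$file"
}

# tca_mode FILE
#   Print the octal mode of FILE, including the setuid digit (GNU stat, Linux).
tca_mode() {
    stat -c '%a' "$1"
}

# tca_restricted FILE
#   Succeed (exit 0) only if "other" has no read, write or execute bit on FILE,
#   i.e. the last octal digit of the mode is 0. Any other value means users
#   outside the owning group can still run the TCA.
tca_restricted() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Stand-alone run: only act when we are root, the TCA exists and the group
# exists; otherwise just report the current state (safe on any machine).
if [ "$(id -u)" -eq 0 ] && [ -e "$TCA_PATH" ] && getent group "$TCA_GROUP" >/dev/null 2>&1; then
    restrict_tca "$TCA_PATH" "$TCA_GROUP"
fi
if [ -e "$TCA_PATH" ]; then
    if tca_restricted "$TCA_PATH"; then
        echo "$TCA_PATH mode $(tca_mode "$TCA_PATH"): restricted to owner and group"
    else
        echo "$TCA_PATH mode $(tca_mode "$TCA_PATH"): still executable by all users"
    fi
fi
```

Add each user who needs backup or archive access to the group (for example with usermod) before running this, because, as the note above says, everyone outside the group loses the ability to use the client. On clients at 6.4.3 or 7.1.2 and later the default already blocks non-authorized users, so this script is only needed on the affected levels.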
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* Tivoli Storage Manager backup-archive clients running on all *
* Linux/Unix platforms and using client side encryption. The   *
* following client versions are affected:                      *
* - 7.1 clients below 7.1.2                                    *
* - 6.4 clients below 6.4.3                                    *
* - all clients 6.3 and below                                  *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See ERROR DESCRIPTION                                        *
* For additional details, refer to the security bulletin       *
* published here:                                              *
* http://www.ibm.com/support/docview.wss?uid=swg21697022       *
****************************************************************
* RECOMMENDATION:                                              *
* Apply fixing level when available. This problem is currently *
* projected to be fixed in Tivoli Storage Manager Client       *
* levels 6.4.3 and 7.1.2. Note that this is subject to change  *
* at the discretion of IBM.                                    *
****************************************************************
Problem conclusion
The new default behavior for all non-authorized users will be to block access to the stored encryption key password. The client administrator will have to perform steps to enable encryption for trusted users. These steps will be documented:
- for 7.1.2, in the new section "Enabling encryption for trusted users" of the client user guide
- for 6.4.3, in the following technote: http://www.ibm.com/support/docview.wss?uid=swg27035885
Temporary fix
Comments
APAR Information
APAR number
IT06016
Reported component name
TSM CLIENT
Reported component ID
5698ISMCL
Reported release
63L
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2014-12-12
Closed date
2015-02-18
Last modified date
2016-08-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
DSMTCA
Fix information
Fixed component name
TSM CLIENT
Fixed component ID
5698ISMCL
Applicable component levels
R64A PSY
UP
R64H PSY
UP
R64L PSY
UP
R64M PSY
UP
R64S PSY
UP
R71A PSY
UP
R71H PSY
UP
R71L PSY
UP
R71M PSY
UP
R71S PSY
UP
Document Information
Modified date:
07 January 2022