IBM Support

IT06016: A NON-ROOT USER ON A TSM CLIENT MACHINE CAN RETRIEVE THE STORED ENCRYPTION KEY PASSWORD.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • By default, any non-root user on the TSM client machine can
    retrieve the stored encryption key password used to encrypt the
    node's data during backup and archive.  If a user also has
    access to the TSM server storage media, they could view
    encrypted files backed up by the client.
    

Local fix

  • It is important to separate the duties between client users and
    server administrators in case of mutual distrust.  Server
    administrators should not have user level access to the client
    systems.
    
    Restrict access to the stored password by removing or
    restricting access to the client Trusted Communications Agent
    (TCA) as described in the Tivoli Storage Manager Client User
    Guide section "Restricting Tivoli Storage Manager access to a
    user group".  This method has the administrator change the
    permissions on the Trusted Communications Agent (TCA) to
    restrict its access to a user group.  The administrator would
    then set up a group with a list of users that are allowed to use
    TSM and restrict access to the TCA module using that gorup.
    NOTE: After performing this procedure, users who are not
    included in the user group cannot use the client to perform
    backup or achive operations.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Tivoli Storage Manager backup-archive clients running on all *
    * Linux/Unix platforms and using client side encryption.  The  *
    * following client versions are affected:                      *
    * - 7.1 clients below 7.1.2                                    *
    * - 6.4 clients below 6.4.3                                    *
    * - all clients 6.3 and below                                  *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See ERROR DESCRIPTION                                        *
    * For additional details, refer to the security bulletin       *
    * published here:                                              *
    * http://www.ibm.com/support/docview.wss?uid=swg21697022       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply fixing level when available. This problem is currently *
    * projected to be fixed in Tivoli Storage Manager Client       *
    * levels 6.4.3 and 7.1.2.  Note that this is subject to change *
    * at the discretion of IBM.                                    *
    ****************************************************************
    *
    

Problem conclusion

  • The new default behavior for all non-authorized users will be to
    block access to the stored encryption key password. The client
    administrator will have to perform steps to enable encryption
    for trusted users. These steps will be documented:
    - for 7.1.2, in the new section "Enabling encryption for trusted
    users" of the client user guide
    - for 6.4.3, in the following technote -
    http://www.ibm.com/support/docview.wss?uid=swg27035885
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT06016

  • Reported component name

    TSM CLIENT

  • Reported component ID

    5698ISMCL

  • Reported release

    63L

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-12-12

  • Closed date

    2015-02-18

  • Last modified date

    2016-08-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • DSMTCA
    

Fix information

  • Fixed component name

    TSM CLIENT

  • Fixed component ID

    5698ISMCL

Applicable component levels

  • R64A PSY

       UP

  • R64H PSY

       UP

  • R64L PSY

       UP

  • R64M PSY

       UP

  • R64S PSY

       UP

  • R71A PSY

       UP

  • R71H PSY

       UP

  • R71L PSY

       UP

  • R71M PSY

       UP

  • R71S PSY

       UP



Document information

More support for: Tivoli Storage Manager

Software version: 63L

Reference #: IT06016

Modified date: 26 August 2016