APAR status
Closed as documentation error.
Error description
The disable_inactive_users trigger can cause an ObjectServer lock-out in a multitier ObjectServer configuration. The alerts.login_failures table stores when users last logged into the local ObjectServer, as well as their login failures. By default, disable_inactive_users is inactive and is part of the security_watch trigger group. If users have logged into the backup ObjectServer at some point and have not logged in again for the period given in the disable_inactive_users trigger, the trigger will deactivate those users. The risk is that all users may have failed over to the backup ObjectServer at some point, with the disable_inactive_users trigger active in the backup ObjectServer. With the trigger active there, users that were logged into the backup may become deactivated there, and this deactivation is propagated via the bi-directional gateway to the primary ObjectServer and up to the display ObjectServers, causing the account to become completely locked.

Possible multitier solution:

Event list: Ensure that login failures are logged at the aggregation layer when the desktop is in dual write.

Display layer: disable the triggers disable_user and reset_user.

A2D and AGG Gateways: Add replication of the table for the display and aggregation gateways.

DEF FILE:

    # Security Watch
    REPLICATE ALL FROM TABLE 'alerts.login_failures'
        USING MAP 'AlertsLoginFailuresMap'
        INTO 'alerts.login_failures';

MAP FILE:

    # Security Watch
    CREATE MAPPING AlertsLoginFailuresMap
    (
        'UserName'     = '@UserName' ON INSERT ONLY,
        'LastFailure'  = '@LastFailure',
        'LastGood'     = '@LastGood',
        'FailureCount' = '@FailureCount'
    );
Local fix
The recommended fix is to disable the disable_inactive_users trigger on the backup ObjectServer in a dual-resilient or multitier configuration. For a full fix, move the disable_inactive_users trigger to the primary_only trigger group so that it is managed correctly across failover.
Problem summary
USERS AFFECTED:
All users of Tivoli Netcool/OMNIbus.

PROBLEM DESCRIPTION:
In a multitier ObjectServer configuration, the disable_inactive_users trigger can cause the ObjectServers to be locked out.

RECOMMENDATION:
The updated documentation will be published to the following URL, and in the Tivoli Netcool/OMNIbus Installation and Deployment Guide:
http://publib.boulder.ibm.com/infocenter/tivihelp/v8r1/topic/com.ibm.netcool_OMNIbus.doc_7.3.1/omnibus/wip/install/reference/omn_esf_usertriggers.html

Publication is planned for Q4, 2012.
Problem conclusion
The following new topic has been added to the documentation:

User triggers in multitiered environments
-----------------------------------------------

In a multitier ObjectServer configuration, the disable_inactive_users trigger can cause the ObjectServers to be locked out. The alerts.login_failures table stores details of when users last logged into the local ObjectServer, as well as login failures. By default, the disable_inactive_users trigger is inactive and is part of the security_watch trigger group.

When the disable_inactive_users trigger is active, and a user logs into the backup ObjectServer and does not log in again for the period mandated by the trigger, the user is deactivated. In a situation where users have failed over to the backup ObjectServer, then failed back to the primary ObjectServer, users can become deactivated if the disable_inactive_users trigger is active in the backup ObjectServer. The deactivation can then be propagated through the system, via the bidirectional ObjectServer Gateway, to the primary ObjectServer and on to the display ObjectServers. The default disable_inactive_users trigger can affect all users, preventing any user from being able to log in to the system.

If the disable_inactive_users trigger is required in a multitier environment, it is recommended that you move the trigger to the primary_only trigger group in the aggregation layer. To prevent all users from being disabled, in any situation, modify the disable_inactive_users trigger to exclude administrator users.
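The two changes recommended above (moving the trigger to primary_only, and excluding administrators) written out as ObjectServer SQL, as an added example that is not part of the APAR or of the shipped security.sql. The trigger body is an assumed sketch built on the alerts.login_failures columns named in the gateway map above; the 30-day period (2592000 seconds) and the administrator names are assumptions, so compare it with the installed security.sql before applying it.

```sql
-- Added example, not IBM's shipped trigger. Run with nco_sql against the
-- aggregation-layer ObjectServers (primary and backup).

-- Step 1: take the trigger out of security_watch and put it in primary_only,
-- so that it fires only on the ObjectServer currently acting as primary.
alter trigger disable_inactive_users set group primary_only;

-- Step 2: redefine the trigger so that administrator accounts are never
-- disabled, which keeps at least one account able to log in and re-enable
-- users if the inactivity logic misfires. Inactivity window and the
-- administrator names are assumptions.
create or replace trigger disable_inactive_users
group primary_only
priority 1
comment 'Disable users inactive for 30 days; administrators are excluded'
enabled false
every 1 days
begin
    for each row inactive in alerts.login_failures where
        inactive.LastGood    < (getdate() - 2592000)
        and inactive.LastFailure < (getdate() - 2592000)
        and inactive.UserName != 'root'
        and inactive.UserName != 'administrator'
    begin
        alter user inactive.UserName set enabled false;
    end;
end;
```

The trigger is left disabled after creation, matching the shipped default; enable it deliberately on the aggregation layer once the gateway replication of alerts.login_failures is in place.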
APAR Information
APAR number
IV30580
Reported component name
NETCOOL/OMNIBUS
Reported component ID
5724O4800
Reported release
731
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-10-19
Closed date
2012-11-07
Last modified date
2012-11-07
Document Information
Modified date:
23 July 2021