IV30580: V731:MULTITIER:ALERTS.LOGIN_FAILURES IS NOT REPLICATED AND CAN CAUSE OBJECT SERVER LOCKOUT

APAR status

  • Closed as documentation error.

Error description

  • The disable_inactive_users trigger can cause object server lock
    out in a multitier object server configuration.
    
    
    alerts.login_failures stores when users last logged into the
    local object server, as well as the login failures.
    
    By default disable_inactive_users is inactive and is part of the
    security_watch trigger group.
    
    If users have logged into the backup object server at some
    point and have not logged in again for the period given in the
    disable_inactive_users trigger, the trigger will deactivate the
    user[s].
    
    The risk is that all users may have failed over to the backup
    object server, with the trigger disable_inactive_users made
    active in the backup object server.
    
    Now with the disable_inactive_users trigger active in the backup
    object server; users that were logged into the backup may become
    deactivated there, with this deactivation being propagated via
    the bi-directional gateway to the primary object server and up
    to the display object servers, causing the account to become
    completely locked.
    
    
    Possible multitier solution:
    
    Event list:
    Ensure that login failures are logged at the aggregation layer
    when the desktop is in dual write.
    
    
    Display layer:
    Disable the triggers disable_user and reset_user.
    
    A2D and AGG Gateways:
    Add replication of the table to the display and aggregation
    gateways.
    
    
    DEF FILE:
    
    # Security Watch
    REPLICATE ALL FROM TABLE 'alerts.login_failures'
           USING MAP 'AlertsLoginFailuresMap'
           INTO 'alerts.login_failures';
    
    MAP FILE:
    # Security Watch
    CREATE MAPPING AlertsLoginFailuresMap
    (
           'UserName'            =       '@UserName'           ON INSERT ONLY,
           'LastFailure'         =       '@LastFailure',
           'LastGood'            =       '@LastGood',
           'FailureCount'        =       '@FailureCount'
    );
    

Local fix

  • The recommended fix is to disable the
    disable_inactive_users trigger on the backup object server in
    a dual-resilient or multitier configuration.
    
    For a full fix, move the trigger
    disable_inactive_users to the primary_only trigger group so that
    it will be managed correctly.
    

Problem summary

  • USERS AFFECTED:
    All users of Tivoli Netcool/OMNIbus.
    
    PROBLEM DESCRIPTION:
    In a multitier ObjectServer configuration, the
    disable_inactive_users trigger can cause the ObjectServers
    to be locked out.
    
    RECOMMENDATION:
    The updated documentation will be published to the following
    URL, and in the Tivoli Netcool/OMNIbus Installation and
    Deployment Guide:
    http://publib.boulder.ibm.com/infocenter/tivihelp/v8r1/topic/com.ibm.netcool_OMNIbus.doc_7.3.1/omnibus/wip/install/reference/omn_esf_usertriggers.html
    
    Publication is planned for Q4, 2012.
    

Problem conclusion

  • The following new topic has been added to the documentation:
    
    User triggers in multitiered environments
    -----------------------------------------------
    In a multitier ObjectServer configuration, the
    disable_inactive_users trigger can cause the ObjectServers to be
    locked out.
    
    The alerts.login_failures table stores details of when users
    last logged into the local object server, as well as login
    failures. By default, the disable_inactive_users trigger is
    inactive and is part of the security_watch trigger group.
    
    When the disable_inactive_users trigger is active, and a user
    logs into the backup ObjectServer and does not log in again for
    the period mandated by the trigger, the user is deactivated.
    
    In a situation where users have failed over to the backup
    ObjectServer, then failed back to the primary ObjectServer,
    users can become deactivated if the disable_inactive_users
    trigger is active in the backup ObjectServer. The deactivation
    can then be propagated in the system, through the bidirectional
    ObjectServer, to the primary ObjectServer and on to the display
    ObjectServers.
    
    The default disable_inactive_users trigger can affect all users,
    preventing any user from being able to log in to the system.
    
    If the disable_inactive_users trigger is required in a multitier
    environment, it is recommended that you move the trigger to the
    primary_only trigger group in the aggregation layer.
    
    To prevent all users from being disabled, in any situation,
    modify the disable_inactive_users trigger to exclude
    administrator users.
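
The failure mode and the effect of the mitigations described above, modelled as an added Python example (not IBM code and not ObjectServer SQL). The 30-day inactivity period, the user names, the timestamps and the rule that replication keeps the most recent LastGood per user are assumptions made for illustration; the column names are those of alerts.login_failures as listed in the map file.

```python
# Added illustration, not IBM code. Rows mimic the alerts.login_failures
# columns named on this page; every value below is constructed.
DAY = 86400
NOW = 1_350_000_000          # constructed reference time (Unix epoch seconds)
INACTIVE_DAYS = 30           # assumed period; the page does not state one


def row(user, days_since_good):
    """Build one constructed alerts.login_failures row."""
    return {"UserName": user, "LastGood": NOW - days_since_good * DAY,
            "LastFailure": 0, "FailureCount": 0}


# Users work on the primary every day; the backup only saw them during a
# failover two months ago, and its table is not replicated.
PRIMARY = [row("root", 1), row("alice", 2), row("bob", 3), row("carol", 90)]
BACKUP = [row("root", 60), row("alice", 60), row("bob", 61), row("carol", 95)]


def stale_users(rows, now=NOW, inactive_days=INACTIVE_DAYS, exempt=()):
    """Users an inactivity check would deactivate using one server's table."""
    cutoff = now - inactive_days * DAY
    return sorted(r["UserName"] for r in rows
                  if r["LastGood"] < cutoff and r["UserName"] not in exempt)


def wrongly_disabled(primary, backup, exempt=()):
    """Active on the primary, yet stale in the backup's local table."""
    return sorted(set(stale_users(backup, exempt=exempt))
                  - set(stale_users(primary, exempt=exempt)))


def replicate(primary, backup):
    """Assumed replication model: keep the most recent LastGood per user."""
    merged = {}
    for r in primary + backup:
        cur = merged.get(r["UserName"])
        if cur is None or r["LastGood"] > cur["LastGood"]:
            merged[r["UserName"]] = dict(r)
    return list(merged.values())


if __name__ == "__main__":
    print("backup trigger, no replication:", stale_users(BACKUP))
    print("of those, active on primary:   ", wrongly_disabled(PRIMARY, BACKUP))
    print("with administrators excluded:  ", stale_users(BACKUP, exempt=("root",)))
    print("after replicating the table:   ", stale_users(replicate(PRIMARY, BACKUP)))
```

With the backup's table left unreplicated, every account including the administrator is selected; once the table is replicated, only the user who is inactive on both servers remains.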
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV30580

  • Reported component name

    NETCOOL/OMNIBUS

  • Reported component ID

    5724O4800

  • Reported release

    731

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-10-19

  • Closed date

    2012-11-07

  • Last modified date

    2012-11-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


