IO07690: CM system administration client has a potential security issue
Closed as program error.
Background

To log in to CM, two user IDs are involved: (1) the DB connection ID, e.g. icmconct, and (2) the actual user ID. For SSO to work, the actual user ID must have the AllowedTrustedLogin privilege and the DB connection ID must be set to "Not Require Password for all users". In this case the LS (Library Server) does not validate the actual user's password; it relies on the client application (e.g. eClient) to validate the user's credentials (e.g. via an LTPA token). However, this user validation logic has not been implemented in the SysAdmin client, nor in other custom client applications that invoke the CM API directly. So, for security reasons, the SysAdmin client should NOT use any DB connection ID that is set to "Not Require Password for all users".

In the customer's system, both eClient and the SysAdmin client are installed on the same machine. They both use the same DB connection ID, icmconct, which has been set to "Not Require Password for all users" for eClient's SSO. So the customer observed that a user with the AllowedTrustedLogin privilege can log in to SysAdmin with a "dummy" password.

The SysAdmin client will force password validation for all users, even those with the AllowedTrustedLogin privilege. An APAR has been opened and the fix should be available in FP8.
Current workaround

Create another DB connection ID and set it to "Require Password for all users". Use that new DB connection ID for the SysAdmin client and for all client applications other than eClient.

The DB connection ID to use is specified in the cmbicmenv.ini file. Normally there is only one cmbicmenv.ini file on each machine, so all client applications running on the same machine use the same DB connection ID. (This is the cause of the behavior observed in the customer's environment.)

One workaround is to install SysAdmin and eClient on two different machines and configure them to use two different DB connection IDs.

Another workaround allows both eClient and SysAdmin to run on the same machine but requires some testing to validate. The client applications (e.g. SysAdmin and eClient) locate the cmbicmenv.ini file by first finding the cmbcmenv.properties file on the Java classpath. In cmbcmenv.properties they read the value of the variable CMCFGDIR, which is the folder that contains cmbicmenv.ini. So the customer can create two sets of cmbicmenv.ini and cmbcmenv.properties files and set up the Java classpaths of eClient and the SysAdmin client correspondingly.
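The following is an added example, not IBM's code: it mirrors the lookup just described (classpath, then cmbcmenv.properties, then CMCFGDIR, then cmbicmenv.ini) for each client application and reports which applications other than eClient would load the same cmbicmenv.ini as eClient, i.e. still share eClient's SSO connection ID after the split. The directory layout in demo() is constructed, the properties reader is a simplified one (no escapes or line continuations, directory classpath entries only), and because the page does not give the ini format, file identity is compared rather than its contents.

```python
# Added example, not IBM's code: mirror the cmbicmenv.ini lookup described above.
import os, tempfile

def find_on_classpath(classpath, name):
    """First classpath *directory* entry containing `name` (jars not searched)."""
    for entry in filter(None, classpath.split(os.pathsep)):
        if os.path.isfile(os.path.join(entry, name)):
            return os.path.join(entry, name)
    return None

def read_property(path, key):
    """Minimal .properties reader: KEY=VALUE lines, '#'/'!' comments, no escapes."""
    with open(path, encoding="latin-1") as fh:
        for line in (raw.strip() for raw in fh):
            k, _, v = line.partition("=")
            if line and not line.startswith(("#", "!")) and k.strip() == key:
                return v.strip()
    return None

def resolve_cmbicmenv(classpath):
    """Path of the cmbicmenv.ini an application on this classpath would load."""
    props = find_on_classpath(classpath, "cmbcmenv.properties")
    if props is None:
        raise FileNotFoundError("cmbcmenv.properties not on classpath")
    cfgdir = read_property(props, "CMCFGDIR")
    if cfgdir is None:
        raise KeyError("CMCFGDIR not set in " + props)
    return os.path.realpath(os.path.join(cfgdir, "cmbicmenv.ini"))

def shared_with_eclient(classpaths):
    """{app: True} for each non-eClient app resolving to eClient's cmbicmenv.ini."""
    eclient_ini = resolve_cmbicmenv(classpaths["eClient"])
    return {app: resolve_cmbicmenv(cp) == eclient_ini
            for app, cp in classpaths.items() if app != "eClient"}

def demo():
    """Constructed layout: the customer's shared setup, then the split workaround."""
    root = tempfile.mkdtemp()
    def install(app, cfgdir):  # one classpath directory and one CMCFGDIR per app
        appdir = os.path.join(root, app)
        os.makedirs(appdir)
        os.makedirs(cfgdir, exist_ok=True)
        with open(os.path.join(appdir, "cmbcmenv.properties"), "w") as fh:
            fh.write("# constructed\nCMCFGDIR=" + cfgdir + "\n")
        return appdir
    shared = os.path.join(root, "cmgmt")  # the single CMCFGDIR both apps get by default
    before = {"eClient": install("eclient", shared), "SysAdmin": install("sysadmin", shared)}
    after = dict(before, SysAdmin=install("sysadmin2", os.path.join(root, "cmgmt_sa")))
    return shared_with_eclient(before), shared_with_eclient(after)  # -> ({'SysAdmin': True}, {'SysAdmin': False})
```

On Windows a real cmbcmenv.properties escapes backslashes in CMCFGDIR, which this reader does not unescape; run it against the actual classpath of each CM client (or point it at their copies of cmbcmenv.properties) to confirm the SysAdmin client no longer resolves to eClient's cmbicmenv.ini.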
CM SA Potential SECURITY HOLE...NEEDS TO BE FIXED IN FP8
Fix in cm83 Fp8.
Reported component name
COMMON SYS ADMI
Fixed component name
COMMON SYS ADMI