APAR status
Closed as program error.
Error description
Background: To log in to CM, two user IDs are involved: (1) the DB connection ID, e.g. icmconct, and (2) the actual user ID. For SSO to work, the actual user ID must have the AllowedTrustedLogin privilege and the DB connection ID must be set to "Not Require Password for all users". In that configuration the Library Server (LS) does not validate the actual user's password; it relies on the client application (e.g. eClient) to validate the user's credentials, e.g. via an LTPA token. However, this user validation logic has not been implemented in the SysAdmin client, nor in custom client applications that invoke the CM API directly. So, for security reasons, the SysAdmin client should NOT use any DB connection ID that is set to "Not Require Password for all users".

In the customer's system, eClient and the SysAdmin client are installed on the same machine. Both use the same DB connection ID, icmconct, which has been set to "Not Require Password for all users" for eClient SSO. As a result, the customer observed that a user with the AllowedTrustedLogin privilege can log in to SysAdmin with a "dummy" (arbitrary) password: the password is never checked by either the client or the LS.

Fix: the SysAdmin client will force password validation for all users, including those with the AllowedTrustedLogin privilege. An APAR has been opened and the fix should be available in FP8.
Local fix
Current workaround: Create another DB connection ID and set it to "Require Password for all users". Use that new DB connection ID for the SysAdmin client and for all client applications other than eClient.

The DB connection ID to use is specified in the cmbicmenv.ini file. Normally there is only one cmbicmenv.ini file on each machine, so all client applications running on the same machine use the same DB connection ID. (This is the cause of the behavior observed in the customer's environment.)

One workaround is to install SysAdmin and eClient on two different machines and configure them to use two different DB connection IDs.

Another workaround allows eClient and SysAdmin to run on the same machine, but requires some testing to validate. The client applications (e.g. SysAdmin and eClient) locate cmbicmenv.ini by first finding the cmbcmenv.properties file on the Java classpath, then reading the variable CMCFGDIR from that properties file; CMCFGDIR names the folder that contains cmbicmenv.ini. The customer can therefore create two sets of cmbicmenv.ini and cmbcmenv.properties files, each in its own folder, and set up the Java classpath of eClient and of the SysAdmin client so that each client finds its own cmbcmenv.properties first.
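The following shell script is an added example, not part of the APAR or of IBM's product code. It simulates the lookup described above (first cmbcmenv.properties on the classpath wins, CMCFGDIR names the folder holding cmbicmenv.ini) and checks that the classpaths given to eClient and to SysAdmin resolve to different DB connection IDs, which is the property the same-machine workaround depends on. It assumes that cmbicmenv.ini stores the DB connection ID in a key named ICMUSERID; that key name, the section name and the ID icmsacon are assumptions for illustration, so compare them against your own files.

```shell
#!/bin/sh
# Added example (not from the APAR or from IBM): reproduce how a CM Java
# client locates cmbicmenv.ini, and verify that two clients on one machine
# end up with different DB connection IDs.
# Assumed: cmbcmenv.properties contains "CMCFGDIR=<dir>" (stated in the APAR);
# cmbicmenv.ini contains "ICMUSERID=<id>" (an assumption, check your file).

# resolve_cmcfgdir CLASSPATH
#   Walk the colon-separated classpath in order; the first entry that holds
#   cmbcmenv.properties wins, as it does for the clients. Print its CMCFGDIR.
resolve_cmcfgdir() {
  oldifs="$IFS"; IFS=':'
  for entry in $1; do
    if [ -f "$entry/cmbcmenv.properties" ]; then
      IFS="$oldifs"
      sed -n 's/^[[:space:]]*CMCFGDIR[[:space:]]*=[[:space:]]*//p' \
        "$entry/cmbcmenv.properties" | head -n 1
      return 0
    fi
  done
  IFS="$oldifs"
  return 1
}

# connection_id_in CMCFGDIR
#   Print the DB connection ID named in that folder's cmbicmenv.ini.
connection_id_in() {
  sed -n 's/^[[:space:]]*ICMUSERID[[:space:]]*=[[:space:]]*//p' \
    "$1/cmbicmenv.ini" | head -n 1
}

# make_config_set DIR CONNECTION_ID
#   Build one self-contained config set: a folder whose properties file
#   points CMCFGDIR at the folder itself, next to its own cmbicmenv.ini.
#   (Constructed sample files for the example.)
make_config_set() {
  mkdir -p "$1"
  printf 'CMCFGDIR=%s\n' "$1" > "$1/cmbcmenv.properties"
  printf '[icmnlsdb]\nICMUSERID=%s\n' "$2" > "$1/cmbicmenv.ini"
}

# check_separate_ids ECLIENT_CLASSPATH SYSADMIN_CLASSPATH
#   Succeed only if both classpaths resolve and yield different IDs.
check_separate_ids() {
  a=$(connection_id_in "$(resolve_cmcfgdir "$1")")
  b=$(connection_id_in "$(resolve_cmcfgdir "$2")")
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}

# Demonstration with constructed config sets in a temporary directory.
demo() {
  tmp=$(mktemp -d)
  make_config_set "$tmp/eclient" icmconct    # SSO ID, "Not Require Password"
  make_config_set "$tmp/sysadmin" icmsacon   # assumed ID, "Require Password"
  ecp="$tmp/eclient:$tmp/sysadmin"           # eClient sees its folder first
  scp="$tmp/sysadmin:$tmp/eclient"           # SysAdmin sees its folder first
  if check_separate_ids "$ecp" "$scp"; then
    echo "OK: eClient and SysAdmin use different DB connection IDs"
  else
    echo "WARNING: both clients resolve to the same DB connection ID"
  fi
  rm -rf "$tmp"
}

demo
```

The check only proves that the two clients read different IDs; whether the SysAdmin ID is actually set to "Require Password for all users" is a Library Server setting that must be verified on the server side.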
Problem summary
CM SA Potential SECURITY HOLE...NEEDS TO BE FIXED IN FP8
Problem conclusion
Fixed in CM 8.3 Fix Pack 8 (FP8).
Temporary fix
Comments
APAR Information
APAR number
IO07690
Reported component name
COMMON SYS ADMI
Reported component ID
5724B1900
Reported release
830
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2007-10-12
Closed date
2008-07-17
Last modified date
2008-07-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
COMMON SYS ADMI
Fixed component ID
5724B1900
Applicable component levels
Business Unit: Cloud & Data Platform (BU053); Product: IBM Content Manager Enterprise Edition (SSRS7Z); Platform: Platform Independent (PF025); Version: 830; Line of Business: Automation (LOB45)
Business Unit: IBM Infrastructure w/TPS (BU058); Product: IBM Z System Automation (SSAHQR); Platform: Platform Independent (PF025); Version: 830; Line of Business: Mainframe SW (LOB35)
Document Information
Modified date:
17 July 2008