IBM Support

IO07690: CM system administration client has a potential security issue

APAR status

  • Closed as program error.

Error description

  • Background
    To log in to CM, two user IDs are involved: (1) the DB connection ID,
    e.g. icmconct, and (2) the actual user ID.
    For SSO to work, the actual user ID must have the
    AllowedTrustedLogin privilege and the DB connection ID must be
    set to "Not Require Password for all users".
    In this case, the LS (Library Server) will not validate the actual
    user's password; it relies on the client application (e.g. eClient)
    to validate the user's credentials (e.g. via an LTPA token).
    However, this user validation logic has not been implemented in
    the SysAdmin client, nor in other custom client applications that
    invoke the CM API directly.
    So, for security reasons, the SysAdmin client should NOT use any DB
    connection ID that is set to "Not Require Password for all
    users".
    In the customer's system, both eClient and the
    SysAdmin client are installed on the same machine.
    They both use the same DB connection ID, icmconct, and icmconct
    has been set to "Not Require Password for all users" for SSO of
    eClient.
    So the customer observed that a user (with the
    AllowedTrustedLogin privilege) can log in to SysAdmin with a "dummy"
    password.

    The SysAdmin client will force password validation for all
    users, even those with the AllowedTrustedLogin privilege.
    An APAR has been opened and the fix should be available in FP8.


Local fix

  • Current workaround
    Create another DB connection ID and set that new DB connection ID
    to "Require Password for all users".
    Use that new DB connection ID for the SysAdmin client and all client
    applications other than eClient.
    The DB connection ID to use is specified in the cmbicmenv.ini
    file.
    Normally, there is only one cmbicmenv.ini file on each machine,
    so all client applications running on the same machine use
    the same DB connection ID. (This is the cause of the behavior
    observed in the customer's environment.)
    One workaround for the customer is to install SysAdmin and
    eClient on two different machines and configure them to use two
    different DB connection IDs.
    Another workaround allows both eClient and SysAdmin to run on
    the same machine but requires some testing to validate.
    The client applications, e.g. SysAdmin and eClient, find the
    cmbicmenv.ini file by first locating the cmbcmenv.properties file
    in the Java classpath.
    Then, in the cmbcmenv.properties file, they look for the value of
    the variable CMCFGDIR, which is the folder that contains the
    cmbicmenv.ini file.
    So the customer can create two sets of cmbicmenv.ini and
    cmbcmenv.properties files and set up the Java classpaths of
    eClient and the SysAdmin client correspondingly.

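As an added check (not IBM's code and not part of this APAR), the following POSIX shell script follows the lookup described above to report which cmbicmenv.ini each client's classpath resolves to, so an administrator can confirm that SysAdmin and eClient really end up with different DB connection ID configurations. It assumes cmbcmenv.properties is a plain key=value Java properties file and that classpath entries holding it are directories.

```shell
#!/bin/sh
# Added example, not IBM's code: report which cmbicmenv.ini a CM client on a
# given Java classpath will use, following the lookup the APAR describes
# (first cmbcmenv.properties on the classpath -> its CMCFGDIR -> cmbicmenv.ini).
# Assumptions: cmbcmenv.properties is a key=value Java properties file and
# classpath entries holding it are directories (jar entries are skipped).

# Print the resolved cmbicmenv.ini path for classpath $1; return 1 if none.
resolve_cmcfg_ini() {
    oldifs="$IFS"; IFS=':'
    for entry in $1; do
        IFS="$oldifs"
        props="$entry/cmbcmenv.properties"
        [ -f "$props" ] || continue          # skip jars and missing entries
        # Value of the first CMCFGDIR= line, trailing whitespace/CR stripped.
        dir=$(sed -n 's/^[[:space:]]*CMCFGDIR[[:space:]]*=[[:space:]]*//p' "$props" \
              | head -n 1 | sed 's/[[:space:]]*$//')
        if [ -z "$dir" ] || [ ! -f "$dir/cmbicmenv.ini" ]; then
            echo "bad CMCFGDIR '$dir' in $props" >&2
            return 1
        fi
        echo "$dir/cmbicmenv.ini"
        return 0
    done
    IFS="$oldifs"
    echo "no cmbcmenv.properties on classpath" >&2
    return 1
}

# Return 0 only when the eClient ($1) and SysAdmin ($2) classpaths resolve to
# different cmbicmenv.ini files, so SysAdmin cannot inherit the
# "Not Require Password for all users" connection ID configured for eClient.
check_separate_cmcfg() {
    a=$(resolve_cmcfg_ini "$1") || return 1
    b=$(resolve_cmcfg_ini "$2") || return 1
    if [ "$a" = "$b" ]; then
        echo "WARNING: eClient and SysAdmin share $a" >&2
        return 1
    fi
    echo "eClient:  $a"
    echo "SysAdmin: $b"
}
```

Call `check_separate_cmcfg` with the classpath each client is actually launched with; a shared cmbicmenv.ini is reported as a warning and a non-zero exit status.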

Problem summary

  • CM SA potential SECURITY HOLE, needs to be fixed in FP8.


Problem conclusion

  • Fix in CM 8.3 FP8.


Temporary fix

Comments

APAR Information

  • APAR number

    IO07690

  • Reported component name

    COMMON SYS ADMI

  • Reported component ID

    5724B1900

  • Reported release

    830

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-10-12

  • Closed date

    2008-07-17

  • Last modified date

    2008-07-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    COMMON SYS ADMI

  • Fixed component ID

    5724B1900

Applicable component levels

  • R830 PSY UP



Document information

More support for: Content Manager

Software version: 830

Reference #: IO07690

Modified date: 17 July 2008