IC79412: V6 TIVOLI STORAGE MANAGER SERVER INSTALLER DEPLOYMENT ENGINE SEC URITY REQUIRES DOCUMENTATION.

APAR status

• Closed as documentation error.

Error description

• The Deployment Engine (DE) installed with the Tivoli Storage
  Manager server is installed globally as a root user.  A
  globally installed DE allows for non-root users to be able to
  upgrade/install components installed by the DE and requires
  some files to be accessible by all system users.  Certain
  environments may require tighter restrictions on what users
  can access files.
  
  The DE provides the capability of controlling DE file
  permissions at 3 levels using the following command:
  
    /usr/ibm/common/acsi/bin/de_security.sh
  
    Usage: de_security (-singleUser | -group (groupname) |
           -global | -refreshDB )
  
    Single User - Only the user who installed DE will be allowed
                  write access
    Group - Only the current user and members of the specified
            group will be allowed write access to the DE.
    Global - All users will be allowed write access to DE
  
  Tivoli Storage Manager by default uses the Global DE.  It
  is possible for Tivoli Storage Manager users to change the
  DE access to single user or group after installation.  If
  the DE is changed to single user mode, it is important to
  note that installing the Administration Center component
  with a non-root user ID on the same system is not possible.
  
  The above information should be included in the installation
  documentation for Tivoli Storage Manager.
  
  Customer/L2 Diagnostics:
  None.
  
  Initial Impact:
  Low
  
  Tivoli Storage Manager Versions Affected:
  V6 Tivoli Storage Manager server/admin center on all UNIX platfo
  rms.
  
  Additional Keywords:
  ZZ62 TSM INSTALL INSTALLER DE WORLD WRITABLE WWF
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All Tivoli Storage Manager server users.     *
  ****************************************************************
  * PROBLEM DESCRIPTION: See error description.                  *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  *
  

Problem conclusion

• In the Tivoli Storage Manager server installation guides for
  AIX, HP-UX, Linux, and Solaris, the following topic was added:
  
  "Configuring access rights to Deployment Engine files
  
  When you install the Tivoli Storage Manager server, the
  Deployment Engine is installed automatically on the same
  system. The Deployment Engine is used to install Tivoli
  Storage Manager components.
  
  The Deployment Engine is installed globally as a root user.
  The globally installed Deployment Engine makes it possible for
  non-root users to upgrade and install the components that were
  installed by the Deployment Engine. The Deployment Engine also
  makes some files accessible to all system users.
  
  You can configure access rights to the files that are
  controlled by the Deployment Engine. The following table
  describes the access levels and the related commands. To view,
  set, or refresh the access level, issue the specified command
  on one line.
  
  Table 1. Commands for viewing and setting access rights to
  files controlled by the Deployment Engine
  
  Action: View
  Description: Displays the current access level.
  Command: /usr/ibm/common/acsi/bin/de_security.sh
  
  Action: Set access to single user
  Description: Only the user who installed the Deployment Engine
  has write access to the Deployment Engine files.
  Command: /usr/ibm/common/acsi/bin/de_security.sh -singleUser
  
  Action: Set access to group
  Description: Only the current user and members of the
  specified group have write access to the Deployment Engine
  files.
  Command: /usr/ibm/common/acsi/bin/de_security.sh -group
  groupname
  
  Action: Set access to global
  Description: All users have write access to the Deployment
  Engine files.
  Command: /usr/ibm/common/acsi/bin/de_security.sh -global
  
  Action: Refresh
  Description: After you change the access level, use this
  command to display the change.
  Command: /usr/ibm/common/acsi/bin/de_security.sh -refreshDB"
  
  In the topic "Installing the Administration Center," the
  following note was added:
  
  "<AIX, Linux, Solaris> Restriction: If access rights for
  Deployment Engine files are set to single user mode, you
  cannot install the Administration Center on the same system by
  using a non-root user ID. If single user mode is specified,
  install the Administration Center by logging in as the root
  user or modify the access rights for Deployment Engine files.
  For details, see Configuring access rights to Deployment
  Engine files."
  
  
  Affected platforms:  AIX, HP-UX, Solaris, and Linux.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels