IV76877: IP.SPIPE IS NOT INITIALIZED FOR KUXAGENT ON HP-UX WITH SUID

IBM Tivoli Monitoring 6.3.0 Fix Pack 7 (6.3.0-TIV-ITM-FP0007)

APAR status

• Closed as program error.

Error description

• IP.SPIPE or any ssl based protocol is not initialized on HP-UX
  when the agent binary is owned by root with the SUID bit turned
  on and the agent is launched from a non-root ID.
  
  In the agent RAS1 log you see entries like the following in the
  log header when you are launching the agent in this way:
  
  +55EA18D8.0000     Program Name: kuxagent          User Name:
  itmuser
  +55EA18D8.0000 Effective User Name: root
  
  The GSKit has failed to initialize when you can find the
  following string: "Active Shared Libraries".
  
  The GSKit has successfully initialized when you find the
  following string: "GSKit Environment"
  
  RECREATE INSTRUCTIONS:
  itmuser will be used as the non-root user in these instructions.
  
  1) As itmuser, install the ITM 6.30.XX OS agent on an HP-UX
  system.
  2) As itmuser, configure the OS agent to connect using ip.spipe.
  2) As root, run "$CANDLEHOME/bin/SetPerm -a".
  3) As itmuser, launch the OS agent
  4) Notice entries like the following in the OS agent RAS1 log:
  +55EA18D8.0000     Program Name: kuxagent          User Name:
  itmuser
  +55EA18D8.0000 Effective User Name: root
  +55DF7065.001B              Active Shared Libraries:
  

Local fix

• Determine the path to the local GSKit libraries by adding "/lib"
   for a 32 bit path or "/lib64" for a 64 bit path to the entries
  listed in $CANDLEHOME/config/gskit.conf.
  
  If gskit.conf contained the following:
  GskitInstallDir_64=/opt/IBM/ITM/hpi116/gs
  the library path would be:
  /opt/IBM/ITM/hpi116/gs/lib64
  
  If gskit.conf contained the following:
  GskitInstallDir=/opt/IBM/ITM/hpi113/gs
  the library path would be:
  /opt/IBM/ITM/hpi113/gs/lib
  
  Add the appropriate library paths, one per line, to
  /etc/dld.sl.conf.
  Create /etc/dld.sl.conf if it does not exist.
  

Problem summary

• IP.SPIPE is not initialized for kuxagent on HP-UX with SUID
  
  
  The OS agent will not connect using IP.SPIPE after running
  "SetPerm -a" or "secureMain lock" on HP-UX. IP.SPIPE or any ssl
  based protocol is not initialized on HP-UX when the agent binary
  is owned by root with the SUID bit turned on and the agent is
  launched from a non-root ID.
  
  In the agent RAS1 log you see entries like the following in the
  log header when you are launching the agent in this way:
  
  +55EA18D8.0000     Program Name: kuxagent          User Name:
  itmuser
  +55EA18D8.0000 Effective User Name: root
  The GSKit has failed to initialize when you can find the
  following string:
  "Active Shared Libraries".
  The GSKit has successfully initialized when you find the
  following string:
  "GSKit Environment"
  

Problem conclusion

• The code was changed to allow the OS agent to connect using
  IP.SPIPE after running "SetPerm -a" or "secureMain lock"
  
  The fix for this APAR is contained in the following maintenance
  packages:
  
    | fix pack | 6.3.0-TIV-ITM-FP0007
  

Temporary fix

• Determine the path to the local GSKit libraries by adding "/lib"
   for a 32 bit path or "/lib64" for a 64 bit path to the entries
  listed in $CANDLEHOME/config/gsKit.config.
  
  If gsKit.config contained the following
  "GskitInstallDir_64=/opt/IBM/ITM/hpi116/gs", then the library
  path would be "/opt/IBM/ITM/hpi116/gs/lib64".
  If gsKit.config contained the following
  "GskitInstallDir=/opt/IBM/ITM/hpi113/gs", then the library path
  would be "/opt/IBM/ITM/hpi113/gs/lib".
  
  You must be the root user to create or modify /etc/dld.sl.conf.
  Add the appropriate library paths, one per line, to
  /etc/dld.sl.conf. Create /etc/dld.sl.conf if it does not exist.
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  OMEG DIST INSTA

• Fixed component ID

  5608A41CI

Applicable component levels

• R630 PSY

     UP