IBM Support

IV82700: DISABLE JAVA ATTACH API TO PREVENT CREATION OF /TMP/.COM_IBM_TOOLS_ATTACH AND CONTENT

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • For most UNIX and Linux platforms, Java creates a directory
    structure in /tmp whenever a new Java Virtual Machine (JVM) is
    created. The directory structure looks like this:
    
       PERM DIRNAME/FNAME
       ==== ======================================================
       1777 /tmp/.com_ibm_tools_attach
        666 /tmp/.com_ibm_tools_attach/_master
        666 /tmp/.com_ibm_tools_attach/_notifier
        666 /tmp/.com_ibm_tools_attach/_attachlock
       1711 /tmp/.com_ibm_tools_attach/<PID>
        666 /tmp/.com_ibm_tools_attach/<PID>/attachNotificationSync
        600 /tmp/.com_ibm_tools_attach/<PID>/attachInfo
    
    The entries in the <PID> subdirectory are specific to a given
    process identifier. They are removed when the process ends. The
    other entries persist. If they are removed, they are recreated
    by the next JVM.
    
    This structure is used as part of a communication mechanism
    between JVMs called the ATTACH API. It is documented here:
    
       http://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.
       ibm.java.aix.70.doc/user/attachapi.html
    
    Despite it's automatic creation, the core of IBM Tivoli
    Monitoring (ITM) does not use this mechanism. And some
    customers perceive the resulting file structure to be a security
    exposure.
    

Local fix

Problem summary

  • Disable Java Attach API.
    
    
    The Java Attach API is a mechanism provided by the Java Runtime
    Environment (JRE).  It is designed to allow applications to
    connect to a running Java Virtual Machine (JVM).  The interface
    is described here:
    
    http://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.
    java.zos.70.doc/user/attachapi.html
    
    By default, Java creates a directory and file structure like
    this the first time a JVM is started:
    
       drwxrwxrwt TMPDIR/.com_ibm_tools_attach
       -rw-rw-rw- TMPDIR/.com_ibm_tools_attach/_attachlock
       -rw-rw-rw- TMPDIR/.com_ibm_tools_attach/_master
       -rw-rw-rw- TMPDIR/.com_ibm_tools_attach/_notifier
    
    It also creates a directory and file structure like this for
    each running JVM:
    
       drwx--x--t TMPDIR/.com_ibm_tools_attach/<PID>
       -rw-rw-rw-
    TMPDIR/.com_ibm_tools_attach/<PID>/attachNotificationSync
       -rw------- TMPDIR/.com_ibm_tools_attach/<PID>/attachInfo
    
    Note: For AIX and Linux, TMPDIR is usually /tmp.  For Windows,
    TMPDIR is usually C:\Users\<userid>\AppData\Local\Temp or a
    subdirectory within.
    
    While no application data is stored here and the structure is
    recreated if it is ever destroyed, some perceive the permissions
    structure to be a security exposure.
    
    This behavior exists for IBM Tivoli Monitoring (ITM) on AIX,
    Linux, and Windows.  Neither HP-UX nor Solaris are affected.
    

Problem conclusion

  • The CANDLEHOME JRE package was modified to include a default
    option that disables the Java Attach API.  For IBM Tivoli
    Monitoring processes that use the CANDLEHOME JRE, this means the
     above directory and file structure is not generated.  Be aware
    that some ITM subcomponents do not use the CANDLEHOME JRE, which
     means their JVMs may continue to generate the structure.  There
     are two main areas that are untouched:
    
       1) The portal server uses the embedded Websphere Application
    Server and the IBM Help Server.  Both of these subcomponents
    have their own JRE independent of the CANDLEHOME JRE.  So,
    whenever the portal server is started, the structure is
    generated.  There is no workaround for this behavior.
    
       2) Some agents have their own JRE independent of the
    CANDLEHOME JRE.  So, whenever the agent creates a new JVM, the
    structure is generated.  Most agents (and the OS agents,
    specifically) do not do this.  For the ones that do, consult the
    support team responsible for the agent to pursue whether they
    can make changes to prevent the behavior.
    
    
    The fix for this APAR is contained in the following maintenance
    packages:
    
       | fix pack | 6.3.0-TIV-ITM-FP0007
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV82700

  • Reported component name

    OMEG DIST INSTA

  • Reported component ID

    5608A41CI

  • Reported release

    630

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-03-16

  • Closed date

    2017-01-06

  • Last modified date

    2017-01-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IV82880

Fix information

  • Fixed component name

    OMEG DIST INSTA

  • Fixed component ID

    5608A41CI

Applicable component levels

  • R630 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSCTLMD","label":"ITM Distributed Installer V6"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"630","Edition":""}]

Document Information

Modified date:
06 January 2017