IBM Support

IV82700: DISABLE JAVA ATTACH API TO PREVENT CREATION OF /TMP/.COM_IBM_TOOLS_ATTACH AND CONTENT


APAR status

  • Closed as program error.

Error description

  • For most UNIX and Linux platforms, Java creates a directory
    structure in /tmp whenever a new Java Virtual Machine (JVM) is
    created. The directory structure looks like this:
    
       PERM DIRNAME/FNAME
       ==== ======================================================
       1777 /tmp/.com_ibm_tools_attach
        666 /tmp/.com_ibm_tools_attach/_master
        666 /tmp/.com_ibm_tools_attach/_notifier
        666 /tmp/.com_ibm_tools_attach/_attachlock
       1711 /tmp/.com_ibm_tools_attach/<PID>
        666 /tmp/.com_ibm_tools_attach/<PID>/attachNotificationSync
        600 /tmp/.com_ibm_tools_attach/<PID>/attachInfo
    
    The entries in the <PID> subdirectory are specific to a given
    process identifier. They are removed when the process ends. The
    other entries persist. If they are removed, they are recreated
    by the next JVM.
    
    This structure is used as part of a communication mechanism
    between JVMs called the ATTACH API. It is documented here:
    
       http://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.aix.70.doc/user/attachapi.html
    
    The core of IBM Tivoli Monitoring (ITM) does not use this
    mechanism, yet the structure is created automatically whenever a
    JVM starts. Because the top-level directory is world-writable
    (mode 1777, sticky bit set) and the _master, _notifier and
    _attachlock files are world-writable (mode 666), any local user
    can open them for writing, and some customers perceive the
    resulting file structure to be a security exposure.
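The exposure described above, as an added example that is not part of the APAR or of IBM's code: a Python script that builds the attach directory layout from the permission table (a constructed sample in a temporary directory, so it runs without an IBM JRE) and reports every entry that grants write access to users other than the owner. The `<PID>` value 4242 is an arbitrary placeholder.

```python
"""Audit an IBM Java Attach API directory for world-writable entries.

Added example, not part of the APAR. EXPECTED is copied from the
permission table in the error description; the sample tree is constructed
in a temporary directory so the script runs without an IBM JRE.
"""
import os
import stat
import tempfile

ATTACH_DIRNAME = ".com_ibm_tools_attach"

# Expected modes (octal) from the APAR table, relative to the attach
# directory. "<PID>" stands for any numeric per-process subdirectory.
EXPECTED = {
    "": 0o1777,
    "_master": 0o666,
    "_notifier": 0o666,
    "_attachlock": 0o666,
    "<PID>": 0o1711,
    "<PID>/attachNotificationSync": 0o666,
    "<PID>/attachInfo": 0o600,
}


def build_sample_tree(tmpdir, pid=4242):
    """Create the structure the APAR describes (constructed sample)."""
    base = os.path.join(tmpdir, ATTACH_DIRNAME)
    os.mkdir(base)
    for name in ("_master", "_notifier", "_attachlock"):
        open(os.path.join(base, name), "w").close()
    piddir = os.path.join(base, str(pid))
    os.mkdir(piddir)
    open(os.path.join(piddir, "attachNotificationSync"), "w").close()
    open(os.path.join(piddir, "attachInfo"), "w").close()
    # Apply the documented modes explicitly; os.chmod ignores the umask.
    for rel, mode in EXPECTED.items():
        path = os.path.normpath(os.path.join(base, rel.replace("<PID>", str(pid))))
        os.chmod(path, mode)
    return base


def audit_attach_dir(base):
    """Return {relative_path: mode} for every entry under `base` whose mode
    grants write access to 'other'. The top directory is reported as "."."""
    findings = {}
    top = stat.S_IMODE(os.lstat(base).st_mode)
    if top & stat.S_IWOTH:
        findings["."] = top
    for root, dirs, files in os.walk(base):
        for name in dirs + files:
            path = os.path.join(root, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:
                findings[os.path.relpath(path, base)] = mode
    return findings


def audit_sample(pid=4242):
    """Build the sample tree, audit it, and clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_attach_dir(build_sample_tree(tmp, pid))


if __name__ == "__main__":
    # On a live host, call audit_attach_dir("/tmp/.com_ibm_tools_attach").
    for rel, mode in sorted(audit_sample().items()):
        print(f"{mode:04o} {rel}")
```

On a live AIX or Linux host, point `audit_attach_dir` at /tmp/.com_ibm_tools_attach. With the documented layout the report lists the top directory, _master, _notifier, _attachlock and each running JVM's attachNotificationSync; attachInfo (600) and the <PID> directories (1711) are not world-writable and are not listed. Anything else that appears is not part of the documented structure and deserves a closer look.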
    

Local fix

Problem summary

  • Disable Java Attach API.
    
    
    The Java Attach API is a mechanism provided by the Java Runtime
    Environment (JRE).  It is designed to allow applications to
    connect to a running Java Virtual Machine (JVM).  The interface
    is described here:
    
    http://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.zos.70.doc/user/attachapi.html
    
    By default, Java creates a directory and file structure like
    this the first time a JVM is started:
    
       drwxrwxrwt TMPDIR/.com_ibm_tools_attach
       -rw-rw-rw- TMPDIR/.com_ibm_tools_attach/_attachlock
       -rw-rw-rw- TMPDIR/.com_ibm_tools_attach/_master
       -rw-rw-rw- TMPDIR/.com_ibm_tools_attach/_notifier
    
    It also creates a directory and file structure like this for
    each running JVM:
    
       drwx--x--t TMPDIR/.com_ibm_tools_attach/<PID>
       -rw-rw-rw- TMPDIR/.com_ibm_tools_attach/<PID>/attachNotificationSync
       -rw------- TMPDIR/.com_ibm_tools_attach/<PID>/attachInfo
    
    Note: For AIX and Linux, TMPDIR is usually /tmp.  For Windows,
    TMPDIR is usually C:\Users\<userid>\AppData\Local\Temp or a
    subdirectory within.
    
    No application data is stored here, and the structure is
    recreated if it is ever destroyed.  Even so, the _attachlock,
    _master and _notifier files are world-writable, and the top-level
    directory is world-writable with the sticky bit set, so any local
    user can open or modify them; some customers perceive this
    permissions structure to be a security exposure.
    
    This behavior exists for IBM Tivoli Monitoring (ITM) on AIX,
    Linux, and Windows.  Neither HP-UX nor Solaris are affected.
    

Problem conclusion

  • The CANDLEHOME JRE package was modified to include a default
    option that disables the Java Attach API.  For IBM Tivoli
    Monitoring processes that use the CANDLEHOME JRE, this means the
    above directory and file structure is not generated.  Be aware
    that some ITM subcomponents do not use the CANDLEHOME JRE, which
    means their JVMs may continue to generate the structure.  There
    are two main areas that are untouched:
    
       1) The portal server uses the embedded WebSphere Application
    Server and the IBM Help Server.  Both of these subcomponents
    have their own JRE, independent of the CANDLEHOME JRE, so
    whenever the portal server is started the structure is
    generated.  There is no workaround for this behavior.
    
       2) Some agents have their own JRE, independent of the
    CANDLEHOME JRE, so whenever such an agent creates a new JVM the
    structure is generated.  Most agents (and the OS agents
    specifically) do not do this.  For the ones that do, consult the
    support team responsible for the agent to pursue whether they
    can make changes to prevent the behavior.
    
    
    The fix for this APAR is contained in the following maintenance
    packages:
    
       | fix pack | 6.3.0-TIV-ITM-FP0007
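To find which JVMs on an ITM host still run with the Attach API enabled after the fix pack (the portal server's embedded WebSphere and Help Server JREs, and agents with their own JRE), an added example that is not the APAR's or IBM's code. The APAR does not name the option added to the CANDLEHOME JRE; this script assumes the IBM/OpenJ9 system property com.ibm.tools.attach.enable, disabled by the value no, that a setting on the command line overrides one in IBM_JAVA_OPTIONS, and that the last occurrence of a repeated property wins. The process lines are constructed sample output in `ps -eo pid,args` form; the paths and class names in them are hypothetical.

```python
"""Find JVMs that still run with the IBM Java Attach API enabled.

Added example, not part of the APAR. Assumptions (not stated on the page):
the Attach API is disabled by -Dcom.ibm.tools.attach.enable=no, a setting on
the command line overrides one in IBM_JAVA_OPTIONS, and when a property is
given more than once the last occurrence wins.
"""
import os
import shlex

PROPERTY = "com.ibm.tools.attach.enable"

# Constructed sample in `ps -eo pid,args` form; paths and class names are
# hypothetical, not taken from a real ITM installation.
SAMPLE_PS = """\
  900 /usr/sbin/sshd -D
 1201 /opt/IBM/ITM/JRE/bin/java -Dcom.ibm.tools.attach.enable=no -cp /opt/IBM/ITM/lib/agent.jar example.Agent
 1345 /opt/IBM/ITM/iw/java/bin/java -Xmx1024m -Dcom.ibm.tools.attach.enable=no -Dcom.ibm.tools.attach.enable=yes example.Portal
 1402 /opt/IBM/ITM/ih/java/bin/java -jar /opt/IBM/ITM/ih/help.jar -Dcom.ibm.tools.attach.enable=no
 1550 /opt/IBM/ITM/JRE/bin/java -cp /opt/IBM/ITM/lib/other.jar example.Other
 1600 /opt/IBM/ITM/JRE/bin/java example.Main -Dcom.ibm.tools.attach.enable=no
"""


def jvm_options(argv):
    """Return the JVM options from a java command line (argv[0] is the
    launcher). Scanning stops at the main class or at -jar: anything after
    that is an argument to the program, not to the JVM, so a -D placed
    there (pids 1402 and 1600 above) has no effect."""
    opts = []
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-cp", "-classpath"):
            i += 2                      # option plus its path argument
            continue
        if tok == "-jar" or not tok.startswith("-"):
            break                       # -jar <file> or main class ends JVM options
        opts.append(tok)
        i += 1
    return opts


def attach_enabled(argv, env_opts=""):
    """True if the JVM would start with the Attach API enabled."""
    value = "yes"                       # assumed default: enabled
    prefix = "-D" + PROPERTY + "="
    # Environment first, then command line, so the command line overrides
    # and the last occurrence wins (both assumed, see module docstring).
    for tok in shlex.split(env_opts) + jvm_options(argv):
        if tok.startswith(prefix):
            value = tok[len(prefix):].strip().lower()
    return value != "no"


def audit_ps(ps_text, env_opts=""):
    """Map pid -> attach-enabled flag for every java process in ps output."""
    result = {}
    for line in ps_text.splitlines():
        pid, _, cmd = line.strip().partition(" ")
        argv = shlex.split(cmd)
        if not argv or os.path.basename(argv[0]) not in ("java", "java.exe"):
            continue                    # not a JVM launcher
        result[int(pid)] = attach_enabled(argv, env_opts)
    return result


if __name__ == "__main__":
    # On a live host, feed real `ps -eo pid,args` output instead of SAMPLE_PS.
    env = os.environ.get("IBM_JAVA_OPTIONS", "")
    for pid, enabled in sorted(audit_ps(SAMPLE_PS, env).items()):
        print(f"{pid:6d} attach {'ENABLED' if enabled else 'disabled'}")
```

Every process the script reports as ENABLED is a JVM that will still create TMPDIR/.com_ibm_tools_attach when it starts; cross-checking those pids against the <PID> subdirectories actually present in the attach directory confirms the picture on a running system.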
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV82700

  • Reported component name

    OMEG DIST INSTA

  • Reported component ID

    5608A41CI

  • Reported release

    630

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-03-16

  • Closed date

    2017-01-06

  • Last modified date

    2017-01-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    OMEG DIST INSTA

  • Fixed component ID

    5608A41CI

Applicable component levels

  • Business Unit: IBM Software w/o TPS (BU059)

  • Product: Tivoli Monitoring (SSTFXA)

  • Platform: Platform Independent (PF025)

  • Version: 630

  • Line of Business: Automation (LOB45)

Document Information

Modified date:
08 March 2023