
SI79582 - OSP-CERT-INCORROUT DCM ALLOWS ACTION REQUESTS FOR LOW AUTHOR

PTF Cover Letter


Abstract

OSP-CERT-INCORROUT DCM ALLOWS ACTION REQUESTS FOR LOW AUTHOR


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED           PTF/FIX  LEVEL

TYPE PROGRAM  RELEASE   NUMBER   MIN/MAX  OPTION
---- -------- --------- -------  -------  ------
PRE  5770SS1  V7R3M0    SI72323   00/00    0000
CO   5770SS1  V7R3M0    SI79618   NONE     0034
CO   5770SS1  V7R3M0    SI77118   NONE     0034
CO   5770SS1  V7R3M0    SI72542   NONE     0034
CO   5770SS1  V7R3M0    SI72421   NONE     0034
DIST 5770SS1  V7R3M0    SI77116   NONE     0035
DIST 5770999  V7R3M0    MF67593   00/00    0000



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.





APAR Error Description / Circumvention

-----------------------------------------------
When using a low authority user, it is possible to request the
DCM UI to display a screen intended for a system administrator
by setting the "isSecAdm" DCM flag to 'true' on the client.
With the full menu displayed, the low authority user is able to
click on buttons to send DCM action requests including the
ability to browse the file system for objects.

CORRECTION FOR APAR SE77713 :
-----------------------------
IBM Digital Certificate Manager for i is designed to be used by
low authority users to download CA certificates into their
browsers when the user has been given *RX access to the CA
certificate files.  As such, there are two menus to display
based on a user's authority.  The full menu is intended for
users with *ALLOBJ and *SECADM authority, a shorter menu is for
users without those special authorities.  Regardless of which
menu is presented, the requested actions are controlled by
authority checks on IBM i, so only a suitably authorized
logged-in user can perform the intended requests via the DCM UI.

The fix which is provided will ensure that users accessing DCM
are only able to request the actions they are expected to
perform via the DCM UI.  For users that do not have *ALLOBJ and
*SECADM special authority, any browsing of the file system via
DCM is prevented.  Attempting to get a list of existing
certificate stores returns an empty list.  Attempting to perform
actions such as creating a certificate store results in an
authority error.

These extra controls have been added to the DCM UI so that the
actions a user can request are already restricted before the
authority checks are performed by the IBM i operating system.
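The pre-fix and post-fix behaviour described above, modelled in Python as an added illustration; this is not IBM's DCM code, and the session type, authority set, store names and IFS path are constructed for the example:

```python
from dataclasses import dataclass

# Special authorities that select the full DCM menu (per the APAR text).
ADMIN_AUTHORITIES = frozenset({"*ALLOBJ", "*SECADM"})

# Constructed sample data standing in for IFS directories and certificate stores.
FAKE_IFS = {"/home/dcm/sample": ["server.kdb", "signing.kdb"]}
CERT_STORES = ["*SYSTEM", "*OBJECTSIGNING"]


class AuthorityError(Exception):
    """Raised where the fixed DCM UI now returns an authority error."""


@dataclass(frozen=True)
class Session:
    user: str
    special_authorities: frozenset  # taken from the user profile, server side


def is_sec_adm(session: Session) -> bool:
    # Server-side decision: both *ALLOBJ and *SECADM are required.
    return ADMIN_AUTHORITIES <= session.special_authorities


def menu_before_fix(params: dict) -> str:
    # Pre-fix pattern: the menu choice trusted a client-supplied flag.
    return "full" if params.get("isSecAdm") == "true" else "short"


def menu_after_fix(session: Session, params: dict) -> str:
    # Post-fix pattern: the client flag is ignored; the session decides.
    return "full" if is_sec_adm(session) else "short"


def handle_action(session: Session, action: str, params: dict):
    """Dispatch a DCM action request with the post-fix authority gate."""
    if action == "browse":
        if not is_sec_adm(session):
            raise AuthorityError("file system browsing is not permitted")
        return FAKE_IFS.get(params.get("path", ""), [])
    if action == "list_stores":
        # Non-administrators get an empty list rather than the store names.
        return list(CERT_STORES) if is_sec_adm(session) else []
    if action == "create_store":
        if not is_sec_adm(session):
            raise AuthorityError("not authorized to create a certificate store")
        CERT_STORES.append(params["name"])
        return params["name"]
    raise ValueError(f"unknown action {action!r}")
```

The point of `handle_action` is that every request is gated on the server-side session, so a forged `isSecAdm` value changes nothing about what the user can do.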

CIRCUMVENTION FOR APAR SE77713 :
--------------------------------
None.


Activation Instructions


None.




Special Instructions


********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI74389 :
=================================================

Restart HTTP Administration Server
ENDTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI72341 :
=================================================

After applying or removing this PTF,
end and restart the HTTP administration server.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI78577      OSP-CERT RETRIEVE CRL LOCATION AND LDAP SERVER FOR CA
   SI77978      OSP-DCM INCORRECT CHARACTERS DISPLAYED FOR APP DESCRIPTION
   SI77121      OSP-CERT POPULATE STORE WITH CA CERTIFICATES NEEDS AN UPDATE
   SI77115      CRYPTO:  Native support for 4769 Cryptographic Co-processor
   SI77011      OSP-CERT-MSGCPF3CF2 QSYS2.CERTIFICATE_INFO WITH MANY CERTS
   SI75408      OSP-DCM CERTIFICATE STORE IN USE WHEN ASSIGNING CERTIFICATE
   SI75001      OSP-CERT-INCORROUT ADDING CLIENT OR SERVER APPLICATION ID IN
   SI74710      OSP-DCM ERROR GENERATING FIRST LOCAL CA CERTIFICATE
   SI74389      OSP DCM SUPPORT UNASSIGN DEFAULT CERTIFICATE FOR STORE
   SI73832      OSP USING EXPIRED CERTIFICATE CAUSES MEMORY CONSUMPTION
   SI72341      OSP-DCM SRVPGM ENHANCEMENT TO SUPPORT TLS 1.3
   SI64486      OSP-DCM UNABLE TO SET POLICY DATA FOR LOCAL CA
   SI63096      CRYPTO:  Native support for Sentry Cryptographic Co-processo
   SI66088      OSP-CERT INCORRECT WORDING OF SUBJECT ALTERNATIVE NAME FIELD
   SI60045      OSP-INCORROUT MISSING OPTION TO IMPORT CERTIFICATE FOR RENEW
   SI65751      OSP-DCM PROVIDE SAN FIELDS ON CERTIFICATE REQUEST
   SI62300      OSP-PERFM MUTEX LEAKS CAUSE MACHINE FAULTING DURING CLEANUP
   SI59437      OSP-CERT-INCORROUT VALIDITY DATE SHOWS YEAR AS 2 DIGITS
   SI64934      OSP-DCM APPLICATION DEFINITION CIPHER SPECIFICATION ORDER
   SI66303      OSP-DCM UNABLE TO REMOVE CERTIFICATE ASSIGNMENT WITH QYCDCUS
   SI66287      OSP-DCM UNABLE TO REMOVE CERTIFICATE ASSIGNMENT WITH QYCDCUS

Summary Information

System..............................  i
Models..............................  
Release.............................  V7R3M0
Licensed Program....................  5770SS1
APAR Fixed..........................  SE77713
Superseded by.......................  SI79927
Recompile...........................  N
Library.............................  QICSS
MRI Feature ........................  NONE
Cum Level...........................  C2335730



Document Information

Modified date:
07 December 2022