
SI79619 - OSP-CERT FILE SYSTEM ACCESS IN DCM WITH LOW AUTHORITY USER

PTF (Program Temporary Fixes) Cover Letter



Abstract

OSP-CERT FILE SYSTEM ACCESS IN DCM WITH LOW AUTHORITY USER


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED           PTF/FIX  LEVEL

TYPE PROGRAM  RELEASE   NUMBER   MIN/MAX  OPTION
---- -------- --------- -------  -------  ------
CO   5770SS1  V7R4M0    SI79583   NONE     0034
DIST 5770SS1  V7R4M0    SI69579   NONE     0003



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.





APAR Error Description / Circumvention

-----------------------------------------------
When signed on as a low-authority user, it is possible to make the
DCM UI display the menu intended for a security administrator by
setting the "isSecAdm" DCM flag to 'true' on the client side.  With
the full menu displayed, the low-authority user can click buttons
that send DCM action requests, including requests to browse the
file system for objects.

CORRECTION FOR APAR SE77758 :
-----------------------------
IBM Digital Certificate Manager for i is designed so that
low-authority users can download CA certificates into their
browsers when they have been given *RX access to the CA
certificate files.  DCM therefore has two menus, chosen by the
user's authority: the full menu is intended for users with *ALLOBJ
and *SECADM special authority, and a shorter menu is for users
without those special authorities.  Whichever menu is presented,
the actions that are requested are subject to authority checks on
IBM i, so only an authorized signed-on user can complete the
intended requests through the DCM UI.

The fix ensures that users accessing DCM can only request the
actions they are expected to perform through the DCM UI.  For
users without *ALLOBJ and *SECADM special authority, browsing the
file system through DCM is prevented, a request for the list of
existing certificate stores returns an empty list, and actions such
as creating a certificate store fail with an authority error.

These extra controls, added to DCM's handling of UI requests, are
based on the signed-on user's special authorities rather than on
the menu the client chose to display.  They reduce the actions a
user can request before the authority checks performed by the
IBM i operating system are reached.
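The bug class described above, as an added example that is not IBM's DCM code: a small Python model of a DCM-style request handler in its pre-fix shape (the client's isSecAdm field decides which menu is in effect, and the file system browse is served without a server-side check) beside the post-fix shape (the decision comes from the signed-on user's *ALLOBJ and *SECADM special authorities; non-admins cannot browse, get an empty store list, and get an authority error on create_store). The user profiles, object authorities, file tree, action names and the Session and handle_* functions are all constructed for the illustration and do not correspond to real DCM internals.

```python
"""Added illustration of the bug class behind APAR SE77758 (not IBM's DCM
code): a client-controlled UI flag ("isSecAdm") chose the admin menu, and a
menu action (file system browse) was served without a check of its own.
Every profile, ACL, path and action name below is constructed for the demo."""
from dataclasses import dataclass

ALLOBJ, SECADM = "*ALLOBJ", "*SECADM"
READ_AUTHORITIES = {"*R", "*RX", "*RW", "*RWX"}   # simplified data authorities

# Constructed stand-in for a server-side user profile lookup.  On a real
# system this comes from the OS (what DSPUSRPRF shows), never from the request.
USER_PROFILES = {
    "QSECOFR": frozenset({ALLOBJ, SECADM}),
    "WEBUSER": frozenset(),            # low-authority user, no special authorities
}

# Constructed file tree, per-object authorities and certificate-store registry.
FILE_TREE = {
    "/certs": ["ca.crt", "server.kdb"],
    "/home/webuser": ["notes.txt"],
}
OBJECT_AUTH = {                        # path -> {user or *PUBLIC: authority}
    "/certs/ca.crt": {"*PUBLIC": "*RX"},
    "/certs/server.kdb": {"QSECOFR": "*RWX"},
}
CERT_STORES = ["server.kdb"]


class AuthorityError(PermissionError):
    """Raised where the IBM i authority check would reject the request."""


@dataclass(frozen=True)
class Session:
    user: str   # authenticated user; authorities are resolved on the server

    @property
    def is_sec_admin(self) -> bool:
        auth = USER_PROFILES.get(self.user, frozenset())
        return ALLOBJ in auth and SECADM in auth


def has_read_authority(user: str, path: str) -> bool:
    """Object-level check (what the OS does on every file access): the user's
    own entry wins, otherwise *PUBLIC; either must grant a read authority."""
    acl = OBJECT_AUTH.get(path, {})
    granted = acl.get(user, acl.get("*PUBLIC", "*EXCLUDE"))
    return granted in READ_AUTHORITIES


def handle_vulnerable(session: Session, request: dict):
    """Pre-fix shape: the full menu is selected from the client's isSecAdm
    field and the browse action has no check of its own, so any signed-on
    user who sends isSecAdm=true can list directories."""
    full_menu = request.get("isSecAdm") == "true"      # BUG: client-controlled
    action = request["action"]
    if action == "browse_filesystem" and full_menu:
        return FILE_TREE.get(request["path"], [])       # no authority check
    if action == "download_ca_cert":                    # object authority only
        if not has_read_authority(session.user, request["path"]):
            raise AuthorityError(request["path"])
        return f"contents of {request['path']}"
    raise AuthorityError(action)


def handle_hardened(session: Session, request: dict):
    """Post-fix shape: the admin decision comes from the user's special
    authorities; an isSecAdm field in the request is ignored entirely."""
    is_admin = session.is_sec_admin
    action = request["action"]
    if action == "browse_filesystem":
        if not is_admin:
            raise AuthorityError("browse requires *ALLOBJ and *SECADM")
        return FILE_TREE.get(request["path"], [])
    if action == "list_stores":
        return list(CERT_STORES) if is_admin else []   # empty list, not an error
    if action == "create_store":
        if not is_admin:
            raise AuthorityError("create_store requires *ALLOBJ and *SECADM")
        CERT_STORES.append(request["name"])
        return request["name"]
    if action == "download_ca_cert":                    # still open to everyone,
        if not has_read_authority(session.user, request["path"]):  # gated by *RX
            raise AuthorityError(request["path"])
        return f"contents of {request['path']}"
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    spoof = {"action": "browse_filesystem", "path": "/certs", "isSecAdm": "true"}
    print("vulnerable:", handle_vulnerable(Session("WEBUSER"), spoof))
    try:
        handle_hardened(Session("WEBUSER"), spoof)
    except AuthorityError as err:
        print("hardened:", err)
```

The hardened handler never reads isSecAdm; the flag may still drive which menu the browser renders, but the menu is presentation only. The download_ca_cert path shows the other half of the design the correction text describes: the low-authority use case keeps working because it is gated by object authority (*RX on the certificate file) rather than by special authority.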

CIRCUMVENTION FOR APAR SE77758 :
--------------------------------
None.


Activation Instructions


None.




Special Instructions


Restart the ADMIN3 server instance.
ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)
STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)

********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI77987 :
=================================================

Restart Admin3 server instance.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI76505 :
=================================================

Restart the Admin3 server instance.
ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)
STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI75192 :
=================================================

Restart Admin3 server instance.
ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)
STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI74432 :
=================================================

Restart the ADMIN3 server instance.
ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)
STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)


After applying or removing this PTF, restart the ADMIN3 server
instance.
ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)
STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)

Restart the ADMIN3 server instance:
ENDTCPSVR *IAS INSTANCE(ADMIN3)
STRTCPSVR *IAS INSTANCE(ADMIN3)


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI78882      OSP-UPDATE OPEN-SOURCE PACKAGE LIBRARIES FOR DCM
   SI77987      OSP-DCM ENHANCEMENTS
   SI76679      OSP-DCM THREADSAFE ATTRIBUTE OF EXIT PROGRAM SET AS NO
   SI76505      OSP-DCM LOOPS ON CERTIFICATE RENEW WHEN NO LOCAL CA EXISTS
   SI76118      OSP-DCM VERSION UPDATE
   SI75746      OSP-DCM SHOWS EMPTY CERTIFICATE LIST WHEN ASSIGNING
   SI75192      OSP-DCM INCREMENTAL UPDATE
   SI74432      OSP-DCM INCREMENTAL UPDATE
   SI73491      OSP-DCM FAILS TO DOWNLOAD CERT WITH A SPACE IN THE FILE NAME
   SI73217      OSP-DCM GUI NOT DISPLAYING THE CORRECT ERROR MESSAGE
   SI71936      OSP-ENHANCED DCM UI SUPPORT
   SI71756      Enhanced DCM with Object Signing (GUI)
   SI71406      OSP-DCM UI WITH ERROR MESSAGES AND HELP TEXT
   SI70715      DCM GUI Update
   SI70432      DCM ITERATIVE UPDATE
   SI69767      ENHANCEMENT

Summary Information

System..............................  i
Models..............................  
Release.............................  V7R4M0
Licensed Program....................  5770SS1
APAR Fixed..........................  SE77758
Superseded by:......................  
Recompile...........................  N
Library.............................  QICSS
MRI Feature ........................  NONE
Cum Level...........................  



IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.


Document Information

Modified date:
10 May 2022