
SI79620 - OSP-CERT FILE SYSTEM ACCESS IN DCM WITH LOW AUTHORITY USER

PTF (Program Temporary Fix) Cover Letter



Abstract

OSP-CERT FILE SYSTEM ACCESS IN DCM WITH LOW AUTHORITY USER


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED           PTF/FIX  LEVEL

TYPE PROGRAM  RELEASE   NUMBER   MIN/MAX  OPTION
---- -------- --------- -------  -------  ------
PRE  5770SS1  V7R5M0    SI77994   NONE     0034
CO   5770SS1  V7R5M0    SI79585   NONE     0034



NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.





APAR Error Description / Circumvention

-----------------------------------------------
When signed on as a low authority user, it is possible to make the
DCM UI display a screen intended for a system administrator by
setting the "isSecAdm" DCM flag to 'true' on the client side.
With the full menu displayed, the low authority user can click
buttons that send DCM action requests, including requests to
browse the file system for objects.

CORRECTION FOR APAR SE77758 :
-----------------------------
IBM Digital Certificate Manager for i is designed to be used by
low authority users to download CA certificates into their
browsers when the user has been given *RX access to the CA
certificate files.  As such, there are two menus to display
based on a user's authority.  The full menu is intended for
users with *ALLOBJ and *SECADM authority, a shorter menu is for
users without those special authorities.  Regardless of which
menu is presented, the actions that are requested are controlled
by authority checks on IBM i so only the authorized logged in
user can perform the intended requests via DCM UI.

The fix which is provided will ensure that users accessing DCM
are only able to request the actions they are expected to
perform via the DCM UI.  For users that do not have *ALLOBJ and
*SECADM special authority, any browsing of the file system via
DCM is prevented.  Attempting to get a list of existing
certificate stores returns an empty list.  Attempting to perform
actions such as creating a certificate store results in an
authority error.

These extra controls have been added to the DCM UI so that the
actions a user can request are restricted before the authority
checks are performed by the IBM i operating system.
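The flaw and the fix described above, modelled as an added Python example (this is not DCM's own code; the handler names, action names, the Session class and the sample paths are assumptions): a client-supplied isSecAdm flag must have no influence on what the server will do, and the corrected handler derives the menu from the session's special authorities, returning an empty store list and an authority error for non-admin users as the cover letter states.

```python
from dataclasses import dataclass

class AuthorityError(Exception):
    """Refusal made in the DCM UI layer, before any IBM i object authority check."""

@dataclass(frozen=True)
class Session:
    special_authorities: frozenset  # hypothetical: read from the user profile, never from the client

def is_sec_admin(session: Session) -> bool:
    # The full DCM menu is for users holding both *ALLOBJ and *SECADM.
    return {"*ALLOBJ", "*SECADM"} <= session.special_authorities

# Constructed sample data standing in for IFS objects and certificate stores.
IFS_OBJECTS = ["/QIBM/UserData/ICSS/Cert/Server/DEFAULT.KDB", "/home/alice/ca.crt"]
CERT_STORES = ["*SYSTEM", "*OBJECTSIGNING"]

def handle_request_vulnerable(session, action, params):
    """Modelled pre-fix behaviour: a client-supplied isSecAdm=true selects the full
    menu, so a low authority user can request every action on it."""
    if params.get("isSecAdm") == "true" or is_sec_admin(session):
        if action == "browse_fs":
            return list(IFS_OBJECTS)
        if action == "list_stores":
            return list(CERT_STORES)
        if action == "create_store":
            return f"created {params['name']}"
    raise AuthorityError(f"request {action} refused")

def handle_request_fixed(session, action, params):
    """Post-fix behaviour: the client flag is ignored and each action is gated on
    the session's special authorities, as the cover letter describes."""
    admin = is_sec_admin(session)
    if action == "browse_fs":
        if not admin:
            raise AuthorityError("file system browsing is not permitted")
        return list(IFS_OBJECTS)
    if action == "list_stores":
        return list(CERT_STORES) if admin else []  # empty list, not an error
    if action == "create_store":
        if not admin:
            raise AuthorityError("creating a store requires *ALLOBJ and *SECADM")
        return f"created {params['name']}"
    raise AuthorityError(f"unknown action {action}")

def is_refused(handler, session, action, params) -> bool:
    # True when the handler rejects the request in the UI layer.
    try:
        handler(session, action, params)
        return False
    except AuthorityError:
        return True
```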

CIRCUMVENTION FOR APAR SE77758 :
--------------------------------
None.


Activation Instructions


None.




Special Instructions


Restart the ADMIN3 server instance.
ENDTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)
STRTCPSVR SERVER(*IAS) INSTANCE(ADMIN3)

********************************************************************
THE FOLLOWING ARE SUPERSEDED SPECIAL INSTRUCTIONS. IF THE SUPERSEDED
PTF HAS ALREADY BEEN APPLIED AND ITS SPECIAL INSTRUCTION FOLLOWED,
IT IS NOT NECESSARY TO FOLLOW THAT SPECIAL INSTRUCTION AGAIN.
********************************************************************

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI78883 :
=================================================

Restart Admin3 server instance.

SPECIAL INSTRUCTIONS FOR SUPERSEDED PTF SI77998 :
=================================================

Restart the Admin3 server instance.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI78883      OSP-UPDATE OPEN-SOURCE PACKAGE LIBRARIES FOR DCM
   SI77998      OSP-DCM ENHANCEMENTS

Summary Information

System..............................  i
Models..............................  
Release.............................  V7R5M0
Licensed Program....................  5770SS1
APAR Fixed..........................  SE77758
Superseded by:......................  SI85844
Recompile...........................  N
Library.............................  QICSS
MRI Feature ........................  NONE
Cum Level...........................  C2321750



Document Information

Modified date:
21 February 2024