APAR status
Closed as program error.
Error description
This problem is a Known Issue also found in TS011801394, TS011062716.
Environment: ITM
ITM version: 6.30fp7 SP13
Detailed Recreation Procedure: Apply SP13 and attempt TEPS login
Related Files and Output: N/A
Local fix
The issue arises because SP13 made updates on AIX to properly support PAM authentication. As part of that change, the default for normal (non-PAM) authentication was updated to always include a check for user login restrictions, which had not been the case previously. The missing check was a security hole, and the change is the correct behavior. However, the login restrictions check we use includes the remote login attribute, which isn't enabled by default for locally defined users.
Problem summary
User authentication fails when the Hub TEMS runs on AIX and is upgraded to SP13.

SP13 changed the operation of authentication on AIX so that PAM (Pluggable Authentication Modules) could be used. If PAM is enabled on a server, a Hub TEMS can be configured to use it by setting KDS_VALIDATE_EXT to Y.

But the code also changed the authentication behaviour when KDS_VALIDATE_EXT is set to N (the default setting): it now calls the 'loginrestrictions' API to verify that the user account is authorised to perform a remote login, i.e. that the rlogin attribute is "true". Prior to SP13, this check was performed only when KDS_VALIDATE_EXT was set to Y.

Consequently, after SP13 is applied, at sites where KDS_VALIDATE_EXT is set to N, authentication of a user will fail if the rlogin attribute in their user account is "false".
Problem conclusion
The code was changed to restore the original KDS_VALIDATE_EXT=N behaviour; specifically, the rlogin attribute value is checked only when KDS_VALIDATE_EXT is set to Y and only if PAM services are unavailable.

The fix for this APAR is contained in the following maintenance packages:
Service pack: 6.3.0.7-TIV-ITM-SP0014
Temporary fix
Temporarily set the user's rlogin attribute to "true": `chuser rlogin=true <userid>`
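The following script is an added example, not IBM code and not part of the original APAR: it encodes the rlogin-check behaviour described above per maintenance level and lists the accounts whose rlogin attribute is "false" when that check applies. The function names and sample accounts are hypothetical, and the input is assumed to be in the format printed by the AIX command `lsuser -a rlogin ALL`.

```shell
#!/bin/sh
# Added example (not IBM code): list accounts the rlogin check would reject.

# Constructed sample of `lsuser -a rlogin ALL` output; user names are made up.
sample_lsuser() {
cat <<'EOF'
root rlogin=true
sysadmin rlogin=false
itmuser rlogin=true
tepsop1 rlogin=false
EOF
}

# rlogin_checked LEVEL EXT PAM
#   LEVEL: pre-SP13 | SP13 | SP14     EXT: KDS_VALIDATE_EXT value (Y | N)
#   PAM:   available | unavailable
# Prints yes/no as stated in the APAR, or "unstated" where it says nothing.
rlogin_checked() {
    case "$1:$2:$3" in
        pre-SP13:Y:*)        echo yes ;;
        pre-SP13:N:*)        echo no ;;
        SP13:N:*)            echo yes ;;
        SP14:Y:unavailable)  echo yes ;;
        SP14:[YN]:*)         echo no ;;
        *)                   echo unstated ;;
    esac
}

# at_risk_users LEVEL EXT PAM [userid ...]
# Reads lsuser-style lines on stdin and prints the accounts with rlogin=false
# when the rlogin check applies. With no user IDs, every account is considered.
at_risk_users() {
    [ "$(rlogin_checked "$1" "$2" "$3")" = yes ] || { cat >/dev/null; return 0; }
    shift 3
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        {
            val = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^rlogin=/) val = substr($i, 8)
            if (val == "false" && (n == 0 || ($1 in keep))) print $1
        }'
}

# On AIX, feed real data instead of the sample: lsuser -a rlogin ALL | at_risk_users ...
sample_lsuser | at_risk_users SP13 N available itmuser tepsop1
```

Each account it prints is a candidate for the temporary fix until SP14 is applied.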
Comments
APAR Information
APAR number
IJ44999
Reported component name
TEPS
Reported component ID
5724C04PS
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-01-18
Closed date
2023-04-17
Last modified date
2023-04-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TEPS
Fixed component ID
5724C04PS
Applicable component levels
Document Information
Modified date:
18 April 2023