IBM Support

IJ44999: COULD NOT LOGIN TO TEPS AFTER APPLYING 6.3.0.7-TIV-ITM-SP0013


APAR status

  • Closed as program error.

Error description

  • This problem is a Known Issue also found in TS011801394,
    TS011062716.
    Environment:    ITM
    
    ITM version: 6.30fp7 SP13
    
    Detailed Recreation Procedure:
    Apply SP13 and attempt TEPS login
    
    Related Files and Output: N/A
    

Local fix

  • The issue arises because SP13 included updates on AIX to
    properly support PAM authentication. As part of that change,
    the default for normal (non-PAM) authentication was updated to
    always include a check for user login restrictions, which had
    not been the case before. That was a security hole and the
    change is the correct behavior. However, the login restrictions
    check we use includes the remote login attribute, which isn't
    enabled by default for locally defined users.
    

Problem summary

  • User authentication fails when the Hub TEMS runs on AIX and is
    upgraded to SP13
    
    
    SP13 changed the operation of authentication on AIX so that PAM
    (Pluggable Authentication Modules) could be used. If PAM is
    enabled on a server, a Hub TEMS can be configured to use it by
    setting KDS_VALIDATE_EXT to Y. But the code also changed the
    authentication behaviour when KDS_VALIDATE_EXT is set to N (the
    default setting): it now calls the 'loginrestrictions' API to
    verify that the user account is authorised to perform a remote
    login, i.e. that the rlogin attribute is "true". Prior to SP13,
    this check was performed only when KDS_VALIDATE_EXT was set to
    Y. Consequently, after SP13 is applied, for sites where
    KDS_VALIDATE_EXT is set to N, the authentication of a user will
    fail if the rlogin attribute in their user account is "false".
    

Problem conclusion

  • The code was changed to restore the original KDS_VALIDATE_EXT=N
    behaviour; specifically, the rlogin attribute value is checked
    only when KDS_VALIDATE_EXT is set to Y and only if PAM services
    are unavailable.
    
    
    The fix for this APAR is contained in the following maintenance
    packages:
    
       | service pack | 6.3.0.7-TIV-ITM-SP0014
    

Temporary fix

  • Temporarily set the user's rlogin attribute to "true":
    
    `chuser rlogin=true <userid>`
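
An added example, not IBM's code: a small audit helper that lists the accounts whose rlogin attribute is not "true", which are the accounts that fail authentication under SP13 with KDS_VALIDATE_EXT=N. It assumes the `name attr=value` line format printed by `lsuser -a rlogin ALL`; the function names and the sample user names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): find accounts the SP13 rlogin check rejects.
# Assumption: input lines look like `lsuser -a rlogin ALL` output on AIX,
# i.e. "<user> rlogin=<true|false>", one account per line.

# rlogin_blocked [user ...]
# Reads lsuser-style lines on stdin and prints "<user> rlogin=<value>" for
# every account whose rlogin attribute is not "true". When user names are
# given as arguments, only those accounts are considered.
rlogin_blocked() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NF == 0 { next }                      # skip blank lines
        n > 0 && !($1 in keep) { next }       # not one of the requested users
        {
            val = "unset"                     # attribute missing from the line
            for (i = 2; i <= NF; i++)
                if ($i ~ /^rlogin=/) val = substr($i, 8)
            if (val != "true") print $1, "rlogin=" val
        }
    '
}

# Constructed sample input; the user names are made up for illustration.
sample_lsuser() {
    cat <<'EOF'
root rlogin=true
itmadm rlogin=false
itmop1 rlogin=false
itmop2 rlogin=true
EOF
}

# On AIX use the real account database; elsewhere fall back to the sample.
if command -v lsuser >/dev/null 2>&1; then
    lsuser -a rlogin ALL | rlogin_blocked "$@"
else
    sample_lsuser | rlogin_blocked "$@"
fi
```

The resulting list scopes the temporary fix to the accounts that need it, so they can be returned to rlogin=false once 6.3.0.7-TIV-ITM-SP0014 is installed.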
    

APAR Information

  • APAR number

    IJ44999

  • Reported component name

    TEPS

  • Reported component ID

    5724C04PS

  • Reported release

    630

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-01-18

  • Closed date

    2023-04-17

  • Last modified date

    2023-04-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TEPS

  • Fixed component ID

    5724C04PS

Applicable component levels

  • IBM Tivoli Monitoring V6, version 630 (Platform Independent)

Document Information

Modified date:
18 April 2023