APAR status
Closed as documentation error.
Error description
Interactive jobs now fail if the streamlogon user is different to the user runing the active desktop. This must be documented. Below is explained the reason for this. On 8.6 FP2 and 8.5.1 FP4 we fixed a TWS problem when running interactive jobs on Windows system as Vista and Windows 2008. Windows 2008 changed the behaviour for the Session0. Windows Vista introduced us to the concept of Session 0 Isolation. This was in response to the need to isolate highly privileged service applications from malicious applications running in user space. These malicious applications would attempt to inject arbitrary code via into the service application via the application s message loop. These attacks are classified as shatter attacks. The net effect of this is that interactive Windows services are only available on Session o (or the Console session). When you log on to your Vista, 2008 or Windows 7 machine you now no longer login to Session 0 but into Session 1. On TWS there was a bug :- This has been fixed with defect 56503 on 851 fp4 and 67329 on 86 fp2. Basically what happened is that TWS when running interactive job for the user "tws00" (for example) tried to open the desktop on Session0 instead of using an active desktop session for the user tws00. This was a security exposure since if into the machine another user as "tws001" was logged in then the TWS was opening the interactive desktop session on the "session0" or into the session of "tws001" user. There were the need to have TWS opening and using the "interactive " session for the "streamlogon" user that were running the TWS interactive job. So the user that was specified into streamlogon user should have on Vista and WIndows 2008 a Desktop session on the machine thus should be logged into the machine itself.
Local fix
Use correct streamlogon
Problem summary
See apar description.
Problem conclusion
In the TWS 8.5.1 readme please specify that there is a feature : 56503 on 851 fp4 Interactive Job on Windows 7, Windows 2008 and Windows vista needs to have the "streamlogon" user logged on the machine where the interactive job needs to be executed. This because it is needed to have a "desktop" session already opened on the machine for the streamlogon user before launching the job and this will occurs only when the user is already logged-in. In the TWS 8.6 FP2 67329 introduce this feature so the same behaviour will occurs.
Temporary fix
Comments
APAR Information
APAR number
IV37787
Reported component name
TIV WKLD SCHDL
Reported component ID
5698WKB84
Reported release
8A5
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-03-11
Closed date
2013-03-25
Last modified date
2013-03-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIV WKLD SCHDL
Fixed component ID
5698WKB85
Applicable component levels
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSGSPN","label":"IBM Workload Scheduler"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8A5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
25 March 2013