A fix is available
APAR status
Closed as program error.
Error description
For most UNIX and Linux platforms, Java creates a directory structure in /tmp whenever a new Java Virtual Machine (JVM) is created. The directory structure looks like this:

PERM  DIRNAME/FNAME
====  ======================================================
1777  /tmp/.com_ibm_tools_attach
666   /tmp/.com_ibm_tools_attach/_master
666   /tmp/.com_ibm_tools_attach/_notifier
666   /tmp/.com_ibm_tools_attach/_attachlock
1711  /tmp/.com_ibm_tools_attach/<PID>
666   /tmp/.com_ibm_tools_attach/<PID>/attachNotificationSync
600   /tmp/.com_ibm_tools_attach/<PID>/attachInfo

The entries in the <PID> subdirectory are specific to a given process identifier. They are removed when the process ends. The other entries persist. If they are removed, they are recreated by the next JVM.

This structure is used as part of a communication mechanism between JVMs called the ATTACH API. It is documented here:
http://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.aix.70.doc/user/attachapi.html

Despite its automatic creation, the core of IBM Tivoli Monitoring (ITM) does not use this mechanism, and some customers perceive the resulting file structure to be a security exposure.
Local fix
Problem summary
Disable Java Attach API.

The Java Attach API is a mechanism provided by the Java Runtime Environment (JRE). It is designed to allow applications to connect to a running Java Virtual Machine (JVM). The interface is described here:
http://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.zos.70.doc/user/attachapi.html

By default, Java creates a directory and file structure like this the first time a JVM is started:

drwxrwxrwt  TMPDIR/.com_ibm_tools_attach
-rw-rw-rw-  TMPDIR/.com_ibm_tools_attach/_attachlock
-rw-rw-rw-  TMPDIR/.com_ibm_tools_attach/_master
-rw-rw-rw-  TMPDIR/.com_ibm_tools_attach/_notifier

It also creates a directory and file structure like this for each running JVM:

drwx--x--t  TMPDIR/.com_ibm_tools_attach/<PID>
-rw-rw-rw-  TMPDIR/.com_ibm_tools_attach/<PID>/attachNotificationSync
-rw-------  TMPDIR/.com_ibm_tools_attach/<PID>/attachInfo

Note: For AIX and Linux, TMPDIR is usually /tmp. For Windows, TMPDIR is usually C:\Users\<userid>\AppData\Local\Temp or a subdirectory within.

While no application data is stored here and the structure is recreated if it is ever destroyed, some perceive the permissions structure to be a security exposure.

This behavior exists for IBM Tivoli Monitoring (ITM) on AIX, Linux, and Windows. Neither HP-UX nor Solaris is affected.
Problem conclusion
The CANDLEHOME JRE package was modified to include a default option that disables the Java Attach API. For IBM Tivoli Monitoring processes that use the CANDLEHOME JRE, this means the above directory and file structure is not generated.

Be aware that some ITM subcomponents do not use the CANDLEHOME JRE, which means their JVMs may continue to generate the structure. There are two main areas that are untouched:

1) The portal server uses the embedded WebSphere Application Server and the IBM Help Server. Both of these subcomponents have their own JRE independent of the CANDLEHOME JRE. So, whenever the portal server is started, the structure is generated. There is no workaround for this behavior.

2) Some agents have their own JRE independent of the CANDLEHOME JRE. So, whenever the agent creates a new JVM, the structure is generated. Most agents (and the OS agents, specifically) do not do this. For the ones that do, consult the support team responsible for the agent to determine whether they can make changes to prevent the behavior.

The fix for this APAR is contained in the following maintenance packages:

| fix pack | 6.3.0-TIV-ITM-FP0007
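To check which JVMs on a host still generate the structure after the fix pack is applied, the following Python script (an added example, not part of the APAR or of IBM's code) inspects a temporary directory, lists the PIDs that own a per-process entry, and flags any entry whose mode differs from the permissions listed in this APAR. The function names and the `tmpdir` parameter are assumptions made for illustration.

```python
import os
import stat

ATTACH_DIR = ".com_ibm_tools_attach"
# Modes listed in this APAR for the shared entries and the per-PID entries.
COMMON = {".": 0o1777, "_master": 0o666, "_notifier": 0o666, "_attachlock": 0o666}
PER_PID = {".": 0o1711, "attachNotificationSync": 0o666, "attachInfo": 0o600}


def expected_mode(rel):
    """Return the documented mode for a path relative to the attach directory."""
    parts = rel.split(os.sep)
    if len(parts) == 1:
        if parts[0] in COMMON:
            return COMMON[parts[0]]
        return PER_PID["."] if parts[0].isdigit() else None
    if len(parts) == 2 and parts[0].isdigit():
        return PER_PID.get(parts[1])
    return None  # anything else is not part of the documented structure


def audit(tmpdir="/tmp"):
    """Report whether the structure exists, which PIDs own entries, and deviations."""
    root = os.path.join(tmpdir, ATTACH_DIR)
    report = {"present": os.path.isdir(root), "pids": [], "unexpected": []}
    if not report["present"]:
        return report  # attach API disabled, or no JVM has started here
    entries = [root]
    for dirpath, dirs, files in os.walk(root):
        entries += [os.path.join(dirpath, n) for n in dirs + files]
    for path in entries:
        rel = os.path.relpath(path, root)
        try:
            mode = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            continue  # per-PID entries disappear when their process ends
        if rel.isdigit():
            report["pids"].append(int(rel))
        if mode != expected_mode(rel):
            report["unexpected"].append((rel, oct(mode)))
    report["pids"].sort()
    return report


if __name__ == "__main__":
    print(audit())
```

Because the per-PID directories are mode 1711, a non-owner can see that a PID directory exists but cannot list its contents; run the script as root to inspect the files inside other users' entries.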
Temporary fix
Comments
APAR Information
APAR number
IV82700
Reported component name
OMEG DIST INSTA
Reported component ID
5608A41CI
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-03-16
Closed date
2017-01-06
Last modified date
2017-01-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
OMEG DIST INSTA
Fixed component ID
5608A41CI
Applicable component levels
Document Information
Modified date:
08 March 2023