Thursday, March 6, 2008

Having more fun with the tacmd

Most of the tacmd options require you to log in to the TEMS machine using tacmd login before you can run them. However, by default the TEMS server doesn't actually authenticate the userid specified in the tacmd login.

For example, I can run the following command:

tacmd login -u blah -p blah

from my OS userid on the HUB TEMS, and I can successfully log in and run all of the other tacmd options. At first I thought TEP Security: Validate User had to be turned on (i.e., force users to log in to the TEPS with a valid OS userid and password). Unfortunately this had no effect on the tacmd login security. I read in the documentation that if no users are defined in the SOAP server then any user can access the SOAP server. Since I was pretty sure that tacmd uses the SOAP server to access the ITM 6 infrastructure, I figured that I needed to configure the SOAP server on the HUB TEMS. I was hoping this would force authentication of the tacmd usage. By the way, the SOAP server by default is not configured to authenticate users. IMHO, this is a gaping security hole on many levels.

I proceeded to try and configure the SOAP server on my HUB TEMS. To my surprise there is no documentation on how to configure a SOAP server on a Unix system (only Windows). Heck, who would want to run their HUB TEMS on a Unix system anyway. So, like many things Tivoli, I had to figure it out without the use of documentation. From the MTEMS on my HUB TEMS I could right-click and select Configure. After fishing around a little I found that if I select the SAVE button it brings up the SOAP configuration panel. I then proceeded to add a valid OS userid to the SOAP configuration for Query and Update. Then I saved the changes and recycled the TEMS server. I then brought the MTEMS Configure option back up to check whether the users were still configured in the SOAP configuration, and they still were (see below about them disappearing after about 10 minutes).

After I confirmed the users were still defined from the MTEMS, I tried the bogus tacmd login again and I again successfully authenticated as the non-existent blah account. Interestingly enough, when I went back to look at the SOAP configuration after about 10 minutes the users were no longer defined. I searched the logs to see if there was anything I could find, but I didn't find anything obvious. At this point I decided to let IBM earn their money and have them explain how tacmd authentication works. I had the client open a PMR for this issue; we will see what happens.

BTW: The default timeout for the tacmd login is 15 minutes. I have set the timeout to the max of 1440 in my .profile login script. This way I can stay logged in and not have to log in every time I need to run a tacmd option.

Here is a portion of code I added to my .profile script:

# Put the ITM binaries (including tacmd) on the PATH and point CANDLEHOME at the install root
PATH=$PATH:/opt/IBM/ITM/bin
CANDLEHOME=/opt/IBM/ITM

export PATH CANDLEHOME

# Log in to the local HUB TEMS at shell startup with the maximum timeout (1440 minutes);
# note that with the default SOAP configuration the userid and password are not validated
tacmd login -u blah -p blah -s `hostname` -t 1440
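As an added example (not from the original post), here is a hardened variant of that .profile snippet: it keeps the password out of the dotfile by reading the userid and password from a credential file that must be owned by you and mode 0600, and it falls back to the post's 1440-minute maximum whenever the requested timeout is non-numeric or out of range. The credential file name ($HOME/.itm_cred) and the install path are assumptions.

```sh
# Hardened .profile fragment for tacmd login (added example, not the post's own code).
# Assumed paths: CANDLEHOME=/opt/IBM/ITM, credential file $HOME/.itm_cred.
CANDLEHOME=/opt/IBM/ITM
PATH=$PATH:$CANDLEHOME/bin
export PATH CANDLEHOME

# Return a timeout (minutes) that tacmd will accept: anything that is not a
# number in 1..1440 falls back to the 1440 maximum from the post.
itm_clamp_timeout() {
    t=$1
    case $t in
        ''|*[!0-9]*) echo 1440; return ;;
    esac
    if [ "$t" -lt 1 ] || [ "$t" -gt 1440 ]; then
        echo 1440
    else
        echo "$t"
    fi
}

# Succeed only if the credential file exists, is owned by the caller and is
# mode 0600 (ls output is parsed so this works with both GNU and BSD stat).
itm_credfile_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Log in to the HUB TEMS named by $1 using the credential file $2
# (userid on line 1, password on line 2) for $3 minutes.
itm_login() {
    hub=$1 credfile=$2
    mins=$(itm_clamp_timeout "$3")
    itm_credfile_ok "$credfile" || {
        echo "refusing $credfile: it must be owned by you and mode 0600" >&2
        return 1
    }
    user=$(sed -n 1p "$credfile")
    pass=$(sed -n 2p "$credfile")
    tacmd login -u "$user" -p "$pass" -s "$hub" -t "$mins"
}

# Only attempt the login on hosts where tacmd is actually installed.
if command -v tacmd >/dev/null 2>&1; then
    itm_login "$(hostname)" "$HOME/.itm_cred" 1440
fi
```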
