
[ADSM-L] 7.1.8/8.1.3 Security Upgrade Install Issues

2017-10-05 22:11:38
Subject: [ADSM-L] 7.1.8/8.1.3 Security Upgrade Install Issues
From: Roger Deschner <rogerd AT UIC DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Thu, 5 Oct 2017 21:07:19 -0500
Versions 7.1.8 and 8.1.3 of WDSF/ADSM/TSM/SP have now been made
available containing substantial security upgrades. A bunch of security
advisories were sent this week containing details of the vulnerabilities
patched. Some are serious; our security folks are pushing to get patches
applied.

For the sake of discussion, I will simply call versions 7.1.7 and before
and 8.1.1 "Old", and I'll call 7.1.8 and 8.1.3 "New". (Not really sure
where 8.1.2 falls, because some of the security issues are only fixed in
8.1.3.)

There are some totally unclear details outlined in
http://www-01.ibm.com/support/docview.wss?uid=swg22004844. What's most
unclear is how to upgrade a complex, multi-server, library-manager
configuration. It appears from this document that you must jump all in
at once, and upgrade all servers and clients from Old to New at the same
time. That is simply impractical. There is extensive discussion of the
new SESSIONSECURITY parameter, but no discussion of what happens when
connecting to an Old client or server that does not even have the
SESSIONSECURITY parameter.

We have 4 TSM servers. One is a library manager. Two of them are clients
of the manager. The 4th server manages its tapes by itself, though it
still communicates with all the other servers. That 4th server, the
independent one, is what I'm going to upgrade first, because it is the
easiest. All our clients are Old.

The question is, what's going to happen next? Will this one New server
still be able to communicate with the other Old servers?

Once my administrator id connects to a New server, this document says
that my admin id can no longer connect to Old servers. (SESSIONSECURITY
is automatically changed to STRICT.) Or does that restriction only apply
if I connect from a New client? This could be an issue since I regularly
connect to all servers in a normal day's work. We also have automated
scripts driven by cron that fetch information from each of the servers.
The bypass of creating another administrator ID is also not practical,
because that would involve tracking down and changing all of these
cron-driven scripts. So, the question here is, at the intermediate phase
where some servers are Old and some New, can I circumvent this Old/New
administrator ID issue by only connecting using dsmadmc on Old clients?

This has also got to have an impact on users of software like
Servergraph.

There's also the issue of having to manually configure certificates
between our library managers and library clients, but at least the steps
to do that are listed in that document. (Comments? Circumventions?)

We're plunging ahead regardless, because of a general policy to apply
patches quickly for all published security issues. (Like Equifax didn't
do for Apache.) I'm trying to figure this out fast, because we're doing
it this coming weekend. I'm sure there are parts of this I don't
understand. I'm trying to figure out how ugly it's going to be.

Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
======I have not lost my mind -- it is backed up on tape somewhere.=====

