Messages - Justin Derrick

Pages: 1 ... 4 5 6 7 8 [9] 10 11 12 13 14 ... 133
121
MP Server / Re: cache size limit
« on: January 12, 2022, 06:58:02 PM »
Nope, you can have as many cache filesystems as your operating system will permit.  However, there are problems as your cache gets larger - backup windows get longer, you can run out of inodes, etc. 

-JD.

122
Windows Client / Re: Duplicate ids
« on: January 12, 2022, 06:55:10 PM »
Can you show us some screen shots of the duplicate IDs?  Is there anything special about the IDs?  (Similar names, a high number of users, etc.?)

-JD.

123
Announcements & News / Re: SECURITY: Apache Log4j vulnerability
« on: December 22, 2021, 05:34:34 AM »
Yup, with more attention comes more scrutiny - there will likely be more announcements of new vulnerabilities found and fixed in log4j in the coming weeks and months.  Document the process so you can get good at upgrading your environment!  :)

-JD.

124
Announcements & News / Re: SECURITY: Apache Log4j vulnerability
« on: December 16, 2021, 02:11:07 PM »
Yes, the patch to Apache Log4j 2.16 is recommended. 

However, just so you know, there's a new "data exfiltration" bug for Log4j that has been reported to Apache, but in accordance with "responsible disclosure", there is no additional information, only that this means there will be another patch.

The best thing to do is get the process of rolling out these patches well documented and repeatable for the near future.

-JD.

125
MP Server / Re: Determine the active segment table being used
« on: December 16, 2021, 02:05:55 PM »
You have to tell it which Application Group you want the information for.  :)

-JD.

126
Announcements & News / Re: SECURITY: Apache Log4j vulnerability
« on: December 13, 2021, 07:32:07 AM »
Hey Ed.

I just checked CMOD v10.5 Fixpack 3, and it still includes a vulnerable version (v2.13) of log4j. 

Are you saying the included version was patched against the exploit, or will an interim fix be available shortly?  Or instructions on replacing log4j with v2.15+?

-JD.

127
Announcements & News / SECURITY: Apache Log4j vulnerability
« on: December 11, 2021, 10:10:30 AM »
Apache log4j version 2 is included as a requisite library for CMOD v10.1 and v10.5, and a serious vulnerability has been announced. 

ICN v3 uses log4j v1.2.x that is in 'End of Life' -- it will not receive security updates, so you must upgrade to v2.15.x or above to be protected.

CMOD v9.x does not use Apache log4j, so those versions are unaffected. 

More information on the Apache Log4j exploit is here:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

There's an article on the Wiki with some more background and discussion of the impact:
https://cmod.wiki/index.php?title=Apache_Log4j_%26_CMOD_ODWEK_ICN

Please discuss / ask your questions here.

-JD.

UPDATES:
IBM Technote on CMOD v10.1:  https://www.ibm.com/support/pages/node/6525892
IBM Technote on CMOD v10.5:  https://www.ibm.com/support/pages/node/6525888
IBM TechNote on WebSphere & log4j:  https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-apache-log4j-affect-ibm-websphere-application-server-and-ibm-websphere-application-server-liberty-cve-2021-4104-cve-2021-45046
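
An added example (not part of the original post, and not IBM's or the forum's code): a file-name inventory of log4j jars under an install tree, flagging log4j 1.x as end-of-life and log4j-core 2.x below the 2.15 threshold given in the announcement above. The MIN_FIXED variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inventory log4j jars by file name.
# MIN_FIXED follows the announcement above ("v2.15.x or above"); raise it
# when a newer fixed release is recommended.
MIN_FIXED="${MIN_FIXED:-2.15.0}"

# version_lt A B: succeed when dotted version A is strictly lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# classify_jar PATH: print "STATUS<TAB>VERSION<TAB>PATH" for log4j 1.x jars and
# log4j-core 2.x jars; other jars (log4j-api, bridges) are skipped silently.
classify_jar() {
    name=${1##*/}
    case "$name" in
        log4j-1.2-api-*)       return 0 ;;   # log4j 2 bridge, not log4j 1.x
        log4j-core-[0-9]*.jar) ver=${name#log4j-core-} ;;
        log4j-[0-9]*.jar)      ver=${name#log4j-} ;;
        *)                     return 0 ;;
    esac
    ver=${ver%.jar}
    num=${ver%%-*}             # drop suffixes such as -beta9
    case "$num" in
        1.*) status=END_OF_LIFE ;;
        *)   if version_lt "$num" "$MIN_FIXED"; then status=VULNERABLE; else status=OK; fi ;;
    esac
    printf '%s\t%s\t%s\n' "$status" "$ver" "$1"
}

# scan_log4j DIR: classify every log4j*.jar found under DIR.
scan_log4j() {
    find "$1" -type f -name 'log4j*.jar' 2>/dev/null | while IFS= read -r jar; do
        classify_jar "$jar"
    done
}

# Run against a directory when one is given, e.g. an install root.
if [ "$#" -gt 0 ]; then scan_log4j "$1"; fi
```

Jars nested inside WAR or EAR archives are not visible to a file-name scan, so list the contents of those archives separately.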

128
MP Server / Re: Best way to query system log using UTC date?
« on: December 02, 2021, 01:06:16 PM »
Make sure the date format you're sending to the SQL statement matches the date format that DB2 can easily recognize:  YYYY-MM-DD-HH.MM.SS.FFFFFF  (where FFFFFF is a six-digit fraction of a second).

You may want to investigate using SQL's built-in functions like current timestamp and days to create your

-JD.

129
MP Server / Re: How to remove vulnerable ciphers
« on: November 15, 2021, 09:14:22 AM »
As far as GSKit is concerned, there is no (documented?) way to pre-select which specific, individual ciphers are used for communications, but you can disable the old version of TLS with GSK_PROTOCOL_TLSV1=0.  I suspect this needs to be exported as an environment variable before you start the CMOD arssockd daemon.

Since 3DES-CBC-SHA1 is not a public key algorithm, your security folks are more likely concerned with protecting communications, and are probably confused about how the certificate factors into this.

The parameter you've set in the CMOD ars.ini file simply prevents insecure certificates from being used; it doesn't factor into the selection of ciphers - See:  https://cmod.wiki/index.php?title=ars.ini#Unlisted_CMOD_Configuration_Parameters

Your best bet is to open a new ticket, asking how to configure the ciphers that GSKit presents to clients, or for other recommended flags to set as environment variables to modify GSKit's behaviour.

-JD.


130
z/OS Server / Re: System Load table dates incorrect in ARSDOC Query
« on: November 09, 2021, 09:08:19 AM »
A few things...

First, I see that you're writing your own SQL - and this comes with some caveats...  The time stored in the database table is UTC, not your local time zone.  You need to adjust your queries for that.

Second, for dates, try using the 'between' operator for the dates, rather than multiple 'AND' operators.

Try those out and let us know how it goes.  :)

-JD.

131
MP Server / Re: LDAP SSL configuration, OnDemand wont start
« on: October 27, 2021, 10:39:46 AM »
Hi Andreas.

Not really - you want CMOD to run as a 'non-privileged' user (like archive or odadmin) instead of root.  However, it DOES indicate that your problem is likely related to permissions, since running as root provides the highest level of authorization.  Double check file and directory permissions and your path environment variables like PATH, LIBPATH, and LD_LIBRARY_PATH to ensure they're correct.

-JD.

132
MP Server / Re: MASK field in ARSSEG - bit meaning
« on: October 19, 2021, 10:26:58 AM »
Someone's digging down deep into the weeds!  :)  What are you trying to do?

-JD.

133
OD/WEK & JAVA API / Re: ODWEK - Flow of returning document
« on: October 19, 2021, 10:17:23 AM »
Option 2 is how it's supposed to work.  The original concept for the object servers was that they were physically diverse.  Imagine an organization with offices in Boston, Miami, Denver, and Seattle.  The Library server is in Denver, but each office loads their data to their local object server.  The metadata gets sent to the library server, and the document data stays local to each office.  The design is supposed to be that the client pulls the documents from each object server, and does not route them through the library server.

Hope that helps.  :)

-JD.

134
MP Server / Re: Issue implementing SSL
« on: October 19, 2021, 10:13:06 AM »
Return Code 2 is "does not exist".

Can you ls -l the path and see what you get back?

-JD.

135
MP Server / Re: Issue implementing SSL
« on: October 08, 2021, 05:37:11 AM »
If you have separate library and object servers, then you will need unique SSL certificates for each - you can't re-use the server certificate from one server on the other.

For troubleshooting IBM CMOD SSL, use openssl s_client with the -showcerts option - that will show you which certificates are being presented by each server.

-JD.
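
An added example, not part of the original post: shell helpers that summarise openssl s_client -showcerts output and check whether a library server and an object server present the same server certificate. The function names, host names and PORT in the usage comment are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: compare the certificates presented by two servers.

# fetch_chain HOST PORT: capture what a server presents (needs network access).
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null
}

# chain_summary: read s_client output on stdin and print
# DEPTH<TAB>SUBJECT<TAB>ISSUER for each entry in the "Certificate chain" section.
chain_summary() {
    awk '
        /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; have = 1; next }
        /^ +i:/ && have { sub(/^ +i:/, ""); printf "%s\t%s\t%s\n", depth, subj, $0; have = 0 }
    '
}

# leaf_pem: print the first PEM block, which is the server's own certificate.
leaf_pem() {
    awk '/^-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         on && /^-----END CERTIFICATE-----/ { exit }'
}

# same_leaf FILE_A FILE_B: succeed when both captures contain a certificate and
# it is the same one, i.e. one server certificate was copied to both servers.
same_leaf() {
    a=$(leaf_pem < "$1")
    [ -n "$a" ] && [ "$a" = "$(leaf_pem < "$2")" ]
}

# Usage (hypothetical hosts; PORT is the SSL port of each server):
#   fetch_chain library.example.com "$PORT" > lib.txt
#   fetch_chain object1.example.com "$PORT" > obj.txt
#   chain_summary < lib.txt; chain_summary < obj.txt
#   same_leaf lib.txt obj.txt && echo "same certificate on both servers"
```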
