IBM Spectrum LSF License Scheduler 10.1 Fix 564673 Readme File
Abstract
P103959. This fix prevents the user from using LSF as arbitrary users by replacing the eauth key in the data packet that is used for the authentication mechanism.
Description
Readme documentation for IBM Spectrum LSF License Scheduler 10.1 Fix 564673 including installation-related instructions, prerequisites and co-requisites, and list of fixes.
This fix addresses the following issue:
By default LSF uses eauth for its authentication mechanism, which uses a hardcoded key. This key is generated from an external authentication framework named eauth to secure user credentials for the data stream between LSF clients and servers. However, users can use the eauth in the Community Edition to generate the auth key for any specified user name. Since LSF uses exactly the same key that is available for download in the Community Edition of LSF, anyone can obtain this key and use it to send requests as arbitrary users in an LSF installation.
This fix adds a checksum for each authorization request. Any data packet that is sent to LSF can be identified if it has been modified. This fix can prevent users from changing either the user credential or the content of LSF requests.
A new configuration that this fix introduces for the security communication:
LSF_STRICT_CHECKING=ENHANCED
Note: All daemons and commands need to set LSF_STRICT_CHECKING=ENHANCED to enable security communication. For now, only requests that have LSF authentication contain checksum. Readme File for: IBM® Spectrum LSF License Scheduler Product/Component Release: 10.1 Update Name: Fix 564673 Fix ID: LS-10.1-build564673 Publication Date: 17 Dec 2020 Last Modified Date: 17 Dec 2020 Contents 1. List of Fixes 2. Download Location 3. Product or Components Affected 4. System Requirements 5. Installation and Configuration 6. List of Files 7. Product Notifications 8. Copyright and Trademark Information 1. List of Fixes P103959 2. Download Locations Download Fix 564673 from the following location: http://www.ibm.com/eserver/support/fixes/ 3. Product or Components Affected Affected product or components include: LSF/bladmin LSF/bld LSF/blcollect LSF/blcstat LSF/blhosts LSF/blinfo LSF/blkill LSF/blparams LSF/blstartup LSF/blstat LSF/bltasks LSF/blusers LSF/taskman LSF/libglb.a LSF/libglb.so LSF/liblic.so 4. System Requirements lsf10.1_licsched_lnx310-ppc64le lsf10.1_licsched_lnx310-x64 lsf10.1_licsched_x86-64-sol10 lsf10.1_licsched_lnx26-x64 lsf10.1_licsched_sparc-sol10-64 5. Installation and Configuration 5.1 Before installation (LSF_TOP=Full path to the top-level installation directory of LSF.) 1) Log on to the License Scheduler master host as the root 2) Set your environment: - For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf - For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf 3) Run bladmin shutdown all 4) Make sure LSF PSIRT patch (Fix ID: lsf-10.1-build564668) installed appropriately.
5.2 Installation steps
1) Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/
2) Copy the patch file to the install directory $LSF_ENVDIR/../10.1/install/
3) Run patchinstall: ./patchinstall <patch>
5.3 After installation
1) Log on to the License Scheduler master host as the License Scheduler primary administrator
2) Setting LSF_STRICT_CHECKING=ENHANCED in lsf.conf
3) Run blstartup
5.4 Uninstallation
1) Log on to the License Scheduler master host as root
2) Set your environment:
- For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf
- For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf
3) Run bladmin shutdown all
4) Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/
5) Run ./patchinstall -r <patch>
6) Run blstartup
6. List of Files
bladmin
bld
blcollect
blcstat
blhosts
blinfo
blkill
blparams
blstartup
blstat
bltasks
blusers
taskman
libglb.a
libglb.so
liblic.so
7. Product Notifications
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My notifications page ( www.ibm.com/support/mynotifications) on the IBM Support website (support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
8. Copyright and Trademark Information
©Copyright IBM Corporation 2020
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.