IBM Spectrum LSF License Scheduler 10.1 Fix 564673 Readme File 

Abstract

P103959. This fix prevents the user from using LSF as arbitrary users by replacing the eauth key in the data packet that is used for the authentication mechanism.

Description

Readme documentation for IBM Spectrum LSF License Scheduler 10.1 Fix 564673 including installation-related instructions, prerequisites and co-requisites, and list of fixes.

This fix addresses the following issue:

By default LSF uses eauth for its authentication mechanism, which uses a hardcoded key. This key is generated from an external authentication framework named eauth to secure  user credentials for the data stream between LSF clients and servers. However, users can use the eauth in the Community Edition to generate the auth key for any specified user name. Since LSF uses exactly the same key that is available for download in the Community Edition of LSF, anyone can obtain this key and use it to send requests as arbitrary users in an LSF installation.

This fix adds a checksum for each authorization request. Any data packet that is sent to LSF can be identified if it has been modified. This fix can prevent users from changing either the user credential or the content of LSF requests.

A new configuration that this fix introduces for the security communication:

LSF_STRICT_CHECKING=ENHANCED

Note:

All daemons and commands need to set LSF_STRICT_CHECKING=ENHANCED to enable security communication. For now, only requests that have LSF authentication contain checksum.


Readme File for: IBM® Spectrum LSF License Scheduler

Product/Component Release: 10.1

Update Name: Fix 564673

Fix ID: LS-10.1-build564673

Publication Date: 17 Dec 2020

Last Modified Date: 17 Dec 2020


Contents

1. List of Fixes

2. Download Location

3. Product or Components Affected

4. System Requirements

5. Installation and Configuration

6. List of Files

7. Product Notifications

8. Copyright and Trademark Information


1. List of Fixes

P103959


2. Download Locations

Download Fix 564673 from the following location: http://www.ibm.com/eserver/support/fixes/


3. Product or Components Affected

Affected product or components include:

LSF/bladmin

LSF/bld

LSF/blcollect

LSF/blcstat

LSF/blhosts

LSF/blinfo

LSF/blkill

LSF/blparams

LSF/blstartup

LSF/blstat

LSF/bltasks

LSF/blusers

LSF/taskman

LSF/libglb.a

LSF/libglb.so

LSF/liblic.so


4. System Requirements

lsf10.1_licsched_lnx310-ppc64le

lsf10.1_licsched_lnx310-x64

lsf10.1_licsched_x86-64-sol10

lsf10.1_licsched_lnx26-x64

lsf10.1_licsched_sparc-sol10-64


5. Installation and Configuration

5.1 Before installation

(LSF_TOP=Full path to the top-level installation directory of LSF.) 

1) Log on to the License Scheduler master host as the root 

2) Set your environment: 

- For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf 

- For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf

3) Run bladmin shutdown all 

4) Make sure LSF PSIRT patch (Fix ID: lsf-10.1-build564668) installed appropriately. 

5.2 Installation steps

1) Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/ 

2) Copy the patch file to the install directory $LSF_ENVDIR/../10.1/install/ 

3) Run patchinstall: ./patchinstall <patch> 


5.3 After installation

1) Log on to the License Scheduler master host as the License Scheduler primary administrator 

2) Setting LSF_STRICT_CHECKING=ENHANCED in lsf.conf

3) Run blstartup


5.4 Uninstallation

1) Log on to the License Scheduler master host as root

2) Set your environment: 

- For csh or tcsh: % source LSF_TOP/conf/cshrc.lsf 

- For sh, ksh, or bash: $ . LSF_TOP/conf/profile.lsf 

3) Run bladmin shutdown all

4) Go to the patch install directory: cd $LSF_ENVDIR/../10.1/install/ 

5) Run ./patchinstall -r <patch> 

6) Run blstartup



6. List of Files

bladmin

bld

blcollect

blcstat

blhosts

blinfo

blkill

blparams

blstartup

blstat

bltasks

blusers

taskman

libglb.a

libglb.so

liblic.so


7. Product Notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My notifications page ( www.ibm.com/support/mynotifications) on the IBM Support website (support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.



8. Copyright and Trademark Information

©Copyright IBM Corporation 2020


U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.