Fix (APAR): PK43169
Status: Fix
Release: 6.1.0.7,6.0.2.9,6.0.2.7,6.0.2.5,6.0.2.3,6.0.2.21,6.0.2.19,6.0.2.17,6.0.2.15,6.0.2.13,6.0.2.11,6.0.2.1,6.0.2
Operating System: AIX,HP-UX,i5/OS,Linux,Linux pSeries,Linux zSeries,OS/400,Solaris,Windows
Supersedes Fixes:
CMVC Defect: PK43169
Byte size of APAR: 52212
Date: 2007-08-02

Abstract: The enterprise beans which provide access to the service data objects repository allow full access to any authenticated user.

Description/symptom of problem:

PK43169 resolves the following problem:

ERROR DESCRIPTION:
Incorrect authorization on a remote interface to the service data object repository. The enterprise bean which provides access to the service data object repository does not require authorization to gain access.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
Users of the service data objects repository component in WebSphere Application Server

PROBLEM DESCRIPTION:
The enterprise beans which provide access to the service data objects repository allow full access to any authenticated user.

RECOMMENDATION:
None

The service data objects repository uses an enterprise bean to provide access to its data. The service data objects repository is used by the Web Services Gateway component. The data can be created, edited and destroyed using the enterprise bean. There are no user restrictions on the use of the enterprise bean, exposing a security risk of malicious use from any authenticated user.

PROBLEM CONCLUSION:
This fix updates the service data objects repository so only callers with the administrator role can execute methods on the enterprise bean. Callers from system code will now use the server identity which has the administrator role.
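
As an added illustration (not IBM's code and not the contents of this fix), the fragment below shows how a standard EJB 2.1 deployment descriptor expresses the difference the problem conclusion describes: bean methods callable by any authenticated user versus methods restricted to an administrator role. The bean name ExampleRepositoryBean and the role name AnyAuthenticatedUser are hypothetical placeholders; the binding of roles to users and the server identity used by system code are configured outside this descriptor and are not shown.

```xml
<!-- Added illustration only. ExampleRepositoryBean and AnyAuthenticatedUser
     are hypothetical names; they do not come from the product or the fix. -->

<!-- BEFORE (weak): the only role guarding the bean is one that the deployer
     binds to every authenticated user, so any login can create, edit and
     destroy repository data through the bean. -->
<assembly-descriptor>
  <security-role>
    <role-name>AnyAuthenticatedUser</role-name>
  </security-role>
  <method-permission>
    <role-name>AnyAuthenticatedUser</role-name>
    <method>
      <ejb-name>ExampleRepositoryBean</ejb-name>
      <method-name>*</method-name> <!-- every method on every interface -->
    </method>
  </method-permission>
</assembly-descriptor>

<!-- AFTER (restricted): every method requires the administrator role.
     A caller that is authenticated but lacks the role is rejected by the
     container before the bean method runs. -->
<assembly-descriptor>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <method-permission>
    <role-name>administrator</role-name>
    <method>
      <ejb-name>ExampleRepositoryBean</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```

When reviewing a deployed application for this class of problem, check both the method-permission entries and the role bindings: a narrowly named role still grants full access if it is bound to all authenticated users.
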
Directions to apply fix:

Fix applies to Editions:
  Release 6.0
  x_ Application Server (Express or BASE)
  x_ Network Deployment (ND)
  x_ WebSphere Business Integration Server Foundation (WBISF)
  x_ Edge Components
  x_ Developer
  x_ Extended Deployment (XD)

Install Fix to:
  Method:
  x_ Application Server Nodes
  __ Deployment Manager Nodes
  __ Both

NOTE: The user must:
* Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V6.0.2.2 or newer of the Update Installer. This can be checked by reviewing the level of the Update Installer in file /updateinstaller/version.txt.

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

For detailed instructions to extract the Update Installer, see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg21205400

1) Copy the PKxxxxx.pak file directly to the maintenance directory.
2) Shut down WebSphere.
   Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that maintenance is being applied to.
3) Launch the Update Installer.
4) Enter the installation location of the WebSphere product you want to update.
5) Select the "Install maintenance package" operation.
6) Enter the file name of the maintenance package to install (the PKxxxxx.pak file which was copied to the maintenance directory).
7) Install the maintenance package.
8) Restart WebSphere.

Directions to remove fix:

NOTE:
* The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Shut down WebSphere.
   Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that uninstall is being run against.
2) Start the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (PKxxxxx.pak).
6) Uninstall the maintenance package.
7) Restart WebSphere.

Directions to re-apply fix:

1) Shut down WebSphere.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere.

Additional Information: