My Random Access Memory

Content Server 6.7 Patch 4 automatic deployer (RedHat/Linux)

kevinyeandel — Fri, 04 Nov 2011 13:47:46 +0000

Patching anything can be boring. Patching a content server is no exception. Here is a 2-part script which makes life easier. If anyone knows how to upload shell scripts and properly format them in wordpress please let me know. However, PM me if you want the shell scripts mailed to you. If you have improvements please let me know.

This applies to Linux Content Server 6.7 Patch04 and requires a secure shell, access as the installation owner and access to a user with root or root access.

1. Login as the installation owner and copy up the patch04 “gz” file to $DOCUMENTUM
2. Stop Java Method Server and Content server
3. In the shell, execute patch04_step1.sh
4. su root (not su -) or ask root user to execute the script run_as_root.sh which is automatically generated
5. exit back or otherwise log back in as installation owner.
6. execute patch04_step2.sh

Done.

I take no responsibility for anything so run at own risk

patch04_step1.sh


#!/bin/bash
# Patch deployment script version 1.0 for Content Server CS_6.7.0040.0238 Patch 4 - Script part 1
# Kevin Yeandel. Use at own risk. No responsibility taken by me.
# Prerequisits - Steps 1 to 4 of DocumentumContentServer_6.7_P04 have been completed.
if [[ -z $DOCUMENTUM ]] ; then
echo "\$DOCUMENTUM NOT SET" ;
exit 1;
else
echo "\$DOCUMENTUM set - OK";
fi

if [[ -z $DOCUMENTUM_SHARED ]] ; then
echo "\$DOCUMENTUM_SHARED NOT SET" ;
exit 1;
else
echo "\$DOCUMENTUM_SHARED set - OK";
fi

if [[ "$1" == "" ]] ; then
echo "USAGE $0 "
exit 1
fi

REPO=$1

if [[ ! -f "$DOCUMENTUM/dba/dm_start_$REPO" ]] ; then
echo "REPOSITORY $REPO does not seem to exist. Please check repository name"
exit 1
fi

#Define the patch file here (located in $DOCUMENTUM)
INITFILE=""
XML_STORE="N"
FAST="N"
XPLORE="Y"
PATCH=CS_6.7.0040.0238_linux_ora.tar
GUIDE="DocumentumContentServer_6.7_P04.pdf"
SIGNATURE="b7e8940dd6b129f5e0634d43c4bd204e"

# patch 03 was CS_6.7.0030.0232_linux_ora.tar
echo "Press enter to confirm the following 3 items or ctrl+c to abort"
echo "Item 1. FAST is installed:$FAST"
echo "Item 2. XPLORE is installed:$XPLORE"
echo "Item 3. XML_STORE is installed:$XML_STORE"
echo "(Where Y is Yes and N is No)"
read n

I_OWNER=`ls -l install.log | awk '{ print $3 }'`
GROUP=`ls -l install.log | awk '{ print $4 }'`
echo "GROUP is $GROUP"

if [[ $I_OWNER == `whoami` ]] ; then
echo "Patch execution by installation owner"
else
echo "You are not logged in as the installation owner. Quitting"
exit 1
fi

if [[ -f $DOCUMENTUM/$PATCH.gz ]] ; then
echo "file $PATCH exists"
else
echo "$PATCH.gz does not exit"
exit 1
fi

SUM=`md5sum $DOCUMENTUM/$PATCH.gz`

if [[ `md5sum $PATCH.gz | awk '{ print $1 }'` = $SIGNATURE ]] ; then
echo "SIGNATURE OK" ;
else
echo "The SIGNATURE ($SUM) does not match the patch (should be $SIGNATURE). Please validate your downloaded file"
exit 1
fi

#check step 1
INITFILE=`ps -fel | grep \./[j]boss `
if [[ $INITFILE = *$DOCUMENTUM_SHARED* ]] ; then
echo "Step 1 has not been completed. Please refer to $GUIDE. The Java Method Server is running. Please shut it down before running this patch install. Aborting."
exit 1
fi

#check step 2
INITFILE=`ps -fel | grep "\./[d]ocumentum -docbase_name $REPO" | awk {'print $21'} | awk 'NR>0 && NRif [[ $INITFILE = *$REPO* ]] ; then
echo "Step 2 has not been completed. Please refer to $GUIDE. The Repository is running. Please shut it down before running this patch install. Aborting."
exit 1
fi
gunzip $DOCUMENTUM/$PATCH.gz
if [[ -f $DOCUMENTUM/$PATCH ]] ; then
echo "file $PATCH exists"
else
echo "patch tar file, $PATCH does not exit. Please check it gunzip'ed correctly before running this script again."
exit 1
fi

if [[ $XPLORE="Y" ]] ; then
echo "Step 3. Please ensure you have stopped the Index Agent and Index Server. If not do it now. Pressing ENTER confirms your agreement. Otherwise ctrl+c to abort to rerun this script again later."
read x
fi

echo "Step 4. If you have not backed up \$DOCUMENTUM please press ctrl+c to abort to rerun this script later, otherwise press ENTER to continue";
read x

echo "Step 5a. Prerequisit for running script is that the gz patch file has been gunzip'ed. Untarring files"

tar xvf $DOCUMENTUM/$PATCH
echo "Unpacked tar. "
echo "Step 5b. Moving and copying files"
echo "Step 5b. -1. Deployment of dmldap.jar"
mv $DOCUMENTUM/dmldap.jar $DOCUMENTUM_SHARED/jboss4.3.0/server/DctmServer_MethodServer/deploy/ServerApps.ear/APP-INF/lib/dmldap.jar
echo "Step 5b. -2. Deployment of server-impl.jar"
cp $DOCUMENTUM/server-impl.jar $DOCUMENTUM_SHARED/jboss4.3.0/server/DctmServer_MethodServer/deploy/ServerApps.ear/APP-INF/lib/server-impl.jar
echo "Step 5b. -3. Deployment of mthdservlet.jar"
mv $DOCUMENTUM/mthdservlet.jar $DOCUMENTUM_SHARED/jboss4.3.0/server/DctmServer_MethodServer/deploy/ServerApps.ear/DmMethods.war/WEB-INF/lib/mthdservlet.jar

#if xmlstore is configured
if [[ XML_STORE == "Y" ]] ; then
echo "Step 5c - xhiveconnector.jar"
cp $DOCUMENTUM/xhiveconnector.jar $DOCUMENTUM_SHARED/jboss4.3.0/server/DctmServer_MethodServer/deploy/XhiveConnector.ear/XhiveConnector.war/WEB-INF/lib/xhiveconnector.jar
fi

rm $DOCUMENTUM/xhiveconnector.jar

#Step 5(d) FAST is not deployed by this script but the files will be removed.
rm $DOCUMENTUM/adminagent.jar
rm $DOCUMENTUM/server-impl.jar
rm $DOCUMENTUM/libFastQueryPlugin.so
if [[ $XPLORE == "Y" ]] ; then
echo "Step 5e - deploying files for XPLORE - serverapps.ear to two locations"
cp -r $DOCUMENTUM/jboss4.3.0/server/DctmServer_MethodServer/deploy/ServerApps.ear/APP-INF/lib/* $DOCUMENTUM_SHARED/jboss4.3.0/server/DctmServer_MethodServer/deploy/ServerApps.ear/APP-INF/lib
cp -r $DOCUMENTUM/jboss4.3.0/server/DctmServer_MethodServer/deploy/ServerApps.ear/DmMethods.war/WEB-INF/lib/* $DOCUMENTUM_SHARED/jboss4.3.0/server/DctmServer_MethodServer/deploy/ServerApps.ear/DmMethods.war/WEB-INF/lib
fi
echo "Creating a root file for root user to execute which will execute Step 5g"
cat << EOF >$DOCUMENTUM/run_as_root.sh
if [ "\$(id -u)" != "0" ]; then
echo "ERROR - Script should be run as root"
exit 1
fi
cp $DOCUMENTUM/product/6.7/install/external_apps/checkpass/dm_check_password $DOCUMENTUM/dba
cp $DOCUMENTUM/product/6.7/install/external_apps/assumeuser/dm_assume_user $DOCUMENTUM/dba
cp $DOCUMENTUM/product/6.7/install/external_apps/checkpass/dm_check_password $DOCUMENTUM/dba
#note the following commented out file does not exist in the bundle on page 8 of the P03 ReadMe.
#echo "cp $DOCUMENTUM/product/6.7/install/external_apps/changepass/dm_change_password $DOCUMENTUM/dba"
cp $DOCUMENTUM/product/6.7/install/external_apps/assumeuser/dm_assume_user $DOCUMENTUM/dba
$DOCUMENTUM/dba/dm_root_task << xEOF
$GROUP
o
o
o
o
o
xEOF
EOF
chmod +x $DOCUMENTUM/run_as_root.sh
cp $DOCUMENTUM/shared/dfc.jar $DOCUMENTUM_SHARED
echo "Please execute $DOCUMENTUM/run_as_root.sh as a root user before running part 2 of this script."

patch04_step2.sh

#!/bin/bash
# Patch deployment script version 1.0 for Content Server CS_6.7.0030.0232 Patch 3 - Script part 2
if [[ -z $DOCUMENTUM ]] ; then
echo "\$DOCUMENTUM NOT SET" ;
exit 1;
else
echo "\$DOCUMENTUM set";
fi

if [[ -z $DOCUMENTUM_SHARED ]] ; then
echo "\$DOCUMENTUM_SHARED NOT SET" ;
exit 1;
else
echo "\$DOCUMENTUM_SHARED set";
fi

REPO=$1
PASS=$2

if [[ "$1" == "" ]] ; then
echo "USAGE $0  "
exit 1
fi

if [[ "$2" == "" ]] ; then
echo "USAGE $0  "
exit 1
fi

REPO=$1

if [[ ! -f "$DOCUMENTUM/dba/dm_start_$REPO" ]] ; then
echo "REPOSITORY $REPO does not seem to exist. Please check repository name"
exit 1
fi

ROOT_TASK=`ls -l $DOCUMENTUM/dba/dm_check_password | awk '{ print $3 }'`
I_OWNER=`ls -l $DOCUMENTUM/install.log | awk '{ print $3 }'`

echo "root task: $ROOT_TASK"
if [[ $ROOT_TASK == "root" ]] ; then
echo "dm_check_password is owned by root (OK)"
else
echo "Looks like part 1 of this script was executed but root task step has not been executed. Quitting"
exit 1
fi

if [[ $I_OWNER == `whoami` ]] ; then
echo "patch execution by installation owner"
else
echo "You are not logged in as the installation owner. Quitting"
exit 1
fi

echo "Step 8. Starting docbroker (if required)"
$DOCUMENTUM/dba/dm_launch_Docbroker
sleep 5
echo "Step 8a. Starting docbase (if required) and waiting 60 seconds"
$DOCUMENTUM/dba/dm_start_$REPO
sleep 60
echo "Step 8b. Starting java method server (if required)"
nohup $DOCUMENTUM_SHARED/jboss4.3.0/server/startMethodServer.sh &

echo "Please ensure to start the IndexAgent and IndexServer in the case that xPlore or FAST is required. Press ENTER to confirm and continue."
read x
echo "Steps 9 and 10 - install MessagingApp and Workflow dar files. "
echo "Step 9d. Creating a temporary xml file to prepare to install dar files."
cat << EOF >$DOCUMENTUM/build.xml

This is the ant script code to install a dar in the docbase




EOF
echo "Step 9e. Launching dar installer"
$JAVA_HOME/bin/java -Dlogpath=/tmp/$REPO\.log -cp $DM_HOME/install/composer/ComposerHeadless/startup.jar org.eclipse.core.launcher.Main -data $DM_HOME/install/composer/workspace -application org.eclipse.ant.core.antRunner -buildfile build.xml
echo "Please check the log in /tmp/$REPO.log"

echo "Step 11. Installing lifecycle.jar"
iapi $REPO -U$I_OWNER -P -e << EOF
retrieve,c,dmc_jar where object_name = 'lifecycle.jar'
checkout,c,l
setfile,c,l,$DOCUMENTUM/lifecycle.jar
checkin,c,l
exit
EOF
status=$?

echo "EVIDENCE confirming jar has been installed follows:"
idql $REPO -U$I_OWNER -P -e << EOF
select r_modify_date, r_creation_date from dmc_jar where object_name='lifecycle.jar';
go
exit
EOF
status=$?
echo $status
echo "Step 6. This is moved to last and is just cleaning up files from the application of the patch."
rm -rf $DOCUMENTUM/jboss4.3.0
rm -rf $DOCUMENTUM/shared
if [[ -f $DOCUMENTUM/lifecycle.jar ]] ; then rm $DOCUMENTUM/lifecycle.jar ; fi
if [[ -f $DOCUMENTUM/MessagingApp.dar ]] ; then rm $DOCUMENTUM/MessagingApp.dar ; fi
if [[ -f $DOCUMENTUM/Workflow.dar ]] ; then rm $DOCUMENTUM/Workflow.dar ; fi
if [[ -f $DOCUMENTUM/mthdservlet.jar ]] ; then rm $DOCUMENTUM/mthdservlet.jar ; fi
if [[ -f $DOCUMENTUM/dmldap.jar ]] ; then rm $DOCUMENTUM/dmldap.jar ; fi
if [[ -f $DOCUMENTUM/build.xml ]] ; then rm $DOCUMENTUM/build.xml ; fi
if [[ -f $DOCUMENTUM/server-impl.jar ]] ; then rm $DOCUMENTUM/server-impl.jar ; fi
if [[ -f $DOCUMENTUM/xhiveconnector.jar ]] ; then rm $DOCUMENTUM/xhiveconnector.jar ; fi
if [[ -f $DOCUMENTUM/adminagent.jar ]] ; then rm $DOCUMENTUM/adminagent.jar ; fi
if [[ -f $DOCUMENTUM/run_as_root.sh ]] ; then rm $DOCUMENTUM/run_as_root.sh ; fi

echo "Please refer to the patch documentation technical notes and any final deployment tasks. This automation is complete."

DM_FT_INDEX_E_FULLTEXT_CONFIG_NOT_LOADED

kevinyeandel — Fri, 16 Sep 2011 06:53:33 +0000

xPlore 6.7 Content Server 6.6

When configuring xPlore 6.7 against 6.6 repository (maybe other versions) Documentum server config object will not save with the out-of-the-box file, dmfulltext.ini – if using RedHat Linux.
This is because of an incorrect ini file.

If suitably configured to use xPlore, the Content Server log should properly document the correct plugin which would be something like

Loaded FT Query Plugin: /srv/ecm/dmreach01/product/6.6/bin/libDsearchQueryPlugin.so, API Interface version: 1.0, Build number: HEAD; May 17 2011 05:20:39, FT Engine version: X-Hive/DB 8.2

The dm_server_config_object may fail to update properly when running fulltext_setup_for_dss.ebs with the error message DM_FT_INDEX_E_FULLTEXT_CONFIG_NOT_LOADED when it reaches the function setupFulltextLocation within the script which is used as part of the setup.

The location dsearch should already be setup in file_system_path of dm_location (select file_system_path from dm_location where object_name=’dsearch’ should return /path/to/fulltext/dsearch where dmfulltext.ini is located.

fulltext.ini may well be there and should be but contains an invalid path to the search plugin. This path reads:
[LINUX_FULLTEXT]
bin_location = _ssol26/bin
library_name = libDsearchQueryPlugin.so

but should read

[LINUX_FULLTEXT]
bin_location = bin
library_name = libDsearchQueryPlugin.so

Backup the original file and remove the _ssol26/ from the bin_location parameter as shown.
Once changed run the api against the repository (assuming dsearch is a valid dm_location):

>retrieve,c,dm_server_config
>set,c,l,fulltext_location
SET>dsearch
>save,c,l

Which should be OK now. If the CS can’t find the library file then it is not possible to save the changes to the server_config.

Restart repository and check the loaded FT Query plugin refers to the xhive as shown towards the top of this post.
Make sure the other instructions were followed in the xplore 1.1 installation guide.
Obviously verify the installation and test the search from a WDK app connected to the repository.

Reading XML Blender 2.5x using Python and Minidom

kevinyeandel — Sat, 16 Jul 2011 07:36:46 +0000

reading and extracting XML data in Python and Blender

Just found a Blender App for drawing charts from xml data on my HD that I wrote some months ago.
It may have a bit of use for someone learning Blender/Python who needs to process data from XML.
The Python code was cut in the built-in editor of Blender 2.5 and does not require any additions beyond the installation of Blender to process it.

The purpose of this post is simply to illustrate the reading and and extraction of data from an xml – in this case in the context of Blender. It is not to convey any knowledge of the Blender API.

The following XML is in chart.xml on a local drive as can be seen from the python code below

This is the bit of python code used to process the elements of the xml

import xml.dom.minidom
from xml.dom.minidom import Node
import bpy
from bpy import *
import sys,os
os.chdir('/Users/kev/Blender/xmltest')
doc = xml.dom.minidom.parse("chart.xml")

height_max=0  
columns=0                                       
layers = [False]*32
layers[0] = True
matblue = bpy.data.materials.new('blue')
matblue.diffuse_color = (0.0, 0.0, 1.0)
matblue.specular_color = (1.0, 1.0, 0.0)
matred = bpy.data.materials.new('red')
matred.diffuse_color = (1.0, 0.0, 0.0)
matred.specular_color = (0.0, 1.0, 1.0)
matgreen = bpy.data.materials.new('red')
matgreen.diffuse_color = (0.0, 1.0, 0.0)
matgreen.specular_color = (1.0, 0.0, 1.0)
matyellow = bpy.data.materials.new('yellow')
matyellow.diffuse_color = (1.0, 1.0, 0.0)
matyellow.specular_color = (0.5, 0.5, 1.0)


for element in doc.getElementsByTagName("bar"): 
    a = element.attributes["id"]
    b = element.attributes["colour"]
    c = element.attributes["title"]
    d = element.attributes["value"]
    if int(d.value) > height_max:
        height_max=int(d.value)
    columns +=1 
    bpy.ops.mesh.primitive_cube_add()
    cube = bpy.context.object
    cube.name = a.value
    ob = bpy.context.object
    bpy.ops.object.material_slot_remove()
    bpy.context.active_object.location = [0, columns *2.2, 0]
etc...

300K Icon? Pointless network overhead in TaskSpace and other WDK apps

kevinyeandel — Fri, 01 Jul 2011 05:50:22 +0000

There is an icon in the root of WDK apps called favicon.ico which is 300,318 bytes – rather rediculously large for an icon.
It’s in Documentum 6.5 through to 6.7 at least and seems to get loaded each time a new page is called putting a massive overhead on the network and slowing down TaskSpace and other apps built on WDK.

I put a ticket into EMC for this but also tried a number of tools online to shrink the icon from 300K to 1.4K and the best site was . This tool also provides a number of rendition options (which all looked pretty much the same so I picked the smallest filesize).

Another tool I tried online shrunk it to 61K which is still huge for an icon but definitely prodraw offers the most efficient solution.

VirtualBox [other] running Redhat Linux Putty and Internet Access

kevinyeandel — Sat, 14 May 2011 13:17:11 +0000

Redhat/CentOS on a Virtual Machine with Putty/WinSSh/SSh and access to Internet

Trying to get things all connected at once is easy unless you have a porous memory like me. Hence the Random Access Memory Blog.
Also this is a quick and dirty guide which should apply to any VM, the issues are generally with the OS config. (RedHat in this case, OOTB without SELinux enabled). Please send me any enhancements and recommendations if you don’t mind.

Assumptions

You didn’t already set everything up when you installed the OS during VM creation (else you wouldn’t be here or the install didn’t work)
The network adapter for the OS is bridged.
The version of RedHat Enterprise Server I used is Enterprise Client 5.6 (irrelevant really, should work on CentOS et al)
Host is Windows 7 in this case.
The host is connected to the Internet.
You have installed WinSCP and/or Putty. (Its always cleaner to get things like this from www.portableapps.com)

Launch Instance – check security settings

From the OS go to System -> Administration -> Security Level Configuration
Check the firewall is open along with SSH
Apply/Save changes

Identify Adapter IP and information from the host

This is the network adapter which has been installed with the VM
At the CMD prompt on the Windows host type ipconfig /all
Identify the adapter IP associated with the instance. Write it down.
Identify the DNS servers. Write these down.
Identify the Gateway address and write this down.

Note that if your host is DHCP – enabled then you should modify the router settings so DHCP does not assign possible values to all local IP’s in the range. You should configure your host to use a static local IP. You may have a few odd issues if you don’t remember to do this later… moving on.

Configure OS

Assume to be on the VM in the OS as root.
From System -> Administration -> Network Configuration
Select default Network Device and press the Edit button.
Set Statically set IP Address. Refer now to the range that you wrote down. e.g. If you wrote 192.168.3.3 then enter a high value such as 192.168.3.133 (rather than 192.168.3.4 because the DHCP may try to assign it to another user that came on the network, you are just reducing risk of conflict by picking a higher number – this only applies if you couldn’t be bothered to follow the note about configuring your router).
Write down the IP address you chose. This is needed to access the VM from the host OS. It is also necessary to ensure you did not assign this IP to a previous VM.
Add the Default Gateway Address that you wrote down.

Select the DNS tab and enter the DNS entries you wrote down that were sourced from your router when you ran ipconfig /all from the cmd prompt of the host.

Go to File -> Save
Open a terminal window and type:
service network restart
You should see OK appear about 4 times.
type
ping www.google.co.uk
You should see the ip address of Google appear
Check also with a browser that you can connect to the Internet.
Launch Putty and enter the IP address that you statically assigned to your VM.

You should be able to shell in. If you can’t then you will have to surf for a solution elsewhere because OOTB RH/CentOS defined in this document works fine.

Configure Kernel

kernel /vmlinuz-2.6.18-238.9.1.el5 ro divider=10 root=/dev/VolGroup00/LogVol00 rhgb quiet

Set the divider value in /boot/grub/menu.lst as shown above to stop IO/CPU thrashing

Verbal Abuse – it’s beyond words

kevinyeandel — Sat, 16 Apr 2011 18:59:33 +0000

The presentation above is the ‘first cut’ of one I intend putting on a new website addressing the painful issue of ‘verbal abuse and control’. A professional will tailor the final – hopefully with a voice-over.
I want to promote understanding and knowledge through the website and a discussion forum controlling.proboards.com where the victims and recovering abusers can share their experiences – it’s been done before and can be done again so it’s not unexplored territory. Right now I get lots of visitors but no posts, so, please I’m asking those addressed to be bold enough to help me start it. It’s not necessary to leave more established forums you may be involved in but I would value content and support to (initially) leverage publicity.

In the past MEVAC (Men Ending Verbal Abuse And Control) hosted forums for both victims and abusers but the rules changed and MEVAC now focus on the ‘here and now’ in relation to men wanting to heal themselves.

Other forum’s exist exclusively for women but I think it necessary to have “in view” BOTH sides for what I am trying to achieve.
Additionly, I believe “Parental Alienation” also has a place here – it’s a related abuse and something which should be addressed in the same forum.

Lastly, a discussion group for school teachers and classroom assistants (acting as schoolteachers) to share thoughts and concerns (anonymously) so they can optimise the means to best identify potential problems so vulnerable children can be connected to those trained to safely evaluate and address matters potentially relating to an abusive home that is impacting that child’s mental growth and future stability.

Under exposed and improperly managed – My findings

Verbal Abuse (UK:under the heading of domestic abuse) is more often conducted by men against women. It’s purpose is ‘control’ and that may extend beyond one target to the entire family possibly into the workplace.

In the case of separated couples (and couples living in a ‘control’ environment) it can tie in with Parental Vilification (Parental Alienation – as it’s also known).
Parental Alienation (PA) occurs when one parent targets the other to make a child hate or fear the targeted parent (for no logical reason, as hopefully the child grows up to discover – although this may lead to trauma).

It can be the case that both parents are guilty of using their children against the other parent (children are powerful weapons) which the law would normally offer protection. And since both parents are responsible for the welfare of their child (according to this legislation), one parent reporting the other for abuse is potentially ‘self-indictment’ and minimises the chance of exposure to the authority charged with protecting the child from all types of abuse.

The child therefore remains open to toxic parenting in the longer term and further ‘detriment’ in regards to mental health – to include ongoing of unconscious ‘programming’ of antisocial behaviour and subsequent continuation of the ‘cycle of abuse’ to the next generation – And the reason?
Because the child was literally not afforded their basic human rights defined by our lawmakers and intrinsic to society.

Lack of education – a danger in schools

My God-daughters (14 and 16 years old girl) are beautiful kids and the product of sound parents who I have known from school. I asked the girls what their understanding of Verbal/Domestic/Physical Abuse was and received limited answers. It was clear they didn’t really have a grasp of the details of verbal abuse and it was evident that, even if their school had delivered the message as part of their education, it wasn’t received in any detail. There is also the business of unqualified teachers and if these are being used in the classroom then it it an opportunity for them to be made aware of the issues as well as fully qualified teachers.

A BBC article last year revealed that many divorced couples have long term disputes centred around their children. It states England’s Children’s Minister Delyth Morgan saying: “Divorce and separation can have a devastating impact on children caught in the middle. But this survey, looking as far back as 20 years ago, simply doesn’t reflect what support is available for families now.” It doesn’t state that many of these parents have personality disorders a core problem mentioned in “Adult Children of Parental Alienation Syndrome – by Amy J L Baker” and “The Narcissistic/Borderline Couple by Joan Lachkar”.

I have no reason to doubt the Minister is true to her words and that support is available to children but is that support getting to the children? I know for a fact it is most definitely not and that children remain subject to intoxication which could otherwise be avoided.

Another BBC article, “Divorcing parents can ‘damage’ children, says judge” makes many interesting points to include, “Sir Nicholas Wall, president of the Family Division of the High Court, said well-educated parents were particularly adept at using their children “.

‘Well educated’ parents often have an earning potential to send their children to private schools. I asked an investigator to conduct research. One of the things looked at were the finances of a private school at which I believed it likely there were children attending who were subject to emotional/psychological abuse. It highlighted an issue but did not implicate the school.

On paper, the school was teetering on the brink of a financial catastrophe. It would suggest the subsequent removal of even one child by a fee-paying parent ‘spooked’ by a sudden befriending of their child(ren) by people trained to deal with those ‘secrets behind the front door’ would not be beneficial in it’s survival.

What were the choices…. Nothing materialised that suggested the school had at any time deliberately acted “out of the” interest of any child. If anything was of particular concern it was that of the local authority. (It’s deliberate that not all details are provided in this post but likely revealed later).

As part of that ‘exercise’ I contacted Visyon, a Cheshire based charity, and asked them what the terms of engagement were in the case that I wanted them to attend a school to befriend a child who, say, recently self harmed as a result of parental dysfunction. I offered to pay for the services personally but it was not possible to engage. I recall the reason was that consent would have to be given by one of the parents. This, again, would potentially be an act of self-indictment if both parents are instigators of emotional and mental abuse – it could be construed that their ongoing disputes would take precedence over their own child’s welfare. Basically, these parents don’t want their children to talk regardless of the long term implications.

In other words, those most likely to advise a child to seek assistance are not the parents but other adults which come into proximity of the child – such as school teachers and (worse for a controller) adult family friends having life experience and further knowledge of the controller. That person subsequently being of utmost ‘danger’ to the controller and one he would put at arms length if he thought someone had sussed his modus-operandi – more dangerous if that person was being approached by his confused child.

Using the legal system to aid manipulation and control

I tried to identify cases where parents had been prosecuted under the Children’s Act 1989 and found the supply limited. In fact, I didn’t find any.
Mental and emotional abuse doesn’t get the attention sexual abuse does yet it remains devastating.

I wanted to understand why mental abuse seemed so under-investigated and discovered little other than it would seem ‘hard to prove’ and testimony from those involved highly unreliable and further hindered by lack of law-enforcement. First it should be born in mind in relation to the abuses below:

Parental Alienation ‘seems’ mostly the work of mothers targeting the other parent (meaning what ‘I’ discovered not necessarily a universal belief)
Verbal Abuse and Control is predominantly a function of dysfunctional men – this is pretty much cast in stone

In both cases it seems the Freudian Defence Mechanism, ‘Projection’ is at work.

Projection can be analysed in a therapeutic setting and a useful aid in understanding the thinking of the client.
It offers revelation of actual truth about the projector, for example, one who has gay tendencies which they have internalised as being objectionable may project this ‘objectionable’ characteristic onto another through accusation of the targets sexual preference in a negative manner.

Further random examples include:

(i) a mother detesting her ex husband but developed sexual feelings towards their child may claim her husband has sexually assaulted that child and she may attempt to use that in the court to disrupt his access.
(ii) a father claiming to others that his ex-wife wants to hurt the children to punish him may in fact be bullying the mother and hurting the child in the process to punish her.

In any case those who absorb their own lies as truthful depictions of reality are particularly troublesome if the police get involved and don’t get a proper handle on the situation. If these projections are interpreted as accurate representations of the truth then it can be extremely harmful to anyone targeted by the controller that was trying to make sense of a chaotic situation – by seeing ‘behind the mask’ of the controller – especially dangerous if that controller is a serial bully/psychopath.

I looked into what it takes to become a police officer in the UK, not much: a CRB and credit check will essentially open the door to an interview room – hardly surprising the prerequisite does not include a degree in psychology and 8 years experience working with the insane – however, the police come into contact with them daily.

Police get used to dealing with liars – people out to deceive them all the time – they deal with domestic abuse and generally won’t have a clue how many psychopaths they come into contact with in any given month.

Deception is an intentional act and a big component of police investigatory work. It might be that police officers career, like any other, begins with minimal experience and conclude “fully seasoned” but even after years of experience, there is currently no infallible system available to him providing 100% reliable deception detection.

Police officers are used to dealing with persons with limited intelligence more often than smart people. Sending an inexperienced police officer into a ‘domestic’ where the abuse involves psychological violence (caused by one probably far smarter than the police officer) has the potential to result in a misread situation which is not then properly followed up.
Is he more likely to believe a psychopathic (verbal abuser) “master of deception” than a confused witness?

As it happens, the BBC article, Personality disorders are widespread, say experts tells that video training is being rolled out to police officers – so there is an identified problem.
I’ve no information as to what is in those videos but it’s one thing being able to spot when a lie is being offered but completely another if that suspect or witness is able to avoid visual cues (such as behavioural controls or impression management) associated with deception or because they are psychotic enough to portrait belief in something which is completely untrue.

Validation and the danger of forums

A friend told me (not that I checked the accuracy of this) that Hitler (one with a psychopathic persuasion) had a psychiatrist who endorsed his behaviour. He validated it. He suggested to Hitler that what he was doing was just.

Since there are always numerous sides to any story, determining the facts may need testimony from more than a single source or viewpoint.

I have visited the forums of (e.g.) Families need Fathers and read numerous postings. It is obviously incomprehensibly distressing and mental torture when a mother somehow prevents a father from accessing his children – especially when it is wholly unjustified.
And while it’s highly beneficial for men to lean on the shoulders of other men to support them it’s important that validation isn’t given to fathers based on distorted facts these men fully believe to be true otherwise problems are deepened. I just picked FnF as an example, the principle applies to any forum dealing with ‘life matters’ where counsel is given by fellow members.

Its not my expectation a recovering verbal abuser will register in his section here and his corresponding victim in hers – this is not ‘couple’s therapy’ it’s simply to get support for both but also allow others to witness and learn from the anguish and trauma that both are experiencing so that learning can be applied, if needed.

Securing Documentum – Audit trail lockdown

kevinyeandel — Fri, 15 Apr 2011 12:09:29 +0000

Installing ‘Big Brother’ round the back

(For Securing a Unix/Linux Installation please see here)

Documentum has the ability to audit hundreds of events relating to activity within a Repository. Events are generated because something happens (a user read a document, their login failed, a document reached a certain point in a workflow). These events are captured if the business required them and they were properly registered in the Documentum system.

That’s all well and good but a dubious Documentum administrator is able to act wrecklessly or maliciously: He can create random users, giving them extreme powers. He has the ability to get in the back end database and remove or change information – particularly that of the Documentum audit trail tables which capture the events mentioned.
But – and especially if it is a regulated/production system the customer won’t want that system open to compromise.
There are ways to make sure unauthorised change is identified and culprits caught. We also have the option of preventing security incidents by letting staff having special privileges know any abuse of power is recorded as evidence – which they can’t change. What evidence? Well that’s generally what audit trails are good at capturing – but it’s not reliable if it is easy to delete evidence or maliciously implicate another. Proof may be needed that someone wanted to:

delete evidence from the audit trail – that he unregistered certain events or something else.
modify an entry in the audittrail to “point the finger” at an unsuspecting and otherwise totally innocent scientist by pushing a sensitive document into an approved and published state.

The thing to do is to look at how we can capture any suspicious activity and good ways to do it.

Oracle Auditing

From a recent read-up on Oracle’s Auditing features I got the impression that it’s not Oracle’s most well-known and most utilised feature.
Since possibly you need to manufacture a solution post-haste and the Oracle Admin was not already familiar with Oracle Auditing it could be lead to voluminous amounts of redundant information being captured only then to have to be filtered as well as decreasing performance if all the options are enabled.
I’m not an expert on Oracle and was given a fair bit of help from my friend Ari with the Oracle parts of this Document. This is a slick and easy alternative method which focuses on the audit trail tables. It works but is subject to further customisation and enhancements. Please feed them back to me.

Alternative and effective method

First the drawback here is that the following SQL is more limited that Oracle Auditing but it could be implemented as either a proper solution to satisfactorally address a security requirement or react quicly to a potential security incident. The steps are first to prepare the system and ensure the right events are being captured. For this post we are only interested in Documentum’s dm_getlogin event and so we’ll commence by making sure getlogin events are being captured.

Register the dm_getlogin event

(Also register dm_connect)

Using the API tool, connect to the repository as a user that has been assigned the extended privileges which permit the manipulation of the audit trail. The simplest way to achieve this is to login to DA as the installation owner, create user with an inline password and provide them with Superuser and all extended privileges.

API> retrieve,c,dm_type where name = 'dm_user' ... 030f436180000103 API> audit,c,,dm_connect ... OK API> audit,c,,dm_getlogin ... OK API>

Create some events

Have available the login details of a user you which to spoof. The user has to be one that exists in the repository.
Write down the name of a different user that also exists in the repository and connect as that user to the repository using the API tool and get a login:
Connected to Documentum Server running Release 6.6.0.041 Linux.Oracle Session id is s0 API> getlogin,c,user01 ... DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQgUyAwCjAKc2VxdWVuY2VfbnVtIElOVCBTIDAKMTkKY3JlYXRlX3RpbWUgSU5UIFMgMAoxMzAyNTA0MDQ2CmV4cGlyZV90aW1lIElOVCBTIDAKMTMwMjUwNDM0Ngpkb21haW4gSU5UIFMgMAowCnVzZXJfbmFtZSBTVFJJTkcgUyAwCkEgMTIgWUFOREVMIEtldmluCnBhc3N3b3JkIElOVCBTIDAKMApkb2NiYXNlX25hbWUgU1RSSU5HIFMgMApBIDExIFNWSENfUFJPVE8yCmhvc3RfbmFtZSBTVFJJTkcgUyAwCkEgMzEgcy1kZXYtdmRlY20tMDYuZGV2LmV1cm9wYS5sb2NhbApzZXJ2ZXJfbmFtZSBTVFJJTkcgUyAwCkEgMTEgU1ZIQ19QUk9UTzIKc2lnbmF0dXJlX2xlbiBJTlQgUyAwCjU2CnNpZ25hdHVyZSBTVFJJTkcgUyAwCkEgNTYgcWZQMFY3U1hkQitrTDdGUmpKc29hSEl2U2FqcklrbGRqMWpJcWgrZVlRMlJHYnloU1orNXFBPT0K
While you are at it, quit the tool and repeat the exercise with a different user.
Make sure to write down who you are going to log in as this time and who you are going to spoof.

API> getlogin,c,user02 ... DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQgUyAwCjAKc2VxdWVuY2VfbnVtIElOVCBTIDAKMjAKY3JlYXRlX3RpbWUgSU5UIFMgMAoxMzAyNTA0MDc2CmV4cGlyZV90aW1lIElOVCBTIDAKMTMwMjUwNDM3Ngpkb21haW4gSU5UIFMgMAowCnVzZXJfbmFtZSBTVFJJTkcgUyAwCkEgMTggTUFMQ1pFV1NLSSBNaWNoYWVsCnBhc3N3b3JkIElOVCBTIDAKMApkb2NiYXNlX25hbWUgU1RSSU5HIFMgMApBIDExIFNWSENfUFJPVE8yCmhvc3RfbmFtZSBTVFJJTkcgUyAwCkEgMzEgcy1kZXYtdmRlY20tMDYuZGV2LmV1cm9wYS5sb2NhbApzZXJ2ZXJfbmFtZSBTVFJJTkcgUyAwCkEgMTEgU1ZIQ19QUk9UTzIKc2lnbmF0dXJlX2xlbiBJTlQgUyAwCjU2CnNpZ25hdHVyZSBTVFJJTkcgUyAwCkEgNTYgcWZQMFY3U1hkQitrTDdGUmpKc29hSWhyUGRZZFpqNUtBVUVPeUF6SXB3YldyTzI0dFdjUXZBPT0K

List the events captured to the audit trail

Test the actual events are being recorded in the audit trail. The example below uses SQLPLUS but you can use DQL.

COL event_name FORMAT A12 COL string_1 FORMAT A20 COL host_name format A26 COL user_name format A14


select time_stamp, user_name, host_name, string_1 from dm_audittrail_s

where event_name='dm_getlogin';

TIME_STAM USER_NAME HOST_NAME STRING_1 --------- -------------- -------------------------- -------------------- 11-APR-11 user01 psyc-vdev06.dev.local YEANDEL Kevin 11-APR-11 user02 psyc-vdev10.dev.local ANOTHER User

Creating the secured database

We need to covertly and secretly sniff for certain things occurring in the Documentum audit trail.
A secured database is designed to capture deletes, inserts and changes to user permissions and certain Documentum auditable events (such as dm_getlogin).

This database schema is not accessible to the Documentum Administrator and the password is kept by a secure user.
There are no changes made to the Documentum installation or its underlying database. The Documentum Administrators need have no knowledge of it’s existence.

Secured audit user

The account is created and a number of grants given.
This user has to select rows from the dm_audit_trail_s table of the Documentum repository(y|ies) of interest.
A grant is given for each Documentum installation it has to be aware of.
CREATE USER "ECMAUDIT" PROFILE "DEFAULT" IDENTIFIED BY DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" QUOTA UNLIMITED ON "USERS" ACCOUNT UNLOCK; GRANT UNLIMITED TABLESPACE TO "ECMAUDIT"; GRANT SELECT ON "REPOSITORY_OWNER"."DM_AUDITTRAIL_S" TO "ECMAUDIT"; GRANT "CONNECT" TO "ECMAUDIT"; GRANT CREATE ANY TRIGGER TO "ECMAUDIT"; GRANT "RESOURCE" TO "ECMAUDIT";

Creating the table

We need to securely store data from the audit trail belonging to a repository. We need to limit the data to what is really needed and in this case the table is a cut down version of a standard dm_audittrail_s table that is in Documentum Version 6.6

create table ecmaudit.dm_audittrail_admin_log ( EVENT_NAME varchar2(64), USER_NAME varchar2(32), TIME_STAMP DATE, STRING_1 varchar2(200), STRING_2 varchar2(200), HOST_NAME varchar2(128), ENTRY_DATE DATE, ENTRY_USER varchar2(15), ACTION varchar2(10) );
A couple of additional fields have been created. One of these is to record the action (DELETE, INSERT, CHANGE) and which user (repository) it came from as well as the date the event occurred.
A couple of additional fields have been created. One of these is to record the action (DELETE, INSERT, CHANGE) and which user (repository) it came from as well as the date the event occurred.

Creation of triggers

-- Creates a trigger to monitor INSERT statements with 'dm_getlogin', 'dm_connect' and 'dm_audit' event_names
-- Trigger generates a row for each insert done to dm_audittrail_s
-- NOTE: Remember to change the db user of dm_audittrail_s table

create or replace trigger ecmaudit.dm_audittrail_ins_trg
before insert
on svhc_proto2.dm_audittrail_s
REFERENCING NEW AS NEW OLD AS OLD
for each row

declare
	v_username varchar2(15);
	v_action varchar2(10);
	
begin
	select user into v_username from dual;
	
	v_action := 'INSERT';
	
	if :new.event_name = 'dm_getlogin' then
		insert into dm_audittrail_admin_log values (
			:new.event_name,
			:new.user_name,
			:new.time_stamp,
			:new.string_1,
			:new.string_2,
			:new.host_name,
			sysdate,
			v_username,
			v_action);
	elsif :new.event_name = 'dm_connect' then
		insert into dm_audittrail_admin_log values (
			:new.event_name,
			:new.user_name,
			:new.time_stamp,
			:new.string_1,
			:new.string_2,
			:new.host_name,
			sysdate,
			v_username,
			v_action);
	elsif :new.event_name = 'dm_audit' then
		insert into dm_audittrail_admin_log values (
			:new.event_name,
			:new.user_name,
			:new.time_stamp,
			:new.string_1,
			:new.string_2,
			:new.host_name,
			sysdate,
			v_username,
			v_action);
	end if;

end referencing_clause;
/

-- Creates a trigger to monitor DELETE statements with 'dm_getlogin', 'dm_connect' and 'dm_audit' event_names
-- Trigger generates a row for each delete done to dm_audittrail_s
-- NOTE: Remember to change the db user of dm_audittrail_s table
	
create or replace trigger ecmaudit.dm_audittrail_del_trg
before delete
on proto2.dm_audittrail_s
REFERENCING NEW AS NEW OLD AS OLD
for each row

declare
	v_username varchar2(15);
	v_action varchar2(10);
	
begin
	select user into v_username from dual;
	
	v_action := 'DELETE';
	
	if :old.event_name = 'dm_getlogin' then
		insert into dm_audittrail_admin_log values (
			:old.event_name,
			:old.user_name,
			:old.time_stamp,
			:old.string_1,
			:old.string_2,
			:old.host_name,
			sysdate,
			v_username,
			v_action);
	elsif :old.event_name = 'dm_connect' then
		insert into dm_audittrail_admin_log values (
			:old.event_name,
			:old.user_name,
			:old.time_stamp,
			:old.string_1,
			:old.string_2,
			:old.host_name,
			sysdate,
			v_username,
			v_action);
	elsif :old.event_name = 'dm_audit' then
		insert into dm_audittrail_admin_log values (
			:old.event_name,
			:old.user_name,
			:old.time_stamp,
			:old.string_1,
			:old.string_2,
			:old.host_name,
			sysdate,
			v_username,
			v_action);
	end if;

end referencing_clause;
/

-- Creates a trigger to monitor UPDATE statements with 'dm_getlogin', 'dm_connect' and 'dm_audit' event_names
-- Trigger generates a row for each update done to dm_audittrail_s
-- It records the OLD and NEW values, so you end up with two records for each update done on dm_audittrail_s table
-- NOTE: Remember to change the db user of dm_audittrail_s table

create or replace trigger ecmaudit.dm_audittrail_upd_trg
before update
on proto2.dm_audittrail_s
REFERENCING NEW AS NEW OLD AS OLD
for each row

declare
	v_username varchar2(15);
	v_action varchar2(10);
	
begin
	select user into v_username from dual;
	
	
	
	if :old.event_name = 'dm_getlogin' then
	
		v_action := 'UPDATE_OLD';

		insert into dm_audittrail_admin_log values (
			:old.event_name,
			:old.user_name,
			:old.time_stamp,
			:old.string_1,
			:old.string_2,
			:old.host_name,
			sysdate,
			v_username,
			v_action);
		
		v_action := 'UPDATE_NEW';
		
		insert into dm_audittrail_admin_log values (
			:new.event_name,
			:new.user_name,
			:new.time_stamp,
			:new.string_1,
			:new.string_2,
			:new.host_name,
			sysdate,
			v_username,
			v_action);
			
	elsif :old.event_name = 'dm_connect' then
		
		v_action := 'UPDATE_OLD';
		
		insert into dm_audittrail_admin_log values (
			:old.event_name,
			:old.user_name,
			:old.time_stamp,
			:old.string_1,
			:old.string_2,
			:old.host_name,
			sysdate,
			v_username,
			v_action);
		
		v_action := 'UPDATE_NEW';
		
		insert into dm_audittrail_admin_log values (
			:new.event_name,
			:new.user_name,
			:new.time_stamp,
			:new.string_1,
			:new.string_2,
			:new.host_name,
			sysdate,
			v_username,
			v_action);
	elsif :old.event_name = 'dm_audit' then
		
		v_action := 'UPDATE_OLD';
		
		insert into dm_audittrail_admin_log values (
			:old.event_name,
			:old.user_name,
			:old.time_stamp,
			:old.string_1,
			:old.string_2,
			:old.host_name,
			sysdate,
			v_username,
			v_action);
			
		v_action := 'UPDATE_NEW';	
			
		insert into dm_audittrail_admin_log values (
			:new.event_name,
			:new.user_name,
			:new.time_stamp,
			:new.string_1,
			:new.string_2,
			:new.host_name,
			sysdate,
			v_username,
			v_action);
	end if;

end referencing_clause;
/

Output

The output captures any changes in the audit trail before change was applied. It captures the name of the user that has been getlogin’d and actual deletes – which apply. It probably wont be so useful when the audittrail purge runs but its something to get up and running with.

SQL> select event_name,action,user_name from dm_audittrail_admin_log


EVENT_NAME                                                       ACTION     USER_NAME

---------------------------------------------------------------- ---------- --------------------------------

dm_connect                                                       DELETE     dev-op-jb

dm_getlogin                                                      DELETE     dev-op-jb

dm_connect                                                       DELETE     dev-op-jb

dm_connect                                                       INSERT     dmadmin2

dm_getlogin                                                      INSERT     dmadmin2

dm_connect                                                       INSERT     dmadmin2

dm_connect                                                       INSERT     dev-op-ky

dm_getlogin                                                      INSERT     dev-op-ky

dm_getlogin                                                      INSERT     dev-op-ky

dm_connect                                                       INSERT     dmadmin2

dm_connect                                                       INSERT     dev-op-ky

dm_getlogin                                                      INSERT     dev-op-ky

Conclusion

Documentum is safe and secure – if all the measures have been put in place. This can only be achieved if the vulnerabilities are exposed. In the mean time, I’ve yet to work at a customer site which has properly locked down Documentum in an environment which hosts it – I’m sure they are out there.
(If you know of any please let me know).

Putty ssh shell colours not so good – a tidbit since I have a spare moment

kevinyeandel — Wed, 13 Apr 2011 14:59:10 +0000

If you’ve not customised the colours in your putty session then chances are blue is hard to see – makes directory listings a bit difficult.
You can type
unset LS_COLORS
at the prompt to make things display easier.

You can also configure your shell to be a bit more attractive.

edit ~/.bash_profile
unset LS_COLORS red='\e[0;31m' # '\e[1;32m' green='\e[0;32m' # '\e[1;32m' endColor='\e[0m' #when logging in show the version of documentum - this is nice to have if you have a lot of installs on one box echo "" echo -e "${green}" `documentum -version` "${endColor}" echo ""

Victims of Verbal Abuse and Control, Parental Alienation

kevinyeandel — Tue, 12 Apr 2011 19:07:17 +0000

I started this group many months ago but never really went public with it.
It’s mainly for women who have been victims of verbal abuse but it is an open forum which can also host other related subject matters. The group is here:
controlling.proboards.com

There is also a well established group called MEVAC which is a forum mainly for men who are recovering verbal abusers and controllers:
mevac.proboards.com.

When I first discovered someone I had known for many years was a verbal abuser and controller I was particularly shocked at the secret they had kept from me for a decade and the lengths they would go to in trying to prevent me from seeing behind their mask in their persuit of control.
I feel very sad for these men but moreso for their victims – the women and children they hurt.

When his partner also told me she was receiving therapy for his abuse and that nobody could help her I didn’t really ‘disbelieve her’ but also I found what she was saying to be extremely hard to believe. I didn’t know what verbal abuse was until I read Patricia Evan’s book “Controlling People” and Lundy Bankcroft’s book, “Why does he do that? Inside the minds of angry and controlling men”.

Even though I have myself been on the receiving end of his emailed abuse and horiffic attacks online, I don’t hate him. I just wish he’d get some help and realise what he is doing.

My focus changed once I discovered what verbal abuse and control was. I started spending thousands of hours basically doing the material for a PhD in psychoanalysis. I find it amazing how we think, how the brain works and what coping styles humans will use, how some lie and brainwash their children to hate their targeted parent. How couples with personality disorders come together and lock themselves in never ending battles centred around their children. How some distort truth, believe their own lies, sell their faulty beliefs to their children, how they use their children as amunition – regardless of the long term consequences it has on their own childs mental health.

If you are a man that has recognised his behaviour to be less than perfect then you may wish to start moving forward by making yourself known here:
mevac.proboards.com

Where you will meet other men like yourself. Where you can start to learn about your behaviour and how to stop hurting other people in your life. How you don’t need to control them.

The focus really has changed since the new year (2011) and steered more towards men who are recovering verbal abusers rather than women expressing themselves.

I do visit from time to time but it’s not a place for me. That’s why I started my groups in controlling.proboards.com in response to changes in the rules in MEVAC. I am a researcher essentially but want to invite women and adult children of parental alienation and victims of control to feel free to share their experiences and both receive and provide other men and women support.

Securing Documentum – Lockdown script (1)

kevinyeandel — Fri, 08 Apr 2011 05:38:51 +0000

Introduction

(For Oracle/Documentum audittrail lockdown please see here)

I would love to sit all day writing shell scripts for things like this and there would be no end of work too.

So I took a couple of days and wrote this script based on experience working with customers of Documentum that have separate Unix and Oracle teams and limited exposure to Documentum itself. The audience here is more operations-related than Documentum and of less value to those running Documentum on Windows (hello!). Hopefully it will help a little in crossing the bridge into the world of Documentum running on the servers which they are managing.

The point of this is really two-fold:
In the first case it gives some further insight into what is already known about the newly hosted Documentum Content Server – essentially a Unix/LinuxWindows application that writes files to a file system and makes connections to a database and to other parts within an infrastructure.

The script uses SQL instead of DQL (Documentum Query Language) – although very similar SQL is more familiar to an Oracle Admin that has not used tools like Documentum Administrator or the idql tool.

Secondly, it’s about locking down the installation from a security/operations point of view and looking for vulnerabilities.

Validity and prerequisites

This script is ‘bash’ and should be run as root. It assumes root password had been properly contained and not been made available to other administrators. If not run as root then full checks won’t be possible and it will persistently challenge for the Documentum installation owner password.

Below are highlights of the code and not the main body. I will upload a fully working script in the coming weeks.

Highlights of the code

Note the variable:

SIGNATURE=”273c7ea8ffdf840138b2c6ab86095de3″

This is the standard signature of dm_check_password which runs through many versions of Documentum (maybe as back as 5.4 unchanged).
You can deem this fingerprint to be reliable but should be properly obtained from an approved source – such as via the official EMC/Documentum download site.
As part of your upgrade/patching process it is advisable to build into your checklists a new check against dm_check_password using
md5sum dm_check_password
and place the value into the SIGNATURE variable shown above.
If there are different versions of Documentum on the same host you made need multiple copies of dm_sectest.sh – you can obviously rename the script as required.
You may wish to consider any dependencies this file has (such as libraries).

The script declares the variable SANITY
SANITY="/srv/ecm/$2/dba/config/$1/server.ini.default"

In this case a verified copy of $DOCUMENTUM/dba/config/docbase-name/server.ini to be made to a location declared by SANITY. It should be owned by root with read access to the installation owner of Documentum (not write access).

I have actually tested re-owning the actual server.ini as root with read access to the installation owner without encountering problems but you must ensure you change the permissions back before doing an upgrade. You may well find the EMC never thought to test this so probable they would report this activity as unsupported.

Example:
Locked server.ini
-rw-r–r– 1 root dmadmin 1585 May 4 2010 server.ini

Unlocked server.ini
-rw-rw-r– 1 dmadmin dmadmin 1585 May 4 2010 server.ini

While a root owned server.ini could lend itself to managing and controlling change, it is a massive hindrance to the Documentum Administrator in that a small but vital emergency increasing the number of sessions – is going to add delay at a busy (inconvenient) time but worked around by a change to the docbase start script to point the repository at a writeable initialisation file – such an unmanaged or unauthorised change will be identified by this script and written to the log.

2 final notes on the subject of server.ini: (1) The script expects a space before and after the ‘=’ with regards to variable declaration. If your server.ini doesn’t conform to this then tidy it up or rewrite this script. (2) server.ini can be a different name – e.g. if host repository installation was created using the content server cfs tool from a running repository on a different host.

And a final note in regards to configuration files in general: You could use this means (with copy and paste) to add further tests for other configuration files which are part of your installation – such as $DOCUMENTUM_SHARED/config/dfc.properties for changes to trace levels etc.

Limitation and testing

The script goes some way to reducing risk but does not exhaust all the possibilities. It is very focussed on vulnerabilities “around” Documentum and access to that core system. For example, if you upload confidential documents to a Documentum system and apply a security model which makes them public then that’s the type problem dealt with elsewhere (not this script – yet) and more to do with your system design and implementation.

I tested the script on RedHat Release 5.3 and 5.4
If you need to know which version of RedHat you are using at the prompt you can enter
cat /etc/redhat-release

The Oracle Version used for the client and server was 11.1.0.7.0
If you need to determine which version of Oracle client you are using, at the prompt type
sqlplus -version

The Documentum version was 6.5.0.342 SP3 Linux.Oracle.
If you want to know what version of Documentum you are running type
documentum -version
at the prompt but log in as the installation owner and source the variables to do this – especially if there are multiple versions of Documentum on the same host)

Usage

The script should be installed as root user with rwx permissions. The user running the script must be able to execute sqlplus.

dm_sectest.sh REPOSITORY installation_owner
Example:
./dm_sectest.sh ECMREPO dmadmin

This will set up two variables which will be used throughout the script.
DOCBASE=$1
USER=$2

Output

The output from executing the script is a log file the location and name of which is stored in
LOG=”./dm_sec_check.log”
The log should be written with the same permissions as the person executing it.
Since the script uses the same convention for renaming the docbase server log that Documentum does it backs up the old log and creates a new one.
This will fail if the user tries to run the script as non-root after previously running it as root. The name of the old log is the time at which it was saved as a new name – not the time it was executed. This can be found at the top of the report.

The code user to rename the log is
RTIME=`date +%m.%d.%Y.%H.%M.%S` if [ -f $LOG ] ; then mv $LOG $LOG.save.$RTIME fi

How it works

The script goes through a number of checks which are described under the following headings.

Get the initialisation file

Analyse a process running as documentum and determine the name of the init file
INITFILE=`ps -fel | grep "\./[d]ocumentum -docbase_name $DOCBASE" | awk {'print $21'} | awk 'NR>0 && NR<1'`
This will be the initialisation file passed in by the dm_start_DOCBASE script. The process is documentum and is entered [d]ocumentum to prevent the INITFILE being blank because the ps returned the result of the grep function instead of the process.

Check the script is being run by root

if [ "$(id -u)" != "0" ]; then echo "WARNING - Script should be run as root" >>$LOG fi

If the script is not being run as root user you will need the passwords to the Documentum installation owner account and will be challenged for this password. It’s OK to run this as an installation owner as it will produce some very useful output but that output will also be written as the installation owner and subject to alteration.

Check the repository is running

if [[ -z "$INITFILE" ]] ; then echo "Docbase not running" exit fi

Check the root_secure_validator

Since we know exactly which password check program was passed to the content server we should test it against a known signature.
The known signature is hardcoded into the script in the variable SIGNATURE and discussed previously.
This signature should be checked against a standard. You should also note that the program relies on other binary libraries which may have started life as an open source project on some operating systems.
These dependencies can be identified by examining the source code that was definitely used in the compilation of dm_check_password or using the Unix commands lsof (tricky since this examines running processes) or strace (which could be prefixed and dm_check_password and run at the prompt to grab the system calls). The dependencies may be checked for timestamps against known files.

RSVAL=$(echo `grep root_secure_validator $INITFILE | awk '{print $3}'`) RSVSUM=$(echo `md5sum $RSVAL | awk {'print $1'}`) if [[ "$RSVSUM" == "$SIGNATURE" ]] ; then echo "Signature Match ($RSVSUM)" >>$LOG ; else echo "ALERT: Signature Mismatch. Found ($RSVSUM) expected ($SIGNATURE)" >>$LOG fi
As can be seen in the code above, the password check program is extracted from a copy of a file which is supposed to be running in memory.

It may be possible to start Documentum then change the server.ini file on the filesystem so it would not be picked up by a security audit but changes to this file would be detected by this script in the defences are in place. But the security manager may also want to make a note of the time and date stamps on configuration files in general.

Database Checks – check the root_secure_validator

I’m keen to discover why Documentum keeps the dm_check_password program in both a database table AND a configuration file but I certainly know it totally depends on server.ini. However, as part of out checks we’ll determine where Documentum expects to see the root_secure_validator from and RDBMS perspective.

#extract a couple of values for the following functions DOMAIN=$(echo `grep database_conn $INITFILE | awk '{print $3}'`) DBP=$(echo `grep database_password_file $INITFILE | awk '{print $3}'`) function db_check_root_secure_validator(){ ENC=$(cat $DBP) X=`su - $USER -c "iapi $DOCBASE -U$USER -P -e << EOF decrypttext,c,$ENC exit EOF status=$? " ` PASS=$(echo $X | awk -F$ENC'|~' '{print $2}' | awk {'print $2'}) if [[ -z "$PASS" ]] ; then echo "Password failure" exit 1 fi X=`su $USER -c "sqlplus -s -l $DOCBASE/$PASS@$DOMAIN < SELECT COUNT(*) FROM DM_LOCATION_S WHERE FILE_SYSTEM_PATH='\$RSVAL'; exit EOF "` echo "ROWS = $X" ROWS=$(echo $X | awk -F'COUNT\$\\*\$ ---------- |~' '{print $2}') if [[ "$ROWS" -eq "0" ]] ; then echo "ALERT: Mismatch between DM_LOCATION_FILE_SYSTEM_PATH and server config" >>$LOG; else echo "Database and initialisation file correspond (check_password program)" >>$LOG; fi }

What we are doing in the above code is switching user to the installation owner to get some database connectivity details then connecting as the Oracle user and executing a query against the database. If there is an inconsistency then the report will be appended. The output is parsed as text. We could have made life easier in the SQL by including,
SET HEADING OFF
SET VERIFY OFF
SET FEEDBACK OFF
Which would cause sqlplus to return the output free of chaff and make it easier to store in a Unix variable.

Checking the LDAP Active Directory Configuration

The function below checks to see the installation is using Active Directory.
AD is a means of authenticating users into a repository. If it is setup without using network encryption then it could offer an opportunist the chance to obtain authentication details of any user using easy to install network packet sniffers.
function ldap_check_ssl(){ echo "" >>$LOG echo "Checking LDAP configuration" >>$LOG X=`su $USER -c "sqlplus -s -l $DOCBASE/$PASS@$DOMAIN <<$LOG SET VERIFY OFF SELECT ALL r_object_id,ssl_mode,ssl_port,TRIM(ldap_host),TRIM(certdb_location) FROM dm_ldap_config_s where r_object_id like '08%'; exit; else echo "LDAP CONFIGURATION EXISTS" >>$LOG fi SSLMODE=$(echo $X | awk '{print $2}') SSLPORT=$(echo $X | awk '{print $3}') LDAPHOST=$(echo $X | awk '{print $4}') echo "SSL MODE = $SSLMODE" >>$LOG echo "SSL PORT = $SSLPORT" >>$LOG echo "LDAP HOST = $LDAPHOST" >>$LOG if [[ "$SSLMODE" -eq "0" ]] ; then echo "Secure Sockets Layer not available. It is recommended you change your configuration or implement alternative security" >>$LOG fi }

System Admin and Superuser Check

It’s very easy in Documentum as an Administrator for one Superuser to create another user with God like privileges (PLUS the ability to view, edit and purge the audit).

Since you can give that account “inline” passwords it means the Administrator doesn’t have to go through a standard process within the company to formalise a request of of a new user via, say, the AD team and thus reduce the chances of the request be challenged and sanctioned.

The block below adds a table to the report of users having System Admin or Superuser privileges. From this table you can also deduce those that have inline passwords. (I used decode in the SQL query because “inline password” is two words and I actually have far more sophisticated checks which I am not publishing and was reading the values into Unix variables)

function check_sysadmin_and_superusers(){ echo "" >>$LOG echo "Checking User Permissions" >>$LOG USERP=`su $USER -c "sqlplus -s -l $DOCBASE/$PASS@$DOMAIN <=8; SPOOL $LOG APPEND select user_name, decode(user_source,'inline password','inline',' ','NULL'),user_privileges from dm_user_s where user_privileges >=8; SPOOL OFF exit EOF "` echo $USERP }

Auditing privileged users

In the context of this document, an “Administrator” is one who has obtained a password to the Documentum system which gives them Administrator access to tools for which they could administrate the system. It doesn’t mean they have been working with Documentum for 1+ years and done the certifications.

This function looks for sysadmins and superusers which can execute a getlogin if they have access to a suitable tool – such as iapi (Documentum’s Interactive Application Progamming Interface) or Documentum Administrator.

A getlogin api command returns a long “token” which can be used in place of a password, so, if an Administrator wanted to connect as another user in Documentum Webtop or TaskSpace then they could do this without that user being aware.
The unaware user could be a business user who could find themselves in a situation where something was approved and published for which they could be blamed.
Although a Documentum Administrator already has access to most of that system, in most cases having a sneaky look at a document of interest would most likely not set off any alarm bells – unless that person was under corporate surveillance.
function dm_check_audit_events(){ echo “” echo "PRIVILEGED USERS WITH NO GETLOGIN EVENT" >>$LOG USERP=`su $USER -c "sqlplus -s -l $DOCBASE/$PASS@$DOMAIN SET HEADING OFF SET LINESIZE 200 SPOOL $LOG APPEND select user_name from dm_user_s where user_privileges>=8 and user_name not in (select user_name from dmi_registry_s where event in ('dm_getlogin')); SPOOL OFF exit EOF "` echo $USERP echo "" >>$LOG echo "PRIVILEGED USERS WITH GETLOGIN EVENT" >>$LOG SPOOL $LOG APPEND select user_name from dm_user_s where user_privileges>=8 and user_name in (select user_name from dmi_registry_s where event in ('dm_getlogin')); SPOOL OFF exit EOF "` echo $USERP }

Executing the code

Some tests are made when the script is executed – such as determining if the repository is running. It really begins in the function start() which is below.
It would be an idea to automate the execution of this script and add an alert handler which would email the report to a security official.

A final check done by the script is to determine if there is an alternate server.ini file on the system and compare one with unmodified parameters against one that root owns and add that to the report.
function start(){ db_check_root_secure_validator;#must be run first to get oracle password ldap_check_ssl; check_sysadmin_and_superusers; dm_check_audit_events; if [ -f $SANITY ]; then echo "Sanity checking server init file against root secured init file" >>$LOG D=$(echo `diff --brief $INITFILE $SANITY`) if [[ -z "$D" ]] ; then echo "Root secured init files compares with live" >>$LOG; else echo "Live init file and root secured file differ" >>$LOG fi else echo "Can't sanity check $INITFILE against $SANITY because $SANITY is missing" fi }; #start. This is the entry point start echo "Finished" #[conditionally] mutt a mail but better to make the log accessible to monitoring such as the nagios system.

Conclusion

This is a paranoid approach to adding some security or having reason to monitor situations/people – especially since Documentum is used to secure a companies most valuable assets.