Extra “protection” with trusted content services :)

Just to continue the theme about the usefulness of the TCS option mentioned in Some ideas about organising storage for content files.

The GetSignData RPC command is intended to verify the digital signature of a dm_audittrail record:

API> retrieve,c,dm_audittrail
...
5f024be980000100
API> get,c,l,_sign_data
...
<audit-record>
<dctm-attr name="r_object_id" type="ID"><![CDATA[5f024be980000100]]></dctm-attr>
<dctm-attr name="event_name" type="STRING"><![CDATA[dm_logon_failure]]></dctm-attr>
<dctm-attr name="event_source" type="STRING"><![CDATA[System Unspecific]]></dctm-attr>
<dctm-attr name="r_gen_source" type="INT"><![CDATA[1]]></dctm-attr>
<dctm-attr name="user_name" type="STRING"><![CDATA[dm_bof_registry]]></dctm-attr>
<dctm-attr name="audited_obj_id" type="ID"><![CDATA[11024be980000139]]></dctm-attr>
<dctm-attr name="time_stamp" type="TIME"><![CDATA[2015-05-05 15:24:19]]></dctm-attr>
<dctm-attr name="string_1" type="STRING"><![CDATA[dm_bof_registry]]></dctm-attr>
<dctm-attr name="string_2" type="STRING"><![CDATA[dm_bof_registry]]></dctm-attr>
<dctm-attr name="string_3" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="string_4" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="string_5" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="id_1" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
<dctm-attr name="id_2" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
<dctm-attr name="id_3" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
<dctm-attr name="id_4" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
<dctm-attr name="id_5" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
<dctm-attr name="chronicle_id" type="ID"><![CDATA[11024be980000139]]></dctm-attr>
<dctm-attr name="object_name" type="STRING"><![CDATA[dm_bof_registry]]></dctm-attr>
<dctm-attr name="version_label" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="object_type" type="STRING"><![CDATA[dm_user]]></dctm-attr>
<dctm-attr name="event_description" type="STRING"><![CDATA[Logon Failure]]></dctm-attr>
<dctm-attr name="policy_id" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
<dctm-attr name="current_state" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="workflow_id" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
<dctm-attr name="session_id" type="ID"><![CDATA[01024be980000123]]></dctm-attr>
<dctm-attr name="user_id" type="ID"><![CDATA[11024be980000139]]></dctm-attr>
<dctm-attr name="owner_name" type="STRING"><![CDATA[dm_bof_registry]]></dctm-attr>
<dctm-attr name="acl_name" type="STRING"><![CDATA[dm_45024be98000021f]]></dctm-attr>
<dctm-attr name="acl_domain" type="STRING"><![CDATA[dm_bof_registry]]></dctm-attr>
<dctm-attr name="application_code" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="controlling_app" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="attribute_list" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="attribute_list_id" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
<dctm-attr name="audit_version" type="INT"><![CDATA[4]]></dctm-attr>
<dctm-attr name="host_name" type="STRING"><![CDATA[docu72dev01]]></dctm-attr>
<dctm-attr name="time_stamp_utc" type="TIME"><![CDATA[2015-05-05 12:24:19]]></dctm-attr>
<dctm-attr name="i_audited_obj_class" type="INT"><![CDATA[2]]></dctm-attr>
<dctm-attr name="registry_id" type="ID"><![CDATA[26024be980000100]]></dctm-attr>
<dctm-attr name="audited_obj_vstamp" type="INT"><![CDATA[1]]></dctm-attr>
<dctm-attr name="attribute_list_old" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="attribute_list_aspect_id" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
</audit-record>

In real life it may be used to retrieve the metadata of any object in the repository regardless of its security settings:

API> create,c,dm_document
...
09024be980526275
API> grant,c,l,dm_world,AccessPermit,,1
...
OK
API> save,c,l
...
OK
API> connect,DCTM_DEV,test_user,test_user
...
s1
API> fetch,c,09024be980526275
...
[DM_API_E_EXIST]error:  "Document/object specified by 09024be980526275 does not exist."

[DM_SYSOBJECT_E_NO_BROWSE_ACCESS]error:  "No browse access for sysobject with ID '09024be980526275'."


API> apply,c,09024be980526275,GetSignData
...
q0
API> next,c,q0
...
OK
API> dump,c,q0
...
USER ATTRIBUTES

  result                          : <audit-record>
<dctm-attr name="r_object_id" type="ID"><![CDATA[09024be980526275]]></dctm-attr>
<dctm-attr name="object_name" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="r_object_type" type="STRING"><![CDATA[dm_document]]></dctm-attr>
<dctm-attr name="title" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="subject" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="authors" type="STRING" repeating="true" index="0"><![CDATA[]]></dctm-attr>
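
As an added example (not from the original post and not Documentum code), here is a Python parser for the <audit-record> format that GetSignData returns, handling the typed values (ID, STRING, INT, TIME) and the repeating attributes seen in the dump above; the sample record is constructed and abridged.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed, abridged record in the shape GetSignData returns (not a real object).
SAMPLE = """<audit-record>
<dctm-attr name="r_object_id" type="ID"><![CDATA[09024be980526275]]></dctm-attr>
<dctm-attr name="r_object_type" type="STRING"><![CDATA[dm_document]]></dctm-attr>
<dctm-attr name="title" type="STRING"><![CDATA[]]></dctm-attr>
<dctm-attr name="audit_version" type="INT"><![CDATA[4]]></dctm-attr>
<dctm-attr name="time_stamp" type="TIME"><![CDATA[2015-05-05 15:24:19]]></dctm-attr>
<dctm-attr name="policy_id" type="ID"><![CDATA[0000000000000000]]></dctm-attr>
<dctm-attr name="authors" type="STRING" repeating="true" index="1"><![CDATA[bob]]></dctm-attr>
<dctm-attr name="authors" type="STRING" repeating="true" index="0"><![CDATA[alice]]></dctm-attr>
</audit-record>"""

NULL_ID = "0000000000000000"  # Documentum's "no object" id

def convert(value, dctm_type):
    """Coerce the CDATA text according to the dctm-attr type attribute."""
    if dctm_type == "INT":
        return int(value) if value else None
    if dctm_type == "TIME":
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None
    if dctm_type == "ID":
        if len(value) != 16 or any(c not in "0123456789abcdef" for c in value):
            raise ValueError("malformed object id: %r" % value)
        return None if value == NULL_ID else value
    return value  # STRING (and any unknown type) stays as text

def parse_sign_data(xml_text):
    """Return {attr_name: value or list} for one <audit-record> document."""
    root = ET.fromstring(xml_text)
    if root.tag != "audit-record":
        raise ValueError("unexpected root element <%s>" % root.tag)
    record, repeating = {}, {}
    for attr in root.findall("dctm-attr"):
        name = attr.get("name")
        value = convert(attr.text or "", attr.get("type", "STRING"))
        if attr.get("repeating") == "true":
            # Repeating attributes carry an explicit index; order by it, not by document order.
            repeating.setdefault(name, []).append((int(attr.get("index", "0")), value))
        else:
            record[name] = value
    for name, pairs in repeating.items():
        record[name] = [v for _, v in sorted(pairs, key=lambda p: p[0])]
    return record

def leaked_attributes(record):
    """Names of non-empty attributes: what a caller without browse access still learns."""
    return sorted(k for k, v in record.items() if v not in (None, "", []))
```

leaked_attributes() is the defender's view of the problem: it lists everything the response discloses about an object the caller could not even fetch.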

Wrong JDK

Recently I have noticed a dumb tendency: instead of installing Oracle JDK, devops/developers do something weird. They download the Documentum Foundation Classes distribution archive from the EMC portal and try to use the JDK shipped within that distribution archive (another weird case is an attempt to deploy applications into the JBoss installed on the Content Server host). Never ever do that: the JRE/JDK bundled with Documentum products is broken. The problem is that since D7 EMC started poisoning the bundled JRE with their cryptographic libraries. I already mentioned that here, but slow startup is only a part of the problem; the real problem is that these cryptographic libraries are broken (check the thorough explanation on ECN: xcp wait for email on gmail working for anyone?). Typical stack traces are:

Caused by: java.security.cert.CertificateException: Certificate contains invalid public key: Unrecognized public key.
 at com.rsa.cryptoj.o.pk.g(Unknown Source)
 at com.rsa.cryptoj.o.pk.<init>(Unknown Source)
 at com.rsa.cryptoj.o.pj.<init>(Unknown Source)
 at com.rsa.cryptoj.o.pg.a(Unknown Source)
 at com.rsa.cryptoj.o.ot.engineGenerateCertificate(Unknown Source)
 at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
 at com.bea.common.security.jdkutils.X509CertificateFactory.engineGenerateCertificate(X509CertificateFactory.java:118)
 at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
java.security.SignatureException: Certificate verify failed!
 at com.rsa.cryptoj.o.pj.a(Unknown Source)
 at com.rsa.cryptoj.o.pj.verify(Unknown Source)
 at com.dstc.security.util.licensing.License.getPublicKey(License.java:275)
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Connection reset ClientConnectionId:21963716-d0fc-4801-9904-f7c304848444".
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1668)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1668)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1324)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:992)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:828)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012)
at java.sql.DriverManager.getConnection(DriverManager.java:579)
at java.sql.DriverManager.getConnection(DriverManager.java:243)
Caused by: java.io.IOException: Connection reset ClientConnectionId:21963716-d0fc-4801-9904-f7c304848444
at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.readInternal(IOBuffer.java:717)
at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.read(IOBuffer.java:700)
at com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.readInternal(IOBuffer.java:895)
at com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.read(IOBuffer.java:883)
at com.rsa.sslj.x.aP.c(Unknown Source)
at com.rsa.sslj.x.aP.a(Unknown Source)
at com.rsa.sslj.x.aP.a(Unknown Source)
at com.rsa.sslj.x.aP.h(Unknown Source)
at com.rsa.sslj.x.cy.startHandshake(Unknown Source)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1618)