Login tickets

On Thursday I was asked a naive question:…DM_TICKET=T0JKIE5VTEwgMAoxMwp2ZXJz…

this servlet is used by D2 for the PDF widget viewer
I was supposing that the ticket is a one time ticket, but it is not!
I don’t know why, maybe EMC is using the same ticket during all the session but I would have used a one time DM_TICKET to avoid to use it multiple time

Strictly speaking Documentum tickets has nothing in common with one-time passwords. Let me explain. The main idea of one-time passwords is not to verify your credentials but verify you as a person, for example, I have a bank account in Russian bank (actually, I also have a bank account in Australian bank, but IT in Australia is so infant that it is not possible to provide a real-world example), in order to take advantage of their internet banking I do following: I open browser, enter internet banking URL and submit my credentials, after that internet banking asks me to submit a one-time password and, in order to do so, it provides me two options to get one-time password:

  • receive one-time password by sms
  • go to ATM and get a hard-copy with a list of ten one-time passwords (if I choose this option i)

I submit one-time password and now I’m able to work with internet banking, so, the bank assumes that the person who knows credentials and able to receive one-time password by sms (or able to go to ATM and get a hard-copy with a list of one-time passwords) is me, actually, it’s a kind of tradeoff between security and convenience – bank may create more comprehensive authorization scheme, but it’s hardly possible that after that anyone will use their internet banking.

Documentum tickets should be considered just as temporary passwords which are valid during a specific period of time (see also login_ticket_timeout in dm_server_config):

API> getlogin,c,
API> Bye
[dmadmin@docu72dev01 ~]$ base64 -d
version INT S 0
flags INT S 0
sequence_num INT S 0
create_time INT S 0
expire_time INT S 0
domain INT S 0
user_name STRING S 0
A 7 dmadmin
password STRING S 0
A 108 DM_ENCR_TEXT_V2=AAAAECl8Z27wuzh+nFxw3Z/529zcqbt5yGQU5drswjxhC7wzl6a9AGlSYbam5W93zrppV1l687hJL4LZ9rvGkoo3z3Y=
docbase_name STRING S 0
host_name STRING S 0
A 11 docu72dev01
server_name STRING S 0
signature_len INT S 0
signature STRING S 0
A 112 AAAAEIqt6S+Fp1tSlsB+lkmSupePYU1JOCOrXrFl4Ee0sqpBVrzhq7zxtepdm3BqynavghKW2DdOiAX+WipODG7q3J2OUCwZy/Lps8qOPWtHwrDG
[dmadmin@docu72dev01 ~]$ perl -MPOSIX -e 'print strftime "%a %b %e %H:%M:%S %Y\n", gmtime 1455051412'
Tue Feb  9 20:56:52 2016
[dmadmin@docu72dev01 ~]$ perl -MPOSIX -e 'print strftime "%a %b %e %H:%M:%S %Y\n", gmtime 1455051712'
Tue Feb  9 21:01:52 2016

and initially login tickets were used when Content Server was need to force external client to authenticate using certain credentials, some examples:

but what you are observing in D2 is just a result of smelling code.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s