Step 6. Configuring the Server With Different Security Providers

You can run the server in any of the following security provider modes:

The default security provider mode is OPSYS if you have satisfied the OPSYS requirements. Otherwise, the default provider mode is OFF. To apply a different security provider, use the Web Console. To configure the server security provider, access the Control Menu, right-click Security Providers, and then select Change Providers.

Non-OPSYS server modes (OFF, DBMS, PTH, LDAP, and CUSTOM) run as the server admin id and do not employ user impersonation. While the server isolates one user from another, from an internal perspective, operating system security (file permissions) protects files from external exposure. This includes both permanent files and directories, like application metadata and programs (FOCEXECs), and temporary files, like edaprint.log and edatemp/* files.

For Non-OPSYS configurations, setting permissions on the permanent files (generally a one-time task) and including Set Protection=(S:RWED,O:RWED,G:RE,W:RE)/Default before server startup and in the EDAENV.COM file limits access to these files to the server admin id (or IDs within a group, if so configured). For Non-OPSYS configurations, it is best to add the specific desired Set Protection value in the server startup script and EDAENV.COM so that a consistent startup is ensured.

Note: To properly revert to OFF, if OPSYS was previously set up, additional steps are required as outlined in the OPSYS setup steps below.

If a 7.7.04 or higher refresh is performed on a prior server of 7.7.03 or lower and the EDAEXTSEC variable was used to control the security modes of DBMS, PTH, or LDAP, the variable should be removed from wherever it was set. The server security should be reconfigured using the Web Console method of setting the security provider.

You must satisfy the requirements described in How to Satisfy Security Provider OPSYS Requirements.

Some security modes need additional information before they can be configured and activated, such as the various LDAP parameters involved in connecting to and using an LDAP directory. The various parameters are displayed within the Web Console configuration page for each mode with help icons next to them. You can also find Web Console help in the Server Administration for UNIX, Windows, OpenVMS, IBM i, and z/OS manual. To access the manual on the Web Console:

  1. From the Web Console menu bar, select Help, then Contents and Search.

    The Web Console Help window opens.

  2. In the left pane, expand Server Administration. The various mode topics will appear under the Server Security topic.

Procedure: How to Satisfy Security Provider OPSYS Requirements

To run a server in security provider mode OPSYS in OpenVMS, you must satisfy the following requirements. You must do this when you set up the server administration (iadmin) ID.

Although installation can be done by an ordinary user, the changes listed here require the SYSTEM ID.

Run MCR AUTHORIZE to add the following privileges to the iadmin ID.

Privilege description                          Required for

May change mode to kernel                      Server impersonation features
May impersonate another user                   Server impersonation features
May create network device                      Mailboxes *
May create permanent global sections           IPC Shared Memory *
May create permanent mailbox                   IPC Control Pipes *
May create system wide global sections         IPC Shared Memory *
May insert in system logical name table        IPC Control Pipes *
May access objects using system protection     Creating system logical tables* and server security features
May create temporary mailbox                   Mailboxes *
May affect other processes in the world        Control of impersonated processes
May lock system wide resources                 Adapter for Progress only *

* Also required for non-secured servers.

Any additional privileges or changes in quota required by particular underlying databases must also be authorized and customized in the EDAENV.PRM file, as described in How to Add/Change Privileges and Quotas (EDAENV.PRM).

The default minimal quota resources are also contained in the default EDAENV.PRM file. You do not need to have values explicitly declared in the UAF or SYSTEM tables, provided the iadmin user ID has IMPERSONATE privileges. However, some situations may require quotas to be increased (for instance, if there are problems accessing very large databases). This is also done by customizing the EDAENV.PRM file, as described below.

Procedure: How to Add/Change Privileges and Quotas (EDAENV.PRM)

You can create privilege and quota settings using a configuration file (EDAENV.PRM). To customize the settings:

EDAENV.PRM edit rules:

The EDAENV.PRM file should not be confused with the EDAENV.COM file, which is used for running additional OpenVMS commands (typically logical declarations) at startup. An example of EDAENV.PRM follows:

io_direct = 200
queue_limit = 100
page_file = 2097152
buffer_limit = 800000
io_buffered = 200
ast_limit = 300
working_set = 3076
maximum_working_set = 8192
extent = 10240
file_limit = 4096
enqueue_limit = 4000
job_table_quota = 10000
priority = 4
privilege_1 : TMPMBX, NETMBX, PRMMBX
privilege_2 : PRMGBL, SYSGBL, SYSNAM
privilege_3 : SYSPRV, CMKRNL, WORLD
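
The following Python example is added here and is not iWay's own code. It parses an EDAENV.PRM file and reports which granted privileges the table above ties only to impersonation (OPSYS) features and which are not in the table at all. Assumptions: the file syntax is inferred from the sample above (name = value for quotas, privilege_n : list for privileges), the keyword-to-description pairing is standard OpenVMS naming rather than something this page states, and the function names and sample input are hypothetical.

```python
import re

# Privilege keyword -> (purpose per the page's table, starred as "also required
# for non-secured servers"). Keyword names are standard OpenVMS, not from the page.
PAGE_TABLE = {
    "CMKRNL": ("Server impersonation features", False),
    "IMPERSONATE": ("Server impersonation features", False),
    "NETMBX": ("Mailboxes", True),
    "PRMGBL": ("IPC Shared Memory", True),
    "PRMMBX": ("IPC Control Pipes", True),
    "SYSGBL": ("IPC Shared Memory", True),
    "SYSNAM": ("IPC Control Pipes", True),
    "SYSPRV": ("Creating system logical tables and server security features", True),
    "TMPMBX": ("Mailboxes", True),
    "WORLD": ("Control of impersonated processes", False),
    "SYSLCK": ("Adapter for Progress only", True),
}
QUOTA = re.compile(r"^(\w+)\s*=\s*(\d+)$")
PRIVS = re.compile(r"^privilege_\d+\s*:\s*(.+)$", re.I)

def parse_prm(text):
    """Return (quotas dict, privilege list); reject lines matching neither form."""
    quotas, privs = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := PRIVS.match(line):
            privs += [p.strip().upper() for p in m.group(1).split(",") if p.strip()]
        elif m := QUOTA.match(line):
            quotas[m.group(1).lower()] = int(m.group(2))
        else:
            raise ValueError(f"line {n}: unrecognized entry {raw!r}")
    return quotas, privs

def review(privs):
    """Split granted privileges into impersonation-only and not-in-table sets."""
    opsys_only = sorted(p for p in privs if p in PAGE_TABLE and not PAGE_TABLE[p][1])
    unlisted = sorted(p for p in privs if p not in PAGE_TABLE)
    return opsys_only, unlisted

# Constructed sample: a subset of the page's example plus one extra privilege.
SAMPLE = ("page_file = 2097152\npriority = 4\n"
          "privilege_1 : TMPMBX, NETMBX, PRMMBX\n"
          "privilege_3 : SYSPRV, CMKRNL, WORLD\nprivilege_4 : BYPASS\n")

if __name__ == "__main__":
    print(review(parse_prm(SAMPLE)[1]))
```

On a non-OPSYS server the first list shows grants that only the impersonation features use; the second shows grants that need a documented database requirement behind them.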

iWay Software