Installing a server requires an ID that installs and owns the files and also administers the server. This ID is known as the iadmin ID. Use the same ID for both functions (installation and administration), and do not use the SYSTEM ID. The iadmin ID can be any user ID that has the required privileges and quotas for running the server in all security modes. For the iadmin privileges necessary for running the server in security mode OPSYS, see Step 6, Configuring the Server With Different Security Providers, and configure for that mode at this time. We highly recommend running the server secured (that is, with security set to OPSYS, PTH, or DBMS).
The iadmin privileges necessary for running a server in security mode OFF are:
Privilege | Function | Required for
---|---|---
NETMBX | May create network device | Mailboxes
PRMGBL | May create permanent global sections | IPC Shared Memory
PRMMBX | May create permanent mailbox | IPC Control Pipes
SYSGBL | May create system wide global sections | IPC Shared Memory
SYSNAM | May insert in system logical name table | IPC Control Pipes
SYSPRV | May access objects using system protection | Creating system logical tables
TMPMBX | May create temporary mailbox | Mailboxes
SYSLCK | May lock system wide resources | Adapter for Progress only
Any additional privileges required by particular underlying databases must also be authorized.
We recommend running the OpenVMS server in security mode OPSYS. This is because non-secured servers also run as an account with elevated privileges and connecting end-user requests run as the privileged account, thus presenting a security risk. Non-secured mode should only be used when adequate safeguards have been taken so that the required privileges do not present a risk, or for short periods of time only (such as while debugging an issue).
The following OpenVMS minimal quota resources are also required for the iadmin ID:
Quota Resources | UAF Keyword | Value
---|---|---
PAGE_FILE | Pgflquo | 1000000
BUFFER_LIMIT | Bytlm | 800000
IO_BUFFERED | BIOlm | 200
IO_DIRECT | DIOlm | 200
AST_LIMIT | ASTlm | 300
QUEUE_LIMIT | TQElm | 50
PRIORITY | Prio | 4
WORKING_SET | WSdef | 3076
MAXIMUM_WORKING_SET | WSquo | 8192
MAX_JOBS | Maxjobs | 0
EXTENT | WSextent | 10240
FILE_LIMIT | Fillm | 300
ENQUEUE_LIMIT | Enqlm | 2000
JOB_TABLE_QUOTA | JTquota | 10000
Note: The IMPERSONATE privilege (one of the requirements for secured mode operation) allows dynamic setting of quota levels and uses the above table of values. If the configuration is run in secured mode, the initial default values for server validation purposes do not need to be a concern unless the defaults are unusually low.
The iadmin ID must also have a UIC group associated with the ID (so the calls for ID information under OpenVMS 7.x and 8.x are returned in standard OpenVMS 6.x [group,member] format).
To check the UIC, issue the following:
WRITE SYS$OUTPUT F$USER()
Note: The iadmin ID should only be available to users who require administrative privileges to the server for security purposes.
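The privilege table, the quota table and the UIC requirement above can be checked together against the iadmin account's UAF record. The following is an added example, not part of the original documentation: Python that parses a listing in the label/value layout printed by the AUTHORIZE utility's SHOW command and reports every shortfall. The sample listing is constructed, the listing layout and the names `parse_uaf` and `audit` are assumptions, and comparing Prio and Maxjobs for equality rather than as minimums is this example's choice.

```python
import re

# From the tables above (mode OFF); SYSLCK omitted, it is for the Adapter for Progress only.
REQUIRED_PRIVS = {"NETMBX", "PRMGBL", "PRMMBX", "SYSGBL", "SYSNAM", "SYSPRV", "TMPMBX"}
MIN_QUOTAS = {"Pgflquo": 1000000, "Bytlm": 800000, "BIOlm": 200, "DIOlm": 200,
              "ASTlm": 300, "TQElm": 50, "WSdef": 3076, "WSquo": 8192,
              "WSextent": 10240, "Fillm": 300, "Enqlm": 2000, "JTquota": 10000}
EXACT = {"Prio": 4, "Maxjobs": 0}  # settings, not minimums: compared for equality

# Constructed sample listing (not from a real system); layout is an assumption.
SAMPLE = """\
Username: IADMIN                           Owner:  SERVER ADMIN
Account:  IWAY                             UIC:    [200,10] ([IADMIN])
Maxjobs:         0  Fillm:       300  Bytlm:       800000
Maxdetach:       0  BIOlm:       200  JTquota:      10000
Prclm:          10  DIOlm:       200  WSdef:         3076
Prio:            4  ASTlm:       300  WSquo:         8192
Queprio:         0  TQElm:        50  WSextent:     10240
CPU:        (none)  Enqlm:      2000  Pgflquo:     500000
Authorized Privileges:
  NETMBX PRMGBL PRMMBX SYSGBL SYSNAM TMPMBX
Default Privileges:
  NETMBX TMPMBX
"""

def parse_uaf(text):
    """Return (authorized privileges, numeric fields, UIC identifier) from a listing."""
    fields = {k: int(v) for k, v in re.findall(r"(\w+):[ \t]+(\d+)\b", text)}
    m = re.search(r"Authorized Privileges:[ \t]*\n(.*?)(?=\n\S|\Z)", text, re.S)
    privs = set(m.group(1).split()) if m else set()
    uic = re.search(r"UIC:\s+\[[^\]]*\]\s+\((\[[^\]]*\])\)", text)
    return privs, fields, uic.group(1) if uic else None

def audit(text):
    """List every way the account falls short of the tables on this page."""
    privs, fields, uic = parse_uaf(text)
    findings = [f"missing privilege {p}" for p in sorted(REQUIRED_PRIVS - privs)]
    for name, need in MIN_QUOTAS.items():
        have = fields.get(name)
        if have is None or have < need:
            findings.append(f"{name} is {have}, needs at least {need}")
    for name, need in EXACT.items():
        if fields.get(name) != need:
            findings.append(f"{name} is {fields.get(name)}, table value is {need}")
    if uic is None or "," not in uic:  # [IADMIN] has no group; [GROUP,IADMIN] does
        findings.append(f"UIC identifier {uic} is not in [group,member] form")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Only the Authorized Privileges block is read, so a privilege that appears only under Default Privileges is not counted as granted.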
End-users connecting to a server will also require an ID with specific set up for access. For details, see End-User Requirements.