Choosing a Security Provider Mode

In this section:

How to:

You can run the server in any of the following security provider modes:

The default security provider mode is OPSYS if you have satisfied the OPSYS requirements. Otherwise, the default provider mode is OFF or whatever has been explicitly configured previously. To apply or use a different security provider mode, use the Web Console to configure server security provider by selecting Access Control Menu, right-clicking Security Providers and selecting Change Providers.

Note: To properly revert to OFF, if OPSYS was previously set up, additional steps are required as outlined in the OPSYS setup steps below.

If a 7.7.04 (or higher) refresh is done to a prior server of 7.7.03 or lower and the EDAEXTSEC variable was used to control the security modes of DBMS, PTH or LDAP, the variable should be removed from wherever it was set and the server security should be reconfigured using the Web Console method of setting the security provider.

To use OPSYS, you must satisfy the requirements described in How to Satisfy Security Provider OPSYS Requirements.

Some security modes need additional information before they can be configured and activated, such as the various LDAP parameters involved in connecting to and using an LDAP directory. The various parameters are displayed within the Web Console configuration page for each mode (with Help icons next to them), as well as Web Console help for the Server Administration for UNIX, Windows, OpenVMS, IBM i, and z/OS manual. To access the manual on the Web Console:

  1. From the Web Console menu bar, select Help, then Contents and Search.

    The Web Console Help window opens.

  2. In the left pane, expand Server Administration. The various mode topics will be under the Server Security topic.

Top of page

x
Procedure: How to Satisfy Security Provider OPSYS Requirements

To run a server in security provider OPSYS mode in UNIX, you must perform the following steps. You must do this once after installing and after each refresh of the server with fixes.

Set up tscom300.out as a root-owned SUID program:

  1. If the server is running, bring it down.
  2. Log on to the system as root, or issue the su root command.
  3. Change your current directory to the bin directory of the home directory created during the installation procedure.

    For example, type the following command:

    cd /home/iadmin/ibi/srv77/home/bin
  4. Change file ownership and permissions by typing the following commands:
    chown root tscom300.out
    chmod 4555 tscom300.out
  5. Verify your changes by issuing the following command:
    ls -l tscom300.out

    The output should be similar to the following:

    -r-sr-xr-x 1 root iadmin 123503 Aug 23 04:45 tscom300.out

    Note the permissions and ownerships.

When you start the server, it will now run in security mode OPSYS (unless an EDAEXTSEC value overrides this).

The chmod and chown steps will need to be repeated after any sever upgrade since the tscom300.out file is replaced during upgrade and the attributes are lost.

Note: If this Security Provider OPSYS step has been done and the site later decides to switch to Security OFF, special steps must be taken to ensure the mode remains after a full server shutdown (where edastart -start is used to restart the server). The steps are:

After server recycles from the change to OFF, use the Web Console to open the environment configuration file of the server by clicking Workspace and expanding the Configuration Files folder, followed by the Miscellaneous folder. Double-click Environment - edaenv.cfg to edit the file and add the EDAEXTSEC=OFF variable. Then save your work.

After the next full server shutdown, be sure to do an edastart -cleardir before restarting the server. This will clear any root owned files that would prevent a security OFF server from starting.


Top of page

x
Preventing Unsecured Server Starts After Upgrades

If the explicit environment variable EDAEXTSEC is set to OPSYS (or ON) and the server cannot impersonate users because it lacks platform-specific authorization steps, the server start aborts and error messages are written to the edaprint log.

This feature prevents an unsecured server start after a software upgrade if any of the required post-upgrade, reauthorization steps are missed on a UNIX, IBM i, or z/OS HFS deployment. This is not applicable to other platforms. The setting may be placed in any normal server start-up shell or profile that a site is using or in the server edaenv.cfg environment configuration file. The messages vary slightly by platform.

The edaprint messages are:

Configured security is 'ON' as set by EDAEXTSEC variable.
Server has no root privilege.
Workspace initialization aborted.
(EDA13171) UNABLE TO START SERVER

iWay Software