Step 6. Configuring the Server With Different Security Providers

How to:

You can run the server in any of the following security provider modes:

The default security provider mode is OPSYS if you have satisfied the OPSYS requirements. Otherwise, the default provider mode is OFF. To apply a different security mode, To apply a different security provider, use the Web Console. To configure the server security provider, access the Control Menu, right-click Security Providers, and then select Change Providers.

Note: To revert to OFF, if OPSYS was previously set up, additional steps are required as outlined in the OPSYS setup steps below to properly revert.

If a 7.7.04 or higher refresh is performed on a prior server of 7.7.03 or lower and the EDAEXTSEC variable was used to control the security modes of DBMS, PTH, or LDAP, the variable should be removed from wherever it was set. The server security should be re configured using the Web Console method of setting the security provider.

You must satisfy the requirements described in How to Satisfy Security Provider OPSYS Requirements.

Some security modes need additional information before they can be configured and activated, such as the various LDAP parameters involved in connecting to and using a LDAP directory. The various parameters are displayed within the Web Console configuration page for each mode with help icons next to them. You can also find Web Console help in the Server Administration for UNIX, Windows, OpenVMS, IBM i, and z/OS manual. To access the manual on the Web Console:

  1. From the Web Console menu bar, select Help, then Contents and Search.

    The Web Console Help window opens.

  2. In the left pane, expand Server Administration. The various mode topics will appear under the Server Security topic.

Top of page

x
Procedure: How to Satisfy Security Provider OPSYS Requirements

To run a server in security provider mode OPSYS in OpenVMS, you must satisfy the following requirements. You must do this when you set up the server administration (iadmin) ID.

Although installation can be done by an ordinary user, the changes listed here require the SYSTEM ID.

Run MCR AUTHORIZE to add the following privileges to the iadmin ID.

Privilege

Function

Required for

CMKRNL

May change mode to kernel

Server impersonation features

IMPERSONATE

May impersonate another user

Server impersonation features

NETMBX

May create network device

Mailboxes *

PRMGBL

May create permanent global sections

IPC Shared Memory *

PRMMBX

May create permanent mailbox

IPC Control Pipes *

SYSGBL

May create system wide global sections

IPC Shared Memory *

SYSNAM

May insert in system logical name table

IPC Control Pipes *

SYSPRV

May access objects using system protection

Creating system logical tables* and server security features

TMPMBX

May create temporary mailbox

Mailboxes *

WORLD

May affect other processes in the world

Control of impersonated processes

SYSLCK

May lock system wide resources

Adapter for Progress only *

* Also required for non-secured servers.

Any additional privileges or changes in quota required by particular underlying databases must also be authorized and customized in the EDAENV.PRM file, as described in How to Add/Change Privileges and Quotas (EDAENV.PRM).

The default minimal quota resources are also contained in the default EDAENV.PRM file. You do not need to have values explicitly declared in the UAF or SYSTEM tables, provided the iadmin user ID has IMPERSONATE privileges. However, some situations may require quotas to be increased (for instance, if there are problems accessing very large databases). This is also done by customizing the EDAENV.PRM file, as described below.


Top of page

x
Procedure: How to Add/Change Privileges and Quotas (EDAENV.PRM)

You can create privilege and quota settings using a configuration file (EDAENV.PRM). To customize the settings:

EDAENV.PRM edit rules:

The EDAENV.PRM file should not be confused with the EDAENV.COM file, which is used for running additional OpenVMS commands (typically logical declarations) at startup. An example of EDAENV.PRM follows:

io_direct = 200
queue_limit = 100
page_file = 2097152
buffer_limit = 800000
io_buffered = 200
ast_limit = 300
working_set = 3076
maximum_working_set = 8192
extent = 10240
file_limit = 4096
enqueue_limit = 4000
job_table_quota = 10000
priority = 4
privilege_1 : TMPMBX, NETMBX, PRMMBX
privilege_2 : PRMGBL, SYSGBL, SYSNAM
privilege_3 : SYSPRV, CMKRNL, WORLD
privilege_4 : SYSLCK, IMPERSONATE

iWay Software