|
How to: |
The default security provider for a new installation is the internal security provider, PTH. The PTH provider implements security using user IDs, passwords, and group memberships stored in the admin.cfg configuration file.
After the initial installation, the Server Administrator that was configured during the installation can start the server and use the Web Console to further customize security settings, for example, to configure alternate or additional security providers, create additional PTH IDs, and register groups and users in a security role. For more information about security providers, see the Server Security chapter in the Server Administration manual.
To run a server with security provider OPSYS in OpenVMS, you must satisfy the following requirements. You must do this when you set up the server administration (iadmin) ID.
Although installation can be done by an ordinary user, the changes listed here require the SYSTEM ID.
Run MCR AUTHORIZE to add the following privileges to the iadmin ID.
|
Privilege |
Function |
Required for |
|---|---|---|
|
CMKRNL |
May change mode to kernel |
Server impersonation features |
|
IMPERSONATE |
May impersonate another user |
Server impersonation features |
|
NETMBX |
May create network device |
Mailboxes * |
|
PRMGBL |
May create permanent global sections |
IPC Shared Memory * |
|
PRMMBX |
May create permanent mailbox |
IPC Control Pipes * |
|
SYSGBL |
May create system wide global sections |
IPC Shared Memory * |
|
SYSNAM |
May insert in system logical name table |
IPC Control Pipes * |
|
SYSPRV |
May access objects using system protection |
Creating system logical tables* and server security features |
|
TMPMBX |
May create temporary mailbox |
Mailboxes * |
|
WORLD |
May affect other processes in the world |
Control of impersonated processes |
|
SYSLCK |
May lock system wide resources |
Adapter for Progress only * |
* Also required for non-secured servers.
Any additional privileges or changes in quota required by particular underlying databases must also be authorized and customized in the EDAENV.PRM file, as described in How to Add/Change Privileges and Quotas (EDAENV.PRM).
The default minimal quota resources are also contained in the default EDAENV.PRM file. You do not need to have values explicitly declared in the UAF or SYSTEM tables, provided the iadmin user ID has IMPERSONATE privileges. However, some situations may require quotas to be increased (for instance, if there are problems accessing very large databases). This is also done by customizing the EDAENV.PRM file, as described below.
You can create privilege and quota settings using a configuration file (EDAENV.PRM). To customize the settings:
EDAENV.PRM edit rules:
The EDAENV.PRM file should not be confused with the EDAENV.COM file, which is used for running additional OpenVMS commands (typically logical declarations) at startup. An example of EDAENV.PRM follows:
io_direct = 200 queue_limit = 100 page_file = 2097152 buffer_limit = 800000 io_buffered = 200 ast_limit = 300 working_set = 3076 maximum_working_set = 8192 extent = 10240 file_limit = 4096 enqueue_limit = 4000 job_table_quota = 10000 priority = 4 privilege_1 : TMPMBX, NETMBX, PRMMBX privilege_2 : PRMGBL, SYSGBL, SYSNAM privilege_3 : SYSPRV, CMKRNL, WORLD privilege_4 : SYSLCK, IMPERSONATE
| WebFOCUS | |
|
Feedback |