Running Verastream Host Integrator Using a Root or Non-Root UserID
Technical Note 10016
Last Reviewed 25-Jun-2010
Applies To
Verastream Host Integrator version 6.0 or higher
Summary
Verastream Host Integrator (VHI) services may be run with a non-root user account on Linux, Solaris, or AIX systems. This technical note describes the installation tasks and known limitations.
Root vs. Non-Root
To enhance system security and comply with organizational security policies, many services and applications are run with a non-administrative (non-root) user account whenever possible. You must use a root account for installation tasks (and for the local authentication feature, if applicable), but you can typically run the processes as a non-root user.
Installation Tasks
You must be logged in with root user permissions (su) to perform the following tasks.
- Create users and groups: You may wish to create a new non-root user and group specifically for running Host Integrator, such as vhiuser and vhigroup.
- Run installer: The Host Integrator installer creates new subdirectories for program files (typically located under /opt, /usr, or /usr/local) and /etc/vhi. To complete installation, refer to the Installation Guide at http://support.attachmate.com/manuals/vhi.html.
- Set file ownership:
  - Version 7.0: You can specify the desired non-root user and group ownership with the installer, using one of the following methods: menu option "o" in interactive custom installation, the --owner option on the installer command line, or the owner= line in the install-input file for an unattended automated installation.
  - Version 6.6 or earlier: You must change ownership after installation. For example:
        chown -R vhiuser:vhigroup /usr/vhi
- Configure system daemon: To have the services automatically start as system services, you need to add a script to your system init.d or rc.tcpip configuration.
To run the services as a non-root user, create a new script that will run the provided sample script. Example for Solaris:
    #!/bin/sh
    # This script, run by root, starts Host Integrator as user vhiuser.
    su vhiuser -c "/etc/init.d/vhi $1"
Modify your /etc/rc3.d/S99vhi symbolic link on Solaris, /etc/rc.d/init.d/vhi symbolic link on Linux, or /etc/rc.tcpip file on AIX to run the new script you created above.
Note: If Host Integrator is configured to use local OS groups for authentication and authorization, you must run one of the services as root. See Local Authentication Requires Root Privileges below.
Testing Changes
It is recommended that you test manually stopping and starting services while logged in as the non-root user, and verify that services are automatically started after restarting the system.
- For more information on starting and stopping Host Integrator services manually, see Technical Note 10004.
- To verify services are successfully running, see Technical Note 10054.
- If services do not successfully start, check the operating system log as described in Technical Note 40032, Operating System Logs section.
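The following checks are an added example, not part of the original technical note or the product: they confirm that the ownership change took effect across the install tree and show which processes under that tree still run as root. The function names and the idea of matching processes by install path prefix are assumptions; /usr/vhi, vhiuser and vhigroup come from the chown example above.

```shell
#!/bin/sh
# Added example: audit a Host Integrator install tree and its processes after
# switching to a non-root account. Function names are assumptions.
#
# Usage, as root (path and account names from the chown example in this note):
#   wrong_owner /usr/vhi vhiuser vhigroup
#   world_writable /usr/vhi
#   ps -e -o user= -o args= | root_procs /usr/vhi

# Print every path under DIR not owned by USER:GROUP (names or numeric IDs).
# Returns 0 if the tree is clean, 1 if something was printed, 2 if find failed.
wrong_owner() {
    out=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print) || return 2
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Print files and directories under DIR that any local account can modify;
# these would let another user replace what the service account executes.
world_writable() {
    out=$(find "$1" \( -type f -o -type d \) -perm -0002 -print) || return 2
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Read "user args" lines on stdin and print processes started from PREFIX
# that still run as root. A Management Server (7.0 with local OS groups) or
# AADS (6.6 and earlier with security enabled) process is expected here.
root_procs() {
    awk -v p="$1" '$1 == "root" && index($2, p) == 1 { print }'
}
```

Any path printed by wrong_owner after a version 6.6 installation usually means the chown was run on the wrong directory or files were added later by root.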
Local Authentication Requires Root Privileges
One of the Host Integrator processes may need to run as root, depending on your Host Integrator version and security configuration:
- Version 7.0: If you enable local OS groups in Administrative Console (Management > Directories > Properties), then the Verastream Management Server service must run as root. However, this configuration is typically unnecessary, since version 7.0 provides the following alternatives for authentication security:
  - Secured administrative access using built-in "admin" user name and administrative password (set during installation or in Administrative Console).
  - Improved support for LDAP directory services, such as Microsoft Active Directory. You can add users and groups from your directory server to the Administrator, Developer, and User authorization profiles.
- Version 6.6 and earlier: If security is enabled in Administrative WebStation (Host Integrator Setup > Security), then the AADS service must run as root. This configuration is recommended to secure administrative access. For more information, see Technical Note 10079.
If you determine that the Management Server or AADS component must run as root, the other services (Session Server, Host Emulator, etc.) can still run as non-root.
For more information on authentication and authorization security in Host Integrator, see Technical Note 10110.
Potential Resource Limitations for Non-Root Processes
Some system kernel versions may limit the number of threads or shared memory segments that can be created by non-root processes. You may need to adjust your system configuration. It is recommended that you test Host Integrator in your environment.
Related Technical Notes
| Technical Note | Title |
|---|---|
| 10004 | Manually Starting and Stopping VHI Services |
| 10054 | How to Verify Verastream Servers are Running |
| 10079 | Verastream Host Integrator 6.x Security |
| 10110 | Authorization Security in Verastream Host Integrator |
| 40032 | Verastream Host Integrator Server Logging |
| 40999 | Verastream Host Integrator Technical Notes |