Choosing a Security Mode

You can run the server in any of the following security modes:

The default security mode is OPSYS if you have satisfied the OPSYS requirements. Otherwise, the default mode is OFF. To apply a different security mode, configure server security in the Web Console.

For the requirements for activating security mode OPSYS, see How to Configure Security Mode OPSYS.

Some security modes need to be configured before you can activate them. You can see a full description of all server security modes in the Web Console help, and also in the Server Administration for UNIX, Windows, OpenVMS, IBM i, and z/OS manual. To see it in the Web Console:

  1. From the Web Console menu bar, select Help, then Contents and Search.

    The Web Console Help window opens.

  2. In the left pane, expand Server Administration.

Procedure: How to Configure Security Mode OPSYS

To run a server in security mode OPSYS in UNIX, you must perform the following steps. You must do this once after installing or refreshing the server.

Set up tscom300.out as a root-owned SUID program:

  1. If the server is running, bring it down.
  2. Log on to the system as root, or issue the su root command.
  3. Change your current directory to the bin directory of the home directory created during the installation procedure.

    For example, type the following command:

    cd /home/iadmin/ibi/srv77/home/bin
  4. Change the file ownership and permissions by typing the following commands:
    chown root tscom300.out
    chmod 4555 tscom300.out
  5. Verify your changes by issuing the following command:
    ls -l tscom300.out

    The output should be similar to the following:

    -r-sr-xr-x 1 root iadmin 123503 Aug 23 04:45 tscom300.out

    Note the permissions and ownerships.

When you start the server, it will now run in security mode OPSYS (unless an EDAEXTSEC value overrides this).

This step must be repeated after any server upgrade, since the file is replaced during the upgrade.
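
The ownership and permission check from step 5, written so it can be rerun after each upgrade. This is an added example, not part of the product documentation; the function name check_suid_binary, its optional expected-UID argument, and the script name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: re-runnable form of the "ls -l tscom300.out" check in step 5.
# check_suid_binary FILE [EXPECTED_UID]
#   Returns 0 when FILE is a regular file owned by EXPECTED_UID (default 0,
#   root) with permissions -r-sr-xr-x (mode 4555); otherwise explains on
#   stderr and returns 1. The function name and EXPECTED_UID argument are
#   illustrative, not part of the product.
check_suid_binary() {
    file=$1
    want_uid=${2:-0}
    want_perms='-r-sr-xr-x'
    status=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file" >&2
        return 1
    fi

    # ls -n prints the numeric owner, so no passwd lookup is involved.
    # substr() drops a trailing '.' or '+' (SELinux/ACL marker) if present.
    line=$(ls -ldn -- "$file" | awk '{ print substr($1, 1, 10), $3 }')
    perms=${line% *}
    uid=${line#* }

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $file owner uid is $uid, expected $want_uid" >&2
        status=1
    fi
    if [ "$perms" != "$want_perms" ]; then
        echo "FAIL: $file permissions are $perms, expected $want_perms" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $file is $perms, owner uid $uid"
    return "$status"
}

# Run as (script name is arbitrary):
#   sh check_opsys.sh /home/iadmin/ibi/srv77/home/bin/tscom300.out
if [ "$#" -gt 0 ]; then
    check_suid_binary "$1" || exit 1
fi
```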


Preventing Unsecured Server Starts After Upgrades

If the explicit environment variable EDAEXTSEC is set to OPSYS (or ON) and the server cannot impersonate users because the platform-specific authorization steps have not been performed, the server start aborts and error messages are written to the edaprint log.

This feature prevents an unsecured server start after a software upgrade if any of the required post-upgrade reauthorization steps are missed on a UNIX, IBM i, or z/OS HFS deployment. It is not applicable to other platforms. The setting may be placed in any normal server start-up shell or profile that a site uses, or in the server edaenv.cfg configuration file. The messages vary slightly by platform.

The edaprint messages are:

Configured security is 'ON' as set by EDAEXTSEC variable.
Server has no root privilege.
Workspace initialization aborted.
(EDA13171) UNABLE TO START SERVER

iWay Software