Step 6. Configuring the Server With Different Security Modes

In this section:

Preventing Unsecured Server Starts After Upgrades

How to:

Satisfy Security Mode OPSYS Requirements

You can run the server in any of the following security modes:

OFF, in which access to data sources and the Web Console is unrestricted. Users do not need to provide a password.
OPSYS, each connecting user is authenticated against the IBM i security subsystem, and the data agents impersonate the user ID to control access rights to data files and DBMS objects. Access to the Web Console administrative functions is protected by user authentication at the operating system level.
PTH, in which access to the Web Console is controlled by authentication against the user list defined at the configuration level.
DBMS, in which access to data sources and the Web Console is controlled by authentication against the database list of user IDs. Control of data resources can be accomplished by creating different profiles.
LDAP, in which access to data resources and the Web Console is controlled by authentication through the established directory.

The default security mode is OPSYS if you have satisfied the OPSYS requirements. Otherwise, the default mode is OFF. To apply a different security mode, configure server security in the Web Console.

You must satisfy the requirements described in How to Satisfy Security Mode OPSYS Requirements.

Some security modes need to be configured before you can activate them. You can see a full description of all server security modes in the Web Console help, and also in the Server Administration for UNIX, Windows, OpenVMS, IBM i, and z/OS manual. To see it in the Web Console:

From the Web Console menu bar, select Help, then Contents and Search.
The Web Console Help window opens.
In the left pane, expand Server Administration.

Top of page

Procedure: How to Satisfy Security Mode OPSYS Requirements

To run a server in security mode OPSYS in IBM i, you must satisfy the following requirements. You must complete these steps once after installing and repeat them after any server upgrade.

Certain files must be owned and run under the QSECOFR profile or a QSECOFR-authorized ID (such as iserver) that allows impersonation for the OPSYS security mode. Running with security mode OPSYS requires users to send a password to connect to the server, or to use some other form of verification. Although general installation of the server software is done by iadmin (an ordinary user ID), this step requires QSECOFR authority.

To change ownerships, do the following:

Log on as QSECOFR.
Using the library specified during the installation, change the file ownership by entering the following commands:
```
CHGOBJ    OBJ(SRV77/TSCOM300) USRPRF(*OWNER)
CHGOBJOWN OBJ(SRV77/TSCOM300) OBJTYPE(*PGM) NEWOWN(QSECOFR)
```

This step will need to be repeated after any sever upgrade since these files are replaced during upgrade.

Top of page

Preventing Unsecured Server Starts After Upgrades

If the explicit environment variable EDAEXTSEC is set to OPSYS (or ON) and the server cannot impersonate users because it lacks platform-specific authorization steps, the server start aborts and error messages are written to the edaprint log.

This feature prevents an unsecured server start after a software upgrade if any of the required post-upgrade, reauthorization steps are missed on a UNIX, IBM i, or z/OS HFS deployment. This is not applicable to other platforms. The setting may be placed in any normal server start-up shell or profile that a site is using or in the server edaenv.cfg configuration file. The messages vary slightly by platform.

The edaprint messages are:

Configured security is 'ON' as set by EDAEXTSEC variable.

TSCOM300.PGM has no QSECOFR authority.

Workspace initialization aborted.

(EDA13171) UNABLE TO START SERVER

iWay Software