Step 6. Configuring the Server With Different Security Modes

The default security mode is OPSYS if you have satisfied the OPSYS requirements. Otherwise, the default mode is OFF. To apply a different security mode, configure server security in the Web Console.

Some security modes need to be configured before you can activate them. You can see a full description of all server security modes in the Web Console help, and also in the Server Administration for UNIX, Windows, OpenVMS, IBM i, and z/OS manual. To see it in the Web Console:

Procedure: How to Satisfy Security Mode OPSYS Requirements

To run a server in security mode OPSYS in OpenVMS, you must satisfy the following requirements. You must do this when you set up the server administration (iadmin) ID.

Although installation can be done by an ordinary user, the changes listed here require the SYSTEM ID.

Run MCR AUTHORIZE to add the following privileges to the iadmin ID.

Privilege	Function	Required for
CMKRNL	May change mode to kernel	Server impersonation features
IMPERSONATE	May impersonate another user	Server impersonation features
NETMBX	May create network device	Mailboxes *
PRMGBL	May create permanent global sections	IPC Shared Memory *
PRMMBX	May create permanent mailbox	IPC Control Pipes *
SYSGBL	May create system wide global sections	IPC Shared Memory *
SYSNAM	May insert in system logical name table	IPC Control Pipes *
SYSPRV	May access objects using system protection	Creating system logical tables* and server security features
TMPMBX	May create temporary mailbox	Mailboxes *
WORLD	May affect other processes in the world	Control of impersonated processes
SYSLCK	May lock system wide resources	Adapter for Progress only *

* Also required for non-secured servers.

Any additional privileges or changes in quota required by particular underlying databases must also be authorized and customized in the EDAENV.PRM file, as described in How to Add/Change Privileges and Quotas (EDAENV.PRM).

The default minimal quota resources are also contained in the default EDAENV.PRM file. You do not need to have values explicitly declared in the UAF or SYSTEM tables, provided the iadmin user ID has IMPERSONATE privileges. However, some situations may require quotas to be increased (for instance, if there are problems accessing very large databases). This is also done by customizing the EDAENV.PRM file, as described below.

Procedure: How to Add/Change Privileges and Quotas (EDAENV.PRM)

You can create privilege and quota settings using a configuration file (EDAENV.PRM). To customize the settings:

Copy the default EDAHOME [.BIN]EDAENV.PRM file to EDACONF [.BIN].
Edit and customize the EDACONF [.BIN]EDAENV.PRM file as needed (for edit rules, see below).
Recycle the server.
Repeat as needed until the desired effect is achieved (for example, until the page file quota is large enough to access large files).

EDAENV.PRM edit rules:

Changing quota values are simply edited values.
To add a quota, use the form name=value with one declaration per line. Actual names follow the standard OpenVMS names for resources.
Privilege declarations lines have the format Privilege_n : privilege [, privilege, ...], where n is any integer from 1 to 99. The value for n must be unique among the Privilege_n lines. Any number of comma-separated privilege names per line may be declared, but each Privilege_n line must be on separate lines. Privilege names follow the standard OpenVMS names for these privileges.

The EDAENV.PRM file should not be confused with the EDAENV.COM file, which is used for running additional OpenVMS commands (typically logical declarations) at startup. An example of EDAENV.PRM follows:

io_direct = 200
queue_limit = 100
page_file = 2097152
buffer_limit = 800000
io_buffered = 200
ast_limit = 300
working_set = 3076
maximum_working_set = 8192
extent = 10240
file_limit = 4096
enqueue_limit = 4000
job_table_quota = 10000
priority = 4
privilege_1 : TMPMBX, NETMBX, PRMMBX
privilege_2 : PRMGBL, SYSGBL, SYSNAM
privilege_3 : SYSPRV, CMKRNL, WORLD
privilege_4 : SYSLCK, IMPERSONATE