Environment
Situation
Verastream Host Integrator (VHI) services may be run with a non-root user account on Linux, Solaris, or AIX systems. This technical note describes the installation tasks and known limitations.
To enhance system security and comply with organizational security policies, many services and applications are run with a non-administrative (non-root) user account whenever possible. You must use a root account for installation tasks (and local authentication feature, if applicable), but typically can run processes as non-root.
Resolution
Installation Tasks
You must be logged in with root user permissions (su) to perform the following tasks.
- Create users and groups: You may wish to create a new non-root user and group specifically for running Host Integrator, such as vhiuser and vhigroup.
- Run installer: The Host Integrator installer creates new subdirectories for program files (typically located under /opt, /usr, or /usr/local) and /etc/vhi. To complete installation, refer to the Installation Guide at https://support.microfocus.com/manuals/vhi.html.
- Set file ownership: You can specify the desired non-root user and group ownership with the installer (using one of the following methods: menu option "o" in interactive custom installation, --owner option on the installer command line, or owner= line in the install-input file for an unattended automated installation).
- Configure system daemon: To have the services automatically start as system services, you need to add a script to your system init.d or rc.tcpip configuration.
For the sample script and installation instructions, see http://docs2.attachmate.com/verastream/vhi/7.1/en/topic/com.attachmate.vhi.vmc.help.online/tasks/vhi_mc_session_svr_sys_daemon.xhtml.
To run the services as a non-root user, create a new script that will run the provided sample script. Example for Solaris:
#!/bin/sh
# This script, run by root, starts Host Integrator as user vhiuser.
su vhiuser -c "/etc/init.d/vhi $1"
Modify your /etc/rc3.d/S99vhi symbolic link on Solaris, /etc/rc.d/init.d/vhi symbolic link on Linux, or /etc/rc.tcpip file on AIX to run the new script you created above.
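A fuller version of that wrapper, added here as an illustration rather than the vendor's sample script. It assumes the same vhiuser account and /etc/init.d/vhi path used in this note, restricts the forwarded action to a fixed allowlist so no caller-supplied text reaches the command string root hands to su, and checks the root, account and script preconditions before delegating:

```shell
#!/bin/sh
# Wrapper run by root (from rc/init) that runs the Host Integrator init
# script as the non-root service account. Assumed names: user "vhiuser"
# and the sample init script at /etc/init.d/vhi, both as in this note.
VHI_USER=vhiuser
VHI_INIT=/etc/init.d/vhi

# Succeed only for the init actions we intend to forward. Rejecting
# anything else keeps arbitrary text out of the "su -c" command string.
vhi_valid_action() {
    case "$1" in
        start|stop|restart|status) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the exact command line that will run under the service account.
# The action is validated first, so the result is always one of four
# fixed strings and never echoes caller-supplied text.
vhi_build_command() {
    vhi_valid_action "$1" || return 1
    printf '%s %s\n' "$VHI_INIT" "$1"
}

# Preconditions to check before delegating: we must be root, the service
# account must exist, and the init script must be present and executable.
vhi_check_prereqs() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    id "$VHI_USER" >/dev/null 2>&1 || { echo "no such user: $VHI_USER" >&2; return 1; }
    [ -x "$VHI_INIT" ] || { echo "not executable: $VHI_INIT" >&2; return 1; }
}

vhi_run() {
    cmd=$(vhi_build_command "$1") || { echo "usage: $0 {start|stop|restart|status}" >&2; return 2; }
    vhi_check_prereqs || return 1
    # "su -" gives vhiuser a clean login environment instead of root's.
    su - "$VHI_USER" -c "$cmd"
}

# Dispatch only when an action was given, so the file can be sourced
# (for example by a test) without touching su.
[ $# -eq 0 ] || vhi_run "$1"
```

Point your /etc/rc3.d/S99vhi link (Solaris), /etc/rc.d/init.d/vhi link (Linux) or /etc/rc.tcpip entry (AIX) at this file instead of the vendor script, exactly as described for the shorter wrapper.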
Note: If Host Integrator is configured to use local OS groups for authentication and authorization, you must run one of the services as root. See Local Authentication Requires Root Privileges below.
Testing Changes
It is recommended that you test manually stopping and starting services while logged in as the non-root user, and verify that services are automatically started after restarting the system.
- For more information on starting and stopping Host Integrator services manually, see KB 7021352.
- To verify services are successfully running, see KB 7021540.
- If services do not successfully start, check the operating system log as described in KB 7021303, Operating System Logs section.
Local Authentication Requires Root Privileges
One of the Host Integrator processes may need to run as root, depending on your Host Integrator version and security configuration:
If you enable local OS groups in Administrative Console (Management > Directories > Properties), then the Verastream Management Server service must run as root. However, this configuration is typically unnecessary, since version 7.x provides the following alternatives for authentication security:
- Secured administrative access using built-in "admin" user name and administrative password (set during installation or in Administrative Console).
- Improved support for LDAP directory services, such as Microsoft Active Directory. You can add users and groups from your directory server to the Administrator, Developer, and User authorization profiles.
If you determine that the Management Server or AADS component must run as root, the other services (Session Server, Host Emulator, etc.) can still run as non-root.
For more information on authentication and authorization security in Host Integrator, see KB 7021567.
Potential Resource Limitations for Non-Root Processes
Some system kernel versions may limit the number of threads or shared memory segments that can be created by non-root processes. You may need to adjust your system configuration. It is recommended that you test Host Integrator in your environment.