Consultor Eletrônico

Kbase P172490: What UNIX file permissions are required to run AdminServer as non-root?
Author   Progress Software Corporation - Progress
Access   Public
Published   29/09/2010
Status: Verified

GOAL:

What UNIX file permissions are required to run AdminServer as non-root?

GOAL:

What UNIX file permissions are required to run AdminServer with OpenEdge Management console installed, as non-root?

GOAL:

What UNIX file permissions are required to run AdminServer with OpenEdge Management remote monitoring configured, as non-root?

GOAL:

How to start the AdminServer using a non-root user?

FACT(s) (Environment):

UNIX
Linux
OpenEdge 10.1B
OpenEdge 10.1C
OpenEdge 10.2x
OpenEdge Management 3.1x
OpenEdge Management 3.2x

FIX:

Even though it is not stated in the installation guide, the expectation is that users configure file permissions as part of the OpenEdge installation. A key reason for this is that customers should set ownership and permissions according to their own company policy for files on host machines and software packages; one configuration will not apply to every customer, since there are many use cases.

The changes below are provided as a guide to what is required for the AdminServer and OpenEdge Management to function, together with some basic, generic security settings.

AdminServer / OE Management file permissions testing has been conducted using the following versions. Other service pack levels of the same version will most likely behave the same way, but this is not guaranteed, as there may be slight changes:

OpenEdge 10.1B03 with OpenEdge Management 3.1B03
OpenEdge 10.1C04 with OpenEdge Management 3.1C
OpenEdge 10.2A03 with OpenEdge Management 10.2A
OpenEdge 10.2B01 with OpenEdge Management 10.2B

AdminServer with OpenEdge Management versions prior to the embedded Sonic upgrade as per KBase P123676 will be different (9.1E04, 10.0B05, 10.2A02, 10.1B and prior).

Notes:
1. The OpenEdge (OE) and OE Management product installations must be performed by root user.
2. If enabling OE Management (fmconfig -enable) or remote AdminServer containers (fmconfig -enable -host <host>) the commands must be run by root user otherwise the commands will fail.
3. If using OE Management, run the commands below to change file permissions only after having enabled OE Management or remote containers. Otherwise, some files may revert to root-only permissions, which can cause the AdminServer or OE Management to fail to start when started by the Progress dba.
4. Ensure that all Progress processes are stopped prior to changing file permissions.
5. With certain OE Management versions, the chgrp and chmod commands will fail when run against the fathom.init.params file and the /var/tmp/Jetty__9090__* directories because they may not exist. This is expected and the errors can be ignored.
6. The following chgrp and chmod commands must be run by the root user.
7. The "progress" group should only be used for Progress dba users; non-dba users should not be part of this group. Non-dba users, such as typical Progress clients, should be part of a different group, say "progusers". The database files themselves should have "progusers" as their group with g+rw permissions. The directory containing the database files should also have the group "progusers" with r-x permissions (no write permission) to protect against somebody deleting the files from the UNIX shell. All "other" permissions should be removed from the database directory and files (chmod o-rwx <dbfiles>). The Progress dba should be a member of both the "progress" and "progusers" groups, listed comma-separated in the /etc/group file.
8. Administrators should generally use a script to apply the file permissions, since this configuration may need to be replicated, for example when installing on multiple host machines or after applying a service pack.


The examples below assume:
a) "progress" is the group that the non-root user (the dba) will be a part of.
b) "dlc" is the directory where OpenEdge is installed.
c) "wrk" is the OpenEdge working directory.
d) "oemgmt" is the OpenEdge Management installation directory.
e) "wrk_oemgmt" is the OpenEdge Management working directory.

The permissions below will:
a) Recursively change the group of all directories and files within dlc, oemgmt, wrk, wrk_oemgmt to "progress".
b) Add -rwxrwx--- permissions for all directories listed below, including those reached by a recursive (-R) chmod.
c) Add -rw-rw---- permissions for all files specified in the lists below, including those reached by a recursive (-R) chmod. The capital X with chmod sets the x bit on directories but does not add it to regular files that lack one.
d) Recursively remove --------w- (world write) permissions from all files and directories in the dlc and oemgmt directories.

Remember to change the group "progress" and the directory names within the following commands to suit your configuration.

If you have OpenEdge with no OE Management installed, OR
OpenEdge with OE Management remote monitoring enabled after having run fmconfig -enable -host <host> (OE Mgmt not installed):
chgrp -R progress dlc
chgrp -R progress wrk
chmod -R o-w dlc
chmod -R ug+rwX dlc/properties ; chmod -R o-rwx dlc/properties
chmod -R ug+rwX wrk


If you have OpenEdge with OE Management product installed and configured after having run fmconfig -enable (OE Mgmt console):
chgrp -R progress dlc
chgrp -R progress wrk
chgrp -R progress wrk_oemgmt
chgrp -R progress oemgmt
chgrp -R progress /var/tmp/Jetty__9090__*
chmod -R o-w dlc
chmod -R o-w oemgmt
chmod -R ug+rwX dlc/properties ; chmod -R o-rwx dlc/properties
chmod -R ug+rwX wrk
chmod -R ug+rwX wrk_oemgmt ; chmod -R o-rwx wrk_oemgmt
chmod -R ug+rwX oemgmt/MQ6.1/Fathom1 ; chmod -R o-rwx oemgmt/MQ6.1/Fathom1
chmod -R ug+rwX oemgmt/MQ6.1/SonicMQStore ; chmod -R o-rwx oemgmt/MQ6.1/SonicMQStore
chmod -R ug+rwX oemgmt/MQ6.1/log ; chmod -R o-rwx oemgmt/MQ6.1/log
chmod -R ug+rwX oemgmt/db ; chmod -R o-rwx oemgmt/db
chmod -R ug+rwX oemgmt/etc ; chmod -R o-rwx oemgmt/etc
chmod -R ug+rwX oemgmt/jspwork ; chmod -R o-rwx oemgmt/jspwork
chmod 770 oemgmt/web
chmod 770 oemgmt/config
chmod 770 /var/tmp/Jetty__9090__*
chmod 660 dlc/fathom.init.params
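Note 8 above recommends applying these permissions from a script so they can be re-applied after a service pack or on another host. The script below is an added example, not part of the KBase article or of the Progress product: it wraps the first (no OE Management) command set in a function, adds a verification pass that checks the properties the commands are meant to enforce (no world-writable entry under dlc, no "other" access to dlc/properties, correct group everywhere, ug+rw under wrk), and runs both against a constructed scratch tree with deliberately loose 777 modes. The group is a parameter that defaults to the caller's primary group purely so the demo runs on a machine without a "progress" group; on a real installation run it as root with the "progress" group and the real directories, after stopping all Progress processes (notes 4 and 6). The same pattern extends directly to the longer OE Management list.

```shell
#!/bin/sh
# Added example, not from the KBase article: the article's "OpenEdge without
# OE Management" permission set as a script, plus a verification pass.
# Assumptions (not from the article): the group is passed in, defaulting to
# the caller's primary group so the demo runs without a "progress" group; the
# scratch tree at the bottom is constructed here with deliberately loose modes.

# apply_oe_perms GROUP DLC WRK
# The chgrp/chmod sequence from the article, parameterised.
apply_oe_perms() {
    grp=$1; dlc=$2; wrk=$3
    chgrp -R "$grp" "$dlc"
    chgrp -R "$grp" "$wrk"
    chmod -R o-w "$dlc"
    chmod -R ug+rwX "$dlc/properties"; chmod -R o-rwx "$dlc/properties"
    chmod -R ug+rwX "$wrk"
}

# count_world_writable DIR: number of entries anyone on the host can modify.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# count_world_access DIR: entries with any "other" bit (r, w or x) set.
count_world_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# count_wrong_group GROUP DIR: entries not owned by the expected group.
count_wrong_group() {
    find "$2" ! -group "$1" | wc -l | tr -d ' '
}

# count_missing_ug_rw DIR: entries that owner or group cannot both read and write.
count_missing_ug_rw() {
    find "$1" ! -perm -660 | wc -l | tr -d ' '
}

# check_oe_perms GROUP DLC WRK: succeeds only when every rule the article's
# commands are meant to enforce actually holds; reports the first violation.
check_oe_perms() {
    grp=$1; dlc=$2; wrk=$3
    [ "$(count_world_writable "$dlc")" -eq 0 ] ||
        { echo "world-writable entry under $dlc"; return 1; }
    [ "$(count_world_access "$dlc/properties")" -eq 0 ] ||
        { echo "other-accessible entry under $dlc/properties"; return 1; }
    [ "$(count_wrong_group "$grp" "$dlc")" -eq 0 ] ||
        { echo "entry under $dlc not in group $grp"; return 1; }
    [ "$(count_wrong_group "$grp" "$wrk")" -eq 0 ] ||
        { echo "entry under $wrk not in group $grp"; return 1; }
    [ "$(count_missing_ug_rw "$wrk")" -eq 0 ] ||
        { echo "entry under $wrk without ug+rw"; return 1; }
    return 0
}

# make_scratch_tree: constructed stand-in for dlc and wrk (not a real
# installation), starting out world-writable so the fix is observable.
make_scratch_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/dlc/properties" "$root/dlc/bin" "$root/wrk"
    printf 'constructed\n' > "$root/dlc/properties/sample.properties"
    printf 'constructed\n' > "$root/dlc/bin/sample_tool"
    printf 'constructed\n' > "$root/wrk/sample.lg"
    chmod -R 777 "$root/dlc" "$root/wrk"   # deliberately wrong: world-writable
    echo "$root"
}

# Demo: lock down the constructed tree and confirm the rules hold.
OE_GROUP=${OE_GROUP:-$(id -gn)}
ROOT=$(make_scratch_tree)
echo "before: $(count_world_writable "$ROOT/dlc") world-writable entries under dlc"
apply_oe_perms "$OE_GROUP" "$ROOT/dlc" "$ROOT/wrk"
if check_oe_perms "$OE_GROUP" "$ROOT/dlc" "$ROOT/wrk"; then
    echo "after: permissions verified for group $OE_GROUP"
fi
rm -rf "$ROOT"
```

The check functions use only POSIX find predicates (-perm with a leading dash, -group), so they behave the same on Linux and the other UNIX platforms the article lists; check_oe_perms can be run on its own from cron or a post-install step to detect drift before the AdminServer fails to start for the dba.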