Credentials to Run Optim Processes

Every Optim™ process initiated by a client, whether online (from a Request Editor) or from the Command Line Interface or the ODBC Interface, is run in its own process under the Server. This allows you to start individual processes under explicit user credentials and run multiple processes simultaneously without interfering with each other.

You can choose the credentials used to start these processes.

These credentials determine the network access allowed for the process, and, for Oracle OS Authentication or the Informix® Loader, the User ID used for DBMS access.

The credentials are verified by the system and must include a valid User ID known to the specified security provider. For Windows, an actual logon for the specified user occurs and the process is started under those credentials, as if the user logged on from the console directly. For UNIX or Linux, the effective User ID and Group ID for the process are changed to the credentials specified for running Optim processes.

Run Under Server Credentials

You can run processes under the authentication provided by the Server credentials. This limits access to the files local to the Server machine or, at least, to the files that are accessible with the Server credentials.

Select Server credentials for processes, as follows:

Windows
On the Security tab of the Optim Server Settings applet, select Server for the File Input/Output option and select the Only files local to this Server may be accessed check box.
UNIX or Linux
For pstserv.cfg, set the filelogon parameter to “local”.

Note the following when you use the Server credentials to run processes:

  • For Windows, a service running under Local System Account cannot be logged on to the network. (See UNC Network Share Access (Windows) for more information.)
  • Oracle OS Authentication will run under the user that started the service (Windows) or daemon (UNIX or Linux). Oracle requires a known User ID (established by an administrator); therefore, you cannot use the Local System Account for Windows. Informix Loader, which uses credentials for the currently logged on user, also requires a known User ID. (For more information, see Oracle OS Authentication.)
  • For UNIX or Linux, mount points for networked shares or file access are allowed according to the effective User or Group accounts for the process. Therefore, all processes can use files available to the User account under which the Server daemon is started. (For more information, see UNIX or Linux File Access.)

Run Under Explicit Credentials

You can run processes under an explicit user account to control network access and DBMS logons that use the account for the process (for Oracle OS Authentication and Informix Loader).

You can use the Server to access Optim Directories, DB Aliases, and network shares that individual clients cannot access, and simply restrict the users that can log on to the Server machine. You must require that the credentials in the Optim Server Settings applet (Windows) or pstserv.cfg (UNIX or Linux) be used instead of credentials from the initiating clients, as follows:

Windows
On the Security tab of the Optim Server Settings applet, select Server for the File Input/Output option, clear the Only files local to this Server may be accessed check box, and provide explicit credentials in User ID, Password, and Domain.
UNIX or Linux
For pstserv.cfg, set the filelogon parameter to “server” and provide an explicit User ID and password.
Note: The Server credentials must have specific rights, as specified in Server Privileges for Explicit or Client Credentials.

Run Under Client Credentials

You can run processes under the credentials from the workstation used to initiate the process. The process is run with the same rights as if it were run on the initiating machine as a LOCAL request.

Require the use of initiating credentials on the Server as follows:

Windows
On the Security tab of the Optim Server Settings applet, select Client for the File Input/Output option.
UNIX or Linux
For pstserv.cfg, set the filelogon parameter to “client”.

Also, on each initiating machine, you must provide the credentials for the Server.

Windows
On the Server tab in Personal Options, enter the credentials for all (Default) or individual Servers.
UNIX or Linux
In pstlocal.cfg, specify the credentials on each server parameter.
Note: The Server credentials must have specific rights, as specified in Server Privileges for Explicit or Client Credentials.
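
The following added example (not part of the product or its documentation) reports which of the three credential modes a UNIX or Linux Server is configured for and, in “server” mode, whether the file that holds the explicit account is accessible to other users. It assumes the parameter is written on one line as filelogon followed by the mode and, for “server”, the User ID and password, and that lines starting with # are comments; the function names and the sample account are hypothetical.

```shell
#!/bin/sh
# Added example: report the credential mode set in a pstserv.cfg-style file.
# Assumed syntax (verify against your release): "filelogon <mode> [userid password]",
# one parameter per line, '#' starting a comment line.

# Print the filelogon mode (local, server, client) or "unset" if absent.
filelogon_mode() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "filelogon" { m = tolower($2); gsub(/"/, "", m); mode = m }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Succeed only if group and other have no permission bits on the file.
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# One-line summary of what the setting means for process credentials.
audit_filelogon() {
    mode=$(filelogon_mode "$1")
    case "$mode" in
        local)  echo "local: processes run under the Server credentials" ;;
        client) echo "client: processes run under the initiating client's credentials" ;;
        server)
            if is_owner_only "$1"; then
                echo "server: explicit account; file is owner-only"
            else
                echo "server: explicit account; WARNING file is accessible to group/other"
            fi ;;
        *)      echo "unknown: filelogon is '$mode'"; return 1 ;;
    esac
}

# Constructed sample, not taken from a real installation.
demo_cfg=$(mktemp)
printf '%s\n' '# sample' 'filelogon server optimsvc PLACEHOLDER' > "$demo_cfg"
chmod 644 "$demo_cfg"
audit_filelogon "$demo_cfg"
rm -f "$demo_cfg"
```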

