...
IBM i | At a minimum, limit non-trusted user accounts to object authority of use to the Universal Broker product library, UNVPRD510; the product temporary library, UNVTMP510; the command reference library, UNVCMDREF; the universal spool library, UNVSPL510; and all objects within these libraries. |
---|---|
HP NonStop | All files that the Broker creates or updates are located in either $SYSTEM.UNVLOG or $SYSTEM.UNVTRACE. The Broker does not need write access to its installation subvolume. |
UNIX | All files that the Broker creates or updates are located in the /var/opt/universal directory. This means that the Broker does not need write access to its installation directory or subdirectories. |
Windows | Universal Broker requires write access to its primary install directory (that is, .\Universal\UBroker), which serves as its default trace file location. |
z/OS | Universal Broker requires update access to its database files, which exist as HFS- or zFS-allocated datasets mounted on the z/OS Unix System Services (z/OS USS) file system. The Broker accesses HFS-allocated datasets using the UNVDB and UNVSPOOL ddnames in its STC JCL. The Broker accesses zFS-allocated datasets via its UNIX_DB_DATA_SET and UNIX_SPOOL_DATA_SET configuration options. |
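
The UNIX row above can be checked mechanically. The shell functions below are an added example, not part of the vendor documentation; the install path `/opt/universal` and the account name `ubroker` in the usage comment are assumptions to replace with your site's values.

```shell
#!/bin/sh
# Added example (not vendor code). Audits the UNIX rule above: the Broker
# account writes under /var/opt/universal and nowhere in its install tree.

# List paths under $1 that account $2 can modify, judged by ownership and
# mode bits: world-writable, owner-writable and owned by the account, or
# group-writable for one of the account's groups. Symlinks are skipped
# because their own mode bits are not meaningful.
writable_by() {
    wb_dir=$1 wb_user=$2
    {
        find "$wb_dir" ! -type l \
            \( -perm -0002 -o \( -user "$wb_user" -perm -0200 \) \) -print
        for wb_gid in $(id -G "$wb_user"); do
            find "$wb_dir" ! -type l -group "$wb_gid" -perm -0020 -print
        done
    } | sort -u
}

# audit_broker_paths INSTALL_DIR DATA_DIR USER
# Returns 0 only if USER can modify nothing under INSTALL_DIR and can
# write to DATA_DIR itself.
audit_broker_paths() {
    ab_install=$1 ab_data=$2 ab_user=$3 ab_rc=0
    ab_found=$(writable_by "$ab_install" "$ab_user")
    if [ -n "$ab_found" ]; then
        echo "FAIL: $ab_user can modify paths under $ab_install:"
        echo "$ab_found" | sed 's/^/  /'
        ab_rc=1
    fi
    if ! writable_by "$ab_data" "$ab_user" | grep -Fqx "$ab_data"; then
        echo "FAIL: $ab_user cannot write to $ab_data"
        ab_rc=1
    fi
    [ "$ab_rc" -eq 0 ] && echo "OK: $ab_user cannot modify $ab_install and can write to $ab_data"
    return "$ab_rc"
}

# Example invocation (install path and account name are assumptions):
#   audit_broker_paths /opt/universal /var/opt/universal ubroker
if [ "$#" -eq 3 ]; then
    audit_broker_paths "$@"
fi
```

The check reads ownership and mode bits only; POSIX ACLs or other extended permissions on the install tree need a separate review.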
Configuration Files
...
Windows | Although you can edit Universal Agent configuration files with any text editor (for example, Notepad), we recommend using the Universal Configuration Manager Control Panel application to set configuration options. |
---|
...
- Stopping and starting Universal Broker.
- Sending Universal Broker a Universal Control configuration refresh request, which instructs Universal Broker to reread all of its configuration files, including the UACL file (see Configuration Refresh).
Windows | Although you can edit the UACL file with any text editor (for example, Notepad), we recommend that you maintain UACL entries using the Universal Configuration Manager Control Panel application. The Universal Configuration Manager sends a configuration refresh request to the Universal Broker. Updated values take effect immediately, making it unnecessary to recycle the Broker to apply UACL changes. |
---|
...
IBM i | Universal Broker for IBM i runs with the UNVUBR510 user profile, which is created at product installation time. Any component started by Universal Broker inherits this user profile.
Removing *ALLOBJ Authority from UNVUBR510 User Profile
Given the extensive authority allowed by *ALLOBJ special authority, it is desirable to avoid its use when possible. As of PTF 0UC0126 for V1R2M1, it is possible to remove *ALLOBJ special authority from the UNVUBR510 user profile. However, removing *ALLOBJ from the UNVUBR510 user profile increases administrative complexity.
This can be accomplished with the following command:
Removing *SPLCTL Authority from UNVUBR510 User Profile
Use the following command to remove the UNVUBR510 user profile *SPLCTL authority:
Removing *ALLOBJ and *SPLCTL Authorities from UNVUBR510 User Profile
Use the following command to remove all special authority from the UNVUBR510 user profile:
|
---|---|
HP NonStop | Universal Broker itself does not require super.super privileges. For example, Universal Command (UCMD) Server may require super.super authority. Since the component inherits its user ID from the Broker, either the Broker must be running as super.super or the UCMD Server program must be owned by super.super and ProgID must be set for the server program file. |
UNIX | Although Universal Broker itself does not require superuser privileges, some Universal Agent server components (for example, UCMD Server and UEM Server) may require superuser authority to switch execution context to another user account, initialize group membership, or perform other privileged operations. |
Windows | The Universal Broker Windows service can be configured to execute with the Local System account or with a specially-configured Administrative account (see Windows Service). |
z/OS | The Universal Broker started task may execute with any OMVS user ID provided that account has read access to the BPX.DAEMON, BPX.SUPERUSER, and BPX.JOBNAME resources in the FACILITY class. |