Universal Data Mover Server Security

Universal Data Mover Server is designed to be a secure system. As the level of security rises, so does the administrative complexity of the system. Universal Data Mover Server balances the two, avoiding unnecessary administrative complexity with a minimum sacrifice of security.

Universal Data Mover Server security concerns are:

  • Access to product data sets
  • Access to Universal Agent configuration files
  • Universal Broker user account
  • Privacy and integrity of transmitted network data
  • User authentication

File Permissions

Only trusted user accounts should have write permission to the Universal Data Mover Server installation directory and sub-directories, and all of the files within them.
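The write-permission rule above can be checked mechanically. The following script is an added example, not part of the product documentation or the product's own tooling: it lists every file or directory under an installation directory that is writable by group or others, and builds a constructed sample tree (the directory names and the file names udmsrv and udms.conf are assumptions) so the check can be exercised without a real installation.

```shell
#!/bin/sh
# Added example (not part of the product documentation): find files and
# directories under an installation directory that are writable by group
# or others, i.e. by accounts other than the owner.
# Assumption: the installation directory path is supplied by the caller.

# Print every path under $1 that is group- or world-writable.
udm_list_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# Print the number of such paths (0 means the tree passes the check).
udm_count_writable() {
    udm_list_writable "$1" | wc -l | tr -d ' '
}

# Build a constructed sample installation tree with correct permissions,
# so the check can be demonstrated without a real installation.
# The sub-directory and file names are assumptions, not product paths.
udm_make_sample_install() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/conf" "$tmp/log"
    : > "$tmp/bin/udmsrv"
    : > "$tmp/conf/udms.conf"
    chmod 755 "$tmp" "$tmp/bin" "$tmp/conf" "$tmp/log" "$tmp/bin/udmsrv"
    chmod 644 "$tmp/conf/udms.conf"
    printf '%s\n' "$tmp"
}

# Stand-alone use (the path is an assumption):
#   sh audit_writable.sh /opt/universal
if [ "$#" -gt 0 ]; then
    n=$(udm_count_writable "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: nothing under $1 is writable by group or others"
    else
        echo "WARNING: $n path(s) under $1 are writable by group or others:"
        udm_list_writable "$1"
    fi
fi
```

Run it against the real installation directory on a schedule and treat any output as a finding; the symbolic -perm tests are POSIX, so the same script works on Linux and the commercial UNIX platforms.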
 

IBM i

Object Permissions
 
Only administrator accounts should have write permission to the following Universal Agent libraries (and all objects within these libraries):

  • Installation library, UNVPRD510 (by default)
  • Product temporary library, UNVTMP510
  • Universal spool library, UNVSPL510

For maximum security, only trusted accounts (administrators and the UNVUBR510 user profile) should have management, existence, alter, add, update or delete authority to these objects. As a reminder, the system value QCRTAUT controls public access authority to created objects unless overridden by specific commands.

z/OS

Data Set Permissions
 
Only trusted user accounts should have write permission to the Universal Data Mover Server installation data sets. No general user access is required.

Configuration Files

Only trusted user accounts should have write access to the Universal Data Mover Server configuration files.
 

Windows

Although you may edit configuration files with any text editor (for example, Notepad), we recommend that you manage configuration options using the Universal Configuration Manager Control Panel application. Only user accounts in the Administrator group can execute the Universal Configuration Manager.

Universal Data Mover Server User ID

Universal Data Mover Server requires read access to its installation directory and its working directory (defined in the component definition).
 

UNIX

If user security is activated, the Server requires root access to create processes that execute with another user's identity. The Server's security identity is inherited from the Broker. If the Broker is running under a non-root user ID, the Server program must be owned by root and have the set-user-ID-on-execution (setuid) permission bit set.
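Because a setuid-root program runs with root's identity, it is worth verifying not only that the bit and the owner are as required, but also that nobody other than the owner can modify the file. The script below is an added example, not part of the product documentation or the product's own tooling; the program path is an assumption taken from the component definition, and the expected owner is a numeric uid parameter (default 0, root) so the check can be exercised on a constructed file without privileges.

```shell
#!/bin/sh
# Added example (not part of the product documentation): verify that a server
# program meets the setuid-root requirement described above, and that the
# setuid binary cannot be modified by anyone other than its owner.
# Assumptions: $1 is the path of the Server program; $2 is the numeric uid
# that must own it (defaults to 0, i.e. root), made a parameter so the check
# can be exercised on a constructed file without privileges.

udm_check_setuid_server() {
    f="$1"
    want_uid="${2:-0}"
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is not a regular file"
        return 1
    fi
    # ls -ln prints the numeric uid in the third column (POSIX).
    uid=$(ls -lnd "$f" | awk '{print $3}')
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $f is owned by uid $uid, expected uid $want_uid"
        return 1
    fi
    # test -u is true when the set-user-ID bit is set.
    if [ ! -u "$f" ]; then
        echo "FAIL: $f does not have the set-user-ID bit set"
        return 1
    fi
    # A setuid binary writable by group or others could be replaced by an
    # unprivileged account and would then run with the owner's identity.
    if [ -n "$(find "$f" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "FAIL: $f is writable by group or others"
        return 1
    fi
    echo "OK: $f is setuid, owned by uid $want_uid, and not group/world writable"
    return 0
}

# Stand-alone use (the path is an assumption, taken from the component definition):
#   sh check_setuid.sh /opt/universal/bin/udmsrv
if [ "$#" -gt 0 ]; then
    udm_check_setuid_server "$1" "${2:-0}"
fi
```

The function returns 0 only when all four conditions hold, so it can be used directly in a post-installation check or a monitoring job; each failure message names the condition that was violated.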

z/OS

Universal Data Mover Server requires read access to its installation data sets and its HFS working directory (defined in the component definition).

Universal Data Mover Server User Profile


IBM i

If user security is activated, the UDM Server for IBM i requires, by default, *ALLOBJ authority to switch user profiles. This *ALLOBJ authority requirement may be removed. The UDM Server initially inherits authority from the UNVUBR510 user profile. Following the switch to the user profile, the UDM Server runs under the authority of the user initiating the data transfer.
 
The UNVUBR510 user profile requires *SPLCTL authority in order to provide Universal Submit Job with job logs in specific limited situations. The *SPLCTL authority requirement can be removed. Removing *SPLCTL from the UNVUBR510 user profile may prevent the job log processing in limited situations.
 
(See Universal Broker User Account for information on removing the *ALLOBJ and *SPLCTL authorities.)

User Authentication

User authentication is the process of verifying that a user is known and valid to the system. The process used by UDM Server requires the user to provide a user name / ID and a password. The UDM Server passes the name / ID and password to the operating system for verification; this is referred to as logging on the user.
 

IBM i

For IBM i, user authentication is optional. However, if security is enabled, a user name / ID and password are required in order to verify the user's credentials. With security enabled, you transfer files using a specific user's security context.

UNIX

For UNIX, user authentication is optional. However, if security is enabled, a user name / ID and password are required in order to verify the user's credentials. With security enabled, you transfer files using a specific user's security context.
 
Universal Data Mover can use three different types of user authentication methods:

  1. Default authentication uses the UNIX traditional password comparison method.
  2. PAM authentication uses the PAM API to authenticate users. The PAM modules of the authentication and account types are called. This option is available only on certain UNIX platforms.
  3. HP-UX Trusted Security uses the HP-UX Trusted Security APIs to authenticate users. This method is available only on Hewlett Packard HP-UX platforms.

HP-UX 11.00 and later

By default, supplemental group memberships are recorded in the /etc/group file. However, if an /etc/logingroup file exists, it governs all supplemental group memberships and effectively overrides the entries in /etc/group.
 

Note

/etc/logingroup is not required to record supplemental group membership. If /etc/logingroup does not exist, /etc/group is sufficient to record the groups to which a user belongs.

 
If any Universal Agent component fails to access system resources that are secured based on supplemental group membership, make sure that the authenticated user has an entry in /etc/logingroup, if that file exists. Otherwise, the default entry in /etc/group should be sufficient.
 
For more information about /etc/logingroup, please see the HP-UX system documentation.
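The precedence rule described above (/etc/logingroup, when present, overrides /etc/group for supplemental groups) is the usual explanation when an authenticated user is unexpectedly denied a group-protected resource. The script below is an added example, not part of the HP-UX or Universal Agent documentation: it resolves a user's supplemental groups from whichever file governs, and builds a constructed pair of sample files in which the two disagree. The directory holding the group files is a parameter (default /etc) so the function can be tested against the sample files; user and group names in the samples are constructed.

```shell
#!/bin/sh
# Added example (not part of the HP-UX or Universal Agent documentation):
# resolve a user's supplemental groups the way the text above describes,
# preferring /etc/logingroup over /etc/group when it exists.
# Assumption: the directory holding the group files is a parameter
# (defaults to /etc) so the logic can be exercised on constructed files.

# Print the name of the file that governs supplemental group membership.
udm_group_source() {
    etc="${1:-/etc}"
    if [ -f "$etc/logingroup" ]; then
        printf '%s\n' "$etc/logingroup"
    else
        printf '%s\n' "$etc/group"
    fi
}

# Print, one per line, the supplemental groups that list user $1 as a member.
# Group file lines have the form  name:password:gid:member1,member2,...
udm_supplemental_groups() {
    user="$1"
    src=$(udm_group_source "${2:-/etc}")
    awk -F: -v u="$user" '
        $0 !~ /^#/ && NF >= 4 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }' "$src"
}

# Build a constructed sample directory in which group and logingroup
# disagree, to demonstrate the override. All names are constructed.
udm_make_sample_etc() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
# constructed sample /etc/group
root:x:0:
staff:x:20:alice,bob
xfer:x:500:alice
EOF
    cat > "$tmp/logingroup" <<'EOF'
# constructed sample /etc/logingroup: alice keeps staff, loses xfer, gains audit
staff:x:20:alice,bob
audit:x:510:alice
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone use: list the effective supplemental groups of a user on this host.
#   sh logingroup_check.sh alice
if [ "$#" -gt 0 ]; then
    printf 'source: %s\n' "$(udm_group_source)"
    udm_supplemental_groups "$1"
fi
```

With the sample files, alice is a member of xfer according to /etc/group but not according to /etc/logingroup, so on a host where /etc/logingroup exists she would be denied a resource secured on the xfer group even though /etc/group appears to grant it. Run the stand-alone form on the affected host to see which file is in force and what it actually grants.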

Windows

For Windows, user authentication is optional. However, if security is enabled, a user name / ID and password are required in order to verify the user's credentials. With security enabled, you transfer files using a specific user's security context.