Universal Broker Security
Overview
Universal Broker is designed to be a secure system. As the level of security rises, so does the administrative complexity of the system. Universal Broker has balanced the two to avoid the administrative complexity with a minimum sacrifice to security.
Universal Broker security concerns are:
- Access to Universal Broker files, directories, and configuration options.
- Account with which Universal Broker executes.
- Privacy and integrity of transmitted network data.
File Permissions
At a minimum, only trusted user accounts should have write access to the Universal Broker installation data sets. This most likely means only the administrators should have write access. For maximum security, only trusted accounts should have read access to these data sets.
IBM i | At a minimum, limit non-trusted user accounts to object authority of use to the Universal Broker product library, UNVPRD510; the product temporary library, UNVTMP510; the command reference library, UNVCMDREF; the universal spool library, UNVSPL510; and all objects within these libraries. |
---|---|
HP NonStop | All files that the Broker creates or updates are located in either $SYSTEM.UNVLOG or $SYSTEM.UNVTRACE. The Broker does not need write access to its installation subvolume. |
UNIX | All files that the Broker creates or updates are located in the /var/opt/universal directory. This means that the Broker does not need write access to its installation directory or subdirectories. |
Windows | Universal Broker requires write access to its primary install directory (that is, .\Universal\UBroker), which serves as its default trace file location. |
z/OS | Universal Broker requires update access to its database files, which exist as HFS- or zFS-allocated datasets mounted on the z/OS Unix System Services (z/OS USS) file system. The Broker accesses HFS-allocated datasets using the UNVDB and UNVSPOOL ddnames in its STC JCL. The Broker accesses zFS-allocated datasets via its UNIX_DB_DATA_SET and UNIX_SPOOL_DATA_SET configuration options. |
Configuration Files
Only trusted user accounts should have write, create or delete access to the Broker configuration files or any of the directories in the configuration file directory search list.
Windows | Although you can edit Universal Agent configuration files with any text editor (for example, Notepad), we recommend using the Universal Configuration Manager Control Panel application set configuration options. |
---|
Universal Access Control List
Universal Broker uses the Universal Access Control List (UACL) as an extra layer of security. The UACL contains entries (that is, rules) that permit or deny access to the Universal Broker (see Universal Access Control List (UACL) for details).
Universal Broker reads the UACL entries when the program is started. If the UACL file is changed, the new entries can be activated either by:
- Stopping and starting Universal Broker.
- Sending Universal Broker a Universal Control configuration refresh request, which instructs Universal Broker to reread all of its configuration files, including the UACL file (see Configuration Refresh).
Windows | Although you can edit the UACL file with any text editor (for example, Notepad), we recommend that you maintain UACL entries using the Universal Configuration Manager Control Panel application. The Universal Configuration Manager sends a configuration refresh request to the Universal Broker. Updated values take effect immediately, making it unnecessary to recycle the Broker to apply UACL changes. |
---|
Universal Broker User Account
Each Universal Agent component that the Universal Broker spawns inherits the Broker's account credentials. Occasionally, components must perform privileged operations, such as establishing a process execution environment using a local user account's credentials.
On some platforms, this means that the Broker must execute with an account whose inherited credentials allow the spawned components to perform these operations. On other platforms, the Broker may be executed with a lesser-privileged user, provided that the components are configured in way that permits them to elevate their privileges when necessary.
The section contains platform-specific requirements to consider when setting the Broker's user account.
IBM i | Universal Broker for IBM i runs with the UNVUBR510 user profile, which is created at product installation time. Any component started by Universal Broker inherits this user profile. Removing *ALLOBJ Authority from UNVUBR510 User ProfileGiven the extensive authority allowed by *ALLOBJ special authority, it is desirable to avoid its use when possible. As of PTF 0UC0126 for V1R2M1, it is possible to remove *ALLOBJ special authority from the UNVUBR510 user profile. However, by removing *ALLOBJ from the UNVUBR510 user profile, the administrative complexity is increased.
This can be accomplished with the following command: Removing *SPLCTL Authority from UNVUBR510 User ProfileUse the following command to remove the UNVUBR510 user profile *SPLCTL authority: Removing *ALLOBJ and *SPLCTL Authorities from UNVUBR510 User ProfileUse the following command to remove all special authority from the UNVUBR510 user profile: |
---|---|
HP NonStop | Universal Broker itself does not require super.super privileges. For example, Universal Command (UCMD) Server may require super.super authority. Since the component inherits its user ID from the Broker, either the Broker must be running as super.super or the UCMD Server program must be owned by super.super and ProgID must be set for the server program file. |
UNIX | Although Universal Broker itself does not require superuser privileges, some Universal Agent server components (for example, UCMD Server and UEM Server) may require superuser authority to switch execution context to another user account, initialize group membership, or perform other privileged operations.
|
Windows | The Universal Broker Windows service can be configured to execute with the Local System account or with a specially-configured Administrative account (see Windows Service). |
z/OS | The Universal Broker started task may execute with any OMVS user ID provided that account has read access to the BPX.DAEMON, BPX.SUPERUSER, and BPX.JOBNAME resources in the FACILITY class. Note
See z/OS Configuration - Started Tasks for more information. |