Universal Command Server Security

File Permissions

Only trusted user accounts should have write permission to the Universal Command (UCMD) Server installation directory, subdirectories, and all files within them.
 

IBM i

Only administrator accounts should have write permission to the UCMD Server product library, UNVPRD510; the command reference library, UNVCMDREF; the universal spool library, UNVSPL510 and all objects within these libraries. For maximum security, only trusted accounts (administrators and the UNVUBR510 profile) should have management, existence, alter, add, update, and delete authority to these objects. As a reminder, the system value QCRTAUT controls public access authority to created objects unless overridden by specific commands.
 
Other than users authorized to use Universal Agent components, the same applies to the product temporary library, UNVTMP510.

Windows

Only trusted user accounts should have write permission to the UCMD Server installation directory and subdirectories, and all of the files within them. This most likely means only the administrator group should have write access. Eligible users of Universal Command require read access to the message catalogs (*.umc files) in the nls subdirectory of the Universal Agent installation directory.
 
All eligible users of UCMD require permission to create directories in the UCMD Server working directory, if security is activated. A directory named after the user ID requesting the command is created for each user. The directory is created while impersonating the user; hence, it's created using the user's security account.
 
Home directories are created with permissions giving the user full control of both the directory and the files within the directory.

z/OS

Only trusted user accounts should have write permission to the UCMD Server installation data sets. No general user access is required.

Configuration Files

Only trusted user accounts should have write access to the UCMD Server configuration files.
 

Windows

Although you may edit configuration files with any text editor (for example, Notepad), we recommend that you manage configuration options using the Universal Configuration Manager Control Panel application. Only user accounts in the Administrator group may execute the Universal Configuration Manager.

Universal Command Server User ID


UNIX

UCMD Server requires read access to its installation directory and its working directory (defined in the component definition). If user security is activated, the Server requires root access to create processes that execute with another user's identity. The Server security identity is inherited from the Broker. If the Broker is running with a non-root user ID, then the Server program must have the set user ID on execution permission set and root as owner. See Universal Message Translator for details.

z/OS

UCMD Server for z/OS requires read access to its installation data sets and its HFS working directory (defined in the component definition).

Universal Command Server User Profile


IBM i

If user security is activated, the UCMD Server for IBM i requires, by default, *ALLOBJ authority to change user profiles. Unless modifications are made (as described in Removing *ALLOBJ Authority from UNVUBR510 User Profile in the IBM i section of Universal Broker User Account in Universal Broker Security), the Server user profile, which is inherited from the Broker, requires *ALLOBJ authority.

User Authentication

User authentication is the process of verifying that a user is a known and valid user. The process used by UCMD Server requires the user to provide an operating system-specific user name / ID and a password. The UCMD Server passes the name / ID and password to the operating system for verification; this is referred to as logging on the user.
 

Windows

Windows provides two primary types of log on processes: batch and interactive. A user must be given the right to log on as a batch job for them to do a batch log on. All users can do an interactive log on. See the LOGON_METHOD option for more details.

UNIX

Universal Command can use three different types of user authentication methods:

  1. Default authentication uses the UNIX traditional password comparison method.
  2. PAM authentication uses the PAM API to authenticate users and, optionally, process session modules. This option is available only for certain UNIX platforms.
  3. HP-UX Trusted Security uses HP-UX Trust Security APIs to authenticate users. This is available only on Hewlett Packard HP-UX and Tru64 platforms.

HP-UX 11.00 and later

By default, supplemental group memberships are recorded in the /etc/group file. However, if an /etc/logingroup file exists, it governs all supplemental group memberships and effectively overrides the entries in /etc/group.
 

Note

/etc/logingroup is not required to record supplemental group membership. If /etc/logingroup does not exist, /etc/group is sufficient to record the groups in which a user belongs.

 
If any Universal Agent component fails to access system resources that are secured based on supplemental group membership, make sure that the authenticated user has an entry in /etc/logingroup, if that file exists. Otherwise, the default entry in /etc/group should be sufficient.
 
For more information about /etc/logingroup, please see the HP-UX system documentation.

IBM i

If the user name and password are successfully validated by the operating system, the Initiator program (UCMSINIT) changes the current user profile to the user profile of the user ID.

Command References

A command reference is file, residing on a Universal Command (UCMD) Server system, which contains a pre-defined command or script to be executed upon request of a Universal Command Manager.

When used with Universal Access Control List (UACL) entries, command references allow UCMD administrators to restrict what commands and processes can be executed by remote UCMD Managers.

For more information, see Universal Command - Command References.