Running the non-root user adapter setup script

Run the script setupAdapterNonRoot.sh for the remaining actions for the non-root adapter setup.

The script is in directory /opt/IBM/tsamp/sam/bin. Before you run the script, the following conditions must be met:
  • If you upgrade System Automation for Multiplatforms from a version lower than 4.1 to version 4.1, all nodes in the cluster are upgraded to the new version, the cluster migration is complete, and the command samctrl -m has run successfully.
  • The adapter is stopped.
  • With System Automation for Multiplatforms version 4.1.0.3 or lower, ensure that the manual steps described in Setting up security for specific operating systems have been completed successfully.
  • The System Automation cluster is defined, but it is not required to stop the cluster. The setup steps do not interfere with cluster operations.
Run script setupAdapterNonRoot.sh on all cluster nodes.
Different versions of this script ship with different product versions, and they differ in required prerequisites and functionality. The following usage information and sample output apply to the script that is included with System Automation for Multiplatforms 4.1.0.0 through version 4.1.0.3:

Name
setupAdapterNonRoot.sh  - configures end-to-end automation adapter to run with a non-root user account

Synopsis
      setupAdapterNonRoot.sh [-x] userName [groupName]

Description
      Script to configure the end-to-end automation adapter to run with a non-root user account.
      It adapts group ownerships and permissions, as well as RSCT security definitions.

Options
      -x  Set ACL permissions for the sa_admin role. Optional; if omitted, the default is to set ACL
          permissions for the sa_operator role.

Parameters
      userName  - the name of the user account that the adapter should run as
      groupName - the name of the primary group of the adapter user account

Exit Codes
      0 all configurations completed successfully
      1 at least one configuration task failed - see print out for details
      2 prerequisites not satisfied - see print out for details
Run the script as a user with root permissions:
Prerequisite checking
The script checks that a cluster exists, that the automation adapter is stopped, and that the user account exists. It also checks that the specified group is the primary group of the user account.
Changing group ownerships and permissions
Several files and directory ownerships and permissions need to be changed, because they are initially created for root user access only. For more information, see Changing group ownerships and permissions.
Note: The script changes the group that owns the file /etc/ibm/tivoli/common/cfg/log.properties. This file might be used by other Tivoli products as well. If one of these products also runs with a non-root user account, ensure that the log.properties file is still readable for these products.
Setting appropriate System Automation and RSCT permissions
To allow the non-root user account samadapt to use RSCT Resource Management Control (RMC), permissions must be granted by using the /var/ct/cfg/ctrmc.acls file. For more information, see Setting appropriate System Automation and RSCT permissions.
Adapting the automation adapter configuration
The non-root user and group are added to the adapter configuration properties. For more information, see Adapting the automation adapter configuration.
Sample output:
root@p6sa13 /opt/IBM/tsamp/sam/bin# ./setupAdapterNonRoot.sh -x samadapt
--------------------------------------------------------------------------------
Checking userid samadapt.
Group not set as parameter. Retrieving the primary group for user samadapt.
--------------------------------------------------------------------------------
Checking group sagroup for userid samadapt.
User account samadapt and group sagroup verified successfully. Continuing...
--------------------------------------------------------------------------------
Checking whether a Peer Domain exists  ...
Peer domain exists. Continuing ...
--------------------------------------------------------------------------------
Checking whether adapter exists and is offline ...
samadapter is not running.
Adapter exists and is offline. Continuing ...
--------------------------------------------------------------------------------
Checking for a previous non-root adapter setup ...
--------------------------------------------------------------------------------
Change various permissions. Press enter to continue ...

PolicyPool is /etc/opt/IBM/tsamp/sam/policyPool
Tivoli Common Directory is /var/ibm/tivoli/common
KeyStore not set.
TrustStore not set.
----------------------------------------------------------------------------------------
Replacing the DEFAULT stanza in file /var/ct/cfg/ctrmc.acls. Press enter to continue ...

Adding the following entires to the DEFAULT Stanza of /var/ct/cfg/ctrmc.acls
DEFAULT
   samadapt@0xc3d084925f78e253   *   rw
----------------------------------------------------------------------------------------
The command 'refresh -s ctrmc' will now be issued. Press enter to continue ...

0513-095 The request for subsystem refresh was completed successfully.
----------------------------------------------------------------------------------------
Adapting the file sam.adapter.properties
 Press enter to continue ...

Replacing lines in property file
----------------------------------------------------------------------------------------
All configurations have been completed successfully.
Run this script, including user account and group preparations on all nodes of the cluster.
If this was the last node of the cluster where you ran the script, you may now start the adapter.
The following usage information and sample output apply to the script that is included with System Automation for Multiplatforms version 4.1.0.4 and higher:
Synopsis:
   setupAdapterNonRoot.sh [-h] [--local] [--manage-group]
                          [-x|--sa-admin] [-g|--group <groupName>]
                          userName

Description
  Script to configure the end-to-end automation adapter to run with a non-root user account.
  It adapts group ownerships and permissions, as well as RSCT security definitions.

Parameters
  userName - the name of the user account that is used to start the adapter.

Exit Codes
  0 all configurations completed successfully
  1 at least one configuration task failed
  2 prerequisites not satisfied

Options:
  -h                        Print this help.
  -g or --group <groupName> The name of the primary group for the specified user account. (default: group name = sagroup)
  --local                   Run script only on local node. Optional; if omitted, the default is to perform changes on all cluster nodes.
  --manage-group            Create local UNIX group (if group does not exist) and add specified user to this group.
                            Set group as primary group for the user. If omitted, the default is to not make any changes to group and user.
  -x or --sa-admin          Set ACL permissions for the sa_admin role. Optional; if omitted, the default is to set ACL permissions for the sa_operator role.
Run the script as a user with root permissions:
Prerequisite checking
The script checks that a cluster exists, that the automation adapter is stopped, and that the user account exists. It also checks that the specified group is the primary group of the user account.
Changing group ownerships and permissions
Several files and directory ownerships and permissions need to be changed, because they are initially created for root user access only. For more information, see Changing group ownerships and permissions.
Note: The script changes the group that owns the file /etc/ibm/tivoli/common/cfg/log.properties. This file might be used by other Tivoli products as well. If one of these products also runs with a non-root user account, ensure that the log.properties file is still readable for these products.
Setting appropriate System Automation and RSCT permissions
To allow the non-root user account samadapt to use RSCT Resource Management Control (RMC), permissions must be granted by using the /var/ct/cfg/ctrmc.acls file. For more information, see Setting appropriate System Automation and RSCT permissions.
Adapting the automation adapter configuration
The non-root user and group are added to the adapter configuration properties. For more information, see Adapting the automation adapter configuration.
Usage Examples
  1) Configure SA MP adapter to run with non-root user "saoperator" and group "sagroup"
      ("sagroup" already exists).
     Prerequisites:
     - User "saoperator" and group "sagroup" exist.
     - "sagroup" is the primary group for user "saoperator"

     Setup adapter non-root:
     # setupAdapterNonRoot.sh -g sagroup saoperator
     Result:
     - Configured SA MP adapter non-root user "saoperator" on all cluster nodes

  2) Configure SA MP adapter to run with non-root user "saoperator" and group "sagroup"
      ("sagroup" does not exist).
     Prerequisites:
     - User "saoperator" exists.
     Setup adapter non-root:
     # setupAdapterNonRoot.sh --manage-group -g sagroup saoperator
     Result:
     - Group "sagroup" is created on all cluster nodes
     - User "saoperator" is added to group "sagroup" on all cluster nodes
     - "sagroup" is set as primary group for user "saoperator" on all cluster nodes
     - Configured SA MP adapter non-root user "saoperator" on all cluster nodes
  3) Remove SA MP adapter non-root user configuration
     Prerequisites:
     - SA MP adapter non-root user is configured
     Remove adapter non-root setup:
     AIX:
     # setupAdapterNonRoot.sh -g system root
     Linux:
     # setupAdapterNonRoot.sh -g root root
     Result:
     - SA MP adapter non-root user configuration is removed on all cluster nodes
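The following read-only verification pass covers the prerequisite check and the two results that both script versions described above leave behind: the primary group of the adapter user, the rw entry for that user in the DEFAULT stanza of the ctrmc.acls file, and group readability of a file whose group the script changed, such as log.properties. It is an added example and not part of the setupAdapterNonRoot.sh script or the product. It assumes the stanza layout shown in the sample output (an unindented stanza name followed by indented "user@node  resourceclass  permissions" entries); the ACL file path, the file to check, and the user and group are parameters, and the ACL text used by the demo is a constructed sample.

```shell
#!/bin/sh
# Added verification example, not part of the IBM setupAdapterNonRoot.sh script.
# It only reads. It checks the prerequisite the script enforces (the group is the
# user's primary group) and two results the script leaves behind: an rw entry for
# the adapter user in the DEFAULT stanza of the ctrmc.acls file, and group
# readability of a file whose group the script changed (such as log.properties).
# File paths, user and group are parameters; the ACL text used by the demo is a
# constructed sample modelled on the DEFAULT stanza shown in the sample output.

# user_primary_group_is USER GROUP
# Returns 0 if GROUP is the primary group of USER (what the script's prerequisite
# check verifies), 1 if it is not or if the user does not exist.
user_primary_group_is() {
    actual=$(id -gn "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# acl_has_rw_entry ACLFILE USER
# Returns 0 if the DEFAULT stanza of ACLFILE contains "USER@<node>  *  rw",
# 1 otherwise. A stanza starts with an unindented name and runs until the next
# unindented line; entries in other stanzas, comments and blank lines are ignored.
acl_has_rw_entry() {
    awk -v user="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ { in_default = ($1 == "DEFAULT"); next }
        in_default && NF == 3 {
            split($1, id, "@")
            if (id[1] == user && $2 == "*" && $3 == "rw") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# file_group_readable FILE GROUP
# Returns 0 if FILE is owned by GROUP and its group read bit is set. Parses
# "ls -ld" because stat(1) options differ between AIX and Linux.
file_group_readable() {
    listing=$(ls -ld "$1" 2>/dev/null) || return 1
    perms=$(printf '%s\n' "$listing" | awk '{print $1}')
    grp=$(printf '%s\n' "$listing" | awk '{print $4}')
    [ "$grp" = "$2" ] || return 1
    case "$perms" in
        ????r*) return 0 ;;   # character 5 of the mode string is the group read bit
        *)      return 1 ;;
    esac
}

# write_sample_acl PATH
# Writes a constructed ctrmc.acls-style file for the demo (not a real system file).
write_sample_acl() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on the DEFAULT stanza in the sample output
DEFAULT
   root@LOCALHOST                 *   rw
   samadapt@0xc3d084925f78e253    *   rw
OTHER_STANZA
   someone@LOCALHOST              *   r
EOF
}

# Demo against constructed files in a temporary directory.
demo_dir=$(mktemp -d) || exit 1
write_sample_acl "$demo_dir/ctrmc.acls"
: > "$demo_dir/log.properties"
chmod 640 "$demo_dir/log.properties"
demo_group=$(id -gn)

if acl_has_rw_entry "$demo_dir/ctrmc.acls" samadapt; then
    echo "OK: samadapt has an rw entry in the DEFAULT stanza"
else
    echo "MISSING: no rw entry for samadapt in the DEFAULT stanza"
fi
if acl_has_rw_entry "$demo_dir/ctrmc.acls" someone; then
    echo "UNEXPECTED: someone matched although its entry is outside DEFAULT"
else
    echo "OK: entry for someone in another stanza is not counted"
fi
if file_group_readable "$demo_dir/log.properties" "$demo_group"; then
    echo "OK: log.properties is readable by group $demo_group"
else
    echo "PROBLEM: log.properties is not readable by group $demo_group"
fi
rm -rf "$demo_dir"
```

On a real node, call the three functions with /var/ct/cfg/ctrmc.acls, /etc/ibm/tivoli/common/cfg/log.properties, and the adapter user and group you passed to setupAdapterNonRoot.sh; run it on every cluster node, since the script must have been run on each of them.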