setupAdapterNonRoot

Name

setupAdapterNonRoot.sh configures the end-to-end automation adapter to run with a non-root user account.

Synopsis

setupAdapterNonRoot.sh [-h] [--local] [--manage-group] [-X | --sa-admin] [-g | --group <groupName>] username

Description

The setupAdapterNonRoot command configures the SAM adapter to run with a non-root user. It adapts group ownerships and permissions, as well as RSCT security definitions. The command enables the non-root user to control and monitor the end-to-end automation adapter. The adapter handles the communication between a System Automation for Multiplatforms domain and the System Automation Application Manager end-to-end automation server.

Run the script as a user with root permissions. It performs the following tasks:

Prerequisite checking

The script checks whether a cluster exists, the automation adapter is stopped, and the user account exists. It also checks whether the specified group is the primary group of the user account.
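
A pre-flight check for the account prerequisite described above, as an added example that is not part of the product or of this reference. It separates a primary group from a mere supplementary membership; `PASSWD_FILE`, `GROUP_FILE`, the function names and the sample accounts are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of setupAdapterNonRoot.sh. It covers only the
# account prerequisites; cluster and adapter state are not checked.
# Assumption: accounts are local. PASSWD_FILE and GROUP_FILE are hypothetical
# overrides so the check can run against the constructed sample data below.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# Print the primary group name of user $1; fail if user or group is unknown.
primary_group_of() {
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$PASSWD_FILE")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { print $1; ok = 1; exit } END { exit !ok }' "$GROUP_FILE"
}

# Succeed if user $1 appears in the supplementary member list of group $2.
is_supplementary_member() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$GROUP_FILE"
}

# Return 0 if group $2 (default: sagroup) is the primary group of user $1,
# otherwise 2, mirroring the documented "prerequisites not satisfied" code.
preflight() {
    user=$1
    group=${2:-sagroup}
    if ! actual=$(primary_group_of "$user"); then
        echo "user '$user' or its primary group was not found" >&2
        return 2
    fi
    [ "$actual" = "$group" ] && return 0
    if is_supplementary_member "$user" "$group"; then
        echo "'$group' is only a supplementary group of '$user' (primary: $actual)" >&2
    else
        echo "'$group' is not the primary group of '$user' (primary: $actual)" >&2
    fi
    return 2
}

# Constructed sample account data (not from a real system), written to dir $1.
write_sample() {
    printf '%s\n' 'saoperator:x:1001:1001::/home/saoperator:/bin/sh' \
                  'samadapt:x:1002:100::/home/samadapt:/bin/sh' > "$1/passwd"
    printf '%s\n' 'users:x:100:' 'sagroup:x:1001:samadapt' > "$1/group"
}
```

For accounts served by a directory service such as LDAP or NIS, `id -gn <user>` reports the primary group where the file lookup above cannot.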

Changing group ownerships and permissions

The ownerships and permissions of several files and directories need to be changed, because they are initially created for root user access only. For more information, see Changing group ownerships and permissions.
Note: The script changes the group that owns the file /etc/ibm/tivoli/common/cfg/log.properties. This file might be used by other Tivoli products as well. If one of these products is also run with a non-root user account, ensure that the log.properties file is still readable for these products.

Setting appropriate System Automation and RSCT permissions

To allow the non-root user account samadapt to use RSCT Resource Management Control (RMC), permissions must be granted by using the /var/ct/cfg/ctrmc.acls file. For more information, see Setting appropriate System Automation and RSCT permissions.

Adapting the automation adapter configuration

The non-root user and group are added to the adapter configuration properties. For more information, see Adapting the automation adapter configuration.

Options

-h
Print this help.
-g or --group <groupName>
The name of the primary group for the specified user account.
(default: group name = sagroup)
--local
Run script only on local node. Optional, if omitted, the default is to perform changes on all cluster nodes.
--manage-group
Create the local UNIX group (if the group does not exist), add the specified user to this group, and set the group as the primary group for the user. Optional, if omitted, the default is to not make any changes to group and user.
-X or --sa-admin
Set ACL permissions for the sa_admin role. Optional, if omitted, the default is to set ACL permissions for the sa_operator role.

Security

This command requires root authority, or a user ID with appropriate permissions. For more information, see Setting up non-root user Ids for the command line interface.

Returns

  • 0 - All configurations completed successfully.
  • 1 - At least one configuration task failed. See the printed output for details.
  • 2 - Prerequisites not satisfied. See the printed output for details.

Examples

  1. Configure SA MP adapter to run with non-root user "saoperator" and group "sagroup" ("sagroup" already exists).

    Prerequisites

    User "saoperator" and group "sagroup" exist.

    "sagroup" is the primary group for user "saoperator".

    setupAdapterNonRoot.sh -g sagroup saoperator

    Result:

    Configured SA MP adapter non-root user "saoperator" on all cluster nodes.

  2. Configure SA MP adapter to run with non-root user "saoperator" and group "sagroup" ("sagroup" does not exist).

    Prerequisites

    User "saoperator" exists.

    setupAdapterNonRoot.sh --manage-group -g sagroup saoperator

    Result:

    Group "sagroup" is created on all cluster nodes.

    User "saoperator" is added to group "sagroup" on all cluster nodes.

    "sagroup" is set as primary group for user "saoperator" on all cluster nodes.

    Configured SA MP adapter non-root user "saoperator" on all cluster nodes.

  3. Remove SA MP adapter non-root user configuration.

    Prerequisites

    SA MP adapter non-root user is configured.

    AIX:

    # setupAdapterNonRoot.sh -g system root

    Linux:

    # setupAdapterNonRoot.sh -g root root

    Result:

    SA MP adapter non-root user configuration is removed on all cluster nodes.

Files

/opt/IBM/tsamp/sam/bin/setupAdapterNonRoot.sh

Location of the setupAdapterNonRoot.sh command.