Execute TUAM ewas under a non-root user
Can TUAM (Tivoli Usage Account Manager) be run as a non-root user?
Yes. The following steps allow TUAM to run as a non-root user:
1. Stop the TUAM server:
2. Change the ownership of all directories under /opt/IBM/tivoli:
chown -R virtuser /opt/IBM/tivoli/tipv2
chown -R virtuser /opt/IBM/tivoli/tipv2Components
chown -R virtuser /opt/IBM/tivoli/tcr
chown -R virtuser /opt/IBM/tivoli/tuam
3. Update the inittab's startup script:
su - virtuser -c "<existing start/stop script>"
In the file: /etc/init.d/rc.IBMTCR replace the line:
su - virtuser -c "$TCR_HOME/bin/startTCRserver.sh"
4. Start the TUAM server as virtuser using the inittab's startup script. Then reboot the TUAM image.
As a result of this procedure, the TUAM server is started as a non-root user (virtuser). This works for starting TUAM, but ONLY for starting the server.
With the steps above alone, the transfer of the metering files from the TSAM image is NOT possible, because virtuser is not authorized to connect to the TSAM image via SSH.
To complete the procedure, authorize virtuser on the TSAM image by running these steps:
1. On TUAM image as virtuser in home directory (/home/virtuser) create the .ssh directory:
2. On TUAM image as virtuser create the virtuser's key:
ssh-keygen -t rsa
- choose the default location of id_rsa file
- do not type any passphrase
There should be two new files in the /home/virtuser/.ssh directory: id_rsa and id_rsa.pub
3. On TUAM image as root copy the root's known_hosts file:
cp /root/.ssh/known_hosts /home/virtuser/.ssh/
chown virtuser /home/virtuser/.ssh/known_hosts
4. On TIVSAM image as root copy the id_rsa.pub key to TUAM image:
scp /root/.ssh/id_rsa.pub root@<hostname_of_tuam>:/tmp/
5. On TUAM image as virtuser add the copied id_rsa.pub to authorized_keys:
cat /tmp/id_rsa.pub >> /home/virtuser/.ssh/authorized_keys
6. On TUAM image copy the virtuser's id_rsa.pub file to TSAM image:
scp /home/virtuser/.ssh/id_rsa.pub root@<hostname_of_TSAM>:/tmp/
7. On TIVSAM image as root add the copied key to authorized_keys:
cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys
8. In TUAM TIP portal go to Task Management > Job Runner > Job Files and in the file: FileTransferSSH.xml change the line:
Save the file.
9. Reboot the TUAM image.
10. To verify that this works, on the TUAM image as virtuser, try to connect to the TIVSAM image via ssh:
You should be logged in immediately, without being asked for the password or to accept the RSA key.
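A check to run once the steps above are done, as an added example that is not part of the original technote: step 2 creates id_rsa without a passphrase, so ownership and file modes under /home/virtuser/.ssh are the only protection for that key, and step 3 copies a root-owned file into the same directory. The function names check_mode and audit_ssh_dir are hypothetical, and the script assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example: audit the SSH files that the procedure creates for virtuser.
# Function names and messages are illustrative; requires GNU stat.

# check_mode FILE MASK NOTE: report FILE if any permission bit in MASK is set.
check_mode() {
    [ -e "$1" ] || return 0              # absent files are skipped
    mode=$(stat -c '%a' "$1")
    if [ $(( 0$mode & 0$2 )) -ne 0 ]; then
        echo "FINDING: $1 has mode $mode ($3)"
        return 1
    fi
    return 0
}

# audit_ssh_dir DIR [OWNER]: prints findings, returns the number of findings.
audit_ssh_dir() {
    dir=$1; owner=${2:-}; findings=0
    [ -d "$dir" ] || { echo "FINDING: $dir is missing"; return 1; }
    check_mode "$dir" 077 "should be 700" || findings=$((findings + 1))
    # The ssh client refuses a private key that group or others can access.
    check_mode "$dir/id_rsa" 077 "private key accessible by others" \
        || findings=$((findings + 1))
    # sshd with StrictModes ignores key files writable by group or others.
    check_mode "$dir/authorized_keys" 022 "writable by group/other" \
        || findings=$((findings + 1))
    check_mode "$dir/known_hosts" 022 "writable by group/other" \
        || findings=$((findings + 1))
    if [ -n "$owner" ]; then
        # Step 3 copies known_hosts as root; confirm the chown took effect.
        for f in "$dir" "$dir/id_rsa" "$dir/authorized_keys" "$dir/known_hosts"; do
            [ -e "$f" ] || continue
            actual=$(stat -c '%U' "$f")
            if [ "$actual" != "$owner" ]; then
                echo "FINDING: $f is owned by $actual, expected $owner"
                findings=$((findings + 1))
            fi
        done
    fi
    return "$findings"
}
# Usage on the TUAM image: audit_ssh_dir /home/virtuser/.ssh virtuser
```

A non-zero return value is the number of findings; each one is printed with the file and its current mode or owner.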