Working with the Agent Controller security feature
The following list contains hints and tips for using the
Agent Controller security feature on all platforms.
- Authentication is provided by the operating system. Only users specified at installation time are allowed to authenticate. If the user name ANY is provided, any valid user name and password pairs are forwarded to the operating system for authentication; otherwise, only listed pairs are forwarded.
- When security is enabled, the users you specified at installation time are required to authenticate with the operating system before any information can be exchanged with Agent Controller. The workbench user must provide a valid user name and password combination that is an operating system user name and password.
- (Windows only) Passwords for domain names are not authenticated. You must provide local user name and password pairs.
- There are no key management capabilities provided. Agent Controller uses Java™ keystores for security.
- A default keystore and exported certificate are in the Agent Controller directory <rac_install_dir>\security for Windows, and <rac_install_dir>/security, where <rac_install_dir> is the installation directory of Agent Controller. Replace these samples with a keystore containing meaningful certificates.
Additional security configuration for z/OS
If security is enabled in the Agent Controller configuration, then
BPX.DAEMON privileges are required for Agent Controller. Speak with
your system administrator to ensure that the Agent Controller binaries
and libraries have the appropriate privileges. The following set of
files typically requires program-control privileges (extattr +p) in
order to allow security to run:
- <RAC_INSTALL_DIR>/bin/ACServer
- <RAC_INSTALL_DIR>/bin/tptpProcessController (all files, including libTPTPUtil and libtptpCCTL)
- <RAC_INSTALL_DIR>/lib/*
- <XML_TOOLKIT_INSTALL_DIR>/xml4c-5_7/lib/* (all files)
- <JAVA_INSTALL_DIR>/jre/J6.0/bin/classic/* (all files in this directory)
- <JAVA_INSTALL_DIR>/jre/J6.0/lib/* (or, more generally, the lib directory of the JVM specified in the serviceconfig.xml file)
- <JAVA_INSTALL_DIR>/jre/J6.0/lib/s390/j9vm/* (where s390 is either s390 or 390x, for 31 or 64 bit.)
- <JAVA_INSTALL_DIR>/jre/J6.0/lib/s390/* (where s390 is either s390 or 390x, for 31 or 64 bit.)
- <JAVA_INSTALL_DIR>/jre/J6.0/lib/s390/default/* (where s390 is either s390 or 390x, for 31 or 64 bit.)
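One way to check the program-control requirement before enabling security, as an added example (not part of the original documentation or of Agent Controller): a shell function that reads z/OS UNIX `ls -E` output and lists the regular files whose `p` flag is not set. The sample listing, its owner and group names, and the `RAC_INSTALL_DIR` variable are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "ls -E" output for files that lack the
# program-control extended attribute set by "extattr +p".
# In z/OS UNIX "ls -E" output the second column holds four flags:
#   a (APF authorized), p (program controlled),
#   s (shared address space), l (shared library); unset flags show as "-".

# Reads "ls -E" lines on stdin and prints the name of every regular file
# whose p flag is not set. Exit status is 1 if any such file is found.
# Symbolic links and directories are skipped; check link targets separately.
# Assumes file names without embedded spaces.
missing_program_control() {
    awk '
        /^-/ && NF >= 10 {
            if (substr($2, 2, 1) != "p") { print $NF; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample of "ls -E" output (not captured from a real system).
sample_listing() {
    cat <<'EOF'
total 48
-rwxr-xr-x  -ps-  1 RACUSER  RACGRP   812345 Jan 10 09:15 ACServer
-rwxr-xr-x  --s-  1 RACUSER  RACGRP   401223 Jan 10 09:15 tptpProcessController
-rwxr-xr-x  -ps-  1 RACUSER  RACGRP   120034 Jan 10 09:15 libTPTPUtil
-rwxr-xr-x  --s-  1 RACUSER  RACGRP    98011 Jan 10 09:15 libtptpCCTL
EOF
}

# On z/OS the real input would come from, for example:
#   ls -E "$RAC_INSTALL_DIR/bin" | missing_program_control
# (RAC_INSTALL_DIR is a hypothetical variable holding <RAC_INSTALL_DIR>.)
sample_listing | missing_program_control \
    || echo "the files listed above still need extattr +p" >&2
```

Run the same check against each directory in the list above; a non-zero exit status makes it usable as a gate in an installation script.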