Users Accounts Passwords Security

LeasePak Users

• Users
• User Accounts
• Passwords
• Security

 

Users

Following are the descriptions of the users (other than root) required for LeasePak installation, configuration, and use.

Database Software Administrator

Default oracle or sybase. Performs installation and configration functions for the database server software. You must create a separate Unix/Linux group to go with this user.

DBMS Server Administrator

Default srvadm. Performs the functions of either sysdba (for Oracle) or sa (for Sybase) to administrate the database server, individual databases/schemas, and users.

LeasePak Administrative User

Although you can assign this role to the MSI release administrator (msiadmin), msiadmin can no longer change its own environment (or the environment of msidba) by using change_env, so MSI recommends creating a separate user, such as lpadmin. Performs software administration tasks such as adding new LeasePak users into the Security [U0706] update, submitting batch files, running End of Period, and using programs from $uexe/lpautil.exe.exe. Set up the lpadmin as part of the initial installation and configuration of LeasePak. You can also create a separate LeasePak administrative user for each environment.

LeasePak Client User(s)

LeasePak Users with client string passwords allowing them to log on the LeasePak client, but, in most cases, no access to the server or DBMS. They may have access to both LeasePak updates and reports, or LeasePak reports only. Level and type of privileges will depend on the individual user's assigned tasks and responsibilities.

MSI Database Administrator

Default msidba. Performs tasks and runs scripts related to the configuration and administration of LeasePak databases, including db_create, db_add_login, and db_add_user.

MSI Release Administrator

Default msiadmin. Performs tasks and runs scripts related to the configuration and administration of the LeasePak server software, including Sector7 configuration and setup_new_env.

 

User Accounts

Overview

The following table illustrates which accounts you will need to set up for the various types of users.

User	Default	Default Group	Unix/Linux Account	DBMS Account	LeasePak Account
database software administrator	(oracle or sybase)	(oracle or sybase)	yes
DBMS server administrator	srvadm	N/A		(see below)
LeasePak administrative user	lpadmin	msi	yes	yes	yes
LeasePak client user(s)	(various)	msi	yes	yes	yes
MSI database administrator	msidba	msi	yes
MSI release administrator	msiadmin	msi	yes

 

DBMS administrative user (srvadm)

Do not create a Unix/Linux or DBMS account for this user. The LeasePak server setup program prompts for a new user name (default is srvadm) and password, then uses these to create either a login in Sybase and grant it sa privileges, or create an Oracle schema (using a default tablespace) and grant it sysdba privileges. Normally only the msiadmin and msidba users know the srvadm password.

 

LeasePak Environment Startup Files

The LeasePak environment files .lplogin and .lpprofile only need to be incorporated into the startup files of users who perform LeasePak-related tasks requiring direct access to the LeasePak server. These users typically include msiadmin and msidba, whose startup files should always point them to the administrative environment (adm_*), and lpadmin, but can also include other users as needed.

 

 

Passwords

LeasePak Client

When Leasepak administrative, updates, or reports users log on the LeasePak client, the password (called the client string) they use is passed through and translated into the actual three passwords required to connect to the LeasePak server--a network password, a server OS password, and a password for the DBMS. The algorithm translating the client string always produces the same output--that is, "string" always translates to "yihnx8" and "tjgui3." MSI does not recommend using the word "string" for an actual client string.

Users logging on the LeasePak Client only know their client string unless they are explicitly given the server or DBMS password separately. Normally, only LeasePak administrative users (such as lpadmin) know their passwords for logging on the LeasePak server and DBMS server.

Password Configuration

This password system depends on setting up the users' LeasePak server and DBMS accounts using passwords that match the translations of the client string. The following is an overview of the steps for adding a new LeasePak client user

1. Select an initial user name and client string. The LeasePak client user can change the client string (and the translated passwords with it) later through the LeasePak client Change Password option
2. Use $uexe/lpautil.exe 112 to determine the translated server and DBMS server passwords based on the client string
3. Create server and DBMS server accounts for the LeasePak user with the correct translated passwords
4. Add the user to the appropriate LeasePak database(s)/tablespace(s)
5. Log on the LeasePak client as the LeasePak administrative user (lpadmin)
6. Use the LeasePak Security [U0706] update to add the user to the LeasePak security table (rsc).

Do not use $uexe/lpautil.exe 108 to add any user to the LeasePak security table other than the LeasePak administrative user. The $uexe/lpautil.exe 108 function provides no control in how the user is added to LeasePak security, and the LeasePak administrative user must still log on the LeasePak client in order to correctly configure a user's security.

User Names

Create user names in compliance with your company's security guidelines. Use the same user name when setting up the server and DBMS accounts.

Client Strings

Create client strings in compliance with your company's security guidelines. Client strings must be 6 to 8 characters long and all lowercase.

Translating Passwords

Use $uexe/lpautil.exe 112 to translate the client string

1. Log on the LeasePak server as msiadmin or lpadmin

   Terminal emulation: you must use one of the supported terminal types. Refer to the Terminal Emulation section of the document System Requirements for more information.

2. Type $uexe/lpautil.exe 112 and press Enter The terminal will prompt

   This Utility option may be used to translate a Client password 
   into the equivalent Unix and SQL Server passwords.
   
   Do you wish to continue (Y/N)? 
   

   Type y and press Enter.

3. The utility will prompt for the client string

   Unix and SQL Server password translation utility
   
   Instructions: Enter the Client password. The equivalent Unix and SQL Server passwords will be displayed.
   
   Enter the Client string, <RETURN> to exit: 
   

   Type the selected client string and press Enter. If type password as the client string, the terminal will display

   Client string: password
   SQL Server string: rkqcguh4
   Unix string: rrchglt1
   

   MSI does not recommend using the word "password" as an actual client string.

4. The utility will prompt for another client string

   Enter the Client string, <RETURN> to exit:

   Press Enter to exit the utility.

You can create a text file to translate several client strings at once

1. Log on the LeasePak server as msiadmin or lpadmin.
2. In your home directory, use cat, vi, or other means to create a text file password.in

   y
   passwd1
   passwd2
   passwd3
   passwd4
   
   

   The last line of the file must be a blank line (newline character).

3. Run $uexe/lpautil.exe 112 with input and output files

   $uexe/lpautil.exe 112 < password.in > password.out

4. Use cat, vi, or other means to view the file

   This Utility option may be used to translate a Client password 
   into the equivalent Unix and SQL Server passwords.
   
   Do you wish to continue (Y/N)? y
   
   
   Unix and SQL Server password translation utility
   
   Instructions: Enter the Client password. The equivalent Unix and SQL Server passwords will be displayed.
   Enter the Client string, <RETURN> to exit: 
   Client string: passwd1
   SQL Server string: kudejz2
   Unix string: stpjvq0
   
   Enter the Client string, <RETURN> to exit: 
   Client string: passwd2
   SQL Server string: aodmbd9
   Unix string: drczoy0
   
   Enter the Client string, <RETURN> to exit: 
   Client string: passwd3
   SQL Server string: qiduth2
   Unix string: cjpvty4
   
   Enter the Client string, <RETURN> to exit: 
   Client string: passwd4
   SQL Server string: kedahf9
   Unix string: bfcfsq2
   

   (etc.)

   MSI does not recommend using any of the above client string examples as actual client strings.

Server Accounts

Follow the appropriate instructions for your OS platform to add a LeasePak user acount with the translated password. Make the LeasePak group msi the primary group for the user, and ensure that the user can write to the $HOME directory. If you assign a user's UID number manually, do not use a number greater than 32757. Contact your MSI representative for more information.

Adding LeasePak users: make msi the group for all LeasePak users, but do not add users to the msi line of the /etc/group file. Having all LeasePak users listed on this line will cause fatal errors during the LeasePak installation.

Multiple concurrent versions: if you are running more than one version of LeasePak on the same server, be sure to use the appropriate startup files (such as .lplogin and .lpprofile) with the MSI release administrator for the version you are working in. MSI strongly recommends that you set up separate, version-specific MSI release administrator users for this situation.

DBMS Accounts

Use the LeasePak script db_add_login to create an account on your DBMS server

1. Log on the server as msidba

   Terminal emulation: you must use one of the supported terminal types. Refer to the Terminal Emulation section of the document System Requirements for more information.

2. Run the db_add_login script

   db_add_login dbms-type new-login-name [new-login-password [srvadm-password]]

   where dbms-type is either ora for Oracle or syb for Sybase, new-login-name is the same user name as the server account, new-login-password is the corresponding translated password, and srvadm-password is the password for the srvadm user.

You can create a script to add several DBMS users at once

1. Log on the LeasePak server as msiadmin or lpadmin.
2. In your home directory, use cat, vi, or other means to create the file my_add_login

   db_add_login dbms-type msitest1 kudejz2 srvadm-password
   db_add_login dbms-type msitest2 aodmbd9 srvadm-password
   db_add_login dbms-type msitest3 qiduth2 srvadm-password
   db_add_login dbms-type msitest4 kedahf9 srvadm-password
   

3. Run the script
   1. for Korn/Bourne/HP-UX Posix shell (sh) users, type sh my_add_login and press Enter
   2. for C shell (csh) users, type csh -c my_add_login and press Enter

   MSI does not recommend using any of the above user names or passwords as actual user names and passwords.

Database Permissions

Use the LeasePak script db_add_user to grant permissions to a specific LeasePak environment and database

1. Log on the server as msidba

   Terminal emulation: you must use one of the supported terminal types. Refer to the Terminal Emulation section of the document System Requirements for more information.

2. Run the db_add_user script

   db_add_user environment-name legal-DBMS-user msi-access-group dbo-password

   where environment-name is the specific LeasePak environment, legal-DBMS-user is the user's DBMS account user name, msi-access-group is either msi for normal read/write permissions or msir for read-only permissions, and dbo-password is the password for the dbo of the specific database (as specified during db_create.

You can create a script to add several DBMS users at once

1. Log on the LeasePak server as msiadmin or lpadmin.
2. In your home directory, use cat, vi, or other means to create the file my_add_user

   db_add_user environment-name msitest1 msi dbo-password
   db_add_user environment-name msitest2 msi dbo-password
   db_add_user environment-name msitest3 msir dbo-password
   db_add_user environment-name msitest4 msi dbo-password
   

   The user msitest3 is a reports user and will have read-only permissions for this database.

3. Run the script
   1. for Korn/Bourne/HP-UX Posix shell (sh) users, type sh my_add_user and press Enter
   2. for C shell (csh) users, type csh -c my_add_user and press Enter

   MSI does not recommend using any of the above user names as actual user names.

LeasePak Security Records

Do not use $uexe/lpautil.exe 108 to add any user to the LeasePak security table other than the LeasePak administrative user. The $uexe/lpautil.exe 108 function provides no control in how the user is added to LeasePak security, and the LeasePak administrative user must still log on the LeasePak client in order to correctly configure a user's security.

 

 

Security

LeasePak Server

On the LeasePak server, the root user controls security by determining

• which users have server (OS) accounts
• which users are members of the LeasePak user group (msi).

The users msiadmin and msidba control security by determing

• which users have DBMS accounts
• which environments/databases users have permissions for
• what type of database permissions users have (read/write msi or read-only msir)
• which LeasePak client users have explicit access to their server and DBMS account passwords, as well as the various dbo passwords and the password for srvadm (root may also control this).

The following table illustrates typical password access for the various types of users:

	Explicit Password Access by Account or Type
	Client String	Server	DBMS	srvadm	dbo
msiadmin		yes
msidba		yes	yes	yes	yes
lpadmin	yes	yes	yes		yes
LP client user	yes

 

LeasePak Client

On the LeasePak client, The lpadmin user or other administrator controls the privileges of other users through the Security [U0706] update. This update configures the security records for users within a specific LeasePak environment/database--that is, each database in LeasePak contains its own distinct security table and set of records. An administrative user for one LeasePak environment/database will not have access to any other unless msiadmin gives them access to the environment and msidba grants them access to the database.

Once lpadmin sets a LeasePak client user up with an initial client string password, the user can change the client string (and the corresponding translated passwords) by using Change Password in the LeasePak Options menu. Using Change Password does not reveal the server or DBMS password to the LeasePak client user.

For more information about changing passwords on the LeasePak client, refer to the document LeasePak Basics. For more information about LeasePak client security, refer to the document Security [U0706].

 

 

LeasePak  System Administration Guide

©  by McCue Systems Incorporated. All rights reserved.

The information contained in this document is the property of McCue Systems, Inc. Use of the information contained herein is restricted. Conditions of use are subject to change without notice. McCue Systems, Inc. assumes no liability for any inaccuracy that may appear in this document; the contents of this document do not constitute a promise or warranty. The software described in this document is furnished under license and may be used or copied only in accordance with the terms of said license. Unauthorized use, alteration, or reproduction of this document without the written consent of McCue Systems, Inc. is prohibited.