| Sun Mainframe Transaction Processing Software Release Notes for AIX Platforms |    
|
| Sun Mainframe Transaction Processing Software Release Notes for AIX Platforms |
|
| C H A P T E R 5 |
|
Other Components |
This chapter briefly describes changes to some of the components that you can run with the Sun MTP software:
Because these components are separate from Sun MTP, check the SunSolve web site at http://sunsolve.sun.com on a regular basis for any patches that are available, and apply the recommended patches.
For AIX platforms, all software components are packaged as tar files, rather than zip files. When following the instructions in the documentation for installing any of these software packages, make sure to use the tar command with the appropriate options.
A new environment variable is available for configuring the properties of the Java virtual machine (JVM
) used by the unikixadmin daemon. The tuning options described in this section apply to very large Sun MTP configurations.
In certain cases, it might be necessary to define properties to the JVM used by the unikixadmin daemon. Typically, this occurs when the administration framework is enabled for a large Sun MTP configuration. A large configuration is defined as one consisting of several thousand resources, such as 5,000 programs or maps and 10,000 endpoints.
If you must configure the JVM to support a large overhead, use the ADMIN_JVM_OPTIONS environment variable to propagate options to the JVM instance created by unikixadmin. JVM command-line options normally supplied as part of the java command can be specified by means of the ADMIN_JVM_OPTIONS environment variable. Include this environment setting in your region's setup file. If you are using multiple options, separate them with a space. Each option must be enclosed in single quotes.
For example, to increase the size of the memory space used to hold Java objects, you must define the size of the Java heap using the '-Xmsn' and '-Xmxn' options. For example, if the size of the Java object pool must be increased to a maximum of 512 Mbytes, set the ADMIN_JVM_OPTIONS environment variable as follows:
The unikixadmin daemon maintains a cache representing the Sun MTP resources under management. By default, the cache has a life span of one second. After the cache life span has expired, the cache is considered to be stale and a subsequent request for data results in a cache refresh. In large configurations, the cost of performing the cache refresh might be expensive. In this case, it is a good idea to increase the life span of the cache. Determine the cache life span in the following way:
1. Calculate the total number of resources in the region (maps, programs, terminals, transactions, and so on).
2. Round up the figure to the next multiple of 5,000.
3. Use one second for each 5,000 resources.
For example, if the region has 2,000 programs and maps and 5,000 terminals, set the cache life span to a value of two seconds. To set the cache life span, use the cache_lifespan property of the JVM in the ADMIN_JVM_OPTIONS environment variable as follows:
Important changes have been made to Sun MSF since it was first released. Read the information in this section carefully to make sure you properly configure the software.
The SecurityServer command no longer requires that you type the user name and password on the command line. It prompts for the required user name and password.
An example of the computer-user dialog is as follows:
A VERSION file is part of the Sun MSF package. It is installed in the $EMPSECURITY directory.
A new property, com.sun.emp.security.hostPrincipal, has been added to the MSFconfig.properties file. This property specifies the Java class that provides the platform-specific Principal implementation representing a UNIX user ID. With this release, Sun MSF is supported on AIX platforms, as well as Solaris. The default setting on AIX platforms for this property is as follows:
|
As a result of some internal changes to Sun MSF, the following property in the MSFConfig.properties file is no longer used:
com.sun.emp.security.adapterBrand
If the property is configured, it is treated as a comment.
A file named java.security is installed in the lib directory of the Sun MSF installation ($EMPSECURITY/lib/java.security). It contains values required for Sun MSF and can reduce the chance of introducing errors when editing the java.policy and java.security files.
1. Append the contents of the $EMPSECURITY/lib java.security file, which contains values required for Sun MSF, to the java.security file located in the
Java-home/lib/security directory.
2. To ensure that security is enforced by disabling a command-line override of the security policy set in the java.policy file, the following option has been set in the $EMPSECURITY/lib/java.security file. If that option is not appropriate in your environment, delete that line.
policy.allowSystemProperty=false
The directions in the Sun Mainframe Transaction Processing Software Administrator's Guide for updating the java.policy file have been changed as follows:
Append the contents of the $EMPSECURITY/lib/java.policy file, which contains Sun MSF-specific entries, to the java.policy file located in the
Java-home/lib/security directory.
Ignore any references to the jaas.policy file in the Sun MSF chapter of the Sun Mainframe Transaction Processing Software Administrator's Guide.
Ignore any references to the jaasmod.jar file in the Sun MSF chapter of the Sun Mainframe Transaction Processing Software Administrator's Guide.
The Sun MSF security repository must contain Sun MTP resources, as well as your application's resources. To make it easier for you to load the Sun MTP resources into the repository, a template file is installed in the $EMPSECURITY/test directory. This file, suppliedLoadFile.txt, contains the commands to create the resources, create the resource domains, add the resources to their respective domains, and add role permissions. You can use this template as is, or you can modify it to match the role and resource domain names that your environment uses. Make a backup of the original file before you modify it. Refer to the README.doc file in the $EMPSECURITY/test directory for more information.
Sun MSF has been enhanced with a new snapshot utility that collects the Sun MSF configuration and log files into a compressed file that can be transmitted by means of ftp or email to another location for analysis. The utility is named msfsnap and is located in the $EMPSECURITY/bin directory of the Sun MSF installation.
msfsnap [-d directory] [-u userid]
The snapshot is packaged as a compressed file in the specified directory in one of the following formats, depending on the compression utility it finds on your system:
This file must be uncompressed into its component files for analysis.
Example 1: Write the snapshot to the /tmp directory without security server statistics:
Example 2: Write the snapshot to the /tmp directory and include security server statistics. In this example, the administrator's ID is admin1.
Example 3: Write the snapshot to the $MSFSNAPDIR directory without security server statistics:
Example 4: Write the snapshot to the $MSFSNAPDIR directory and include security server statistics:
The IBM database DB2 UDB 8.1 has been qualified with Sun MSF. The information in this section provides an example of how to create the table space and user IDs for a DB2 UDB database that will be used as the security repository. The tools or utilities used to perform these tasks can be different based on the DB2 UDB release you are using. The major tasks are:
1. Create UNIX logins. See Creating the UNIX Logins.
2. Create the table space/database. See To Create the Table Space/Database.
3. Set up the configuration files. See Setting Up the Configuration Files.
4. Set up the execution environment. See To Set Up Your Execution Environment.
5. Initialize the repository. See To Initialize the Repository.
Contact your UNIX system administrator to create three UNIX logins on your host system for the DB2 UDB database. The logins should belong to a single group, for example, dbtwo. Consult your DB2 UDB administrator for information about the group on your host system. The three UNIX logins could be, for example:
These login names must match the corresponding values in the MSFConfig.properties file for the following items:
1. Log in to the host system as udbsec.
2. Make sure the db2 command is in your path.
Source the db2profile file given to you by your DB2 UDB administrator.
The db2 => prompt is displayed.
4. To create a database named MSFSECUDB, type the CREATE and connect commands as shown.
The following shows the computer-user dialog:
You can now set up the configuration files.
Set the necessary properties in the MSFconfig.properties file. Remember the three UNIX logins and the name of your database (in this case MSFSECUDB). For example:
Set up your java.policy file so that the DB2 UDB Java runtime file (for example, db2jcc.jar) has permission to connect and resolve connections. For example:
Your directory, host names, and ports might be different. Consult with your DB2 UDB administrator for the correct URL, environment setups, and client configurations for JDBC.
Ensure that your environment includes the necessary Sun MSF and DB2 UDB file paths.
The proper DB2 UDB Java runtime file (for example, db2jcc.jar) must be in your CLASSPATH.
Run the MakeAnAdministrator utility.
Refer to the Sun Mainframe Transaction Processing Software Administrator's Guide for detailed information.
If your Sun MTP region is configured to use WebSphere MQ and Sun MSF, be aware that MQ requires that the region user ID have permission to access the queues, and therefore, permission to start the MQ trigger transaction.
For example, using the Sun MSF SecAdmin tool, run the following commands to create the resources and add them to the resource domain:
crs,KIX_ATTACH_TRANS,KMQ1,MQ triggered Cobol transaction ard,KIX_ATTACH_TRANS,KMQ1,MTPadminTransactions commit |
To Update the java.security File
SecSvc_300=(SecSvc_300) Security Repository Error occurred: {0}
Description: This message is displayed if there is a problem in the security repository, for example, the database is not functioning, a table is missing, or there is a network disconnection to the repository. This message is also written to the audit logs.
Solution: Notify the super administrator for the security system about this problem and provide the appropriate log information.
SecSvc_301=(SecSvc_301) Unknown Security Error occurred: {0}
Description: This message is displayed by the SecAdmin tool if any non-repository error occurs while operating SecAdmin. This message is also logged to the audit files.
Solution: Contact your authorized service provider for assistance.
| Sun Mainframe Transaction Processing Software Release Notes for AIX Platforms | 817-5614-10 |
|
Copyright © 2004, Sun Microsystems, Inc. All rights reserved.