Securing PS_HOME on UNIX

The UNIX operating system lends itself to a read-only configuration for PS_HOME because of the way that Inter-process Communication (IPC) resources are allocated and managed. UNIX was designed to allow multiple users concurrent access to the same physical hardware and file system while enforcing a strong privileges model.

Note: You need access to at least two user accounts in order to set up a true and complete read-only environment on UNIX.

To illustrate the procedure, two user accounts are used.

| User Account | Description |
|--------------|-------------|
| InstallAdmin | User responsible for installing PeopleTools. |
| DomainAdmin  | User responsible for creating, configuring, and booting domains. Note: It is under this account that domain processes will run and therefore should have the most stringent permissions. |

To set up a read-only PS_HOME on UNIX:

  1. Install PeopleTools using the InstallAdmin account.

  2. Verify that PS_HOME is read-only.

    After installing PeopleTools, attempt to delete both a directory and file from PS_HOME using the DomainAdmin account.

    If PS_HOME is not read-only to the DomainAdmin account, log in as the InstallAdmin account and use the chmod command to make PS_HOME read-execute to the world.

    If the DomainAdmin account is a member of the same group as the InstallAdmin account, you will need to apply the read-execute restriction to the group also. For example:

    chmod -R 755 $PS_HOME

  3. Sign in as the DomainAdmin account, open a shell, and change directory to PS_HOME.

  4. Invoke psconfig.sh to set the environment.

  5. Create and configure a new domain.

    This can be an application server or Process Scheduler domain.

  6. Start the new domain and verify that all of the domain processes have started.

    For application server domains, ensure that you can sign in through PIA and make successful page requests.
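
A non-destructive alternative to the delete attempt in step 2, added here as an example and not part of PeopleTools or its documentation: it lists every entry under PS_HOME whose mode still grants group or world write access and, optionally, every entry owned by the DomainAdmin account. The function name `audit_ps_home` and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not PeopleTools code): audit PS_HOME permissions without
# deleting anything.
#
# audit_ps_home DIR [ACCOUNT]
#   DIR      directory to audit, normally "$PS_HOME"
#   ACCOUNT  optional account name or numeric UID (for example the
#            DomainAdmin account); entries it owns are reported, because
#            an owner can always chmod its own files back to writable
#
# Prints one offending path per line.
# Returns 0 when nothing is found, 1 when findings exist, 2 on bad usage.
audit_ps_home() {
    dir=$1
    account=${2:-}

    if [ ! -d "$dir" ]; then
        echo "audit_ps_home: not a directory: $dir" >&2
        return 2
    fi

    # -perm -020 matches entries with the group-write bit set,
    # -perm -002 matches entries with the world-write bit set.
    # Symbolic links are skipped: access is decided by the link target.
    if [ -n "$account" ]; then
        findings=$(find "$dir" ! -type l \
            \( -perm -020 -o -perm -002 -o -user "$account" \) -print)
    else
        findings=$(find "$dir" ! -type l \
            \( -perm -020 -o -perm -002 \) -print)
    fi

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Typical use, after the InstallAdmin account has run chmod -R 755:
#   audit_ps_home "$PS_HOME" domain_admin_account_name
```

An empty result with exit status 0 means no entry is group- or world-writable and none is owned by the named account.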