How to change CAM component running as root after SystemEDGE installation using privilege_separation_user option

book

Article ID: 48992

calendar_today

Updated On:

Products

CA Systems Performance for IM (SystemEdge) CA eHealth

Issue/Introduction

Description:

Steps to change CAM component permissions.

Solution:

Due to security constraints, customers might want that the SystemEDGE agent including all its depending components are not allowed to run with root privilege.

This can be achieved by configuring the agent to run as a privileged user with the config entry "privilege_separation_user". The sysedge binary will then be executed with the specified user account, however there is the "cam" process which is still executed as root:

/appl/CA/SharedComponents/ccs/cam/bin/cam

CAM (CA Messaging) is a shared service used by other CA software such as DSM or NSM.

CAM (and CAFT) operates with relatively high default privileges. On UNIX and Linux, by default, they run under root and this cannot be changed from sysedge configuration.

CA understands that this may not always be desirable so a script camchown is provided (to be run by the root user) to change the users under which CAM and CAFT run appropriately.

Any changes made need to be carefully considered according to advice from CA personnel with a knowledge of all the CA applications you are using as this can affect individual applications using CAM component.

Environment

Release:
Component: SEAGNT