When you start or stop an enterprise server from MF Directory Server, you are given the option of supplying two sets of credentials. The first set is the operating system credentials under which the processes are to run (labelled Start/Stop processes as). The second set, labelled Use Enterprise Server credentials of:, is checked by the security features of MF Directory Server and Enterprise Server. The requirements for this second set of credentials are described below.
When an enterprise server starts, it connects to MF Directory Server to obtain its configuration details and to update its status information. To do this, it requires suitable Directory Server user credentials (that is, credentials that Directory Server will verify and authorize through the External Security Facility). You can specify that it should connect using a built-in default user or using the credentials with which you are currently logged on to Enterprise Server Administration. Alternatively, you can specify a different Directory Server username and password.
If you choose to use the built-in default user, the process is as follows:
If you choose to use the credentials with which you are currently logged on to Enterprise Server Administration, or if you specify alternative credentials, the enterprise server and MFCS will use those credentials when connecting to MF Directory Server. The enterprise server will also use the credentials internally.
Therefore, the user that you specify must exist within the security domain of both the MF Directory Server and the enterprise server. In addition:
In the MF Directory Server domain, it must be a member of the #System group, and this group must have modify permission on the resource entity in the Servers class that corresponds to the enterprise server.
In the context of the enterprise server, it must have alter permission on the casstart entity within the OPERCMDS resource class.
To stop an enterprise server, the requirements are the same, except that the user requires alter permission on the casstop entity within the OPERCMDS resource class.
Where an external security manager is configured for the enterprise server, a userid and password must be supplied when stopping it through any external method, such as casstop.