Configuring Credentials for Starting and Stopping Enterprise Servers

Restriction: This topic applies only when the Enterprise Server feature is enabled.

When you start or stop an enterprise server from MF Directory Server, you can supply two sets of credentials. The first set, labelled Start/Stop processes as, is the operating system credentials under which the processes are to run. The second set, labelled Use Enterprise Server credentials of:, is checked by the security features of MF Directory Server and Enterprise Server. The requirements for this second set of credentials are described below.

When an enterprise server starts, it connects to MF Directory Server to obtain its configuration details and to update its status information. To do this, it requires suitable Directory Server user credentials (that is, credentials that Directory Server will verify and authorize through the External Security Facility). You can specify that it should connect using a built-in default user or using the credentials with which you are currently logged on to Enterprise Server Administration. Alternatively, you can specify a different Directory Server username and password.

If you choose to use the built-in default user, the process is as follows:

  1. The enterprise server is started by the casstart command.
  2. It connects to MF Directory Server as the default user, mf_mdsa, to obtain its configuration settings.
  3. The enterprise server subsequently spawns its communications server(s), referred to as MFCS.
  4. MFCS connects to MF Directory Server using the default user, mf_cs. This user requires permissions for operations such as reading and writing data in the MF Directory Server repository. For example, it can read the server's configuration and write changes to the status field.
  5. The enterprise server will then use another default user, mfuser, as the identity for operations.

If you choose to use the credentials with which you are currently logged on to Enterprise Server Administration, or if you specify alternative credentials, the enterprise server and MFCS will use those credentials when connecting to MF Directory Server. The enterprise server will also use the credentials internally.

Therefore, the user that you specify must exist within the security domain of both the MF Directory Server and the enterprise server. In addition:

To stop an enterprise server, the requirements are the same, except that the user requires alter permission on the casstop entity with the OPERCMDS resource class.

Note:

Where an external security manager is configured for the enterprise server, a userid and password must be supplied when stopping it through any external method, such as casstop.