ovswitchuser()
NAME
ovswitchuser - Run the OpenView agent processes under a
non-administrative account (not the root account).
SYNOPSIS
NOTE: Stop all OpenView processes on the system before applying an
ovswitchuser command to change the user/account that you want to use
for the OpenView processes. Use the command:
ovc -kill
ovswitchuser -h | -help
ovswitchuser -v | -version
On UNIX systems:
ovswitchuser.sh -existinguser <userName> | -existinguserID <userID>
-existinggroup <groupName> | -existinggroupID <groupID> [-passwd
<passwd>] | -setgroup <package>
On Windows systems:
NOTE: On Windows, the user that is specified with ovswitchuser needs to
have the Log On as a Service permission.
cscript ovswitchuser.vbs -existinguser <userName> | -existinggroup
<groupName> | [-passwd <passwd>]
DESCRIPTION
By default, the OpenView core processes run under the
root/Administrator account. The ovswitchuser command allows you to run
the OpenView processes under a non-administrative account. The group
ownership of all registered OpenView component product files and
directories of <OVDataDir> is changed. The specified user is added to
the group and the core OpenView processes are started under this user
account. Boot scripts are changed to allow daemons/services to run
under non-root/non-Administrative accounts, and the
operating-system-specific registration of daemons/services is modified
so that OV processes start under the specified user.
The ovswitchuser command also stores information about the specified
group in the OpenView configuration file.
The non-root concept relies on the user under which the agent runs
belonging to a specific UNIX group. Therefore the group bits of any
files that are created by OV applications must be set. This allows OV
applications to be run under dedicated users if required, while sharing
the same resources, for example log files. Therefore, it is recommended
to set the umask appropriately for the users that are used to run OV
applications.
A umask setting of 02 is preferable. 022 would cause problems when
multiple applications are run under different users.
If all OpenView applications run under the same user, the umask setting
is not required.
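The effect of the two umask values on files shared through the group, as an added example that is not part of the original man page or of HP's tooling. The function names, file names and temporary directories are constructed for the demonstration; umask 002 is the same value as the 02 given above.

```shell
#!/bin/sh
# Added example: why umask 022 breaks file sharing between OV users that
# belong to one group. All paths are temporary and constructed.

# Create a file under the given umask and report whether the group can
# write it. Prints "shared" or "owner-only".
created_file_is_shared() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1"; : > "$tmp/ov_app.log" )
    # find -perm -020 matches only if the group-write bit is set.
    if [ -n "$(find "$tmp/ov_app.log" -prune -perm -020)" ]; then
        echo shared
    else
        echo owner-only
    fi
    rm -rf "$tmp"
}

# List files and directories below a data directory that members of the
# shared group cannot write. Run it against the data directory after
# switching users to find files left behind by a process with umask 022.
audit_group_write() {
    find "$1" \( -type f -o -type d \) ! -perm -020 -print
}

# Two constructed "applications" write into the same log directory,
# one with umask 002 and one with umask 022.
demo() {
    data=$(mktemp -d) || return 1
    chmod g+w "$data"                    # mktemp -d creates mode 0700
    ( umask 002; mkdir "$data/log"; : > "$data/log/agent_a.log" )
    ( umask 022; : > "$data/log/agent_b.log" )
    audit_group_write "$data" | sed "s|^$data/||"
    rm -rf "$data"
}

echo "umask 002 -> $(created_file_is_shared 002)"
echo "umask 022 -> $(created_file_is_shared 022)"
echo "not group-writable: $(demo)"
```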
If the OV Communication Broker is running, the port that it uses must
be 1024 or greater; alternatively, set the switchuser bit to ovbbccb.
You may need to change the port number on both communication systems.
Refer to product documentation for exact details.
To check if the Communication Broker is running, execute the command:
/opt/OV/bin/ovc -status
It is running if there is the following entry:
ovbbccb          OV Communication Broker    CORE    (****)    Running
If the Communication Broker is running, set the port number to 1024 or
greater or set the switchuser bit to ovbbccb. An example command for
the node mynode is given below. Refer to the Communication Broker man
pages for further details.
ovconfchg -ns bbc.cb.ports -set PORTS mynode:1024
It is also recommended that the domain for the system is specified.
For example:
ovconfchg -ns bbc.http -set DOMAIN mydomain.com
For further information, refer to the ovconfget, ovconfchg, bbc.ini,
and ovbbccb man pages.
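A pre-flight check for the Communication Broker port rule above, as an added example that is not part of the original man page or of HP's tooling. On UNIX, binding a port below 1024 requires root privilege, which is why the port matters once the processes no longer run as root. The status text and PORTS values are constructed samples, and the PORTS value is assumed to be a comma-separated list of <node>:<port> entries.

```shell
#!/bin/sh
# Added example. Feed it the text printed by `ovc -status` and the PORTS
# value of the bbc.cb.ports namespace. Samples below are constructed.

# Succeeds if the status text on stdin shows ovbbccb in state Running.
broker_running() {
    awk '$1 == "ovbbccb" && $NF == "Running" { found = 1 }
         END { exit !found }'
}

# Print each PORTS entry whose port a non-root process cannot bind
# (below 1024) or that is not a valid port number.
bad_port_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -F: '
        NF == 0 { next }
        { port = $NF }
        port !~ /^[0-9]+$/ || port + 0 < 1024 || port + 0 > 65535 { print }'
}

# $1 = status text, $2 = PORTS value. Returns 0 when no change is needed.
preflight() {
    if ! printf '%s\n' "$1" | broker_running; then
        echo "broker not running: no port change needed"
        return 0
    fi
    if [ -z "$2" ]; then
        echo "PORTS not set: confirm which port the broker uses"
        return 1
    fi
    bad=$(bad_port_entries "$2")
    if [ -n "$bad" ]; then
        echo "port below 1024 or invalid: $bad"
        return 1
    fi
    echo "ok"
}

# Constructed sample modelled on the status line shown above.
sample='ovbbccb   OV Communication Broker   CORE   (4242)   Running'
preflight "$sample" 'mynode:1024'
preflight "$sample" 'mynode:383' || true
```

This check covers only the port option; it does not detect whether the switchuser bit has been set to ovbbccb instead.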
Usage restrictions and further considerations may apply depending on
the OpenView product being used. Some OpenView products must be run
under the root/Administrative account. Do not use the ovswitchuser
functionality in these environments. Refer to the product documentation
before attempting to change the user account with the ovswitchuser
tool.
Parameters
ovswitchuser recognizes the following options:
-h | -help
Displays the options for the ovswitchuser command.
-version
Displays the version number of the cross platform component.
-existinguser <userName>
Specifies an existing user <userName> who can run the OV processes.
-existinguserID <userID>
The -existinguserID option is for UNIX only.
Specifies an existing user <userID> under which to run the OV
processes.
-existinggroup <groupName>
Specifies an existing group <groupName> that can run the OV
processes. The <userName> specified with the -existinguser parameter
is added to this group if the <userName> does not belong to this
group.
-existinggroupID <groupID>
The -existinggroupID option is for UNIX only.
Specifies an existing group <groupID> under which to run the OV
processes.
[-passwd <passwd>]
The -passwd option is for MS Windows only.
If you use the -passwd option to specify the password of the
user <userName> defined in -existinguser, the password is used
as logon for the OV services, which are started. Note that, for
security reasons, a password is required to start the OV Services.
So, if you choose not to specify a password here, you will have to
enter the password manually in the Services dialog when you start
the OV Services after the ovswitchuser command completes.
-setgroup <package>
Sets group ownership for the specified package defined in the
XPL config
AUTHOR
ovswitchuser was developed by Hewlett-Packard Company.
EXAMPLES
The following examples show how to use the ovswitchuser command:
· To set ownership of all the installed package files to the group
defined in <groupName>=OV_group and the user defined in
<userID>=1000:
ovswitchuser.sh -existinguserID 1000 -existinggroup OV_group
SEE ALSO
ovconfchg, ovconfget, bbc.ini, ovbbccb