Help Center

Recommendations for HPE NonStop Servers

Prognosis User

The software must be installed and patched using the SUPER.SUPER user (255,255). SUPER.SUPER is only required for the installation and patching and it is not recommended to use this account is used on a day-to-day basis or to start the Prognosis service.

It is recommended to create a Prognosis group (ie. "PRGN"). The Prognosis service should be started using the manager account of this group (ie. PRGN.MGR). If there are Prognosis administrator accounts, then they should also be members of the Prognosis group.

Elevated Processes

In addition, several processes are set with ProgID or LICENSE to run with different user ids, this is performed during Installation or Patching, as required. Some of these processes will not be required to run in a given installation and for these, the ProgID can be removed. Others can be re-secured after installation to run with lower permissions. Some, though, do need to be run as SUPER.SUPER. See the sections below for details on these processes.

ProgID

When a ProgID program is executed, the program operates using the privileges of the program owner and accesses only resources to which the program owner has access. ProgID programs allow one user to temporarily gain a controlled subset of another user’s privileges

LICENSE

Licensing a program has the effect of giving the program the privileges of the operating system.

SUPER.SUPER

This is the HPE NonStop user group with full administrative privileges.

LICENSE Processes

The following process needs to be licensed (LICENSE):

Executable Name

Purpose of Executable

Reason for License

Min. Permissions

IRTACL

An agent that interfaces with TACL processes. Used by IRCMDSRV.

To ensure it can call SWITCHUSER to run TACL processes as the relevant user

Without this permission, Prognosis shell commands will be disabled.

Commands can be triggered by Thresholds or Analyst rules as part of configured automation, or on demand from a configured link in a Display. They are also used for internal Prognosis scheduling (e.g. Running regular database summaries). IRCMDSRV can be disabled but it would disable automation capabilities and require external scheduling of Prognosis batch activities.

ProgID Processes

The following process needs ProgID to give SUPER.SUPER privileges:

Executable Name

ProgID to

Purpose of Executable

Reason for ProgID

Min. Permissions

STDC

SUPER.SUPER

Disk Collector

To ensure it can read the disk directory

Not Applicable

The following processes have the ProgID set, but can be re-secured after installation:

Executable Name

ProgID to:

Purpose of Executable

Reason for ProgID

Min. Permissions

IRATMMON

SUPER.SUPER

ATM Monitoring for BASE24

Ensures that EMSDIST processes can be started

A user that can start EMSDIST

IRAVCOL

SUPER.SUPER

Availability monitoring

Ensures that raw sockets can be opened

SUPER group

IRBATCOL

SUPER.SUPER

Netbatch monitoring

Ensures that Netbatch logs can be read and that the SPI interface can be accessed

A user that has read access to logs and can access Netbatch SPI.

IRCLEAN

SUPER.SUPER

Support utility

Ensures that any file created, can be removed

A user with purge permissions on the Prognosis subvol

IREMSEXT

SUPER.SUPER

Advanced event collector

Ensures that EMSDIST processes can be started

A user that can start EMSDIST

IREPSEVT

SUPER.SUPER

Event reader for BASE24-eps ATM monitoring

Ensures that EMSDIST processes can be started

A user that can start EMSDIST

IRGFSRV

SUPER.SUPER

General purpose shared memory collector

Ensures that any shared memory file created, can be read and deleted

A user with read and purge permissions on the Prognosis folders

IRINVOKE

SUPER.SUPER

Patching utility

To ensure it has permissions to read/write/purge files in the Prognosis subvol including the patch repository.

A user with read/write/purge access to the Prognosis folders.

IRMQSCOL

<mqseries-user>

IBM MQ collector

A user that can access IBM MQ queues and execute PCF commands.

A user with MQ group privileges.

IRPATCH

SUPER.SUPER

Patching utility

To ensure it has permissions to re-secure (including ProgID) other executables.

ProgID can be removed, but IRPATCH will need to be run manually as SUPER.SUPER to install patches.

IRSNMPTR

SUPER.SUPER

SNMP trap receiver collector

To ensure it can open raw sockets

SUPER group

STCOMM

SUPER.SUPER

Comms collector (TCP/IP, X25)

To ensure it can establish SPI access to TCP/IP process and X25 line handler

SUPER group

STEMS

SUPER.SUPER

EMS collector

To ensure it can start EMSDIST processes

A user that can start EMSDIST

STMEAS

SUPER.SUPER

Measure collector

To ensure it can start measurements

A user that can start measurements

STPATH

SUPER.SUPER

Pathway collector

To ensure it can access monitored Pathway systems using their SPI interface

A user that has SPI access to all monitored Pathway systems



Provide feedback on this article