(updated for server version 5.24 or later)
The MOMI server on the NonStop system is initially launched via a TACL obey file to start the main $MOMI process. This process starts other processes that support the MOMI environment.
When a user 'logs on' to a MOMI PC Client, a logon server process is launched that assumes given User ID. When a sensitive command is issued at the client, such as viewing a Spooler Job, a process is launched from the logon server to perform the sensitive commands under the users authority and not under the authority of the main $MOMI process.
MOMI does NOT contain privileged code so it does NOT require to be licensed via FUP. However, certain Operating System functions, such as PING, require additional levels of authority. MOMI can obtain this authority via the object file BWSSG (discussed below). BWSSG is manually created when MOMI is installed during installation.
There are three general User ID classifications. Super.Super (i.e. 255,255), Super.Group (i.e. 255,*) and all other "normal" User ID's. The simplest configuration for MOMI is to start it under Super.Super, followed by Super.Group and lastly under a "normal" User ID, perhaps one specifically created for MOMI, and then also creating BWSSG.
The use of SAFEGUARD or SQL/MP may require that you operate MOMI under a higher level of authority.
Below are the security guidelines for various files/subvolume:
The BWMOMI executable
Must be secured to allow Execute for all users. For example, a Guardian security string of "UUNU". Additionally, in order to allow the creation of SAVEABEND files (used in troubleshooting), READ access should also be considered for a resulting security string of "NUNU".
A user created copy of BWMOMI (or BWMOMIi) and functions as a helper program to perform TCP/IP "Ping" (the ICMP Echo command) and adjustment of System time (if enabled)
If MOMI is started under Super.Super, this file is not needed.
For TNS/R systems this file is needed and should be PROGID to either Super.Super or to a Super.Group.
For TNS/E systems this file is needed and should be PROGID to Super.Super.
As of H06.20 and J06.09 Super.Group may now be used on TNS/E platforms.
File security must allow Execute for all users (i.e. "UUNU"). To allow the creation of SAVEABEND files (used in troubleshooting), READ access should also be considered for a resulting security string of "NUNU".
Subvolume of BWMOMI
MOMI creates several work files in the subvolume where the object resides. The User ID MOMI runs under must have read/write/execute/purge/create access in this subvolume. It is recommended that SAFEGUARD is not used for this subvolume.
The files created in this default location can be directed to another location with the CONFMOMI keywords:
Note that if these keywords are used and an existing file is present in the default location, you must stop MOMI, manually move the file, add the keyword and then restart MOMI.
Subvolume of MOMI history files (HSTnnDB)
MOMI must be given read/write/create access to the subvolume(s) specified for the history files.
MEASURE support files
MOMI makes extensive use of MEASURE . These files must allow read/execute access.
EMS distributor program.
The file must allow execute access.
ProcessH support file.
MOMI uses this file in ProcessH "System" code report on Integrity and later systems. The file must allow read access.
ProcessH support file.
MOMI uses this file in ProcessH "System" code report on Integrity and later systems. The file must allow read access.
Tape programmatic server.
MOMI uses this to report on tape status. The file must allow execute access.
Virtual memory access utility.
MOMI uses this to report on virtual memory usage. The file must allow execute access.
O/S release information (i.e. G06.29.02).
The file must allow read access.
TMF programmatic server.
MOMI uses this to report on TMF status. The file must allow execute access.
ProcessH support file - 16-bit code.
MOMI uses this file in ProcessH "System" code report on S-Series systems. The file must allow read access.
ProcessH support file.
MOMI uses this file in ProcessH "System" code report. The file must allow read access.
ProcessH support file.
MOMI uses this file in ProcessH "System" code report on S-Series systems. The file must allow read access.
SQL/MP compilation utility.
The display of SQL/MP information is the result of dynamic SQL statements. This file must allow read/execute access.
MOMI provides SQL/MP information by reading this subsystem's catalogs. MOMI needs read access to all the catalogs on the system, particularly to the Catalog of the System, to provide information on the SQL/MP screens.
$SYSTEM.SYSTEM.EVENTCX (this file is optional)
EMS user defined cause/effect/recovery information.
MOMI makes use of this file to display EMS user defined cause/effect/recovery information. MOMI needs read/write access to this file. MOMI Client access controls the ability to display/alter information. The location of this file may be overridden with the CONFMOMI keyword EVENTCX.
EMS HTML cause/effect/recovery information.
MOMI makes use of this file to display EMS cause/effect/recovery information. MOMI needs read access to this file.
(This file is not found on pre-S-series systems.)
EMS log file subvolume.
In order to display EMS messages from $0, the EMS log files must allow read access. Use EMSCINFO $0 to display the current EMS log file settings and EMSCCTRL $0,<command> to alter the settings. Existing files will need to have their file security manually altered via FUP.
EMS log file subvolume for hardware events.
In order to display EMS messages from $ZLOG, the EMS log files must allow read access. Use EMSCINFO $ZLOG to display the current EMS log file settings and EMSCCTRL $ZLOG,<command> to alter the settings. Existing files will need to have their file security manually altered via FUP.