Map Credentials between the Info Server and Datastage Engine

A forum for discussing DataStage® basics. If you're not sure where your question goes, start here.

Moderators: chulett, rschirm, roy

nvalia
Premium Member
Posts: 180
Joined: Thu May 26, 2005 6:44 am

Map Credentials between the Info Server and Datastage Engine

Post by nvalia »

Hi All,

We are on Windows 2008 R2 for DS 8.7
(All 3 tiers, Services, Metadata and Engine are on same Server)

For Security/User Authentication
We are mapping credentials between the Information Server User Registry and the Datastage Engine (We are not using the Active Directory)

My question is, as per corporate policy, we need to change the password every 3 months for all the users, so this means we will need to remap the credentials (change password) every time this happens. Can this scenario be avoided or handled differently, especially in a Production environment?

Or does this mean we need to create a new Windows Domain User (like a new process id) with a non-expiring password, add this user in the Information Server and then map its credentials accordingly (one time only)?

Thanks,
NV
BI-RMA
Premium Member
Posts: 463
Joined: Sun Nov 01, 2009 3:55 pm
Location: Hamburg

Re: Map Credentials between the Info Server and Datastage En

Post by BI-RMA »

nvalia wrote: Or does this mean we need to create a new Windows Domain User (like a new process id) with a non-expiring password, add this user in the Information Server and then map its credentials accordingly (one time only)?

No. You need either the datastage-adminuser (usually dsadm) or a user belonging to the same group with a non-expiring password. The important thing is that the user needs to have write-access to all relevant file-system folders. The user does not necessarily have to be set up as a DataStage-User in the web-console. This would allow login to DataStage-Designer as user dsadm, which may not be desired.

Then map the credentials of your personalized users to the user with non-expiring password. Information Server itself will not ask users to change their passwords every three months. It does not support password policies. So to be compliant with your corporate policies you had better use Active Directory.
"It is not the lucky ones are grateful.
There are the grateful those are happy." Francis Bacon
nvalia
Premium Member
Posts: 180
Joined: Thu May 26, 2005 6:44 am

Post by nvalia »

Thanks for your reply BI-RMA.

The dsadm was not set up during installation, only isadmin and wasadmin.
Can we set it up now? If yes, how can we do that?

Also, under
Domain Management-->Engine Credentials-->Open Configurations
we have this option. Is this where we need to mention the dsadm user post creation?

"Default Credentials"
Define the default credentials below for users that don't have their own credential mapping. Otherwise leave blank to use only mapped credentials.


Thanks,
Nirav
BI-RMA
Premium Member
Posts: 463
Joined: Sun Nov 01, 2009 3:55 pm
Location: Hamburg

Post by BI-RMA »

Which User do the folders under C:/IBM/InformationServer/ belong to?

This is the user you are looking for. The important thing is - as mentioned - write-access to the file-system.
"It is not the lucky ones are grateful.
There are the grateful those are happy." Francis Bacon
ray.wurlod
Participant
Posts: 54607
Joined: Wed Oct 23, 2002 10:52 pm
Location: Sydney, Australia

Post by ray.wurlod »

You need a UNIX user. dsadm is the conventional name, but there is no restriction on what the name is. This user and its primary group (conventionally dstage) should be the owner of all DataStage project objects, as well as most of the Engine objects (but be careful there - there are scripts to help you to get the permissions in the Engine correct). You can map engine credentials to this O/S user for all Information Server users, or you can map everyone to his/her own O/S user ID. All UNIX users used for DataStage should belong to the group, and should have their umask set to 002 (not the default 022) so that other members of the group can write to objects created by the user.
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
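
The effect of the umask advice in the post above, as an added example that is not part of the thread: objects created under umask 022 lack the group-write bit, so other members of the shared group cannot modify them, while objects created under 002 keep it. The function names and the temporary directory are assumptions made for the illustration; on a real engine the audit function would be pointed at a project directory.

```shell
#!/bin/sh
# Added example. The umask values 022 and 002 come from the post; the
# function names and the scratch directory are illustrative assumptions.

# Create one file and one directory inside $1 under umask $2, the way a job
# or client session running as a mapped O/S user would create objects.
create_under_umask() {
    dir=$1; mask=$2; name=$3
    (
        umask "$mask"
        : > "$dir/$name.file"
        mkdir "$dir/$name.dir"
    )
}

# List every object below $1 that other members of the owning group cannot
# write to. "-perm -020" matches entries whose group-write bit is set, and
# "!" negates it. The top directory itself is excluded from the listing.
not_group_writable() {
    find "$1" ! -path "$1" ! -perm -020 -print | sort
}

# Demonstration on a constructed scratch directory (not a real project).
demo() {
    scratch=$(mktemp -d) || return 1
    create_under_umask "$scratch" 022 default_umask_user
    create_under_umask "$scratch" 002 group_friendly_user
    echo "Objects other group members cannot write to:"
    not_group_writable "$scratch"
    rm -rf "$scratch"
}

demo
```

Only the objects created under 022 are listed; an empty listing for a project directory means every object is writable by the group.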