DX Unified Infrastructure Management

  • 1.  Converting DX UIM installation to non-admin user

    Posted 26 days ago

    Hello All,

    Currently the account running the Nimsoft Robot service on Primary Hub and OC servers is in the Local Admins group. We've also used this account to log in to the server locally and run the installs/upgrades. Is this just as simple as removing it from local admin, granting the account Logon as Service rights and Full Control to the UIM Installation folder? Does anyone know of any other gotchas they've encountered when trying to do this?

    Thanks,

    Larry 



  • 2.  RE: Converting DX UIM installation to non-admin user

    Broadcom Employee
    Posted 20 days ago

    Hi Larry,

    It requires additional permissions other than granting an account Logon as Service. Could you please verify the required privileges at the following link:

    https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/23-4/installing/install-the-product-as-a-non-admin-non-root-user/prerequisites-for-installation.html#concept.dita_512a2b67-81f8-41da-89fb-9326525eb334_add_non_admin_to_user_group

    Rgds,

    Rajesh B




  • 3.  RE: Converting DX UIM installation to non-admin user

    Posted 16 days ago

    Hi Rajesh,

    Thanks for the additional info.  I'll give this a go in Dev next week.

    Larry




  • 4.  RE: Converting DX UIM installation to non-admin user

    Posted 16 days ago

    If you remove the Nimsoft service admin user, I think that an upgrade of Cabi will fail.

    I had this while upgrading to cu2:

    aug 16 12:40:42:484 [Thread-1, cabi]      [exec] [create-ks] A new encryption key and a new keystore are about to be created. Any previously created key and keystore will become invalid and the corresponding passwords unusable. If you think this JasperReports Server instance already has a keystore configured by another OS user, stop this process and configure the path in keystore.init.properties file, then run this command again. See the JasperReports Server Security Guide for details. Do you want to continue? (y/N) 
    aug 16 12:40:42:484 [Thread-1, cabi]      [exec] 
    aug 16 12:40:42:484 [Thread-1, cabi]      [exec] BUILD FAILED
    aug 16 12:40:42:484 [Thread-1, cabi]      [exec] C:\Nimsoft\c\buildomatic\build.xml:44: The following error occurred while executing this line:
    aug 16 12:40:42:485 [Thread-1, cabi]      [exec] C:\Nimsoft\c\buildomatic\bin\setup.xml:354: Keystore creation was canceled.




  • 5.  RE: Converting DX UIM installation to non-admin user

    Posted 16 days ago

    Thanks for the reply Luc.  So, what did you end up doing?  Removing cabi and wasp probe and deploy again?

    Larry




  • 6.  RE: Converting DX UIM installation to non-admin user

    Posted 16 days ago
    I changed the Nimsoft service back to use the administrator account (= the userid that I used during initial install) and redeployed cabi.
    That install/upgrade worked without problems.
    Afterwards I removed the logon with a userid for the service and everything continued to work fine.




  • 7.  RE: Converting DX UIM installation to non-admin user

    Posted 15 days ago

    Also, if the robot is not in the local admin group, some probes (e.g. processes) don't work properly, as they need some elevated/special privileges to access the OS. The actual privileges are not documented, as Broadcom assumes the robot is running with local admin privileges. To overcome this we moved from using a user/service account to MSA for the robots, and left local admin privileges if needed, as well as doing Luc's style workaround with enabling elevated privileges during upgrades.

    Not fun, I agree, but it made our security team much happier about our privileged access stance.



    ------------------------------
    Knows a little about UIM/DXim, AE, Automic
    ------------------------------



  • 8.  RE: Converting DX UIM installation to non-admin user

    Posted 14 days ago

    Thanks for the feedback Andrew.  I'll be on the lookout for items like you mentioned during the process of converting in Dev.  If it comes down to having to elevate the account privileges for upgrades, we may just leave as is.  I'll have to see what the pain level of doing that in our environment would be.




  • 9.  RE: Converting DX UIM installation to non-admin user

    Posted 13 days ago

    Larry

    Don't get me wrong, for at least 95% of our infrastructure we have no issue/hassle using an account with no local admin privileges. We don't use the processes probe on Windows except for special cases, for example. And again, to apply patches no change was required; it is only the cumulative patches on the primary hub/cabi where we had an extra step at the beginning and end to add and then remove the local admin privileges. It didn't add much to the effort or time of the maintenance window.

    Regards, Andrew



    ------------------------------
    Knows a little about UIM/DXim, AE, Automic
    ------------------------------
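
A read-only check of the three conditions raised in this thread (local Administrators membership, the Logon as Service right, Full Control on the installation folder), suited to running after a maintenance window in which admin rights were granted temporarily. This is an added example, not code from any poster or from Broadcom; the default service name `NimbusWatcherService` and the `C:\Nimsoft` path are assumptions to adjust, and it does not cover the further privileges listed in the linked prerequisites page.

```powershell
# Added example (not from the thread): read-only audit of the robot service account.
# Run from an elevated prompt: secedit /export needs administrator rights.
param(
    [string]$ServiceName = 'NimbusWatcherService', # assumption: confirm with Get-Service
    [string]$InstallDir  = 'C:\Nimsoft'            # assumption: path seen in the cabi log above
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = $svc.StartName
if (-not $account -or $account -eq 'LocalSystem') {
    throw "Service runs as LocalSystem, not as a named account"
}

# Resolve the logon account to a SID so comparisons do not depend on name format.
$name = $account -replace '^\.\\', "$env:COMPUTERNAME\"
$sid  = ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier])

# 1. Direct membership of BUILTIN\Administrators (nested domain groups are not expanded).
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
                  Where-Object { $_.SID.Value -eq $sid.Value })

# 2. "Log on as a service" granted directly to the account (grants via a group are not detected).
$cfg = Join-Path $env:TEMP "rights-$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = @(($line -replace '^[^=]*=', '') -split ',' | ForEach-Object { $_.Trim() })
$hasLogonRight = ($holders -contains "*$($sid.Value)") -or ($holders -contains $account)

# 3. Allow ACE with FullControl on the installation folder (explicit or inherited).
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$rules = (Get-Acl -Path $InstallDir).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
$hasFullControl = [bool]($rules | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $full) -eq $full })

[pscustomobject]@{
    Service             = $ServiceName
    Account             = $account
    InLocalAdmins       = $isAdmin          # expected False outside upgrade windows
    LogonAsServiceRight = $hasLogonRight
    FullControlOnDir    = $hasFullControl
}
```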