000035576 - Setting the umask value in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Oct 22, 2017
Version 1

Article Content

Article Number: 000035576
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
 
Tasks
In Linux, the umask command is used to determine the setting of the mask that controls how file permissions are set for newly created files.
This article provides some general information about the umask command and explains how it is relevant to RSA Identity Governance and Lifecycle.
The following questions about the umask command are addressed in this article:
  • Does the umask value always need to be set to '0022' in RSA Identity Governance and Lifecycle? Or, does it need to be set to this value only for a specific set of users?
  • Does the umask value only need to be changed for the installation? Can it be changed back after the installation or is there a process which requires it? 
  • Does the installer check .bashrc or any other configuration files?
Resolution
The umask value is a four-digit octal number used to control the default file permissions of newly created files.
You can set umask in the /etc/bashrc or /etc/profile file for all users. By default, on most Linux systems it is set to 0022 (022) or 0002 (002).
In RSA Identity Governance & Lifecycle, only the following three OS users are of concern (these are OS users, not DB users):
  • root
  • oracle (the RSA Identity Governance and Lifecycle application runs as oracle)
  • admin
In RSA Identity Governance & Lifecycle, you can see from the /etc/profile or ~/.bashrc files that all of the above-mentioned users have umask set to 0022 (022).
 
Does the umask value always need to be set to '0022' in RSA Identity Governance and Lifecycle? Or, does it need to be set to this value only for a specific set of users?
The umask value does not need to be changed when installing RSA Identity Governance & Lifecycle. It is usually set to the default value (0022) for OS users.
Does the umask value only need to be changed for the installation? Can it be changed back after the installation or is there a process which requires it?
The umask value can be changed after installation if required. If you want all directories and files to be created with specific permissions, the umask value needs to be changed. However, changing it is not recommended, specifically in an RSA Identity Governance & Lifecycle environment (that is, keep it at 0022, which is the default value).
Does the installer check .bashrc or any other configuration files?
Every time you log in to a Linux system, a .bash_profile file is executed. The .bash_profile file is a combination of environment variable scripts and the umask command, as seen in the output below.

. ~/setAFXEnv.sh
. ./setDeployEnv.sh
umask 022

 
You can also see below that the installer checks and performs all of these tests. 

Running test :  checkTotalMemory
Running test :  checkOracleRPMsPreReqs
Running test :  checkEtcHosts
Running test :  checkFqdnHasDomainFormat
Running test :  checkSwapSpace
Running test :  checkMinDiskSizes
Running test :  checkEntitlementPrereqs passwd oracle 500
Running test :  checkEntitlementMatchingId passwd oracle 500 1
Running test :  checkEntitlementPrereqs group oinstall 500
Running test :  checkEntitlementPrereqs group dba 501
Running test :  checkASMKernelDriver /opt/appliancePatches/asmlib
Running test :  checkUserInGroups oracle groupArray[@]
Running test :  checkRunLevel expectedRunlevels[@]
Running test :  checkEtcSecurityLimits oracle hard nofile 65536
Running test :  checkEtcSecurityLimits oracle soft nofile 1024
Running test :  checkEtcSecurityLimits oracle hard nproc 16384
Running test :  checkEtcSecurityLimits oracle soft nproc 2047
Running test :  checkEntitlementMatchingId passwd root 0 1
Running test :  checkUserNotInGroup oracle root
Running test :  checkUMASK 0022
Running test :  checkDNSResolution
Running test :  checkShmMount
Running test :  checkBootMount
Running test :  checkAFXPermissions oracle /home/oracle/AFX

From the above explanation it is clear that the installer does check .bashrc and any other configuration files necessary to perform the installation.
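To make the mask arithmetic described under Resolution and the installer's `checkUMASK 0022` test concrete, the following is an added example, not RSA's installer code. The function names are hypothetical, and GNU `stat` on Linux is assumed. It predicts the mode of new files and directories under a mask, confirms it by creating them, and compares the current shell's umask with an expected value.

```shell
#!/bin/sh
# Added example; function names are hypothetical and not part of the RSA installer.

# Predict the mode a new file or directory receives under a given umask.
# New files start from 0666 and directories from 0777; bits set in the
# mask are cleared from that starting mode.
mode_for_umask() (
    mask=$1 kind=$2 base=0666
    [ "$kind" = dir ] && base=0777
    printf '%03o\n' $(( $base & ~0$mask & 0777 ))
)

# Create a real file or directory under the mask and read back its mode.
# Runs in a subshell so the caller's umask is left untouched.
created_mode() (
    mask=$1 kind=$2
    tmp=$(mktemp -d) || exit 1
    umask "$mask"
    if [ "$kind" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    stat -c '%a' "$tmp/new"      # GNU stat (assumed Linux)
    rm -rf "$tmp"
)

# Succeed only if the current shell's umask equals the expected value.
# Comparing numerically treats 022 and 0022 as the same mask.
check_umask() (
    current=$(umask)
    [ $(( 0$current )) -eq $(( 0$1 )) ]
)

# Demonstration over three constructed sample masks.
for m in 0022 0027 0077; do
    printf 'umask %s: file %s (predicted %s), dir %s (predicted %s)\n' \
        "$m" "$(created_mode "$m" file)" "$(mode_for_umask "$m" file)" \
        "$(created_mode "$m" dir)" "$(mode_for_umask "$m" dir)"
done

if check_umask 0022; then
    echo "current umask matches 0022"
else
    echo "current umask is $(umask), expected 0022"
fi
```

Run it as each of the three OS users (root, oracle, admin) to confirm that the login shell's umask matches the value the installer expects.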
Notes
To understand how the umask value is calculated, along with the umask octal modes and other details, refer to the following website: https://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html
For more details about the umask command, refer to the following link: https://askubuntu.com/questions/44542/what-is-umask-and-how-does-it-work/276958
If a new user is created in the environment, it is the customer's responsibility to decide what the umask value needs to be, as that user would not be one of the three RSA-supplied users for use with RSA Governance & Lifecycle.
The Aveksa Installer always checks Aveksa_System.cfg.
