Topic: Key store permissions

skiwi

  • EA Practitioner
  • ***
  • Posts: 1979
  • Karma: +44/-82
    • View Profile
Key store permissions
« on: February 08, 2011, 08:00:31 am »
We are installing the Keystore Service, and our practice is to run services under dedicated Active Directory accounts (instead of Local System for example)

Can anyone please tell us the minimum permission set they found were required for the service account on the Server where the Service is installed to

(Our Active Directory created service accounts all belong to the Domain Users group only – so further permissions will be required on the server where the service is installed)
« Last Edit: February 08, 2011, 08:01:51 am by skiwi »
Orthogonality rules
Using EA15.2 (1555) on Windows 10 Enterprise/64 bit. Repositories in SQLServer2019 & Access2003/JET4.0. WebEA on Pro Cloud Server 4.2.64

skiwi

Re: Key store permissions
« Reply #1 on: February 09, 2011, 06:45:23 am »
Sparx support have been unable to help us on this one,
so if any of you could get your SysAdmins who have installed this on a corporate server to tell us what the minimum permissions they set the service account up with I'd appreciate it

tia

skiwi

Re: Key store permissions - help needed
« Reply #2 on: February 21, 2011, 02:17:51 pm »
Please, does anyone run the Key Store on a network server ?

Our situation:

The Key server fails to run when configured with a domain (AD) service account without full administrative privileges.
The domain service account is a member of the standard Microsoft Domain Users AD group.
 On the server where the service is installed, the service account is also ‘Log on as a Service’, ‘Act as part of the operating system’ and ‘Log on as a batch job’ user rights assignment (through Local Security Settings)
Note that using the local system account it works but does not meet our internal security requirements.

We need to be able to run the application using a domain (AD) service account and without full administrative privileges


When we run the Keystore as a service the service appears to terminate with any messages or logs generated to send to Sparx.
« Last Edit: February 21, 2011, 02:19:06 pm by skiwi »

skiwi

Re: Key store permissions
« Reply #3 on: March 14, 2011, 01:27:33 pm »
The permissions we gave to the service


The service start message


The event log
Code:
Event Type:     Information
Event Source:  Service Control Manager
Event Category:          None
Event ID:        7035
Date:               7/03/2011
Time:               10:41:28 a.m.
User:                ***\***
Computer:       *******
Description:
The Sparx Systems Keystore Service service was successfully sent a start control.
Followed by
Code:
Event Type:     Information
Event Source:  Service Control Manager
Event Category:          None
Event ID:        7036
Date:               7/03/2011
Time:               10:41:28 a.m.
User:                N/A
Computer:       *******
Description:
The Sparx Systems Keystore Service service entered the stopped state.

Note how it terminates immediately without any message.

Please, I really need some help on this one.
« Last Edit: March 14, 2011, 01:28:20 pm by skiwi »

skiwi

Re: Key store permissions
« Reply #4 on: March 23, 2011, 08:07:26 am »
Is there anyone at all out there who is using the key server and has it installed on a Windows network in an AD environment?

Graham_Moir

  • EA User
  • **
  • Posts: 746
  • Karma: +9/-15
    • View Profile
Re: Key store permissions
« Reply #5 on: March 31, 2011, 08:04:01 pm »
Why can't Sparx help with this - after all it's their software !  

We run with the Key Store on a network server,  but we don't run the key store service.  Everyone just picks up a shared key from the key store file.   This works OK.


skiwi

Re: Key store permissions
« Reply #6 on: April 01, 2011, 06:31:24 am »
Quote
Why can't Sparx help with this - after all it's their software !
I wish I knew, the response I get is
Quote
As seen in your screenshots - your service account appears to have full permissions to the key store directory in the file system.  This would suggest that your problem is most likely with your Local Security Policy configuration.

Unfortunately our response is still the same as before -

There is no documentation currently available regarding the specific permissions required in the Local Security Policy configuration and unfortunately we do not have the resources available at this time to investigate these security configuration requirements.
which is not unreasonable, but I have a situation where I have no diagnostics available from the product that allow us to determine the issue, or provide further information to Sparx.
So our SysAdmins say they don't know what to do next, and Sparx say they can't help!
(and did I mention that we just upgraded 8 of our licences to floating,
all I can say is that after three months we are not getting value for money)

Hence my requests to the community ...
« Last Edit: April 01, 2011, 09:47:25 am by skiwi »

qwerty

  • EA Guru
  • *****
  • Posts: 12819
  • Karma: +366/-295
  • I'm no guru at all
    • View Profile
Re: Key store permissions
« Reply #7 on: April 01, 2011, 07:16:49 am »
Isn't there any escalation procedure? For a standard product service there should be one! A supporter (New Zealand isn't too far from Australia) should come and fix it at the customer site. And if it's too far they need to send someone from an affiliate company. Well....

I guess the problem is the price here. Above is valid for licenses where a single one is above $10.000. Maybe it's an idea for Sparx to offer paid premier support?

q.

mrf

  • EA User
  • **
  • Posts: 311
  • Karma: +0/-0
    • View Profile
Re: Key store permissions
« Reply #8 on: April 04, 2011, 10:15:27 pm »
Do the logs tell you anything? The user you run the service as will require file system access to the directory that the service is installed under (and any subdirectories).

The service user will also need permission to create COM objects.

If there's no entries in the logs, I'd hazard a guess that it's a file system issue, otherwise I'd go with COM.

Michael
PS No longer working for Sparx so any further correspondence may be sporadic!
Best Regards,

Michael

support@sparxsystems.com
"It is more complicated than you think." - RFC 1925, Section 2.8

mrf

Re: Key store permissions
« Reply #9 on: April 04, 2011, 10:16:19 pm »
And apparently I still have a red account....

qwerty

Re: Key store permissions
« Reply #10 on: April 04, 2011, 10:33:59 pm »
I wonder whether your former colleagues have read RFC 1925 thoroughly. Funny it fits not only for networking...

q.

KP

  • EA Administrator
  • EA Expert
  • *****
  • Posts: 2901
  • Karma: +52/-3
    • View Profile
Re: Key store permissions
« Reply #11 on: April 05, 2011, 09:37:47 am »
Quote
And apparently I still have a red account....
Of course if it were up to me, you'd be B&
8-)


PS See you Sunday...
The Sparx Team
support@sparxsystems.com

RoyC

  • EA Administrator
  • EA Practitioner
  • *****
  • Posts: 1297
  • Karma: +21/-4
  • Read The Help!
    • View Profile
Re: Key store permissions
« Reply #12 on: April 05, 2011, 11:47:14 am »
And told to shut up.

But before you do shut up, you only have another 5300-odd postings to catch up with Midnight, who now appears to be back and upping the ante (welcome back David!). So come on lad, hop to it!
Best Regards, Roy

skiwi

Re: Key store permissions
« Reply #13 on: May 06, 2011, 07:33:11 am »
Just to close this, in our case this was fixed by providing the correct permissions to access COM, and by changing the SysAdmin :'(
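
Read-only checks for the two causes suggested in Reply #8 (install-directory access and COM permissions, the second of which the closing post confirms), plus the user rights listed in Reply #2. This is an added PowerShell example, not part of any post in the thread or of Sparx's documentation. The account name is a constructed placeholder, the service display name is the one shown in the event log in Reply #3, and an elevated PowerShell 3.0+ session on the server is assumed.

```powershell
# Added example (not from the thread): read-only triage for a service that stops
# immediately under a domain account. Run elevated, PowerShell 3.0 or later.
$Account     = 'EXAMPLE\svc-keystore'            # constructed placeholder account
$DisplayName = 'Sparx Systems Keystore Service'  # display name from the thread's event log

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
if (-not $svc) { throw "Service '$DisplayName' not found" }
"Service runs as: $($svc.StartName)"

# 1. File system: explicit ACEs for the account on the install directory.
#    Access granted through group membership does not show up in this filter.
$exe = $svc.PathName -replace '^"?(.+?\.exe).*$', '$1'
(Get-Acl (Split-Path -Parent $exe)).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# 2. User rights: export Local Security Policy, list the rights that name the SID
#    (SeServiceLogonRight, SeBatchLogonRight, SeTcbPrivilege are the three in the thread).
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$sidPattern = [regex]::Escape($sid.Value) + '(,|$)'
Get-Content $inf | Where-Object { $_ -match '^Se\w+\s*=' -and $_ -match $sidPattern } |
    ForEach-Object { ($_ -split '=')[0].Trim() }
Remove-Item $inf

# 3. COM: machine-wide launch/access descriptors and explicit ACEs for the account.
#    Per-application (AppID) launch permissions are set separately and not read here.
$ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
foreach ($name in 'MachineLaunchRestriction', 'DefaultLaunchPermission',
                  'MachineAccessRestriction', 'DefaultAccessPermission') {
    $bytes = $ole.$name
    if (-not $bytes) { "${name}: not set (built-in default applies)"; continue }
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $hit = @($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid })
    "{0}: {1} explicit ACE(s); SDDL {2}" -f $name, $hit.Count, $sd.GetSddlForm('Access')
}

# 4. Event log: DCOM permission denials (event 10016) mentioning the account.
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 } |
    Where-Object { $_.Message -match [regex]::Escape($sid.Value) -or
                   $_.Message -match [regex]::Escape($Account) } |
    Select-Object -First 5 TimeCreated, Message | Format-List
```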