Caché provides a special emergency access mode that can be used under certain dire circumstances, such as if there is severe damage to security configuration information or if no users with the %Admin_Manage:Use or %Admin_Security:Use privileges are available (that is, if all users are locked out). Although Caché attempts to prevent this situation by ensuring that there is always at least one user with the %All role, that user may not be available or may have forgotten the password.
When Caché is running in emergency access mode, only a single user (called the “emergency user”) is permitted. This username does not have to be previously defined within Caché. In fact, even if the username is defined in Caché, the emergency user is conceptually a different user. The emergency username and password are only valid for the single invocation of emergency mode.
12.9.1 Invoking Emergency Access Mode
To start Caché in emergency access mode, you must have the appropriate operating-system privileges:
• On Windows systems, the user must be a member of the Administrators group.
• On UNIX® and Mac systems, the user must be root.
• On OpenVMS systems, the user must have a system UIC.
Caché performs authentication by checking operating-system-level characteristics.
12.9.1.1 Invoking Emergency Access Mode on Windows
To start Caché in emergency access mode:
1. Start the Windows Command Prompt program. (On certain versions of Windows, such as Vista, you must run the Command Prompt as an administrator; to do this, right-click the Command Prompt choice in the menu and then choose Run as Administrator.)
2. Go to the bin directory for your Caché installation.
3. In that directory, invoke Caché at the command line using the appropriate switch and passing in the username and password for the emergency user.
./ccontrol start <cache-instance-name> /EmergencyId=<username>,<password>
This starts an emergency-mode Caché session with only one allowed user where:
• <cache-instance-name> specifies the instance being started in emergency mode
Emergency Access
• <username> is the sole user of the system
• <password> is <username>’s password
Note: On Windows, unlike other operating systems, the EmergencyId switch is preceded by a slash (“/”).
For example, at the instance MyCache, to start Caché in emergency mode with user Eugenia with the password 52601, the command would be:
./ccontrol start MyCache /EmergencyId=Eugenia,52601
The only user who can then log in is the emergency user, using the appropriate password, such as:
Username: Eugenia
Password: *****
Warning, bypassing system security, running with elevated privileges
Once Caché has started, you can start the Terminal from the Caché cube or run any CSP application. This provides access to the System Management Portal and all character-based utilities. Using this access, you can change any settings as necessary and then restart Caché in its normal mode.
12.9.1.2 Invoking Emergency Access Mode on UNIX® and Mac OS
To start Caché in emergency access mode, invoke Caché at the command line using the appropriate switch and passing in the username and password for the emergency user:
ccontrol start <cache-instance-name> EmergencyId=<username>,<password>
This starts an emergency-mode Caché session with only one allowed user where:
• <cache-instance-name> specifies the instance being started in emergency mode
• <username> is the sole user of the system
• <password> is <username>’s password
Note: If going from one of these operating systems to Windows, remember that on Windows only, the EmergencyId switch is preceded by a slash (“/”).
For example, at the instance MyCache, to start Caché in emergency mode with user Eugenia with the password 5262001, the command would be:
ccontrol start MyCache EmergencyId=Eugenia,52601
The only user who can then log in is the emergency user, using the appropriate password, such as:
Username: Eugenia
Password: *****
Warning, bypassing system security, running with elevated privileges
Once Caché has started, you can run Caché Terminal or any CSP application. This provides access to the System Management Portal and all character-based utilities. Using this access, you can change any settings as necessary and then restart Caché in its normal mode.
12.9.1.3 Invoking Emergency Access Mode on OpenVMS
To start Caché in emergency access mode, invoke Caché at the command line using the appropriate switch and passing in the username and password for the emergency user, where the username and password are in quotation marks:
ccontrol start <cache-instance-name> EmergencyId="<username>,<password>"
140 Caché Security Administration Guide System Management and Security
This starts an emergency-mode Caché session with only one allowed user where:
• <cache-instance-name> specifies the instance being started in emergency mode
• <username> is the sole user of the system
• <password> is <username>’s password
Note: If going from OpenVMS to Windows, remember that on Windows only, the EmergencyId switch is preceded by a slash (“/”).
For example, at the instance MyCache, to start Caché in emergency mode with user Eugenia with the password 5262001, the command would be:
ccontrol start MyCache EmergencyId="Eugenia,52601"
The only user who can then log in is the emergency user, using the appropriate password, such as:
Username: Eugenia
Password: *****
Warning, bypassing system security, running with elevated privileges
Once Caché has started, you can run Caché Terminal or any CSP application. This provides access to the System Management Portal and all character-based utilities. Using this access, you can change any settings as necessary and then restart Caché in its normal mode.
12.9.2 Emergency Access Mode Behavior
In emergency access mode, Caché has the following constraints and behaviors:
• The emergency user is the only permitted user. Any attempt by another user to log in will fail.
• The emergency user has the %All role.
• Console, Terminal and CSP are the only services that are enabled. All other services are disabled. This does not affect the enabled or disabled status of services when Caché starts in non-emergency mode; only the current (emergency), in-memory information about services is affected.
• For the enabled services, only authenticated access is permitted. Caché uses its own password authentication for the services, where the emergency access username and password must be used.
• After emergency access login, Caché attempts to audit all events for the active process; Caché start-up proceeds even if this is not possible. Login failures in emergency access mode are not audited.
• The emergency user can make changes to the Caché configuration, but these changes are not activated until the next time that Caché is started in normal (not emergency) mode. This is in contrast to the normal operation of Caché, in which configuration changes are primarily activated without restarting Caché.
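Because login failures in emergency access mode are not audited and Caché's own auditing may be unavailable, a site can also watch its operating-system command log for emergency starts. The following is an added example, not part of the InterSystems guide: the log layout, timestamps and function names are assumptions, and the command forms are the three shown above.

```shell
#!/bin/sh
# Added example, not InterSystems code. Log layout and function names are assumptions.

# Constructed sample: timestamp, OS account, logged command line.
sample_log() {
  cat <<'EOF'
2024-01-01T02:10:00 root ccontrol start MyCache EmergencyId=Eugenia,52601
2024-01-01T02:40:00 root ccontrol stop MyCache
2024-01-01T02:41:00 root ccontrol start MyCache
2024-01-02T09:00:00 SYSTEM ccontrol start MyCache EmergencyId="Eugenia,52601"
2024-01-03T11:15:00 Administrator ./ccontrol start MyCache /EmergencyId=Eugenia,52601
EOF
}

# Print "instance=<name> user=<username>" for each emergency-mode start.
# Covers the UNIX/Mac, OpenVMS (quoted) and Windows (/EmergencyId) forms.
# Normal starts and stops produce no output.
find_emergency_starts() {
  sed -n -E 's#.*ccontrol[[:space:]]+start[[:space:]]+([^[:space:]]+)[[:space:]]+/?EmergencyId="?([^,"[:space:]]+),.*#instance=\1 user=\2#p'
}

# Replace the emergency password so it is not copied into downstream logs.
# First expression: quoted form (password runs to the closing quote).
# Second expression: unquoted form (password runs to the next whitespace).
redact_emergency_password() {
  sed -E \
    -e 's#(/?EmergencyId="[^,"]+,)[^"]*#\1<redacted>#g' \
    -e 's#(/?EmergencyId=[^,"[:space:]]+,)[^[:space:]]+#\1<redacted>#g'
}

# Show the redacted emergency-start lines, then the extracted records.
sample_log | redact_emergency_password | grep 'EmergencyId='
sample_log | find_emergency_starts
```
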