z/OS UNIX System Services Planning


Steps for preparing RACF

z/OS UNIX System Services Planning
GA32-0884-00

Before you begin: You need to have installed a z/OS system and to be aware that a SAMPLIB member, BPXISEC1, is provided with z/OS UNIX. This sample TSO/E CLIST provides all the RACF® commands needed for the security setup. Use this sample member to set up your security environment.

Perform the following steps to prepare RACF for z/OS UNIX.

  1. The OMVS cataloged procedure runs a program that initializes the kernel. Issue ADDGROUP and ADDUSER commands to define the user ID and group ID specified for OMVS. For example:
    ADDGROUP OMVSGRP OMVS(GID(1))
    ADDUSER OMVSKERN DFLTGRP(OMVSGRP)
            OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
            NOPASSWORD
    • When you create the RACF user ID for OMVSKERN, use the NOPASSWORD option to create it as a protected user ID. Protected user IDs cannot be used to log on to the system or be revoked by incorrect password or passphrase attempts.
    • Specify the RACF name for the group: OMVSGRP in the example. Because the processes created by /usr/sbin/init inherit the GID of the BPXOINIT, do not permit OMVSGRP to any resources, unless programs you start using /etc/rc need to be permitted to these resources. For more information, see Customizing /etc/rc.

      In this example, the GID is 1. However, OMVSGRP can have any group ID. The GID assigned to this group should be consistent with the GID assigned to the basic files that are installed in the root directory. ServerPac assumes that the default of GID(1) will be used. If you want to change the GID value, then you must also change all files and directories in the entire z/OS® UNIX file system that currently have GID(1) to the new GID value.

    • The TSO/E segment is not needed because NOPASSWORD prevents the OMVSKERN user ID from being used with TSO/E. This prevents a user logon from interfering with the OMVSKERN user ID.
    • Assign UID(0) to the kernel user ID (OMVSKERN). Any programs forked by /etc/rc receive their authority from the user ID assigned to the BPXOINIT process. Use the same user ID for BPXOINIT as you assigned to the kernel (OMVS). The BPXOINIT process and any programs forked by the kernel's descendants have superuser authority.
    • Specify the home directory for the kernel: the root (/).
    • To define the default shell for processes run with the OMVSKERN user ID, specify:
      PROGRAM('/bin/sh')
    • The initialization process BPXOINIT controls the accounting information for /usr/sbin/init, /etc/rc, and any other programs it starts. If you want to tailor accounting information for the kernel and startup processes, consider the following:
      • OMVS and BPXOINIT get their account data independently. You can control the account data in the same way that you set up accounting data for any cataloged procedure.
      • The accounting data for /usr/sbin/init, /etc/rc, and any processes created by /etc/rc is obtained from the security product database for user OMVSKERN (the same user ID should be assigned to the BPXOINIT cataloged procedure).
      • The account data for a process started by /etc/rc can be set with the _BPX_ACCOUNT environment variable. For example:
        export _BPX_ACCOUNT=AccountingData

    _______________________________________________________________

  2. Add the OMVS procedure either to the RACF STARTED class or to the RACF started procedures table, module ICHRIN03. When deciding which method to use, keep in mind that the STARTED class profiles are checked before ICHRIN03, and that any changes made to ICHRIN03 do not take effect until the next IPL. The entry for the OMVS cataloged procedure defines the user ID and group name that the OMVS address space will be assigned.
    • You must decide whether to mark OMVS (the kernel) trusted for access. Making the kernel trusted is useful for giving the kernel access to any local data set that it wants to mount. If you do not mark the kernel trusted for local access, set up profiles so that the kernel user ID has access to any local data set that it needs to mount. For information about trusted attributes, read about associating started procedures with user IDs in z/OS Security Server RACF System Programmer's Guide.
    • Give the entry for the BPXOINIT started procedure the same identity as OMVS. Do not mark BPXOINIT trusted.
    • If you have decided to add OMVS as a trusted procedure, give the kernel the trusted attribute. With the trusted attribute, the kernel can work with the local data sets containing the file systems. Use one of these methods:
      • Add it to the RACF STARTED class:
        SETROPTS GENERIC(STARTED)
        RDEFINE STARTED OMVS.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
        TRUSTED(YES))
        SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
        If you add any other entries after this, issue SETROPTS RACLIST(STARTED) REFRESH; they will be picked up on the next START.

        This defines the BPXOINIT task to run under the user ID OMVSKERN, which should be NOPASSWORD.

      • Add the following entries to ICHRIN03.
        DC CL8'OMVS'     PROCEDURE NAME
        DC CL8'OMVSKERN' USERID (ANY RACF-DEFINED USER ID)
        DC CL8'OMVSGRP'  GROUP NAME OR BLANKS FOR USER'S DEFAULT GROUP
        DC XL1'40'       TRUSTED ATTRIBUTE BIT
        DC XL7'00'       RESERVED
    • If you have decided not to make OMVS trusted, add it without the trusted attribute, using one of the following methods. (See step 5 for additional measures needed if the kernel is not trusted.)
      • Add it to the RACF STARTED class:
        SETROPTS GENERIC(STARTED)
        RDEFINE STARTED OMVS.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
        TRUSTED(NO))
        SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
        If you add any other entries after this, issue
        SETROPTS RACLIST(STARTED) REFRESH
        They will be picked up on the next START.
      • Add it to ICHRIN03, as shown in the following example:
        DC CL8'OMVS'     PROCEDURE NAME
        DC CL8'OMVSKERN' USERID (ANY RACF-DEFINED USER ID)
        DC CL8'OMVSGRP'  GROUP NAME OR BLANKS FOR USER'S DEFAULT GROUP
        DC XL1'00'       NOT TRUSTED
        DC XL7'00'       RESERVED

    _______________________________________________________________

  3. Add the BPXOINIT procedure (it runs the initialization process) without making it trusted, using one of these methods:
    • Add it to the RACF STARTED class:
      SETROPTS GENERIC(STARTED)
      RDEFINE STARTED BPXOINIT.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
      TRUSTED(NO))
      SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
    • Add it to ICHRIN03:
      DC CL8'BPXOINIT' PROCEDURE NAME
      DC CL8'OMVSKERN' USERID (ANY RACF-DEFINED USER ID)
      DC CL8'OMVSGRP'  GROUP NAME OR BLANKS FOR USER'S DEFAULT GROUP
      DC XL1'00'       NOT TRUSTED
      DC XL7'00'       RESERVED

    _______________________________________________________________

  4. Add the BPXAS procedure without making it trusted. (When programs issue fork or spawn requests, the BPXAS procedure is used to provide a new address space.) Use one of the following methods:
    • Add it to the RACF STARTED class:
      SETROPTS GENERIC(STARTED)
      RDEFINE STARTED BPXAS.* STDATA(USER(OMVSKERN)
      TRUSTED(NO))
      SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
    • Add it to ICHRIN03:
      DC CL8'BPXAS'    PROCEDURE NAME
      DC CL8'OMVSKERN' USERID (ANY RACF-DEFINED USER ID)
      DC CL8'OMVSGRP'  GROUP NAME OR BLANKS FOR USER'S DEFAULT GROUP
      DC XL1'00'       NOT TRUSTED
      DC XL7'00'       RESERVED

    _______________________________________________________________

  5. If you did not make the kernel address space trusted, you need to give the kernel access to the local data sets in one of two ways.
    Either meet all three of the following conditions:
    • Use consistent qualifiers for the local data set names. For example, name each local data set OMVS.xxxxxxxx so that all of them share the OMVS qualifier.
    • Create a generic RACF profile for the OMVS.* data sets, giving the kernel's user ID (that is, OMVSKERN) ALTER authority. For example:
      ADDUSER OMVS
      ADDSD ('OMVS.*') OWNER(OMVSKERN) UACC(NONE)
      PERMIT 'OMVS.*' ACCESS(ALTER) ID(OMVSKERN)
    • Authorize administrators who will be allocating local data sets by adding their user IDs to the OMVS.* access list in the data set profile and giving them ALTER authority.
    or:
    • Make sure your administrators who create local data sets give the kernel permission before having the file system mounted. For each local data set, the creator defines a data set profile with UACC(NONE) and gives the kernel address space ALTER authority. For example:
      ADDUSER SMORG
      ADDSD ('SMORG.HFS') UACC(NONE) OWNER(SMORG)
      PERMIT 'SMORG.HFS' ACCESS(ALTER) ID(OMVSKERN)

    _______________________________________________________________

  6. If you are defining colony address spaces for a physical file system (for example, for the NFS Client), set up the security by adding an entry to the RACF STARTED class or to the RACF started procedures table for each colony address space. The procedure name specified in the entry must match the ASNAME specified on the FILESYSTYPE statement in the BPXPRMxx member. For example, if you specified the following:
    FILESYSTYPE  TYPE(...) ENTRYPOINT(...) ASNAME(OMVSCOL1)
    then use one of these methods to specify the procedure name:
    • Add it to the RACF STARTED class:
      SETROPTS GENERIC(STARTED)
      RDEFINE STARTED OMVSCOL1.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
      TRUSTED(NO))
      SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
    • Add the following entry to ICHRIN03, to allow the colony address space to be dubbed as a process with UID(0):
      DC CL8'OMVSCOL1'       PROCEDURE NAME
      DC CL8'OMVSKERN'       USERID
      DC CL8'OMVSGRP'        GROUP NAME
      DC XL1'00'             NOT TRUSTED
      DC XL7'00'             RESERVED

    _______________________________________________________________
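As an added example (not part of this topic and not the BPXISEC1 sample that IBM ships), the following Python script checks a BPXISEC1-style command stream against the rules in steps 1 to 4 and 6: the kernel user ID is protected and has UID(0), HOME('/') and PROGRAM('/bin/sh'); OMVS, BPXOINIT, BPXAS and each colony address space run as that user ID; only OMVS carries TRUSTED(YES); and the STARTED class is activated and RACLISTed. It parses the TSO/E command syntax shown above (keyword(value) operands, quoted strings, and a trailing '-' or '+' as the CLIST continuation character). The embedded command text is constructed for this example and deliberately marks BPXOINIT trusted so that the audit has something to report; the colony name OMVSCOL1 is taken from step 6 and the default for the colonies parameter is an assumption.

```python
# Constructed sample modeled on this topic's commands (not IBM's BPXISEC1). It
# deliberately marks BPXOINIT trusted, which step 3 says not to do.
SAMPLE = """\
ADDGROUP OMVSGRP OMVS(GID(1))
ADDUSER OMVSKERN DFLTGRP(OMVSGRP) -
        OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) -
        NOPASSWORD
SETROPTS GENERIC(STARTED)
RDEFINE STARTED OMVS.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP) TRUSTED(YES))
RDEFINE STARTED BPXOINIT.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP) TRUSTED(YES))
RDEFINE STARTED BPXAS.* STDATA(USER(OMVSKERN) TRUSTED(NO))
RDEFINE STARTED OMVSCOL1.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP) TRUSTED(NO))
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
"""
KERNEL_USER = "OMVSKERN"                      # kernel user ID from step 1
KERNEL_PROCS = ("OMVS", "BPXOINIT", "BPXAS")  # procedures from steps 2 to 4

def logical_lines(text):
    """Join TSO/E CLIST continuation lines (trailing '-' or '+') into one command each."""
    buf = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(("-", "+")):
            buf.append(line[:-1].rstrip())
        else:
            yield " ".join(buf + [line])
            buf = []

def parse_operands(s):
    """Parse "KW(a KW2(b)) FLAG" into [("KW", [...]), ("FLAG", None)]."""
    items, i = [], 0
    while i < len(s):
        if s[i].isspace():
            i += 1
        elif s[i] == "'":                         # quoted value: keep case, drop quotes
            j = s.index("'", i + 1)
            items.append((s[i + 1:j], None))
            i = j + 1
        else:
            j = i
            while j < len(s) and not s[j].isspace() and s[j] not in "()":
                j += 1
            name = s[i:j].upper()                  # keywords are case-insensitive
            if j < len(s) and s[j] == "(":
                depth, k = 1, j + 1
                while depth:                       # advance k past the matching ')'
                    depth += {"(": 1, ")": -1}.get(s[k], 0)
                    k += 1
                items.append((name, parse_operands(s[j + 1:k - 1])))
                i = k
            else:
                items.append((name, None))
                i = j
    return items

def children(items, name):  # operands nested inside the first KW(...) called name, [] if absent
    return next((c for n, c in items if n == name and c), [])

def value(items, name):  # first value inside KW(...), None when the keyword is absent
    return (children(items, name) or [(None,)])[0][0]

def audit(text, colonies=("OMVSCOL1",)):
    """Return the deviations from this topic; an empty list means the stream conforms."""
    cmds = [(verb.upper(), parse_operands(rest)) for verb, _, rest in
            (line.partition(" ") for line in logical_lines(text))]
    findings = []
    # Step 1: protected kernel user ID with UID(0), HOME('/') and PROGRAM('/bin/sh').
    kernel = next((ops for verb, ops in cmds
                   if verb == "ADDUSER" and ops and ops[0][0] == KERNEL_USER), None)
    if kernel is None:
        findings.append(f"ADDUSER {KERNEL_USER} not found")
    else:
        omvs = children(kernel, "OMVS")
        if ("NOPASSWORD", None) not in kernel:
            findings.append(f"{KERNEL_USER} is not protected (NOPASSWORD missing)")
        if value(omvs, "UID") != "0":
            findings.append(f"{KERNEL_USER} must have UID(0)")
        if value(omvs, "HOME") != "/" or value(omvs, "PROGRAM") != "/bin/sh":
            findings.append(f"{KERNEL_USER} should have HOME('/') and PROGRAM('/bin/sh')")
    # Steps 2 to 4 and 6: kernel and colony procedures run as the kernel user ID,
    # and only OMVS itself may carry the trusted attribute.
    started = {ops[1][0]: children(ops, "STDATA") for verb, ops in cmds
               if verb == "RDEFINE" and len(ops) > 1 and ops[0][0] == "STARTED"}
    for proc in KERNEL_PROCS + tuple(colonies):
        prof = proc + ".*"
        if prof not in started:
            findings.append(f"no STARTED profile for {prof}")
        elif value(started[prof], "USER") != KERNEL_USER:
            findings.append(f"{prof} does not run as {KERNEL_USER}")
        elif value(started[prof], "TRUSTED") == "YES" and proc != "OMVS":
            findings.append(f"{prof} is TRUSTED(YES); only OMVS may be trusted")
    # The profiles take effect only once the STARTED class is active and RACLISTed.
    setropts = [ops for verb, ops in cmds if verb == "SETROPTS"]
    if started and not all(any(("STARTED", None) in children(o, kw) for o in setropts)
                           for kw in ("CLASSACT", "RACLIST")):
        findings.append("SETROPTS CLASSACT(STARTED) RACLIST(STARTED) missing")
    return findings
```

Calling audit(SAMPLE) returns a single finding for BPXOINIT.*; passing the text of your own edited BPXISEC1 member, with the ASNAME values of your colony address spaces in colonies, checks the same rules against it. The script covers only the STARTED-class method, not ICHRIN03 entries, and it does not cover step 5, because whether the kernel needs data set profiles depends on whether OMVS was made trusted.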

When you are done, you have prepared RACF for z/OS UNIX.





Copyright IBM Corporation 1990, 2014