Before you begin: You need a z/OS system installed, and you should
know that z/OS UNIX supplies a SAMPLIB member, BPXISEC1. This sample
TSO/E CLIST contains all the RACF® commands
needed for the security setup. Use this sample member to set up your
security environment.
Perform the following steps to prepare RACF for z/OS UNIX.
- The OMVS cataloged procedure runs a program that initializes the
kernel. Issue ADDGROUP and ADDUSER commands to define the user ID
and group ID specified for OMVS. For example:
ADDGROUP OMVSGRP OMVS(GID(1))
ADDUSER OMVSKERN DFLTGRP(OMVSGRP)
OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))
NOPASSWORD
- When you create the RACF user
ID for OMVSKERN, use the NOPASSWORD option to create it as a protected
user ID. Protected user IDs cannot be used to log on to the system
or be revoked by incorrect password or passphrase attempts.
- Specify the RACF name for
the group: OMVSGRP in the example. Because the processes created by /usr/sbin/init inherit
the GID of BPXOINIT, do not permit OMVSGRP to any resources unless
programs you start from /etc/rc need to be permitted
to those resources. For more information, see Customizing /etc/rc.
In this example, the GID is 1. However, OMVSGRP can have
any group ID. The GID assigned to this group must be consistent
with the GID assigned to the basic files that are installed in the
root directory. ServerPac assumes that the default of GID(1) will
be used. If you want to change the GID value, you must also
change all files and directories in the entire z/OS® UNIX file
system that currently have GID(1) to the new GID value.
- The TSO/E segment is not needed because NOPASSWORD prevents
the OMVSKERN user ID from being used with TSO/E. This prevents a user
logon from interfering with the OMVSKERN user ID.
- Assign UID(0) to the kernel user ID (OMVSKERN). Any programs forked
by /etc/rc receive their authority from the user
ID assigned to the BPXOINIT process. Use the same user ID for BPXOINIT
as you assigned to the kernel (OMVS). The BPXOINIT process and any
programs forked by the kernel's descendants have superuser authority.
- Specify the home directory for the kernel: the root (/).
- To define the default shell for processes run with the OMVSKERN
user ID, specify:
PROGRAM('/bin/sh')
- The initialization process BPXOINIT controls the accounting information
for /usr/sbin/init, /etc/rc,
and any other programs it starts. If you want to tailor accounting
information for the kernel and startup processes, consider the following:
_______________________________________________________________
- Add the OMVS procedure either to the RACF STARTED class or to the RACF started procedures table, module ICHRIN03.
When deciding which method to use, keep in mind that the STARTED class
profiles are checked before ICHRIN03, and that any changes made to
ICHRIN03 do not take effect until the next IPL. The entry for the
OMVS cataloged procedure defines the user ID and group name that the
OMVS address space will be assigned.
- You must decide whether to mark OMVS (the kernel) trusted for
access. Making the kernel trusted is useful for giving the kernel
access to any local data set that it wants to mount. If you do not
mark the kernel trusted for local access, set up profiles so that
the kernel user ID has access to every local data set that it needs
to mount. For information about trusted attributes, read about associating
started procedures with user IDs in z/OS Security Server RACF System Programmer's Guide.
- Give the entry for the BPXOINIT started procedure the same identity
as OMVS. Do not mark BPXOINIT trusted.
- If you have decided to add OMVS as a trusted procedure, give the
kernel the trusted attribute. With the trusted attribute, the kernel
can work with the local data sets containing the file systems. Use
one of these methods:
- Add it to the RACF STARTED
class:
SETROPTS GENERIC(STARTED)
RDEFINE STARTED OMVS.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
TRUSTED(YES))
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
If you add
any other entries after this, issue SETROPTS RACLIST(STARTED)
REFRESH; they will be picked up on the next START. This
defines the OMVS address space (the kernel) to run under the user ID OMVSKERN, which
should be a protected (NOPASSWORD) user ID.
- Add the following entries to ICHRIN03.
DC CL8'OMVS' PROCEDURE NAME
DC CL8'OMVSKERN' USERID (ANY RACF-DEFINED USER ID)
DC CL8'OMVSGRP' GROUP NAME OR BLANKS FOR USER'S DEFAULT GROUP
DC XL1'40' TRUSTED ATTRIBUTE BIT
DC XL7'00' RESERVED
- If you have decided not to make OMVS trusted, add it with TRUSTED(NO)
using one of the following methods. (See step 5 for additional measures needed if the
kernel is not trusted.)
- Add it to the RACF STARTED
class:
SETROPTS GENERIC(STARTED)
RDEFINE STARTED OMVS.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
TRUSTED(NO))
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
If you add
any other entries after this, issue SETROPTS RACLIST(STARTED) REFRESH;
they will be picked up on the next START.
- Add it to ICHRIN03, as shown in the following example:
DC CL8'OMVS' PROCEDURE NAME
DC CL8'OMVSKERN' USERID (ANY RACF-DEFINED USER ID)
DC CL8'OMVSGRP' GROUP NAME OR BLANKS FOR USER'S DEFAULT GROUP
DC XL1'00' NOT TRUSTED
DC XL7'00' RESERVED
_______________________________________________________________
- Add the BPXOINIT procedure (it runs the initialization process)
without making it trusted, using either one of these methods:
- Add it to the RACF STARTED
class:
SETROPTS GENERIC(STARTED)
RDEFINE STARTED BPXOINIT.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
TRUSTED(NO))
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
- Add it to ICHRIN03:
DC CL8'BPXOINIT' PROCEDURE NAME
DC CL8'OMVSKERN' USERID (ANY RACF-DEFINED USER ID)
DC CL8'OMVSGRP' GROUP NAME OR BLANKS FOR USER'S DEFAULT GROUP
DC XL1'00' NOT TRUSTED
DC XL7'00' RESERVED
_______________________________________________________________
- Add the BPXAS procedure without making it trusted. (When programs
issue fork or spawn requests, the BPXAS procedure is used to provide
a new address space.) Use one of the following methods:
- Add it to the RACF STARTED
class:
SETROPTS GENERIC(STARTED)
RDEFINE STARTED BPXAS.* STDATA(USER(OMVSKERN)
TRUSTED(NO))
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
- Add it to ICHRIN03:
DC CL8'BPXAS' PROCEDURE NAME
DC CL8'OMVSKERN' USERID (ANY RACF-DEFINED USER ID)
DC CL8'OMVSGRP' GROUP NAME OR BLANKS FOR USER'S DEFAULT GROUP
DC XL1'00' NOT TRUSTED
DC XL7'00' RESERVED
_______________________________________________________________
- If you did not make the kernel address space trusted,
you need to give the kernel access to the local data sets in one of
two ways.
You will need to either fulfill the three following conditions:
or:
_______________________________________________________________
- If you are defining colony address spaces for a
physical file system (for example, for the NFS Client), set up the
security by adding an entry to the RACF STARTED
class or to the RACF started
procedures table for each colony address space. The procedure name
specified in the entry must match the ASNAME specified on the FILESYSTYPE
statement in the BPXPRMxx member. For example, if you specified the
following:
FILESYSTYPE TYPE(...) ENTRYPOINT(...) ASNAME(OMVSCOL1)
Then use one of
these methods to specify the procedure name:
- Add it to the RACF STARTED
class:
SETROPTS GENERIC(STARTED)
RDEFINE STARTED OMVSCOL1.* STDATA(USER(OMVSKERN) GROUP(OMVSGRP)
TRUSTED(NO))
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
- Add the following entry to ICHRIN03, to allow the colony address
space to be dubbed as a process with UID(0):
DC CL8'OMVSCOL1' PROCEDURE NAME
DC CL8'OMVSKERN' USERID
DC CL8'OMVSGRP' GROUP NAME
DC XL1'00' NOT TRUSTED
DC XL7'00' RESERVED
_______________________________________________________________
When you are done, you have prepared RACF for z/OS UNIX.
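The entries in steps 2 through 6 follow a few rules that are easy to break when typed by hand: OMVS, BPXOINIT, BPXAS and every colony address space run under the same protected identity, only OMVS may carry the trusted attribute, and every ASNAME on a FILESYSTYPE statement in BPXPRMxx needs its own entry. The following Python script is an added example (it is not IBM code and is not part of BPXISEC1) that extracts the colony ASNAMEs from a BPXPRMxx fragment, checks those rules, and emits the RDEFINE commands and ICHRIN03 entry lines in the form shown above, so you can review the generated definitions before issuing them. OMVSKERN and OMVSGRP are the example names from this page; the BPXPRMxx text is constructed for the example.

```python
"""Plan and sanity-check the RACF STARTED definitions for z/OS UNIX.

Added example, not IBM's code.  It encodes the rules stated in the procedure:
  * OMVS, BPXOINIT, BPXAS and every colony share one protected identity;
  * only OMVS may be TRUSTED(YES); BPXOINIT, BPXAS and colonies never are;
  * every ASNAME on a FILESYSTYPE statement needs its own STARTED entry.
"""
import re
from dataclasses import dataclass

KERNEL_PROC = "OMVS"
NEVER_TRUSTED = ("BPXOINIT", "BPXAS")

# Constructed BPXPRMxx fragment (not from a real system): two physical file
# systems run in colony address spaces, one runs inside the kernel.
SAMPLE_BPXPRM = """\
/* constructed sample for this example */
FILESYSTYPE TYPE(ZFS) ENTRYPOINT(IOEFSCM)           /* runs in the kernel */
FILESYSTYPE TYPE(NFS) ENTRYPOINT(GFSCINIT)
            ASNAME(OMVSCOL1)                        /* colony from the text */
FILESYSTYPE TYPE(TFS) ENTRYPOINT(BPXTFS)
            ASNAME(OMVSCOL2,'SUB=MSTR')             /* ASNAME with START parms */
ROOT FILESYSTEM('OMVS.ROOT') TYPE(ZFS) MODE(RDWR)
"""

# A FILESYSTYPE statement runs until the next top-level statement (simplified
# delimiter list; enough for the statements that appear in this example).
_FILESYSTYPE = re.compile(
    r"\bFILESYSTYPE\b(.*?)(?=\bFILESYSTYPE\b|\bSUBFILESYSTYPE\b|\bROOT\b|\bMOUNT\b|\bNETWORK\b|\Z)",
    re.S | re.I)
_ASNAME = re.compile(r"\bASNAME\(\s*([A-Z0-9@#$]{1,8})", re.I)


def colony_asnames(bpxprm_text):
    """Procedure names of every colony address space named in the fragment."""
    text = re.sub(r"/\*.*?\*/", " ", bpxprm_text, flags=re.S)   # drop comments
    names = []
    for stmt in _FILESYSTYPE.finditer(text):
        m = _ASNAME.search(stmt.group(1))
        if m:                                  # no ASNAME: PFS runs in the kernel
            names.append(m.group(1).upper())
    return names


@dataclass(frozen=True)
class StartedEntry:
    proc: str          # procedure name; STARTED profile is proc.* in the text
    user: str
    group: str
    trusted: bool


def plan_entries(kernel_trusted, colonies, user="OMVSKERN", group="OMVSGRP"):
    """Entries for the kernel, BPXOINIT, BPXAS and each colony, all one identity."""
    procs = [(KERNEL_PROC, kernel_trusted)]
    procs += [(p, False) for p in NEVER_TRUSTED]
    procs += [(c, False) for c in colonies]
    return [StartedEntry(p, user, group, t) for p, t in procs]


def check_entries(entries, colonies):
    """Return rule violations as strings; an empty list means the plan is sound."""
    by_proc = {e.proc: e for e in entries}
    problems = []
    kernel = by_proc.get(KERNEL_PROC)
    if kernel is None:
        problems.append("no STARTED entry for OMVS (the kernel)")
    for proc in (*NEVER_TRUSTED, *colonies):
        e = by_proc.get(proc)
        if e is None:
            problems.append(f"no STARTED entry for {proc}")
            continue
        if e.trusted:
            problems.append(f"{proc} must be defined TRUSTED(NO)")
        if kernel and (e.user, e.group) != (kernel.user, kernel.group):
            problems.append(f"{proc} runs as {e.user}/{e.group}, not the kernel "
                            f"identity {kernel.user}/{kernel.group}")
    return problems


def racf_commands(entries):
    """RDEFINE STARTED commands in the form used throughout the procedure."""
    cmds = ["SETROPTS GENERIC(STARTED)"]
    for e in entries:
        yn = "YES" if e.trusted else "NO"
        cmds.append(f"RDEFINE STARTED {e.proc}.* STDATA(USER({e.user}) "
                    f"GROUP({e.group}) TRUSTED({yn}))")
    cmds.append("SETROPTS CLASSACT(STARTED) RACLIST(STARTED)")
    return cmds


def ichrin03_entries(entries):
    """DC statements for the 32-byte ICHRIN03 entry layout shown in the text."""
    lines = []
    for e in entries:
        flag = "40" if e.trusted else "00"     # X'40' = trusted attribute bit
        lines += [f"         DC    CL8'{e.proc}'      PROCEDURE NAME",
                  f"         DC    CL8'{e.user}'      USERID",
                  f"         DC    CL8'{e.group}'     GROUP NAME",
                  f"         DC    XL1'{flag}'        {'TRUSTED' if e.trusted else 'NOT TRUSTED'}",
                  "         DC    XL7'00'            RESERVED"]
    return lines


if __name__ == "__main__":
    cols = colony_asnames(SAMPLE_BPXPRM)
    plan = plan_entries(kernel_trusted=False, colonies=cols)
    for problem in check_entries(plan, cols):
        print("PROBLEM:", problem)
    print("\n".join(racf_commands(plan)))
```

Run it against your real BPXPRMxx member before you issue the RDEFINE commands; the STARTED class is checked before ICHRIN03, so an entry that lands in the wrong place is found here rather than at the next IPL. Remember that the script only covers the STARTED and ICHRIN03 entries; the ADDGROUP and ADDUSER commands from step 1 and the data set access needed when the kernel is not trusted (step 5) are still yours to verify.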