Use the following procedure to authorize virtual machines to issue RACROUTE requests. This authorization applies to all RACROUTE requests that specify RELEASE=1.9 or any later release.
You should limit the number of virtual machines that are authorized to use the RACROUTE interface on VM. The performance of RACF/VM may be affected if many virtual machines are issuing RACROUTE requests to the RACF/VM service machine.
This section gives an outline of the actions. For more information about this topic, refer to External Security Interface (RACROUTE) - Macro Reference for MVS and VM.
See the RACF System Programmer's Guide for more information.
You must enable the CBDIODSP service machine for DIAGNOSE X‘88’ access. If RACF is being used to control DIAGNOSE X‘88’ access, enable DIAGNOSE X‘88’ access for CBDIODSP by completing the following steps:
Step 1. Enable RACF/VM profile protection for DIAGNOSE X‘88’:
RDEFINE VMCMD DIAG088 UACC(NONE)
SETROPTS CLASSACT(VMCMD)
Step 2. Give the CBDIODSP server permission to perform password validation using DMSPASS (which uses DIAGNOSE X‘88’ subcode 8):
PERMIT DIAG088 CLASS(VMCMD) ID(CBDIODSP) ACCESS(READ)
For more information, see the z/OS Security Server RACF Security Administrator's Guide.
See z/VM: CP Planning and Administration for more information.
PERMIT ICHCONN CLASS(FACILITY) ID(user-ID|group-ID) ACCESS(UPDATE)
Update access to profile ICHCONN allows the z/VM HCD TCP/IP dispatcher service machine to issue certain RACROUTE requests on VM.
/* RPIUCMS INIT */
If the APPL class for the security product is active, you can define a profile so that only certain users can log on to the HCD Dispatcher. Access to the HCD application is managed through profile CBDSERVE in the APPL class. Users who are allowed to use HCD need READ access to this profile. Sample definitions for user HCDUSER for RACF would look like:
RDEFINE APPL CBDSERVE UACC(NONE)
PERMIT CBDSERVE CLASS(APPL) ID(HCDUSER) ACCESS(READ)
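
The following is an added example, not IBM code: a small offline check that parses a file of RACF commands and reports where it departs from the definitions shown above (UACC(NONE) on DIAG088 and CBDSERVE, VMCMD activated, READ and UPDATE for the dispatcher, no additional IDs permitted to DIAG088 or ICHCONN). It assumes CBDIODSP is the ID used in the ICHCONN permit and that commands are written with unabbreviated keywords, one per line; the function names and the TESTVM1 ID are hypothetical.

```python
import re

# Expected state, taken from the commands on this page. Using CBDIODSP as the
# ID in the ICHCONN permit is an assumption (the page shows user-ID|group-ID).
EXPECTED_UACC = {("VMCMD", "DIAG088"): "NONE", ("APPL", "CBDSERVE"): "NONE"}
EXPECTED_PERMITS = {("VMCMD", "DIAG088", "CBDIODSP"): "READ",
                    ("FACILITY", "ICHCONN", "CBDIODSP"): "UPDATE"}
EXPECTED_ACTIVE = {"VMCMD"}

def operands(keyword, line):
    """Return the operands of KEYWORD(...) in upper case, or [] if absent."""
    m = re.search(rf"\b{keyword}\(([^)]*)\)", line, re.I)
    return [w for w in re.split(r"[,\s]+", m.group(1).upper()) if w] if m else []

def audit(script):
    """Parse RDEFINE/PERMIT/SETROPTS lines; return findings as a sorted list."""
    uacc, permits, active, findings = {}, {}, set(), []
    for line in script.splitlines():
        words = line.upper().split()
        if len(words) >= 3 and words[0] == "RDEFINE":
            uacc[(words[1], words[2])] = (operands("UACC", line) or ["unspecified"])[0]
        elif len(words) >= 2 and words[0] == "PERMIT":
            cls = (operands("CLASS", line) or ["DATASET"])[0]  # RACF default class
            acc = (operands("ACCESS", line) or ["unspecified"])[0]
            for uid in operands("ID", line):
                permits[(cls, words[1], uid)] = acc
        elif words and words[0] == "SETROPTS":
            active.update(operands("CLASSACT", line))
    for (cls, prof), want in EXPECTED_UACC.items():
        if (got := uacc.get((cls, prof), "not defined")) != want:
            findings.append(f"{cls} {prof}: UACC is {got}, expected {want}")
    for (cls, prof, uid), want in EXPECTED_PERMITS.items():
        if (got := permits.get((cls, prof, uid), "not granted")) != want:
            findings.append(f"{cls} {prof}: {uid} access is {got}, expected {want}")
    # The page advises keeping RACROUTE-authorized machines few: report extras.
    guarded = {(c, p) for c, p, _ in EXPECTED_PERMITS}
    for (cls, prof, uid), acc in permits.items():
        if (cls, prof) in guarded and (cls, prof, uid) not in EXPECTED_PERMITS:
            findings.append(f"{cls} {prof}: unexpected grant to {uid} ({acc})")
    for cls in EXPECTED_ACTIVE - active:
        findings.append(f"class {cls} not activated by SETROPTS CLASSACT")
    return sorted(findings)

# Constructed sample input, not taken from a real system.
SAMPLE = """RDEFINE VMCMD DIAG088 UACC(READ)
PERMIT DIAG088 CLASS(VMCMD) ID(CBDIODSP) ACCESS(READ)
PERMIT ICHCONN CLASS(FACILITY) ID(CBDIODSP TESTVM1) ACCESS(UPDATE)
RDEFINE APPL CBDSERVE UACC(NONE)"""

print("\n".join(audit(SAMPLE)) or "no findings")
```
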