Setting up security with RACF/VM

Use the following procedure to authorize virtual machines to issue RACROUTE requests. This authorization applies to all RACROUTE requests that specify RELEASE=1.9 or any later release.

You should limit the number of virtual machines that are authorized to use the RACROUTE interface on VM. The performance of RACF/VM may be affected if many virtual machines are issuing RACROUTE requests to the RACF/VM service machine.

This section gives an outline of the actions. For more information about this topic, refer to External Security Interface (RACROUTE) - Macro Reference for MVS and VM.

  1. Identify the RACF/VM service machine to which RACROUTE requests will be sent. Make sure the dispatcher virtual machine has access to the RACF SERVMACH file.

    See the RACF System Programmer's Guide for more information.

  2. Enable HCD/HCM to access DIAGNOSE X'88':

    You must enable the CBDIODSP service machine for DIAGNOSE X'88' access. If RACF is being used to control DIAGNOSE X'88' access, enable DIAGNOSE X'88' access for CBDIODSP by completing the following steps:

    Step 1. Enable RACF/VM profile protection for DIAGNOSE X'88':

    1. Confirm that there are no members called DIAG088/NOCTL in the active VMXEVENT profile.
    2. Create a profile called DIAG088 in the VMCMD class with a default access of NONE:
      RDEFINE VMCMD DIAG088 UACC(NONE)
    3. Ensure that the VMCMD class is active:
      SETROPTS CLASSACT(VMCMD)
    Note: If you do not enable RACF profile protection, the CBDIODSP server must be defined with OPTION DIAG88 in its directory entry.

    Step 2. Give the CBDIODSP server permission to perform password validation using DMSPASS (which uses DIAGNOSE X'88' subcode 8):

    PERMIT DIAG088 CLASS(VMCMD) ID(CBDIODSP) ACCESS(READ)

    For more information, see the z/OS Security Server RACF Security Administrator's Guide.

  3. Make sure the z/VM HCD TCP/IP dispatcher virtual machine has IUCV authorization by performing one of these two steps:
    • Update the RACF/VM service machine's CP directory entry by adding IUCV ALLOW to provide global IUCV authorization, so that any user in the system can connect to the RACF/VM service machine.
    • To give IUCV authorization to a single user, update the RACROUTE issuer's CP directory entry (for example, the default CBDIODSP z/VM HCD TCP/IP dispatcher) by adding an IUCV statement that specifies the RACF/VM service machine with which the RACROUTE issuer will be communicating, for example: IUCV RACFVM PRIORITY MSGLIMIT 255.

    See z/VM: CP Planning and Administration for more information.

  4. RACF-authorize a connection to the RACF/VM service machine with the following substeps:
    • Log on with a user ID having the system-SPECIAL attribute.
    • Create a profile named ICHCONN in the FACILITY class: RDEFINE FACILITY ICHCONN UACC(NONE).
    • Give UPDATE access authority to appropriate dispatcher service machines:
      PERMIT ICHCONN CLASS(FACILITY) ID(user-ID|group-ID) ACCESS(UPDATE)
      Update access to profile ICHCONN allows the z/VM HCD TCP/IP dispatcher service machine to issue certain RACROUTE requests on VM.
    • Activate the FACILITY class (if this class is not already active): SETROPTS CLASSACT(FACILITY).
  5. In your PROFILE EXEC (see How to set up required files), initialize the connection to the RACF/VM virtual machine by removing the comment characters in the following line:
    /* RPIUCMS INIT */
  6. To access the HCD services remotely on z/VM, a user needs to log on to the HCD dispatcher. The logon is done with a user ID and password as defined to the external security manager, for example, IBM Security Server RACF. The user must have the same access rights as for using HCD directly in the operating system.

    If the APPL class for the security product is active, a profile can be defined to allow only certain users to log on to the HCD Dispatcher. You can manage access to the HCD application by profile CBDSERVE in the APPL class. Users who are allowed to use HCD need READ access to this profile. Sample definitions for user HCDUSER for RACF would look like:

    RDEFINE APPL CBDSERVE UACC(NONE)
    PERMIT CBDSERVE CLASS(APPL) ID(HCDUSER) ACCESS(READ)
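
    The RACF commands from steps 2, 4 and 6 above, collected into a single CMS REXX exec that issues them in order, stops at the first non-zero return code, and then lists the resulting access lists so the least-privilege intent can be checked. This is an added example, not part of the IBM documentation. It assumes the RACF/VM RAC command is available to the user ID running it and that the user ID holds the system-SPECIAL attribute; CBDIODSP and HCDUSER are the IDs used on this page and should be changed to match your installation. The VMXEVENT check in Step 1 (no DIAG088/NOCTL members) and the IUCV directory update in step 3 are not automated here.

```rexx
/* Added example (not from the IBM documentation): issue the RACF commands
   from steps 2, 4 and 6 in order and stop at the first failure.
   Assumes the RACF/VM "RAC" command is available to this user ID and that
   the user ID has system-SPECIAL. CBDIODSP and HCDUSER are the IDs used on
   the page; change them to match your installation.                      */

dispatcher = 'CBDIODSP'     /* z/VM HCD TCP/IP dispatcher service machine */
hcduser    = 'HCDUSER'      /* sample user allowed to log on to HCD        */

/* Step 2: protect DIAGNOSE X'88' and grant only the dispatcher READ access.
   Step 4: protect the RACROUTE connection (ICHCONN) and grant the
           dispatcher UPDATE access.
   Step 6: protect the HCD application (CBDSERVE) and grant one user READ. */
cmds.0 = 8
cmds.1 = 'RDEFINE VMCMD DIAG088 UACC(NONE)'
cmds.2 = 'SETROPTS CLASSACT(VMCMD)'
cmds.3 = 'PERMIT DIAG088 CLASS(VMCMD) ID('dispatcher') ACCESS(READ)'
cmds.4 = 'RDEFINE FACILITY ICHCONN UACC(NONE)'
cmds.5 = 'PERMIT ICHCONN CLASS(FACILITY) ID('dispatcher') ACCESS(UPDATE)'
cmds.6 = 'SETROPTS CLASSACT(FACILITY)'
cmds.7 = 'RDEFINE APPL CBDSERVE UACC(NONE)'
cmds.8 = 'PERMIT CBDSERVE CLASS(APPL) ID('hcduser') ACCESS(READ)'

do i = 1 to cmds.0
  say 'Issuing:' cmds.i
  address command 'RAC' cmds.i
  if rc <> 0 then do
    say 'RACF command failed with RC' rc'; stopping.'
    exit rc
  end
end

/* Verification: RLIST with AUTHUSER shows every user and group on each
   access list, so anything beyond the dispatcher and the HCD user stands out */
address command 'RAC RLIST VMCMD DIAG088 AUTHUSER'
address command 'RAC RLIST FACILITY ICHCONN AUTHUSER'
address command 'RAC RLIST APPL CBDSERVE AUTHUSER'
exit 0
```

    The exec is deliberately not idempotent: RDEFINE of a profile that already exists is reported as an error, so on a rerun remove the RDEFINE entries that have already succeeded rather than loosening the check. Keep the access lists as short as the page advises; the RLIST output at the end is the place to confirm that only the dispatcher holds ICHCONN UPDATE and DIAG088 READ.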