Before you can start Telnet, you must define security for
a user ID and associate it with the Telnet procedure name. These steps
use RACF® as the example security
subsystem. If you are using another security product, see the documentation
for that product to determine the appropriate procedure.
Before you begin
- You need to know the name of the Telnet procedure that you are
using.
- Ensure that the MAXSOCKETS value is large enough to support the
anticipated number of sockets that will be used by the system. If
your system is IPv6 enabled, Telnet listening sockets are IPv6; set
the IPv6 MAXSOCKETS value appropriately.
- Ensure that the file descriptor limit for a process is large enough
to support the anticipated number of sockets that will be used by
Telnet. If your system MAXFILEPROC limit is adequate, you do not need
to make a change. If you need a larger limit, you can configure a
higher limit for Telnet using the FILEPROCMAX attribute in the OMVS
SAF options for the Telnet user ID. If the Telnet user ID is a superuser
ID or has READ access to the BPX.SUPERUSER resource, Telnet will dynamically
increase its file descriptor limit to the maximum allowed by z/OS® UNIX System
Services, currently 524,287. For more information about MAXFILEPROC,
see z/OS UNIX System Services Planning.
Procedure
Perform the following steps to define security for a
user ID and to associate it with the procedure name.
- Use an existing user ID or create a new user ID:
- Define a user ID with a nonzero UID value and do not permit it
to the BPX.SUPERUSER resource. You will see message EZZ6049I tnproc NON-ZERO
OMVS UID IN EFFECT, indicating that you associated Telnet
to a user ID that does not have superuser authority. The number of
connections allowed on a single port will be the MAXFILEPROC value.
The number of connections can be overridden on the ALTUSER command
with the FILEPROCMAX option. For example, you can allow 150,000 connections
using the following command:
ALTUSER TN3270E DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(23) FILEPROCMAX(150000) HOME('/'))
If connection failures occur (EZZ6012I tnproc BPX1AIO ACCEPT FAILED, RC = 0000007C
RSN = 050B0146) followed by a port quiesce (EZZ6003I tnproc QUIESCED ON PORT 23),
the MAXFILEPROC value has been reached.
Tip: If your MAXFILEPROC value is less than your expected number
of Telnet connections on a single port, you should use superuser authority
or the FILEPROCMAX option on the RACF ALTUSER
command. The FILEPROCMAX value will override the MAXFILEPROC value
for processes associated with the user ID. If you do not use the FILEPROCMAX
option and you do not give the associated user ID superuser authority
by permitting the user ID to the BPX.SUPERUSER resource, Telnet is
not able to increase the MAXFILEPROC value on the listener socket
and will support the number of connections specified by the MAXFILEPROC
value instead of the OMVS maximum.
- Permit a user ID with a nonzero UID value to the BPX.SUPERUSER
resource in the FACILITY class:
- Add the user to RACF:
ADDUSER TN3270E
- Permit the user ID:
- Create a BPX.SUPERUSER FACILITY class profile:
RDEFINE FACILITY BPX.SUPERUSER
- If this is the first class profile, activate the FACILITY class:
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY)
- Permit the user to the class:
ALTUSER TN3270E DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(23) HOME('/'))
PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(TN3270E) ACCESS(READ)
In this example, the user ID is TN3270E and the UID is 23. The UID can be any
nonzero number. UID 23 was used to match the well-known Telnet port number.
- Refresh the FACILITY class:
SETROPTS RACLIST(FACILITY) REFRESH
This example uses TN3270E for the user ID, but you can use
any name.
Tip: You can combine the ADDUSER and ALTUSER
commands into one command by putting the OMVS parameter on the ADDUSER
command line. The ADDUSER and ALTUSER commands are performed separately
in case the user ID already exists. Even if the ADDUSER command fails,
the ALTUSER command is successful.
- Use an existing superuser ID to associate with the job name.
- Define a superuser ID to associate with the job name.
To define a superuser ID, add a user ID to RACF and alter it to superuser status:
ADDUSER TN3270E
ALTUSER TN3270E DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0) HOME('/'))
Sample statements for defining a superuser ID are in SEZAINST(EZARACF). For more
information, see z/OS UNIX System Services Planning, z/OS Security Server RACF
Security Administrator's Guide, and z/OS Security Server RACF Command Language
Reference.
- Add the procedure name to the RACF STARTED class and associate the user ID
from step 1 with the name. For example, code the following
statements:
RDEFINE STARTED TELNET*.* STDATA(USER(TN3270E))
SETROPTS RACLIST(STARTED) REFRESH
Sample statements for adding the procedure to the STARTED class are in
SEZAINST(EZARACF). For more information, see z/OS UNIX System Services Planning,
z/OS Security Server RACF Security Administrator's Guide, and z/OS Security Server
RACF Command Language Reference.
- If you are using secure Telnet connections, make sure that
the user ID that runs Telnet has access to the SSL key ring and certificates. Take one of the following actions:
- If you are using hardware encryption, ensure that the Telnet
user ID has read access to the RACF CSFSERV
class resources. For details, see Encryption algorithms.
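The following Python is an added example, not part of the IBM documentation: it works out which descriptor limit a Telnet listener actually runs with, using the superuser / FILEPROCMAX / MAXFILEPROC rules from step 1, and scans console lines for the EZZ6012I accept failure followed by an EZZ6003I quiesce that the page says means the limit was reached. The procedure names TELNET and TELNET2, port 992 and the log lines are constructed for illustration.

```python
import re

ZOS_UNIX_MAX_FDS = 524_287  # maximum z/OS UNIX System Services allows, per the page

def effective_fd_limit(maxfileproc, fileprocmax=None, superuser=False):
    """Descriptor limit the Telnet listener actually runs with.
    superuser (UID 0 or READ on BPX.SUPERUSER): Telnet raises itself to the z/OS UNIX maximum.
    fileprocmax: FILEPROCMAX in the OMVS segment overrides the system MAXFILEPROC.
    otherwise: MAXFILEPROC caps the connections on a single port."""
    if superuser:
        return ZOS_UNIX_MAX_FDS
    if fileprocmax is not None:
        return fileprocmax
    return maxfileproc

# Messages quoted on the page; group 1 is the procedure name (tnproc).
NONZERO_UID = re.compile(r"EZZ6049I\s+(\S+)\s+NON-ZERO OMVS UID IN EFFECT")
ACCEPT_FAILED = re.compile(
    r"EZZ6012I\s+(\S+)\s+BPX1AIO\s+ACCEPT\s+FAILED,\s*RC\s*=\s*0000007C\s+RSN\s*=\s*050B0146")
QUIESCED = re.compile(r"EZZ6003I\s+(\S+)\s+QUIESCED\s+ON\s+PORT\s+(\d+)")

def nonzero_uid_procs(lines):
    """Procedures running without superuser authority, so MAXFILEPROC/FILEPROCMAX applies."""
    return [m.group(1) for m in map(NONZERO_UID.search, lines) if m]

def find_fd_exhaustion(lines):
    """(tnproc, port) pairs where an EZZ6012I accept failure with RC 7C / RSN 050B0146 is
    followed by an EZZ6003I quiesce of the same procedure: the descriptor limit was reached."""
    pending, hits = set(), []
    for line in lines:
        m = ACCEPT_FAILED.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = QUIESCED.search(line)
        if m and m.group(1) in pending:
            hits.append((m.group(1), int(m.group(2))))
            pending.discard(m.group(1))
    return hits

# Constructed sample console lines, not captured from a real system.
SAMPLE_LOG = [
    "EZZ6049I TELNET NON-ZERO OMVS UID IN EFFECT",
    "EZZ6012I TELNET BPX1AIO ACCEPT FAILED, RC = 0000007C RSN = 050B0146",
    "EZZ6003I TELNET QUIESCED ON PORT 23",
    "EZZ6003I TELNET2 QUIESCED ON PORT 992",  # quiesce without a prior accept failure
]
```

A quiesce that is not preceded by the accept failure (TELNET2 above) is deliberately not reported, since the page ties the MAXFILEPROC diagnosis to that specific sequence.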
Results
You know you are done when you can start Telnet without receiving
errors.
If your job ends abnormally with system completion code
EC6 and a register 15 value of 0F01C008, you did not associate a valid
user ID with the started job name.