z/OS TSO/E Customization


Activating base TSO/E functions

SA32-0976-00

To activate specific functions of base TSO/E, perform the following:
  • If you have not already done so, add the subcommands of the TSO/E TEST command (AND, OR, LISTVSR, and UNALLOC) to the SMF CSECT IEEMB846. If the subcommands are not in IEEMB846, they are recorded as *OTHER on Type 32 SMF records. See for the SMF record format.
  • If your installation plans to record CONSOLE subcommands, add the subcommands to the SMF CSECT IEEMB846. If the subcommands are not in IEEMB846, they are recorded as *OTHER on Type 32 SMF records. For information about SMF record format, see .
  • Reinstall your installation's versions of TSO/E exit routines that were deleted or replaced when you installed TSO/E. See Considerations for installing TSO/E for information about the exit routines that are deleted or replaced when you install TSO/E.
  • For the TESTAUTH, TESTA, and MVSSERV commands to work under ISPF, you must update the ISPF command table, ISPTCM. For information about updating the table, see .
  • To use security labels to protect system resources, do the following:
    • Use RACF® to define security labels and to activate security label checking.
    • Define all TSO/E users through RACF and specify a security label (SECLABEL) for each user's user ID. Each user may have a TSO segment created within that user's RACF profile.
    Note: If you want to use security labels, do not activate the Information Center Facility. The Information Center Facility does not support the security enhancements.
  • If your installation plans to use the RACF resource classes JESJOBS and JESSPOOL, you should reinstall the OUTPUT/CANCEL/STATUS sample exit, IKJEFF53, supplied in SYS1.SAMPLIB. For more information about the sample exit, see Customizing the SUBMIT command and job output processing.
  • To protect the security classification of messages, do the following:
    • Change the SEND PARMLIB parameter by editing the IKJTSOxx member of SYS1.PARMLIB (where xx is a member name suffix) to:
      • Set the LOGNAME operand to the high-level qualifiers for the user log data set name, which must be other than SYS1.BRODCAST or *.
      • Set the MSGPROTECT operand to ON so that the logname.userid user log is protected and the message can be viewed only if the user is logged on with the proper security label. With this setting, the user log data set naming convention is logname.userid and the sender's security label is associated with the message.
      • Set the USEBROD operand to OFF so that messages are not stored in the broadcast data set. Instead, they are stored in the logname.userid user log. Users can view their logname.userid user log only by using the TSO/E LISTBC command or by logging on.

      For more information about the USEBROD and MSGPROTECT operands, see Customizing how users send and retrieve messages.

  • During IPL, the IKJTSO00 member is read. Edit the IKJTSO00 member so that security protection is automatically activated at each IPL.

    If you do not update IKJTSO00, you need to issue the dynamic PARMLIB command using the UPDATE operand and specify the suffix of the member (xx) you have edited. You must have UPDATE authority to the RACF security resource class, TSOAUTH, to issue the dynamic PARMLIB command.

  • If you are using security labels, create a generic profile for logname.* (user-log data-set name) with a universal access of NONE, and specify SYSHIGH for the SECLABEL to protect each user's individual user log, which contains protected messages. Creating this generic profile prevents other users from viewing the contents of the user's user log and defines the user log as system-high because it may contain any level of information.
  • Define the broadcast data set to RACF with UACC(READ) and SECLABEL(SYSLOW). This allows system notices to be stored in and retrieved from the broadcast data set.
  • To control the use of the TSO/E SEND and LISTBC commands when using the security enhancements, see .
  • To control and audit the use of the TSO/E SEND command, define the RACF security resource class, SMESSAGE, for your users. For more information about using SMESSAGE to control the use of the TSO/E SEND command, see .
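
As an added example (not IBM's code and not part of the original page), the following Python script audits an offline copy of an IKJTSOxx member against the three SEND settings in the message-protection step above. The sample members, the TSOLOG qualifier, and the simplified handling of comments and continuation lines are assumptions of the example.

```python
import re

# Constructed sample SEND statements (not from the IBM page); TSOLOG is a
# made-up qualifier. Operand layout follows the usual IKJTSOxx form.
WEAK = """\
SEND                        /* SEND command defaults */ +
  OPERSEND(ON) USERSEND(ON) SAVE(ON)                    +
  LOGNAME(*) USEBROD(ON) MSGPROTECT(OFF)
"""
HARDENED = """\
SEND                        /* protected user logs */   +
  OPERSEND(ON) USERSEND(ON) SAVE(ON)                    +
  LOGNAME(TSOLOG) USEBROD(OFF) MSGPROTECT(ON)
"""

def send_operands(member):
    """Return the SEND statement's operands as {NAME: VALUE}, upper-cased."""
    text = re.sub(r"/\*.*?\*/", " ", member, flags=re.S)  # strip /* */ comments
    statements, current = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line[-1] in "+-":            # trailing + or - continues the statement
            current += " " + line[:-1]
        else:
            statements.append(current + " " + line)
            current = ""
    statements.append(current)          # continuation left open at end of member
    for stmt in statements:
        if stmt.upper().split()[:1] == ["SEND"]:
            return {k.upper(): v.strip().upper()
                    for k, v in re.findall(r"(\w+)\(([^()]*)\)", stmt)}
    return {}

def audit_send(member):
    """List deviations from the message-protection settings described above."""
    ops = send_operands(member)
    findings = []
    # An absent operand is reported too (assumption: each must be set explicitly).
    if ops.get("LOGNAME", "*") in ("", "*", "SYS1.BRODCAST"):
        findings.append("LOGNAME must be a qualifier other than SYS1.BRODCAST or *")
    if ops.get("MSGPROTECT") != "ON":
        findings.append("MSGPROTECT is not ON: user logs are not label-protected")
    if ops.get("USEBROD") != "OFF":
        findings.append("USEBROD is not OFF: messages go to the broadcast data set")
    return findings

if __name__ == "__main__":
    for name, member in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_send(member) or "no findings")
```
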





Copyright IBM Corporation 1990, 2014