Updating your system for the z/OS console REST interface
z/OSMF requires that a default TSO logon procedure be included in your configuration. The procedure is used internally by the z/OS® console REST interface, and z/OSMF users must be authorized to it.
For your planning purposes, this topic describes the configuration settings and security setup that are required for the logon procedure during the configuration process. As described in Installing the z/OSMF cataloged procedures, IBM supplies a default procedure named IZUFPROC, which should be sufficient for use at most installations.
Specifying the z/OS console REST interface properties during configuration
The topic Optionally creating a IZUPRMxx parmlib member describes the options for configuring z/OSMF. Included are options for the TSO logon procedure that is used by the z/OS console REST interface. Your installation can customize the options for the logon procedure by using the COMMON_TSO statement in the IZUPRMxx parmlib member.
The configuration process supplies default values; you can accept the defaults or specify alternative values for your installation in the IZUPRMxx parmlib member. You can specify the TSO logon procedure name, along with a corresponding TSO account number and address space region size.
It is recommended that you accept the defaults, which should be adequate for most z/OS installations. If you specify alternative values, you must ensure that the z/OSMF users and z/OSMF administrators security groups are authorized to the logon procedure name and account number that you specify. Also, ensure that the address space region size is at least 50000 (kilobytes) and that this setting is acceptable in your environment, to avoid a possible system memory exception error.
All z/OSMF users must have a TSO segment defined in your installation’s security database. Failure to have a TSO segment causes some z/OSMF functions not to work.
Authorizing users to the z/OS console REST interface
- Defining the TSO logon procedure and the associated account number to the TSOPROC and ACCTNUM classes, respectively.
- Authorizing z/OSMF users to the TSO logon procedure and account number.
- Authorizing z/OSMF users and the z/OSMF server to CEA TSO/E address space services.
Resource class | Resource name | Who needs access? | Type of access required | Why |
---|---|---|---|---|
ACCTNUM | IZUACCT | IZUADMIN IZUUSER | READ | Allows callers to access the account number that is used for the procedure for the z/OS console REST interface services. |
SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUADMIN IZUUSER | READ | Allows callers to access the CEA TSO/E address space services. This setting allows HTTP client applications on your z/OS system to start and manage TSO/E address spaces. |
SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUSVR | READ | Allows the z/OSMF server to access the CEA TSO/E address space services. This setting allows the z/OSMF server to start and manage TSO/E address space services. |
TSOPROC | IZUFPROC | IZUADMIN IZUUSER | READ | Allows callers to access the procedure for the z/OS console REST interface services. |
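
The table above expressed as security commands, with a verification step. This is an added example, not taken from the original topic or from IBM's sample jobs. It assumes RACF is the security product, that the TSOPROC, ACCTNUM and SERVAUTH classes are active, that the profiles are not already defined, and that a default of UACC(NONE) is wanted; `userid` is a placeholder for each z/OSMF user.

```tso
/* Added example: least-privilege definitions for the default      */
/* logon procedure. Assumes RACF; resource names and IDs are the   */
/* defaults from the table. UACC(NONE) is an assumption, chosen so */
/* that only the listed IDs get access.                            */

/* Define the logon procedure and account number */
RDEFINE TSOPROC IZUFPROC UACC(NONE)
RDEFINE ACCTNUM IZUACCT UACC(NONE)

/* Authorize the z/OSMF administrators and users groups */
PERMIT IZUFPROC CLASS(TSOPROC) ID(IZUADMIN IZUUSER) ACCESS(READ)
PERMIT IZUACCT CLASS(ACCTNUM) ID(IZUADMIN IZUUSER) ACCESS(READ)

/* CEA TSO/E address space services: callers and the server */
RDEFINE SERVAUTH CEA.CEATSO.TSOREQUEST UACC(NONE)
PERMIT CEA.CEATSO.TSOREQUEST CLASS(SERVAUTH) ID(IZUADMIN IZUUSER) ACCESS(READ)
PERMIT CEA.CEATSO.TSOREQUEST CLASS(SERVAUTH) ID(IZUSVR) ACCESS(READ)

/* Refresh in-storage profiles for classes that are RACLISTed */
SETROPTS RACLIST(TSOPROC ACCTNUM SERVAUTH) REFRESH

/* Verify: each access list should show only the IDs above, READ */
RLIST TSOPROC IZUFPROC AUTHUSER
RLIST ACCTNUM IZUACCT AUTHUSER
RLIST SERVAUTH CEA.CEATSO.TSOREQUEST AUTHUSER

/* Verify that a z/OSMF user has a TSO segment (placeholder ID) */
LISTUSER userid TSO NORACF
```

If you specified an alternative procedure name or account number in the IZUPRMxx parmlib member, substitute those names for IZUFPROC and IZUACCT.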