You can change the user ID under which an integration server
runs so that it can access resources according to the permissions
assigned to it, rather than the permissions assigned to the main integration
node user ID.
Before you begin
Before starting this task, read the following topics:
About this task
Complete the following steps to specify an alternative
user ID for the integration server, to be used instead of the integration
node's user ID:
Procedure
- Create the new RACF® started
task profile with a new user ID, which will be used to run the integration
server.
Consider the following points when you are creating
the new started task:
- The new started task must be created with an OMVS segment including
a unique UID, home directory, and the ability to create data sets
under the integration node's HLQ and alias.
- The started task procedure name to be used for the integration
server address space must start with the same four characters
as the main integration node started task. For example, if
the main integration node started task is IB01NODE, the started task
name for the integration server could be IB01EG1 but not IB02EG2.
As a result, consistency is maintained between the main integration
node started task, the integration server, and the queue manager,
which helps to identify the relationship between them. If the first
four characters are not the same, the integration server is started
using the main integration node started task JCL.
- Ensure that the new user ID associated with the new started
task JCL has the same RACF primary
group as the existing integration node user ID, so that they can access
shared resources. Also ensure that the new user ID has the required
privileges to the existing integration node filesystem and dataset
(which it should have through the primary group access).
- Ensure that the MQ and SMF authorizations are updated for
the new user ID; for more information, see Summary of required access (z/OS).
- Copy the existing integration node started task JCL to
the new started task JCL in the PROCLIB.
- Ensure that the main integration node user ID has been
granted permission to the SUPERUSER.PROCESS.KILL RACF profile. This permission is required so
that the main control address space can recover any existing integration
server address spaces in the event of a failure.
- Refresh the started RACF classes
to implement the updates.
- Change the user ID by adding the appropriate environment
variable to the integration node's profile.
- The integration server name specified in the environment variable
is the last 8 characters of the integration server, after any overrides
have been applied. This is the same 8-character name that is displayed
as the STEPNAME against the integration server address space in SDSF.
- Ensure that the integration server name contains only characters
that are valid in the environment variable. If invalid characters
are used, the user ID cannot be overridden.
- If you specify more than one environment variable, they are read
in the following order (with MQSI_STARTEDTASK_FIXED_integrationServerName taking precedence):
- MQSI_STARTEDTASK_FIXED_integrationServerName
- MQSI_STARTEDTASK_MULTI_integrationServerName
- MQSI_STARTEDTASK_DEFAULT
where integrationServerName is the name of your integration server. For example:
export MQSI_STARTEDTASK_FIXED_DEFAULT=IB01EG1
changes any integration server which has the last 8 characters equal to DEFAULT
to started task IB01EG1.
export MQSI_STARTEDTASK_MULTI_TEST=IB01EG2
changes any integration server which has the last 8 characters starting with TEST
to started task IB01EG2.
export MQSI_STARTEDTASK_DEFAULT=IB01EG3
changes all integration servers which are not overridden by
MQSI_STARTEDTASK_FIXED_integrationServerName or
MQSI_STARTEDTASK_MULTI_integrationServerName to started task IB01EG3.
- Submit BIPGEN to the integration node's ENVFILE.
- Restart the integration node.
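The following pre-restart check is an added example, not IBM code: it models the lookup order and the four-character rule described above, so you can see which integration servers would still run under the main integration node started task. The function name, the set of valid characters, and the longest-prefix tie-break for MULTI variables are assumptions; the sample profile is constructed from the values used on this page.

```python
import re

PREFIX = "MQSI_STARTEDTASK_"
MULTI = PREFIX + "MULTI_"
# Assumption: "valid" means characters allowed in a shell variable name.
VALID = re.compile(r"[A-Za-z0-9_]+")

def resolve_started_task(server_name, env, node_task):
    """Return (started_task, reason) for one integration server."""
    step = server_name[-8:]  # the 8-character name shown as STEPNAME in SDSF
    if not VALID.fullmatch(step):
        # Per the page: with invalid characters the user ID cannot be overridden.
        return node_task, "invalid characters in name"
    choice, source = env.get(PREFIX + "FIXED_" + step), "FIXED"
    if choice is None:
        hits = [k for k in env if k.startswith(MULTI) and len(k) > len(MULTI)
                and step.startswith(k[len(MULTI):])]
        if hits:
            # Assumption: if several MULTI prefixes match, the longest wins.
            choice, source = env[max(hits, key=len)], "MULTI"
    if choice is None:
        choice, source = env.get(PREFIX + "DEFAULT"), "DEFAULT"
    if choice is None:
        return node_task, "no override variable set"
    if choice[:4] != node_task[:4]:
        # First four characters differ: the node's own started task JCL is used,
        # so the server keeps the node user ID's permissions.
        return node_task, source + " value ignored: prefix mismatch"
    return choice, source

# Constructed sample profile, using the values from the examples above.
PROFILE = {
    "MQSI_STARTEDTASK_FIXED_DEFAULT": "IB01EG1",
    "MQSI_STARTEDTASK_MULTI_TEST": "IB01EG2",
    "MQSI_STARTEDTASK_DEFAULT": "IB01EG3",
}

if __name__ == "__main__":
    for name in ("DEFAULT", "TESTFLOW", "LONGSERVERTEST01", "MY-SRV"):
        print(name, resolve_started_task(name, PROFILE, "IB01NODE"))
```

Any server that resolves to the node's started task is not isolated from the node user ID's permissions, so review those results before restarting.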