Specifying an alternative user ID to run an integration server on z/OS

You can change the user ID under which an integration server runs so that it can access resources according to the permissions assigned to it, rather than the permissions assigned to the main integration node user ID.

1. Create the new RACF® started task profile with a new user ID, which will be used to run the integration server.
   Consider the following points when you are creating the new started task:

   • The new started task must be created with an OMVS segment including a unique UID, home directory, and the ability to create data sets under the integration node's HLQ and alias.
   • The started task procedure name to be used for the integration server address space must start with the same four characters as the main integration node started task. For example, if the main integration node started task is IB01NODE, the started task name for the integration server could be IB01EG1 but not IB02EG2. As a result, consistency is maintained between the main integration node started task, the integration server, and the queue manager, which helps to identify the relationship between them. If the first four characters are not the same, the integration server is started using the main integration node started task JCL.
2. Ensure that the new user ID associated with the new started task JCL has the same RACF primary group as the existing integration node user ID, so that they can access shared resources. Also ensure that the new user ID has the required privileges to the existing integration node filesystem and dataset (which it should have through the primary group access).
3. Ensure that the MQ and SMF authorizations are updated for the new user ID; for more information, see Summary of required access (z/OS).
4. Copy the existing integration node started task JCL to the new started task JCL in the PROCLIB.
5. Ensure that the main integration node user ID has been granted permission to the SUPERUSER.PROCESS.KILL RACF profile. This permission is required so that the main control address space can recover any existing integration server address spaces in the event of a failure.
6. Refresh the started RACF classes to implement the updates.
7. Change the user ID by adding the appropriate environment variable to the integration node's profile.
   • The integration server name specified in the environment variable is the last 8 characters of the integration server, after any overrides have been applied. This is the same 8-character name that is displayed as the STEPNAME against the integration server address space in SDSF.
   • Ensure that the integration server name contains only characters that are valid in the environment variable. If invalid characters are used, the user ID cannot be overridden.
   • If you specify more than one environment variable, they are read in the following order (with MQSI_STARTEDTASK_FIXED_integrationServerName taking precedence):
     1. MQSI_STARTEDTASK_FIXED_integrationServerName
     2. MQSI_STARTEDTASK_MULTI_integrationServerName
     3. MQSI_STARTEDTASK_DEFAULT
     where integrationServerName is the name of your integration server. For example:

     • export MQSI_STARTEDTASK_FIXED_DEFAULT=IB01EG1 changes any integration server which has the last 8 characters equal to DEFAULT to started task IB01EG1
     • export MQSI_STARTEDTASK_MULTI_TEST=IB01EG2 changes any integration server which has the last 8 characters starting with TEST to started task IB01EG2
     • export MQSI_STARTEDTASK_DEFAULT=IB01EG3 changes all integration servers which are not overridden by MQSI_STARTEDTASK_FIXED_integrationServerName or MQSI_STARTEDTASK_MULTI_integrationServerName to started task IB01EG3.
8. Submit BIPGEN to the integration node's ENVFILE.
9. Restart the integration node.