When you create your integration nodes on z/OS®, you must set up security
by configuring integration node user IDs with the appropriate permissions.
About this task
The following steps guide you through configuring an integration
node user ID on z/OS:
Procedure
- Decide on the started task name of the integration node.
This name is used to set up started task authorizations, and to manage
your system performance.
- Decide on a data set naming convention for your IBM® Integration Bus PDSE. A typical name might
be WMQI.MQP1BRK.CNTL, where MQP1 is the queue manager name. You must give the IBM Integration Bus,
WebSphere® MQ, and z/OS administrators access to these data sets. You can control access in
several ways, for example:
  - Give each user individual access to the specific data set
  - Define a generic data set profile, defining a group that contains
    the user IDs of the administrators. Grant the group control access
    to the generic data set profile
- Configure access to components and resources on z/OS. For more information, see Summary of required access (z/OS).
- Define an OMVS group segment for this group so that information
can be extracted from the External Security Manager (ESM) database
to enable you to use Publish/Subscribe security.
- Define an OMVS segment for the started task user ID and
give its home directory sufficient space for any IBM Integration Bus memory dumps. Consider using
the started task procedure name as the started task user ID.
- Check that your OMVS segment is defined by using the following TSO command:
LU userid OMVS
The command output includes the OMVS segment, for example:
USER=MQP1BRK NAME=SMITH, JANE OWNER=TSOUSER
CREATED=99.342 DEFAULT-GROUP=TSOUSER PASSDATE=01.198
PASS-INTERVAL=30
......
OMVS INFORMATION
----------------
UID=0000070594
HOME=/u/MQP1BRK
PROGRAM=/bin/sh
CPUTIMEMAX=NONE
ASSIZEMAX=NONE
FILEPROCMAX=NONE
PROCUSERMAX=NONE
THREADSMAX=NONE
MMAPAREAMAX=NONE
The command:
df -P /u/MQP1BRK
displays the amount of space used and available, where /u/MQP1BRK is the value
of HOME in the output shown previously. This command shows you how much space
is currently available in the file system. Check with your data administrator
that this space is sufficient. You require a minimum of 400 000 blocks available
if a memory dump is taken.
- Associate the started task procedure with the user ID to
be used. For example, you can use the STARTED class in RACF®. The IBM Integration Bus and z/OS administrators must agree on
the name of the started task.
- IBM Integration Bus administrators
require an OMVS segment and a home directory. Check the setup previously
described.
- The started task user IDs and the IBM Integration Bus administrators require access
to the install processing files, the component-specific files, and
the home directory of the started task. During customization, the
file ownership can be changed to alter group access. This change might
require superuser authority.
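The following REXX exec is an added example, not part of the IBM documentation, showing one way to issue the RACF definitions that the procedure above describes: an administrator group with an OMVS segment, a protected started task user ID with its own OMVS segment, the STARTED class association, and a generic data set profile for the PDSE. All names and numeric values (IIBADM, JSMITH, the UID and GID, the RACF group and profile names) are constructed assumptions, and the exec assumes that generic data set profiles are enabled (SETROPTS GENERIC(DATASET)); the user ID MQP1BRK and data set prefix WMQI.MQP1BRK follow the naming used on this page.

```rexx
/* REXX: constructed example of the RACF setup for an integration node  */
/* started task on z/OS. Run by a user with the RACF authority to issue  */
/* these commands; every name below is an assumption, not a page value.  */
address TSO

/* 1. Administrator group with an OMVS segment, so that group membership */
/*    can be extracted from the ESM database (Publish/Subscribe security).*/
"ADDGROUP IIBADM OMVS(GID(70500))"
"CONNECT JSMITH GROUP(IIBADM)"           /* an IIB administrator, assumed */

/* 2. Started task user ID, matching the started task procedure name.    */
/*    NOPASSWORD makes it a protected ID that cannot be used to log on.  */
/*    HOME must have room for memory dumps (see the df -P check above).  */
"ADDUSER MQP1BRK NAME('IIB NODE MQP1') DFLTGRP(IIBADM) NOPASSWORD",
   "OMVS(UID(70594) HOME('/u/MQP1BRK') PROGRAM('/bin/sh'))"

/* 3. Associate the started task procedure with that user ID.            */
/*    TRUSTED(NO) keeps the task from bypassing resource checks.         */
"RDEFINE STARTED MQP1BRK.* STDATA(USER(MQP1BRK) GROUP(IIBADM) TRUSTED(NO))"
"SETROPTS RACLIST(STARTED) REFRESH"

/* 4. Generic data set profile for the PDSE: no universal access,        */
/*    CONTROL for the administrator group, READ for the started task.    */
"ADDSD 'WMQI.MQP1BRK.**' UACC(NONE)"
"PERMIT 'WMQI.MQP1BRK.**' ID(IIBADM) ACCESS(CONTROL)"
"PERMIT 'WMQI.MQP1BRK.**' ID(MQP1BRK) ACCESS(READ)"
"SETROPTS GENERIC(DATASET) REFRESH"

/* 5. Verify that the OMVS segment exists, as the procedure describes.   */
"LU MQP1BRK OMVS"
exit
```

Because the started task runs under MQP1BRK rather than a root (UID 0) user, the authority warning in the next section does not apply to it; keep UID(0) off the started task ID unless the risk assessment described there has been made.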
What to do next
When the service user ID is root,
all libraries loaded by the integration node, including all user-written
plug-in libraries, and all shared libraries that they might access,
also have root access to all system resources (for example, file sets).
Review and assess the risk involved in granting this level of authorization.