Working with the Agent Controller security feature

The following list contains hints and tips for using the Agent Controller security feature on all platforms.

Authentication is provided by the operating system. Only users specified at installation time are allowed to authenticate. If the user name ANY is provided, any valid user name and password pairs are forwarded to the operation system for authentication, otherwise only listed pairs are forwarded.
When security is enabled, the users you specified at installation time are required to authenticate with the operating system before any information can be exchanged with Agent Controller. The workbench user must provide a valid user name and password combination that is an operating system user name and password.
(Windows only) Passwords for domain names are not authenticated. You must provide local user name and password pairs.
There are no key management capabilities provided. Agent Controller uses Java™ keystores for security.
A default keystore and exported certificate are in the Agent Controller directory <rac_install_dir>\security for Windows, and <rac_install_dir>/security, where <rac_install_dir> is the installation directory of Agent Controller. Replace these samples with a keystore containing meaningful certificates.

Additional security configuration for z/OS

If security is enabled in the agent controller configuration, then BPX.DAEMON privileges are required for the agent controller. Speak with your system administrator to ensure that the Agent Controller binaries and libraries have the appropriate privileges. The following set of files typically require program-control privileges in order to allow security to run. (extattr +p)

<RAC_INSTALL_DIR>/bin/ACServer
<RAC_INSTALL_DIR>/bin/tptpProcessController (all files, including libTPTPUtil and libtptpCCTL)
<RAC_INSTALL_DIR>/lib/*
<XML_TOOLKIT_INSTALL_DIR>/xml4c-5_7/lib/* (all files)
<JAVA_INSTALL_DIR>/jre/J6.0/bin/classic/* (all files in this directory)
<JAVA_INSTALL_DIR>/jre/J6.0/lib/* (or, more generally, the lib directory of the JVM specified in the serviceconfig.xml file)
<JAVA_INSTALL_DIR>/jre/J6.0/lib/s390/j9vm/* (where s390 is either s390 or 390x, for 31or 64 bit.)
<JAVA_INSTALL_DIR>/jre/J6.0/lib/s390/* (where s390 is either s390 or 390x, for 31 or 64 bit.)
<JAVA_INSTALL_DIR>/jre/J6.0/lib/s390/default/* (where s390 is either s390 or 390x, for 31 or 64 bit.)

If you do not set this configuration, then you will get messages in the z/OS® log similar to the following example when the user ID and password is entered in the workbench when it performs "Attach to Agent" in the Profiling and Logging Perspective:BPXP015I HFS PROGRAM /opt/racv822/bin/ACServer IS NOT MARKED PROGRAM CONTROLLED. BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.

Feedback