Considerations

The security model implemented for the Dynamic Workload Console is similar to that already implemented by other Tivoli® products that have been ported to z/OS® (namely Tivoli User Administration and Tivoli Security Management).

All versions of the Dynamic Workload Console use WebSphere® Application Server to handle the initial user verification. In all cases, however, it is necessary to obtain a valid corresponding RACF® user ID to be able to work with the security environment in z/OS.

Note:
You cannot control the port from which the Dynamic Workload Console server started task replies to a request from the z/OS connector. The response ports are randomly selected. Therefore, if there is a firewall between the Dynamic Workload Console server and the z/OS connector, that firewall must permit outgoing traffic from all ports above 1023.

To optimize the thread handling between the z/OS connector and the scheduler server, you can group console users by RACF user ID. To define this grouping, associate a list of console users with the same RACF user ID by editing the TWSZOSConnConfig.properties file in the TWSInstallationPath\eWAS\profiles\TIPProfile\properties directory and setting the last two properties as follows:

com.ibm.tws.zconn.usr.mapping.enable=true
com.ibm.tws.zconn.usr.mapping.file=mapping_file_path\mapping_file

where mapping_file is the name of the file that contains the mapping between console user and RACF user ID, as in the following example:

engine=zos1919 user=twsuser1,twsuser2 zosuser=zos1919user1
               user=twsuser3,twsuser4 zosuser=zos1919user2
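
Because every console user in a group works under the same RACF user ID, it is worth reviewing the mapping file before enabling it. The following Python sketch is an added example, not part of the product or of the original page: it parses the format shown above, lists which console users share each RACF user ID, and flags any console user mapped to more than one RACF user ID on the same engine. It assumes that a line without engine= continues the previous engine, as the example above suggests; the function names and the third sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown above; the last line is a deliberate
# conflict (twsuser2 mapped to a second RACF user ID on the same engine).
SAMPLE = """\
engine=zos1919 user=twsuser1,twsuser2 zosuser=zos1919user1
               user=twsuser3,twsuser4 zosuser=zos1919user2
               user=twsuser2 zosuser=zos1919user2
"""

PAIR = re.compile(r"(\w+)=(\S+)")

def parse_mapping(text):
    """Return {(engine, console_user): [racf_id, ...]} for every mapping line."""
    mapping = defaultdict(list)
    engine = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = dict(PAIR.findall(line))
        # Assumption: a line without engine= continues the previous engine.
        engine = fields.get("engine", engine)
        if engine is None or "user" not in fields or "zosuser" not in fields:
            raise ValueError(f"line {lineno}: expected [engine=] user= zosuser=")
        for user in filter(None, fields["user"].split(",")):
            mapping[(engine, user)].append(fields["zosuser"])
    return dict(mapping)

def conflicts(mapping):
    """Console users that resolve to more than one RACF user ID on an engine."""
    return {k: ids for k, ids in mapping.items() if len(set(ids)) > 1}

def shared_ids(mapping):
    """Invert the map: which console users act under each RACF user ID."""
    groups = defaultdict(set)
    for (engine, user), ids in mapping.items():
        for racf in ids:
            groups[(engine, racf)].add(user)
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    m = parse_mapping(SAMPLE)
    for (engine, racf), users in sorted(shared_ids(m).items()):
        print(f"{engine} {racf}: {', '.join(users)}")
    for (engine, user), ids in conflicts(m).items():
        print(f"CONFLICT {engine} {user} -> {ids}")
```

The page does not say how a console user listed under two RACF user IDs is resolved, so treat any reported conflict as something to fix in the file rather than rely on.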