z/OS Common Information Model User's Guide


Enabling the must-stay-clean feature

SC34-2671-00

To strengthen the system integrity of the CIM server, z/OS provides the optional must-stay-clean feature. To benefit from the feature, you must enable it explicitly.

Must-stay-clean provides additional system integrity: 

  • Provider libraries are loaded dynamically at runtime by the CIM server. The must-stay-clean feature prevents uncontrolled libraries from being loaded on behalf of a dynamic provider.
  • Providers using the out-of-process support can be managed in separate address spaces rather than loading and calling provider libraries directly within the CIM server process. This converts the CIM server process into a daemon process that starts off several server processes (provider agent processes). Providers are then run in threads by the provider agents.

    Must-stay-clean secures the trust base between both address spaces.

To enable the must-stay-clean feature:

  • Define the BPX.DAEMON FACILITY class in your security product.

    Defining BPX.DAEMON enforces program control. The following sample shows the corresponding RACF® commands:

    Example:

    SETROPTS CLASSACT(FACILITY)
    SETROPTS RACLIST(FACILITY)
    RDEFINE FACILITY BPX.DAEMON UACC(NONE)
    SETROPTS RACLIST(FACILITY) REFRESH

    Note:
    The definition of BPX.DAEMON is not specific to the CIM server, but has system-wide implications for all programs running on the z/OS system. Refer to "Setting up the BPX.* FACILITY class profiles" and "Setting up security procedures for daemons" in z/OS UNIX System Services Planning for additional information.
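
A check that follows from the program-control requirement above, as an added example that is not part of the IBM guide: it scans `ls -E` output from the z/OS UNIX shell and reports shared libraries whose program-controlled (`p`) extended attribute is not set. The listing, file names, owner, group, and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: find shared libraries that are not marked program controlled.
# Assumption: input is a z/OS UNIX `ls -E` long listing, where field 2 holds the
# extended attributes in the order a, p, s, l and '-' means "not set".

# Constructed sample listing; file names, owner and group are hypothetical.
sample_listing() {
cat <<'EOF'
total 48
-rwxr-xr-x  -ps-  1 CIMSRV  CIMGRP   81920 Mar 03 10:15 libSampleProviderA.so
-rwxr-xr-x  --s-  1 CIMSRV  CIMGRP   40960 Mar 03 10:15 libSampleProviderB.so
-rwxr-xr-x  aps-  1 CIMSRV  CIMGRP   12288 Mar 03 10:15 libSampleProviderC.so
-rw-r--r--  --s-  1 CIMSRV  CIMGRP     512 Mar 03 10:15 README
EOF
}

# Print the names of regular *.so files whose 'p' flag is unset.
# Lines that are not regular files or lack a 4-flag attribute field are skipped.
# Names containing blanks are not handled (only the last field is used).
uncontrolled_libs() {
  awk '$1 ~ /^-/ && $2 ~ /^[a-][p-][s-][l-]$/ && $NF ~ /\.so$/ {
         if (substr($2, 2, 1) != "p") print $NF
       }'
}

# Return 0 when every library in the listing on stdin is program controlled,
# 1 otherwise; offending names go to stderr.
check_listing() {
  bad=$(uncontrolled_libs)
  if [ -n "$bad" ]; then
    printf 'not program controlled: %s\n' $bad >&2
    return 1
  fi
  return 0
}

# Demonstration on the constructed sample; on a real system, pipe in
# `ls -E <provider-directory>` instead (directory path is site-specific).
if sample_listing | check_listing; then
  echo "all libraries are program controlled"
else
  echo "review the libraries listed above before enabling must-stay-clean"
fi
```

A flagged file that comes from a trusted source can be marked with `extattr +p`, which requires READ access to the BPX.FILEATTR.PROGCTL FACILITY profile.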





Copyright IBM Corporation 1990, 2014