z/OS Common Information Model User's Guide


Setting up multilevel security (MLS) support

SC34-2671-00


In a conventional CIM server setup, all providers are processed in the CIM server’s address space. If the CIM server is running in a multilevel secure (MLS) z/OS system, providers are executed in several provider agent processes depending on the user's security classification and port of entry, independent of the CIM server configuration.

Additional setup for an MLS environment: 

  • If the Enhanced Security model is enabled (that is, the CIM server user ID is not privileged), make sure that the CIM server user ID has READ access to security resource BPX.POE in the FACILITY class.

    This allows the CIM server to use the z/OS XL C/C++ Run-Time Library function __poe() to retrieve information on the security classification and the port of entry of a user.

    Example for the security product RACF®:

    RDEFINE FACILITY BPX.POE UACC(NONE)
    PERMIT BPX.POE CL(FACILITY) ACCESS(READ) ID(CFZSRV)
    SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY) REFRESH

    where CFZSRV is the CIM server user ID.
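To confirm the result of the commands above, the profile can be listed with `RLIST FACILITY BPX.POE AUTHUSER` and the captured output checked for least privilege. The following Python check is an added example, not part of the IBM guide. Assumptions: the sample listing is constructed and only approximates the RLIST column layout, and the function names `parse_rlist` and `audit_bpx_poe` are hypothetical.

```python
# Constructed sample modeled on "RLIST FACILITY BPX.POE AUTHUSER" output.
# Assumption: the real column layout can differ between RACF releases.
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
FACILITY   BPX.POE

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SECADM          NONE              ALTER    NO

USER      ACCESS
----      ------
CFZSRV    READ
TESTUSR   UPDATE
"""

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def parse_rlist(text):
    """Return (uacc, {user: access}) parsed from RLIST-style output."""
    lines = text.splitlines()
    uacc, acl = None, {}
    for i, line in enumerate(lines):
        if "UNIVERSAL ACCESS" in line and i + 2 < len(lines):
            # The data row follows the dashed underline: LEVEL OWNER UACC ...
            fields = lines[i + 2].split()
            if len(fields) >= 3:
                uacc = fields[2]
        elif line.split()[:2] == ["USER", "ACCESS"]:
            for row in lines[i + 2:]:
                fields = row.split()
                if len(fields) < 2 or fields[1] not in LEVELS:
                    break  # end of the access list
                acl[fields[0]] = fields[1]
    return uacc, acl

def audit_bpx_poe(text, server_id="CFZSRV"):
    """List deviations from the setup: UACC(NONE) and READ for the server ID."""
    uacc, acl = parse_rlist(text)
    findings = []
    if uacc != "NONE":
        findings.append(f"UACC is {uacc}, expected NONE")
    granted = acl.get(server_id, "NONE")
    if LEVELS.index(granted) < LEVELS.index("READ"):
        findings.append(f"{server_id} lacks READ (has {granted})")
    # Any other ID on the access list can also query port-of-entry data.
    findings += [f"review extra entry: {u} {a}" for u, a in acl.items() if u != server_id]
    return findings
```

For the constructed sample, `audit_bpx_poe(SAMPLE_RLIST)` reports only the extra TESTUSR entry, because the universal access and the CFZSRV permission match the RACF example.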

For general information on MLS, please refer to z/OS® Planning for Multilevel Security and the Common Criteria.

If the CIM server is not running in an MLS z/OS system, and you want to run providers in processes separate from the CIM server process for stability reasons or for debugging purposes, use the out-of-process support for providers. For more information, see Running providers in separate address spaces.





Copyright IBM Corporation 1990, 2014