Steps for defining security for a user ID and associating the user ID with the Telnet procedure name

Before you can start Telnet, you must define security for a user ID and associate it with the Telnet procedure name. These steps use RACF® as the example security subsystem. If you are using another security product, see the documentation for that product to determine the appropriate procedure.

Procedure

Perform the following steps to define security for a user ID and to associate it with the procedure name.

  1. Use an existing user ID or create a new user ID:
    • Define a user ID with a nonzero UID value and do not permit it to the BPX.SUPERUSER resource. You will see message EZZ6049I tnproc NON-ZERO OMVS UID IN EFFECT, indicating that you associated Telnet with a user ID that does not have superuser authority. The number of connections allowed on a single port is then limited by the MAXFILEPROC value. You can override that limit for this user ID with the FILEPROCMAX option of the ALTUSER command. For example, the following command allows 150,000 connections:
      ALTUSER TN3270E DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(23) FILEPROCMAX(150000) HOME('/')) 

      If connection failures occur (EZZ6012I tnproc BPX1AIO ACCEPT FAILED, RC = 0000007C RSN = 050B0146) followed by a port quiesce (EZZ6003I tnproc QUIESCED ON PORT 23), the MAXFILEPROC value has been reached.

      Tip: If your MAXFILEPROC value is less than your expected number of Telnet connections on a single port, you should use superuser authority or the FILEPROCMAX option on the RACF ALTUSER command. The FILEPROCMAX value will override the MAXFILEPROC value for processes associated with the user ID. If you do not use the FILEPROCMAX option and you do not give the associated user ID superuser authority by permitting the user ID to the BPX.SUPERUSER resource, Telnet is not able to increase the MAXFILEPROC value on the listener socket and will support the number of connections specified by the MAXFILEPROC value instead of the OMVS maximum.
    • Permit a user ID with a nonzero UID value to the BPX.SUPERUSER resource in the FACILITY class:
      1. Add the user to RACF:
        ADDUSER TN3270E
      2. Permit the user ID:
        1. Create a BPX.SUPERUSER FACILITY class profile:
          RDEFINE FACILITY BPX.SUPERUSER
        2. If this is the first class profile, activate the FACILITY class:
          SETROPTS CLASSACT(FACILITY)
          SETROPTS RACLIST(FACILITY)
        3. Permit the user to the class:
          ALTUSER TN3270E DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(23) HOME('/'))
          PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(TN3270E) ACCESS(READ)
          In this example, the user ID is TN3270E and the UID is 23. The UID can be any nonzero number. UID 23 was used to match the well-known Telnet port number.
        4. Refresh the FACILITY class:
          SETROPTS RACLIST(FACILITY) REFRESH

      This example uses TN3270E for the user ID, but you can use any name.

      Tip: You can combine the ADDUSER and ALTUSER commands into one command by putting the OMVS parameter on the ADDUSER command line. The ADDUSER and ALTUSER commands are shown separately in case the user ID already exists: if the ADDUSER command fails because the user ID is already defined, the ALTUSER command still succeeds.
    • Use an existing superuser ID to associate with the job name.
    • Define a superuser ID to associate with the job name.
      To define a superuser ID, add a user ID to RACF and alter it to superuser status:
      ADDUSER TN3270E
      ALTUSER TN3270E DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0) HOME('/'))

      Sample statements for defining a superuser ID are in SEZAINST(EZARACF). For more information, see z/OS UNIX System Services Planning, z/OS Security Server RACF Security Administrator's Guide, and z/OS Security Server RACF Command Language Reference.

  2. Add the procedure name to the RACF STARTED class and associate the user ID from step 1 with the name. For example, code the following statements:
    RDEFINE STARTED TELNET*.*  STDATA(USER(TN3270E))
    SETROPTS RACLIST(STARTED) REFRESH

    Sample statements for adding the procedure to the STARTED class are in SEZAINST(EZARACF). For more information, see z/OS UNIX System Services Planning, z/OS Security Server RACF Security Administrator's Guide, and z/OS Security Server RACF Command Language Reference.

  3. If you are using secure Telnet connections, make sure that the user ID that runs Telnet has access to the SSL key ring and certificates. Take one of the following actions:
  4. If you are using hardware encryption, ensure that the Telnet user ID has read access to the RACF CSFSERV class resources. For details, see Encryption algorithms.
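The first bullet of step 1 describes the symptom of running Telnet under a nonzero UID whose MAXFILEPROC limit is too low: EZZ6012I accept failures with RC = 0000007C RSN = 050B0146 followed by an EZZ6003I port quiesce. The following script is an added example (not IBM code) that scans a syslog extract for exactly that sequence and reports whether the quiesce is attributable to MAXFILEPROC, so an operator can tell a file-descriptor exhaustion from some other accept failure before touching RACF. The message texts are taken from the procedure above; the procedure name TN3270 and every line in SAMPLE_LOG are constructed for the example.

```python
"""Detect a Telnet listener quiesce caused by MAXFILEPROC exhaustion.

Added example, not IBM's code. Message formats EZZ6049I, EZZ6012I and
EZZ6003I are those quoted in the procedure text; the procedure name TN3270
and the log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Patterns for the three messages the procedure describes. The second token
# is the Telnet procedure name (shown as "tnproc" in the documentation).
NONZERO_UID = re.compile(r"EZZ6049I\s+(\S+)\s+NON-ZERO OMVS UID IN EFFECT")
ACCEPT_FAILED = re.compile(
    r"EZZ6012I\s+(\S+)\s+BPX1AIO ACCEPT FAILED, RC = ([0-9A-F]{8}) RSN = ([0-9A-F]{8})")
QUIESCED = re.compile(r"EZZ6003I\s+(\S+)\s+QUIESCED ON PORT (\d+)")

# Return and reason codes the procedure quotes for "MAXFILEPROC reached".
MAXFILEPROC_RC = "0000007C"
MAXFILEPROC_RSN = "050B0146"

# Constructed sample: a server running with a nonzero UID that exhausts
# MAXFILEPROC on port 23. Only message IDs from the procedure are used.
SAMPLE_LOG = """\
EZZ6049I TN3270 NON-ZERO OMVS UID IN EFFECT
EZZ6012I TN3270 BPX1AIO ACCEPT FAILED, RC = 0000007C RSN = 050B0146
EZZ6012I TN3270 BPX1AIO ACCEPT FAILED, RC = 0000007C RSN = 050B0146
EZZ6003I TN3270 QUIESCED ON PORT 23
"""


@dataclass
class ProcState:
    """What the log told us about one Telnet procedure."""
    nonzero_uid: bool = False
    maxfileproc_failures: int = 0   # EZZ6012I with the MAXFILEPROC RC/RSN
    other_failures: int = 0         # EZZ6012I with any other RC/RSN
    quiesced_ports: list = field(default_factory=list)


def analyze(log_text):
    """Walk the log once and return {procedure_name: ProcState}."""
    states = {}
    for line in log_text.splitlines():
        m = NONZERO_UID.search(line)
        if m:
            states.setdefault(m.group(1), ProcState()).nonzero_uid = True
            continue
        m = ACCEPT_FAILED.search(line)
        if m:
            st = states.setdefault(m.group(1), ProcState())
            if (m.group(2), m.group(3)) == (MAXFILEPROC_RC, MAXFILEPROC_RSN):
                st.maxfileproc_failures += 1
            else:
                st.other_failures += 1
            continue
        m = QUIESCED.search(line)
        if m:
            states.setdefault(m.group(1), ProcState()).quiesced_ports.append(int(m.group(2)))
    return states


def diagnose(log_text):
    """Return one diagnosis string per procedure that quiesced a port."""
    findings = []
    for proc, st in analyze(log_text).items():
        if not st.quiesced_ports:
            continue
        ports = ",".join(str(p) for p in st.quiesced_ports)
        if st.maxfileproc_failures:
            cause = "MAXFILEPROC reached"
            if st.nonzero_uid:
                # The remedy the procedure gives for a nonzero-UID server.
                cause += " (nonzero UID: raise FILEPROCMAX on ALTUSER or permit to BPX.SUPERUSER)"
        elif st.other_failures:
            cause = "accept failures with another RC/RSN; check the codes"
        else:
            cause = "no preceding accept failure; cause unknown"
        findings.append(f"{proc}: port(s) {ports} quiesced: {cause}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Feed it a syslog extract covering the window around the quiesce; a quiesce with no matching EZZ6012I, or with a different RC/RSN, is reported as such rather than blamed on MAXFILEPROC.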

Results

You know you are done when you can start Telnet without receiving errors.

If your job ends abnormally with system completion code EC6 and a register 15 value of 0F01C008, you did not associate a valid user ID with the started job name.