Establishing ESM user IDs for RTCS address spaces
The following examples apply to the ESM executing on the z/OS image. Depending on your data set naming conventions, existing profiles, and rules, you might need to modify them.
We recommend that you check with your system administrator before proceeding. Members OSZ$RACF, OSZ$ACF2, and OSZ$TSS in the TOSZCNTL target library contain the sample JCL.
RACF example
/* These commands are intended as EXAMPLES ONLY, to be edited by the */
/* customer system programmer or security administrator for each MVS */
/* image or shared ESM data base, as required by your configuration. */
/* The commands provided may not work at your site exactly as they */
/* have been illustrated here, or they may not even be necessary. */
/* Define data set profiles for the PDSE libraries & System Registry. */
/* We define them initially with UACC(ALTER) so that the current ID */
/* does not have to have the SPECIAL attribute to issue the PERMIT */
/* commands that immediately follow. We will alter the UACC in the */
/* data set profiles after ALTER access by the current user is set. */
ADDSD 'SYS2.RTCS.POSZRTCS' -
GENERIC UACC(ALTER)
ADDSD 'SYS2.RTCS.POSZLINK' -
GENERIC UACC(ALTER)
ADDSD 'SYS2.RTCS.POSZHTML' -
GENERIC UACC(ALTER)
ADDSD 'SYS2.RTCS.POSZPSWD' -
GENERIC UACC(ALTER)
ADDSD 'SYS2.RTCS.REGISTRY' -
GENERIC UACC(ALTER)
/* Ensure that the system programmer executing the RTCS configuration */
/* JOBs has ALTER access to the RTCS Subsystem and Product Libraries, */
/* the Hypertext Document Library, and the RTCS System Registry VLDS. */
/* Owning a profile (the default when OWNER(id) is omitted) lets the  */
/* issuing UserID administer it but does not by itself grant access  */
/* to the data set. The PERMITs below supply that access without the */
/* system programmer running these JOBs needing the SPECIAL attribute.*/
/* CAUTION: ID(*) means every RACF-defined user, and these ALTER      */
/* entries remain in the access lists after the ALTDSD commands below */
/* lower the UACC. Substitute the system programmer's UserID for '*', */
/* or delete the entries (PERMIT ... ID(*) DELETE) once the RTCS      */
/* configuration JOBs have completed.                                  */
PERMIT 'SYS2.RTCS.POSZRTCS' -
GENERIC ID(*) ACCESS(ALTER)
PERMIT 'SYS2.RTCS.POSZLINK' -
GENERIC ID(*) ACCESS(ALTER)
PERMIT 'SYS2.RTCS.POSZHTML' -
GENERIC ID(*) ACCESS(ALTER)
PERMIT 'SYS2.RTCS.POSZPSWD' -
GENERIC ID(*) ACCESS(ALTER)
PERMIT 'SYS2.RTCS.REGISTRY' -
GENERIC ID(*) ACCESS(ALTER)
/* Update data set profiles for the PDSE libraries & System Registry. */
/* We set the minimum UACC needed by a typical, non-strict, customer. */
ALTDSD 'SYS2.RTCS.POSZRTCS' -
GENERIC UACC(NONE)
ALTDSD 'SYS2.RTCS.POSZLINK' -
GENERIC UACC(READ)
ALTDSD 'SYS2.RTCS.POSZHTML' -
GENERIC UACC(READ)
ALTDSD 'SYS2.RTCS.POSZPSWD' -
GENERIC UACC(READ)
ALTDSD 'SYS2.RTCS.REGISTRY' -
GENERIC UACC(NONE)
/* Define an STC UserID for use by RTCS Initiator AND RTCS Subsystem. */
/* Take care to customize this properly for your RACF configuration. */
/* In particular, take care to properly specify the OMVS parameters. */
/* The UserID is connected to its DFLTGRP and inherits that group's  */
/* permits, so prefer a dedicated STC group over SYS1 if SYS1 holds   */
/* access that RTCS does not need.                                    */
ADDUSER OSZRTCS -
NAME('RTCS Subsystem') -
NOPASSWORD -
DFLTGRP(SYS1) -
UACC(READ) -
LANGUAGE(PRIMARY(ENU)) -
OMVS( UID(10010) HOME('/home') PROGRAM('/bin/sh') )
/* Define an STC UserID for use by RTCS Generalized Server (products).*/
/* Take care to customize this properly for your RACF configuration. */
/* In particular, take care to properly specify the OMVS parameters. */
ADDUSER OSZEXEC -
NAME('RTCS General Server') -
NOPASSWORD -
DFLTGRP(SYS1) -
UACC(READ) -
LANGUAGE(PRIMARY(ENU)) -
OMVS( UID(10011) HOME('/home') PROGRAM('/bin/sh') )
/* Connect these two new STC UserIDs to the STC PROCs used by them. */
SETROPTS GENERIC(STARTED) /* We assume this is in effect already. */
RDEFINE STARTED OSZINIT.* STDATA( USER(OSZRTCS) )
RDEFINE STARTED OSZRTCS.* STDATA( USER(OSZRTCS) )
RDEFINE STARTED OSZEXEC.* STDATA( USER(OSZEXEC) )
SETROPTS RACLIST(STARTED) REFRESH
/* Allow READ access by the RTCS Subsystem to RTCS Subsystem Library, */
/* the RTCS Product Library, and Hypertext Document Library PDSEs. */
PERMIT 'SYS2.RTCS.POSZRTCS' -
GENERIC ID(OSZRTCS) ACCESS(READ)
PERMIT 'SYS2.RTCS.POSZLINK' -
GENERIC ID(OSZRTCS) ACCESS(READ)
PERMIT 'SYS2.RTCS.POSZHTML' -
GENERIC ID(OSZRTCS) ACCESS(READ)
/* Allow READ access by the RTCS Subsystem to the */
/* Product Authorization (License) Table Library. */
PERMIT 'SYS2.RTCS.POSZPSWD' -
GENERIC ID(OSZRTCS) ACCESS(READ)
/* Allow UPDATE access by RTCS Subsystem to the RTCS System Registry. */
PERMIT 'SYS2.RTCS.REGISTRY' -
GENERIC ID(OSZRTCS) ACCESS(UPDATE)
/* Allow READ access by RTCS Client Product Generalized Server STCs */
/* to the RTCS Product Library and Hypertext Document Library PDSEs. */
PERMIT 'SYS2.RTCS.POSZLINK' -
GENERIC ID(OSZEXEC) ACCESS(READ)
PERMIT 'SYS2.RTCS.POSZHTML' -
GENERIC ID(OSZEXEC) ACCESS(READ)
/* Allow SYSLOG access by RTCS Client Product Generalized Server STCs */
RDEFINE JESSPOOL -
&RACLNDE.+MASTER+.SYSLOG.*.*.? UACC(READ)
PERMIT &RACLNDE.+MASTER+.SYSLOG.*.*.? -
CLASS(JESSPOOL) ID(OSZEXEC) ACCESS(READ)
/* Identify applications defined by RTCS and RTCS client products */
/* and allow access by all users in general. */
RDEFINE APPL (RTCSHTTP) UACC(READ)
RDEFINE APPL (EXPLORER) UACC(READ)
/* Define profiles for modules defined and loaded by Dynamic LPA ADD */
/* Permit RTCS Initiator and RTCS Subsystem to add OSZ modules to LPA */
SETROPTS GENERIC(FACILITY)
RDEFINE FACILITY CSVDYLPA.ADD.OSZ* UACC(NONE)
PERMIT CSVDYLPA.ADD.OSZ* -
CLASS(FACILITY) ID(OSZRTCS) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH
/* Allow access to certain TCP/IP resources by the RTCS */
/* Subsystem and the RTCS HTTP Server which runs in the */
/* RTCS Generalized Server address space. */
SETROPTS CLASSACT(SERVAUTH)
RDEFINE SERVAUTH EZB.STACKACCESS.* UACC(READ)
RDEFINE SERVAUTH EZB.PORTACCESS.* UACC(READ)
RDEFINE SERVAUTH EZB.NETACCESS.* UACC(READ)
RDEFINE SERVAUTH EZB.TN3270.* UACC(READ)
PERMIT EZB.STACKACCESS.* -
CLASS(SERVAUTH) ID(OSZRTCS) ACCESS(READ)
PERMIT EZB.PORTACCESS.* -
CLASS(SERVAUTH) ID(OSZRTCS) ACCESS(READ)
PERMIT EZB.NETACCESS.* -
CLASS(SERVAUTH) ID(OSZRTCS) ACCESS(READ)
PERMIT EZB.TN3270.* -
CLASS(SERVAUTH) ID(OSZRTCS) ACCESS(READ)
PERMIT EZB.STACKACCESS.* -
CLASS(SERVAUTH) ID(OSZEXEC) ACCESS(READ)
PERMIT EZB.PORTACCESS.* -
CLASS(SERVAUTH) ID(OSZEXEC) ACCESS(READ)
PERMIT EZB.NETACCESS.* -
CLASS(SERVAUTH) ID(OSZEXEC) ACCESS(READ)
PERMIT EZB.TN3270.* -
CLASS(SERVAUTH) ID(OSZEXEC) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH)
SETROPTS RACLIST(SERVAUTH) REFRESH
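The following verification and clean-up commands are an added example and are not part of the OSZ$RACF sample. They use the data set and profile names from the example above and assume that the RTCS configuration JOBs have already completed; SYSPROG1 is a placeholder for the system programmer's UserID. They show that the ID(*) ACCESS(ALTER) entries survive the ALTDSD commands, replace them with a named permit, and confirm the STARTED, FACILITY, SERVAUTH, and OMVS definitions before the PROCs are started.

```racf
/* Added verification and clean-up step, not part of the OSZ$RACF     */
/* sample. Run it after the RTCS configuration JOBs have completed.   */
/* SYSPROG1 is a placeholder for the system programmer's UserID.      */

/* 1. Inspect the access lists the sample left behind. AUTHUSER shows */
/*    the standard access list; expect an ID(*) ACCESS(ALTER) entry   */
/*    on every profile even though the UACC is now NONE or READ.      */
LISTDSD DATASET('SYS2.RTCS.POSZRTCS') GENERIC AUTHUSER
LISTDSD DATASET('SYS2.RTCS.POSZLINK') GENERIC AUTHUSER
LISTDSD DATASET('SYS2.RTCS.POSZHTML') GENERIC AUTHUSER
LISTDSD DATASET('SYS2.RTCS.POSZPSWD') GENERIC AUTHUSER
LISTDSD DATASET('SYS2.RTCS.REGISTRY') GENERIC AUTHUSER

/* 2. Keep the system programmer's ALTER access on a named UserID,    */
/*    then remove the catch-all entries so that only the UACC and the */
/*    STC UserIDs' explicit permits govern access.                    */
PERMIT 'SYS2.RTCS.POSZRTCS' GENERIC ID(SYSPROG1) ACCESS(ALTER)
PERMIT 'SYS2.RTCS.POSZLINK' GENERIC ID(SYSPROG1) ACCESS(ALTER)
PERMIT 'SYS2.RTCS.POSZHTML' GENERIC ID(SYSPROG1) ACCESS(ALTER)
PERMIT 'SYS2.RTCS.POSZPSWD' GENERIC ID(SYSPROG1) ACCESS(ALTER)
PERMIT 'SYS2.RTCS.REGISTRY' GENERIC ID(SYSPROG1) ACCESS(ALTER)
PERMIT 'SYS2.RTCS.POSZRTCS' GENERIC ID(*) DELETE
PERMIT 'SYS2.RTCS.POSZLINK' GENERIC ID(*) DELETE
PERMIT 'SYS2.RTCS.POSZHTML' GENERIC ID(*) DELETE
PERMIT 'SYS2.RTCS.POSZPSWD' GENERIC ID(*) DELETE
PERMIT 'SYS2.RTCS.REGISTRY' GENERIC ID(*) DELETE

/* 3. Generic DATASET profiles are held in storage; refresh them so   */
/*    running address spaces see the changed access lists.            */
SETROPTS GENERIC(DATASET) REFRESH

/* 4. Confirm the started-task, resource, and OMVS definitions        */
/*    resolved as intended before starting the OSZINIT, OSZRTCS, and  */
/*    OSZEXEC PROCs.                                                  */
RLIST STARTED OSZINIT.* STDATA
RLIST STARTED OSZRTCS.* STDATA
RLIST STARTED OSZEXEC.* STDATA
RLIST FACILITY CSVDYLPA.ADD.OSZ* AUTHUSER
RLIST SERVAUTH EZB.STACKACCESS.* AUTHUSER
LISTUSER OSZRTCS OMVS
LISTUSER OSZEXEC OMVS
```

If the configuration JOBs must be re-run later, re-issue the PERMIT for the system programmer's UserID rather than restoring the ID(*) entries.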
CA ACF2 example
ACF
* These commands are intended as EXAMPLES ONLY, to be edited by the
* customer system programmer or security administrator for each MVS
* image or shared ESM data base, as required by your configuration.
* The commands provided may not work at your site exactly as they
* have been illustrated here, or they may not even be necessary.
* Define a started task LOGONID for use by the RTCS Initiator.
* Take care to customize this properly for your ACF2 configuration.
* In particular, take care to properly specify the OMVS parameters.
SET LID
INSERT USING(ACFSTCID) OSZINIT -
STC NOJOB NOTSO -
NAME(RTCS Initiator) -
RESTRICT -
GROUP(SYS1)
SET PROFILE(USER) DIV(OMVS)
INSERT OSZINIT UID(07827) HOME(/) OMVSPGM(/BIN/SH)
SET PROFILE(GROUP) DIV(OMVS)
INSERT OSZINIT GID(07827)
* Define a started task LOGONID for use by the RTCS Subsystem.
* Take care to customize this properly for your ACF2 configuration.
* In particular, take care to properly specify the OMVS parameters.
SET LID
INSERT USING(ACFSTCID) OSZRTCS -
STC NOJOB NOTSO -
NAME(RTCS Subsystem) -
RESTRICT -
GROUP(SYS1)
SET PROFILE(USER) DIV(OMVS)
INSERT OSZRTCS UID(17827) HOME(/) OMVSPGM(/BIN/SH)
SET PROFILE(GROUP) DIV(OMVS)
INSERT OSZRTCS GID(17827)
* Define a started task LOGONID for use by RTCS Generalized Server (products).
* Take care to customize this properly for your ACF2 configuration.
* In particular, take care to properly specify the OMVS parameters.
SET LID
INSERT USING(ACFSTCID) OSZEXEC -
STC NOJOB NOTSO -
NAME(RTCS General Server) -
MUSASS -
RESTRICT -
GROUP(SYS1)
SET PROFILE(USER) DIV(OMVS)
INSERT OSZEXEC UID(27827) HOME(/) OMVSPGM(/BIN/SH)
SET PROFILE(GROUP) DIV(OMVS)
INSERT OSZEXEC GID(27827)
* The following command needs to be entered at the operator console:
*
* F ACF2,REBUILD(USR),CLASS(P)
* The following items document potential additions to existing data
* set rules that may be necessary for RTCS and RTCS-based products.
* The RTCS Initiator and the RTCS Subsystem need READ access to the
* RTCS Subsystem Library: SYS2.RTCS.POSZRTCS
*
* SYS2.RTCS.POSZRTCS UID(OSZINIT) R(A)
* SYS2.RTCS.POSZRTCS UID(OSZRTCS) R(A)
* The RTCS Subsystem needs READ access to the RTCS Product (License)
* Authorization Table Library: SYS2.RTCS.POSZPSWD
*
* SYS2.RTCS.POSZPSWD UID(OSZINIT) R(A)
* SYS2.RTCS.POSZPSWD UID(OSZRTCS) R(A)
* All three RTCS Started Task LOGONIDs need READ access to the
* RTCS Product Library: SYS2.RTCS.POSZLINK
*
* SYS2.RTCS.POSZLINK UID(OSZINIT) R(A)
* SYS2.RTCS.POSZLINK UID(OSZRTCS) R(A)
* SYS2.RTCS.POSZLINK UID(OSZEXEC) R(A)
* All three RTCS Started Task LOGONIDs need READ access to the
* Hypertext Doc. Library: SYS2.RTCS.POSZHTML
*
* SYS2.RTCS.POSZHTML UID(OSZINIT) R(A)
* SYS2.RTCS.POSZHTML UID(OSZRTCS) R(A)
* SYS2.RTCS.POSZHTML UID(OSZEXEC) R(A)
* The RTCS Initiator and the RTCS Subsystem need ALLOC access to the
* RTCS System Registry: SYS2.RTCS.REGISTRY
*
* SYS2.RTCS.REGISTRY UID(OSZINIT) R(A) W(A) A(A)
* SYS2.RTCS.REGISTRY UID(OSZRTCS) R(A) W(A) A(A)
* The RTCS Client Product Generalized Server Started Task LOGONID
* needs READ access to the standard JESSPOOL SYSLOG SYSOUT data set:
*
* sysname.-.SYSLOG UID(OSZEXEC) SERVICE(READ) ALLOW
* Identify APPLications defined by RTCS and RTCS client products.
* Allow access by all users in general. NOTE: By default, ACF2
* maps SAF Resource CLASS 'APPL' to ACF2 Resource Rule TYPE(SAF).
*
* SET RESOURCE(SAF)
* COMPILE * LIST STORE
* $KEY(RTCSHTTP) TYPE(SAF)
* UID(-) ALLOW
* END
* COMPILE * LIST STORE
* $KEY(EXPLORER) TYPE(SAF)
* UID(-) ALLOW
* END
* Permit RTCS Initiator and RTCS Subsystem to add OSZ modules to LPA
* using Dynamic LPA facility. NOTE: The following assumes that ACF2
* maps SAF Resource CLASS 'FACILITY' to ACF2 Resource Rule TYPE(FAC).
*
* SET RESOURCE(FAC)
* COMPILE * LIST STORE
* $KEY(CSVDYLPA) TYPE(FAC)
* ADD.OSZ- UID(OSZRTCS) ALLOW
* END
* Allow access to certain TCP/IP resources by the RTCS
* Subsystem and the RTCS HTTP Server which runs in the
* RTCS Generalized Server address space.
*
* SET RESOURCE(SER)
* COMPILE * LIST STORE
* $KEY(EZB) TYPE(SER)
* NETACCESS.- UID(OSZRTCS) SERVICE(READ) ALLOW
* NETACCESS.- UID(OSZEXEC) SERVICE(READ) ALLOW
* STACKACCESS.- UID(OSZRTCS) SERVICE(READ) ALLOW
* STACKACCESS.- UID(OSZEXEC) SERVICE(READ) ALLOW
* PORTACCESS.- UID(OSZRTCS) SERVICE(READ) ALLOW
* PORTACCESS.- UID(OSZEXEC) SERVICE(READ) ALLOW
* TN3270.- UID(OSZRTCS) SERVICE(READ) ALLOW
* TN3270.- UID(OSZEXEC) SERVICE(READ) ALLOW
* END
* In order to use the SERVAUTH SAF resource CLASS, which is
* assumed to be mapped to ACF2 rule type SER in the example
* above, the rule set for rule type 'SER' must be resident.
*
* SET Control(GSO)
* INSERT CLASMAP.SERVAUTH RESOURCE(SERVAUTH) +
* RSRCTYPE(SER) +
* ENTITYLN(64)
* CHANGE INFODIR REP TYPES(R-RSER)
* The following commands need to be entered at the operator console:
*
* F ACF2,REFRESH(GSO)
* F ACF2,REBUILD(SER)
END
CA-Top Secret example
/* These commands are intended as EXAMPLES ONLY, to be edited by the */
/* customer system programmer or security administrator for each MVS */
/* image or shared ESM data base, as required by your configuration. */
/* The commands provided may not work at your site exactly as they */
/* have been illustrated here, or they may not even be necessary. */
/* Select an available Top Secret Facility Matrix entry for use by */
/* the RTCS Subsystem and Generalized Server address spaces. It is */
/* renamed to FACILITY(RTCS), and required attributes established. */
/* In this EXAMPLE, we illustrate that the USER69 Facility Matrix */
/* entry is not already in use and has been selected for renaming. */
/* Note that a Facility Matrix entry you may already have defined */
/* (such as BBI3) for the BMC AMI Ops CAS and PASs can also be used. */
TSS MODIFY(FACILITY(USER69=NAME=RTCS))
TSS MODIFY(FACILITY(RTCS=PGM=OSZ))
TSS MODIFY(FACILITY(RTCS=KEY=0))
TSS MODIFY(FACILITY(RTCS=MULTIUSER))
TSS MODIFY(FACILITY(RTCS=NOABEND))
TSS MODIFY(FACILITY(RTCS=ACTIVE))
TSS MODIFY(FACILITY(RTCS=SIGN(M)))
TSS MODIFY(FACILITY(RTCS=NONPWR))
TSS MODIFY(FACILITY(RTCS=NOTSOC))
TSS MODIFY(FACILITY(RTCS=NOPROMPT))
TSS MODIFY(FACILITY(RTCS=RES))
TSS MODIFY(FACILITY(RTCS=MAXUSER=500))
TSS MODIFY(FACILITY(RTCS=ASUBM))
TSS MODIFY(FACILITY(RTCS=MODE=FAIL))
TSS MODIFY(FACILITY(RTCS=WARNPW))
TSS MODIFY(FACILITY(RTCS=DORMPW))
TSS MODIFY(FACILITY(RTCS=NORNDPW))
TSS MODIFY(FACILITY(RTCS=SHRPRF))
TSS MODIFY(FACILITY(RTCS=LUMSG))
TSS MODIFY(FACILITY(RTCS=STMSG))
TSS MODIFY(FACILITY(RTCS=TRACE))
TSS MODIFY(FACILITY(RTCS=LCFCMD))
/* This FACILITY Matrix Entry definition should be put in TSSPARMS */
/* to ensure that it is always defined, but MODIFY works to define */
/* the entry temporarily so that TSS does not have to be REINITed. */
/* Define an STC ACID for use by RTCS Initiator and RTCS Subsystem. */
/* Take care to customize this properly for your TSS configuration. */
TSS CREATE(OSZRTCS) +
NAME('RTCS Subsystem') +
FACILITY(STC) +
TYPE(USER) +
PASSWORD(NOPW,0) +
MASTFAC(RTCS) +
DEPT(STCPROCS)
TSS ADDTO(OSZRTCS) +
UID(17827) HOME(/) +
OMVSPGM(/BIN/SH) +
DFLTGRP(OMVSGRP) +
GROUP(OMVSGRP)
/* Define an STC ACID for use by RTCS Generalized Server (products).*/
/* Take care to customize this properly for your TSS configuration. */
TSS CREATE(OSZEXEC) +
NAME('RTCS General Server') +
FACILITY(STC) +
TYPE(USER) +
PASSWORD(NOPW,0) +
MASTFAC(RTCS) +
DEPT(STCPROCS)
TSS ADDTO(OSZEXEC) +
UID(27827) HOME(/) +
OMVSPGM(/BIN/SH) +
DFLTGRP(OMVSGRP) +
GROUP(OMVSGRP)
/* Connect these two new STC ACIDs to the STC PROCs used by them.     */
TSS ADDTO(STC) PROCNAME(OSZINIT) ACID(OSZRTCS)
TSS ADDTO(STC) PROCNAME(OSZRTCS) ACID(OSZRTCS)
TSS ADDTO(STC) PROCNAME(OSZEXEC) ACID(OSZEXEC)
/* Allow READ access by the RTCS Subsystem to RTCS Subsystem Library, */
/* the RTCS Product Library, and Hypertext Document Library PDSEs. */
TSS PERMIT(OSZRTCS) DSN(SYS2.RTCS.POSZRTCS) ACC(READ)
TSS PERMIT(OSZRTCS) DSN(SYS2.RTCS.POSZLINK) ACC(READ)
TSS PERMIT(OSZRTCS) DSN(SYS2.RTCS.POSZHTML) ACC(READ)
/* Allow READ access by the RTCS Subsystem to the */
/* Product Authorization (License) Table Library. */
TSS PERMIT(OSZRTCS) DSN(SYS2.RTCS.POSZPSWD) ACC(READ)
/* Allow ALL access by RTCS Subsystem to the RTCS System Registry. */
TSS PERMIT(OSZRTCS) DSN(SYS2.RTCS.REGISTRY) ACC(ALL)
/* Allow READ access by RTCS Client Product Generalized Server STCs */
/* to the RTCS Product Library and Hypertext Document Library PDSEs. */
TSS PERMIT(OSZEXEC) DSN(SYS2.RTCS.POSZLINK) ACC(READ)
TSS PERMIT(OSZEXEC) DSN(SYS2.RTCS.POSZHTML) ACC(READ)
/* Allow SYSLOG access by RTCS Client Product Generalized Server STCs */
TSS PERMIT(OSZEXEC) JESSPOOL(sysname.+MASTER+.SYSLOG) ACC(READ)
/* Establish minimal access for the PDSE libraries & System Registry. */
/* We set the minimum access needed by a typical non-strict customer. */
TSS PERMIT(ALL) DSN(SYS2.RTCS.POSZRTCS) ACC(NONE)
TSS PERMIT(ALL) DSN(SYS2.RTCS.POSZLINK) ACC(READ)
TSS PERMIT(ALL) DSN(SYS2.RTCS.POSZHTML) ACC(READ)
TSS PERMIT(ALL) DSN(SYS2.RTCS.POSZPSWD) ACC(READ)
TSS PERMIT(ALL) DSN(SYS2.RTCS.REGISTRY) ACC(NONE)
/* Identify applications defined by RTCS and RTCS client products */
/* and allow access by all users in general. */
TSS ADDTO(OSZRTCS) APPL(RTCSHTTP)
TSS ADDTO(OSZEXEC) APPL(EXPLORER)
TSS PERMIT(ALL) APPL(RTCSHTTP)
TSS PERMIT(ALL) APPL(EXPLORER)
/* Permit RTCS Initiator and RTCS Subsystem to add OSZ modules to */
/* LPA using Dynamic LPA facility.                                    */
TSS PERMIT(OSZRTCS) IBMFAC(CSVDYLPA.ADD.OSZ) ACC(UPDATE)
/* Permit access to certain TCP/IP resources by the RTCS */
/* Subsystem and the RTCS HTTP Server which runs in the */
/* RTCS Generalized Server address space. */
TSS PERMIT(OSZRTCS) SERVAUTH(EZB.NETACCESS) ACC(READ)
TSS PERMIT(OSZEXEC) SERVAUTH(EZB.NETACCESS) ACC(READ)
TSS PERMIT(OSZRTCS) SERVAUTH(EZB.STACKACCESS) ACC(READ)
TSS PERMIT(OSZEXEC) SERVAUTH(EZB.STACKACCESS) ACC(READ)
TSS PERMIT(OSZRTCS) SERVAUTH(EZB.PORTACCESS) ACC(READ)
TSS PERMIT(OSZEXEC) SERVAUTH(EZB.PORTACCESS) ACC(READ)
TSS PERMIT(OSZRTCS) SERVAUTH(EZB.TN3270) ACC(READ)
TSS PERMIT(OSZEXEC) SERVAUTH(EZB.TN3270) ACC(READ)