External security considerations
Task 4.3.1: Strobe Started Tasks
Your site’s z/OS security administrator should review and implement the following security requirements:
The STRTSM started task requires a user ID defined to your security product and ALTER access to the Strobe Log data set. The Session Manager must be able to read and write to the Strobe Queue, System Message and Request Group data sets. For the Strobe Log data set, the Session Manager must have WRITE access and be able to create a data set (when the Log data sets are defined as GDGs). To use the automatic Performance Profile option, the Session Manager must have the authority to:
- Submit jobs on behalf of any Strobe user.
- Read sample data sets created by any Strobe user.
- Create a print file on behalf of any Strobe user.
For z/OS systems, the Session Manager address space must also have UPDATE access to the BPX.SERVER profile in the FACILITY class so that Strobe can display the USS processes on the Active Process Section List panel. The Session Manager Address Space must have a UID of zero (UID(0)) specified in the rules of the security package (RACF, CA Top Secret, CA ACF2) you are using. This rule gives Strobe the authority to collect process information for all processes. For more information, refer to the IBM manual z/OS UNIX System Services Planning.
To enable the Strobe Session Manager (running as a superuser) to successfully call the z/OS UNIX System Service BPX1SEU, define user BPXROOT to RACF, ACF2, or CA Top Secret. This action prevents Strobe from issuing message STR6429W.
Always define the Strobe Session Manager to CA ACF2 as a Multiple-User Single Address Space System (MUSASS).
- The STRTMSAS started task requires a user ID/ACF2 logon ID defined to your security product; and if using RACF, it must have a RACF ID in the RACF started task group. Create an associated owner ID with an OMVS segment to allow use of TCP/IP for communications for the MSAS. Sample data sets are dynamically allocated and cataloged from this address space. Define any prefix used for the sample data sets to be allocated, read, written, and cataloged from the MSAS.
Upon measurement initiation, the MSAS started task creates a data set and requires authority of ACC(ALL) if using CA Top Secret or ALTER access under RACF. The data set name is composed of two Strobe parameter values found in the hlq.SSTRPARM library, plus the job name of the job being measured:
DSNAME=TSOESA /* SAMPLE DATASET NAME PREFIX */
DSNSUFX=ACME1 /* SAMPLE DATASET NAME SUFFIX */
Use DSNAME=STROBE to specify the first node of the data set name and DSNSUFX= to specify the last node of the data set name. If the measured job name is ABC1234Z, then ABC1234Z is used as the second level node for the data set name.
- The STRTSSA started task requires a user ID/ACF2 logon ID defined to your security product; and if using RACF, it must have a RACF ID in the RACF started task group (required for Strobe for Db2 licensed users).
- The STRTMNAS started task requires a user ID/ACF2 logon ID defined to your security product; and if using RACF, it must have a RACF ID in the RACF started task group. Create an associated owner ID with an OMVS segment to allow use of TCP/IP for communications for the MNAS.
Task 4.3.2: User IDs
- Any user ID that plans to generate Strobe Performance Profiles requires ALLOCATE, READ, WRITE, and CATALOG access to the sample data set naming conventions, similar to the STRTMSAS started task.
- Strobe users require READ access to the Strobe Log data set and the Strobe unauthorized load library (hlq.SSTRLOAD). They must also be able to read and write to the Strobe History and AutoStrobe data sets.
- To further control user access to Strobe, see the section entitled Access-checking. This security interface allows you to control security considerations such as the following:
- Who can use Strobe to measure jobs
- Systems on which those measurement requests can run
- Whether users can measure any job or just their own
- Who is authorized to start Strobe as a batch job
- Who has privileges to administer Strobe.
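For Task 4.3.1 and Task 4.3.2 together, the following RACF command sequence is an added example of how a security administrator might implement the requirements above; it is not part of the Strobe documentation. It assumes RACF with the STARTED class active and RACLISTed, generic data set profiles enabled, and the placeholder names STCGRP (started-task group), STRUSERS (group of Strobe users), STRHLQ (standing in for hlq) and free UIDs 7001 and 7002.

```tso
/* Added example, not from the Strobe documentation. Placeholders:      */
/* STCGRP = started-task group, STRUSERS = Strobe users, STRHLQ = hlq,  */
/* UIDs 7001/7002 = free UIDs. TSOESA is the DSNAME= prefix shown above.*/
/* 1. Groups. A data set HLQ must be a RACF-defined group (or user)     */
/*    before ADDSD will accept a profile for it.                        */
ADDGROUP STCGRP   SUPGROUP(SYS1) OWNER(SYS1)
ADDGROUP STRUSERS SUPGROUP(SYS1) OWNER(SYS1)
ADDGROUP STRHLQ   SUPGROUP(SYS1) OWNER(SYS1)
ADDGROUP TSOESA   SUPGROUP(SYS1) OWNER(SYS1)
/* 2. Protected user IDs for the started tasks (NOPASSWORD: cannot be   */
/*    used to log on). STRTSM and BPXROOT need UID(0); MSAS and MNAS    */
/*    need an OMVS segment for TCP/IP; SSA needs none.                  */
ADDUSER STRTSM   DFLTGRP(STCGRP) OWNER(STCGRP) NOPASSWORD +
        OMVS(UID(0)    HOME('/') PROGRAM('/bin/sh'))
ADDUSER BPXROOT  DFLTGRP(STCGRP) OWNER(STCGRP) NOPASSWORD +
        OMVS(UID(0)    HOME('/') PROGRAM('/bin/sh'))
ADDUSER STRTMSAS DFLTGRP(STCGRP) OWNER(STCGRP) NOPASSWORD +
        OMVS(UID(7001) HOME('/') PROGRAM('/bin/sh'))
ADDUSER STRTMNAS DFLTGRP(STCGRP) OWNER(STCGRP) NOPASSWORD +
        OMVS(UID(7002) HOME('/') PROGRAM('/bin/sh'))
ADDUSER STRTSSA  DFLTGRP(STCGRP) OWNER(STCGRP) NOPASSWORD
/* 3. STARTED class: map each started task name to its user ID.         */
RDEFINE STARTED STRTSM.*   STDATA(USER(STRTSM)   GROUP(STCGRP) TRUSTED(NO))
RDEFINE STARTED STRTMSAS.* STDATA(USER(STRTMSAS) GROUP(STCGRP) TRUSTED(NO))
RDEFINE STARTED STRTMNAS.* STDATA(USER(STRTMNAS) GROUP(STCGRP) TRUSTED(NO))
RDEFINE STARTED STRTSSA.*  STDATA(USER(STRTSSA)  GROUP(STCGRP) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* 4. Strobe Log: ALTER for the Session Manager (it creates the GDG     */
/*    generations), READ for Strobe users.                              */
ADDSD  'STRHLQ.LOG.**' UACC(NONE) OWNER(STRHLQ)
PERMIT 'STRHLQ.LOG.**' CLASS(DATASET) ID(STRTSM)   ACCESS(ALTER)
PERMIT 'STRHLQ.LOG.**' CLASS(DATASET) ID(STRUSERS) ACCESS(READ)
/* 5. Sample data sets TSOESA.jobname.ACME1: allocated, written and     */
/*    cataloged by the MSAS and by profiling users, i.e. ALTER in RACF. */
ADDSD  'TSOESA.**' UACC(NONE) OWNER(TSOESA)
PERMIT 'TSOESA.**' CLASS(DATASET) ID(STRTMSAS STRUSERS) ACCESS(ALTER)

/* 6. BPX.SERVER: UPDATE so the Session Manager can list USS processes. */
RDEFINE  FACILITY BPX.SERVER UACC(NONE)
PERMIT   BPX.SERVER CLASS(FACILITY) ID(STRTSM) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH

/* Verify the definitions before starting the tasks.                    */
RLIST   STARTED STRTSM.* STDATA
RLIST   FACILITY BPX.SERVER AUTHUSER
LISTDSD DATASET('TSOESA.**') AUTHUSER
```

Connect each Strobe user to STRUSERS with CONNECT userid GROUP(STRUSERS); the History, AutoStrobe and hlq.SSTRLOAD data sets from Task 4.3.2 take the same ADDSD/PERMIT pattern with UPDATE or READ as listed there.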