Skip to Content
Information
Limited support BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support.BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Ops Monitor for Java Environments 4.1.

Security requirements

This topic lists IBM RACF security requirements for 

BMC AMI Ops Monitor for Java Environments

. If you are running a security product other than IBM RACF, see your security product documentation for more information.

BMC AMI OpsMJE requires the following security resources:

  • OMVS segment for the user ID that runs the BMC AMI OpsMJE PAS
  • Superuser authority for the OMVS segment
  • Read access to the BPX.JOBNAME Facility
  • Read access to IBM z/OS Connect  Enterprise Edition  (z/OS Connect EE) 
  • Read access to the IBM WebSphere Liberty server

Use the following procedures to meet these requirements.

To grant superuser authority for the OMVS segment

Click here to expand...

Use one of the following methods:

  • For the user ID, grant authorized read access to BPX.SUPERUSER (the Facility class resource).

    Information
    Example
    permit BPX.SUPERUSER CLASS(FACILITY) ACCESS(READ) ID(<userID>)

  • For the user ID, grant authorized read access to SUPERUSER.PROCESS.GETPSENT (the UNIXPRIV class resource).

    Information
    Example
    permit SUPERUSER.PROCESS.GETPSENT CLASS(UNIXPRIV) ACCESS(READ) ID(<userID>)
Warning

Important

The following conditions apply to assigning UID:

  • To activate the new definitions, you might need to refresh the updated class.
  • The segment requires a nonzero user ID and a home path.

For more information, see OMVS-segment-requirements-and-ESM-definitions

To grant read access to BPX.JOBNAME

Click here to expand...

For the user ID, grant authorized read access to BPX.JOBNAME (the Facility class resource).

Information
Example
permit BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(<userID>)
Warning

Important

To activate the new definitions, you might need to refresh the updated class.

For more information, see Managing security for BMC AMI Ops products.

To grant read access to z/OS Connect EE

Click here to expand...

  1. For the z/OS Connect EE user ID, grant authorized read access to BPX.SMF (the Facility class resource).

    PERMIT BPX.SMF CLASS(FACILITY) ACCESS(READ) ID(<userID>)
    Warning

    Important

    For userID, specify the z/OS Connect EE user ID.

  2. For the BMC AMI Ops Monitor for Java Environments user ID, grant authorized read access to BBGZDFLT.ZOS (the APPL class resource).

    PE <BBGZDFLT> ID(<userID>) CLASS(APPL) ACCESS(READ
    Warning

    Important

    For userID, specify the PAS user ID. The PAS must have the appropriate security certificates associated with its user ID.

    For BBGZDFLT, specify the APPL class security prefix for the server.

To grant read access to the Liberty server

Click here to expand...

For the BMC AMI Ops Monitor for Java Environments user ID, grant authorized read access to the Liberty server (the EJBROLE class resource).

PERMIT <serverProfilePrefix>.com.ibm.ws.management.security.resource.Administrator ID(<userID>) ACCESS(READ) CLASS(EJBROLE)
PERMIT <serverProfilePrefix>.com.ibm.ws.management.security.resource.Reader ID(<userID>) ACCESS(READ) CLASS(EJBROLE)
Warning

Important

For userID, specify the PAS user ID. The PAS must have the appropriate security certificates associated with its user ID.

For serverProfilePrefix, specify profile prefix for the Liberty server.

GUID-47E5A770-A760-442A-9F5A-06872981813D-low.png

To grant RACF read access to MVS.MCSOPER.** CL(OPERCMDS)

Click here to expand...

For the user ID, grant authorized read access to MVS.MCSOPER.** CL(OPERCMDS):

PERMIT MVS.MCSOPER.** CL(OPERCMDS) ID(<userID>) ACCESS(READ

Specifying ** grants general access to MVS.MCSOPER.

Alternatively, you can grant specific access to the BMC AMI OpsMJE console. The default console name is OPSMJExx where:

  • The default console name prefix is OPSMJE. The console name prefix is specified in the EMCSPREF keyword in MJEINIxx.
  • The console name suffix given by a PAS (xx) is a value from 01 through 99.

Related topics

Defining-product-initialization-parameters

Planning

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC AMI Ops Monitor for Java Environments 3.3