Defining a user ID for the PAS
Make sure that PAS has a user ID defined to the security system (such as IBM RACF) and assigned to the PAS STC by the security system’s facilities. For RACF, update either the RACF started procedure table (ICHRIN03) or the STARTED class definition.
IBM recommends not running the PAS with UID=0. We recommend that the user ID have an OMVS segment with an assigned home directory of /. A user ID whose OMVS segment has a non-zero UID must have READ access to one of the following combinations of resources:
- FACILITY class resource BPX.SUPERUSER together with UNIXPRIV class resource SUPERUSER.PROCESS.GETPSENT
- UNIXPRIV class resources SUPERUSER.PROCESS.GETPSENT and SUPERUSER.FILESYS.VREGISTER
If the PAS user ID has BPX.SUPERUSER authority, it switches to UID=0 during startup.
If the PAS user ID has only the UNIXPRIV authorities, it switches to the default superuser ID (BPXROOT unless otherwise defined) when it requires superuser authority.
For more information, see Administering.
The following example shows how an OMVS segment might be defined for user USER1 (shown here as the operands of an ADDUSER command; use ALTUSER for an existing user ID):
ADDUSER USER1 DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/') -
PROGRAM('/bin/sh')) NOPASSWORD
The NOPASSWORD option indicates that the user ID is a protected ID that cannot be used to enter the system by using a password or password phrase. The user ID is not revoked following invalid logon attempts. Note that this example assigns UID(0), which the recommendation above advises against; to follow that recommendation, assign a non-zero UID and grant the FACILITY or UNIXPRIV authorities listed above instead.
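As an added example (not part of the product documentation), the following batch TSO job defines the PAS user ID the way the recommendation above prefers: a protected user ID with a non-zero UID, the two UNIXPRIV authorities from the second combination listed, and a STARTED class profile that assigns the user ID to the PAS started task. The user ID BBMPAS, the started-task name BBMPAS.*, the group OMVSGRP and the UID 4711 are assumptions; substitute your installation's values. With only these UNIXPRIV authorities, the PAS keeps its non-zero UID and switches to the default superuser ID (BPXROOT unless otherwise defined) only when it needs superuser authority, so that superuser ID must already exist with UID(0).

```jcl
//RACFPAS  JOB (ACCT),'PAS USER SETUP',CLASS=A,MSGCLASS=X
//*
//* Added example, not product-supplied JCL: define a protected,
//* non-UID(0) user for the PAS, grant it the UNIXPRIV authorities
//* SUPERUSER.PROCESS.GETPSENT and SUPERUSER.FILESYS.VREGISTER, and
//* assign it to the PAS started task through the STARTED class.
//*
//* Assumptions (adjust for your installation):
//*   BBMPAS   - hypothetical PAS user ID
//*   BBMPAS.* - hypothetical PAS started-task name(s)
//*   OMVSGRP  - default group that has an OMVS GID
//*   4711     - any unused non-zero UID
//*   BPXROOT (or the SUPERUSER value in BPXPRMxx) exists with UID(0)
//*   UNIXPRIV and STARTED classes are active and RACLISTed
//* If the UNIXPRIV profiles already exist, drop the two RDEFINEs.
//*
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
ADDUSER BBMPAS DFLTGRP(OMVSGRP) NOPASSWORD NAME('PAS STC') -
  OMVS(UID(4711) HOME('/') PROGRAM('/bin/sh'))
RDEFINE UNIXPRIV SUPERUSER.PROCESS.GETPSENT UACC(NONE)
RDEFINE UNIXPRIV SUPERUSER.FILESYS.VREGISTER UACC(NONE)
PERMIT SUPERUSER.PROCESS.GETPSENT CLASS(UNIXPRIV) -
  ID(BBMPAS) ACCESS(READ)
PERMIT SUPERUSER.FILESYS.VREGISTER CLASS(UNIXPRIV) -
  ID(BBMPAS) ACCESS(READ)
RDEFINE STARTED BBMPAS.* STDATA(USER(BBMPAS) GROUP(OMVSGRP) -
  TRUSTED(NO) PRIVILEGED(NO))
SETROPTS RACLIST(UNIXPRIV) REFRESH
SETROPTS RACLIST(STARTED) REFRESH
LISTUSER BBMPAS OMVS NORACF
RLIST UNIXPRIV SUPERUSER.PROCESS.GETPSENT AUTHUSER
RLIST UNIXPRIV SUPERUSER.FILESYS.VREGISTER AUTHUSER
RLIST STARTED BBMPAS.* STDATA
/*
```

Each command in SYSTSIN runs independently, so review SYSTSPRT for ICH messages after the job completes; the LISTUSER and RLIST commands at the end show the OMVS segment, the access lists and the STARTED mapping so you can confirm the result before starting the PAS. The example deliberately uses the UNIXPRIV combination rather than BPX.SUPERUSER because, as described above, BPX.SUPERUSER causes the PAS to switch to UID=0 at startup.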
If one of the PAS load libraries is not program controlled, you may get a JREnvDirty error message. Check the PAS job log for ICH420I messages such as the following:
ICH420I PROGRAM BBM9DACT FROM LIBRARY SYS1.BBI.BBLINK CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
After adding the library containing BBM9DACT (SYS1.BBI.BBLINK in the message above) to a PROGRAM class profile, make the change effective with the following RACF command:
SETROPTS WHEN(PROGRAM) REFRESH
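As an added example (not part of the product documentation), the following batch TSO job shows the complete sequence: adding the library named in the ICH420I message to the PROGRAM class, refreshing program control, and listing the profile to verify the member. It assumes the library is cataloged (so the volume serial can be omitted with //), that the installation keeps its controlled libraries in the PROGRAM ** profile (use * if that is your convention) and that this profile already exists, so RALTER rather than RDEFINE is used.

```jcl
//RACFPGM  JOB (ACCT),'PAS PROGRAM CONTROL',CLASS=A,MSGCLASS=X
//*
//* Added example, not product-supplied JCL: mark SYS1.BBI.BBLINK
//* (the library from the ICH420I message) as program controlled,
//* refresh program control, and verify the member list.
//*
//* Assumptions (adjust for your installation):
//*   The PROGRAM ** profile exists; if it does not, replace the
//*   RALTER with RDEFINE PROGRAM ** ADDMEM(...) UACC(READ).
//*   The library is cataloged, so // stands in for the volser.
//*   NOPADCHK means no program-accessed data set checking is done
//*   for modules loaded from this library.
//*   Program control is already active (SETROPTS WHEN(PROGRAM)).
//*
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RALTER PROGRAM ** ADDMEM('SYS1.BBI.BBLINK'//NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
RLIST PROGRAM ** ALL
/*
```

The address space becomes uncontrolled as soon as any module is loaded from a library that is not program controlled, so repeat the ADDMEM for every library in the PAS STEPLIB or JOBLIB concatenation, not only the one named in the first ICH420I message, and restart the PAS after the refresh so it is checked from a clean state.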
Alternatively, you can bypass the program control check that z/OS UNIX performs for modules loaded from MVS data sets (regular load libraries). This approach reduces the security of those modules, because the PAS can then load uncontrolled programs from them while keeping its daemon authority; modules loaded from the z/OS UNIX file system remain subject to program control, and the bypass itself is controlled by READ access to a FACILITY class profile. It can be implemented as follows:
PERMIT BPX.DAEMON.HFSCTL CLASS(FACILITY) ID(pas_userid) ACCESS(READ)
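As an added example (not part of the product documentation), the following batch TSO job applies the bypass end to end: it defines the FACILITY profile with no universal access and full audit, permits only the PAS user ID, refreshes the in-storage FACILITY profiles so the PERMIT takes effect, and lists the access list for verification. BBMPAS is a hypothetical PAS user ID; the job also assumes the FACILITY class is active and RACLISTed and that BPX.DAEMON.HFSCTL is not yet defined (drop the RDEFINE if it is).

```jcl
//RACFHFS  JOB (ACCT),'PAS HFSCTL BYPASS',CLASS=A,MSGCLASS=X
//*
//* Added example, not product-supplied JCL: let the PAS user load
//* modules from MVS load libraries that are not program controlled
//* without the daemon environment becoming uncontrolled.
//*
//* Assumptions (adjust for your installation):
//*   BBMPAS - hypothetical PAS user ID
//*   FACILITY class is active and RACLISTed
//*   BPX.DAEMON.HFSCTL not yet defined (drop RDEFINE if it exists)
//* UACC(NONE) limits the bypass to the PAS user; AUDIT(ALL(READ))
//* logs every use of the profile because it weakens program control.
//*
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RDEFINE FACILITY BPX.DAEMON.HFSCTL UACC(NONE) AUDIT(ALL(READ))
PERMIT BPX.DAEMON.HFSCTL CLASS(FACILITY) ID(BBMPAS) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY BPX.DAEMON.HFSCTL AUTHUSER
/*
```

Without the SETROPTS RACLIST(FACILITY) REFRESH the PERMIT is not seen by z/OS UNIX, and the PAS must be restarted for the new authority to apply. Because this profile only relaxes the check for MVS load libraries, programs in the z/OS UNIX file system still need the program-controlled extended attribute; if you later bring all PAS libraries under program control, remove the PERMIT again so the bypass does not outlive its purpose.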