Limited support

BMC provides limited support for this version of the product. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Ops Infrastructure 7.1.

Setting up IBM RACF


If RACF is your primary external security manager (ESM), you must perform the following procedures to support the Security interface:

  • Authorize the CAS and PAS started tasks.
  • Add a SAF resource class (optional).

For complete information about administering RACF, refer to your RACF documentation.

To authorize the CAS and PAS started tasks

  1. Define user IDs for the CAS and PAS by using RACF commands, such as:

     ADDUSER BBMCAS DFLTGRP(SYSMGMT) OWNER(SYSPROG)
     ADDUSER BBMPAS DFLTGRP(SYSMGMT) OWNER(SYSPROG)

    Note

    To access UNIX System Services data, the MainView for Unix System Services PAS must have superuser authority. The PAS requires that a user ID be defined to the security system (such as RACF) and assigned to the PAS STC by the security system’s facilities.

    For RACF, this means updating either the RACF started procedure table (ICHRIN03) or the STARTED class definition. The STARTED class is the simpler choice: it is maintained with RACF commands and refreshed with SETROPTS RACLIST(STARTED) REFRESH, whereas ICHRIN03 must be reassembled and takes effect only at IPL. The user ID that is assigned must have an OMVS segment with a home directory of / and one of the following UID assignments:

    • UID=0 specifically assigned (superuser authority)
    • A non-zero UID assigned, but the user ID permitted READ access to security resource BPX.SUPERUSER in class FACILITY

    The PAS will then switch to an effective UID of 0 at startup.

  2. Define the CAS and PAS started tasks. The following RACF commands show how to associate the user IDs that were defined in Step 1 with a specific started task procedure name. In this example, the procedure names are BBICAS and BBIPAS:

     RDEFINE STARTED BBICAS.* OWNER(SYSPROG) +
        STDATA(USER(BBMCAS) GROUP(SYSMGMT))
     RDEFINE STARTED BBIPAS.* OWNER(SYSPROG) +
        STDATA(USER(BBMPAS) GROUP(SYSMGMT))
     SETROPTS RACLIST(STARTED) REFRESH
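The two steps above as a single batch job, an added example that is not BMC's own sample and not part of the original page. It runs the RACF commands under IKJEFT01 (TSO in batch) so the whole setup can be reviewed and re-run as one unit. It assumes the group SYSMGMT and the owner SYSPROG already exist, uses the procedure names BBICAS and BBIPAS from the text, and takes the second option from the note (a non-zero UID plus READ on BPX.SUPERUSER) instead of a hard-coded UID(0). The job card, the NAME text and the UID value 4712 are placeholders; adjust them to site standards.

```jcl
//RACFDEF  JOB (ACCT),'BMC CAS/PAS RACF',CLASS=A,MSGCLASS=X
//* Added example, not part of the BMC documentation.
//* Job card, NAME text and UID(4712) are placeholders.
//*
//* Step 1: define protected (NOPASSWORD NOOIDCARD) user IDs for the
//*         started tasks, so nobody can log on with them. The PAS user
//*         gets an OMVS segment with HOME('/') and a non-zero UID, and
//*         is permitted READ to BPX.SUPERUSER so it can switch to UID 0
//*         at startup (second option in the note above).
//* Step 2: map the procedure names to the user IDs with STARTED
//*         profiles. TRUSTED(NO) PRIVILEGED(NO) are the defaults, but
//*         are spelled out so the tasks get no blanket authority.
//* Last:   display the results so the setup can be checked.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER BBMCAS DFLTGRP(SYSMGMT) OWNER(SYSPROG) +
     NOPASSWORD NOOIDCARD NAME('BMC CAS STC')
  ADDUSER BBMPAS DFLTGRP(SYSMGMT) OWNER(SYSPROG) +
     NOPASSWORD NOOIDCARD NAME('BMC PAS STC') +
     OMVS(UID(4712) HOME('/') PROGRAM('/bin/sh'))
  PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(BBMPAS) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RDEFINE STARTED BBICAS.* OWNER(SYSPROG) +
     STDATA(USER(BBMCAS) GROUP(SYSMGMT) TRUSTED(NO) PRIVILEGED(NO))
  RDEFINE STARTED BBIPAS.* OWNER(SYSPROG) +
     STDATA(USER(BBMPAS) GROUP(SYSMGMT) TRUSTED(NO) PRIVILEGED(NO))
  SETROPTS RACLIST(STARTED) REFRESH
  LISTUSER BBMPAS OMVS NORACF
  RLIST STARTED BBIPAS.* STDATA
  RLIST FACILITY BPX.SUPERUSER AUTHUSER
/*
```

Check the SYSTSPRT output: LISTUSER should show the OMVS segment with HOME(/) and the expected UID, RLIST STARTED should show USER= BBMPAS and GROUP= SYSMGMT, and the AUTHUSER list for BPX.SUPERUSER should contain only the IDs that are supposed to be able to become superuser. If the FACILITY class is not RACLISTed at your site, the SETROPTS RACLIST(FACILITY) REFRESH line is unnecessary and can be dropped.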

To add a SAF resource class (optional)

Note

  • If you are using the resource CLASS name FACILITY, you can skip this step.
  • If you want to specify a resource CLASS name other than FACILITY (as described in Identifying-the-security-class), you must add the SAF resource CLASS name to the RACF class descriptor table. You can do this statically, by adding the class to ICHRRCDE (with a matching entry in the RACF router table, ICHRFR01), or dynamically through the CDT class, which is the method shown in the following steps and does not require reassembling ICHRRCDE.
  1. Define the new resource CLASS name in the RACF dynamic class descriptor table (CDT), by issuing the following command:

    RDEFINE CDT class                                      -
               CDTINFO( MAXLENGTH(64) DEFAULTUACC(NONE)       -
                        FIRST(ALPHA)  CASE(UPPER)             -
                        OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) -
                        POSIT(301) RACLIST(REQUIRED)          -
                        GENERIC(ALLOWED) GENLIST(ALLOWED)     -
                        OPERATIONS(YES)                       -
                      ) UACC(NONE)

    Guidelines for this command are as follows:

    • BMC suggests MAXLENGTH(64). The required minimum length is 39. Some product resource names, however, are longer when using certain options.
    • BMC suggests CASE(UPPER). Some products generate resource ENTITY names with lowercase characters. If you monitor subsystems that have resources and objects defined in mixed case, you should specify CASE(ASIS).
    • The value used for the POSIT() parameter must be selected appropriately for each MVS system and RACF database. Classes that share a POSIT value share their SETROPTS settings (CLASSACT, RACLIST, GENERIC, and so on), so choose a value that no other class uses unless you intend that sharing. RACF reserves POSIT values 19 through 56 and 128 through 527 for installation-defined classes; the 301 in the example is only an illustration. Use the same value on every system that shares the RACF database.
  2. Activate the dynamic CDT (if it is not already active) or refresh it, by using one of the following commands:

     SETROPTS CLASSACT(CDT) RACLIST(CDT)

     SETROPTS RACLIST(CDT) REFRESH

  3. Activate a new resource class by issuing the following RACF commands for each resource class name:

     SETROPTS GENERIC(class) GENCMD(class)

     SETROPTS CLASSACT(class) RACLIST(class)
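The three steps above carried through for one concrete class, as an added example that is not BMC's own sample and not part of the original page. It assumes a placeholder class name of $BMCSAF, the placeholder POSIT value 301 from the text, a group SYSMGMT for the product administrators and owner SYSPROG; the job card is also a placeholder. The catch-all ** profile and the PERMIT are illustrative: the real resource names and access levels for the product come from Identifying-the-security-class and the product's security documentation, not from this example.

```jcl
//RACFCDT  JOB (ACCT),'BMC SAF CLASS',CLASS=A,MSGCLASS=X
//* Added example, not part of the BMC documentation.
//* $BMCSAF, POSIT(301), SYSMGMT, SYSPROG and the job card are placeholders.
//*
//* 1. Define the class in the dynamic CDT (the RDEFINE from the text).
//* 2. Activate the CDT class, or refresh it if it is already active.
//* 3. Enable generics and activate/RACLIST the new class.
//* Then define a catch-all ** profile with UACC(NONE) so every resource
//* in the class resolves to some profile (no "resource not defined"
//* results) and failed accesses are logged, permit the administrators
//* group as an illustration, refresh, and display what was created.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CDT $BMCSAF UACC(NONE) +
     CDTINFO(MAXLENGTH(64) DEFAULTUACC(NONE) +
             FIRST(ALPHA) CASE(UPPER) +
             OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) +
             POSIT(301) RACLIST(REQUIRED) +
             GENERIC(ALLOWED) GENLIST(ALLOWED) +
             OPERATIONS(YES))
  SETROPTS CLASSACT(CDT) RACLIST(CDT)
  SETROPTS RACLIST(CDT) REFRESH
  SETROPTS GENERIC($BMCSAF) GENCMD($BMCSAF)
  SETROPTS CLASSACT($BMCSAF) RACLIST($BMCSAF)
  RDEFINE $BMCSAF ** UACC(NONE) OWNER(SYSPROG) AUDIT(FAILURES(READ))
  PERMIT ** CLASS($BMCSAF) ID(SYSMGMT) ACCESS(READ)
  SETROPTS RACLIST($BMCSAF) REFRESH
  RLIST CDT $BMCSAF CDTINFO
  RLIST $BMCSAF ** AUTHUSER
  SETROPTS LIST
/*
```

In the SYSTSPRT output, RLIST CDT should echo the CDTINFO values you specified, and SETROPTS LIST should show $BMCSAF in the ACTIVE CLASSES, GENERIC PROFILE CLASSES, GENERIC COMMAND CLASSES and RACLIST CLASSES lists. Because the class is RACLIST(REQUIRED), any later profile or PERMIT change in it takes effect only after another SETROPTS RACLIST($BMCSAF) REFRESH.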

 
