Limited support

BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Ops Monitor for Java Environments 4.1.

Security requirements


This topic lists IBM RACF security requirements for MainView for Java Environments. If you are running a security product other than IBM RACF, see your security product documentation for more information.

MainView for Java Environments requires the following security resources:

  • OMVS segment for the user ID that runs the MainView for Java Environments PAS
  • Superuser authority for the OMVS segment
  • Read access to the BPX.JOBNAME Facility
  • Read access to IBM z/OS Connect Enterprise Edition (z/OS Connect EE)
  • Read access to the IBM WebSphere Liberty server
  • Program control access to MainView for Java Environments
  • JMX access to an IBM CICS WLP server

Use the following procedures to meet these requirements.

To grant superuser authority for the OMVS segment


Use one of the following methods:

  • For the user ID, grant authorized read access to BPX.SUPERUSER (the Facility class resource).

    Example
    permit BPX.SUPERUSER CLASS(FACILITY) ACCESS(READ) ID(<userID>)
  • For the user ID, grant authorized read access to SUPERUSER.PROCESS.GETPSENT (the UNIXPRIV class resource).

    Example
    permit SUPERUSER.PROCESS.GETPSENT CLASS(UNIXPRIV) ACCESS(READ) ID(<userID>)

Note

The following conditions apply to assigning UID:

  • To activate the new definitions, you might need to refresh the updated class.
  • The segment requires a nonzero user ID and a home path.

For more information, see OMVS segment requirements and ESM definitions.

To grant read access to BPX.JOBNAME


For the user ID, grant authorized read access to BPX.JOBNAME (the Facility class resource).

Example
permit BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(<userID>)

Note

To activate the new definitions, you might need to refresh the updated class.

For more information, see Managing security for MainView products.

To grant read access to z/OS Connect EE

  1. For the z/OS Connect EE user ID, grant authorized read access to BPX.SMF (the Facility class resource).

    PERMIT BPX.SMF CLASS(FACILITY) ACCESS(READ) ID(<userID>)

    Note

    For userID, specify the z/OS Connect EE user ID.

  2. For the MainView for Java Environments user ID, grant authorized read access to BBGZDFLT.ZOS (the Facility class resource).

    PE <BBGZDFLT> ID(<userID>) CLASS(APPL) ACCESS(READ)

    Notes

    For userID, specify the PAS user ID. The PAS must have the appropriate security certificates associated with its user ID.

    For BBGZDFLT, specify the APPL class security prefix for the server.

To grant read access to the Liberty server


For the MainView for Java Environments user ID, grant authorized read access to the Liberty server (the EJBROLE class resource).

PERMIT <serverProfilePrefix>.com.ibm.ws.management.security.resource.Administrator ID(<userID>) ACCESS(READ) CLASS(EJBROLE)
PERMIT <serverProfilePrefix>.com.ibm.ws.management.security.resource.Reader ID(<userID>) ACCESS(READ) CLASS(EJBROLE)

Notes

For userID, specify the PAS user ID. The PAS must have the appropriate security certificates associated with its user ID.

For serverProfilePrefix, specify the profile prefix for the Liberty server.


To grant program control access to MainView for Java Environments


Issue the following commands:

RALTER PROGRAM * ADDMEM('<bblinkdsn>'//NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH

Note

For <bblinkdsn>, specify the BBLINK data set name.

To grant JMX access to a CICS WLP server


To access JMX in a CICS Liberty server, the PAS makes an HTTP request. The request uses the DFHJSJTHP program to create a pthread in the server. The MVJE PAS must be allowed to access the transaction that runs the program. The default transaction is CJSA.

Depending on the value specified for the SECPRFX parameter in the system initialization table (SIT), issue one of the following RACF PERMIT commands:

  • If you specified SECPRFX=NO, specify the following command:

    Permit CJSA CLASS(TCICSTRN) ID(<userId>) ACCESS(READ)
  • If you specified SECPRFX=secprfx, specify the following command:

    Permit <secprfx>.CJSA CLASS(TCICSTRN) ID(<userId>) ACCESS(READ)
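The procedures in this topic, taken together, as one added example that is not part of the BMC documentation or of the product: a Python script that renders the complete set of RACF commands for a PAS from one set of site values, so that the PERMIT commands can be reviewed before they are issued. The sample values (user IDs MVJEPAS and ZCEESRV, APPL prefix BBGZDFLT, data set name MVJE.V41.BBLINK, SECPRFX value CICSPRD) are constructed for illustration. The script adds a SETROPTS RACLIST(...) REFRESH for each class it touches, because the topic notes that the updated class may need refreshing; the user ID and data set name checks follow the standard RACF and MVS naming rules, and they reject the typographic quotes that sometimes get pasted into the RALTER command.

```python
"""Render the RACF commands for a MainView for Java Environments PAS.

Added example, not BMC documentation or product code. All values in
SAMPLE are constructed; check_userid/check_dsn apply the standard RACF
user ID and MVS data set naming rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# RACF user ID: 1-8 characters from A-Z, 0-9, @ # $; not starting with a digit.
_USERID_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$]{0,7}$")
# MVS data set name: qualifiers of 1-8 characters, 44 characters in total.
_DSN_RE = re.compile(r"^[A-Z@#$][A-Z0-9@#$-]{0,7}(\.[A-Z@#$][A-Z0-9@#$-]{0,7})*$")

_ADMIN_ROLE = "com.ibm.ws.management.security.resource.Administrator"
_READER_ROLE = "com.ibm.ws.management.security.resource.Reader"


@dataclass(frozen=True)
class SiteValues:
    pas_userid: str                 # user ID that runs the MVJE PAS
    zcee_userid: str                # z/OS Connect EE server user ID
    appl_prefix: str                # APPL class prefix of the server (BBGZDFLT by default)
    server_profile_prefix: str      # EJBROLE profile prefix of the Liberty server
    bblink_dsn: str                 # BBLINK load library data set name
    secprfx: Optional[str] = None   # CICS SIT SECPRFX value; None means SECPRFX=NO
    superuser_via_unixpriv: bool = False  # use SUPERUSER.PROCESS.GETPSENT instead of BPX.SUPERUSER


def is_valid_userid(userid: str) -> bool:
    return bool(_USERID_RE.match(userid))


def is_valid_dsn(dsn: str) -> bool:
    # A name pasted with curly quotes, or longer than 44 characters, fails here.
    return len(dsn) <= 44 and bool(_DSN_RE.match(dsn))


def check_userid(userid: str) -> str:
    if not is_valid_userid(userid):
        raise ValueError(f"not a valid RACF user ID: {userid!r}")
    return userid


def check_dsn(dsn: str) -> str:
    if not is_valid_dsn(dsn):
        raise ValueError(f"not a valid data set name: {dsn!r}")
    return dsn


def permit(resource: str, racf_class: str, userid: str) -> str:
    """One PERMIT granting READ access to a discrete profile."""
    return f"PERMIT {resource} CLASS({racf_class}) ID({check_userid(userid)}) ACCESS(READ)"


def superuser_commands(site: SiteValues) -> List[str]:
    if site.superuser_via_unixpriv:
        return [permit("SUPERUSER.PROCESS.GETPSENT", "UNIXPRIV", site.pas_userid)]
    return [permit("BPX.SUPERUSER", "FACILITY", site.pas_userid)]


def jobname_commands(site: SiteValues) -> List[str]:
    return [permit("BPX.JOBNAME", "FACILITY", site.pas_userid)]


def zcee_commands(site: SiteValues) -> List[str]:
    # BPX.SMF goes to the z/OS Connect EE user ID; the APPL profile to the PAS user ID.
    return [
        permit("BPX.SMF", "FACILITY", site.zcee_userid),
        permit(site.appl_prefix, "APPL", site.pas_userid),
    ]


def liberty_commands(site: SiteValues) -> List[str]:
    p = site.server_profile_prefix
    return [
        permit(f"{p}.{_ADMIN_ROLE}", "EJBROLE", site.pas_userid),
        permit(f"{p}.{_READER_ROLE}", "EJBROLE", site.pas_userid),
    ]


def program_control_commands(site: SiteValues) -> List[str]:
    # Straight apostrophes around the data set name; curly quotes are rejected by check_dsn.
    return [
        f"RALTER PROGRAM * ADDMEM('{check_dsn(site.bblink_dsn)}'//NOPADCHK)",
        "SETROPTS WHEN(PROGRAM) REFRESH",
    ]


def cics_jmx_commands(site: SiteValues) -> List[str]:
    # SECPRFX=NO: plain transaction name; SECPRFX=value: value.CJSA.
    tran = "CJSA" if site.secprfx is None else f"{site.secprfx}.CJSA"
    return [permit(tran, "TCICSTRN", site.pas_userid)]


def refresh_commands(commands: List[str]) -> List[str]:
    """One SETROPTS RACLIST refresh per class touched, in first-use order."""
    classes: List[str] = []
    for cmd in commands:
        m = re.search(r"CLASS\((\w+)\)", cmd)
        if m and m.group(1) not in classes:
            classes.append(m.group(1))
    return [f"SETROPTS RACLIST({c}) REFRESH" for c in classes]


def render(site: SiteValues) -> List[str]:
    commands = (
        superuser_commands(site) + jobname_commands(site) + zcee_commands(site)
        + liberty_commands(site) + program_control_commands(site) + cics_jmx_commands(site)
    )
    return commands + refresh_commands(commands)


# Constructed sample site values (not from any real system).
SAMPLE = SiteValues(
    pas_userid="MVJEPAS",
    zcee_userid="ZCEESRV",
    appl_prefix="BBGZDFLT",
    server_profile_prefix="BBGZDFLT",
    bblink_dsn="MVJE.V41.BBLINK",
    secprfx="CICSPRD",
)

if __name__ == "__main__":
    for line in render(SAMPLE):
        print(line)
```

Running the script prints the thirteen commands for the sample site in the order the topic presents them, followed by the RACLIST refreshes for FACILITY, APPL, EJBROLE and TCICSTRN. Whether a given class actually needs the refresh depends on whether it is RACLISTed on your system, which is why the topic says you "might" need it.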

