Limited support

BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Ops Monitor for UNIX System Services 6.4.

Defining a user ID for the PAS


To access UNIX System Services data, the MainView for UNIX System Services product address space (PAS) must have superuser authority.

The PAS requires that a user ID be defined to the security system (such as IBM RACF) and assigned to the PAS STC by the security system’s facilities.

For RACF, update either the RACF started procedure table (ICHRIN03) or the STARTED class definition. The user ID that is assigned must have an OMVS segment with a home directory of / and UID=0 assigned.

Note

If the user ID has an OMVS segment with a non-zero UID assigned, the user ID must have READ access to security resource BPX.SUPERUSER in class FACILITY.

Subsequently, the PAS switches to a UID of 0 at startup.

For more information, see OMVS segment requirements and ESM definitions.

Following is an example of how an OMVS segment might be defined for user MVUSSD:

ADDUSER MVUSSD
DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/')
PROGRAM('/bin/sh')) NOPASSWORD

The NOPASSWORD option indicates that the user ID is a protected ID that cannot be used to enter the system by using a password or password phrase. The user ID will not be revoked due to invalid logon attempts.

Note

If the BPX.DAEMON FACILITY class profile is defined, the user ID needs READ access to security resource BPX.DAEMON, as follows:

PERMIT BPX.DAEMON CLASS(FACILITY) ID(MVUSSD) ACCESS(READ)

The PAS requires daemon authority to switch user IDs when running UNIX actions.

If one of your load libraries is not program controlled, the PAS may issue a JREnvDirty error message. Check the PAS joblog for ICH420I messages like the following:

ICH420I PROGRAM BBM9DACT FROM LIBRARY SYS1.BBI.BBLINK CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.

You can add the PROGRAM CONTROL status to the library containing BBM9DACT by using the following RACF commands:

RALTER PROGRAM * ADDMEM('SYS1.BBI.BBLINK'//NOPADCHK)
SETROPTS WHEN(PROGRAM) REFRESH
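The following is an added example, not BMC's own code: it scans PAS joblog text for the ICH420I message described above, collects every library that caused the environment to become uncontrolled, and generates the RALTER/SETROPTS commands to give each library PROGRAM CONTROL status. The joblog lines are constructed for the example; the program name EXAMPLE2 and the data set USER.LOADLIB are placeholders.

```python
import re
from collections import OrderedDict

# Layout of the ICH420I message as it appears in the PAS joblog.
ICH420I_RE = re.compile(
    r"ICH420I PROGRAM (?P<program>\S+) FROM LIBRARY (?P<library>\S+) "
    r"CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED"
)


def find_uncontrolled_libraries(joblog_lines):
    """Return {library: [programs]} for every ICH420I message found.
    Libraries are kept in order of first appearance so the generated
    commands are deterministic; duplicate program names are folded."""
    found = OrderedDict()
    for line in joblog_lines:
        m = ICH420I_RE.search(line)
        if m:
            programs = found.setdefault(m.group("library"), [])
            if m.group("program") not in programs:
                programs.append(m.group("program"))
    return found


def racf_program_control_commands(libraries):
    """Build one RALTER per uncontrolled library (NOPADCHK, as on the page)
    followed by the single SETROPTS refresh that activates the change."""
    cmds = [f"RALTER PROGRAM * ADDMEM('{lib}'//NOPADCHK)" for lib in libraries]
    if cmds:
        cmds.append("SETROPTS WHEN(PROGRAM) REFRESH")
    return cmds


# Constructed sample joblog (not a real capture). The first two lines mirror
# the message pair quoted on the page; the rest are placeholders.
SAMPLE_JOBLOG = """\
ICH420I PROGRAM BBM9DACT FROM LIBRARY SYS1.BBI.BBLINK CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
BPXP014I ENVIRONMENT MUST BE CONTROLLED FOR DAEMON (BPX.DAEMON) PROCESSING.
ICH420I PROGRAM EXAMPLE2 FROM LIBRARY SYS1.BBI.BBLINK CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
ICH420I PROGRAM BBM9DACT FROM LIBRARY SYS1.BBI.BBLINK CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
ICH420I PROGRAM EXAMPLE2 FROM LIBRARY USER.LOADLIB CAUSED THE ENVIRONMENT TO BECOME UNCONTROLLED.
""".splitlines()

if __name__ == "__main__":
    libs = find_uncontrolled_libraries(SAMPLE_JOBLOG)
    for lib, programs in libs.items():
        print(f"{lib}: {', '.join(programs)}")
    print("\n".join(racf_program_control_commands(libs)))
```

Review the generated list before issuing the commands: every library added to the PROGRAM class profile becomes trusted for daemon processing, so only the PAS's own load libraries belong on it.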

Alternatively, you can bypass the module access checking from USS for non-USS data sets (regular load libraries).

This approach reduces the security of these modules, but access to the FACILITY profile that allows the bypass is itself controlled. It can be implemented as follows:

RDEFINE FACILITY BPX.DAEMON.HFSCTL UACC(NONE) OWNER(IBMUSER)
PERMIT BPX.DAEMON.HFSCTL CLASS(FACILITY) ID(pas_userid) ACCESS(READ)

Tip

To keep the environment controlled, you do not need to define programs that reside in the system link pack area (LPA, PLPA, FLPA, MLPA, dynamic LPA), because RACF always considers those programs controlled.
