Configuring the Liberty server angel process

The angel process provides authorized services to WebSphere® Application Server WebSphere Liberty Profile servers.

The angel process is started from the MVS™ console. You can start an angel process that is dedicated to zRule Execution Server for z/OS instances by using the WebSphere Liberty Profile capability known as named angels. This topic shows how to start an angel with the name HBRZANGL.
Note: The zRule Execution Server for z/OS should specify the property HBRWLPANGELNAME=HBRZANGL so that it uses the named angel as described in this topic.

The angel process started task

The angel process started task JCL procedure is shipped with Operational Decision Manager for z/OS in the ++HBRINSTPATH++ directory.

Procedure

  1. Copy the JCL to a JES procedure library, for example:
    cp -S d=.jcl ++HBRINSTPATH++/zexecutionserver/wlp/templates/zos/procs/bbgzangl.jcl "//'SYS1.PROCLIB(HBRZANGL)'"
  2. Edit the JCL and change:
    1. The Job name from BBGZANGL to HBRZANGL
    2. The ROOT variable to the value ++HBRINSTPATH++/zexecutionserver/wlp. For example: SET ROOT='/usr/lpp/zDM/V8R10MX/zexecutionserver/wlp'

The angel process started task SAF rules

The WebSphere Liberty Profile server requires multiple SAF profiles in the STARTED and SERVER classes. Proceed as follows to create them.

Procedure

  1. The user ID that the angel process runs under needs the SAF STARTED profile, for example:
    RDEFINE STARTED HBRZANGL.* UACC(NONE) STDATA(USER(<WLPUSER>) GROUP(<WLPGROUP>) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
    SETROPTS RACLIST(STARTED) REFRESH

    The Operational Decision Manager for z/OS zRule Execution Server for z/OS embedded WebSphere Liberty server runs under the authority of the zRule Execution Server for z/OS started task user ID. This user ID needs to be able to connect to the angel process to use authorized services.

  2. To allow the zRule Execution Server for z/OS embedded WebSphere Liberty server to connect to the angel process, create a profile for the angel process in the SERVER class. Give the zRule Execution Server for z/OS started task user ID (<HBRSSID_USER>) authority to access it, for example, in RACF®:
    RDEFINE SERVER BBG.ANGEL.HBRZANGL UACC(NONE)
    PERMIT BBG.ANGEL.HBRZANGL CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
  3. To allow a WebSphere Liberty server to use the z/OS® authorized services, create a SERVER profile for the authorized module BBGZSAFM and give the zRule Execution Server for z/OS started task user ID (<HBRSSID_USER>) authority to access the profile, for example, in RACF:
    RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
    PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
  4. To allow the zRule Execution Server for z/OS WebSphere Liberty server to access the services necessary for security, create a profile for the SAF authorized user registry services and SAF authorization services (SAFCRED) in the SERVER class. Give the zRule Execution Server for z/OS started task user ID (<HBRSSID_USER>) authority to access it, for example, in RACF:
    RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
    PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
  5. When you use a type 2 JDBC driver, you must enable the RRS transaction services (TXRRS) in RACF:
    RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
    PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
  6. Refresh the SERVER resource:
    SETROPTS RACLIST(SERVER) REFRESH

For more information, see: Enabling z/OS authorized services in Liberty for z/OS
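
As an added example (not part of the IBM procedure or product), the following Python lint checks a batch of RACF commands against the settings used in the steps above before the batch is submitted: UACC(NONE) on every profile, READ granted only to the server user ID, the three required SERVER profiles, and a RACLIST refresh after each change. The function names and the IDs WLPSTC, WLPGRP, and HBRSRV are constructed for illustration.

```python
import re

# SERVER profiles the procedure creates; TXRRS (type 2 JDBC only) is optional.
REQUIRED = ("BBG.ANGEL.{angel}", "BBG.AUTHMOD.BBGZSAFM",
            "BBG.AUTHMOD.BBGZSAFM.SAFCRED")

def operand(cmd, keyword):
    """Return the value of KEYWORD(value) in a RACF command, or None."""
    m = re.search(rf"\b{keyword}\(([^()]*)\)", cmd)
    return m.group(1) if m else None

def audit(commands, angel, server_id):
    """Lint a batch of RACF commands; return a list of finding strings."""
    findings, granted, stale = [], set(), set()
    for raw in commands:
        cmd = " ".join(raw.upper().split())
        verb, _, rest = cmd.partition(" ")
        if verb == "RDEFINE":
            cls, profile = rest.split()[:2]
            stale.add(cls)  # class needs a RACLIST refresh after this change
            if operand(cmd, "UACC") != "NONE":
                findings.append(f"{profile}: UACC(NONE) not specified")
            flags = (operand(cmd, "PRIVILEGED"), operand(cmd, "TRUSTED"))
            if cls == "STARTED" and "YES" in flags:
                findings.append(f"{profile}: PRIVILEGED or TRUSTED is YES")
        elif verb == "PERMIT":
            profile = rest.split()[0]
            stale.add(operand(cmd, "CLASS") or "DATASET")  # PERMIT default class
            user, access = operand(cmd, "ID"), operand(cmd, "ACCESS")
            if (user, access) == (server_id.upper(), "READ"):
                granted.add(profile)
            else:
                findings.append(f"{profile}: unexpected {access} for {user}")
        elif verb == "SETROPTS" and "REFRESH" in rest.split():
            stale.discard(operand(cmd, "RACLIST"))
    for p in (n.format(angel=angel.upper()) for n in REQUIRED):
        if p not in granted:
            findings.append(f"{p}: no READ permit for {server_id}")
    return findings + [f"{c}: no SETROPTS RACLIST({c}) REFRESH after change"
                       for c in sorted(stale)]

# Constructed input: the page's commands with made-up IDs WLPSTC/WLPGRP/HBRSRV.
PAGE_BATCH = ["RDEFINE STARTED HBRZANGL.* UACC(NONE) STDATA(USER(WLPSTC) "
              "GROUP(WLPGRP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))",
              "SETROPTS RACLIST(STARTED) REFRESH"]
for p in (n.format(angel="HBRZANGL") for n in REQUIRED):
    PAGE_BATCH += [f"RDEFINE SERVER {p} UACC(NONE)",
                   f"PERMIT {p} CLASS(SERVER) ACCESS(READ) ID(HBRSRV)"]
PAGE_BATCH.append("SETROPTS RACLIST(SERVER) REFRESH")
```

An empty list from audit(PAGE_BATCH, "HBRZANGL", "HBRSRV") means the batch matches the settings shown in the procedure.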

Starting the angel process started task

  1. The angel process must be running before the zRule Execution Server for z/OS starts in CONSOLE, HTDS, or TEST mode when security is enabled. To start or stop the angel process, issue the following operator commands:
    START HBRZANGL,NAME='HBRZANGL'
    STOP HBRZANGL
  2. To display the WebSphere Liberty servers that are connected to the angel process, issue the following operator command:
    MODIFY HBRZANGL,DISPLAY,SERVERS