Configuring the Liberty server angel process
The angel process provides authorized services to WebSphere® Application Server WebSphere Liberty Profile servers.
HBRZANGL
.HBRWLPANGELNAME=HBRZANGL
so that it uses the named angel as described in this topic.
The angel process started task
The angel process started task JCL procedure is shipped with Operational Decision Manager for z/OS in the ++HBRINSTPATH++ directory.
Procedure
- Copy the JCL to a JES procedure library, for example:
  cp -S d=.jcl ++HBRINSTPATH++/zexecutionserver/wlp/templates/zos/procs/bbgzangl.jcl "//'SYS1.PROCLIB(HBRZANGL)'"
- Edit the JCL and change:
  - The Job name from BBGZANGL to HBRZANGL
  - The ROOT variable to the value ++HBRINSTPATH++/zexecutionserver/wlp. For example: SET ROOT='/usr/lpp/zDM/V8R10MX/zexecutionserver/wlp'
The angel process started task SAF rules
The WebSphere Liberty Profile server requires multiple SAF profiles in the STARTED and SERVER classes. Proceed as follows to create them.
Procedure
- The user ID that the angel process runs under needs the SAF STARTED profile, for example:
  RDEFINE STARTED HBRZANGL.* UACC(NONE) STDATA(USER(<WLPUSER>) GROUP(<WLPGROUP>) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
  SETROPTS RACLIST(STARTED) REFRESH
The Operational Decision Manager for z/OS zRule Execution Server for z/OS embedded WebSphere Liberty server runs under the authority of the zRule Execution Server for z/OS started task user ID. This user ID needs to be able to connect to the angel process to use authorized services.
- To allow the zRule Execution Server for z/OS embedded WebSphere Liberty server to connect to the angel process, create a profile for the angel process in the SERVER class. Give the zRule Execution Server for z/OS started task user ID (<HBRSSID_USER>) authority to access it, for example, in RACF®:
  RDEFINE SERVER BBG.ANGEL.HBRZANGL UACC(NONE)
  PERMIT BBG.ANGEL.HBRZANGL CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
- To allow a WebSphere Liberty server to use the z/OS® authorized services, create a SERVER profile for the authorized module BBGZSAFM and give the zRule Execution Server for z/OS started task user ID (<HBRSSID_USER>) access to the profile, for example, in RACF:
  RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
  PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
- To allow the zRule Execution Server for z/OS WebSphere Liberty server to access the services necessary for security, create a profile for the SAF authorized user registry services and SAF authorization services (SAFCRED) in the SERVER class. Give the zRule Execution Server for z/OS started task user ID (<HBRSSID_USER>) authority to access it, for example, in RACF:
  RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
  PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
- When you use a type 2 JDBC driver, you must enable the RRS transaction services (TXRRS) in RACF:
  RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
  PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
- Refresh the SERVER resource:
  SETROPTS RACLIST(SERVER) REFRESH
For more information, see: Enabling z/OS authorized services in Liberty for z/OS
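As an added example (not part of the IBM procedure), the following Python check reviews a RACF command script against the SERVER class profiles listed above before the script is run: every profile defined with UACC(NONE), READ permitted only to the server user ID, and a closing refresh. It assumes one command per line with keywords spelled in full, as on this page; the user ID ODMSRV and the sample script are constructed.

```python
import re

# Profiles the page defines in the SERVER class; TXRRS only with a type 2 JDBC driver.
REQUIRED = ["BBG.ANGEL.HBRZANGL", "BBG.AUTHMOD.BBGZSAFM", "BBG.AUTHMOD.BBGZSAFM.SAFCRED"]
TXRRS = "BBG.AUTHMOD.BBGZSAFM.TXRRS"
# Constructed sample with two mistakes: UACC(READ) on SAFCRED and no final refresh.
SAMPLE = """\
RDEFINE SERVER BBG.ANGEL.HBRZANGL UACC(NONE)
PERMIT BBG.ANGEL.HBRZANGL CLASS(SERVER) ACCESS(READ) ID(ODMSRV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(ODMSRV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(ODMSRV)
"""

def operand(name, text):
    """Value of a keyword operand such as ACCESS(READ), or None if absent."""
    m = re.search(rf"\b{name}\(([^)]*)\)", text)
    return m[1].strip() if m else None

def audit(script, server_user, type2_jdbc=False):
    """Return findings for a RACF command script; an empty list means none."""
    user, uacc, grants = server_user.upper(), {}, []
    last_change = last_refresh = -1
    for n, line in enumerate(script.upper().splitlines()):
        words = line.split()
        if words[:2] == ["RDEFINE", "SERVER"] and len(words) > 2:
            uacc[words[2]], last_change = operand("UACC", line), n
        elif words[:1] == ["PERMIT"] and len(words) > 1 and operand("CLASS", line) == "SERVER":
            ids = re.split(r"[\s,]+", operand("ID", line) or "")
            # RACF grants READ when PERMIT has no ACCESS operand.
            grants.append((words[1], ids, operand("ACCESS", line) or "READ"))
            last_change = n
        elif words[:1] == ["SETROPTS"] and operand("RACLIST", line) == "SERVER" and "REFRESH" in words:
            last_refresh = n
    findings = []
    for prof in REQUIRED + ([TXRRS] if type2_jdbc else []):
        if prof not in uacc:
            findings.append(f"{prof}: profile not defined")
        elif uacc[prof] != "NONE":
            findings.append(f"{prof}: UACC({uacc[prof]}) should be UACC(NONE)")
        if not any(p == prof and user in ids and acc == "READ" for p, ids, acc in grants):
            findings.append(f"{prof}: {user} has no READ permit")
    for prof, ids, acc in grants:
        if acc != "READ" or any(i != user for i in ids):
            findings.append(f"{prof}: unexpected permit ACCESS({acc}) ID({' '.join(ids)})")
    if last_change > last_refresh:
        findings.append("SERVER class changed without a later SETROPTS RACLIST(SERVER) REFRESH")
    return findings
```

Calling audit(SAMPLE, "ODMSRV") reports the UACC(READ) on the SAFCRED profile and the missing refresh; pass type2_jdbc=True to also require the TXRRS profile.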
Starting the angel process started task
- The angel process must be running before the zRule Execution Server for z/OS starts in CONSOLE, HTDS, or TEST mode when security is enabled. To start or stop the angel process, issue the following operator commands:
  START HBRZANGL,NAME='HBRZANGL'
  STOP HBRZANGL
- To display the WebSphere Liberty servers that are connected to the angel process, issue the following operator command:
  MODIFY HBRZANGL,DISPLAY,SERVERS