Security configuration for the file system
z/OS DFSMS OAM Planning, Installation, and Storage Administration Guide for Object Support SC23-6866-00
To allow the OAM address space to access directories and files in the Unix file system hierarchy, the Security Server (RACF) or an equivalent security product must be configured with both a Unix System Services group (with an associated group ID) and a user (with an associated user ID) for the OAM started procedure. The following description assumes that the Security Server (RACF) is used, and the examples assume that the STARTED class is defined, which is the preferred method for assigning identities to started procedures such as the one you use to start the OAM address space. If you already have a group and user defined for the OAM started procedure, review your configuration against the criteria identified below; at a minimum, the group and user may need to be altered. The description below outlines the steps required to configure the Security Server (RACF) for the OAM started procedure. The group should:
The user:
The intent is that the defined user cannot be used to log in to Unix System Services. Configuration for OAM within the Unix file system hierarchy is performed by a superuser; after that point, the OAM address space (through the OAM-specific group and user) is the only entity that should have access to the directories and files containing OAM object data. The exception is a non-OAM backup mechanism, which typically relies on superuser privileges to access directories and files, so membership in the OAM-specific group is not required for it. Complete the following steps:
With this Security Server (RACF) configuration in place, when an operator starts OAM, the OAM procedure name is used to find a matching resource profile, and that resource profile provides the group and user to be associated with the OAM address space. This group and user (and the associated group ID and user ID), as well as any optional process-level Unix System Services limits defined for the user, are applied to the OAM usage of Unix System Services. The group and user associated with the OAM address space are displayed in message IEF695I. Although a process-level limit also exists to specify the CPU time that a process can use (MAXCPUTIME), this limit does not apply to the OAM address space. Instead, the OAM address space is defined by default in MVS, as well as in the Program Properties Table (PPT) by member SCHEDxx of PARMLIB, as a system task that does not time out, so no CPU time limit is applied to the OAM usage of Unix System Services. Table 1 provides examples of the commands that can be used to complete the Security Server (RACF) configuration.
Note: Although the Security Server (RACF) group and user can be different on each system within an OAMplex, the associated group ID in the OMVS segment must be the same on all systems in the OAMplex, and the associated user ID in the OMVS segment must be the same on all systems in the OAMplex.
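The following CLIST-style RACF command sequence is an added illustration of the configuration described above; it is not the page's Table 1 and not IBM-supplied code. The group name OAMGRP, user name OAMUSER, the GID and UID values, the procedure name OAM, the home directory and the FILEPROCMAX limit are all placeholders chosen for the example; check each operand against your RACF command reference and site naming standards.

```tso
/* Added example (not from the page): RACF identity for the OAM   */
/* started task's Unix System Services access. All names and      */
/* numbers below are assumed placeholders.                        */

/* 1. Group with an OMVS segment. The GID must be identical on    */
/*    every system in the OAMplex.                                */
ADDGROUP OAMGRP OMVS(GID(1234))

/* 2. Protected user: NOPASSWORD NOOIDCARD means no password can  */
/*    ever be assigned, so the identity cannot be used to log in. */
/*    The UID must also be identical across the OAMplex. Optional */
/*    process-level USS limits belong in the OMVS segment         */
/*    (FILEPROCMAX shown only as an example of such a limit).     */
ADDUSER OAMUSER DFLTGRP(OAMGRP) NOPASSWORD NOOIDCARD +
  OMVS(UID(5678) HOME('/oam') PROGRAM('/bin/false') FILEPROCMAX(2048))

/* 3. STARTED class profile. When the operator starts the OAM     */
/*    procedure, this profile supplies the user and group; the    */
/*    assignment is reported in message IEF695I.                  */
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
RDEFINE STARTED OAM.* STDATA(USER(OAMUSER) GROUP(OAMGRP) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* 4. Verify the segments and the profile before starting OAM.    */
LISTGRP  OAMGRP OMVS
LISTUSER OAMUSER OMVS
RLIST STARTED OAM.* STDATA
```

Once the OAM directories exist, a superuser assigns their ownership to OAMUSER and OAMGRP (for example with chown and chmod in the USS shell) so that only the OAM address space, and not other users, can reach the object data.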
Copyright IBM Corporation 1990, 2014