To deploy applications to an IBM® z/OS® environment, the user accounts on the agent computer must have adequate access permissions. You
must also identify specific directories and data sets to the authorized program facility.
Specific security definitions secure the UCD deployment functions for the IBM z/OS environment. This document references articles in the Knowledge Center about the security configurations for the agent started task, data sets, file systems, user IDs, and impersonation, and about the security configurations for the z/OS Utility plugin.
This document does NOT cover the UCD server’s security model or the security configurations
related to server-agent communication. Visit the Knowledge Center for additional security information.
Agent started task and agent user ID
The UrbanCode Deploy IBM z/OS agent is a long-running Java process in IBM z/OS UNIX System Services. The UrbanCode Deploy server distributes work, known as deploy processes, to an agent to execute. For each step in the deploy process, the agent starts a separate work process. The work process inherits the security environment of the agent user ID, unless the process is configured to use impersonation.
Figure 1. z/OS Server-Agent Architecture
Agent impersonation
The su command is used to impersonate users. The following figure shows a
deployment scenario where there are two logical environments, DEV and TEST, in the same LPAR. The
deployment process is configured so that the agent impersonates USERA when deploying to DEV and
USERB when deploying to TEST.
Figure 2. z/OS Agent Impersonation
Links to security related plugin documents
UrbanCode Deploy provides deployment functions that can be extended through the open plugin architecture.
Some plugins have their own security requirements. The following is a list of links to some of the
plugin documents that are security related.
Links to Knowledge Center topics for z/OS security configuration