Liberty on z/OS® offers the ability for your applications to take advantage of z/OS authorized services for System Authorization Facility (SAF) authorization, Workload Manager (WLM), Resource Recovery services (RRS), and SVCDUMP. If your application requires these services, set up a Liberty angel process and grant access for your Liberty server to use these services.
About this task
To use the z/OS Authorized Services, you can set up the following types of profiles by using a SAF security product such as RACF®:
- A SAF STARTED profile is required if you plan to run the Liberty server or the Liberty angel process as a z/OS Started Task. For more information about the Liberty angel process, see Process types on z/OS.
- A SAF SERVER profile is required if you plan to have the Liberty server access any of the z/OS Authorized Services for your applications. You can find the description of each service in the following content.
Note: If you are not planning to run the Liberty server as a Started Task and are not planning to use any of the authorized services, RACF need not be set up.
Procedure
- Create STARTED profiles for users WLPUSER0 and WLPUSER1
- Create a SERVER profile for the authorized module BBGZSAFM
- Create a SERVER profile for the authorized module BBGZSAFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to use the z/OS Authorized services. To enable a server that is running as WLPUSER1 to access the authorized module:
RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- Create SERVER profiles for the individual authorized services provided for the z/OS operating system. These profiles enable the server to invoke the individual authorized services, which are grouped by function:
- To enable the SAF authorized user registry services and SAF authorization services (SAFCRED):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the WLM services (ZOSWLM):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the RRS transaction services (TXRRS):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the SVCDUMP services (ZOSDUMP):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable optimized local adapter services:
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.LOCALCOM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.LOCALCOM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.WOLA UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.WOLA CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the IFAUSAGE services (PRODMGR):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.PRODMGR UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.PRODMGR CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the AsyncIO services (ZOSAIO):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSAIO UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSAIO CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
Note: During server startup, Liberty checks all authorized services for access. Specifying the SAFLOG=Y JCL parameter on the angel PROC causes SAF error messages to be issued for every authorized service that a server is not allowed to use.
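As an added example (not IBM's code and not part of Liberty), the Python script below lints a list of RDEF and PERMIT commands against the BBGZSAFM profile names and the UACC(NONE) / ACCESS(READ) pattern shown above. It also reports any user ID that is permitted to a service profile but not to the BBG.AUTHMOD.BBGZSAFM module profile. The function name `lint` and the sample input are constructed for illustration.

```python
import re

BASE = "BBG.AUTHMOD.BBGZSAFM"
# Service suffixes exactly as listed in the procedure on this page.
SERVICES = {"SAFCRED", "ZOSWLM", "TXRRS", "ZOSDUMP", "LOCALCOM", "WOLA", "PRODMGR", "ZOSAIO"}
RDEF = re.compile(r"RDEF\s+SERVER\s+(\S+)\s+UACC\((\w+)\)$", re.I)
PERMIT = re.compile(r"PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s*ACCESS\((\w+)\)\s+ID\((\w+)\)$", re.I)

def lint(commands):
    """Return (line_no, message) findings; line_no 0 marks a whole-file finding."""
    findings, defined, granted = [], set(), {}
    for n, raw in enumerate(commands.strip().splitlines(), 1):
        line = raw.strip()
        if m := RDEF.match(line):
            profile, uacc = m.group(1).upper(), m.group(2).upper()
            defined.add(profile)
            suffix = profile[len(BASE) + 1:]
            if profile != BASE and not (profile.startswith(BASE + ".") and suffix in SERVICES):
                findings.append((n, f"{profile}: not a profile name from the procedure"))
            if uacc != "NONE":
                findings.append((n, f"{profile}: UACC({uacc}) instead of UACC(NONE)"))
        elif m := PERMIT.match(line):
            profile, cls, access, uid = (g.upper() for g in m.groups())
            if profile not in defined:
                findings.append((n, f"{profile}: PERMIT without an RDEF for this profile"))
            if cls != "SERVER" or access != "READ":
                findings.append((n, f"{profile}: expected CLASS(SERVER) ACCESS(READ)"))
            granted.setdefault(uid, set()).add(profile)
        elif line:
            findings.append((n, "not an RDEF or PERMIT command in the page's form"))
    for uid, profiles in sorted(granted.items()):
        if BASE not in profiles:
            findings.append((0, f"{uid}: service profiles permitted but not {BASE}"))
    return findings

# Constructed sample input (not from a real system): one misspelled service,
# one open UACC, and a second user ID that lacks the module profile.
SAMPLE = """
RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWML UACC(NONE)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(wlpuser0)
"""

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"line {line_no}: {message}")
```

Running such a check before the commands are submitted catches a misspelled profile or an open UACC earlier than the SAFLOG=Y messages at server startup would.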
- Create a SERVER profile for the authorized client module BBGZSCFM
- Create a SERVER profile for the authorized client module BBGZSCFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to load the z/OS Authorized client services. To enable a server that is running as WLPUSER1 to access the authorized client module:
RDEF SERVER BBG.AUTHMOD.BBGZSCFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSCFM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- Create SERVER profiles for the individual authorized client services provided for the z/OS operating system. These profiles enable clients to invoke the individual authorized services provided by the server. These services are grouped by function: