Previous Topic Next topic Print topic


Define started tasks to RACF and ACF2

Each of the started tasks needs to be defined to the security product. We recommend that you run all z/Server STCs using the same ID. Work done for the client is run using the TSO user ID credentials of the client (task level security). All user IDs to be used with z/Server need a valid OMVS segment (required by TCP/IP).

READ access to the z/Server datasets is needed.

Depending on your installation, there may be more authorization needed (see User authorizations).

Assuming that RACF is the security product, the definitions could look like this:

AU usrname DATA('z/SERVER Userid') NOPASSWORD DFLTGRP(grpname) OWNER(grpname) OMVS(AUTOUID HOME('/u/usrname'))  
	 
	 
ALU usrname NOPASSPHRASE 
RDEF STARTED TAURHLD.* STDATA(USER(usrname)) OWNER(grpname) 
RDEF STARTED TAURISPF.* STDATA(USER(usrname)) OWNER(grpname) 
RDEF STARTED IVPUSRT.* STDATA(USER(usrname)) OWNER(grpname) 
SETR RACLIST(STARTED) REFRESH
ADDSD 'hlq.ZSERVER.**' OWNER(grpname) UACC(NONE) 
PE 'hlq.ZSERVER.**' ACCESS(READ) CLASS(DATASET) ID(usrname)

The RACF definitions for a CEA scheduler could look like this:

RDEFINE TSOPROC CEAPROC OWNER(SYS1) UACC(NONE) 
PE CEAPROC CLASS(TSOPROC) ACCESS(READ) ID(all-required-groups)  
SETROPTS RACLIST(TSOPROC) REFRESH

If ACF2 is the security product, to allow READ access to the z/Server datasets, the equivalent definitions for class STARTED could look like this:

SET CONTROL(GSO)
INSERT STC.TAURHLD  LOGONID(usrname)
INSERT STC.TAURISPF LOGONID(usrname)
INSERT STC.IVPUSRT  LOGONID(usrname)  STCID(********) 
F ACF2,REFRESH(ALL)

The holder address space administers the port range to be used for the scheduler and the user servers, but does not use them. The default port range specified in the configuration files that come with z/Server is 1100 to 1200. This port range needs to be opened in the firewall protecting the z/OS host system.

The scheduler address space listens for incoming requests from clients on the port designated as PORT in the scheduler configuration file. PORT=1111 is set as default. The scheduler assigns ports to different user servers from the port range defined for that scheduler (TSOE_FIRST_PORT .. TSOE_LAST_PORT).

Since the holder address space starts and stops the scheduler and stops user servers, and the scheduler address space starts and stops user servers, the associated user ID needs the appropriate access rights in the OPERCMDS class to these system commands.

Previous Topic Next topic Print topic