
Configure RACF so DCAS Can Run as a System Daemon

In the sample RACF commands below, replace placeholder items such as dcasid with values appropriate for your environment.

Define a user ID as superuser to use OMVS Services

The DCAS server runs as a system daemon and must be started under a controlled user ID (that is, not an end-user or system programmer user ID) that has superuser authority. To define the user ID to use OMVS services, use the following command:

ADDUSER dcasid DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/'))

where dcasid is the name of the user ID.

Provide a user ID with access to MVS.SERVMGR.DCAS

Starting DCAS from an MVS procedure requires that the user ID from which it is started have access to the MVS.SERVMGR.DCAS resource in the OPERCMDS class. To provide this access, use the following commands:

   RDEFINE OPERCMDS (MVS.SERVMGR.DCAS) UACC(NONE) 
   PERMIT MVS.SERVMGR.DCAS CLASS(OPERCMDS) ACCESS(CONTROL) ID(dcasid)

where dcasid is the name of the user ID.

Provide a RACF definition for MVS Start-up

If DCAS is started as an MVS procedure, you will need the following RACF definition:

   RDEFINE STARTED DCAS.* STDATA(USER(dcasid)) 
   SETR RACLIST(STARTED) REFRESH

where dcasid is the name of the user ID.

If CLIENTAUTH LOCAL2 is coded in the DCAS configuration file, you must, at a minimum, use RACF to associate the client certificate with a valid user ID. You can do this using the RACDCERT ADD command. The user ID can be the one associated with DCAS itself or any other valid user ID. If you want additional checking, activate the SERVAUTH class, define an EZA.DCAS.cvtsysname profile, and permit the user ID associated with the client certificate to access that profile.
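The CLIENTAUTH LOCAL2 steps described above, written out as RACF commands. This is an added example, not part of the original documentation. The user ID certuser, the data set name 'DCAS.CLIENT.CERT' and the label 'DCAS client' are hypothetical placeholders, and ACCESS(READ) is assumed to be the access level required for the profile.

```tso
   /* Minimum for CLIENTAUTH LOCAL2: associate the client certificate  */
   /* with a valid user ID (certuser is a placeholder; it may also be  */
   /* the DCAS user ID itself). The data set holds the certificate.    */
   RACDCERT ID(certuser) ADD('DCAS.CLIENT.CERT') TRUST WITHLABEL('DCAS client')

   /* Check: the certificate is listed under that user ID, TRUST status */
   RACDCERT ID(certuser) LIST

   /* Optional additional checking: activate SERVAUTH and protect the  */
   /* DCAS resource. Replace cvtsysname with your system name.         */
   SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
   RDEFINE SERVAUTH EZA.DCAS.cvtsysname UACC(NONE)

   /* Permit only the user ID tied to the client certificate           */
   /* (READ is an assumed access level).                                */
   PERMIT EZA.DCAS.cvtsysname CLASS(SERVAUTH) ID(certuser) ACCESS(READ)
   SETROPTS RACLIST(SERVAUTH) REFRESH

   /* Check: UACC is NONE and the access list holds only expected IDs  */
   RLIST SERVAUTH EZA.DCAS.cvtsysname AUTHUSER
```

With UACC(NONE) on the profile, a certificate that maps to a user ID missing from the access list fails the additional check, so review the RLIST output whenever client certificates are added or reassigned.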
