Performing required z/OS system configurations

Before starting IBM® HTTP Server, you must set required z/OS® system configurations.

Procedure

  • Requirements for integrating with System Management Facility (SMF)

    The IBM HTTP Server user ID must have read authority to the BPX.SMF facility. For more information, see Configuring IBM HTTP Server for SMF recording.

  • Requirements for using the zEnterprise® Data Compression (zEDC) feature

    When you configure the mod_deflate module, zEDC is automatically used when it is available on the system.

  • Verify the MEMLIMIT parameter.
    The MEMLIMIT parameter controls the amount of virtual memory higher than 2 gigabytes for a particular address space. The default setting for the MEMLIMIT parameter is 2 GB in z/OS V1R10 and later and is sufficient for the default server configuration. However, if the ThreadsPerChild directive is increased from the default of 100, increase the MEMLIMIT parameter by the same factor.
    • The MEMLIMIT parameter can be set in the OMVS segment of the user ID that is used to run the server:
      ALTUSER WWWSERV OMVS(MEMLIMIT(2048M))
    • The MEMLIMIT parameter can also be set in the SMFPRMxx parmlib member. Set the SMFPRMxx parmlib member to establish the system-wide MEMLIMIT parameter default.

    For a complete description of how to set the MEMLIMIT parameter, see Limiting the use of memory objects in z/OS V1R10.0 MVS Programming: Extended Addressability Guide (SA22-7614-06).

    IBM HTTP Server requires a minimum of 5.4 MB of 64-bit virtual memory per thread. The minimum recommended MEMLIMIT setting for proper IBM HTTP Server operation is (ThreadsPerChild + 3) × 12 MB.

  • Configure a mechanism for allowing access to low ports.
    The Web server user ID must be able to bind to the TCP ports on which it handles client connections. If port numbers below 1024 are used, such as the usual Web server ports 80 and 443, and RESTRICTLOWPORTS is in effect for the TCP/IP stack, additional configuration is required to allow the Web server to bind to the port. All of the following mechanisms except the first use the PORT statement in the TCP/IP configuration (PROFILE.TCPIP); they are listed from least to most restrictive:
    • Disable RESTRICTLOWPORTS in the TCP/IP configuration (TCPCONFIG NORESTRICTLOWPORTS). This lets any process on the stack bind to any low port, so it is the weakest choice and should be avoided on a shared system.
    • Code a wildcard for the job name on a PORT statement in the TCP/IP configuration.
    • Code the Web server job name on a PORT statement in the TCP/IP configuration. This requires the server to run under a predictable job name (see the _BPX_JOBNAME step below).
    • Code SAF safname on the PORT statement in the TCP/IP configuration, and permit the Web server user ID READ access to the SERVAUTH class profile EZB.PORTACCESS.sysname.stackname.safname. This ties the port to the server's user ID rather than to a job name and is the option to prefer.

    For more information on configuration methods for allowing access to low ports, refer to the sections Port access control and Setting up reserved port number definitions in PROFILE.TCPIP in z/OS Communications Server IP Configuration Guide (SC31-8775). You can link to this document from the z/OS Internet Library.

    For an explanation of how z/OS UNIX System Services jobnames (such as those for IBM HTTP Server instances) are determined, refer to the section Generating jobnames for OMVS address spaces in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.

  • Required System Authorization Facility (SAF) configurations.
    • Create a user ID and group for IBM HTTP Server.
      You can use a new or existing user ID. It must have an OMVS segment, and the UID cannot be zero, because UID 0 is the z/OS UNIX superuser and a server running as UID 0 would bypass all file-level access checks. The following example contains RACF® commands to create a new user and group.
      Password example
      
      ADDGROUP WWWGROUP OMVS(GID(999))
      ADDUSER  WWWSERV  DFLTGRP(WWWGROUP) OMVS(UID(999)) PASSWORD(password)
      Password phrase example
      
      ADDGROUP WWWGROUP OMVS(GID(999))
      ADDUSER  WWWSERV  DFLTGRP(WWWGROUP) OMVS(UID(999)) PHRASE('my0users@99#701_workgroup')
      The security administrator should define the password for the Web server user ID explicitly, instead of allowing it to default, so that an unauthorized user cannot log in with that user ID. The ALTUSER command can be used to modify the password of an existing user ID. If the server is only ever started as a started task, a protected user ID (one defined with NOPASSWORD and NOOIDCARD) is the stronger choice: it cannot be used to log on at all and cannot be revoked by repeated failed logon attempts.
      Note: If you use a JCL cataloged procedure to start an IBM HTTP Server instance, create a SAF STARTED profile to assign the server user ID and group ID to the server started task. For example, to use a cataloged procedure named WEBSRV1:
      RDEFINE STARTED WEBSRV1.* STDATA(USER(WWWSERV) GROUP(WWWGROUP) TRACE(YES))
      Because the STARTED class is RACLISTed, the new profile takes effect only after a SETROPTS RACLIST(STARTED) REFRESH.
    • Set program control for required MVS data sets.
      Ensure that program control is turned on for the following MVS data sets. For hlq, enter the high level qualifier for your system installation, for example: SYS1.LINKLIB.
      • hlq.LINKLIB
      • hlq.SCEERUN
      • hlq.SCEERUN2
      • hlq.SCLBDLL
      The following example shows how to turn on program control using RACF commands with a high level qualifier of SYS1. If you are using another security product, refer to that product's documentation for instructions. If you are turning on program control for the first time, you should use RDEFINE statements instead of RALTER statements:
      RALTER PROGRAM * ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(READ)
      RALTER PROGRAM * ADDMEM('SYS1.SCEERUN'//NOPADCHK) UACC(READ)
      RALTER PROGRAM * ADDMEM('SYS1.SCEERUN2'//NOPADCHK) UACC(READ)
      RALTER PROGRAM * ADDMEM('SYS1.SCLBDLL') UACC(READ)
      SETROPTS WHEN(PROGRAM) REFRESH
      In this example, an asterisk (*) is used to specify all programs in the data set.
    • Set program control for HFS files.
      The SMP/E installation logic sets the program control extended attribute on the provided libraries and executable files that need it. If you install custom plug-in modules, use the extattr command to set the program control flag (+p), and the APF flag (+a) only if the module genuinely needs APF authorization. Every module loaded into the server address space must be program controlled, because loading a single uncontrolled module marks the address space as "dirty" and z/OS UNIX then refuses the functions that require a controlled environment. For example:
      # extattr +ap /opt/IBM/HTTPServer/modules/mod_jauth.so
      In this example, substitute the IBM HTTP Server installation location for /opt/IBM/HTTPServer/. (You can build custom plug-in modules using the apxs script that is provided.) The user issuing extattr needs READ access to the FACILITY class profile BPX.FILEATTR.PROGCTL, and to BPX.FILEATTR.APF for +a. Both attributes are cleared whenever the file is rewritten, so reissue the command after rebuilding a module, and confirm the result with ls -E, which shows the extended attributes.
    • Set program control for z/OS System SSL.
      If you set up your IBM HTTP Server to provide secure communications over the Internet, IBM HTTP Server uses z/OS System Secure Sockets Layer (SSL) to establish the secure connections. Before IBM HTTP Server can use System SSL, you must:
      • Add the System SSL load library (hlq.SIEALNKE) to the system link list or to the STEPLIB DD concatenation in the HTTP Server cataloged procedure
      • Set program control hlq.SIEALNKE in RACF.
      The hlq variable is the high level qualifier for your system installation, for example: SYS1.SIEALNKE.
      To turn on program control using RACF, issue the following command:
      RALTER PROGRAM * ADDMEM('hlq.SIEALNKE'//NOPADCHK) UACC(READ)
      SETROPTS WHEN(PROGRAM) REFRESH
      If you are turning on program control for the first time, use the RDEFINE statements instead of the RALTER statements. If you are using another security product, refer to that product's documentation for instructions.
    • Access to SAF key rings.
      The SSL and LDAP authentication support can optionally use certificates stored in SAF key rings. This requires that the Web server user ID have certain SAF permissions. Specifically, the Web server user ID must be permitted to the IRR.DIGTCERT.LISTRING facility in order to use key rings. READ access lets the server use key rings it owns; if the key ring is owned by another user ID, the server needs UPDATE access to IRR.DIGTCERT.LISTRING, or you can use the finer-grained RDATALIB class, which scopes the permission to a single named ring. Here are the general steps required:
      1. Define the IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING resources with universal access of None.
      2. Permit the Web server user ID read access to the IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING resources in the FACILITY class.
      3. Activate the FACILITY general resource class.
      4. Refresh the FACILITY general resource class.
      The following commands are RACF commands. Replace WWWSERV with the actual user ID under which IBM HTTP Server is started.
      RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
      PE IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
      RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
      PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
      SETR CLASSACT(FACILITY)
      SETR RACLIST(FACILITY) REFRESH
      For a complete guide to RACF commands, refer to z/OS Security Server RACF Security Administrator's Guide (SA22-7683). You can link to this document from the z/OS Internet Library.
    • Permitting user IDs to CSFSERV for System SSL:

      Integrated Cryptographic Services Facility (ICSF) is the software interface to the cryptographic hardware and provides the algorithms behind modern TLS cipher suites. If a system restricts access to the CSFSERV profiles that guard ICSF services, modern TLS support requires permitting the Web server user ID to those profiles, because System SSL calls ICSF on the Web server's behalf and the access check is made against the server's identity.

      In typical TLS configurations, the Web server's user ID must have READ access to at least the following profiles: CSFRNG, CSFIQA, CSFPKE, CSFPKD, CSF1KGP, CSF1SKE, and CSF1SKD. If the SAFRunAs directive is used, each client or surrogate user ID must also have READ access to at least CSF1SKD and CSF1SKE.

      The exact CSFSERV permissions vary with the cipher suites involved. To ensure that the IBM HTTP Server user ID can access cryptographic operations in the hardware, the IBM HTTP Server user ID needs READ access to the CSFSERV resources outlined in the tables presented in RACF CSFSERV resource requirements.

      The following command example illustrates how to permit the WWWSERV ID to a placeholder resource named CSFSERVresource; substitute one of the profile names listed above. The RDEFINE fails if the profile already exists, in which case only the PERMIT and the refresh are needed.
      SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
      RDEFINE CSFSERV CSFSERVresource UACC(NONE)
      PERMIT CSFSERVresource CLASS(CSFSERV) ID(WWWSERV) ACCESS(READ)
      SETROPTS CLASSACT(CSFSERV)
      SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH
      The following command example illustrates how to permit the WWWSERV ID to resource CSFPKE.
      SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
      RDEFINE CSFSERV CSFPKE UACC(NONE)
      PERMIT CSFPKE CLASS(CSFSERV) ID(WWWSERV) ACCESS(READ)
      SETROPTS CLASSACT(CSFSERV)
      SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH
    • Using cryptographic hardware for key storage (optional):

      To perform key storage on cryptographic devices refer to the section Integrated Cryptographic Service Facility (ICSF) Considerations in z/OS Security Server RACF Security Administrator's Guide (SA22-7683).

      For information on ICSF options refer to the section Using Hardware Cryptographic Features with System SSL in z/OS Cryptographic Services System Secure Sockets Layer (SSL) Programming (SC24-5901).

      These documents are available from the z/OS Internet Library.

  • Setting environment variable _BPX_JOBNAME (optional):
    IBM HTTP Server provides the file <installroot>/bin/envvars for setting environment variables for the httpd processes. You can set the environment variable _BPX_JOBNAME to give the server a distinct jobname. This allows you to:
    • See the server in MVS operator commands and System Display and Search Facility (SDSF).
    • Categorize the server in workload management (WLM) to give web traffic adequate priority.
    • Use syslogd isolation for the server.
    • Use PORT statements in the TCP/IP configuration that select by job name.

    A typical setting is: export _BPX_JOBNAME=HTTPD. The default is to append an incrementing integer to your jobname, such as HTTPD1, HTTPD2, HTTPD3. For more information refer to the section Generating jobnames for OMVS address spaces in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.

    If you use the _BPX_JOBNAME variable to set the jobname, the user ID which you use to run the server must have read access to the SAF FACILITY profile BPX.JOBNAME. For example:
    RDEFINE FACILITY BPX.JOBNAME  UACC(NONE)
    SETROPTS RACLIST(FACILITY) REFRESH 
    PERMIT BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(WWWSERV) 
    SETROPTS RACLIST(FACILITY) REFRESH 
    RLIST FACILITY BPX.JOBNAME ALL
    For more information refer to the section Setting up the BPX.* FACILITY class profiles in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.
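The procedure above spreads the SAF, ICSF and TCP/IP definitions over several steps, each with its own refresh. The following script is an added example, not IBM's code, that generates the whole set in dependency order for one server instance from a z/OS UNIX shell and, with -A, issues each command through the z/OS UNIX tsocmd utility. It also computes the MEMLIMIT from the (ThreadsPerChild + 3) × 12 MB rule, refuses a zero UID, and emits a PROFILE.TCPIP fragment for the SAF-guarded PORT statement. Two choices depart from the page's literal commands and are the editor's: the server ID is defined as a protected ID (NOPASSWORD NOOIDCARD) rather than given a password, and the EZB.PORTACCESS profile is defined in the SERVAUTH class. The procedure name WEBSRV1, system name SYS1, stack name TCPIP, SAF resource HTTPPORT, the HOME directory and the RACF comment convention are assumptions; the extattr step for custom modules is not covered because it must be run against the installed files.

```shell
#!/bin/sh
# ihs_zos_saf_setup.sh: generate, and with -A apply through tsocmd, the RACF and
# PROFILE.TCPIP definitions described on this page for one IBM HTTP Server instance.
# Added example, not IBM's code; WEBSRV1, SYS1, TCPIP and HTTPPORT below are hypothetical.
: "${SRV_USER:=WWWSERV}" "${SRV_GROUP:=WWWGROUP}" "${SRV_UID:=999}" "${SRV_GID:=999}"
: "${PROC:=WEBSRV1}" "${THREADS:=100}" "${HLQ:=SYS1}"
: "${SYSNAME:=SYS1}" "${STACK:=TCPIP}" "${SAFRES:=HTTPPORT}"
# Recommended MEMLIMIT in MB, from the page's formula (ThreadsPerChild + 3) * 12.
memlimit_mb() { echo $(( ($1 + 3) * 12 )); }
# Reject names RACF would not accept and UID 0 (a UID 0 server is a superuser).
validate() {
  for id in "$SRV_USER" "$SRV_GROUP"; do
    case "$id" in ""|*[!A-Z0-9@#\$]*|?????????*)
      echo "bad RACF name '$id': 1-8 chars of A-Z 0-9 @ # \$" >&2; return 1;;
    esac
  done
  [ "$SRV_UID" -gt 0 ] 2>/dev/null || { echo "UID must be a number above zero, got '$SRV_UID'" >&2; return 1; }
}
# RACF commands, one per line; '#' lines are comments and are stripped by apply.
gen_racf() {
  ml=$(memlimit_mb "$THREADS")
  cat <<EOF
# 1. Server identity: non-zero UID, protected ID (no password, cannot log on),
#    MEMLIMIT sized for ThreadsPerChild $THREADS
ADDGROUP $SRV_GROUP OMVS(GID($SRV_GID))
ADDUSER $SRV_USER DFLTGRP($SRV_GROUP) NAME('IBM HTTP SERVER') NOPASSWORD NOOIDCARD OMVS(UID($SRV_UID) HOME('/') PROGRAM('/bin/sh') MEMLIMIT(${ml}M))
# 2. Started task runs under that identity; STARTED is RACLISTed, so refresh it
RDEFINE STARTED $PROC.* STDATA(USER($SRV_USER) GROUP($SRV_GROUP) TRACE(YES))
SETROPTS RACLIST(STARTED) REFRESH
# 3. Program control for MVS libraries, including System SSL (use RDEFINE if PROGRAM * is new)
RALTER PROGRAM * ADDMEM('$HLQ.LINKLIB'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('$HLQ.SCEERUN'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('$HLQ.SCEERUN2'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('$HLQ.SCLBDLL') UACC(READ)
RALTER PROGRAM * ADDMEM('$HLQ.SIEALNKE'//NOPADCHK) UACC(READ)
SETROPTS WHEN(PROGRAM) REFRESH
# 4. Key rings, distinct jobname, SMF recording (RDEFINE of an existing profile fails harmlessly)
EOF
  for res in IRR.DIGTCERT.LIST IRR.DIGTCERT.LISTRING BPX.JOBNAME BPX.SMF; do
    echo "RDEFINE FACILITY $res UACC(NONE)"
    echo "PERMIT $res CLASS(FACILITY) ID($SRV_USER) ACCESS(READ)"
  done
  echo "SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)"
  echo "SETROPTS RACLIST(FACILITY) REFRESH"
  echo "# 5. ICSF services that System SSL calls on the server's behalf"
  for res in CSFRNG CSFIQA CSFPKE CSFPKD CSF1KGP CSF1SKE CSF1SKD; do
    echo "RDEFINE CSFSERV $res UACC(NONE)"
    echo "PERMIT $res CLASS(CSFSERV) ID($SRV_USER) ACCESS(READ)"
  done
  cat <<EOF
SETROPTS CLASSACT(CSFSERV) RACLIST(CSFSERV) GENERIC(CSFSERV)
SETROPTS RACLIST(CSFSERV) REFRESH
# 6. Low ports through SAF on the PORT statement (SERVAUTH class, not FACILITY)
RDEFINE SERVAUTH EZB.PORTACCESS.$SYSNAME.$STACK.$SAFRES UACC(NONE)
PERMIT EZB.PORTACCESS.$SYSNAME.$STACK.$SAFRES CLASS(SERVAUTH) ID($SRV_USER) ACCESS(READ)
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
SETROPTS RACLIST(SERVAUTH) REFRESH
# 7. Verify what was defined
LISTUSER $SRV_USER OMVS
RLIST STARTED $PROC.* STDATA
RLIST SERVAUTH EZB.PORTACCESS.$SYSNAME.$STACK.$SAFRES AUTHUSER
EOF
}
# PROFILE.TCPIP fragment: keep RESTRICTLOWPORTS and gate 80/443 through SAF
# instead of NORESTRICTLOWPORTS or an unguarded "PORT 80 TCP *".
gen_tcpip() {
  cat <<EOF
; PROFILE.TCPIP fragment for stack $STACK (added example); only a job whose
; user ID has READ to EZB.PORTACCESS.$SYSNAME.$STACK.$SAFRES may bind these ports
TCPCONFIG RESTRICTLOWPORTS
PORT
   80 TCP * SAF $SAFRES
  443 TCP * SAF $SAFRES
EOF
}
# Issue each generated RACF command from the z/OS UNIX shell via tsocmd.
apply() {
  gen_racf | grep -v '^#' | while IFS= read -r cmd; do
    tsocmd "$cmd" || echo "failed: $cmd" >&2
  done
}
main() {
  do_apply=0
  while getopts "u:g:i:G:p:t:s:n:S:r:A" opt; do
    case $opt in
      u) SRV_USER=$OPTARG;; g) SRV_GROUP=$OPTARG;; i) SRV_UID=$OPTARG;;
      G) SRV_GID=$OPTARG;;  p) PROC=$OPTARG;;      t) THREADS=$OPTARG;;
      s) HLQ=$OPTARG;;      n) SYSNAME=$OPTARG;;   S) STACK=$OPTARG;;
      r) SAFRES=$OPTARG;;   A) do_apply=1;;
      *) echo "usage: $0 [-u user] [-g group] [-i uid] [-G gid] [-p proc] [-t ThreadsPerChild] [-s hlq] [-n sysname] [-S stack] [-r safres] [-A]" >&2; return 2;;
    esac
  done
  validate || return 1
  if [ "$do_apply" = 1 ]; then apply; else gen_racf; echo; gen_tcpip; fi
}
main "$@"
```

Run it without -A first (for example sh ihs_zos_saf_setup.sh -t 250 -p WEBSRV1 > review.txt) and have the RACF administrator review the output; the RALTER lines must become RDEFINE the first time a PROGRAM * profile is created, and an RDEFINE that fails because a profile already exists can be ignored. After applying, set the same job name in <installroot>/bin/envvars (export _BPX_JOBNAME=HTTPD) and merge the PORT fragment into PROFILE.TCPIP; the RLIST output at the end shows whether the permissions landed on the intended user ID.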