CICS® requires access to directories and files in z/OS® UNIX. During installation, each of your CICS regions is assigned a z/OS UNIX user identifier (UID). The regions are connected to a RACF® group that is assigned a z/OS UNIX group identifier (GID). Use the UID and GID to grant permission for the CICS region to access the directories and files in z/OS UNIX.
Before you begin
Ensure that you are either a superuser on z/OS UNIX, or the owner of the directories and files. The owner of directories and files is initially set as the UID of the system programmer who installs the product. The owner of the directories and files must be connected to the RACF group that was assigned a GID during installation. The owner can have that RACF group as their default group (DFLTGRP) or can be connected to it as one of their supplementary groups.
About this task
z/OS UNIX System Services treats each CICS region as a UNIX user. You can grant user permissions to access z/OS UNIX directories and files in different ways. For example, you can give the appropriate group permissions for the directory or file to the RACF group to which your CICS regions connect. This option might be best for a production environment and is explained in the following steps.
Procedure
- Identify the directories and files in z/OS UNIX to which your CICS regions require access.
| JVM server options | Default directories | Permission | Description |
|---|---|---|---|
| JAVA_HOME | /usr/lpp/java/J7.0_64/bin | read and execute | IBM® 64-bit SDK for z/OS, Java™ Technology Edition directories |
| USSHOME | /usr/lpp/cicsts/cicsts53 | read and execute | The installation directory for CICS files on z/OS UNIX. Files in this directory include sample profiles and CICS-supplied JAR files. |
| WORK_DIR | /u/CICS region userid | read, write, and execute | The working directory for the CICS region. This directory contains input, output, and messages from the JVMs. |
| JVMPROFILEDIR | USSHOME/JVMProfiles/ | read and execute | Directory that contains the JVM profiles for the CICS region, as specified in the JVMPROFILEDIR system initialization parameter. |
| WLP_USER_DIR | WORK_DIR/APPLID/JVMSERVER/wlp/usr/ | read and execute | Specifies the directory that contains the configuration files for the Liberty JVM server. |
| WLP_OUTPUT_DIR | WLP_USER_DIR/servers | read, write, and execute | Specifies the output directory for the Liberty JVM server. |
Note: WLP_USER_DIR needs additional permissions (read, write, and execute) if Liberty JVM server autoconfigure is used, because CICS must be able to write to server.xml.
- List the directories and files to show the permissions.
Go to the directory where you want to start, and issue the following UNIX command:
ls -la
If this command is issued in the z/OS UNIX System Services shell environment when the current directory is the home directory of CICSHT##, you might see a list such as the following example:
/u/cicsht##:>ls -la
total 256
drwxr-xr-x 2 CICSHT## CICSTS53 8192 Mar 15 2008 .
drwx------ 4 CICSHT## CICSTS53 8192 Jul 4 16:14 ..
-rw------- 1 CICSHT## CICSTS53 2976 Dec 5 2010 Snap0001.trc
-rw-r--r-- 1 CICSHT## CICSTS53 1626 Jul 16 11:15 dfhjvmerr
-rw-r--r-- 1 CICSHT## CICSTS53 0 Mar 15 2010 dfhjvmin
-rw-r--r-- 1 CICSHT## CICSTS53 458 Oct 9 14:28 dfhjvmout
/u/cicsht##:>
- If you are using the group permissions to give access, check that the group permissions for each of the directories and files give the level of access that CICS requires for the resource.
Permissions are indicated, in three sets, by the characters r, w, x and -. These characters represent read, write, execute, and none, and are shown in the left column of the command line, starting with the second character. The first set are the owner permissions, the second set are the group permissions, and the third set are other permissions. In the previous example, the owner has read and write permissions to dfhjvmerr, dfhjvmin, and dfhjvmout, but the group and all others have only read permissions.
- If you want to change the group permissions for a resource, use the UNIX command chmod.
The following example sets the group permissions for the named directory and its subdirectories and files to read, write, and execute. -R applies permissions recursively to all subdirectories and files:
chmod -R g=rwx directory
The following example sets the group permissions for the named file to read and execute:
chmod g+rx filename
The following example turns off the write permission for the group on two named files:
chmod g-w filename filename
In all these examples, g designates group permissions. If you want to correct other permissions, u designates user (owner) permissions, and o designates other permissions.
- Assign the group permissions for each resource to the RACF group that you chose for your CICS regions to access z/OS UNIX.
You must assign group permissions for each directory and its subdirectories, and for the files in them.
Enter the following UNIX command:
chgrp -R GID directory
GID is the numeric GID of the RACF group and directory is the full path of a directory to which you want to assign the CICS regions permissions.
For example, to assign the group permissions for the /usr/lpp/cicsts/cicsts53 directory, use the following command:
chgrp -R GID /usr/lpp/cicsts/cicsts53
Because your CICS region user IDs are connected to the RACF group, the CICS regions have the appropriate permissions for all these directories and files.
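The checks in steps 3 and 5, as an added shell example that is not part of the original IBM procedure: it reads ls -la output and reports entries whose group is not the expected RACF group or whose group permissions lack the access you ask for. The sample listing is constructed from the one shown earlier (OTHERGRP is a hypothetical group), and the function names and the required-permission arguments are assumptions.

```sh
#!/bin/sh
# Added example (not IBM-supplied): audit ls -la output for a CICS directory.

# Print the letters of NEED (e.g. "rwx") that the group permissions in an
# ls mode string (e.g. "drwxr-xr-x") do not grant. No output means OK.
group_missing() {
    # Characters 5-7 are the group set; "s" there is set-group-ID plus x.
    triad=$(printf '%s\n' "$1" | cut -c5-7 | tr s x)
    need=$2 missing=""
    for p in r w x; do
        case $need in
            *"$p"*) case $triad in *"$p"*) ;; *) missing=$missing$p ;; esac ;;
        esac
    done
    printf '%s' "$missing"
}

# Read ls -la lines on stdin. Report each entry whose group is not GROUP, or
# whose group permissions lack NEED_DIR (directories) or NEED_FILE (files).
# Names containing spaces are not handled; ".." is skipped.
audit_listing() {
    group=$1 need_dir=$2 need_file=$3
    while read -r mode links owner grp rest; do
        case $mode in [d-]?????????*) ;; *) continue ;; esac  # skip "total", prompts
        name=${rest##* }
        [ "$name" = ".." ] && continue
        case $mode in d*) want=$need_dir ;; *) want=$need_file ;; esac
        [ "$grp" = "$group" ] || echo "$name: group is $grp, expected $group"
        miss=$(group_missing "$mode" "$want")
        [ -z "$miss" ] || echo "$name: group lacks $miss"
    done
}

# Constructed sample, adapted from the listing on this page; OTHERGRP is a
# hypothetical group added to show a mismatch.
sample_listing() {
    cat <<'EOF'
/u/cicsht##:>ls -la
total 256
drwxr-xr-x 2 CICSHT## CICSTS53 8192 Mar 15 2008 .
drwx------ 4 CICSHT## CICSTS53 8192 Jul 4 16:14 ..
-rw------- 1 CICSHT## CICSTS53 2976 Dec 5 2010 Snap0001.trc
-rw-r--r-- 1 CICSHT## CICSTS53 1626 Jul 16 11:15 dfhjvmerr
-rw-rw-r-- 1 CICSHT## OTHERGRP 458 Oct 9 14:28 dfhjvmout
EOF
}

# Working directory needs rwx for the group; here files need at least r.
sample_listing | audit_listing CICSTS53 rwx r
```

The audit looks only at the group set; when the region's own UID owns an entry, as in the sample, UNIX permission checking applies the owner set to that entry instead.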
Results
You have ensured that CICS has the appropriate permissions to access the directories and files in z/OS UNIX to run Java applications.
When you change the CICS facility that you are setting up, such as moving files or creating new files, remember to repeat this procedure to ensure that your CICS regions have permission to access the new or moved files.
What to do next
Verify that your Java support is set up correctly using the sample programs and profiles.