Authorize the z/OSMF server to create PassTickets
Description
If your current (old) system includes the Capacity Provisioning plug-in or the Resource Monitoring plug-in, these functions might be using PassTickets for secure communication with a remote server, as an alternative to passwords. If so, you must ensure that the z/OSMF server user ID is authorized to create PassTickets in the same way that you did for the WebSphere servant user ID on previous systems. By default, this user ID is WSSRU1.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
Product: | z/OSMF |
---|---|
When change was introduced: | z/OSMF V2R1. |
Applies to migration from: | z/OSMF V1R13. |
Timing: | Before installing z/OSMF V2R1. |
Is the migration action required? | Yes, if your current (old) system includes the Capacity Provisioning plug-in or the Resource Monitoring plug-in, and these functions are using PassTickets for secure communication with a remote server. |
Target system hardware requirements: | None. |
Target system software requirements: | None. |
Other system (coexistence or fallback) requirements: | None. |
Restrictions: | None. |
System impacts: | None. |
Related IBM® Health Checker for z/OS® check: | None. |
Steps to take
Follow these steps:
- For the Capacity Provisioning plug-in, determine whether your installation is using PassTickets to authenticate requests against the CIM server on a remote system. If so, you defined the profile IRRPTAUTH.CFZAPPL.* in the PTKTDATA class. To authorize the z/OSMF server to create PassTickets, grant the z/OSMF started task user ID at least UPDATE access authority to this resource. For example:
    PERMIT IRRPTAUTH.CFZAPPL.* CLASS(PTKTDATA) ID(passticket_creator_userid) ACCESS(UPDATE)
    SETROPTS RACLIST(PTKTDATA) REFRESH
  where passticket_creator_userid is the z/OSMF started task user ID. By default, this is IZUSVR.
- For the Resource Monitoring plug-in, determine whether your installation is using PassTickets to authenticate requests against the RMF Distributed Data Server (DDS) on a remote system. If so, you defined the profile IRRPTAUTH.GPMSERVE.* in the PTKTDATA class. To enable PassTicket creation for the z/OSMF server, give the z/OSMF started task user ID at least UPDATE access authority. For example:
    PERMIT IRRPTAUTH.GPMSERVE.* CLASS(PTKTDATA) ID(passticket_creator_userid) ACCESS(UPDATE)
    SETROPTS RACLIST(PTKTDATA) REFRESH
  where passticket_creator_userid is the z/OSMF started task user ID. By default, this is IZUSVR.
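Both authorizations above can be run as one batch TSO job that also lists each profile's access list before and after the change, so the result can be checked in the job output. This is an added example, not part of the original IBM text; the JOB card values are placeholders for your installation, and IZUSVR assumes the default z/OSMF started task user ID named above.

```jcl
//PTKTAUTH JOB (ACCT),'ZOSMF PTKT AUTH',CLASS=A,MSGCLASS=X
//*
//* Added example: JOB card values above are placeholders.
//* IZUSVR is the default z/OSMF started task user ID; substitute
//* your own if it differs.
//*
//* Command order in SYSTSIN:
//*  1. RLIST ... AUTHUSER   shows each profile and its current
//*                          access list. If a profile is not
//*                          listed, your installation did not
//*                          define it and that plug-in step does
//*                          not apply.
//*  2. PERMIT               grants UPDATE to the started task ID.
//*  3. SETROPTS ... REFRESH activates the change for the
//*                          RACLISTed PTKTDATA class.
//*  4. RLIST ... AUTHUSER   confirms IZUSVR now appears with
//*                          UPDATE on each profile.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RLIST PTKTDATA IRRPTAUTH.CFZAPPL.* AUTHUSER
 RLIST PTKTDATA IRRPTAUTH.GPMSERVE.* AUTHUSER
 PERMIT IRRPTAUTH.CFZAPPL.* CLASS(PTKTDATA) ID(IZUSVR) ACCESS(UPDATE)
 PERMIT IRRPTAUTH.GPMSERVE.* CLASS(PTKTDATA) ID(IZUSVR) ACCESS(UPDATE)
 SETROPTS RACLIST(PTKTDATA) REFRESH
 RLIST PTKTDATA IRRPTAUTH.CFZAPPL.* AUTHUSER
 RLIST PTKTDATA IRRPTAUTH.GPMSERVE.* AUTHUSER
/*
```

Remove the lines for a plug-in that your installation does not use, so the job grants only the access that is needed.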
Reference information
For more information, see the following references:
- For information about PassTickets, see z/OS Security Server RACF Security Administrator's Guide.
- For information about clean-up actions for IBM WebSphere Application Server OEM Edition for z/OS, see Remove WebSphere constructs from previous releases.