To allow the OAM address space to access directories and files in the Unix file system hierarchy, the Security Server (RACF) or equivalent security product must be configured to provide both a Unix System Services group (with an associated group ID) and a user (with an associated user ID) for the OAM started procedure. The following description assumes use of the Security Server (RACF), and the examples assume the definition of the STARTED class, which is the preferred method for assigning identities to started procedures such as the procedure that you use to start the OAM address space. If you already have a group and user defined for the OAM started procedure, review your configuration to ensure that it meets the criteria identified below; at a minimum, the group and user may need to be altered. The description below outlines the steps required to configure the Security Server (RACF) for the OAM started procedure.
The intent is that the defined user cannot be used to log in to Unix System Services. Configuration for OAM within the Unix file system hierarchy is performed by a superuser; after that point the OAM address space (through the OAM-specific group and user) is the only entity that should have access to the directories and files containing OAM object data. The one exception is a non-OAM backup mechanism, which typically relies on superuser privileges to access directories and files, so membership in the OAM-specific group is not required for it.
Complete the following steps:
With this Security Server (RACF) configuration in place, when an operator starts OAM, the OAM procedure name is used to find a matching resource profile and the resource profile then provides the group and user to be associated with the OAM address space. This group and user (and associated group ID and user ID), as well as any optional process level Unix System Services limits defined for the user, will be applied to the OAM usage of Unix System Services. The group and user associated with the OAM address space will be displayed in message IEF695I.
Although a process level limit also exists to specify the CPU time that a process can use (MAXCPUTIME), this limit does not apply to the OAM address space. Instead, the OAM address space is defined by default in MVS, as well as in the Program Properties Table (PPT) through member SCHEDxx of PARMLIB, as a system task that does not time out, so no CPU time limit is applied to the OAM usage of Unix System Services.
Table 1 provides examples of the commands that can be used to complete the Security Server (RACF) configuration.
| | Create | Update |
|---|---|---|
| Group | ADDGROUP oamgrp OMVS(GID(gid)) | ALTGROUP oamgrp OMVS(GID(gid)) |
| User | ADDUSER oam DFLTGRP(oamgrp) or ADDUSER oam DFLTGRP(oamgrp) | ALTUSER oam OMVS(UID(uid)) or ALTUSER oam OMVS(UID(uid)) |
| Connecting user to group (only if DFLTGRP was not originally specified on ADDUSER) | CONNECT oam GROUP(oamgrp) | |
| Resource profile for the OAM started task (assumes user name is "OAM") | RDEFINE STARTED OAM*.OAM* | RALTER STARTED OAM*.OAM* |
| Activate sharing of the resource profile | SETROPTS RACLIST(STARTED) REFRESH | SETROPTS RACLIST(STARTED) REFRESH |
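The "create" path of the table as a complete batch TSO job, added here as an example and not taken from the IBM documentation. The job card, the GID and UID value 4001, the home directory /u/oam, and the use of IKJEFT01 are assumptions; the commands are standard RACF syntax, with NOPASSWORD NOOIDCARD making the user a protected ID that has no logon credentials, and STDATA carrying the user and group that the STARTED profile assigns.

```jcl
//OAMRACF  JOB (ACCT),'OAM RACF SETUP',CLASS=A,MSGCLASS=X
//*
//* Assumed values (replace with installation-specific ones):
//*   job card, GID 4001, UID 4001, home directory /u/oam.
//* The commands run through TSO in batch (IKJEFT01) so that
//* the definitions are recorded in the job output for review.
//*
//* ADDGROUP/ADDUSER: group and user with OMVS segments; the
//*   OMVS segment is also where any optional process limits go.
//* NOPASSWORD NOOIDCARD: a protected user ID with no password
//*   or OID card, so the ID cannot be used to log in.
//* RDEFINE STARTED: STDATA maps procedure/job names matching
//*   OAM*.OAM* to the user and group defined above.
//* SETROPTS RACLIST(STARTED) REFRESH: assumes the STARTED
//*   class is already active and RACLISTed.
//* LISTGRP/LISTUSER/RLIST: display the result for verification
//*   (confirm the UID is unique and the STDATA mapping is right).
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  ADDGROUP OAMGRP OMVS(GID(4001))
  ADDUSER  OAM DFLTGRP(OAMGRP) NOPASSWORD NOOIDCARD +
           OMVS(UID(4001) HOME('/u/oam'))
  RDEFINE  STARTED OAM*.OAM* STDATA(USER(OAM) GROUP(OAMGRP))
  SETROPTS RACLIST(STARTED) REFRESH
  LISTGRP  OAMGRP OMVS NORACF
  LISTUSER OAM OMVS NORACF
  RLIST    STARTED OAM*.OAM* STDATA
/*
```

After the OAM procedure is started, message IEF695I should report the user OAM and group OAMGRP for the address space; if it reports a different identity, check the RLIST output for a more specific STARTED profile that matched first.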