Security configuration for the file system

To allow the OAM address space to access directories and files in the Unix file system hierarchy, the Security Server (RACF) or an equivalent security product must be configured to provide both a Unix System Services group (with an associated group ID) and a user (with an associated user ID) for the OAM started procedure. The following description assumes use of the Security Server (RACF), and the examples assume that the STARTED class is defined, which is the preferred method for assigning identities to started procedures such as the procedure you use to start the OAM address space. If you already have a group and user defined for the OAM started procedure, review your configuration to ensure that it meets the criteria identified below; at a minimum, the group and user may need to be altered. The description below outlines the steps required to configure the Security Server (RACF) for the OAM started procedure.

The group should:
The user:

The intent is that the user that is defined cannot be used to log in to Unix System Services. Configuration for OAM within the Unix file system hierarchy is performed by a superuser; after that point the OAM address space (through the OAM-specific group and user) is the only entity that should have access to the directories and files containing OAM object data (other than a non-OAM backup mechanism, which typically relies upon superuser privileges to access directories and files, so membership in the OAM-specific group is not required for it).

Complete the following steps:

  1. Create or update the group specifically for OAM usage.
  2. Create or update the user specifically for OAM usage (optionally specify the Unix System Services process-level limits PROCUSERMAX and FILEPROCMAX).
  3. Connect the user to the group (if not already connected).
  4. Create or update a resource profile to associate the name of the OAM started procedure with the OAM-specific group and user.

With this Security Server (RACF) configuration in place, when an operator starts OAM, the OAM procedure name is used to find a matching resource profile and the resource profile then provides the group and user to be associated with the OAM address space. This group and user (and associated group ID and user ID), as well as any optional process level Unix System Services limits defined for the user, will be applied to the OAM usage of Unix System Services. The group and user associated with the OAM address space will be displayed in message IEF695I.

Although a process-level limit also exists to specify the CPU time that a process can use (MAXCPUTIME), this limit does not apply to the OAM address space. Instead, the OAM address space is defined by default in MVS, as well as in the Program Properties Table (PPT) by member SCHEDxx of PARMLIB, as a system task that does not time out, so no CPU time limit is applied to the OAM usage of Unix System Services.

Table 1 provides examples of the commands that can be used to complete the Security Server (RACF) configuration.

Table 1. Commands for completing the security configuration

Group
  Create: ADDGROUP oamgrp OMVS(GID(gid))
  Update: ALTGROUP oamgrp OMVS(GID(gid))

User
  Create:
    ADDUSER oam DFLTGRP(oamgrp) OWNER(oamgrp) NAME('OAM Address Space')
      NOPASSWORD OMVS(UID(uid))
    or
    ADDUSER oam DFLTGRP(oamgrp) OWNER(oamgrp) NAME('OAM Address Space')
      NOPASSWORD OMVS(UID(uid) FILEPROCMAX(fff) PROCUSERMAX(ppp))
  Update:
    ALTUSER oam OMVS(UID(uid))
    or
    ALTUSER oam OMVS(UID(uid) FILEPROCMAX(fff) PROCUSERMAX(ppp))

Connecting the user to the group (only if DFLTGRP was not originally specified on ADDUSER)
  CONNECT oam GROUP(oamgrp)

Resource profile for the OAM started task (assumes the user name is "OAM")
  Create: RDEFINE STARTED OAM*.OAM* STDATA(USER(=MEMBER) GROUP(oamgrp))
  Update: RALTER STARTED OAM*.OAM* STDATA(USER(=MEMBER) GROUP(oamgrp))

Activate sharing of the resource profile
  SETROPTS RACLIST(STARTED) REFRESH

Note: Although the Security Server (RACF) group and user can be different on each system within an OAMplex, the associated group ID in the OMVS segment must be the same on all systems in the OAMplex and the associated user ID in the OMVS segment must be the same on all systems in the OAMplex.
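The four steps above, run end to end as one batch job, are shown here as an added example; it is not part of the original page and not IBM-supplied JCL. It runs the "Create" commands from Table 1 through the TSO batch processor (IKJEFT01), then lists the resulting definitions so the GID, UID and STDATA assignment can be checked, and finally restricts an OAM object directory to the OAM identity. The GID 1234, UID 5678, the FILEPROCMAX and PROCUSERMAX values, the path /oam/data and the job-card accounting values are constructed placeholders; names are written in upper case because TSO folds them anyway. Use the "Update" forms (ALTGROUP, ALTUSER, RALTER) instead if the group, user or profile already exist.

```jcl
//OAMRACF  JOB (ACCT),'OAM SECURITY SETUP',CLASS=A,MSGCLASS=X
//* Step 1: RACF definitions for the OAM started task, entered as
//*         TSO commands in batch. Placeholders to replace first:
//*           GID 1234 and UID 5678 (must match on every OAMplex
//*           system), FILEPROCMAX/PROCUSERMAX (optional limits).
//*         NOPASSWORD leaves the user unable to log in; STDATA sets
//*         neither TRUSTED nor PRIVILEGED, so the address space gets
//*         only the access its own user and group are granted.
//*         The LIST* commands at the end print the OMVS segments
//*         and the STARTED profile for verification in SYSTSPRT.
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP OAMGRP OMVS(GID(1234))
  ADDUSER  OAM DFLTGRP(OAMGRP) OWNER(OAMGRP) -
           NAME('OAM ADDRESS SPACE') NOPASSWORD -
           OMVS(UID(5678) FILEPROCMAX(512) PROCUSERMAX(64))
  RDEFINE  STARTED OAM*.OAM* STDATA(USER(=MEMBER) GROUP(OAMGRP))
  SETROPTS RACLIST(STARTED) REFRESH
  LISTGRP  OAMGRP OMVS
  LISTUSER OAM OMVS
  RLIST    STARTED OAM*.OAM* STDATA
/*
//* Step 2: give the object directory tree to the OAM identity and
//*         close it to everyone else (mode 770: owner and group
//*         only). /oam/data is an assumed path. chown requires the
//*         submitting user to be a superuser (UID 0).
//FSPERMS  EXEC PGM=BPXBATCH,
//  PARM='SH chown -R OAM:OAMGRP /oam/data; chmod -R 770 /oam/data'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
```

In SYSTSPRT, LISTUSER OAM OMVS should show UID 5678 with the process limits, LISTGRP OAMGRP OMVS should show GID 1234, and RLIST ... STDATA should show USER= =MEMBER and GROUP= OAMGRP; the same GID and UID must then be repeated on each system of the OAMplex, as the Note above requires. The IEF695I message issued when the OAM procedure is started confirms which user and group were actually assigned.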