IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring broker user IDs on z/OS

When you create your brokers on z/OS®, you must set up security by configuring broker user IDs with the appropriate permissions.

Before you start

Before starting this task, read Integration Bus server security and Creating a broker on z/OS.

The following steps guide you through configuring a broker user ID on z/OS:

  1. Decide on the started task name of the broker. This name is used to set up started task authorizations, and to manage your system performance.
  2. Decide on a dataset naming convention for your IBM® Integration Bus PDSE. A typical name might be WMQI.MQP1BRK.CNTL, where MQP1 is the queue manager name. You must give the IBM Integration Bus, WebSphere® MQ, and z/OS administrators access to these data sets. You can control access in several ways, for example:
    • Give each user individual access to the specific data set
    • Define a generic data set profile and a group that contains the user IDs of the administrators, then grant that group CONTROL access to the generic data set profile
  3. Configure access to components and resources on z/OS. For more information, see Summary of required access (z/OS).
  4. Define an OMVS group segment for the administrators' group from step 2, so that group information can be extracted from the External Security Manager (ESM) database; this is required to use Publish/Subscribe security.
  5. Define an OMVS segment for the started task user ID, and give its home directory enough space to hold any IBM Integration Bus memory dumps. Consider using the started task procedure name as the started task user ID.
  6. Check that your OMVS segment is defined by using the following TSO command:
    LU userid OMVS
    The command output includes the OMVS segment, for example:
    USER=MQP1BRK NAME=SMITH, JANE OWNER=TSOUSER
    CREATED=99.342 DEFAULT-GROUP=TSOUSER PASSDATE=01.198
    PASS-INTERVAL=30
    ......
    OMVS INFORMATION
    ----------------
    UID=0000070594
    HOME=/u/MQP1BRK
    PROGRAM=/bin/sh
    CPUTIMEMAX=NONE
    ASSIZEMAX=NONE
    FILEPROCMAX=NONE
    PROCUSERMAX=NONE
    THREADSMAX=NONE
    MMAPAREAMAX=NONE
    The command:
    df -P /u/MQP1BRK
    displays the space used and available in the file system that contains /u/MQP1BRK, where /u/MQP1BRK is the HOME value shown in the LU output. Check with your data administrator that this space is sufficient: you require a minimum of 400 000 blocks available if a memory dump is taken.
  7. Associate the started task procedure with the user ID to be used. For example, you can use the STARTED class in RACF®. The IBM Integration Bus and z/OS administrators must agree on the name of the started task.
  8. IBM Integration Bus administrators require an OMVS segment and a home directory. Check the setup previously described.
  9. The started task user IDs and the IBM Integration Bus administrators require access to the install processing files, the component-specific files, and the home directory of the started task. During customization, the file ownership can be changed to alter group access. This change might require superuser authority.
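The following batch job carries steps 2, 4, 5, 6 and 7 through with RACF as the ESM. It is an added example, not a job shipped with IBM Integration Bus or taken from this page. The UID (70594), HOME (/u/MQP1BRK) and PROGRAM (/bin/sh) values are the ones shown in the LU output above; the group name MQP1ADM, its GID 2001, the administrator user ID IIBADM1, the job card and the assumption that the started task procedure is also called MQP1BRK are hypothetical. The high-level qualifier WMQI must already exist as a RACF user or group before ADDSD will accept the profile.

```jcl
//RACFBRK  JOB (ACCT),'IIB BROKER USERID',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*
//* Added example, not from the IBM page. Assumed names: group MQP1ADM
//* (GID 2001), admin user IIBADM1, started task procedure MQP1BRK.
//* UID 70594, HOME and PROGRAM are the values in the page's LU output.
//* Submit under a user ID with RACF SPECIAL; SETROPTS needs it.
//*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  DATA,DLM='##'
/* Steps 2 and 4: administrators' group with an OMVS group segment  */
ADDGROUP MQP1ADM OWNER(SYS1) SUPGROUP(SYS1) OMVS(GID(2001))
CONNECT  IIBADM1 GROUP(MQP1ADM) AUTHORITY(USE)
/* Step 5: started task user ID. NOPASSWORD NOOIDCARD makes it a     */
/* protected user ID: nobody can log on with it and a password-guess */
/* storm cannot revoke it. The UID is deliberately not 0 (root).     */
ADDUSER  MQP1BRK NAME('IIB BROKER MQP1') OWNER(SYS1) DFLTGRP(MQP1ADM) +
    NOPASSWORD NOOIDCARD +
    OMVS(UID(70594) HOME('/u/MQP1BRK') PROGRAM('/bin/sh'))
/* Step 7: bind the started task procedure MQP1BRK to that user ID   */
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
RDEFINE  STARTED MQP1BRK.* +
    STDATA(USER(MQP1BRK) GROUP(MQP1ADM) TRUSTED(NO) PRIVILEGED(NO))
SETROPTS RACLIST(STARTED) REFRESH
/* Step 2: one generic profile covers WMQI.MQP1BRK.CNTL and the     */
/* other WMQI.MQP1BRK.* data sets. Admins get CONTROL, the broker    */
/* user ID gets READ, everyone else gets nothing (UACC(NONE)).       */
SETROPTS GENERIC(DATASET)
ADDSD    'WMQI.MQP1BRK.**' UACC(NONE) OWNER(MQP1ADM)
PERMIT   'WMQI.MQP1BRK.**' ID(MQP1ADM) ACCESS(CONTROL)
PERMIT   'WMQI.MQP1BRK.**' ID(MQP1BRK) ACCESS(READ)
SETROPTS GENERIC(DATASET) REFRESH
/* Step 6: verify the OMVS segments before starting the broker      */
LISTGRP  MQP1ADM OMVS
LU       MQP1BRK OMVS
##
```

The job only creates the RACF definitions; the home directory itself is created from a superuser shell afterwards, for example `mkdir -p /u/MQP1BRK && chown MQP1BRK:MQP1ADM /u/MQP1BRK && chmod 750 /u/MQP1BRK`, followed by the `df -P /u/MQP1BRK` check from step 6. If the STARTED class is already active and RACLISTed, the first SETROPTS is harmless; if the STARTED profile is missing or does not match, the procedure starts under the default started task user ID from the ICHRIN03 table, so always confirm the binding with `RLIST STARTED MQP1BRK.* STDATA` before the first start.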

On z/OS, you can specify an alternative user ID to run an integration server so that it accesses resources according to the permissions assigned to it, rather than the permissions assigned to the main broker user ID; for more information, see Integration server user IDs on z/OS. For information about how to specify an integration server user ID, see Specifying an alternative user ID to run an integration server on z/OS.

When the service user ID runs as root (UID 0), all libraries loaded by the broker, including all user-written plug-in libraries and any shared libraries that they load, also have root access to all system resources (for example, file systems). Review and assess the risk involved before granting this level of authorization; a started task user ID with a non-zero UID, as in the OMVS segment shown in step 6, avoids it.


be28920_.htm | Last updated Friday, 21 July 2017