Configuring the Liberty server angel process

The angel process provides authorized services to WebSphere® Application Server Liberty Profile servers.

The angel process is started from the MVS console. All the WebSphere Application Server Liberty Profile servers that are running on a z/OS® image can share a single angel process, regardless of the level of code that the servers are running or whether they are running inside the zRule Execution Server for z/OS.

If you have not enabled security for the zRule Execution Server for z/OS, you do not need to run an angel process or implement the associated security rules. zRule Execution Server for z/OS security is only enabled when you create the HBRADMIN SAF class and you have not created any <HBRSSID_NAME>.NO.SUBSYS.SECURITY profiles.

The angel process started task

The angel process started task JCL procedure is shipped with Operational Decision Manager for z/OS in the ++HBRINSTPATH++ directory.

Procedure

  1. Copy the JCL to a JES procedure library, for example:
    cp -S d=.jcl ++HBRINSTPATH++/zexecutionserver/wlp/templates/zos/procs/bbgzangl.jcl "//'SYS1.PROCLIB'"
  2. Edit the JCL and change the ROOT variable to the value ++HBRINSTPATH++/zexecutionserver/wlp, for example:
    SET ROOT='/usr/lpp/zDM/V8R8M1/zexecutionserver/wlp'

Results

The message returned by the MODIFY BBGZANGL,DISPLAY,SERVERS operator command lists the zRule Execution Server for z/OS instances that have an active Liberty server and other non-Operational Decision Manager for z/OS Liberty servers that are connected to the angel process.

The angel process started task SAF rules

About this task

The Liberty Profile server requires multiple SAF profiles in the STARTED and SERVER classes. Proceed as follows to create them.

Procedure

  1. The user ID that the angel process runs under needs the SAF STARTED profile, for example:
    RDEFINE STARTED BBGZANGL.* UACC(NONE) STDATA(USER(<WLPUSER>))
    SETROPTS RACLIST(STARTED) REFRESH

    The Operational Decision Manager for z/OS zRule Execution Server for z/OS Liberty server runs under the authority of the zRule Execution Server for z/OS started task user ID. This user ID needs to be able to connect to the angel process to use authorized services.

  2. To allow the zRule Execution Server for z/OS Liberty server to connect to the angel process, create a profile for the angel process (BBG.ANGEL) in the SERVER class. Give the zRule Execution Server for z/OS started task user ID (<HBRSSID_USER>) authority to access it, for example, in RACF:
    RDEFINE SERVER BBG.ANGEL UACC(NONE)
    PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
  3. To allow a Liberty server to use the z/OS authorized services, create a SERVER profile for the authorized module BBGZSAFM and give the zRule Execution Server for z/OS started task user ID (<HBRSSID_USER>) authority to access it, for example, in RACF:
    RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
    PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
  4. To allow the zRule Execution Server for z/OS Liberty server to access the services necessary for security, create a profile for the SAF authorized user registry services and SAF authorization services (SAFCRED) in the SERVER class. Give the zRule Execution Server for z/OS started task user ID (<HBRSSID_USER>) authority to access it, for example, in RACF:
    RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
    PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(<HBRSSID_USER>)
  5. Refresh the SERVER resource:
    SETROPTS RACLIST(SERVER) REFRESH
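
One way to check a RACF command file against the steps above before it is submitted (an added example, not IBM's code): it confirms that the four profiles are defined with UACC(NONE), that the started task user ID has READ on the three SERVER profiles, and that every changed class is refreshed. The function name audit, the sample commands and the user IDs ODMSRV and WLPANGL are constructed for illustration, and only the spelled-out command forms used on this page are recognised.

```python
import re

# Profiles created by the procedure above: (class, profile) -> PERMIT needed?
REQUIRED = {
    ("STARTED", "BBGZANGL.*"): False,
    ("SERVER", "BBG.ANGEL"): True,
    ("SERVER", "BBG.AUTHMOD.BBGZSAFM"): True,
    ("SERVER", "BBG.AUTHMOD.BBGZSAFM.SAFCRED"): True,
}

def audit(commands, server_user):
    """Check RACF command strings against the procedure; return findings."""
    user = server_user.upper()
    defined, access, stale, findings = {}, {}, set(), []
    for raw in commands:
        cmd = " ".join(raw.upper().split())  # normalise case and spacing
        if m := re.match(r"RDEFINE (\S+) (\S+)(.*)", cmd):
            defined[(m[1], m[2])] = "UACC(NONE)" in m[3]
            stale.add(m[1])
        elif m := re.match(r"PERMIT (\S+) (.*)", cmd):
            cls = re.search(r"CLASS\((\w+)\)", m[2])
            acc = re.search(r"ACCESS\((\w+)\)", m[2])
            ids = re.search(r"\bID\(([^)]*)\)", m[2])
            if cls and acc and ids:
                for uid in re.split(r"[ ,]+", ids[1].strip()):
                    access[(cls[1], m[1], uid)] = acc[1]
                stale.add(cls[1])
        elif m := re.match(r"SETROPTS RACLIST\((\w+)\) REFRESH", cmd):
            stale.discard(m[1])  # changes so far are now active
    for (cls, prof), needs_permit in REQUIRED.items():
        if (cls, prof) not in defined:
            findings.append(f"{cls} {prof}: no RDEFINE")
        elif not defined[(cls, prof)]:
            findings.append(f"{cls} {prof}: RDEFINE lacks UACC(NONE)")
        if needs_permit and access.get((cls, prof, user)) != "READ":
            got = access.get((cls, prof, user), "no access")
            findings.append(f"{cls} {prof}: {user} has {got}, expected READ")
    findings += [f"{c}: not refreshed after last change" for c in sorted(stale)]
    return findings

# Constructed sample with three defects; ODMSRV and WLPANGL are made-up user IDs.
SAMPLE = """RDEFINE STARTED BBGZANGL.* UACC(NONE) STDATA(USER(WLPANGL))
SETROPTS RACLIST(STARTED) REFRESH
RDEFINE SERVER BBG.ANGEL UACC(READ)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(ODMSRV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(ODMSRV)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)""".splitlines()
```

Calling audit(SAMPLE, "ODMSRV") reports the BBG.ANGEL profile defined without UACC(NONE), the missing PERMIT on the SAFCRED profile, and the SERVER class left unrefreshed.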

What to do next

For more information, see: Enabling z/OS authorized services in Liberty for z/OS

Starting the angel process started task

Procedure

  1. The angel process must be running before the zRule Execution Server for z/OS starts in CONSOLE, HTDS, or TEST mode. To start or stop the angel process, issue the following operator commands:
    START BBGZANGL
    STOP BBGZANGL
  2. To display the Liberty servers that are connected to the angel process, issue the following operator command:
    MODIFY BBGZANGL,DISPLAY,SERVERS