Activate the security settings and classes

z/OS® Explorer utilizes a variety of security mechanisms to ensure a secure and controlled host environment for the client. To do so, several classes and security settings must be active, as shown with the following sample RACF® commands:
  • Display current settings
    • SETROPTS LIST
  • Activate facility class for z/OS UNIX and digital certificate profiles
    • SETROPTS GENERIC(FACILITY)
    • SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
  • Activate started task definitions
    • SETROPTS GENERIC(STARTED)
    • RDEFINE STARTED ** STDATA(USER(=MEMBER) GROUP(STCGROUP) TRACE(YES))
    • SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
  • Activate console security for JES Job Monitor
    • SETROPTS GENERIC(CONSOLE)
    • SETROPTS CLASSACT(CONSOLE) RACLIST(CONSOLE)
  • Activate operator command protection for JES Job Monitor
    • SETROPTS GENERIC(OPERCMDS)
    • SETROPTS CLASSACT(OPERCMDS) RACLIST(OPERCMDS)
  • Activate application protection for RSE
    • SETROPTS GENERIC(APPL)
    • SETROPTS CLASSACT(APPL) RACLIST(APPL)
  • Activate secured signon using PassTickets for RSE
    • SETROPTS GENERIC(PTKTDATA)
    • SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
  • Activate program control to ensure that only trusted code can be loaded by RSE
    • RDEFINE PROGRAM ** ADDMEM('SYS1.CMDLIB'//NOPADCHK) UACC(READ)
    • SETROPTS WHEN(PROGRAM)
      Note: Do not create the ** profile if you already have a * profile in the PROGRAM class. Adding a ** profile alongside an existing * profile obscures and complicates the search path used by your security software. If a * profile exists, merge the existing * and the new ** definitions. IBM® recommends using the ** profile, as documented in Security Server RACF Security Administrator's Guide (SA22-7683).
      Attention: Some products, such as FTP, must be program controlled if "WHEN PROGRAM" is active. Test this before activating it on a production system.
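
To confirm the result of the commands above, the captured output of SETROPTS LIST can be checked for each class and for program control. The following Python script is an added example, not part of the IBM documentation; it assumes the report uses unindented `HEADING = values` lines with indented continuation lines, and the sample report in it is constructed.

```python
import re

# Classes this page activates with GENERIC, CLASSACT and RACLIST.
REQUIRED = ("FACILITY", "STARTED", "CONSOLE", "OPERCMDS", "APPL", "PTKTDATA")
# SETROPTS LIST headings (assumed wording) -> SETROPTS operand that sets them.
HEADINGS = {"ACTIVE CLASSES": "CLASSACT",
            "GENERIC PROFILE CLASSES": "GENERIC",
            "SETR RACLIST CLASSES": "RACLIST"}

# Constructed sample report: PTKTDATA is not active, CONSOLE is not
# RACLISTed, and program control is off.
SAMPLE = """\
ATTRIBUTES = INITSTATS NOWHEN(PROGRAM) SAUDIT
ACTIVE CLASSES = DATASET USER GROUP APPL CONSOLE FACILITY OPERCMDS
                 STARTED TSOPROC
GENERIC PROFILE CLASSES = DATASET APPL CONSOLE FACILITY OPERCMDS PTKTDATA
                          STARTED
SETR RACLIST CLASSES = APPL FACILITY OPERCMDS PTKTDATA STARTED
"""

def parse_setropts(text):
    """Return {heading: values}, folding indented continuation lines."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():          # continuation of the previous heading
            if current:
                fields[current] += " " + line.strip()
        elif "=" in line:              # new "HEADING = values" line
            key, _, value = line.partition("=")
            current = key.strip()
            fields[current] = value.strip()
        else:                          # free-text line ends the current field
            current = None
    return fields

def audit(text):
    """List the SETROPTS settings from this page that the report lacks."""
    fields = parse_setropts(text)
    gaps = [f"{operand}({cls})"
            for heading, operand in HEADINGS.items()
            for cls in REQUIRED
            if cls not in fields.get(heading, "").split()]
    # \b keeps NOWHEN(PROGRAM) from being read as WHEN(PROGRAM).
    if not re.search(r"\bWHEN\(PROGRAM\b", fields.get("ATTRIBUTES", "")):
        gaps.append("WHEN(PROGRAM)")
    return gaps

if __name__ == "__main__":
    for gap in audit(SAMPLE):
        print("missing: SETROPTS", gap)
```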