Step 3: Setting up security

This task will be performed by a security administrator.

About this task

After you have run the IZPINST job, the next step is to run the IZPSECUR job. The IZPINST job generates the IZPSECUR job and stores it in RUNHLQ.JCLLIB(IZPSECUR).

The IZPSECUR job performs the following tasks:

  • Defines a new class that will be called IZP
  • Defines a new profile in IZP
  • Refreshes or rebuilds IZP (RACF and ACF2 only)
  • Creates a non-login user:
    • with a password (ACF2 only)
    • without a password (RACF and Top Secret only)
  • Defines a data set profile
  • Grants access to a profile in IZP
  • Associates a user with a started task
  • Defines a new profile in CRYPTOZ
  • Grants access to a profile in CRYPTOZ
  • Creates the user and team list data sets, and populates the user list with initial content

Note: The IZPSECUR JCL can be found in the RUNHLQ.JCLLIB data set. If you want to review the details of the security setup, or want to complete the security setup manually without using the IZPSECUR job, see the JCL and refer to Setting up security for UMS.

Procedure

To set up the security task, perform the following steps:

  1. Edit the RUNHLQ.JCLLIB(IZPSECUR) job.
    Note: If an error occurs when running the IZPSECUR job, fix the error and resubmit the job to continue. The job resumes after the last successfully completed step.
    The return code of the IZPSECUR job tells you which step the job stopped at, so a nonzero return code is acceptable. Refer to the following table to see which steps correspond to which return codes:
    Important: The return codes in the table are for the entire job. The return code of the job tells you which script was in error. For example, if the job returned a return code of 1024, the script is stuck at ADDSUP, and you must resolve the issue with that step for the job to continue.
    Table 1. Steps, description, and return codes

    Step                  Description                                                                                        Return code
    IZPGRP                Creates <SURROGRP> and <IZPSTGRP> and connects <IZPOWNER> to both of them.                         256
    IZPALODS              Allocates the teamlist and userlist data sets.                                                     512
    RUN                   Creates and modifies resources in SAF and configures the resources created in the previous steps.  768
    ADDSUP                Adds the initial super administrators.                                                             1024
    ADDADM                Adds the initial team administrators or team members.                                              1280
    IZPTOKL and IZPTOKA   Lists the token and adds it if it does not already exist.                                          1536
    DONE                  Successful completion of the job.                                                                  0
  2. If a value below has not been replaced by IZPINST, then you must fill it in. If all of the values have been replaced, you should ensure that the data entered is correct before proceeding.
    SYSESM = #izp_esm
    where SYSESM represents the external security manager (ESM) installed on your system. SYSESM can be one of the following values: RACF, TSS, or ACF2.
    IZPOWNER = #izp_resource_owner
    where IZPOWNER represents the entity that will own any resources (classes, profiles, roles) created while this job is run. IZPOWNER must be a user, group, or department, depending on your SYSESM. IZPOWNER must be the user running this job, unless you have Top Secret for SYSESM, in which case, IZPOWNER must be a department. Additionally, the user running this job must have authority over the department specified. This variable is not replaced by IZPINST.
    SURROGRP = #izp_surr_grp
    where SURROGRP represents the default group that the created surrogate user IDs will be associated with. This group is created during the execution of this job. This group must not already exist. This should be a different value than IZPSTGRP.
    IZPSTUID = #izp_stc_uid
    where IZPSTUID represents the user ID that will be associated with the UMS started task. This variable is not replaced by IZPINST.
    IZPSTGRP = #izp_stc_grp
    where IZPSTGRP represents the default group that the IZPSTUID is associated with. This group is created during the execution of this job. This group must not already exist. This should be a different value than SURROGRP.
    TOKEN = #izp_pkcs11_token_name
    where TOKEN represents the name of a PKCS11 token that will be used to encrypt passwords.
    USERDSN = #izp_userlistdsn
    where USERDSN represents the data set name of the user list data set.
    TEAMDSN = #izp_teamlistdsn
    where TEAMDSN represents the data set name of the team list data set.
  3. (For RACF® only) POSITNO=608
    To migrate to a different POSIT number, see Migrating to a different POSIT number.
  4. (For ACF2) INITINC='#placeholder'
    where INITINC represents the initial include for the IZPSUPER, IZPADMIN, and IZPUSER ACF2 roles. When you replace the value, also remove the single quotation marks.
    Note: If you have ACF2 installed as the external security manager on your system, you must replace this with a value appropriate to your system.
  5. (For ACF2) INITPW='#placeholder'
    where INITPW represents the initial password for the super, admin, and user surrogate IDs. When you replace the value, also remove the single quotation marks.
    Note: If you have ACF2 installed as the external security manager on your system, you must replace this with a value appropriate to your system.
  6. Set the following values for adding users to the newly created User List and Team List data sets.
    1. INSTLOC, which represents the install location of the UMS.
    2. SUPUSRS, which represents the initial set of super users. Valid values are users and/or groups, space separated.

      Example: SUPUSRS='USER1 SUPGRP USER2'

    3. ADMUSRS, which represents the initial set of admin users. Valid values are users and/or groups, space separated.

      Example: ADMUSRS='USER1 ADMGRP USER2'

  7. Submit the IZPSECUR job.
    For more information on the IZPSECUR job, see Setting up security for UMS.
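As an added pre-submission check (an example written for this page, not part of the IZPSECUR job or the product), the following Python script parses the edited variable block, applies the constraints stated in steps 2 to 5 (no IZPINST placeholders left, SYSESM one of RACF/TSS/ACF2, SURROGRP different from IZPSTGRP, POSITNO present for RACF, the ACF2 values unquoted) and maps a job return code to the step in Table 1. The sample block and every value in it are constructed, and treating the two ACF2-only placeholders as acceptable on RACF and TSS is an assumption.

```python
import re

# Table 1: a nonzero return code names the step at which the job stopped.
STEP_FOR_RC = {0: "DONE", 256: "IZPGRP", 512: "IZPALODS", 768: "RUN",
               1024: "ADDSUP", 1280: "ADDADM", 1536: "IZPTOKL/IZPTOKA"}
REQUIRED = ("SYSESM IZPOWNER SURROGRP IZPSTUID IZPSTGRP TOKEN "
            "USERDSN TEAMDSN INSTLOC SUPUSRS ADMUSRS").split()
ASSIGN = re.compile(r"^\s*([A-Z0-9]+)\s*=\s*(.*?)\s*$")

def parse_vars(text):
    """Return {NAME: raw value} for each NAME = value line; quotes are kept."""
    return {m.group(1): m.group(2)
            for m in map(ASSIGN.match, text.splitlines()) if m}

def check_vars(v):
    """Return the list of problems found; an empty list means ready to submit."""
    esm = v.get("SYSESM")
    problems = [f"{n} missing" for n in REQUIRED if n not in v]
    for name, raw in v.items():
        # A '#...' value is an IZPINST placeholder that was never replaced; the
        # two ACF2-only values may stay as placeholders on RACF/TSS (assumption).
        if raw.strip("'").startswith("#") and not (
                name in ("INITINC", "INITPW") and esm != "ACF2"):
            problems.append(f"{name} still holds placeholder {raw}")
    if esm not in ("RACF", "TSS", "ACF2"):
        problems.append(f"SYSESM must be RACF, TSS or ACF2, not {esm!r}")
    if "SURROGRP" in v and v["SURROGRP"] == v.get("IZPSTGRP"):
        problems.append("SURROGRP and IZPSTGRP must be different groups")
    if esm == "RACF" and "POSITNO" not in v:
        problems.append("POSITNO is required for RACF")
    if esm == "ACF2":   # steps 4 and 5: the replacement drops the single quotes
        problems += [f"{n} must have its single quotes removed"
                     for n in ("INITINC", "INITPW") if v.get(n, "").startswith("'")]
    return problems

def failing_step(rc):
    """Map an IZPSECUR job return code to the step to fix before resubmitting."""
    return STEP_FOR_RC.get(rc, "unknown return code")

# Constructed sample block (no real system values): TOKEN keeps its IZPINST
# placeholder and the same group is used for SURROGRP and IZPSTGRP.
SAMPLE = ("SYSESM = RACF\nIZPOWNER = IZPADM\nSURROGRP = IZPSURR\n"
          "IZPSTUID = IZPSTC\nIZPSTGRP = IZPSURR\nTOKEN = #izp_pkcs11_token_name\n"
          "USERDSN = IZP.USERLIST\nTEAMDSN = IZP.TEAMLIST\nPOSITNO=608\n"
          "INITINC='#placeholder'\nINITPW='#placeholder'\nINSTLOC = /usr/lpp/izp\n"
          "SUPUSRS='USER1 SUPGRP USER2'\nADMUSRS='USER1 ADMGRP USER2'\n")

if __name__ == "__main__":
    for problem in check_vars(parse_vars(SAMPLE)):
        print("fix before submitting:", problem)
    print("RC 1024 means the job is stuck at", failing_step(1024))
```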