Security requirements on IBM z/OS computers

To deploy applications to an IBM® z/OS® environment, the user accounts on the agent computer must have adequate access permissions. You must also identify specific directories and data sets to the authorized program facility.

Agent user accounts

If you run the agent from a UNIX command line, the agent user account is the account that you use to log on to the UNIX shell. If you run the agent as a started task, the agent user account is assigned by the Resource Access Control Facility (RACF®) by using the started procedures table (ICHRIN03) or the STARTED class. To learn more about RACF, see the z/OS Security Server RACF System Programmer's Guide, SA23-2287-00.

The agent user account must have the following prerequisites:
  • Access to the Time Sharing Option (TSO) and Interactive System Productivity Facility (ISPF) environments.
  • The ability to create temporary data sets. By default, IBM UrbanCode™ Deploy uses the data-set prefix that is stored in the TSO profile. Otherwise, IBM UrbanCode Deploy uses the user ID as a temporary data-set prefix. You can specify a different prefix by setting the BUZ_TMP_DSN_PREFIX environment variable in setenv-zos.sh.
  • Sufficient virtual memory to run Java™ in the OMVS address space is required. The amount of required memory can vary based on which plug-ins are used in deployment processes. The following list includes typical values for RACF configuration parameters that specify virtual memory:
    • ASSIZEMAX= 2147483647
    • FILEPROCMAX= 00524287
    • PROCUSERMAX= 00032767
    • THREADSMAX= 00100000
  • Sufficient virtual storage limits, if the agent is running as a started task. To set the virtual storage limits, specify the REGION=0M parameter in the EXEC PGM=BPXBATCH statement.
  • A protected ID (an ID that cannot be used to log on) can be used as the agent ID. Because of this limitation, a protected ID cannot be used in steps that require a password or password phrase, for example, the Submit Job step or the CICS TS plug-in steps.
The agent user account must have access to the following UNIX directories and files, and MVS™ data sets.
Table 1. Agent user account permissions

  Directories, files, and data sets                                                   Required access permissions
  The /tmp directory or the agent/var/temp directory.                                 RW
  The agent/var/work directory.                                                       RW
  The agent/var/repository directory (stores artifacts when an HFS CodeStation is used).   R
  The agent/var/deploy directory (stores backup data and deployment results).         RW
  The agent/var/log/ispf directory (stores ISPF gateway log files).                   RW
  The HLQ.SBUZAUTH, HLQ.SBUZEXEC, HLQ.SBUZMENU, and HLQ.SBUZSAMP data sets             R
The access permissions are set up when you install the agent. If you use a different user account to run the agent, the access permissions must be set correctly for that account.

User accounts to import component versions

Component versions are imported from the build LPAR by using the buzltool.sh command line or by submitting JCL that runs BUZTOOL. The user account that imports versions must have the following prerequisites:
  • Access to the Time Sharing Option (TSO) and Interactive System Productivity Facility (ISPF) environments
  • Sufficient virtual memory to run Java in the OMVS address space. A minimum of 200 MB of virtual memory is required. The following list includes typical values for RACF configuration parameters that specify virtual memory:
    • ASSIZEMAX= 2147483647
    • FILEPROCMAX= 00524287
    • PROCUSERMAX= 00032767
    • THREADSMAX= 00100000
The user account that runs the deployment tools must have access to the following UNIX directories and files, and MVS data sets.
Table 2. Deployment tools user account permissions

  Directories, files, and data sets                                                   Required access permissions
  The agent/var/repository directory (stores artifacts when an HFS CodeStation is used).   RW
  The agent/var/log/ispf directory (stores ISPF gateway log files).                   RW
  The HLQ.SBUZAUTH, HLQ.SBUZEXEC, HLQ.SBUZMENU, and HLQ.SBUZSAMP data sets             R
  The agent/conf/agent directory.                                                     RW

Authorized program facility

The following directories and data sets must be authorized by the authorized program facility (APF).
Table 3. APF-authorized directories and data sets

  Directories and data sets     Requirement
  The HLQ.SBUZAUTH data set     The load module BUZJMON must be APF-authorized.
  agent/bin/checkaccess         The extended attributes must be set so that the checkaccess utility is APF-authorized. To set the APF extended attribute, type extattr +a agent/bin/checkaccess at a z/OS UNIX command prompt.
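The following preflight script is an added example, not part of IBM UrbanCode Deploy: run from the z/OS UNIX shell as the account in question, it checks the UNIX entries of Table 1 (agent account) and Table 2 (import account) and the APF extended attribute from Table 3. It assumes the agent home layout shown in the tables and that z/OS `ls -E` prints the extended attributes as its second field; the HLQ.* data sets are MVS resources that must be verified with RACF instead.

```shell
#!/bin/sh
# Constructed preflight check for the UrbanCode Deploy z/OS agent account.
# Not part of the product: run it from the z/OS UNIX shell as the account
# that will run the agent (Table 1) or import versions (Table 2).

# check_access PATH MODE: MODE is "R" or "RW". Returns 0 when the current
# user has that access, 1 otherwise (test -r/-w use the effective UID, so
# the result reflects the account the check runs under).
check_access() {
    path=$1; mode=$2
    [ -e "$path" ] || { echo "MISSING $mode $path"; return 1; }
    if [ -r "$path" ] && { [ "$mode" = "R" ] || [ -w "$path" ]; }; then
        echo "OK      $mode $path"; return 0
    fi
    echo "DENIED  $mode $path"; return 1
}

# check_agent_dirs AGENT_HOME: the UNIX entries of Table 1 (agent account).
# Prints each result and returns the number of failing entries. The HLQ.*
# data sets are MVS resources; verify them with RACF (LISTDSD), not here.
check_agent_dirs() {
    home=$1; fails=0
    for entry in "RW $home/var/temp" "RW $home/var/work" \
                 "R $home/var/repository" "RW $home/var/deploy" \
                 "RW $home/var/log/ispf"; do
        set -- $entry
        check_access "$2" "$1" || fails=$((fails + 1))
    done
    return $fails
}

# check_import_dirs AGENT_HOME: the UNIX entries of Table 2 (import account).
check_import_dirs() {
    home=$1; fails=0
    for entry in "RW $home/var/repository" "RW $home/var/log/ispf" \
                 "RW $home/conf/agent"; do
        set -- $entry
        check_access "$2" "$1" || fails=$((fails + 1))
    done
    return $fails
}

# check_apf_attr FILE: Table 3. On z/OS, "ls -E" lists the extended
# attributes as the second field and the APF bit shows as 'a' (assumed
# output layout). Returns 2 on systems without extattr, where it cannot run.
check_apf_attr() {
    command -v extattr >/dev/null 2>&1 || { echo "SKIP    APF $1"; return 2; }
    ls -E "$1" | awk '{ print $2 }' | grep -q a && { echo "OK      APF $1"; return 0; }
    echo "NOT-APF $1 (fix: extattr +a $1)"; return 1
}
```

A non-zero return from check_agent_dirs or check_import_dirs is the count of entries the account cannot access, so the script can gate an agent start or an import job in automation.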

Tokens

Tokens are used to authenticate with the IBM UrbanCode Deploy server when z/OS component versions are imported. Tokens are stored in the installed.properties file and can be updated when a new token must be used. Tokens are encrypted after the first time they are used. To learn more about tokens, see Tokens.