Example 6 - Defining a Surrogate for User IDs with No Password

Use the BPX.SERVER profile to set the scope of z/OS resources that the server can access when acting as a surrogate for its clients. BPX.SERVER UPDATE access lets the server establish a thread level (task-level) security environment for clients connecting to the server. When the IBM® RACF identity of the application server is granted UPDATE authority to BPX.SERVER in the IBM RACF FACILITY class, the server can act as a surrogate for the client.

This procedure contains sample IBM RACF commands. For more information, refer to IBM RACF manuals. For more information about how to define SURROGAT in other external security products, such as ACF2 or CA-TOP SECRET, refer to the manuals of the specific vendor.

  1. Make sure that the Stage 2 Security exit can verify if Stage 1 has set the dummy password in SQCB. The DGASECUR macro contains label STG1NPW which includes the following instruction:
    OI SQFLAG,SQDUMMY DUMMY PASSWORD USED P768101
  2. Identify all user IDs that will access HFS without supplying their password.
  3. To activate the SURROGAT class support in IBM RACF, if it has not already been set up on your system, issue the following command:
    SETROPTS CLASSACT(SURROGAT)
    Note: You only have to activate this feature one time.
  4. If you want to cache the SURROGAT profiles in storage to enable you to refresh and immediately put all IBM RACF changes in effect immediately, issue the following command:
    SETROPTS RACLIST(SURROGAT)
    Note: If you do not use the RACLIST option, the changes made during this procedure will not take effect until the next IPL.
  5. To create the SURROGAT class profile for a particular user, issue the following command:
    RDEFINE SURROGAT BPX.SRV.UUUUUUUU UACC(NONE)

    where UUUUUUUU is the user ID you are creating a profile for.

  6. Repeat Step 5 for each user ID that requires HFS support without a password with a SURROGAT profile.
    Note: To define all users in one command, you can specify BPX.SRV.* .
  7. To give a user the authority to create a thread-level security environment for another user, issue the following command:
    PERMIT BPX.SRV.UUUUUUUU CLASS(SURROGAT) ID(CDIRECT) ACCESS(READ)

    where the DTF user called CDIRECT is the user you are granting permission to create the security environment for another user called UUUUUUUU.

  8. Repeat Step 8 for each user ID that requires HFS support without a password with a SURROGAT profile.
    Note: To define all users in one command, you can specify BPX.SRV.* .
  9. Verify that the DTF User ID has sufficient access to HFS files along with both IBM RACF access and z/OS UNIX System Services permissions.
  10. If you are using the RACLIST option, issue the following command to refresh and put your changes in effect for the SURROGAT class:
    SETROPTS RACLIST(SURROGAT) REFRESH
  11. To check whether the DTF Userid has been defined to the BPX.SRV.uuuuuuuu SURROGAT class profile, use the following RLIST command:
    RLIST SURROGAT BPX.SRV.uuuuuuuu AUTHUSER

    where uuuuuuuu is the user ID whose requests IBM Connect:Direct® needs to process.

    The system displays the user ID (which should be the DTF Userid) and access rights of the user ID that can act as a surrogate for uuuuuuuu.

    CAUTION:
    Be aware of the REMOTE.DUMMY.PASSWORD and Adjacent Node settings for Node to Node communication.
    SAFB022I – DGADABMB - Dummy password usage by Adjacent Node rejected.
               An attempt was made by an Adjacent Node to use a dummy
               password to authorize access to the Connect:Direct local
               node. If the Init Parm REMOTE.DUMMY.PASSWORD setting is
               INTERNAL, only Adjacent Nodes having the INTERNAL
               attribute in the Netmap may use a dummy password for
               this purpose.