Use the BPX.SERVER profile to set the scope of z/OS resources that the server can access when acting as a surrogate for its clients. BPX.SERVER UPDATE access lets the server establish a thread-level (task-level) security environment for clients connecting to the server. When the IBM® RACF identity of the application server is granted UPDATE authority to BPX.SERVER in the IBM RACF FACILITY class, the server can act as a surrogate for the client.

This procedure contains sample IBM RACF commands. For more information, refer to the IBM RACF manuals. For more information about how to define SURROGAT in other external security products, such as ACF2 or CA-TOP SECRET, refer to the manuals of the specific vendor.
- Make sure that the Stage 2 Security exit can verify whether Stage 1 has set the dummy password in the SQCB. The DGASECUR macro contains the label STG1NPW, which includes the following instruction:
OI SQFLAG,SQDUMMY DUMMY PASSWORD USED P768101
- Identify all user IDs that will access HFS without supplying their password.
- To activate the SURROGAT class support in IBM RACF, if it has not already been set up on your system, issue the following command:
SETROPTS CLASSACT(SURROGAT)
Note: You only need to activate this feature once.
- If you want to cache the SURROGAT profiles in storage, so that you can refresh them and put all IBM RACF changes into effect immediately, issue the following command:
SETROPTS RACLIST(SURROGAT)
Note: If you do not use the RACLIST option, the changes made during this procedure will not take effect until the next IPL.
- To create the SURROGAT class profile for a particular user, issue the following command:
RDEFINE SURROGAT BPX.SRV.UUUUUUUU UACC(NONE)
where UUUUUUUU is the user ID you are creating a profile for.
- Repeat Step 5 for each user ID that requires HFS support without a password, so that each of these user IDs has a SURROGAT profile.
Note: To define all users in one command, you can specify BPX.SRV.* instead of a profile per user ID.
- To give a user the authority to create a thread-level security environment for another user, issue the following command:
PERMIT BPX.SRV.UUUUUUUU CLASS(SURROGAT) ID(CDIRECT) ACCESS(READ)
where CDIRECT is the DTF user ID that you are granting permission to create the security environment for the other user, UUUUUUUU.
- Repeat Step 8 for each user ID that requires HFS support without a password, so that the DTF user is permitted to each of the SURROGAT profiles.
Note: To cover all users in one command, you can specify BPX.SRV.* instead of a profile per user ID.
- Verify that the DTF user ID has sufficient access to HFS files, in terms of both IBM RACF access and z/OS UNIX System Services permissions.
- If you are using the RACLIST option, issue the following command to refresh the SURROGAT class and put your changes into effect:
SETROPTS RACLIST(SURROGAT) REFRESH
- To check whether the DTF user ID has been defined to the BPX.SRV.uuuuuuuu SURROGAT class profile, use the following RLIST command:
RLIST SURROGAT BPX.SRV.uuuuuuuu AUTHUSER
where uuuuuuuu is the user ID whose requests IBM Connect:Direct® needs to process.
The system displays the user ID (which should be the DTF user ID) and the access rights of the user ID that can act as a surrogate for uuuuuuuu.
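Because the RDEFINE and PERMIT commands above are repeated once per user ID and must be followed by the RACLIST REFRESH before the RLIST check is meaningful, it helps to assemble the whole command stream for a list of user IDs before typing anything into TSO. The following Python script is an added example and is not part of the Connect:Direct documentation: it only generates the RACF commands shown in this procedure, in the prescribed order, for review (it submits nothing to RACF). The user ID syntax check is a simplified rule assumed here, the DTF user ID CDIRECT is the one the page uses, and the client user IDs are constructed sample values.

```python
import re

# Simplified RACF user ID syntax assumed for this example: 1 to 8 characters,
# first character alphabetic or national (# $ @), the rest alphanumeric or national.
USERID_RE = re.compile(r"^[A-Z#$@][A-Z0-9#$@]{0,7}$")


def is_valid_userid(userid: str) -> bool:
    """Return True if userid (case-insensitive) matches the assumed RACF syntax."""
    return bool(USERID_RE.match(userid.strip().upper()))


def normalize_userid(userid: str) -> str:
    """Upper-case a user ID and reject anything outside the assumed syntax."""
    if not is_valid_userid(userid):
        raise ValueError(f"not a valid RACF user ID: {userid!r}")
    return userid.strip().upper()


def surrogat_commands(dtf_userid, client_userids, use_raclist=True, generic=False):
    """Build the RACF command stream for the SURROGAT procedure above.

    dtf_userid     - the DTF user ID that will act as surrogate (CDIRECT on the page)
    client_userids - user IDs that may be processed without a password
    use_raclist    - also emit SETROPTS RACLIST and the final REFRESH
    generic        - define the single generic profile BPX.SRV.* instead of one
                     discrete profile per user ID
    The commands are returned in the order the procedure prescribes; nothing is
    submitted to RACF.
    """
    dtf = normalize_userid(dtf_userid)
    # Normalize and de-duplicate while preserving the order given.
    clients = list(dict.fromkeys(normalize_userid(u) for u in client_userids))
    if not generic and not clients:
        raise ValueError("no client user IDs given and generic profile not requested")

    # BPX.SRV.* lets the DTF user act as surrogate for every user ID on the system,
    # so it is a far broader grant than a discrete profile per user: prefer the
    # per-user profiles unless the generic scope is really intended.
    profiles = ["BPX.SRV.*"] if generic else [f"BPX.SRV.{u}" for u in clients]

    cmds = ["SETROPTS CLASSACT(SURROGAT)"]            # activate the class
    if use_raclist:
        cmds.append("SETROPTS RACLIST(SURROGAT)")     # cache profiles in storage
    for p in profiles:                                # one profile per user ID
        cmds.append(f"RDEFINE SURROGAT {p} UACC(NONE)")
    for p in profiles:                                # let the DTF user be surrogate
        cmds.append(f"PERMIT {p} CLASS(SURROGAT) ID({dtf}) ACCESS(READ)")
    if use_raclist:                                   # make the changes effective now
        cmds.append("SETROPTS RACLIST(SURROGAT) REFRESH")
    for p in profiles:                                # verification step
        cmds.append(f"RLIST SURROGAT {p} AUTHUSER")
    return cmds


if __name__ == "__main__":
    # Constructed sample: DTF user CDIRECT and two client user IDs.
    for line in surrogat_commands("CDIRECT", ["user1", "USER2"]):
        print(line)
```

Run the script to see the command stream for the sample user IDs; pass `generic=True` to see the single BPX.SRV.* variant. Keeping the RLIST commands at the end of the generated stream mirrors the page: they are only informative after the REFRESH has taken effect.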
CAUTION:
Be aware of the REMOTE.DUMMY.PASSWORD and Adjacent Node settings for Node to Node communication.
SAFB022I – DGADABMB - Dummy password usage by Adjacent Node rejected.
An attempt was made by an Adjacent Node to use a dummy password to authorize access to the Connect:Direct local node. If the Init Parm REMOTE.DUMMY.PASSWORD setting is INTERNAL, only Adjacent Nodes having the INTERNAL attribute in the Netmap may use a dummy password for this purpose.