Security on z/OS systems

When you install Jazz® Team Server and the other IBM Engineering Lifecycle Management applications on z/OS systems, several tasks are required to make the Engineering Lifecycle Management functions secure and available.

These instructions are intended for people who are installing a combination of the Jazz Team Server, any of the Engineering Lifecycle Management applications, the Engineering Workflow Management Build System Toolkit, and the Rational Build Agent on z/OS.

When you are setting up security for an installation on z/OS, include these topics in your planning:
Data set protection
Security is needed for z/OS data sets that are associated with Jazz Team Server, the Engineering Lifecycle Management applications, the Engineering Workflow Management Build System Toolkit, and Rational Build Agent.
RACF general resource profiles, GROUPs, and USERs
Several Resource Access Control Facility (RACF) resources must be configured in order to use the Engineering Lifecycle Management components on z/OS.
z/OS UNIX System Services directory protection
To install and configure the Engineering Lifecycle Management components on z/OS, you use three main directories and associated subdirectories that need appropriate user and group-level permissions:
  1. Product binary files: Installed by SMP/E, typically to a directory such as /usr/lpp/jazz/v7.0.3
  2. Configuration directories: Created by running sample configuration jobs to create and populate a directory such as /etc/jazz703
  3. Working directories: Created by running sample configuration jobs to create and populate a directory such as /u/jazz703
Database access
If you are running Jazz Team Server and Engineering Lifecycle Management applications on z/OS, you must provide access from the server to Db2® z/OS databases for the applications and data warehouse.
Started tasks
Started tasks and associated user IDs can be defined for use with the IBM WebSphere® Liberty server profile, the daemon used to support the ISPF client, and Rational Build Agent.
Additional server profile requirements and EJBROLEs
If you are running the server on z/OS, additional RACF requirements are defined, as well as RACF EJBROLEs to control user access.
Three sample members are provided from the hlq.SBLZSAMP library, where hlq is the high-level qualifier that was specified during the SMP/E installation:
  • BLZRACFL: This sample member is intended for use when you also plan to use IBM WebSphere Liberty on z/OS as the application server, and is installed with HRWL703.
  • BLZRACFT: This sample member is for the Build System Toolkit and Rational Build Agent, and is installed with SMP/E FMID HRBT703.
You can customize these sample members and submit the jobs to perform the RACF updates.
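For the z/OS UNIX System Services directory protection topic above, a permission audit over the three directory trees can confirm the result after the configuration jobs have run. This is an added example, not IBM-supplied code; the function names and the policy it enforces (no world-writable entries, no group-writable product binary files, one expected group on the configuration and working trees) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: permission audit for the three ELM directory trees on z/OS UNIX.
# The policy is an assumption for illustration, not IBM's documented requirement:
#   - nothing in any tree is writable by "other"
#   - the product binary tree is not group-writable either
#   - configuration and working trees belong to one expected group

# check LABEL DIR FIND-EXPRESSION...
# Prints "LABEL path" for every file or directory that matches; returns 1 on any match.
check() {
    label=$1 dir=$2
    shift 2
    hits=$(find "$dir" \( -type f -o -type d \) "$@" -print)
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits" | sed "s|^|$label |"
    return 1
}

# audit_elm_dirs BIN_DIR CFG_DIR WORK_DIR GROUP
# Return status is the number of failed checks (0 means the trees pass the policy).
audit_elm_dirs() {
    bin_dir=$1 cfg_dir=$2 work_dir=$3 grp=$4
    failed=0
    for d in "$bin_dir" "$cfg_dir" "$work_dir"; do
        [ -d "$d" ] || { echo "MISSING $d"; failed=$((failed + 1)); continue; }
        check WORLD-WRITABLE "$d" -perm -0002 || failed=$((failed + 1))
    done
    if [ -d "$bin_dir" ]; then
        check GROUP-WRITABLE "$bin_dir" -perm -0020 || failed=$((failed + 1))
    fi
    for d in "$cfg_dir" "$work_dir"; do
        if [ -d "$d" ]; then
            check WRONG-GROUP "$d" '!' -group "$grp" || failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Example call with the sample paths from this page (the group name is yours):
#   sh audit.sh /usr/lpp/jazz/v7.0.3 /etc/jazz703 /u/jazz703 GROUPNAME
if [ "$#" -eq 4 ]; then
    audit_elm_dirs "$@"
    exit $?
fi
```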
The security considerations for your deployment vary based on which components you installed. Depending on your setup, see one or more of these topics: