Prerequisites and security considerations

Edit online

To submit JCL to the Job Monitor, the Job Monitor must be running on the same system as the build agent.

When JCL is submitted using the build agent and Job Monitor, you can control what user the JCL is submitted under by whether the build agent is started by a super user or non-super user and by which configuration parameters you use in bfagent.conf.

The following bfagent.conf parameters apply to JCL submission:
  • jcl_submit_user
  • job_monitor_port
  • enable_credential_retention

To configure the communication between the Job Monitor and the build agent, you can use either the jcl_submit_user parameter or the enable_credential_retention parameter and thejob_monitor_port parameter set to appropriate values in the bfagent.conf configuration file.

The jcl_submit_user parameter provides a single set of credentials that will be used by Job Monitor when you submit jobs to JES. Add the following line to the bfagent.conf file:
jcl_submit_user userid:encrypted_password
where userid is the system ID of the user submitting jobs, and encrypted_password is an encrypted version of that user password. You can find the encrypted form of the password by running the following line at the z/OS® UNIX System Services command prompt:
bfagent –e password
where password is the password to be encrypted. The command will print a text string containing the encrypted value. The result will be similar to the following:
050405aaeb43166a00f763716b989f26651e2448ce309b72680a
The job_monitor_port parameter specifies the port with which Job Monitor is communicating. Add the following line to the bfagent.conf file:
job_monitor_port XXXX
where XXXX is the Job Monitor port. This port should match your SERV_PORT setting for Job Monitor, which is set to 6716 in the hlq.SBLZSAMP(BLZJNCFG) file, or it should match your existing IBM® Developer for z/OS Job Monitor port.

If you want to be able to submit JCL with the credentials of different users, use the enable_credential_retention option instead of jcl_submit_user. When the enable_credential_retention bfagent.conf option is enabled the agent reuses the credentials used to authenticate with the agent when the agent authenticates with the Job Monitor. Individual users can submit JCL builds under their authority by using the Build Agent Authentication Overrides options when submitting the build. To use the enable_credential_retention option, the build agent must be started by a super user.

If you have both enable_credential_retention and jcl_submit_user enabled, then jcl_submit_user takes precedence. In either case, you can still explicitly specify the user ID and password using the -u option to .submitJCL.

For submitting JCL, the user ID and password used to authenticate with the Job Monitor will be determined in the following order:
  1. -u option to .submitJCL, specified as: 
    -u userid:password
  2. jcl_submit_user data in bfagent.conf
  3. Credentials used to authenticate with the agent either listed on the Build Agent tab of the build engine definition or from the Build Agent Authentication Overrides if enable_credential_retention is enabled in bfagent.conf
If the build agent is started by a super user:
  • The build agent definition can use a super user or non-super user
  • The priority for evaluating JCL submission is:
    1. -u user specified
    2. jcl_submit_user
    3. enable_credential_retention
  • The enable_credential_retention will allow you to override the user using Build Agent Authentication Overrides
If the build agent is started by a non-super user:
  • You can use -u and jcl_submit_user
  • If you enable magic_login and enable_credential_retention, JCL will run under the magic_login user but you cannot override