Define the RSEAPI started tasks
The following sample RACF® commands create the RSEAPI started task, with a protected user ID (STCAPI) and the STCGROUP group assigned to it.
ADDGROUP STCGROUP OMVS(AUTOGID) DATA('GROUP WITH OMVS SEGMENT FOR STARTED TASKS')
ADDUSER STCAPI DFLTGRP(STCGROUP) NOPASSWORD NAME('RSE API') OMVS(AUTOUID HOME(/tmp) PROGRAM(/bin/sh) ASSIZEMAX(2147483647)) DATA('IBM Remote System Explorer API (RSE API)')
RDEFINE STARTED RSEAPI.* DATA('ZEXPL – RSE API') STDATA(USER(STCAPI) GROUP(STCGROUP) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH
- The sample commands assume that the setup for the requisite product IBM Explorer for z/OS (FMID HALGxxx) is already completed.
- Ensure that the started task user IDs are protected by specifying the NOPASSWORD keyword.
- Ensure that RSE API has a unique OMVS uid, because of the z/OS® UNIX related privileges granted to this uid.
- RSE API requires a large address space size (2GB) for proper operation. Set this value in the ASSIZEMAX variable of the OMVS segment for user ID STCAPI. Setting this value ensures that RSE API gets the required region size, regardless of changes to MAXASSIZE in SYS1.PARMLIB(BPXPRMxx).
- RSE API also requires a large number of threads for proper operation. You can set the limit in the THREADSMAX variable of the OMVS segment for user ID STCAPI. Setting the limit ensures that RSE API gets the required thread limit, regardless of changes to MAXTHREADS or MAXTHREADTASKS in SYS1.PARMLIB(BPXPRMxx).
The following sample RACF command makes the STCAPI user ID restricted. Users with the RESTRICTED attribute cannot access protected (MVS) resources that they are not specifically authorized to access.
ALTUSER STCAPI RESTRICTED
To ensure that restricted users do not gain access to z/OS UNIX file system resources through the "other" permission bits, define the RESTRICTED.FILESYS.ACCESS profile in the UNIXPRIV class with UACC(NONE). For more information about restricting user IDs, see Security Server RACF Security Administrator's Guide (SA22-7683).
Attention: If you use restricted user IDs, explicitly add the permission to access a resource by using the TSO PERMIT or the z/OS UNIX setfacl commands. The resources include those where the RSE API documentation uses UACC(READ), or where it relies on common z/OS UNIX conventions, such as everyone having read and execute permission for Java™ libraries. Test the access before activating it on a production system.
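The following batch job is an added example and is not part of the product documentation: it applies the RESTRICTED attribute, closes the "other" permission-bit path with RESTRICTED.FILESYS.ACCESS, and then hands the specific access back explicitly with PERMIT and setfacl, as the Attention note requires. The job account ACCT, the dataset profile HLQ.RSEAPI.**, and the directory /usr/lpp/java/current/lib are placeholders that you replace with the values the RSE API documentation gives UACC(READ) or relies on in your installation.

```jcl
//RACFRST  JOB (ACCT),'RESTRICT STCAPI',CLASS=A,MSGCLASS=X
//* Added example, not from the RSE API documentation.
//* Step RACF: make STCAPI restricted and stop restricted users from
//* relying on the z/OS UNIX "other" bits, then grant explicit access.
//* Placeholders: ACCT, HLQ.RSEAPI.** (a dataset profile the
//* documentation gives UACC(READ)), /usr/lpp/java/current/lib.
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER STCAPI RESTRICTED
  RDEFINE UNIXPRIV RESTRICTED.FILESYS.ACCESS UACC(NONE)
  SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)
  SETROPTS RACLIST(UNIXPRIV) REFRESH
  PERMIT 'HLQ.RSEAPI.**' CLASS(DATASET) ID(STCAPI) ACCESS(READ)
  SETROPTS GENERIC(DATASET) REFRESH
  LISTUSER STCAPI
  RLIST UNIXPRIV RESTRICTED.FILESYS.ACCESS AUTHUSER
/*
//* Step ACL: an explicit z/OS UNIX ACL entry replaces the read and
//* execute "other" bits that a restricted user can no longer use.
//ACL      EXEC PGM=BPXBATCH,
// PARM='SH setfacl -m user:STCAPI:r-x /usr/lpp/java/current/lib'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
```

The LISTUSER and RLIST output at the end of the RACF step is the check to read before moving to production: STCAPI must show RESTRICTED, and the UNIXPRIV profile must show UACC NONE. The ACL entry covers only the named directory; every file or directory the user needs that depended on "other" bits needs its own entry (getfacl shows what is in place), which is why the documentation asks you to test access before activating the restriction.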
Execute as user job
RSE API servers verify that they are started as started tasks. This allows you to use the standard security profiles for operator commands to ensure that only authorized users can start them. If access to console commands is restricted, the user requires console access and UPDATE permission to the profile MVS.START.STC.mbrname.** in the OPERCMDS class.
For more information on operator command protection, see Security Server RACF® Security Administrator's Guide (SA22-7683).
Server | Default class | Profile | Permission |
---|---|---|---|
RSE API server | FACILITY | HUH.START.BATCH.jobname.port | READ |

Name | Substitution |
---|---|
jobname | Name of the job |
port | Server port number |
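As an added example that is not part of the product documentation, the following job defines both profiles this section describes with no default access and grants them to one group, so that starting RSE API, whether as a started task or as a user job, is an explicit decision in RACF. The member name RSEAPI, the job name RSEAPI1, the port 6800, the group RSEADMIN and the account ACCT are placeholders chosen for illustration; substitute your own values, and note that the generic profile names assume generic profile checking is active for OPERCMDS and FACILITY.

```jcl
//RACFRUN  JOB (ACCT),'RSEAPI START AUTH',CLASS=A,MSGCLASS=X
//* Added example, not from the RSE API documentation.
//* Placeholders: ACCT, RSEAPI (started task member name),
//* RSEAPI1 (job name), 6800 (server port), RSEADMIN (group).
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE OPERCMDS MVS.START.STC.RSEAPI.** UACC(NONE)
  PERMIT MVS.START.STC.RSEAPI.** CLASS(OPERCMDS) -
     ID(RSEADMIN) ACCESS(UPDATE)
  SETROPTS RACLIST(OPERCMDS) REFRESH
  RDEFINE FACILITY HUH.START.BATCH.RSEAPI1.6800 UACC(NONE)
  PERMIT HUH.START.BATCH.RSEAPI1.6800 CLASS(FACILITY) -
     ID(RSEADMIN) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST OPERCMDS MVS.START.STC.RSEAPI.** AUTHUSER
  RLIST FACILITY HUH.START.BATCH.RSEAPI1.6800 AUTHUSER
/*
```

The trailing `-` on the PERMIT lines is the TSO continuation character, which keeps each record inside the 72 columns that IKJEFT01 reads from SYSTSIN. The two RLIST commands at the end print the access list of each profile, so the job log itself shows that only RSEADMIN holds UPDATE on the operator command profile and READ on the FACILITY profile; because both profiles are RACLISTed, the REFRESH after each PERMIT is what makes the change take effect.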