Program Control authorization

Remote Systems Explorer (RSE) is the z/OS® Explorer component that provides core services such as connecting the client to the host. It must run program controlled in order to perform tasks such as switching to the user ID of the client.

The z/OS UNIX program control bit is set during SMP/E install where needed, except for the Java™ interface to your security product, as documented in Security considerations. This permission bit might get lost if you did not preserve it during a manual copy of the z/OS Explorer directories.

The following z/OS Explorer files must be program controlled:

/usr/lpp/IBM/zexpl/bin
- fekfdivp
- fekfomvs
- fekfrivp
/usr/lpp/IBM/zexpl/lib/
- fekfdir.dll
- fekfdir64.dll
- libfekdcore.so
- libfekdcore64.so
- libfekfmain.so
- libfekfmain64.so
- librseapicore.so
- librseapicore64.so
/usr/lpp/IBM/zexpl/lib/icuc/
- libicudata.dll
- libicudata50.1.dll
- libicudata50.dll
- libicudata64.50.1.dll
- libicudata64.50.dll
- libicudata64.dll
- libicuuc.dll
- libicuuc50.1.dll
- libicuuc50.dll
- libicuuc64.50.1.dll
- libicuuc64.50.dll
- libicuuc64.dll

Use z/OS UNIX command ls –E to list the extended attributes, in which the program control bit is marked with the letter p, as shown in the following sample ($ is the z/OS UNIX prompt):

$ cd /usr/lpp/IBM/zexpl
$ ls –E lib/fekf*
–rwxr–xr–x  –ps–  2 user     group      94208 Jul  8 12:31 lib/fekfdir.dll

Use z/OS UNIX command extattr +p to set the program control bit manually, as shown in the following sample ($ and # are the z/OS UNIX prompt):

$ cd /usr/lpp/IBM/zexpl
$ su
# extattr +p lib/fekf*
# exit
$ ls –E lib/fekf*
–rwxr–xr–x  –ps–  2 user     group      94208 Jul  8 12:31 lib/fekfdir.dll

Note: To be able to use the extattr +p command, you must have at least READ access to the BPX.FILEATTR.PROGCTL profile in the FACILITY class of your security software, or be a superuser (UID 0) if this profile is not defined. For more information, refer to UNIX System Services Planning (GA22-7800).