Program Control authorization
The RSEAPI server requires the z/OS® Explorer components and its specific security components that provide core services such as server startup security profile check, client authentication, and specific services operation on the host. It must run program controlled to be able to perform tasks such as switching to the user ID of the client.
The z/OS UNIX program control bit is set during SMP/E install where needed, except for the Java™ interface to your security product, as documented in Security considerations. This permission bit might get lost if you did not preserve it during a manual copy of the z/OS Explorer directories.
/usr/lpp/IBM/rseapi/tomcat.base/binfekfomvs
/usr/lpp/IBM/rseapi/tomcat.base/lib/fekfdir64.dlllibfekdcore64.solibfekfmain64.solibrseapicore64.so
Use z/OS
UNIX command ls –E to list the extended
attributes, in which the program control bit is marked with the letter p, as shown
in the following sample ($ is the z/OS
UNIX prompt):
$ cd /usr/lpp/IBM/rseapi/tomcat.base/bin
$ ls –E fekfomvs
-rwxr-xr-x aps- ... fekfomvs
$ cd /usr/lpp/IBM/rseapi/tomcat.base/lib
$ ls -E *.so *.dll
-rwxr-xr-x -ps- ... fekfdir64.dll
-rwxr-xr-x -ps- ... libfekdcore64.so
-rwxr-xr-x -ps- ... libfekfmain64.so
-rwxr-xr-x -ps- ... librseapicore64.so
$ cd /usr/lpp/IBM/rseapi/tomcat.base/bin
$ su
# extattr +ap fekfomvs
# exit
$ ls –E fekfomvs
-rwxr-xr-x aps- fekfomvs
BPX.FILEATTR.PROGCTL profile in the FACILITY class of your
security software, or be a superuser (UID 0) if this profile is not defined. For more information,
refer to UNIX System Services Planning
(GA22-7800).