Activate the security settings and classes

z/OS® Explorer uses a variety of security mechanisms to ensure a secure and controlled host system environment for the client. For these mechanisms to work, several classes and security settings must be active, as shown with the following sample RACF® commands:
  • Display current settings
    • SETROPTS LIST
  • Activate facility class for z/OS UNIX and digital certificate profiles
    • SETROPTS GENERIC(FACILITY)
    • SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
  • Activate started task definitions
    • SETROPTS GENERIC(STARTED)
    • RDEFINE STARTED ** STDATA(USER(=MEMBER) GROUP(STCGROUP) TRACE(YES))
    • SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
  • Activate console security for JES Job Monitor
    • SETROPTS GENERIC(CONSOLE)
    • SETROPTS CLASSACT(CONSOLE) RACLIST(CONSOLE)
  • Activate operator command protection for JES Job Monitor
    • SETROPTS GENERIC(OPERCMDS)
    • SETROPTS CLASSACT(OPERCMDS) RACLIST(OPERCMDS)
  • Activate z/OS UNIX file access permission for RSE
    • SETROPTS GENERIC(UNIXPRIV)
    • SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)
  • Activate application protection for RSE
    • SETROPTS GENERIC(APPL)
    • SETROPTS CLASSACT(APPL) RACLIST(APPL)
  • Activate secured signon using PassTickets for RSE
    • SETROPTS GENERIC(PTKTDATA)
    • SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
  • Activate ICSF usage permission for cryptographic administrator
    • SETROPTS GENERIC(CRYPTOZ)
    • SETROPTS CLASSACT(CRYPTOZ) RACLIST(CRYPTOZ)
  • Activate SAF JSON Web Token (JWT) definitions for usage by RSE
    • SETROPTS GENERIC(IDTDATA)
    • SETROPTS CLASSACT(IDTDATA) RACLIST(IDTDATA)
  • Activate program control to ensure that only trusted code can be loaded by RSE
    • RDEFINE PROGRAM ** ADDMEM('SYS1.CMDLIB'//NOPADCHK) UACC(READ)
    • SETROPTS WHEN(PROGRAM)
      Note: Do not create the ** profile if you already have a * profile in the PROGRAM class. Having both obscures and complicates the search path used by the security software. In this case, you must merge the existing * and the new ** definitions. Use the ** profile, as documented in Security Server RACF Security Administrator's Guide (SA22-7683).
      Attention: Some products, such as FTP, must be program controlled when "WHEN PROGRAM" is active. Test this program control before activating it on a production system.
  • (Optional) Activate X.509 HostIdMappings and extended Port Of Entry (POE) support
    • SETROPTS GENERIC(SERVAUTH)
    • SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
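
After running the commands above, the result can be verified from captured SETROPTS LIST output. The following checker is an added example, not part of the product documentation: the section headings, the column-1 heading layout with indented continuation lines, and the NOWHEN(PROGRAM) attribute text are assumptions about the listing format, and SAMPLE is constructed.

```python
import re

# Classes the page activates with GENERIC, CLASSACT and RACLIST (optional SERVAUTH omitted).
REQUIRED = ["FACILITY", "STARTED", "CONSOLE", "OPERCMDS", "UNIXPRIV",
            "APPL", "PTKTDATA", "CRYPTOZ", "IDTDATA"]
# Assumed SETROPTS LIST section headings; adjust if your system prints them differently.
HEADINGS = ["ACTIVE CLASSES", "GENERIC PROFILE CLASSES", "SETR RACLIST CLASSES"]

# Constructed sample listing, not output from a real system.
SAMPLE = """\
ATTRIBUTES = INITSTATS NOWHEN(PROGRAM) TERMINAL(READ) SAUDIT CMDVIOL
             OPERAUDIT
ACTIVE CLASSES = DATASET USER GROUP APPL CONSOLE FACILITY OPERCMDS
                 PTKTDATA STARTED UNIXPRIV
GENERIC PROFILE CLASSES = DATASET APPL CONSOLE FACILITY OPERCMDS PTKTDATA
                          STARTED UNIXPRIV CRYPTOZ IDTDATA
SETR RACLIST CLASSES = APPL FACILITY OPERCMDS PTKTDATA STARTED UNIXPRIV
"""

def parse_setropts(text):
    """Map each 'HEADING = values' section to its text, joining wrapped lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Z][A-Z0-9 ]*?) = (.*)$", line)
        if m:  # heading in column 1 opens a new section
            current = m.group(1)
            sections[current] = m.group(2).strip()
        elif current and line.startswith(" ") and line.strip():
            sections[current] += " " + line.strip()  # indented continuation
        else:
            current = None
    return sections

def check(text, required=REQUIRED):
    """Return sorted findings; an empty list means every setting is in place."""
    sections = parse_setropts(text)
    findings = []
    for heading in HEADINGS:
        present = set(sections.get(heading, "").split())
        findings += [f"{cls}: not in {heading}" for cls in required
                     if cls not in present]
    # Program control counts as active only if WHEN(PROGRAM is not prefixed by NO.
    if not re.search(r"(?<!NO)WHEN\(PROGRAM", sections.get("ATTRIBUTES", "")):
        findings.append("WHEN(PROGRAM) is not active")
    return sorted(findings)

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```

A class that is GENERIC but missing from the active or RACLIST sections, as CRYPTOZ and IDTDATA are in the sample, indicates that the second command of its pair was not run.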