Define the z/OS Explorer started tasks

The following sample RACF® commands create the JMON and RSED started tasks, with protected user IDs (STCJMON and STCRSE) and the STCGROUP group assigned to them.

  • ADDGROUP STCGROUP OMVS(AUTOGID)
    DATA('GROUP WITH OMVS SEGMENT FOR STARTED TASKS')
  • ADDUSER STCJMON DFLTGRP(STCGROUP) NOPASSWORD NAME('JES JOBMONITOR')
    OMVS(AUTOUID HOME(/tmp) PROGRAM(/bin/sh) )
    DATA('IBM Explorer for z/OS')  
  • ADDUSER STCRSE DFLTGRP(STCGROUP) NOPASSWORD NAME('RSE DAEMON') 
    OMVS(AUTOUID HOME(/tmp) PROGRAM(/bin/sh) ASSIZEMAX(2147483647) ) 
    DATA('IBM Explorer for z/OS')
  • RDEFINE STARTED JMON.* DATA('JES JOBMONITOR')
    STDATA(USER(STCJMON) GROUP(STCGROUP) TRUSTED(NO))
  • RDEFINE STARTED RSED.* DATA('RSE DAEMON')
    STDATA(USER(STCRSE) GROUP(STCGROUP) TRUSTED(NO))
  • SETROPTS RACLIST(STARTED) REFRESH
Note:
  • Ensure that the started task user IDs are protected by specifying the NOPASSWORD keyword.
  • Ensure that the RSE daemon has a unique OMVS UID, because of the z/OS® UNIX related privileges that are granted to this UID.
  • RSE daemon requires a large address space size (2GB) for proper operation. Set this value in the ASSIZEMAX variable of the OMVS segment for user ID STCRSE. Setting this value ensures that RSE daemon gets the required region size, regardless of changes to MAXASSIZE in SYS1.PARMLIB(BPXPRMxx).
  • RSE also requires a large number of threads for proper operation. You can set the limit in the THREADSMAX variable of the OMVS segment for user ID STCRSE. Setting the limit ensures that RSE gets the required thread limit, regardless of changes to MAXTHREADS or MAXTHREADTASKS in SYS1.PARMLIB(BPXPRMxx). To determine the correct value for the thread limit, see "Tuning considerations" in the Host Configuration Reference Guide (SC27-8438).
  • User ID STCJMON is another good candidate for setting THREADSMAX in the OMVS segment, because JES Job Monitor uses a thread per client connection.
Consider making the STCRSE user ID restricted. Users with the RESTRICTED attribute cannot access protected (MVS) resources that they are not specifically authorized to access.
ALTUSER STCRSE RESTRICTED

To ensure that restricted users do not gain access to z/OS UNIX file system resources through the “other” permission bits, define the RESTRICTED.FILESYS.ACCESS profile in the UNIXPRIV class with UACC(NONE). For more information about restricting user IDs, see Security Server RACF Security Administrator's Guide (SA22-7683).

Attention: If you use restricted user IDs, explicitly add the permission to access a resource by using the TSO PERMIT or the z/OS UNIX setfacl commands. The resources include those resources where the z/OS Explorer documentation uses UACC(READ), such as the ** profile in the PROGRAM class, or where it relies on common z/OS UNIX conventions, such as everyone having read and execute permission for Java™ libraries. Test the access before activating it on a production system.

Execute as user job

RSE API servers verify that they are started as started tasks. This allows you to use the standard security profiles for operator commands to ensure that only authorized users can start them. If access to console commands is restricted, the user requires console access and UPDATE permission to profile MVS.START.STC.mbrname.** in the OPERCMDS class.

For more information on operator command protection, see Security Server RACF® Security Administrator's Guide (SA22-7683).

A server can also be started as a batch job if the user ID used to run the server has explicit permission to the related profile documented in Table 1.

Table 1. Server batch startup profile
  Server   Default class   Profile                        Permission
  server   FACILITY        HUH.START.BATCH.jobname.port   READ

Table 2. Substitution
  Name      Substitution
  jobname   Name of the job
  port      Server port number

Note: Servers assume that a user has no access authorization when the security software indicates that it cannot determine whether the user is authorized to a profile, for example when the profile is not defined.

Although it is recommended to run JES Job Monitor as a started task, it can also run as a user job. When it is not active as a started task, JES Job Monitor queries your security product for explicit permission to start.

Table 3. JMON batch startup profile
  Security profile               Required access
  FEJ.START.BATCH.jobname.port   READ

Table 4. Substitutions
  Name      Substitution
  jobname   Name of the job
  port      Port number (SERV_PORT in FEJJCNFG)

The security class in which this profile resides can be specified with the SAF_CLASS variable in the FEJJCNFG configuration file; the default is FACILITY. When the profile is not defined or the class is not active, permission is denied and batch startup fails.

Use the following sample RACF commands to allow user ID IBMUSER to start JES Job Monitor in batch with job name JMON and port 6715:
  • RDEFINE FACILITY FEJ.START.BATCH.JMON.6715 UACC(NONE) DATA('start JMON in batch')
  • PERMIT FEJ.START.BATCH.JMON.6715 CLASS(FACILITY) ACCESS(READ) ID(IBMUSER)
  • SETROPTS RACLIST(FACILITY) REFRESH

Although it is recommended to run the RSE daemon as a started task, it can also run as a user job. When it is not active as a started task, the RSE daemon queries your security product for explicit permission to start.

Table 5. RSED batch startup profile
  Security profile               Required access
  FEK.START.BATCH.jobname.port   READ

Table 6. Substitutions
  Name      Substitution
  jobname   Name of the job
  port      Port number (_RSE_RSED_PORT in rse.env)

The security class in which this profile resides can be specified with the _RSE_FEK_SAF_CLASS variable in the rse.env configuration file; the default is FACILITY. When the profile is not defined or the class is not active, permission is denied and batch startup fails.

Use the following sample RACF commands to allow user ID STCRSE to start RSE daemon in batch with job name RSED and port 4035:

  • RDEFINE FACILITY FEK.START.BATCH.RSED.4035 UACC(NONE) DATA('start RSED in batch')
  • PERMIT FEK.START.BATCH.RSED.4035 CLASS(FACILITY) ACCESS(READ) ID(STCRSE)
  • SETROPTS RACLIST(FACILITY) REFRESH
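The following is an added example, not IBM's code or part of this page: a small Python model of the SAF decision that a batch-started JES Job Monitor or RSE daemon depends on, built from the rules stated above (READ on prefix.START.BATCH.jobname.port in the configured class; an undefined profile or inactive class is treated as no access). The generic-profile matching and the "most specific profile wins" choice are simplifications of RACF's behaviour, and the SAF database is constructed from the sample RDEFINE/PERMIT commands on this page.

```python
# Added example (not IBM code): model of the batch-startup SAF check this page
# describes. Default deny applies whenever the security product cannot decide.
import fnmatch
from dataclasses import dataclass, field

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Profile:
    name: str                                    # discrete or generic profile name
    uacc: str = "NONE"                           # universal access
    permits: dict = field(default_factory=dict)  # user ID -> access level

def covers(pattern, resource):
    """RACF-style generic matching on dot-separated qualifiers:
    '%' = one character, '*' = rest of one qualifier, '**' = zero or more qualifiers."""
    def walk(pq, rq):
        if not pq:
            return not rq
        if pq[0] == "**":
            return any(walk(pq[1:], rq[i:]) for i in range(len(rq) + 1))
        return (bool(rq)
                and fnmatch.fnmatchcase(rq[0], pq[0].replace("%", "?"))
                and walk(pq[1:], rq[1:]))
    return walk(pattern.split("."), resource.split("."))

def check_batch_start(db, saf_class, user, prefix, jobname, port):
    """Return (allowed, reason). db maps class name -> {"active": bool, "profiles": [...]}.
    Undefined profile or inactive class is 'cannot decide' and therefore denied."""
    resource = f"{prefix}.START.BATCH.{jobname}.{port}"
    cls = db.get(saf_class)
    if cls is None or not cls["active"]:
        return False, f"class {saf_class} not active: cannot decide, treated as no access"
    matches = [p for p in cls["profiles"] if covers(p.name, resource)]
    if not matches:
        return False, f"no profile covers {resource}: treated as no access"
    # Most specific wins: fewest wildcard characters approximates RACF's ordering.
    best = min(matches, key=lambda p: sum(p.name.count(c) for c in "*%"))
    level = best.permits.get(user, best.uacc)
    allowed = ACCESS_RANK[level] >= ACCESS_RANK["READ"]
    return allowed, f"{best.name} grants {user} {level}"

# Constructed SAF database mirroring the sample RDEFINE/PERMIT commands on this page.
SAF_DB = {
    "FACILITY": {"active": True, "profiles": [
        Profile("FEJ.START.BATCH.JMON.6715", permits={"IBMUSER": "READ"}),
        Profile("FEK.START.BATCH.RSED.4035", permits={"STCRSE": "READ"}),
    ]},
}
```

Calling check_batch_start(SAF_DB, "FACILITY", "STCRSE", "FEK", "RSED", 4036) returns a denial because no profile covers port 4036, which is the failure mode to expect when a port is changed in rse.env without a matching RDEFINE.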