Defining IMS Connect security

Properly defining security for IMS Connect using RACF®, and assigning IMS Connect z/OS® UNIX System Services superuser privileges ensures that IMS Connect can open ports.

You can start IMS Connect as a job or as a procedure. If the data store (which is IMS) is RACF-protected, you have to start IMS Connect as a job with the JOB statement specifying a valid USERID to make the connection from IMS Connect to IMS, or you can use the RACF-started procedure table. The USERID=&userid parameter specified in the JOB card of the IMS Connect job JCL is used as the security vehicle to ensure IMS Connect access to IMS. &USERID must have READ access to IMSXCF.group.member. IMS OTMA provides security for the IMS z/OS cross-system coupling facility connection by defining and permitting IMSXCF.group.member in the RACF FACILITY class.

The IMS Connect MAXSOC parameter is related to the MAXFILEPROC parameter of UNIX System Services, which can be overridden by the FILEPROCMAX field of the OMVS segment of a user’s profile. The values of MAXSOC and MAXFILEPROC must be compatible. If the values of each parameter are not compatible, IMS Connect cannot open any ports.

You can ensure the compatibility between MAXSOC and MAXFILEPROC by using one of the following methods:
  1. The recommended method is to use the ALTUSER command to assign the desired value to the FILEPROCMAX field of the OMVS segment of the user ID that is used to start IMS Connect.
    For example, the user ID USRID01 (not a super user) is used to start IMS Connect with MAXSOC=20000. MAXFILEPROC=999 is set in the BPXPRMxx member of the z/OS SYS1.PARMLIB data set. Since MAXSOC is greater than MAXFILEPROC, IMS Connect would fail to open any of its ports. To avoid this failure, specify FILEPROCMAX with a value at least equal to MAXSOC by using the following command: 
    ALTUSER USRID01 OMVS(FILEPROCMAX(20000))
    The new FILEPROCMAX=20000 specification overrides the MAXFILEPROC=999 for user ID USRID01.

    For more information about the ALTUSER (Alter user profile) command, see ALTUSER (Alter user profile).

  2. Before you start IMS Connect, make sure the value that is specified for MAXSOC is less than or equal to the value of MAXFILEPROC. Alternatively, your UNIX System Services administrator can directly adjust the value of MAXFILEPROC in the BPXPRMxx member of the z/OS SYS1.PARMLIB data set.
  3. This option is no longer recommended but is retained for historical purposes. You could grant UNIX System Services superuser privileges to IMS Connect by using the RACF command ALTERUSER to assign an OMVS segment with a UID of 0 to the user ID of the IMS Connect started task.
Related reading: For more details about OTMA and IMS Connect security, see IMS Version 15.4 Communications and Connections.