Enabling security validation on a z/OS hub

If security validation is enabled on a z/OS® hub monitoring server, Tivoli Enterprise Portal user IDs and valid passwords must be defined to the security system used by the Tivoli Enterprise Monitoring Server.

A hub Tivoli Enterprise Monitoring Server running on z/OS validates user IDs and passwords using either the product-provided security feature, Network Access Method (NAM), or one of the following system authorization facility products:
  • RACF®
  • CA-ACF2
  • CA-TOP SECRET

Before you begin

Before you enable security, your security administrator must define to the selected security system each logon ID that will be allowed to access the Tivoli Enterprise Portal Server, and the Tivoli Enterprise Portal administrator must create user accounts for those IDs. You do not have to define and authorize additional user IDs before you enable security, but you must define and authorize one administrative ID such as the sysadmin user ID.
Tip: To create additional user IDs after security validation is enabled, use one of the following methods:
  • Create a new Tivoli Enterprise Portal user whose user ID matches a new or existing user defined to the security program. This is the preferred method.
  • Define a Tivoli Enterprise Portal user ID to the security program.

About this task

Complete the following steps to enable security on a z/OS hub monitoring server:

Procedure

  1. If you have not already done so, define the security system to be used.
    1. In the runtime environment that contains the hub monitoring server, set the value of the RTE_SECURITY_USER_LOGON parameter to specify the security system to be used for the runtime environment: RACF, ACF2, TSS, SAF, NAM, or NONE.
    2. If you specified ACF2, provide the name of the ACF2 macro library as the value of the GBL_DSN_ACF2_MACLIB parameter.
  2. Enable security validation on the hub.
    1. Set the value of the KDS_TEMS_SECURITY_KDS_VALIDATE parameter to Y.
    2. Uncomment or add the RTE_SECURITY_KAES256_KEY parameter, and either accept the IBM®-supplied default value "IBMTivoliMonitoringEncryptionKey" or specify a unique 32-byte password encryption key. The value is case-sensitive, and the same key must be used for all components that communicate with the hub.
      Tip: The encryption key is shown in plain text in the configuration profile, so that the value can be used as input to create the KAES256 encryption key file. For this reason, ensure that the rhilev.rte_name.WCONFIG library (for PARMGEN), or the RTEDEF (rte_name) file (for Configuration Manager) is secured.
    3. Depending on whether you use PARMGEN or Configuration Manager, do the following:
      • For PARMGEN, run either the KCIJVSEC (if system variables are enabled) or KCIJPSEC (if system variables are not enabled) job in the rhilev.rte_name.WKANSAMU library to create the security-related members of the runtime libraries. Alternatively, you can run either the KCIJVSUB or KCIJPSUB composite job, which creates all the runtime members.
      • For Configuration Manager, use the GENERATE action to create the runtime members.
    4. Set the GBL_DSN_CSF_SCSFMOD0 parameter as described below:
      • For PARMGEN, this parameter can be found in WCONFIG($GBL$USR).
      • For Configuration Manager, use or edit the RTEDEF(GBL$PARM or GBL$lpar) members as needed.
    5. If you are enabling security after the RTE has already been configured, do one of the following:
  3. Implement security, following the instructions in the appropriate section:
  4. Verify that the user account you created can log on to the Tivoli Enterprise Portal.
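The following is an added example, not IBM code and not part of this page: a small Python check that reads a PARMGEN-style profile and reports which of the settings from the procedure above are missing or weak (no security system selected, validation off, the KAES256 key commented out, not 32 bytes, or left at the IBM-supplied default). It assumes the profile is one `NAME "value"` per line with comment lines starting with `*`; that syntax, the sample profiles, and the data set name used for GBL_DSN_CSF_SCSFMOD0 are constructed for the example.

```python
import re

# Assumed profile syntax (an assumption, not taken from the IBM page):
# one parameter per line as  NAME "value"  ; lines starting with '*' are comments.
PARAM_RE = re.compile(r'^\s*([A-Z0-9_$]+)\s+"([^"]*)"')
VALID_LOGON = {"RACF", "ACF2", "TSS", "SAF", "NAM", "NONE"}   # values listed on the page
DEFAULT_KEY = "IBMTivoliMonitoringEncryptionKey"             # IBM-supplied default

def parse_profile(text):
    """Return {NAME: value} for active (uncommented) parameter lines."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("*"):
            continue                      # commented-out parameter is not in effect
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def check_hub_security(params):
    """Return a list of findings; an empty list means the hub settings are consistent."""
    findings = []
    logon = params.get("RTE_SECURITY_USER_LOGON")
    if logon not in VALID_LOGON:
        findings.append("RTE_SECURITY_USER_LOGON missing or not one of " + ", ".join(sorted(VALID_LOGON)))
    elif logon == "NONE":
        findings.append("RTE_SECURITY_USER_LOGON is NONE: no security system selected")
    if logon == "ACF2" and not params.get("GBL_DSN_ACF2_MACLIB"):
        findings.append("ACF2 selected but GBL_DSN_ACF2_MACLIB is not set")
    if params.get("KDS_TEMS_SECURITY_KDS_VALIDATE") != "Y":
        findings.append("KDS_TEMS_SECURITY_KDS_VALIDATE is not Y: hub does not validate logons")
    key = params.get("RTE_SECURITY_KAES256_KEY")
    if key is None:
        findings.append("RTE_SECURITY_KAES256_KEY is missing or commented out")
    else:
        if len(key.encode("utf-8")) != 32:
            findings.append(f"RTE_SECURITY_KAES256_KEY is {len(key.encode('utf-8'))} bytes, must be 32")
        if key == DEFAULT_KEY:
            findings.append("RTE_SECURITY_KAES256_KEY is the IBM-supplied default; use a unique key")
    if not params.get("GBL_DSN_CSF_SCSFMOD0"):
        findings.append("GBL_DSN_CSF_SCSFMOD0 is not set")
    return findings

# Constructed sample profiles (not from a real system): weak settings beside corrected ones.
WEAK_PROFILE = """\
* RTE_SECURITY_USER_LOGON "RACF"
RTE_SECURITY_USER_LOGON "NONE"
KDS_TEMS_SECURITY_KDS_VALIDATE "N"
* RTE_SECURITY_KAES256_KEY "IBMTivoliMonitoringEncryptionKey"
"""
HARDENED_PROFILE = """\
RTE_SECURITY_USER_LOGON "RACF"
KDS_TEMS_SECURITY_KDS_VALIDATE "Y"
RTE_SECURITY_KAES256_KEY "SampleKeyForThisExample32Bytes!!"
GBL_DSN_CSF_SCSFMOD0 "CSF.SCSFMOD0"
"""
```

Run it with `check_hub_security(parse_profile(WEAK_PROFILE))` to see the four findings the weak profile produces; the hardened profile returns none.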