Configuring user IDs, group IDs, and security product
You must create user IDs and group IDs with necessary permissions to run the Z Common Data Provider Configuration Tool.
About this task
A default properties file /usr/lpp/IBM/zcdp/v5r1m0/UI/LIB/cdpui.properties is provided with default user IDs and group IDs to run the Configuration Tool. You can run the defracf.cmd script to change the default values. The new values are saved in /var/cdp-uiconfig/cdpui.properties for the savingpolicy.sh script to use in the next task. If you are using RACF® as your SAF product, you can allow the script to run necessary RACF commands to create the IDs and permissions. If you do not use RACF, you can exit the script after verifying or changing the values and continue with the configuration.
To run the defracf.cmd script, you must be logged in to the z/OS® system with a user ID that has the
Run the following script under UNIX System Services to start verifying the default values or changing the values. Only the default z/OS shell is supported.
- If necessary, change the user IDs and group IDs to meet your requirements. All user IDs and group IDs that you specify must be unique. If AUTOID is set to OFF, the UIDs and GIDs that are specified must be unique.
- The user ID that is assigned to the Configuration Tool server started task procedure. The default value is HBOSTCID.
  Tip: If you want to change this user ID after it is created by running the defracf.cmd script, you must first delete the profiles HBOCFGT.*, then you can rerun the defracf.cmd script to change values. Otherwise, you will see the following messages when you rerun the defracf.cmd script, and you will not be able to start the Liberty server:
    ICH10102I HBOCFGA.* ALREADY DEFINED TO CLASS STARTED.
    ICH10102I HBOCFGT.* ALREADY DEFINED TO CLASS STARTED.
- The group that contains STC_USRID. The default value is
- The group that is granted the permission of logging in and using the Configuration Tool. The default value is
- The user ID that is used by Liberty for accessing the Configuration Tool login page. The default
- The group that contains GUEST_USER. The default value is
- The user ID that is granted the permission of logging in and using the Configuration Tool. The default value is HBOUSER. You must specify an existing user for this parameter. If you don't specify any value for this parameter, no user is able to access the Configuration Tool. To allow a user to use the Configuration Tool, you must connect the user to the AUTHORIZED_GROUP as instructed in Allowing users to use the Configuration Tool.
- Determines whether the UID and GID are automatically assigned. The default value is OFF, and you must set values for the following parameters. Make sure that the UIDs and GIDs that you specify meet the requirements of your environment. If the UIDs and GIDs are not accepted by your security product, the Configuration Tool cannot be installed successfully.
- The UID for STC_USRID.
- The GID for STC_GROUP.
- The GID for AUTHORIZED_GROUP.
- The UID for GUEST_USER.
- The GID for GUEST_GROUP.
- The host name of the system. The default value is the output of the UNIX System Services command hostname for your system. Usually the format of the host name is
- When you are prompted to choose exit or go, if you are using RACF as your SAF product and you want the script to run RACF commands to create the IDs and permissions, enter GO. Otherwise, enter EXIT to end the script.
  Tip: If the user ID of AUTHORIZED_USER is not found after you run the script, see the troubleshooting topic User ID of parameter AUTHORIZED_USER is not found for a solution.
  Important: If you run the script again to change the user ID and group ID for the started task, you must first delete the certificate authority, the certificate, and the keyring that are created this time.
- If you enter GO, check the output from the RACF commands in the /var/cdp-uiconfig/defracf.log file and verify that all commands are successfully issued by the script.
- No RACF error messages should be issued to the terminal from UNIX System Services after the script finishes running.
- If you see the messages ICH10006I, ICH06011I, and IRRD175I indicating that RACLISTED PROFILES must be refreshed before they are effective, and a message All related RACLIST CLASS are refreshed successfully after the script finishes running, it means that the RACLISTED PROFILES are refreshed by the script and are effective.
- Message ICH10102I, which says that BBG.AUTHMOD.BBGZSAFM and BBG.AUTHMOD.BBGZSAFM.SAFCRED are already defined, can be safely ignored. These profiles are shared with other Liberty Angel Servers, and they might be defined by a Liberty Angel Server that was created before.
- If you enter EXIT, you must configure your security product by using the information that is saved in /var/cdp-uiconfig/cdpui.properties. If you are using RACF as your SAF product, you can use the commands in Configuring the security product by running commands. If you are not using RACF, you can use these commands to compose equivalent commands for your SAF product.
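The log checks described above can be scripted. The following is an added example, not part of the product documentation or the defracf.cmd script: a shell function that classifies the messages this page names and flags any other RACF message for manual review. It assumes one message per line with the message ID as the first word, and that the input combines defracf.log with captured terminal output; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify defracf.cmd output using the message IDs named above.
# Assumptions: one message per line, message ID as the first word, and the
# input combines /var/cdp-uiconfig/defracf.log with captured terminal output.

triage_defracf() {
    # Reads the files given as arguments, or stdin when none are given.
    awk '
    # Shared Liberty angel profiles: duplicates are expected and harmless.
    $1 == "ICH10102I" && $2 ~ /^BBG\.AUTHMOD\.BBGZSAFM(\.SAFCRED)?$/ { next }
    # STARTED profiles left from an earlier run: the Liberty server will not start.
    $1 == "ICH10102I" && $2 ~ /^HBOCFG[AT]\.\*$/ { stale = stale " " $2; next }
    # Profiles were changed in a RACLISTed class and need a refresh.
    $1 == "ICH10006I" || $1 == "ICH06011I" || $1 == "IRRD175I" { pending++; next }
    /All related RACLIST CLASS are refreshed successfully/ { refreshed = 1; next }
    # Any other RACF message (ICH or IRR prefix) needs a human to read it.
    $1 ~ /^(ICH|IRR)[A-Z]?[0-9]+[A-Z]$/ { unknown++ }
    END {
        if (stale != "")           { print "STALE_STARTED_PROFILES" stale; exit 2 }
        if (unknown)               { print "REVIEW " unknown; exit 1 }
        if (pending && !refreshed) { print "REFRESH_NOT_CONFIRMED"; exit 1 }
        print "OK"
    }' "$@"
}

# Constructed sample of a rerun without first deleting the old STARTED profiles.
# Message text other than the two HBOCFG lines is illustrative only.
constructed_rerun() {
    cat <<'EOF'
ICH10102I BBG.AUTHMOD.BBGZSAFM ALREADY DEFINED TO CLASS SERVER.
ICH10102I HBOCFGA.* ALREADY DEFINED TO CLASS STARTED.
ICH10102I HBOCFGT.* ALREADY DEFINED TO CLASS STARTED.
ICH10006I (constructed) profiles must be refreshed
All related RACLIST CLASS are refreshed successfully
EOF
}

constructed_rerun | triage_defracf || true
```

An OK result covers only the messages this page names; it does not replace reading the log to confirm that every command was issued successfully.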