Configuring user IDs, group IDs, and security product

You must create user IDs and group IDs with the necessary permissions to run the Z Common Data Provider Configuration Tool.

About this task

A default properties file /usr/lpp/IBM/zcdp/v5r1m0/UI/LIB/cdpui.properties is provided with default user IDs and group IDs to run the Configuration Tool. You can run the defracf.cmd script to change the default values. The new values are saved in /var/cdp-uiconfig/cdpui.properties for the savingpolicy.sh script to use in the next task. If you are using RACF® as your SAF product, you can allow the script to run necessary RACF commands to create the IDs and permissions. If you do not use RACF, you can exit the script after verifying or changing the values and continue with the configuration.

To run the defracf.cmd script, you must be logged in to the z/OS® system with a user ID that has the RACF SPECIAL authority.

Important: If you have run the script before and you are now changing the user ID and group ID for the started task, you must delete the certificate authority, the certificate, and the keyring that were created by the previous run before you run the script again.

Procedure

  1. Run the following script under UNIX System Services to start verifying the default values or changing the values. Only the default z/OS shell is supported.
    /usr/lpp/IBM/zcdp/v5r1m0/UI/LIB/defracf.cmd
  2. If necessary, change the user IDs and group IDs to meet your requirements.
    All user IDs and group IDs that you specify must be unique. If AUTOID is set to OFF, the UIDs and GIDs that you specify must also be unique.
    STC_USRID
    The user ID that is assigned to the Configuration Tool server started task procedure. The default value is HBOSTCID.
    Tip: If you want to change this user ID after it is created by running the defracf.cmd script, you must first delete the profiles HBOCFGA.* and HBOCFGT.*, then you can rerun the defracf.cmd script to change values. Otherwise, you will see the following messages when you rerun the defracf.cmd script, and you will not be able to start the Liberty server:
    ICH10102I HBOCFGA.* ALREADY DEFINED TO CLASS STARTED.
    ICH10102I HBOCFGT.* ALREADY DEFINED TO CLASS STARTED.
    STC_GROUP
    The group that contains STC_USRID. The default value is HBOSTCGP.
    AUTHORIZED_GROUP
    The group that is granted the permission of logging in and using the Configuration Tool. The default value is HBOUSRGP.
    GUEST_USER
    The user ID that is used by Liberty for accessing the Configuration Tool login page. The default value is HBOGUEST.
    GUEST_GROUP
    The group that contains GUEST_USER. The default value is HBOUNGRP.
    AUTHORIZED_USER
    The user ID that is granted the permission of logging in and using the Configuration Tool. The default value is HBOUSER. You must specify an existing user for this parameter. If you don't specify any value for this parameter, no user is able to access the Configuration Tool. To allow a user to use the Configuration Tool, you must connect the user to the AUTHORIZED_GROUP as instructed in Allowing users to use the Configuration Tool.
    AUTOID
    Determines whether the UID and GID are automatically assigned. The default value is OFF, and you must set values for the following parameters. Make sure that the UIDs and GIDs that you specify meet the requirements of your environment. If the UIDs and GIDs are not accepted by your security product, the Configuration Tool cannot be installed successfully.
    STC_USRID_UID
    The UID for STC_USRID.
    STC_GROUP_GID
    The GID for STC_GROUP.
    AUTHORIZED_GROUP_GID
    The GID for AUTHORIZED_GROUP.
    GUEST_USER_UID
    The UID for GUEST_USER.
    GUEST_GROUP_GID
    The GID for GUEST_GROUP.
    If automatic assignment of UID and GID is enabled in your environment, you can change the value of AUTOID to ON to have the required UIDs and GIDs automatically assigned by the system. In this case, skip the UID and GID parameters that are listed previously.
    HOSTNAME
    The host name of the system. The default value is the output of the UNIX System Services command hostname for your system. Usually the format of the host name is XXXX.XXX.XXX.XXX.
  3. When you are prompted to choose exit or go, if you are using RACF as your SAF product and you want the script to run RACF commands to create the IDs and permissions, enter GO. Otherwise, enter EXIT to end the script.
    • If you enter GO, check the output from the RACF commands in the /var/cdp-uiconfig/defracf.log file and verify that all commands are successfully issued by the script.
      • No RACF error messages should be issued to the terminal from UNIX System Services after the script finishes running.
      • If you see the messages ICH10006I, ICH06011I, and IRRD175I indicating that RACLISTED PROFILES must be refreshed before they are effective, and a message All related RACLIST CLASS are refreshed successfully after the script finishes running, it means that the RACLISTED PROFILES are refreshed by the script and are effective.
      • Message ICH10102I, which says that BBG.AUTHMOD.BBGZSAFM and BBG.AUTHMOD.BBGZSAFM.SAFCRED are already defined, can be safely ignored. These profiles are shared with other Liberty Angel Servers, and they might have been defined by a Liberty Angel Server that was created earlier.
    • If you enter EXIT, you must configure your security product by using the information that is saved in /var/cdp-uiconfig/cdpui.properties. If you are using RACF as your SAF product, you can use the commands in Configuring the security product by running commands. If you are not using RACF, you can use these commands to compose equivalent commands for your SAF product.
    Tip: If the user ID of AUTHORIZED_USER is not found after you run the script, see the troubleshooting topic User ID of parameter AUTHORIZED_USER is not found for a solution.
    Important: If you run the script again to change the user ID and group ID for the started task, you must first delete the certificate authority, the certificate, and the keyring that are created this time.
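
The following shell function is an added example, not part of the product or of the original page. It classifies the RACF messages named in this procedure when you review /var/cdp-uiconfig/defracf.log after entering GO. It assumes one message per line with the message ID as the first field, and that the refresh confirmation line is present in the text being scanned; the sample lines and the function name are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify RACF messages left by a defracf.cmd run.
# Assumptions: one message per line with the message ID as the first
# field; the refresh confirmation line is present in the scanned text.
# Returns 0 = nothing to do, 1 = review needed, 2 = rerun is blocked.
triage_defracf_log() {
    awk '
    $1 == "ICH10102I" {
        # Shared Liberty angel profiles: the page says these are ignorable.
        if ($2 ~ /^BBG\.AUTHMOD\.BBGZSAFM/) { ignored++; next }
        # Leftover started-task profiles: Liberty will not start.
        if ($2 == "HBOCFGA.*" || $2 == "HBOCFGT.*") {
            print "BLOCKING: delete profile " $2 " and rerun defracf.cmd"
            blocking++; next
        }
        print "REVIEW: " $0; review++; next
    }
    # Refresh-needed notices are fine only if the script confirms the refresh.
    $1 == "ICH10006I" || $1 == "ICH06011I" || $1 == "IRRD175I" { pending++; next }
    /All related RACLIST CLASS are refreshed successfully/ { refreshed = 1; next }
    # Any other ICH/IRR message ID is surfaced for a human to read.
    $1 ~ /^(ICH|IRR)[0-9A-Z]*[0-9][A-Z]$/ { print "REVIEW: " $0; review++ }
    END {
        if (pending && !refreshed) {
            print "REVIEW: RACLIST refresh was requested but not confirmed"
            review++
        }
        printf "ignored=%d blocking=%d review=%d\n", ignored, blocking, review
        exit (blocking ? 2 : (review ? 1 : 0))
    }' "$1"
}

# Constructed sample input, not real defracf.cmd output.
sample="${TMPDIR:-/tmp}/defracf.sample.$$"
cat > "$sample" <<'EOF'
ICH10102I BBG.AUTHMOD.BBGZSAFM ALREADY DEFINED TO CLASS SERVER.
ICH10102I HBOCFGA.* ALREADY DEFINED TO CLASS STARTED.
IRRD175I (constructed placeholder text)
All related RACLIST CLASS are refreshed successfully
EOF
rc=0; triage_defracf_log "$sample" || rc=$?
echo "status=$rc"
rm -f "$sample"
```

A status of 2 corresponds to the STC_USRID tip in step 2: the HBOCFGA.* and HBOCFGT.* profiles must be deleted before the script is rerun.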