CIM server security setup

The z/OS implementation of the CIM server requires each requestor to have a real z/OS user ID. Only users who have been successfully authenticated by the z/OS security product and who have been granted access to the CIM server can execute requests against the CIM server. This topic describes how to set up these features.

Setting up security for the CIM server includes the following steps:

  1. Define a RACF® class and profile for the CIM server (see Defining a RACF class and profile for the CIM server).
  2. Define a user ID for the CIM server and grant it access to the RACF profile of the CIM server (see Defining a CIM server user ID).
  3. Configure the resource authorization model of the CIM server (see Configuring the resource authorization model of the CIM server).
  4. Grant client users and administrators access to the CIM server (see Granting clients and administrators access to the CIM server).
  5. Allow the CIM server to surrogate for a client ID (see Switching identity (surrogate)).
  6. Optionally configure secure connections (HTTPS) for the CIM server (see Configuring the CIM server HTTPS connection using AT-TLS).
  7. If the APPL class for your security product is active, optionally define the CFZAPPL profile (see Defining the CFZAPPL profile for the APPL class).
  8. For PassTicket usage, define an encryption key for the application ID CFZAPPL (see Defining an encryption key for PassTicket validation).
  9. If multilevel security (MLS) is active on your system and the CIM server UID≠0, grant the CIM server user ID READ access to the security resource BPX.POE in the FACILITY class (see Setting up multilevel security (MLS) support).
  10. If the CIM server is configured to use the Automatic Restart Manager (ARM) in a sysplex, you must ensure that the XCF address space has the proper authorization to perform a restart (see Considering Automatic Restart Manager security).
  11. If you intend to run providers out-of-process, grant the CIM server user ID READ access to the profile BPX.JOBNAME defined in the FACILITY class (see Running providers in separate address spaces).
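The following RACF command sequence is an added illustration of steps 1, 2, 4, 5, 7, 8, 9 and 11 above as they would be entered from TSO; it is not taken from the IBM documentation and each referenced topic remains the authoritative source for the exact values. The class name WBEM, the profile name CIMSERV, the server user ID CFZSRV and its group CFZSRVGP are assumed here as the conventional z/OS defaults and must be confirmed against your installation; CLIENT1, the UID/GID numbers and the PassTicket key are constructed placeholders. CFZAPPL, BPX.POE and BPX.JOBNAME are the names the steps above use.

```tso
/* Step 1: class and profile that protect the CIM server (names assumed, see lead-in) */
RDEFINE WBEM CIMSERV UACC(NONE)
SETROPTS CLASSACT(WBEM) RACLIST(WBEM)

/* Step 2: server user ID with no password (runs as a started task), then */
/* grant it access to its own profile; the required access level is the one */
/* stated in "Defining a CIM server user ID" (CONTROL is assumed here)     */
ADDGROUP CFZSRVGP OMVS(GID(200))
ADDUSER CFZSRV DFLTGRP(CFZSRVGP) NOPASSWORD +
   OMVS(UID(201) HOME('/var/wbem') PROGRAM('/bin/sh'))
PERMIT CIMSERV CLASS(WBEM) ID(CFZSRV) ACCESS(CONTROL)

/* Step 4: a client user gets READ on the profile; administrators get the */
/* higher level documented in "Granting clients and administrators access" */
PERMIT CIMSERV CLASS(WBEM) ID(CLIENT1) ACCESS(READ)

/* Step 5: let the server switch identity to CLIENT1 only, not to every ID */
RDEFINE SURROGAT BPX.SRV.CLIENT1 UACC(NONE)
PERMIT BPX.SRV.CLIENT1 CLASS(SURROGAT) ID(CFZSRV) ACCESS(READ)
SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)

/* Step 7: APPL profile, only needed when the APPL class is active */
RDEFINE APPL CFZAPPL UACC(NONE)
PERMIT CFZAPPL CLASS(APPL) ID(CLIENT1) ACCESS(READ)

/* Step 8: PassTicket key for CFZAPPL (16 hex digits; placeholder value) */
RDEFINE PTKTDATA CFZAPPL SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

/* Steps 9 and 11: FACILITY resources the server needs under MLS and for */
/* out-of-process providers                                               */
PERMIT BPX.POE CLASS(FACILITY) ID(CFZSRV) ACCESS(READ)
PERMIT BPX.JOBNAME CLASS(FACILITY) ID(CFZSRV) ACCESS(READ)

/* Make every in-storage profile current */
SETROPTS RACLIST(WBEM SURROGAT APPL PTKTDATA FACILITY) REFRESH

/* Check: list who holds which access on the CIM server profile */
RLIST WBEM CIMSERV AUTHUSER
```

The RLIST output at the end is the check to keep in change records: it should show CFZSRV and each intended client or administrator with exactly the access level the referenced topics require, and nothing granted through UACC. Defining the SURROGAT profile per client ID, rather than a generic BPX.SRV.** profile, keeps the set of identities the server may assume to the smallest one the deployment needs.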