Security for zCX
Started task ID
Define a GLZ started procedure in the PROCLIB concatenation. zCX provides a sample GLZ procedure in SYS1.PROCLIB. You can define multiple procedures to eliminate the need for the CONF= and JOBNAME= parameters on each START GLZ command.
- Define a z/OS user ID under which the zCX instances will run, and permit the user ID to the GLZ started procedure(s). This can be a single user ID for all zCX instances or a set of user IDs.
- Permit the user ID to create zCX Dynamic VIPAs (EZB.MODDVIPA.*.*). This is required in the following cases:
  - The EZB.MODDVIPA.*.* SERVAUTH class profile is defined to restrict access to all VIPARANGE DVIPAs. If an existing user ID that already has this access is used for the zCX instance, no additional definitions are needed.
  - The SAF keyword was specified on the VIPARANGE zCX statement in the TCP/IP profile. If the SAF keyword names a new resource, you may also need to create a profile for it, unless a generic profile already covers that resource name.
- Give the user ID superuser authority by one of the following:
  - A UID(0) specification in its OMVS segment
  - READ access to the BPX.SUPERUSER profile, if that profile is defined on the system
Local and LDAP user management
User management for the zCX Docker CLI can optionally be integrated with your z/OS-defined users through LDAP-based authentication; alternatively, users can be managed in a local registry. LDAP-based authentication can be integrated with RACF or another compliant security manager product by using the IBM® Tivoli® Directory Server for z/OS®. Decide which method of user management you will use before provisioning, although you can switch between the two after implementation. For details, see the User Management chapter.
Setting up pervasive encryption for zCX data sets
Pervasive encryption is recommended for the root file systems, swap data volumes, configuration, user data, and diagnostics data VSAM linear data sets (LDS), and for the zCX instance directory zFS file system, using the VSAM encryption support provided by DFSMS. You can associate an encryption key label with these data sets either by adding the key label to the DFP segment of the data set's security profile, or by adding the key label to the data set's SMS data class. VSAM linear data sets use the encryption key label only if it is specified by one of these methods before the data set is created, because the key label is bound to the data set when it is allocated.

Protecting the high level qualifier (HLQ) for zCX VSAM linear data sets: Use security manager product data set profiles to protect the zCX linear VSAM data sets. Table 1 lists the required access levels.

Table 1. Required access to zCX VSAM linear data sets

User ID | Required level of access
---|---
z/OS system programmers provisioning, de-provisioning, re-configuring or upgrading zCX instances | ALTER
zCX started task user ID | CONTROL
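The following batch job is an added example, not code from the zCX documentation or its sample GLZ procedure. It issues the RACF commands that implement the started task, user ID, DVIPA, superuser and data set protection points from the two sections above in one place. Every name in it is an assumption chosen for illustration: the groups ZCXGRP (default group of the started task user), ZCX (the data set HLQ) and ZCXADM (an existing system programmer group), the user ID ZCXUSER, started procedures named GLZ*, system name SYSA, TCP/IP stack name TCPIP, and the ICSF key label ZCX.KEY01, which must already exist in the CKDS. It also assumes the STARTED, FACILITY, SERVAUTH and CSFKEYS classes are active and RACLISTed and that generic data set profiles are enabled.

```jcl
//ZCXRACF  JOB (ACCT),'ZCX SECURITY SETUP',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*---------------------------------------------------------------
//* Added example (not from the zCX documentation). All names are
//* assumptions: groups ZCXGRP, ZCX (data set HLQ), ZCXADM (system
//* programmers), user ZCXUSER, system SYSA, TCP/IP stack TCPIP,
//* ICSF key label ZCX.KEY01 (must already exist in the CKDS).
//*
//* ZCXUSER is a protected user ID (NOPASSWORD NOPHRASE): it cannot
//* be used to log on and cannot be revoked by bad logon attempts.
//* It gets a non-zero UID plus READ to BPX.SUPERUSER rather than
//* UID(0); either form satisfies the superuser requirement.
//* The key label is placed in the DFP segment of the data set
//* profile, so it is in effect BEFORE the provisioning workflow
//* allocates the VSAM linear data sets. Anyone who opens an
//* encrypted data set needs READ to its key label, so both the
//* started task user and the sysprogs are permitted, but only
//* for DFSMS data set encryption (CRITERIA(SMS(DSENCRYPTION))),
//* not for arbitrary ICSF callable services.
//*---------------------------------------------------------------
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDGROUP ZCXGRP SUPGROUP(SYS1) OWNER(SYS1)
 ADDGROUP ZCX SUPGROUP(SYS1) OWNER(SYS1)
 ADDUSER ZCXUSER NAME('ZCX STARTED TASK') OWNER(ZCXGRP) +
   DFLTGRP(ZCXGRP) NOPASSWORD NOPHRASE +
   OMVS(UID(8000) HOME('/') PROGRAM('/bin/sh'))
 RDEFINE STARTED GLZ*.* STDATA(USER(ZCXUSER) GROUP(ZCXGRP) +
   TRUSTED(NO) PRIVILEGED(NO) TRACE(YES))
 PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(ZCXUSER) ACCESS(READ)
 PERMIT EZB.MODDVIPA.SYSA.TCPIP CLASS(SERVAUTH) ID(ZCXUSER) +
   ACCESS(READ)
 ADDSD 'ZCX.**' UACC(NONE) OWNER(ZCX) DFP(DATAKEY(ZCX.KEY01))
 PERMIT 'ZCX.**' ID(ZCXADM) ACCESS(ALTER)
 PERMIT 'ZCX.**' ID(ZCXUSER) ACCESS(CONTROL)
 PERMIT ZCX.KEY01 CLASS(CSFKEYS) ID(ZCXUSER ZCXADM) +
   ACCESS(READ) WHEN(CRITERIA(SMS(DSENCRYPTION)))
 SETROPTS RACLIST(STARTED FACILITY SERVAUTH CSFKEYS) REFRESH
 SETROPTS GENERIC(DATASET) REFRESH
/*
```

Submit the job from a user ID with SPECIAL authority before running the zCX provisioning workflow; if a key label is later changed in the DFP segment, it affects only data sets allocated after the change. The TRACE(YES) operand on the STARTED profile writes a message identifying the assigned user ID each time a GLZ procedure starts, which is a cheap way to confirm the profile matched the job.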
Encrypt the zCX instance directory zFS file system by one of the following methods:
- Use the global `format_encryption=on` option in the IOEFSPRM configuration file.
- Set the zCX z/OSMF variable ZCX_ZFS_ENCRYPT to TRUE in the zCX provisioning workflow.
- Manually issue the `zfsadm encrypt` command after successfully provisioning the zCX instance.
Only VSAM data sets defined with the extended format option are eligible to be encrypted. Although zFS itself does not require an aggregate to be defined with the extended format option to be encryption-eligible, zCX does. For zFS file system encryption, all systems in the sysplex must be at z/OS V2R3 or later.
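As an added example of the third method, the batch job below runs `zfsadm encrypt` through the IOEZADM batch interface and then verifies the result with `zfsadm fsinfo`. It is not taken from the zCX documentation. Its names are assumptions: ZCX.ZFS1 is an already provisioned, extended-format zCX instance directory aggregate, and ZCX.KEY01 is an existing ICSF key label that the submitting user ID is permitted to use for data set encryption.

```jcl
//ZCXZFS   JOB (ACCT),'ENCRYPT ZCX ZFS',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*---------------------------------------------------------------
//* Added example (not from the zCX documentation). Assumptions:
//* ZCX.ZFS1 is the zCX instance directory zFS aggregate, already
//* provisioned and extended format (required by zCX, not by zFS);
//* ZCX.KEY01 is an existing ICSF key label the submitter may use.
//* This is the manual "zfsadm encrypt" method. The other two
//* methods (format_encryption=on in IOEFSPRM, or ZCX_ZFS_ENCRYPT
//* set to TRUE in the workflow) encrypt the aggregate when it is
//* formatted, so no separate step is needed for new instances.
//*---------------------------------------------------------------
//* Start encryption. Existing data is converted by a background
//* task, so the step completes before the aggregate is fully
//* encrypted; the step return code only reports whether the
//* request was accepted.
//ENCRYPT  EXEC PGM=IOEZADM,REGION=0M,
//             PARM='encrypt -aggregate ZCX.ZFS1 -keylabel ZCX.KEY01'
//SYSPRINT DD SYSOUT=*
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//* Verify: fsinfo reports the encryption status and progress of
//* the aggregate. Skipped if the encrypt request failed.
//VERIFY   EXEC PGM=IOEZADM,REGION=0M,COND=(0,NE,ENCRYPT),
//             PARM='fsinfo -aggregate ZCX.ZFS1 -full'
//SYSPRINT DD SYSOUT=*
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
```

Rerun the VERIFY step (or issue `zfsadm fsinfo -aggregate ZCX.ZFS1 -full` from the z/OS UNIX shell) until the status no longer shows encryption in progress; data written before that point may still be in the clear on disk.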
- IBM Documentation:
  - Using the z/OS data set encryption enhancements, in z/OS® DFSMS Using the New Functions