Security for zCX

Started task ID

Define a GLZ started procedure in the PROCLIB concatenation. zCX provides a sample GLZ procedure in SYS1.PROCLIB. You can have multiple procedures to eliminate the need for CONF= and JOBNAME= parameters on each START GLZ command.

Update the security server:
  1. Define a z/OS user ID under which the zCX instances will run, and permit the user ID to the GLZ started procedure(s). This can be a single user ID for all zCX instances or a set of user IDs.
  2. Permit the user ID to create zCX Dynamic VIPAs (EZB.MODDVIPA.*.*). This is required in the following cases:
    • If the EZB.MODDVIPA.*.* SERVAUTH class profile is defined to restrict access to all VIPARANGE DVIPAs. If an existing user ID that is already permitted is being used for this zCX instance, then no additional definitions are needed.
    • If the SAF keyword was specified when creating the VIPARANGE zCX statement in the TCP/IP profile. If the SAF keyword specifies a new resource name, then you may need to also create a unique profile if there is not a generic profile already covering that resource name.
If SAF-based security is not enabled for DVIPA creation, then the user ID associated with the zCX started task will require one of the following:
  • A UID(0) specification in its OMVS segment
  • READ access to a BPX.SUPERUSER profile if that is defined on the system

Local and LDAP user management

User management for the zCX Docker CLI can be optionally integrated with your z/OS defined users using LDAP-based authentication. There is also the option for user management through a local registry. LDAP-based authentication can be integrated with RACF or other compliant security manager products by using the IBM® Tivoli® Directory Server for z/OS®. You should decide what method of user management you will use for zCX prior to provisioning, although you can switch between the types after implementation. More information can be found in the User Management chapter.

Setting up pervasive encryption for zCX data sets

Pervasive encryption is recommended for the root file systems, swap data volumes, configuration, user data, and diagnostics data VSAM LDS, and for the zCX instance directory zFS file system using VSAM encryption support provided by DFSMS. You can associate an encryption key label with the above data sets either by adding the key label to the DFP segment of the data set’s security profile, or by adding the key label to the data set’s SMS data class.

Protecting the high level qualifier (HLQ) for zCX VSAM linear data sets: Use security manager product data set profiles to protect zCX linear VSAM data sets. See Table 1.

Table 1. Required level of access to zCX data sets
User ID                                                                                          | Required level of access
z/OS system programmers provisioning, de-provisioning, re-configuring or upgrading zCX instances | ALTER
zCX started task user ID                                                                         | CONTROL
Note: Defining these sets of user IDs in different groups might make the security administration easier to manage.

VSAM linear data sets will use the encryption key labels if specified with one of the above methods before the data set is created.
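The started task, DVIPA, data set profile and key label steps above, collected into one RACF command sequence as an added example that is not part of the zCX documentation. The user ID ZCXSTC, groups ZCXGRP and ZCXSYSP, the HLQ ZCX, system name SYS1, TCP/IP stack name TCPIP and the UID/GID values are assumptions, and the key label is a placeholder; it is written as a REXX exec so the commands can carry comments.

```rexx
/* REXX -- hypothetical exec for a RACF administrator to run from TSO.   */
/* Assumed names: user ZCXSTC, groups ZCXGRP and ZCXSYSP, HLQ ZCX,       */
/* system SYS1, TCP/IP stack TCPIP, UID/GID 9001/9000. The key label is  */
/* a placeholder; adjust everything to site standards before use.        */
address TSO

/* 1. Protected user ID (no password, no OID card) for the GLZ started   */
/*    task. No UID(0) is given: DVIPA creation is granted via SERVAUTH.  */
"ADDGROUP ZCXGRP OMVS(GID(9000))"
"ADDUSER ZCXSTC NAME('ZCX STARTED TASK') DFLTGRP(ZCXGRP)",
    "NOPASSWORD NOOIDCARD OMVS(UID(9001) HOME('/tmp') PROGRAM('/bin/sh'))"

/*    Map every GLZ* procedure, under any job name, to that user ID.     */
"RDEFINE STARTED GLZ*.* STDATA(USER(ZCXSTC) GROUP(ZCXGRP) TRUSTED(NO))"
"SETROPTS RACLIST(STARTED) REFRESH"

/* 2. Dynamic VIPA creation for this stack: READ on the MODDVIPA profile */
/*    replaces the UID(0) / BPX.SUPERUSER alternative named in the text. */
"RDEFINE SERVAUTH EZB.MODDVIPA.SYS1.TCPIP UACC(NONE)"
"PERMIT EZB.MODDVIPA.SYS1.TCPIP CLASS(SERVAUTH) ID(ZCXSTC) ACCESS(READ)"
"SETROPTS RACLIST(SERVAUTH) REFRESH"

/* 3. Data set profiles per Table 1: system programmers ALTER, started  */
/*    task CONTROL, UACC(NONE) for everyone else.                        */
"ADDGROUP ZCXSYSP"
"ADDSD 'ZCX.**' UACC(NONE)"
"PERMIT 'ZCX.**' ID(ZCXSYSP) ACCESS(ALTER)"
"PERMIT 'ZCX.**' ID(ZCXSTC)  ACCESS(CONTROL)"

/* 4. Encryption key label in the DFP segment. It takes effect only for  */
/*    data sets allocated afterwards, and only if they are extended      */
/*    format. The user IDs above also need access to the label in the   */
/*    CSFKEYS class.                                                     */
"ALTDSD 'ZCX.**' DFP(DATAKEY(<ZCX-KEY-LABEL>))"
"SETROPTS GENERIC(DATASET) REFRESH"

/* Verify the result before provisioning an instance.                    */
"LISTDSD DATASET('ZCX.**') DFP AUTHUSER"
"RLIST SERVAUTH EZB.MODDVIPA.SYS1.TCPIP AUTHUSER"
```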

In addition to providing the encryption key label, the zCX instance directory zFS file system must be enabled for encryption in one of three ways:
  • Use the global format_encryption=on option in the IOEFSPRM configuration.
  • Set the zCX z/OSMF variable ZCX_ZFS_ENCRYPT to TRUE in the zCX provisioning workflow.
  • Manually issue the zfsadm encrypt command after successfully provisioning the zCX instance.

Only VSAM data sets defined with the extended format option are eligible to be encrypted. While zFS does not require aggregates to be defined with the extended format option to be encryption-eligible, zCX does. For zFS file system encryption, all members of the system's sysplex must be z/OS V2R3 or higher.

Use the following resource for more information on getting started with encryption: