Authorizing daemon and user identities
IBM recommends that you assign unique z/OS and z/OS UNIX user identifiers (UIDs) to the daemons and applications that are authorized to use OCEP and OCSF services. This approach will maintain individual accountability for applications that are accessing cryptographic services on z/OS.
For example, assume that the following daemon application needs to use OCEP and OCSF services on z/OS. This daemon runs under the z/OS shell and the application is started by the daemon's profile.
UID | RACF Identity (User ID) | Home Directory |
---|---|---|
25 | G092799 | /u/apps/g092799 |
adduser g092799 omvs(uid(25) home('/u/apps/g092799') program('/bin/sh'))
For more information about how to define a RACF user ID, see the z/OS Security Server RACF Command Language Reference and the z/OS Security Server RACF Security Administrator's Guide.
In addition, IBM recommends that the OCEP installation and verification scripts (see Installing the OCEP code and Verifying OCEP installation are run from a superuser; that is, a user ID that has been defined with a UID of 0.
For more information about how to define entities for daemons and applications on z/OS, see z/OS UNIX System Services Planning.