Enable security for the OMEGAMON enhanced 3270 user interface

Enable security for the OMEGAMON enhanced 3270 user interface by specifying the name of the SAF general resource class (or classes) to use for the runtime environment.

Before you begin

Authentication and authorization for users of the enhanced 3270 user interface are provided through the system authorization facility (SAF) interface. Security is enabled by specifying the name of a SAF general resource class for the runtime environment (RTE) in which the enhanced 3270 user interface is configured. A security administrator must define the general resource class if it does not already exist and must define profiles that control access to the interface itself, the data queries that the interface issues, and the actions that the interface performs. Users or user groups must then be permitted to those profiles; with no profile or permission, access is denied.

About this task

Security for the enhanced 3270 user interface is configured by specifying the name of a SAF general resource class for the RTE_SECURITY_CLASS parameter in the RTE configuration.
Attention: At a minimum, to use the enhanced 3270 user interface, the user must have SAF read authority for all data sets that are specified in the enhanced 3270 user interface started task procedure (except for STEPLIB). For more advanced use, the user must also have SAF write authority for certain user data sets. For example, saving user settings in a profile requires write access to the runtime profile data set (RKOBPFSV DD), and modifying workspaces requires write access to the user workspace data set (UKANWENU DD). Grant this write access only to the users who need it; read access to the started task data sets is sufficient for viewing data. For more information, see Define profiles for additional interface activities.

If the name of the global security class was specified during configuration of the runtime environment, no further configuration of the environment is required. If no security class was specified at the time the RTE was configured, modify the RTE by completing the steps provided in the procedure in this section.

If more granular security definitions are required, you can override the global SAF class for logon, queries, or Take Action commands. You cannot override the RTE_SECURITY_CLASS value for other enhanced user interface activities: for example, controlling auto update and access to particular hubs. You cannot override the SAF resource name prefix used for other enhanced user interface activities; the prefix is always KOBUI.

To override the RTE_SECURITY_CLASS value, add the following parameters to the rte_plib_hilev.rte_name.WCONFIG(KOB$PENV) member (for PARMGEN) or to the rte_plib_hilev.rte_name.EMBEDS(KOB$PENV) member (for Configuration Manager).
KOB_SAF_LOGON_CLASS_NAME
Specifies a specific security class name that is to be used for interface logon authentication. This parameter defaults to the RTE_SECURITY_CLASS parameter value. This parameter should only be specified if the RTE_SECURITY_CLASS is not being specified or a unique security class name is required for logon authorization.
KOB_SAF_QUERY_CLASS_NAME
Specifies a specific security class name that is to be used for authorization of an interface query (data retrieval). This parameter defaults to the RTE_SECURITY_CLASS parameter value. This parameter should only be specified if the RTE_SECURITY_CLASS is not being specified or a unique security class name is required for data retrieval authorization.
KOB_SAF_ACTION_CLASS_NAME
Specifies a specific security class name that is to be used for Take Action authorization. This parameter defaults to the RTE_SECURITY_CLASS parameter value. This parameter should only be specified if a unique security class name is required for take action authorization.
KOB_SAF_LOGON_RESOURCE_PREFIX
Authorization to log on to the enhanced 3270 user interface is verified by checking for access to a SAF resource named in the following pattern:
KOB.LOGON.
where KOB.LOGON. is the logon resource prefix. This prefix can be changed by setting this parameter to another value.
Important: Remember to run the PARMGEN $PARSE job or the Configuration Manager GENERATE action after the customization above has been done.
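The following job shows the security administrator's side of the configuration described above: defining the logon profile under the resource prefix and granting the data set access that the Attention note requires. It is an added example, not part of the IBM documentation or the product, and it assumes RACF as the external security manager (ACF2 and Top Secret have equivalent commands). The class name $KOBUI, the groups OMEGUSRS and OMEGSAVE, the owner SECADM, and the data set names under RTEHLQ.RTENAME are assumptions to be replaced with your installation's values; the suffix that follows the KOB.LOGON. prefix is not given on this page, so the generic ** is used to cover whatever the interface appends.

```jcl
//KOBSAFDF JOB (ACCT),'KOB SAF PROFILES',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*
//* Added example (not IBM documentation). Assumptions:
//*   $KOBUI         installation-defined general resource class that
//*                  already exists in the class descriptor table and is
//*                  the value of RTE_SECURITY_CLASS for this RTE
//*   OMEGUSRS       RACF group of enhanced 3270 user interface users
//*   OMEGSAVE       RACF group of users allowed to save profiles and
//*                  modify workspaces (needs write access)
//*   SECADM         owner for the new profiles
//*   RTEHLQ.RTENAME high-level qualifiers of the RTE runtime libraries;
//*                  a generic DATASET profile RTEHLQ.RTENAME.** is
//*                  assumed to exist already
//*
//RACF     EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  /* Allow generic profiles in the class and make it active.          */
  SETROPTS CLASSACT($KOBUI) GENERIC($KOBUI)

  /* Logon resource: deny by default (UACC(NONE)), log failed         */
  /* attempts, then grant READ only to the interface user group.      */
  RDEFINE  $KOBUI KOB.LOGON.** UACC(NONE) OWNER(SECADM) -
           AUDIT(FAILURES(READ))
  PERMIT   KOB.LOGON.** CLASS($KOBUI) ID(OMEGUSRS) ACCESS(READ)

  /* Started task data sets: READ for all interface users.            */
  PERMIT   'RTEHLQ.RTENAME.**' CLASS(DATASET) ID(OMEGUSRS) -
           ACCESS(READ)

  /* Profile save and workspace data sets: more specific profiles so  */
  /* that UPDATE is limited to OMEGSAVE; OMEGUSRS keep READ because   */
  /* the more specific profile, not RTEHLQ.RTENAME.**, now applies.   */
  /* Data set names are assumptions; use the names from the started   */
  /* task procedure (RKOBPFSV and UKANWENU DD statements).            */
  ADDSD    'RTEHLQ.RTENAME.RKOBPFSV' UACC(NONE) OWNER(SECADM) -
           AUDIT(FAILURES(READ))
  PERMIT   'RTEHLQ.RTENAME.RKOBPFSV' CLASS(DATASET) ID(OMEGUSRS) -
           ACCESS(READ)
  PERMIT   'RTEHLQ.RTENAME.RKOBPFSV' CLASS(DATASET) ID(OMEGSAVE) -
           ACCESS(UPDATE)
  ADDSD    'RTEHLQ.RTENAME.UKANWENU' UACC(NONE) OWNER(SECADM) -
           AUDIT(FAILURES(READ))
  PERMIT   'RTEHLQ.RTENAME.UKANWENU' CLASS(DATASET) ID(OMEGUSRS) -
           ACCESS(READ)
  PERMIT   'RTEHLQ.RTENAME.UKANWENU' CLASS(DATASET) ID(OMEGSAVE) -
           ACCESS(UPDATE)

  /* Make the changes effective. RACLIST REFRESH applies only if      */
  /* $KOBUI was defined with RACLIST allowed; omit it otherwise.      */
  SETROPTS GENERIC(DATASET) REFRESH
  SETROPTS RACLIST($KOBUI) REFRESH

  /* Verify: the access list should show OMEGUSRS READ and no UACC.   */
  RLIST    $KOBUI KOB.LOGON.** AUTHUSER
  LISTDSD  DATASET('RTEHLQ.RTENAME.RKOBPFSV') AUTHUSER
/*
```

If KOB_SAF_LOGON_CLASS_NAME is set to a different class in KOB$PENV, the RDEFINE and PERMIT for KOB.LOGON.** must be issued in that class instead of the RTE_SECURITY_CLASS class, and if KOB_SAF_LOGON_RESOURCE_PREFIX is changed, the profile name must use the new prefix. Running the RLIST after the refresh confirms that the in-storage copy of the profile matches what was defined.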

The enhanced 3270 user interface provides a pseudo security class named OMEGDEMO. This class name is used to implement Demo mode. In Demo mode, no authorization checks are performed. This mode should be used only at the instruction of IBM Support. To activate Demo mode, see Using Demo mode.

Procedure

Choose the steps that apply to your installation, depending on whether you use Configuration Manager or PARMGEN.

  • For Configuration Manager, perform the following steps:
    1. Edit the rtePlibHilev.rte_name.RTEDEF(rte_name) member to specify the resource class name for the RTE_SECURITY_CLASS parameter.
    2. Run the GENERATE action.
  • For PARMGEN, perform the following steps:
    1. Edit the RTE configuration profile to specify the resource class name for the RTE_SECURITY_CLASS parameter.
    2. Resubmit the $PARSE (or $PARSESV) job to recreate the profile.
    3. Submit the following jobs to update the runtime environment:
      • KCIJPLOD
      • KCIJPCPR (backs up the RKAN* user libraries)
      • KCIJPW2R (copies the WKAN* libraries to the RKAN* libraries)
    See Scenario RTE03: Changing parameters in an RTE for more information.

What to do next

To complete the security setup for the OMEGAMON enhanced 3270 user interface, the following tasks must be completed by a security administrator:

If no z/OS® UNIX System Services ID has been created for the address space, one must be created.