Configuring the IWNRACF jobs
Starting with Copy Services Manager Version 6.1.4, you can run five new postinstallation IWNRACF jobs: IWNRACF1, IWNRACF2, IWNRACF3, IWNRACF4, and IWNRACF5. These jobs provide the security settings and write permissions for the file system, address spaces, user IDs, and login authorities that are needed to run the Copy Services Manager application. You can find these jobs in the SYS1.SAMPLIB data set.
About this task
It can be useful to define several different user IDs when you install Copy Services Manager. These IDs are needed for the IBM Resource Access Control Facility (RACF®) security program on your target system.
- IWNRACF1 job
- Defines the Copy Services Manager default administrator and additional user IDs. The default admin ID is the value that is used for the CSM_USER=#csm_user variable in the IWNINSTL job. This default admin user is the first user that can log in to the Copy Services Manager GUI or CLI. This user has administrative privileges and can grant access to other users that are defined in RACF and have an OMVS segment.
- IWNRACF2 job
- Defines the user ID that is associated with the Copy Services Manager IWNSRV address space. This ID requires access to the OMVS production directory at <path_prefix>/opt/IBM/CSM as set in the IWNINSTL job.
- IWNRACF3 job
- Defines the user IDs that are associated with the HyperSwap address spaces (HSIBAPI and HSIB). The user and group that are specified require access to OMVS when the HyperSwap Socket Server is being used.
- IWNRACF4 job
- Defines the user IDs that are associated with the HyperSwap Sockets Server address space (BHIHSRV). This job is only necessary if you are going to manage HyperSwap from a system outside of the sysplex, for example from another z/OS sysplex or from a distributed server.
- IWNRACF5 job
- Defines the Copy Services Manager host connection ID.
RACF group, OMVS GID, and OMVS UID assignment:
In general, RACF group names and OMVS group IDs (GIDs) need to be unique when they are associated with different user IDs (UIDs). Any authorities that are granted to the group are inherited by the users in that group. Groups can be shared when it is permitted for all of the user IDs in that group to have the same authorities that are granted to that group. For example, you might consider using the same group for the two HyperSwap address spaces, HSIBAPI (that is, IOSHSAPI) and HSIB (that is, IOSHMCTL), the HyperSwap Sockets Server address space (BHIHSRV), and the Copy Services Manager address space (IWNSRV). However, it is best to only grant access to ANT.REPLICATIONMANAGER to the user IDs for BHIHSRV and IWNSRV because the user IDs for HSIBAPI and HSIB do not require that authority.
The OMVS UID must be unique for each user ID.
Configuring the IWNRACF job (deprecated)
You configure the IWNRACF job to provide the necessary security and write permissions for the file system to run the Copy Services Manager application. This job (now deprecated) is found in the SYS1.SAMPLIB data set.
About this task
The IWNRACF job defines the following values:
- User for Copy Services Manager
- User ID number
- Group ID number
- Home directory for the Copy Services Manager user
- Group for the Copy Services Manager ID
Use the following steps to configure, and then submit the IWNRACF job:
Procedure
Configuring the IWNRACF1 job: Copy Services Manager default administrator and additional IDs
The IWNRACF1 job defines the Copy Services Manager default administrator and additional user IDs.
About this task
You can run this job again if you want to have more than one user ID to log in to Copy Services Manager. Having multiple Copy Services Manager user IDs provides an audit trail to identify who issues replication commands. With multiple user IDs, you can also customize the restrictions that are placed on each user.
The auditing capabilities on the z/OS HyperSwap side are limited because HyperSwap only authenticates the Copy Services Manager server that is connecting to it. However, Copy Services Manager provides auditing at the command level.
User IDs are required to log in to the Copy Services Manager server through the GUI. Three different user roles can be associated with a Copy Services Manager login ID: monitor, operator, or administrator. For more information, see User roles.
If you do not install the Copy Services Manager server on a z/OS platform, then this job is not necessary, even if the Copy Services Manager server is connected to HyperSwap over the Sockets Server. The HyperSwap function does not receive or require information about each Copy Services Manager login ID. HyperSwap only authenticates to the Copy Services Manager server that is connecting to it. The Copy Services Manager installation ensures that only commands that are authorized to each Copy Services Manager user are forwarded to HyperSwap for processing.
Each user ID that this job defines must have the following attributes:
- No Time Sharing Option (TSO) segment. No one should ever log in to TSO with this user ID.
- An associated password.
- An OMVS segment with both a valid OMVS UID and OMVS GID. This segment is required for the user ID to be located and displayed on the Add User page.
Use the following steps to configure, and then submit the IWNRACF1 job:
Procedure
Configuring the IWNRACF2 job: Copy Services Manager address space
The IWNRACF2 job specifies the user ID that is associated with the Copy Services Manager address space (IWNSRV).
About this task
The user ID that this job defines must meet the following requirements:
- No TSO segment. No one should ever log in to TSO with this user ID.
- The PROTECTED attribute, which is assigned by specifying the NOPASSWORD keyword. The PROTECTED attribute means that the user ID cannot be revoked through password failures because no password exists. Therefore, it is protected from someone who attempts to get the user ID revoked by repeated failed password attempts.
- Authorization to the ANT.REPLICATIONMANAGER RACF Facility, because this user ID is used by the HyperSwap Java Native Interface (JNI) to authenticate Copy Services Manager.
- An OMVS segment with both a valid OMVS UID and OMVS GID, because the Copy Services Manager address space uses z/OS UNIX System Services (USS).
- The same user ID must be specified in the CSM_ADDR_OWNER parameter in the IWNINSTL job. For more information, see Configuring the IWNINSTL job.
Use the following steps to configure, and then submit the IWNRACF2 job:
Procedure
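As an added example, not the SYS1.SAMPLIB member itself, the following job applies the requirements listed above for the IWNSRV user ID and then lists the result so that the PROTECTED attribute, the OMVS segment and the FACILITY access can be checked. The job card, the group name CSMGRP, UID and GID 4201, an empty <path_prefix>, and READ as the access level on ANT.REPLICATIONMANAGER are assumptions; the STARTED and FACILITY classes are assumed to be active and RACLISTed.

```jcl
//IWNRACF2 JOB (ACCT),'CSM IWNSRV RACF SETUP',CLASS=A,MSGCLASS=X
//* Added example for the IWNRACF2 step (not the SYS1.SAMPLIB member).
//* Assumed values: group CSMGRP, UID/GID 4201, <path_prefix> empty,
//* READ access on ANT.REPLICATIONMANAGER. Choose free UID/GID values.
//* No TSO(...) keyword is given, so the user ID gets no TSO segment.
//* NOPASSWORD makes the user ID PROTECTED (no password to revoke).
//* The user ID defined here is the value for CSM_ADDR_OWNER in IWNINSTL.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP CSMGRP OMVS(GID(4201)) DATA('CSM ADDRESS SPACE GROUP')
  ADDUSER IWNSRV NAME('CSM IWNSRV ADDR SPACE') +
     DFLTGRP(CSMGRP) NOPASSWORD +
     OMVS(UID(4201) HOME('/opt/IBM/CSM') PROGRAM('/bin/sh'))
  RDEFINE FACILITY ANT.REPLICATIONMANAGER UACC(NONE)
  PERMIT ANT.REPLICATIONMANAGER CLASS(FACILITY) ID(IWNSRV) ACCESS(READ)
  RDEFINE STARTED IWNSRV.* STDATA(USER(IWNSRV) GROUP(CSMGRP))
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS RACLIST(STARTED) REFRESH
  LISTUSER IWNSRV OMVS
  RLIST FACILITY ANT.REPLICATIONMANAGER AUTHUSER
/*
```

In the SYSTSPRT output, LISTUSER should show PROTECTED among the attributes and a populated OMVS segment, and RLIST should list only IWNSRV (and later BHIHSRV, if you run IWNRACF4) in the access list.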
Configuring the IWNRACF3 job: HyperSwap address spaces
The IWNRACF3 job defines the user ID that is associated with the HyperSwap address spaces.
About this task
This job is required in the following cases:
- If Copy Services Manager is used to manage a session with the z/OS HyperSwap function, or Metro Mirror with the Hardened Freeze option.
- Any time that Copy Services Manager connects to z/OS through the HyperSwap Sockets Server.
The user IDs that this job defines must meet the following requirements:
- No TSO segment. No one should ever log in to TSO with this user ID.
- The PROTECTED attribute, which is assigned by specifying the NOPASSWORD keyword. The PROTECTED attribute means that the user ID cannot be revoked through password failures because no password exists. Therefore, it is protected from someone who attempts to get the user ID revoked by repeated failed password attempts.
- An OMVS segment with both a valid OMVS UID and OMVS GID, because the HyperSwap address spaces use z/OS UNIX System Services (USS). Technically, you do not need the OMVS segment if you do not specify the SOCKPORT parameter on the EXEC card for HSIB (IOSHMCTL). However, it is best to define the OMVS segment now in case you later decide to use the HyperSwap Sockets Server.
Also note the following:
- Some customers place the started task for the HyperSwap management address space in SYS1.PROCLIB as IOSHMCTL. In that case, either you must rename the member of SYS1.PROCLIB to HSIB, or the JCL must specify “RDEF STARTED IOSHMCTL.*” instead.
- Some customers place the started task for the HyperSwap API address space in SYS1.PROCLIB as IOSHSAPI. In that case, either you must rename the member of SYS1.PROCLIB to HSIBAPI, or the JCL must specify “RDEF STARTED IOSHSAPI.*” instead.
Use the following steps to configure, and then submit the IWNRACF3 job:
Procedure
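As an added example rather than the SYS1.SAMPLIB member, the following job defines the two HyperSwap address space user IDs with one shared group, as the group assignment notes earlier on this page allow, and maps the STARTED profiles by the IOSHMCTL and IOSHSAPI member names for sites that did not rename the PROCLIB members. The user ID names HSIB and HSIBAPI, the group HSIBGRP, the UID and GID values, the home directory and the job card are assumptions; no PERMIT to ANT.REPLICATIONMANAGER is issued because these IDs do not need that authority.

```jcl
//IWNRACF3 JOB (ACCT),'HYPERSWAP RACF SETUP',CLASS=A,MSGCLASS=X
//* Added example for the IWNRACF3 step (not the SYS1.SAMPLIB member).
//* Assumed values: user IDs HSIB and HSIBAPI, group HSIBGRP,
//* UIDs 4202/4203, GID 4202, home directory '/'.
//* Both IDs share one group (same authorities), each has its own UID.
//* NOPASSWORD gives the PROTECTED attribute; no TSO segment is created.
//* STARTED profiles use the IOSHMCTL/IOSHSAPI member names, the
//* alternative to renaming the SYS1.PROCLIB members to HSIB/HSIBAPI.
//* Deliberately no PERMIT on ANT.REPLICATIONMANAGER: least privilege.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP HSIBGRP OMVS(GID(4202)) DATA('HYPERSWAP ADDRESS SPACES')
  ADDUSER HSIB NAME('HYPERSWAP MGMT ADDR SPACE') +
     DFLTGRP(HSIBGRP) NOPASSWORD +
     OMVS(UID(4202) HOME('/') PROGRAM('/bin/sh'))
  ADDUSER HSIBAPI NAME('HYPERSWAP API ADDR SPACE') +
     DFLTGRP(HSIBGRP) NOPASSWORD +
     OMVS(UID(4203) HOME('/') PROGRAM('/bin/sh'))
  RDEFINE STARTED IOSHMCTL.* STDATA(USER(HSIB) GROUP(HSIBGRP))
  RDEFINE STARTED IOSHSAPI.* STDATA(USER(HSIBAPI) GROUP(HSIBGRP))
  SETROPTS RACLIST(STARTED) REFRESH
  LISTUSER (HSIB HSIBAPI) OMVS
  RLIST STARTED (IOSHMCTL.* IOSHSAPI.*) STDATA
/*
```

If your PROCLIB members are named HSIB and HSIBAPI instead, change the two RDEFINE STARTED profile names to HSIB.* and HSIBAPI.* and the RLIST accordingly.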
Configuring the IWNRACF4 job: HyperSwap Sockets Server address space
The IWNRACF4 job defines the user ID associated with the HyperSwap Sockets Server address space (BHIHSRV).
About this task
The user ID that this job defines must meet the following requirements:
- No TSO segment. No one should ever log in to TSO with this user ID.
- The PROTECTED attribute, which is assigned by specifying the NOPASSWORD keyword. The PROTECTED attribute means that the user ID cannot be revoked through password failures because no password exists. Therefore, it is protected from someone who attempts to get the user ID revoked by repeated failed password attempts.
- Authorization to the ANT.REPLICATIONMANAGER RACF Facility. You might need to create (RDEFINE) the ANT.REPLICATIONMANAGER RACF Facility if Copy Services Manager is not installed on z/OS and you have not already run the IWNRACF2 job.
- An OMVS segment with both a valid OMVS UID and OMVS GID, because the HyperSwap Sockets Server uses z/OS UNIX System Services (USS).
Use the following steps to configure, and then submit the IWNRACF4 job:
Procedure
Configuring the IWNRACF5 job: Copy Services Manager z/OS host connection ID
The IWNRACF5 job defines the user ID associated with the Copy Services Manager z/OS host connection ID. This user ID is used to authenticate Copy Services Manager to the HyperSwap Sockets Server.
About this task
The Copy Services Manager active and standby servers use the same host connection IDs.
The user ID that this job defines must meet the following requirements:
- No TSO segment. No one should ever log in to TSO with this user ID.
- An associated password.
- Authorization to the ANT.REPLICATIONMANAGER RACF Facility. You might need to create (RDEFINE) the ANT.REPLICATIONMANAGER RACF Facility if Copy Services Manager is not installed on z/OS and you have not already run the IWNRACF2 job.
Use the following steps to configure, and then submit the IWNRACF5 job: