Configuring the IWNRACF jobs

Starting with Copy Services Manager Version 6.1.4, you can complete five new postinstallation IWNRACF jobs: IWNRACF1, IWNRACF2, IWNRACF3, IWNRACF4, and IWNRACF5. These jobs provide the necessary security settings and write permissions for the file system, address spaces, user IDs, and login authorities to run the Copy Services Manager application. You can find these jobs in the SYS1.SAMPLIB data set.

About this task

It can be useful to define several different user IDs when you install Copy Services Manager. These IDs are needed for the IBM Resource Access Control Facility (RACF®) security program on your target system.

Extra user IDs are required if you plan to install Copy Services Manager on z/OS to enable HyperSwap, or if you plan to use the HyperSwap Sockets Server, or both. To define these user IDs, you must run several IWNRACF jobs.
Note: Run the IWNRACF jobs after the z/OS file system (zFS) or the hierarchical file system (HFS) is created and the mount job is run, and before you submit the IWNINSTL job. For more information, see Configuring the IWNINSTL job.
These IWNRACF jobs define the following items:
IWNRACF1 job
Defines the Copy Services Manager default administrator and additional user IDs. The default admin ID is used for the IWNINSTL job CSM_USER=#csm_user variable. This default admin user is the one that can first be used to log in to the Copy Services Manager GUI or CLI. This user has administrative privileges, and can add access to other users defined in RACF that have an OMVS segment.
IWNRACF2 job
Defines the user ID that is associated with the Copy Services Manager IWNSRV address space. This ID requires access to the OMVS production directory at <path_prefix>/opt/IBM/CSM as set in the IWNINSTL job.
IWNRACF3 job
Defines the user IDs that are associated with the HyperSwap address spaces (HSIBAPI and HSIB). The user and group that are specified require access to OMVS when the HyperSwap Socket Server is being used.
IWNRACF4 job
Defines the user IDs that are associated with the HyperSwap Sockets Server address space (BHIHSRV). This job is only necessary if you are going to manage HyperSwap from a system outside of the sysplex, for example, from another z/OS sysplex or from a distributed server.
IWNRACF5 job
Defines the Copy Services Manager host connection ID.

RACF group, OMVS GID, and OMVS UID assignment:

In general, RACF group names and OMVS group IDs (GIDs) need to be unique when they are associated with different user IDs (UIDs). Any authorities that are granted to the group are inherited by the users in that group. Groups can be shared when it is permitted for all of the user IDs in that group to have the same authorities that are granted to that group. For example, you might consider using the same group for the two HyperSwap address spaces, HSIBAPI (that is, IOSHSAPI) and HSIB (that is, IOSHMCTL), the HyperSwap Sockets Server address space (BHIHSRV), and the Copy Services Manager address space (IWNSRV). However, it is best to only grant access to ANT.REPLICATIONMANAGER to the user IDs for BHIHSRV and IWNSRV because the user IDs for HSIBAPI and HSIB do not require that authority.

The OMVS ID needs to be unique for all user IDs.

Configuring the IWNRACF job (deprecated)

You configure the IWNRACF job to provide the necessary security and write permissions for the file system to run the Copy Services Manager application. This job (now deprecated) is found in the SYS1.SAMPLIB data set.

About this task

Important: The following procedure corresponds to the original, single RACF job for Copy Services Manager installation, which is now being deprecated. If you are installing Copy Services Manager for the first time, run the IWNRACF jobs 1-5 as detailed in the sections later on. If you installed Copy Services Manager in the past and ran this single RACF job (IWNRACF), you do not need to run any of the new 1-5 RACF jobs.
Deprecated IWNRACF job procedure: Configure the following items for the IWNRACF job:
  • User for Copy Services Manager
  • User ID number
  • Group ID number
  • Home directory for the Copy Services Manager user
  • Group for the Copy Services Manager ID
These items are needed for the RACF security program on your target system.

Use the following steps to configure, and then submit the IWNRACF job:

Procedure

  1. Locate the IWNRACF job in the SYS1.SAMPLIB data set and open it.
  2. Modify the following procedure to meet the system requirements for the RACF security program in your environment. See the job header comments for the definition of the variables that are used in this job.
    //IWNRACF    JOB <job parameters>
    //*********************************************************************
    //*  LICENSED MATERIALS - PROPERTY OF IBM                             *
    //*  THIS PRODUCT CONTAINS "RESTRICTED MATERIALS OF IBM"              *
    //*   (C) COPYRIGHT IBM CORPORATION 2007,2016.                        *
    //*  ALL RIGHTS RESERVED.                                             *
    //*                                                                   *
    //*  IBM Copy Services Manager for z/OS                               *
    //*                                                                   *
    //*  CAUTION: This is neither a JCL procedure nor a complete job.     *
    //*  Before using this job step, you will have to make the following  *
    //*  modifications:                                                   *
    //*                                                                   *
    //*   THIS JOB IS BEING DEPRECATED. NEW INSTALLS SHOULD UTILIZE       *
    //*   THE NEW IWNRACF1-5 JOBS, AS APPROPRIATE TO YOUR ENVIRONMENT.    *
    //*                                                                   *
    //*  1) Change the job card to meet your system requirements.         *
    //*  2) Replace the following variables:                              *
    //*           #csm_id  - User for CSM                                 *
    //*           #csm_grp - Group for the CSM id to belong to            *
    //*           #gid      - Group id number                             *
    //*           #uid      - User id number                              *
    //*           #ussPath  - Home directory for #csm_id                  *
    //*                                                                   *
    //*********************************************************************
    /*
    //ANTRAC  EXEC PGM=IKJEFT01
    //SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
      /* Define CSM user and group */
      ADDGROUP #csm_grp OMVS(GID(#gid))
      ADDUSER #csm_id DFLTGRP(#csm_grp) OMVS(UID(#uid) +
          HOME(#ussPath) +             
          PROGRAM(/bin/sh)) NAME('Liberty') NOPASSWORD NOOIDCARD
      ALU #csm_id PASSWORD(#csm_id) NOEXPIRE
    
      /* Define Started profiles */
      RDEF STARTED IWNSRV.* UACC(NONE) STDATA(USER(#csm_id) +
          GROUP(#csm_grp) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
      SETROPTS RACLIST(STARTED) GENERIC(STARTED) REFRESH
    
      /* Define ANT.REPLICATIONMANAGER */
      RDEFINE FACILITY ANT.REPLICATIONMANAGER UACC(NONE)
      PERMIT ANT.REPLICATIONMANAGER CLASS(FACILITY) +
          ID(#csm_id) ACCESS(CONTROL)
      SETROPTS RACLIST(FACILITY) REFRESH
    /*
  3. After you replace the variables, submit the IWNRACF job.

Configuring the IWNRACF1 job: Copy Services Manager default administrator and additional IDs

The IWNRACF1 job defines the Copy Services Manager default administrator and additional user IDs.

About this task

The IWNRACF1 job must be run at least one time when Copy Services Manager is installed on z/OS. This job creates the default Copy Services Manager administrator user ID that is used to log in to the Copy Services Manager GUI.
Note: It is suggested that you use CSMUSER as the default Copy Services Manager administrator user ID. This default user ID must also be specified in the #csm_user parameter in the IWNINSTL job. For more information, see Configuring the IWNINSTL job.

You can run this job again if you want to have more than one user ID to log in to Copy Services Manager. Having multiple Copy Services Manager user IDs provides an audit trail to identify who issues replication commands. With multiple user IDs, you can also customize the restrictions that are placed on each user.

The auditing capabilities on the z/OS HyperSwap side are limited because HyperSwap only authenticates the Copy Services Manager server that is connecting to it. However, Copy Services Manager provides auditing at the command level.

User IDs are required to log in to the Copy Services Manager server through the GUI. Three different user roles can be associated with a Copy Services Manager login ID: monitor, operator, or administrator. For more information, see User roles.

If you do not install the Copy Services Manager server on a z/OS platform, then this job is not necessary, even if the Copy Services Manager server is connected to HyperSwap over the Sockets Server. The HyperSwap function does not receive or require information about each Copy Services Manager login ID. HyperSwap only authenticates the Copy Services Manager server that is connecting to it. The Copy Services Manager installation ensures that only commands that are authorized to each Copy Services Manager user are forwarded to HyperSwap for processing.

Each Copy Services Manager user ID needs to have the following attributes:
  • No Time Sharing Option (TSO) segment. No one should ever log in to TSO with this user ID.
  • An associated password.
  • An OMVS segment with both a valid OMVS ID and OMVS GID. This segment is required for the user ID to be located and displayed on the Add User page.

Use the following steps to configure, and then submit the IWNRACF1 job:

Procedure

  1. Locate the IWNRACF1 job in the SYS1.SAMPLIB data set and open it.
  2. Modify the following procedure to meet the system requirements for the RACF security program in your environment. See the job header comments for the definition of the variables that are used in this job.
    //IWNRACF1   JOB <job parameters>
    //*********************************************************************
    //*  LICENSED MATERIALS - PROPERTY OF IBM                             *
    //*  THIS PRODUCT CONTAINS "RESTRICTED MATERIALS OF IBM"              *
    //*   (C) COPYRIGHT IBM CORPORATION 1999, 2016.                       *
    //*  ALL RIGHTS RESERVED.                                             *
    //*                                                                   *
    //*  Copy Services Manager for z Systems                              *
    //*                                                                   *
    //*  CAUTION: This is neither a JCL procedure nor a complete job.     *
    //*  Before you use this job step, make the following modifications:  *
    //*                                                                   *
    //*  This job defines the user IDs that are associated with the       *
    //*  default Copy Services Manager login ID, and can                  *
    //*  be used to create additional Copy Services Manager login IDs.    *
    //*                                                                   *
    //*                                                                   *
    //*  1) Change the job card to meet your system requirements.         *
    //*  2) Replace the following variables:                              *
    //*           #csm_user - User ID that is used for the Copy Services  *
    //*                       Manager login.                              *
    //*                     - It is suggested that you use "CSMUSER"      *
    //*                       as the default Copy Services Manager        *
    //*                       administrator user ID.                      *
    //*                     - Set the CSM_USER parameter in the IWNINSTL  *
    //*                       job to the default Copy Services Manager    *
    //*                       administrator ID that is specified here.    *
    //*                     - Subsequent users can be created and added   *
    //*                       by using this job.                          *
    //*           #group_name - Group name for Copy Services Manager.     *
    //*                     - Set the CSM_GRP parameter in the IWNINSTL   *
    //*                       job to the group name that is specified     *
    //*                       here.                                       *
    //*           #csm_pw   - Initial password for Copy Services Manager. *
    //*           #gid      - Group ID number.                            *
    //*           #uid      - User ID number.                             *
    //*           #ussPath  - Home directory for #csm_user, for example   *
    //*                       <-path_prefix>/opt/IBM/CSM                  *
    //*                       as set in the IWNINSTL job.                 *
    //*           #interval - The number of days before the password must *
    //*                       be changed. Specify NOINTERVAL if you       *
    //*                       never want the password to expire.          *
    //*                                                                   *
    //*********************************************************************
    /*
    //CSMLOGON EXEC PGM=IKJEFT01
    //SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
      /* Define Copy Services Manager login user ID                      */
      ADDGROUP #group_name OMVS(GID(#gid))
      ADDUSER #csm_user DFLTGRP(#group_name) OMVS(UID(#uid) +
          HOME(#ussPath) +
          PROGRAM(/bin/sh)) +
          NAME('Copy Services Manager User ID')
      ALU #csm_user PASSWORD(#csm_pw) NOEXPIRED
      PASSWORD INTERVAL(#interval) USER(#csm_user)
    /* 
  3. After you replace the variables, submit the IWNRACF1 job.

Configuring the IWNRACF2 job: Copy Services Manager address space

The IWNRACF2 job specifies the user ID that is associated with the Copy Services Manager address space (IWNSRV).

About this task

The IWNRACF2 job must be run at least one time when Copy Services Manager is installed on z/OS. The IWNSRV user ID is associated with the Copy Services Manager address spaces (IWNSRV and IWNAUTH) and needs to have the following attributes:
  • No TSO segment. No one should ever log in to TSO with this user ID.
  • Be given the PROTECTED attribute by specifying the NOPASSWORD keyword. The PROTECTED attribute means that the password cannot be revoked because no password exists. Therefore, it is protected from someone who attempts to get the user ID revoked by repeated failed password attempts.
  • Authorized to the ANT.REPLICATIONMANAGER RACF Facility because this user ID is used by the HyperSwap Java Native Interface (JNI) to authenticate Copy Services Manager.
  • An OMVS segment with both a valid OMVS ID and OMVS GID because the Copy Services Manager address space uses z/OS UNIX System Services (USS).
  • Specified in the CSM_ADDR_OWNER parameter in the IWNINSTL job. For more information, see Configuring the IWNINSTL job.

Use the following steps to configure, and then submit the IWNRACF2 job:

Procedure

  1. Locate the IWNRACF2 job in the SYS1.SAMPLIB data set and open it.
  2. Modify the following procedure to meet the system requirements for the RACF security program in your environment. See the job header comments for the definition of the variables that are used in this job.
    //IWNRACF2   JOB <job parameters>
    //*********************************************************************
    //*  LICENSED MATERIALS - PROPERTY OF IBM                             *
    //*  THIS PRODUCT CONTAINS "RESTRICTED MATERIALS OF IBM"              *
    //*   (C) COPYRIGHT IBM CORPORATION 1999, 2016.                       *
    //*  ALL RIGHTS RESERVED.                                             *
    //*                                                                   *
    //*  IBM Copy Services Manager for z/OS                               *
    //*                                                                   *
    //*  CAUTION: This is neither a JCL procedure nor a complete job.     *
    //*  Before you use this job step, make the following modifications:  *
    //*                                                                   *
    //*  This job defines the user IDs that are associated with the       *
    //*  Copy Services Manager address spaces - IWNSRV and                *
    //*  optionally IWNAUTH.                                              *
    //*                                                                   *
    //*  1) Change the job card to meet your system requirements.         *
    //*  2) Replace the following variables:                              *
    //*           #user_id  - User ID for the Copy Services Manager       *
    //*                       started tasks.                              *
    //*                     - It is suggested that you use "IWNSRV"       *
    //*                       as the user ID.                             *
    //*           #group_name - Group name for the IWNSRV and             *
    //*                       optional IWNAUTH                            *
    //*                       address spaces.                             *
    //*           #gid      - Group ID number for the IWNSRV and          *
    //*                       optional IWNAUTH                            *
    //*                       address spaces.                             *
    //*           #uid      - User ID number.                             *
    //*           #ussPath  - Home directory for #user_id, for example    *
    //*                       <-path_prefix>/opt/IBM/CSM                  *
    //*                       as set in the IWNINSTL job.                 *
    //*                                                                   *
    //*********************************************************************
    /*
    //IWNSRV   EXEC PGM=IKJEFT01
    //SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
      /* Define the Copy Services Manager address space user ID.         */
      ADDGROUP #group_name OMVS(GID(#gid))
      ADDUSER #user_id DFLTGRP(#group_name) OMVS(UID(#uid) +
          HOME(#ussPath) +
          PROGRAM(/bin/sh)) +
          NAME('Copy Services Manager Address Spaces') +
          NOPASSWORD
     
      /* Define the started profiles.                                    */
      RDEF STARTED IWNSRV.* UACC(NONE) STDATA(USER(#user_id) +
          GROUP(#group_name) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
      RDEF STARTED IWNAUTH.* UACC(NONE) STDATA(USER(#user_id) +
          GROUP(#group_name) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
    
      /* If you plan on utilizing LDAP on the system uncomment the       */
      /* following lines                                                 */
      /* RDEF STARTED IWNAUTH.* UACC(NONE) STDATA(USER(#user_id) +       */
      /*     GROUP(#group_name) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))   */
      
      SETROPTS RACLIST(STARTED) GENERIC(STARTED) REFRESH              
    
      /* Permit access to ANT.REPLICATIONMANAGER.                        */
      RDEFINE FACILITY ANT.REPLICATIONMANAGER UACC(NONE)
      PERMIT ANT.REPLICATIONMANAGER CLASS(FACILITY) +
          ID(#user_id) ACCESS(CONTROL)
     
      /* If the user is running a Liberty Angel server uncomment        */
      /* the following 2 lines                                          */
      /* RDEF SERVER BBG.ANGEL UACC(NONE)                               */
      /* PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(#user_id)       */
                                   
      SETROPTS RACLIST(FACILITY) REFRESH
    /*
  3. After you replace the variables, submit the IWNRACF2 job.

Configuring the IWNRACF3 job: HyperSwap address spaces

The IWNRACF3 job defines the user ID that is associated with the HyperSwap address spaces.

About this task

You need to define user IDs for the two HyperSwap address spaces. The two HyperSwap address spaces are HyperSwap API address space (HSIBAPI), and HyperSwap management address space (HSIB).
You need to run this job in the following situations:
  • If Copy Services Manager is used to manage a session with the z/OS HyperSwap function, or Metro Mirror with the Hardened Freeze option.
  • Any time that Copy Services Manager connects to z/OS through the HyperSwap Sockets Server.
Even if no sessions are enabled for either HyperSwap or Hardened Freeze, the HyperSwap address spaces allow channel command words (CCWs) to be issued.
The user IDs associated with the two HyperSwap address spaces (HSIBAPI and HSIB) need to have the following attributes:
  • No TSO segment. No one should ever log in to TSO with this user ID.
  • Be given the PROTECTED attribute by specifying the NOPASSWORD keyword. The PROTECTED attribute means that the password cannot be revoked because no password exists. Therefore, it is protected from someone who attempts to get the user ID revoked by repeated failed password attempts.
  • An OMVS segment with both a valid OMVS ID and OMVS GID because the HyperSwap address spaces use z/OS UNIX System Services (USS). Technically, you do not need the OMVS segment if you do not specify the SOCKPORT parameter on the EXEC card for HSIB (IOSHMCTL). However, it is best to define the OMVS segment now in case you later decide to use the HyperSwap Sockets Server.
Notes: It is suggested that you use HSIBAPI and HSIB for the HyperSwap started tasks. When you define the STARTED class, you must specify the member name.
  • Some customers place the started task for the HyperSwap management address space in SYS1.PROCLIB as IOSHMCTL. In that case, either you must rename the member of SYS1.PROCLIB to HSIB, or the JCL must specify “RDEF STARTED IOSHMCTL.*” instead.
  • Some customers place the started task for the HyperSwap API address space in SYS1.PROCLIB as IOSHSAPI. In that case, either you must rename the member of SYS1.PROCLIB to HSIBAPI, or the JCL must specify “RDEF STARTED IOSHSAPI.*” instead.

Use the following steps to configure, and then submit the IWNRACF3 job:

Procedure

  1. Locate the IWNRACF3 job in the SYS1.SAMPLIB data set and open it.
  2. Modify the following procedure to meet the system requirements for the RACF security program in your environment. See the job header comments for the definition of the variables that are used in this job.
    //IWNRACF3   JOB <job parameters>
    //*********************************************************************
    //*  LICENSED MATERIALS - PROPERTY OF IBM                             *
    //*  THIS PRODUCT CONTAINS "RESTRICTED MATERIALS OF IBM"              *
    //*   (C) COPYRIGHT IBM CORPORATION 1999, 2016.                       *
    //*  ALL RIGHTS RESERVED.                                             *
    //*                                                                   *
    //*  IBM Copy Services Manager for z/OS                               *
    //*                                                                   *
    //*  CAUTION: This is neither a JCL procedure nor a complete job.     *
    //*  Before you use this job step, make the following modifications:  *
    //*                                                                   *
    //*  This job defines the user IDs that are associated with the two   *
    //*  HyperSwap address spaces:                                        *
    //*  - HyperSwap API address space - HSIBAPI                          *
    //*  - HyperSwap Management address space - HSIB                      *
    //*                                                                   *
    //*                                                                   *
    //*  1) Change the job card to meet your system requirements.         *
    //*  2) Replace the following variables:                              *
    //*           #user_id  - User ID for the HyperSwap address spaces.   *
    //*                     - It is suggested that you use "HSIB" as the  *
    //*                       user ID.                                    *
    //*           #group_name - Group name for the HyperSwap address      *
    //*                       spaces.                                     *
    //*           #gid      - Group ID number.                            *
    //*           #uid      - User ID number.                             *
    //*********************************************************************
    /*
    //HSIB     EXEC PGM=IKJEFT01
    //SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
      /* Define the HyperSwap address space user ID and group.           */
      ADDGROUP #group_name OMVS(GID(#gid))
      ADDUSER #user_id DFLTGRP(#group_name) OMVS(UID(#uid) +
          HOME('/')) +
          NAME('HyperSwap Address Spaces') +
          NOPASSWORD
    
      /* Define the started profiles.                                    */
      RDEF STARTED HSIBAPI.* UACC(NONE) STDATA(USER(#user_id)         +
          GROUP(#group_name) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
      RDEF STARTED HSIB.* UACC(NONE) STDATA(USER(#user_id)         +
          GROUP(#group_name) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
      SETROPTS RACLIST(STARTED) GENERIC(STARTED) REFRESH
    /*
  3. After you replace the variables, submit the IWNRACF3 job.

Configuring the IWNRACF4 job: HyperSwap Sockets Server address space

The IWNRACF4 job defines the user ID associated with the HyperSwap Sockets Server address space (BHIHSRV).

About this task

You only need to run this job if Copy Services Manager connects to z/OS by using the HyperSwap Sockets Server.
The user ID associated with the HyperSwap Sockets Server address space (BHIHSRV) needs to have the following attributes:
  • No TSO segment. No one should ever log in to TSO with this user ID.
  • Be given the PROTECTED attribute by specifying the NOPASSWORD keyword. The PROTECTED attribute means that the password cannot be revoked because no password exists. Therefore, it is protected from someone who attempts to get the user ID revoked by repeated failed password attempts.
  • Authorized to the ANT.REPLICATIONMANAGER RACF Facility. You might need to create (RDEFINE) the ANT.REPLICATIONMANAGER RACF Facility if Copy Services Manager is not installed on z/OS, and you have not already run the IWNRACF2 job.
  • An OMVS segment with both a valid OMVS ID and OMVS GID because the HyperSwap Sockets Server uses z/OS UNIX System Services (USS).

Use the following steps to configure, and then submit the IWNRACF4 job:

Procedure

  1. Locate the IWNRACF4 job in the SYS1.SAMPLIB data set and open it.
  2. Modify the following procedure to meet the system requirements for the RACF security program in your environment. See the job header comments for the definition of the variables that are used in this job.
    //IWNRACF4   JOB <job parameters>
    //*********************************************************************
    //*  LICENSED MATERIALS - PROPERTY OF IBM                             *
    //*  THIS PRODUCT CONTAINS "RESTRICTED MATERIALS OF IBM"              *
    //*   (C) COPYRIGHT IBM CORPORATION 1999, 2016.                       *
    //*  ALL RIGHTS RESERVED.                                             *
    //*                                                                   *
    //*  IBM Copy Services Manager for z/OS                               *
    //*                                                                   *
    //*  CAUTION: This is neither a JCL procedure nor a complete job.     *
    //*  Before you use this job step, make the following modifications:  *
    //*                                                                   *
    //*  This job defines the user ID that is associated with the         *
    //*  HyperSwap Sockets Server address space - BHIHSRV.                *
    //*                                                                   *
    //*                                                                   *
    //*  1) Change the job card to meet your system requirements.         *
    //*  2) Replace the following variables:                              *
    //*           #user_id  - User ID for the HyperSwap Sockets Server    *
    //*                       address space.                              *
    //*                     - It is suggested that you use "BHIHSRV"      *
    //*                       as the user ID.                             *
    //*           #group_name - Group name for the HyperSwap address      *
    //*                       space.                                      *
    //*           #gid      - Group ID number.                            *
    //*           #uid      - User ID number.                             *
    //*                                                                   *
    //*********************************************************************
    /*
    //BHIHSRV  EXEC PGM=IKJEFT01
    //SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
      /* Define the HyperSwap Sockets Server address space               */
      /* user ID and group.                                              */
      ADDGROUP #group_name OMVS(GID(#gid))
      ADDUSER #user_id DFLTGRP(#group_name) OMVS(UID(#uid)  +
          HOME('/') +
          PROGRAM(/bin/sh)) +
          NAME('HyperSwap Sockets Server') +
          NOPASSWORD
    
      /* Define the started profile.                                     */
      RDEF STARTED BHIHSRV.* UACC(NONE) STDATA(USER(#user_id) +
          GROUP(#group_name) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
      SETROPTS RACLIST(STARTED) GENERIC(STARTED) REFRESH
    
      /* Permit access to ANT.REPLICATIONMANAGER.                        */
      RDEFINE FACILITY ANT.REPLICATIONMANAGER UACC(NONE)
      PERMIT ANT.REPLICATIONMANAGER CLASS(FACILITY) +
          ID(#user_id) ACCESS(CONTROL)
      SETROPTS RACLIST(FACILITY) REFRESH
    /*
  3. After you replace the variables, submit the IWNRACF4 job.

Configuring the IWNRACF5 job: Copy Services Manager z/OS host connection ID

The IWNRACF5 job defines the user ID associated with the Copy Services Manager z/OS host connection ID. This user ID is used to authenticate Copy Services Manager to the HyperSwap Sockets Server.

About this task

If you manage multiple sysplexes from one or more instances of Copy Services Manager, you might choose to have a single host connection ID for all Copy Services Manager to HyperSwap connections. However, you might choose to have different host connection IDs for each sysplex to the Copy Services Manager instance.

The Copy Services Manager active and standby servers use the same host connection IDs.

Note: The user ID specified on the sockets connection is used to authenticate a valid instance of Copy Services Manager that is attempting to connect to HyperSwap. However, it does not identify the specific user that is using the Copy Services Manager GUI. The three user roles in Copy Services Manager are monitor, operator, or administrator. For more information, see User roles. HyperSwap does not enforce user roles; only Copy Services Manager enforces them.
The Copy Services Manager host connection ID needs to have the following attributes:
  • No TSO segment. No one should ever log in to TSO with this user ID.
  • An associated password.
  • Authorized to the ANT.REPLICATIONMANAGER RACF Facility. You might need to create (RDEFINE) the ANT.REPLICATIONMANAGER RACF Facility if Copy Services Manager is not installed on z/OS, and you have not already run the IWNRACF2 job.

Use the following steps to configure, and then submit the IWNRACF5 job:

Procedure

  1. Locate the IWNRACF5 job in the SYS1.SAMPLIB data set and open it.
  2. Modify the following procedure to meet the system requirements for the RACF security program in your environment. See the job header comments for the definition of the variables that are used in this job.
    //IWNRACF5   JOB <job parameters>
    //*********************************************************************
    //*  LICENSED MATERIALS - PROPERTY OF IBM                             *
    //*  THIS PRODUCT CONTAINS "RESTRICTED MATERIALS OF IBM"              *
    //*   (C) COPYRIGHT IBM CORPORATION 1999, 2016.                       *
    //*  ALL RIGHTS RESERVED.                                             *
    //*                                                                   *
    //*  IBM Copy Services Manager for z/OS                               *
    //*                                                                   *
    //*  CAUTION: This is neither a JCL procedure nor a complete job.     *
    //*  Before you use this job step, make the following modifications:  *
    //*                                                                   *
    //*  This job defines the user ID that can be used to authenticate    *
    //*  the Copy Services Manager to the HyperSwap Sockets Server.       *
    //*                                                                   *
    //*                                                                   *
    //*  1) Change the job card to meet your system requirements.         *
    //*  2) Replace the following variables:                              *
    //*           #user_id  - User ID that is used for the Copy Services  *
    //*                       Manager host connection.                    *
    //*                     - Additional Copy Services Manager host       *
    //*                       connection user IDs can be created and      *
    //*                       added by using this job.                    *
    //*           #group_name - Group name for the Copy Services Manager  *
    //*                       host connection user ID.                    *
    //*           #csm_pw   - Initial password for the Copy Services      *
    //*                       Manager host connection user ID.            *
    //*           #interval - The number of days before the password must *
    //*                       be changed. Specify NOINTERVAL if you       *
    //*                       never want the password to expire.          *
    //*                                                                   *
    //*********************************************************************
    /*
    //CSMHOST  EXEC PGM=IKJEFT01
    //SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN  DD *
      /* Define the Copy Services Manager host connection user.          */
      ADDGROUP #group_name
      ADDUSER #user_id DFLTGRP(#group_name) +
          NAME('Copy Services Manager Host Connection User ID')
      ALU #user_id PASSWORD(#csm_pw) NOEXPIRED
      PASSWORD INTERVAL(#interval) USER(#user_id)
    
      /* Permit access to ANT.REPLICATIONMANAGER.                        */
      RDEFINE FACILITY ANT.REPLICATIONMANAGER UACC(NONE)
      PERMIT ANT.REPLICATIONMANAGER CLASS(FACILITY) +
          ID(#user_id) ACCESS(CONTROL)
      SETROPTS RACLIST(FACILITY) REFRESH
    /*
  3. After you replace the variables, submit the IWNRACF5 job.
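
Added example (not IBM's code and not part of the product): a Python pre-submit check over the edited SYSTSIN command text of the IWNRACF jobs. It applies rules stated on this page: unique OMVS UIDs and GIDs, PROTECTED (NOPASSWORD) address-space IDs with no TSO segment, ANT.REPLICATIONMANAGER permitted to the IWNSRV and BHIHSRV IDs but not to the HyperSwap IDs, and no leftover #variables. The finding codes and the sample names, UID and GID numbers, and home path are constructed for illustration.

```python
import re
from collections import defaultdict

FACILITY = "ANT.REPLICATIONMANAGER"
# Placeholder names as they appear in the IWNRACF job headers.
PLACEHOLDER = re.compile(
    r"#(?:csm_id|csm_grp|csm_user|csm_pw|group_name|user_id|gid|uid|ussPath|interval)\b")
NEEDS_PERMIT = {"IWNSRV", "BHIHSRV"}                      # started tasks that need the permit
NO_PERMIT = {"HSIB", "HSIBAPI", "IOSHMCTL", "IOSHSAPI"}  # HyperSwap tasks that do not

# Constructed input: IWNRACF2 and IWNRACF3 command text after editing, with mistakes.
SAMPLE = """\
//SYSTSIN  DD *
  /* Define the Copy Services Manager address space user ID. */
  ADDGROUP CSMGRP OMVS(GID(500))
  ADDUSER IWNSRV DFLTGRP(CSMGRP) OMVS(UID(5001) +
      HOME(/opt/IBM/CSM) +
      PROGRAM(/bin/sh)) +
      NAME('Copy Services Manager Address Spaces') +
      NOPASSWORD
  RDEF STARTED IWNSRV.* UACC(NONE) STDATA(USER(IWNSRV) +
      GROUP(CSMGRP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
  RDEFINE FACILITY ANT.REPLICATIONMANAGER UACC(NONE)
  PERMIT ANT.REPLICATIONMANGER CLASS(FACILITY) +
      ID(IWNSRV) ACCESS(CONTROL)
  ADDGROUP HSGRP OMVS(GID(500))
  ADDUSER HSIB DFLTGRP(#group_name) OMVS(UID(5001) +
      HOME('/')) +
      NAME('HyperSwap Address Spaces')
  RDEF STARTED HSIB.* UACC(NONE) STDATA(USER(HSIB) +
      GROUP(HSGRP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
  PERMIT ANT.REPLICATIONMANAGER CLASS(FACILITY) +
      ID(HSIB) ACCESS(CONTROL)
/*
"""


def commands(deck):
    """Yield logical RACF commands: skip JCL and comments, join '+' continuations."""
    buf = ""
    for raw in deck.splitlines():
        line = re.sub(r"/\*.*?\*/", " ", raw).strip()
        if not line or line.startswith("//") or line == "/*":
            continue
        if line.endswith("+"):
            buf += line[:-1] + " "
        else:
            yield buf + line
            buf = ""


def arg(cmd, keyword):
    """Return the words inside KEYWORD(...), for example UID(5001) -> ['5001']."""
    m = re.search(r"\b%s\(([^()]*)\)" % keyword, cmd)
    return m.group(1).split() if m else []


def lint(deck):
    """Return sorted (code, subject) findings for edited IWNRACF SYSTSIN text."""
    findings = set()
    users, passwords, permitted = {}, set(), set()
    uids, gids, started = defaultdict(set), defaultdict(set), defaultdict(set)
    for cmd in commands(deck):
        findings.update(("PLACEHOLDER", p) for p in PLACEHOLDER.findall(cmd))
        cmd = cmd.upper()
        verb, name, third = (cmd.split() + ["", ""])[:3]
        if verb in ("ADDGROUP", "AG"):
            for gid in arg(cmd, "GID"):
                gids[gid].add(name)
        elif verb in ("ADDUSER", "AU"):
            users[name] = {"protected": "NOPASSWORD" in cmd.split(), "tso": "TSO(" in cmd}
            for uid in arg(cmd, "UID"):
                uids[uid].add(name)
        elif verb in ("ALTUSER", "ALU") and arg(cmd, "PASSWORD"):
            passwords.add(name)
        elif verb in ("RDEFINE", "RDEF") and name == "STARTED":
            for user in arg(cmd, "USER"):
                started[user].add(third.split(".")[0])
        elif verb in ("RDEFINE", "RDEF", "PERMIT", "PE"):
            profile = third if verb.startswith("RDEF") else name
            if profile.startswith("ANT.") and profile != FACILITY:
                findings.add(("PROFILE_NAME", profile))  # misspelled facility profile
            elif verb in ("PERMIT", "PE") and profile == FACILITY:
                permitted.update(arg(cmd, "ID"))
    findings.update(("DUP_UID", u) for u, n in uids.items() if len(n) > 1)
    findings.update(("DUP_GID", g) for g, n in gids.items() if len(n) > 1)
    for user, tasks in started.items():
        attrs = users.get(user)
        if user in passwords or (attrs and not attrs["protected"]):
            findings.add(("NOT_PROTECTED", user))   # address-space ID has a password
        if attrs and attrs["tso"]:
            findings.add(("TSO_SEGMENT", user))
        if tasks & NEEDS_PERMIT and user not in permitted:
            findings.add(("MISSING_PERMIT", user))
        if tasks <= NO_PERMIT and user in permitted:
            findings.add(("EXCESS_PERMIT", user))   # HyperSwap ID does not need it
    return sorted(findings)


if __name__ == "__main__":
    for code, subject in lint(SAMPLE):
        print(code, subject)
```

The check only sees the command text it is given, so a permit or user that was defined by an earlier job run shows up as missing unless that job's text is included.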