CIM server security setup
The z/OS implementation of the CIM server requires each requestor to have a real z/OS user ID. Only users who have been successfully authenticated by the z/OS security product and who have been granted access to the CIM server are able to execute requests against it. This topic describes how to set up these features.
Setting up security for the CIM server includes the following steps:
- Define a RACF® class and profile for the CIM server.
- Define a user ID for the CIM server and grant it access to the RACF profile of the CIM server.
- Configure the resource authorization model of the CIM server (see Configuring the resource authorization model of the CIM server).
- Grant client users and administrators access to the CIM server (see Granting clients and administrators access to the CIM server).
- Allow the CIM server to surrogate for a client ID.
- Optionally, configure secure connections (HTTPS) for the CIM server (see Configuring the CIM server HTTPS connection using AT-TLS).
- If the APPL class for your security product is active, optionally define the CFZAPPL profile.
- For PassTicket usage, define an encryption key for the application ID CFZAPPL.
- If multilevel security (MLS) is active on your system and the CIM server does not run with UID 0, grant the CIM server user ID READ access to the security resource BPX.POE in the FACILITY class.
- If the CIM server is configured to use the Automatic Restart Manager (ARM) in a sysplex, ensure that the XCF address space has the proper authorization to perform a restart.
- If you intend to run providers out-of-process, grant the CIM server user ID READ access to the profile BPX.JOBNAME in the FACILITY class.
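The RACF commands below are an added example, not part of this topic, covering the CFZAPPL, PassTicket, BPX.POE and BPX.JOBNAME steps above. The CIM server user ID CIMUSER and the PassTicket key value are placeholders; substitute your own, and follow the linked topics for the CIM server class and profile themselves.

```tso
/* Placeholder names: CIMUSER is the CIM server user ID you defined;  */
/* the PassTicket key is a constructed value, generate your own.       */

/* APPL class: define CFZAPPL so only permitted users may sign on      */
/* through the CIM server application (deny by default, UACC(NONE)). */
SETROPTS CLASSACT(APPL)
RDEFINE APPL CFZAPPL UACC(NONE)
PERMIT CFZAPPL CLASS(APPL) ID(CIMUSER) ACCESS(READ)

/* PassTicket support: the secured-signon key for application CFZAPPL */
/* lives in the PTKTDATA class. KEYMASKED takes 16 hex digits.        */
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
RDEFINE PTKTDATA CFZAPPL SSIGNON(KEYMASKED(0123456789ABCDEF)) UACC(NONE)

/* MLS with a non-zero UID: BPX.POE in FACILITY, READ only.           */
RDEFINE FACILITY BPX.POE UACC(NONE)
PERMIT BPX.POE CLASS(FACILITY) ID(CIMUSER) ACCESS(READ)

/* Out-of-process providers: BPX.JOBNAME in FACILITY, READ only.      */
RDEFINE FACILITY BPX.JOBNAME UACC(NONE)
PERMIT BPX.JOBNAME CLASS(FACILITY) ID(CIMUSER) ACCESS(READ)

/* Make the changes effective for RACLISTed classes.                  */
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(PTKTDATA) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH

/* Verify: the access list should show CIMUSER with READ and nothing  */
/* broader; UACC must remain NONE on every profile.                   */
RLIST APPL CFZAPPL AUTHUSER
RLIST FACILITY BPX.POE AUTHUSER
RLIST FACILITY BPX.JOBNAME AUTHUSER
```

If a profile already exists on your system, use RALTER instead of RDEFINE and review the existing access list rather than adding to it blindly.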