You need to define and authorize the DMD user ID, permit the DMD user ID to SYS1.PARMLIB, and define the SERVAUTH profiles necessary to be able to add, update, delete, and display defensive filters.

Before you begin
RACF® is used as the external security manager in the following examples. However, you can use any SAF-compliant security product. RACF commands shown in these examples are also provided in the EZARACF member of the SEZAINST data set. In these examples, it is assumed that the DMD is running under the user ID DMD.

Procedure
Perform the following steps to authorize access to the appropriate resources:
- Define and authorize the DMD user ID. The DMD is a z/OS® UNIX application that you can start from the z/OS UNIX shell or from an MVS™ started procedure. Before starting the DMD, you must define the DMD user ID to the external security manager. If you start the DMD from an MVS started procedure, the DMD user ID must also be authorized to the STARTED class. In the following example, the DMD user ID is defined with UID 0:
ADDUSER DMD DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0) HOME('/'))
RDEFINE STARTED DMD.* STDATA(USER(DMD))
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH
You can define the DMD with a nonzero UID. For additional steps that you must take when the DMD UID is nonzero, see Steps for configuring the DMD.
- Permit the DMD user ID to SYS1.PARMLIB. The DMD uses the TCP/IP component trace (CTRACE) to perform service-level tracing. The default DMD component trace parmlib member is stored in SYS1.PARMLIB. The DMD user ID must be permitted to access SYS1.PARMLIB. Issue the following command:
PERMIT SYS1.PARMLIB ID(DMD) ACCESS(READ)
- Define SERVAUTH profiles to control the users that are allowed to manage defensive filters. For information about defining the SERVAUTH profiles needed for a user to be able to add, update, delete, and display defensive filters, see Step 4: Authorizing the ipsec command to the external security manager. Additional information about command security and the SERVAUTH profile is available in z/OS Communications Server: IP System Administrator's Commands.
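
To confirm that the first two steps took effect, the following REXX exec lists the definitions they create. It is an added example, not part of EZARACF or the original procedure, and it assumes the user ID DMD and the STARTED profile DMD.* used above.

```rexx
/* REXX - added verification example, not an IBM-supplied sample.   */
/* Assumes the user ID DMD and STARTED profile DMD.* from the steps */
/* above; adjust both names if your installation uses others.       */

/* 1. OMVS segment of DMD: check the UID and HOME you assigned.     */
/*    NORACF suppresses the base segment so only OMVS is listed.    */
cmds.1 = "LISTUSER DMD OMVS NORACF"

/* 2. STARTED mapping: STDATA should show USER= DMD for DMD.*       */
cmds.2 = "RLIST STARTED DMD.* STDATA NORACF"

/* 3. Class options: STARTED should be listed as active, generic,   */
/*    and RACLISTed after the two SETROPTS refresh commands.        */
cmds.3 = "SETROPTS LIST"

/* 4. Access list of the profile covering SYS1.PARMLIB: DMD should  */
/*    appear with READ and nothing higher. GENERIC selects the      */
/*    best-matching generic profile; remove it if the data set is   */
/*    protected by a discrete profile.                              */
cmds.4 = "LISTDSD DATASET('SYS1.PARMLIB') AUTHUSER GENERIC"
cmds.0 = 4

do i = 1 to cmds.0
  say '>>>' cmds.i
  address TSO cmds.i
  /* A nonzero return code usually means the profile does not exist */
  /* under that name or the issuing ID lacks authority to list it.  */
  if rc <> 0 then
    say '*** RC='rc 'for:' cmds.i
end
exit 0
```

Run it from a TSO user ID that has authority to list these profiles; SETROPTS LIST in particular needs SPECIAL or AUDITOR.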