Automatic security management for Cloud Provisioning

During regular operations with Cloud Provisioning, your installation periodically adds or removes users for domains and tenants. Such changes require immediate updates to your security setup. If you select automatic security for Cloud Provisioning in the Resource Management task, or accept the default, these changes are performed for you automatically.

Automatic security management can be performed by using either of the following methods:
  • Direct use of the z/OS security management service R_SecMgtOper, which performs the security operations directly and synchronously. This is the default method.
  • Security REXX exec that is provided by the vendor of the ESM. For example, IBM supplies the REXX exec izu.provisioning.security.config.rexx for use with RACF. In contrast to the default method, the exec is run by a Resource Management workflow.

Automatic security is enabled by default. The default (R_SecMgtOper) method requires that a valid user ID be specified for the CLOUD_SEC_ADMIN keyword in the IZUPRMxx parmlib member.

Using a REXX exec for automatic security processing

This method of automatic security uses the security REXX exec from IBM or one that you have obtained from another vendor. When installed, the security REXX exec is owned by the z/OSMF server user ID (by default, IZUSVR) and is intended for use by security administrators only. The exec can be updated only by users in the z/OSMF security administrator group (by default, IZUSECAD).

If your installation uses a security manager other than RACF, you must obtain a REXX exec with equivalent security commands from your vendor and store it on your system.

Then, do the following:
  1. Ensure that a security REXX exec is installed on your system. The IBM-supplied REXX exec for RACF is already installed at the following location on your system:
    /global/zosmf/configuration/workflow/izu.provisioning.security.config.rexx

    For other security managers, you must obtain an equivalent REXX exec from your vendor and install it on your system.

  2. Recycle the z/OSMF server to ensure that the security configuration properties file is created with the default IBM content and the correct ownership and permission settings. The server creates the file when it starts; stop it again afterwards so that the file can be edited in the next step while the server is down.

    From the operator console, enter the operator commands in the following sequence: STOP IZUSVR1, then START IZUSVR1, then STOP IZUSVR1.

    It is not necessary to stop or restart the z/OSMF angel process (IZUANG1).

  3. With the z/OSMF server stopped, ask your security administrator to do the following:
    1. Locate the security configuration properties file on your system:
      /global/zosmf/configuration/workflow/izu.provisioning.security.config.properties
      Locate the following property:
      security-configuration-rexx-location=

      By default, the property identifies the location of the IBM-supplied security REXX exec.

    2. To use a different REXX exec, edit the property so that it refers to the location of the replacement REXX exec. The location can be a sequential data set, partitioned data set (PDS), or z/OS UNIX path and file name.
      If the REXX exec resides in a data set, observe the following naming conventions:
      • Enter the fully qualified data set name, including the member name if you are using a PDS.
      • Do not enclose the data set name in quotation marks.
      Example:
      security-configuration-rexx-location=SYS1.REXX(ZOSMFSEC)
      If the REXX exec resides in a z/OS UNIX file, observe the following naming conventions:
      • Enter the full path name, beginning with the forward slash (/) and including the file name; a relative path is also accepted.
      • The name cannot contain dot or dot-dot path segments (/./ or /../).
      Example:
      security-configuration-rexx-location=/u/cloud/zosmf/workflow/izu.provisioning.security.config.rexx
    3. Save the properties file.
  4. Restart the z/OSMF server. From the operator console, enter the START command for the z/OSMF server started task: START IZUSVR1
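The naming rules in step 3 are easy to get wrong in a hand-edited properties file, and a bad value is not noticed until the server is restarted. The following script is an added example, not IBM or z/OSMF code: it reads security-configuration-rexx-location from a constructed copy of the properties file and applies the rules above (no quotation marks around a data set name, member name in parentheses for a PDS, file name present for a z/OS UNIX path, no /./ or /../ segments). The data set limits it enforces (qualifiers of 1-8 characters starting with an alphabetic or national character, at most 44 characters in total, member names of 1-8 characters) are standard MVS naming rules that this page does not state. Deciding between the two forms by the presence of a slash is an assumption of this example, as is the sample file content.

```python
"""Check the security-configuration-rexx-location property used by z/OSMF
Cloud Provisioning automatic security.

Added example, not IBM or z/OSMF code. Data set limits (1-8 character
qualifiers, 44 characters total, 1-8 character member) are standard MVS
rules and are not stated on the page this example accompanies.
"""
import re

PROPERTY = "security-configuration-rexx-location"

# Qualifier: alphabetic or national first character, then up to 7 more.
_QUAL = r"[A-Z@#$][A-Z0-9@#$-]{0,7}"
_MEMBER = r"[A-Z@#$][A-Z0-9@#$]{0,7}"
_DSN_RE = re.compile(rf"^{_QUAL}(?:\.{_QUAL})*(?:\(({_MEMBER})\))?$")

# Constructed sample of the properties file; not copied from a real system.
SAMPLE_PROPERTIES = """\
# z/OSMF Cloud Provisioning security configuration (constructed sample)
security-configuration-rexx-location=/global/zosmf/configuration/workflow/izu.provisioning.security.config.rexx
"""


def read_property(properties_text, name=PROPERTY):
    """Return the value of `name` from Java-style properties text, or None.

    Lines starting with # or ! are comments; the first '=' or ':' separates
    key from value. The last occurrence wins, as in java.util.Properties.
    """
    value = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m and m.group(1) == name:
            value = m.group(2).strip()
    return value


def validate_dsn(value):
    """Apply the data set naming rules from the procedure; return (ok, reason)."""
    if value.startswith("'") or value.endswith("'") or '"' in value:
        return False, "data set name must not be enclosed in quotation marks"
    name = value.upper()  # MVS names are uppercase; fold before checking
    m = _DSN_RE.match(name)
    if not m:
        return False, "not a valid fully qualified data set name"
    if len(name.split("(")[0]) > 44:
        return False, "data set name longer than 44 characters"
    if m.group(1) is None:
        return True, "sequential data set (no member name)"
    return True, f"PDS member {m.group(1)}"


def validate_unix_path(value):
    """Apply the z/OS UNIX naming rules from the procedure; return (ok, reason)."""
    if value.endswith("/"):
        return False, "path must include the file name"
    parts = value.split("/")
    if "." in parts or ".." in parts:
        return False, "path must not contain /./ or /../ segments"
    if "" in parts[1:]:
        return False, "path contains an empty segment (//)"
    if value.startswith("/"):
        return True, "absolute z/OS UNIX path"
    return True, "relative z/OS UNIX path"


def validate_rexx_location(value):
    """Return (ok, reason) for a property value of either form.

    Assumption of this example: a value containing a slash is a z/OS UNIX
    path, anything else is a data set name. A bare file name with no
    directory component is therefore checked as a data set name.
    """
    if value is None:
        return False, "property not found"
    v = value.strip()
    if not v:
        return False, "property has no value"
    if "/" in v:
        return validate_unix_path(v)
    return validate_dsn(v)


# Constructed test values with the expected verdict.
CASES = {
    "SYS1.REXX(ZOSMFSEC)": True,
    "'SYS1.REXX(ZOSMFSEC)'": False,
    "/u/cloud/zosmf/workflow/izu.provisioning.security.config.rexx": True,
    "/u/cloud/../zosmf/sec.rexx": False,
    "/u/cloud/zosmf/": False,
    "SYS1.REXX": True,
    "SYS1.TOOLONGQUALIFIER": False,
}

if __name__ == "__main__":
    import sys
    # Optional: pass the path of a real properties file as the first argument.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    ok, why = validate_rexx_location(read_property(text))
    print(f"{PROPERTY}: {'OK' if ok else 'REJECT'} ({why})")
    for value, expected in CASES.items():
        ok, why = validate_rexx_location(value)
        print(f"{'OK    ' if ok else 'REJECT'} {value}: {why}")
        assert ok == expected
```

Run it on z/OS UNIX with the real file as the argument before restarting the server in step 4; without an argument it checks the constructed sample and the table of cases.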

Applying service to the IBM-supplied REXX exec

IBM can ship service updates to Cloud Provisioning, which might include updates to the izu.provisioning.security.config.rexx exec. If you use the IBM exec, it is recommended that you apply the PTFs to stay current with the latest level of the exec.

If your installation uses a modified version of the IBM-supplied security REXX exec for RACF security:
  • Ensure that the security configuration properties file identifies the location of the exec on your system. See the procedure for updating the properties file in Using a REXX exec for automatic security processing.
  • Work with your security administrator to reconcile any differences between your copy of the exec and a new version from IBM.

When you are working with service updates, always check the PTF ++HOLD action for specific instructions for deploying the updated code, such as the need to restart the z/OSMF server to have the updates take effect.