Automatic security management for Cloud Provisioning

During regular operations with Cloud Provisioning, your installation periodically adds or removes users for domains and tenants. Such changes require immediate updates to your security setup. If you select automatic security for Cloud Provisioning in the Resource Management task, or accept the default, these changes are performed for you automatically.

This topic describes the options that are available for enabling automatic security management for IBM Cloud® Provisioning and Management for z/OS®.

Automatic security management can be performed by using either of the following methods:
  • XML security descriptor. Cloud Provisioning generates an XML request that identifies the required security operations for your external security manager (ESM) to process.
  • Security REXX exec that is provided by the vendor of the ESM. For example, IBM supplies the REXX exec izu.provisioning.security.config.rexx for use with RACF.

Automatic security is enabled by default. It uses the z/OS service R_SecMgtOper to perform security operations directly and synchronously. In contrast, the REXX exec is run by a Resource Management workflow.

Both of these methods require that a valid user ID be specified for the CLOUD_SEC_ADMIN keyword in the IZUPRMxx parmlib member.

Using the XML descriptor support for automatic security processing

This method of automatic security uses the R_SecMgtOper service (module IRRSMO00) in z/OS to process an IBM-supplied XML document. The contents of the XML document are processed by the external security manager (ESM). For information about the R_SecMgtOper service, see z/OS Security Server RACF Callable Services.

Use of IRRSMO00 by z/OSMF requires that the external security manager (ESM) be defined to your system. For a RACF installation, this means that the RACF subsystem is defined to your system, by using either of the following techniques:
  • Add the following statement to IEFSSNxx:
    SUBSYS SUBNAME(RACF) INITRTN(IRRSSI00) INITPARM('<')
  • A temporary alternative is to enter the following command. This change does not persist across an IPL of the system.
    SETSSI ADD,SUBNAME=RACF,INITRTN=IRRSSI00,INITPARM='<'
To enable automatic security processing based on XML security descriptors, do the following:
  1. Ask your security administrator to do the following:
    1. Locate the security configuration properties file on your system:
      /global/zosmf/configuration/workflow/izu.provisioning.security.config.properties
      Locate the following property:
      security-configuration-directsecurity-enabled=

      If this property is not present, add it.

    2. To use XML security descriptors, ensure that the property is set to true:
      security-configuration-directsecurity-enabled=true
    3. Save the properties file.
  2. Restart the z/OSMF server. From the operator console, enter the START command for the z/OSMF server started task: START IZUSVR1
When the server initializes, the following message is written to the IZUG0.log to indicate that the R_SecMgtOper service is used for automatic security processing:
Cloud Provisioning and Management will use direct security processing via R_SecMgtOper for automatic security domains.

Using a REXX exec for automatic security processing

This method of automatic security uses the security REXX exec from IBM or one that you have obtained from another vendor. When installed, the security REXX exec is owned by the z/OSMF server user ID (by default, IZUSVR) and is intended for use by security administrators only. The exec can be updated only by users in the z/OSMF security administrator group (by default, IZUSECAD).

If your installation uses a security manager other than RACF, you must obtain a REXX exec with equivalent security commands from your vendor and store it on your system.

Then, do the following:
  1. Ensure that a security REXX exec is installed on your system. The IBM-supplied REXX exec for RACF is already included in the following directory on your system:
    /global/zosmf/configuration/workflow/izu.provisioning.security.config.rexx

    For other security managers, you must obtain an equivalent REXX exec from your vendor and install it on your system.

  2. Recycle the z/OSMF server to ensure that the security configuration properties file is created with the default IBM content and the correct ownership and permission settings.

    From the operator console, enter the operator commands in the following sequence: STOP IZUSVR1 > START IZUSVR1 > STOP IZUSVR1.

    It is not necessary to stop or restart the z/OSMF angel process (IZUANG1).

  3. With the z/OSMF server stopped, ask your security administrator to do the following:
    1. Locate the security configuration properties file on your system:
      /global/zosmf/configuration/workflow/izu.provisioning.security.config.properties
      Locate the following property:
      security-configuration-rexx-location=

      By default, the property identifies the location of the IBM-supplied security REXX exec.

    2. To use a different REXX exec, edit the property so that it refers to the location of the replacement REXX exec. The location can be a sequential data set, partitioned data set (PDS), or z/OS UNIX path and file name.
      If the REXX exec resides in a data set, observe the following naming conventions:
      • Enter the fully qualified data set name, including the member name if you are using a PDS.
      • Do not enclose the data set name in quotation marks.
      Example:
      security-configuration-rexx-location=SYS1.REXX(ZOSMFSEC)
      If the REXX exec resides in a z/OS UNIX file, observe the following naming conventions:
      • Enter the full path name, beginning with the forward slash (/) and including the file name, or a relative path.
      • The name cannot contain any path segments, such as /./ or /../
      Example:
      security-configuration-rexx-location=/u/cloud/zosmf/workflow/izu.provisioning.security.config.rexx
    3. Save the properties file.
  4. Restart the z/OSMF server. From the operator console, enter the START command for the z/OSMF server started task: START IZUSVR1
When the server initializes, the following message is written to the IZUG0.log to indicate that REXX processing is used for automatic security processing:
Cloud Provisioning and Management will use REXX processing for automatic security domains.
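To check that a value set for security-configuration-rexx-location follows the naming conventions above before the server is restarted, here is an added POSIX sh example; it is not part of z/OSMF or of the IBM-supplied exec. The data set name pattern, the requirement of at least two qualifiers, and the treatment of a slash-free value as a data set name are assumptions.

```shell
#!/bin/sh
# Validates the security-configuration-rexx-location value against the
# naming rules given above. Constructed example; not part of z/OSMF.

# Data set form: fully qualified (at least two qualifiers assumed), each
# qualifier 1-8 characters starting with a letter or national character,
# optional (MEMBER) for a PDS, and no quotation marks.
is_dataset_name() {
    case "$1" in *"'"*|*'"'*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Z@#$][A-Z0-9@#$-]{0,7}(\.[A-Z@#$][A-Z0-9@#$-]{0,7})+(\([A-Z@#$][A-Z0-9@#$]{0,7}\))?$'
}

# z/OS UNIX form: absolute or relative path that names a file and contains
# no dot segments (/./, /../, leading ./ or ../, trailing /. or /..).
is_unix_path() {
    case "$1" in
        */|*"'"*|*'"'*)                      return 1 ;;
        */./*|*/../*|./*|../*|*/.|*/..)      return 1 ;;
        *)                                   return 0 ;;
    esac
}

# Prints the detected form (dataset|unix|empty) and returns 0 when valid.
# Assumption: a value with no slash is a data set name, one with a slash
# is a z/OS UNIX path.
check_rexx_location() {
    case "$1" in
        "")  echo empty; return 1 ;;
        */*) kind=unix;    is_unix_path "$1" ;;
        *)   kind=dataset; is_dataset_name "$1" ;;
    esac
    rc=$?
    echo "$kind"
    return $rc
}

# Reads the property (last occurrence wins) from a properties file and validates it.
check_properties_file() {
    loc=$(sed -n 's/^security-configuration-rexx-location=//p' "$1" | tail -n 1)
    check_rexx_location "$loc"
}

# Stand-alone run over a constructed sample file (not the real system file).
sample=${TMPDIR:-/tmp}/izu.sample.$$.properties
cat > "$sample" <<'EOF'
security-configuration-directsecurity-enabled=false
security-configuration-rexx-location=SYS1.REXX(ZOSMFSEC)
EOF
check_properties_file "$sample" && echo "location accepted" || echo "location rejected"
rm -f "$sample"
```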

Applying service to the IBM-supplied REXX exec

IBM can ship service updates to Cloud Provisioning, which might include updates to the izu.provisioning.security.config.rexx exec. If you use the IBM exec, it is recommended that you apply the PTFs to stay current with the latest level of the exec.

If your installation uses a modified version of the IBM-supplied security REXX exec for RACF security:
  • Ensure that the security configuration properties file identifies the location of the exec on your system. See the procedure for updating the properties file in Using a REXX exec for automatic security processing.
  • Work with your security administrator to reconcile any differences between your copy of the exec and a new version from IBM.

When you are working with service updates, always check the PTF ++HOLD action for specific instructions for deploying the updated code, such as the need to restart the z/OSMF server to have the updates take effect.