Automatic security management for Cloud Provisioning
During regular operations with Cloud Provisioning, your installation periodically adds or removes users for domains and tenants. Such changes require immediate updates to your security setup. If you select automatic security for Cloud Provisioning in the Resource Management task, or accept the default, these changes are performed for you automatically.
This topic describes the options that are available for enabling automatic security management for IBM Cloud® Provisioning and Management for z/OS®.
- XML security descriptor. Cloud Provisioning will generate an XML request that identifies the required security operations for your external security manager (ESM) to process.
- Security REXX exec that is provided by the vendor of the ESM. For example, IBM supplies the REXX exec izu.provisioning.security.config.rexx for use with RACF.
Automatic security is enabled by default, and the XML security descriptor is the default method. It uses the z/OS service R_SecMgtOper to perform security operations directly and synchronously. In contrast, the REXX exec is run by a Resource Management workflow.
Both of these methods require that a valid user ID be specified for the CLOUD_SEC_ADMIN keyword in the IZUPRMxx parmlib member.
Using the XML descriptor support for automatic security processing
This method of automatic security uses the R_SecMgtOper service (module IRRSMO00) in z/OS to process an IBM-supplied XML document. The contents of the XML document are processed by the external security manager (ESM). For information about the R_SecMgtOper service, see z/OS Security Server RACF Callable Services.
- Add the following statement to IEFSSNxx so that the RACF subsystem address space, which R_SecMgtOper requires, is started at IPL. The INITPARM value is the command prefix character for the RACF subsystem:
  SUBSYS SUBNAME(RACF) INITRTN(IRRSSI00) INITPARM('<')
- A temporary alternative is to enter the following command. This change does not persist across an IPL of the system.
  SETSSI ADD,SUBNAME=RACF,INITRTN=IRRSSI00,INITPARM='<'
- Ask your security administrator to do the following:
  - Locate the security configuration properties file on your system:
    /global/zosmf/configuration/workflow/izu.provisioning.security.config.properties
    Locate the following property: security-configuration-directsecurity-enabled=
    If this property is not present, add it.
  - To use XML security descriptors, ensure that the property is set to true:
    security-configuration-directsecurity-enabled=true
  - Save the properties file.
- Restart the z/OSMF server. From the operator console, enter the START command for the z/OSMF server started task:
  START IZUSVR1
Cloud Provisioning and Management will use direct security processing via R_SecMgtOper for automatic security domains.
Using a REXX exec for automatic security processing
This method of automatic security uses the security REXX exec from IBM or one that you have obtained from another vendor. When installed, the security REXX exec is owned by the z/OSMF server user ID (by default, IZUSVR) and is intended for use by security administrators only. The exec can be updated only by users in the z/OSMF security administrator group (by default, IZUSECAD).
If your installation uses a security manager other than RACF, you must obtain a REXX exec with equivalent security commands from your vendor and store it on your system.
- Ensure that a security REXX exec is installed on your system. The IBM-supplied REXX exec for RACF is already included in the following directory on your system:
  /global/zosmf/configuration/workflow/izu.provisioning.security.config.rexx
  For other security managers, you must obtain an equivalent REXX exec from your vendor and install it on your system.
- Recycle the z/OSMF server to ensure that the security configuration properties file is created with the default IBM content and the correct ownership and permission settings. From the operator console, enter the operator commands to stop and then start the z/OSMF server started task (IZUSVR1). It is not necessary to stop or restart the z/OSMF angel process (IZUANG1).
- With the z/OSMF server stopped, ask your security administrator to do the following:
  - Locate the security configuration properties file on your system:
    /global/zosmf/configuration/workflow/izu.provisioning.security.config.properties
    Locate the following property: security-configuration-rexx-location=
    By default, the property identifies the location of the IBM-supplied security REXX exec.
  - To use a different REXX exec, edit the property so that it refers to the location of the replacement REXX exec. The location can be a sequential data set, partitioned data set (PDS), or z/OS UNIX path and file name. If the REXX exec resides in a data set, observe the following naming conventions:
    - Enter the fully qualified data set name, including the member name if you are using a PDS.
    - Do not enclose the data set name in quotation marks.
    Example: security-configuration-rexx-location=SYS1.REXX(ZOSMFSEC)
    If the REXX exec resides in a z/OS UNIX file, observe the following naming conventions:
    - Enter the full path name, beginning with the forward slash (/) and including the file name, or a relative path.
    - The name cannot contain any path segments such as /./ or /../
    Example: security-configuration-rexx-location=/u/cloud/zosmf/workflow/izu.provisioning.security.config.rexx
  - Save the properties file.
- Restart the z/OSMF server. From the operator console, enter the START command for the z/OSMF server started task:
  START IZUSVR1
Cloud Provisioning and Management will use REXX processing for automatic security domains.
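The properties-file edits in both procedures above (the directsecurity flag for the XML descriptor method, and the rexx-location value with its naming conventions for the REXX method) can be checked mechanically before the server is restarted. The following Python script is an added example, not IBM code and not part of z/OSMF: it reads a constructed sample of izu.provisioning.security.config.properties, validates a rexx-location value against the conventions quoted above (plus standard MVS data set naming rules, which are an assumption beyond this page), and adds or replaces a property line. It assumes the file is plain key=value text and that a directsecurity value other than true selects the REXX exec, which the page implies but does not state outright.

```python
"""Added example (not IBM's code): check and update the Cloud Provisioning
security configuration properties file before restarting the z/OSMF server."""
import re

DIRECT_KEY = "security-configuration-directsecurity-enabled"
REXX_KEY = "security-configuration-rexx-location"

# Standard MVS naming rules (assumption beyond the page): each qualifier is 1-8
# uppercase characters, starts with a letter or national character (@ # $), the
# name is at most 44 characters, and an optional (MEMBER) names the PDS member.
_QUAL = r"[A-Z@#$][A-Z0-9@#$-]{0,7}"
_MEMBER = r"[A-Z@#$][A-Z0-9@#$]{0,7}"
_DSN_RE = re.compile(rf"^{_QUAL}(?:\.{_QUAL})*(?:\(({_MEMBER})\))?$")

# Constructed sample of the properties file; not the content IBM ships.
SAMPLE_PROPERTIES = """\
# constructed sample of izu.provisioning.security.config.properties
security-configuration-directsecurity-enabled=false
security-configuration-rexx-location=/global/zosmf/configuration/workflow/izu.provisioning.security.config.rexx
"""


def validate_rexx_location(value: str) -> str:
    """Apply the page's naming conventions to a rexx-location value.

    Returns "dataset" or "path"; raises ValueError naming the rule that failed."""
    v = value.strip()
    if not v:
        raise ValueError("rexx-location is empty")
    if v[0] in "'\"" or v[-1] in "'\"":
        raise ValueError("do not enclose the data set name in quotation marks")
    if "/" in v:
        # z/OS UNIX path: absolute or relative, but no '.' or '..' segments
        for seg in v.split("/"):
            if seg in (".", ".."):
                raise ValueError(f"path contains a '/{seg}/' segment: {v}")
        if v.endswith("/"):
            raise ValueError("path must include the file name")
        return "path"
    if not _DSN_RE.match(v):
        raise ValueError(f"not a valid fully qualified data set name: {v}")
    if len(v.split("(")[0]) > 44:
        raise ValueError("data set name longer than 44 characters")
    return "dataset"


def rejects(value: str) -> bool:
    """True when validate_rexx_location refuses the value."""
    try:
        validate_rexx_location(value)
    except ValueError:
        return False or True
    return False


def parse_properties(text: str) -> dict:
    """Minimal key=value reader: skips blank lines and # comments, last value wins."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        key, sep, val = s.partition("=")
        if sep:
            props[key.strip()] = val.strip()
    return props


def set_property(text: str, key: str, value: str) -> str:
    """Replace an existing key=value line in place, or append one when the key
    is absent (the page says to add the property if it is not present)."""
    out, found = [], False
    for line in text.splitlines():
        k, sep, _ = line.partition("=")
        if sep and k.strip() == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def check_config(text: str) -> dict:
    """Report which automatic security method the file selects and any problems.

    mode is "direct" (XML descriptors via R_SecMgtOper), "rexx", or "unset"."""
    props = parse_properties(text)
    report = {"mode": "unset", "issues": []}
    flag = props.get(DIRECT_KEY)
    if flag is None:
        report["issues"].append(f"{DIRECT_KEY} is not present; add it")
        return report
    if flag.lower() == "true":
        report["mode"] = "direct"
        return report
    report["mode"] = "rexx"  # assumption: any value other than true selects REXX
    loc = props.get(REXX_KEY)
    if loc is None:
        report["issues"].append(f"{REXX_KEY} is not set")
        return report
    try:
        report["location_kind"] = validate_rexx_location(loc)
    except ValueError as err:
        report["issues"].append(str(err))
    return report


if __name__ == "__main__":
    print(check_config(SAMPLE_PROPERTIES))
    print(check_config(set_property(SAMPLE_PROPERTIES, DIRECT_KEY, "true")))
    print(check_config(set_property(SAMPLE_PROPERTIES, REXX_KEY, "/u/cloud/../zosmf/sec.rexx")))
```

Run it against a copy of the real file with the server stopped; a non-empty issues list means the restart would pick up a location the page's conventions forbid, so fix the property before entering START IZUSVR1.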
Applying service to the IBM-supplied REXX exec
IBM can ship service updates to Cloud Provisioning, which might include updates to the izu.provisioning.security.config.rexx exec. If you use the IBM exec, it is recommended that you apply the PTFs to stay current with the latest level of the exec.
- Ensure that the security configuration properties file identifies the location of the exec on your system. See the procedure for updating the properties file in Using a REXX exec for automatic security processing.
- Work with your security administrator to reconcile any differences between your copy of the exec and a new version from IBM.
When you are working with service updates, always check the PTF ++HOLD action for specific instructions for deploying the updated code, such as the need to restart the z/OSMF server to have the updates take effect.