Verify that security is set up for the domain administrator
You can verify that security is set up correctly for the domain administrator role in IBM Cloud® Provisioning and Management for z/OS®. To do so, you can add an IBM-supplied template to the Software Services catalog and test run the template. This verification is referred to as performing the installation verification procedure or IVP for IBM Cloud Provisioning and Management for z/OS.
Before you begin
The IVP is supplied by IBM in the following location on your system: /usr/lpp/samples/cpm-sample-ivp/
- cloud-provisioning-ivp-workflow.xml: Workflow definition file for the provisioning workflow.
- cloud-provisioning-ivp.properties: Contains values for the console command and unsolicited message.
- cloud-provisioning-ivp-actions.xml: Actions file that defines only a deprovision action.
- cloud-provisioning-ivp-AdministratorDoc.pdf: Documentation file for the IVP.
- cloud-provisioning-ivp.mf: Manifest file. This file provides a shortcut when you create the template. Rather than specifying each of the aforementioned files in the template individually, you can specify just the manifest file, then click Load to supply values for the other files.
About this task
The IVP contains a template that runs a provisioning workflow under your user ID.
- If Step 1 completes successfully, your user ID is set up correctly for issuing operator commands. This step issues the START command to start a non-existent job (IZUTEST), which results in an unsolicited message (IEFC452I) when the job is not found. To issue the command, the step uses a REST service.
- If Step 2 completes successfully, your user ID is set up correctly for reading messages that are written to the operations console. This step checks the result of the previous step for the presence of unsolicited message IEFC452I.
To perform the IVP, your user ID must be authorized as a domain administrator. If your installation defined security as described in Steps for setting up security or by using the IZUPRSEC sample job, the user IDs in the IZUADMIN group are authorized as domain administrators.
Procedure
What to do next
For a more advanced test of your security setup, you can create and test run a template that requires approval from a specified approver. In a production environment, the approver might be a middleware system programmer or a security administrator.
To perform this test, you create a new template based on the one you created previously. This time, you modify the workflow input variable file that was supplied with the IVP to add a performer (a runAsUser) and an approver for the template. You repeat some of the steps you performed in the previous procedure.
- In the Templates table, select your template.
- Create another template based on the one you created previously:
- Click Based on.
- For Template name, specify the name of a new template, for example SampleIVP2.
- For Target file path, specify the name of an empty or non-existent directory, for example: /tmp/xxx. If the directory does not exist, z/OSMF attempts to create it.
- For Domain, select default to use the default domain.
- Click OK to create the template. The template is created in a draft state.
- Associate the template with the default tenant and create a resource pool, as you did in Step 2 of the previous procedure. If message IYURP0013I is displayed, click OK to continue.
- Specify a run-as-user and an approver for the template, as follows:
- Select , which opens the Workflow Editor.
- In the Workflow Editor, click the Input Properties tab, then specify your own user ID for the properties CONSOLE_ADMIN and CONSOLE_APPROVER.
Tip: In Cloud Provisioning, when a template specifies a user ID under which a step must be performed, an approval record is created. Here, the user ID is referred to as the runAsUser ID for the step. Approval records must be approved by the approvers before the template can be run or published.
In the example that follows, IBMUSER is specified for both properties.

    # Licensed Materials - Property of IBM
    # 5650-ZOS
    # Copyright IBM Corp. 2018
    #
    # Status = HSMA230
    #-------------------------------------------------------------------------------
    #
    # This is the command that will be issued
    # via the z/OSMF REST Consoles API
    #
    CONSOLE_CMD = S IZUTEST
    #
    # This is the unsolicited keyword that
    # z/OSMF REST Consoles API should expect
    # in the response to the CONSOLE_CMD.
    #
    UNSOL_KEY_TO_DETECT = IEFC452I
    #
    # This is the console Administrator user ID
    # that should be used to issue the
    # z/OSMF REST Consoles API if the user ID
    # running the template does not have appropriate
    # authorization.
    #
    CONSOLE_ADMIN = ibmuser
    #
    # This is the console Approval user ID used
    # for approving the usage of the console
    # Administrator user ID specified by
    # the ADMIN_CONSOLE variable.
    #
    CONSOLE_APPROVER = ibmuser

- Click Save to save the input properties file.
- Close the Workflow Editor window.
- In the page, click OK.
- In the Templates table, check the state of the template:
- If the template state is Pending security update, click Refresh to refresh the table display.
- If the state is Draft pending approval, the template requires approval. Resolving this state requires the approver user ID that you specified earlier to approve the template.
- Approve the template:
- In the Templates table, select the template that is in Draft pending approval state, then click .
- In the Approvals window, review the item to approve.
- To approve the template, select the row, then click .
- Return to the Templates table. Notice that the template is now Draft approved.
- Test run the template by clicking Actions, then Test Run.
- In the Instances table, check the state of your instance:
- If the template state is Being Provisioned, click Refresh to refresh the table display. Provisioning might take several minutes to complete.
- If the template state is Provisioning-Failed, resolve the errors for any failed steps and test run the template again.
- If the template state is Provisioned, you started the instance successfully.
- Deprovision the instance.
You can remove the template from the software services catalog when you are done.
Exploring this function further: Try running the IVP with other user IDs specified for the CONSOLE_ADMIN and CONSOLE_APPROVER properties. When these user IDs do not match, Cloud Provisioning automatically generates an additional approval record for your security administrator to approve. This behavior helps to ensure that security is maintained when provisioning is performed under different user IDs.
- For CONSOLE_ADMIN, specify the user ID under which the template is to run. This user ID requires the authority to enter commands from the z/OS operations console. Typically, this person is a middleware system programmer who provisions templates at your company.
- For CONSOLE_APPROVER, specify the user ID of the person who must approve the provisioning of the template.
Avoid using a functional user ID for the approver. The approver user ID must be able to log in to z/OSMF.
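A pre-flight check for the input properties described above, as an added example that is not part of the IBM-supplied IVP: it parses the properties text, lists the approval records this page says to expect, and flags an approver that is a functional user ID. The function names, the sample user IDs sysprog1 and secadm1, and the functional_ids list are assumptions made for illustration.

```python
import re

# Constructed sample input: the IVP properties with two different user IDs.
SAMPLE = """\
# constructed sample, modelled on cloud-provisioning-ivp.properties
CONSOLE_CMD = S IZUTEST
UNSOL_KEY_TO_DETECT = IEFC452I
CONSOLE_ADMIN = sysprog1
CONSOLE_APPROVER = secadm1
"""

REQUIRED = ("CONSOLE_CMD", "UNSOL_KEY_TO_DETECT", "CONSOLE_ADMIN", "CONSOLE_APPROVER")
USER_ID = re.compile(r"[A-Z0-9#$@]{1,8}")  # z/OS user IDs: 1-8 characters


def parse_properties(text):
    """Return key/value pairs, skipping blank lines and '#' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'key = value' line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def review(props, functional_ids=()):
    """Return (approval records to expect, problems found)."""
    problems = [f"{k} is missing or empty" for k in REQUIRED if not props.get(k)]
    admin = props.get("CONSOLE_ADMIN", "").upper()
    approver = props.get("CONSOLE_APPROVER", "").upper()
    for name, uid in (("CONSOLE_ADMIN", admin), ("CONSOLE_APPROVER", approver)):
        if uid and not USER_ID.fullmatch(uid):
            problems.append(f"{name} is not a valid user ID: {uid}")
    # Assumption: functional_ids is a site-maintained list of non-login IDs.
    if approver in {f.upper() for f in functional_ids}:
        problems.append(f"{approver} is a functional ID and cannot approve in z/OSMF")
    approvals = []
    if admin and approver:
        approvals.append(f"{approver} approves steps that run as {admin}")
        if admin != approver:  # per this page: a mismatch adds a second record
            approvals.append("additional approval record for the security administrator")
    return approvals, problems


if __name__ == "__main__":
    for line in sum(review(parse_properties(SAMPLE), ["secadm1"]), []):
        print(line)
```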