Enabling z/OS authorized services on Liberty for z/OS

Liberty on z/OS® offers the ability for your applications to take advantage of z/OS authorized services for System Authorization Facility (SAF) authorization, Workload Manager (WLM), Resource Recovery Services (RRS), and SVCDUMP. If your application requires these services, set up a Liberty angel process and grant your Liberty server access to the services it needs.

About this task

To use the z/OS Authorized Services, you can set up the following types of profiles by using a SAF security product such as RACF®:
  • SAF STARTED profile is required if you plan on running the Liberty server or the Liberty angel process as a z/OS Started Task. For more information about the Liberty angel process, see Process types on z/OS.
  • SAF SERVER profile is required if you plan on having the Liberty server access any of the z/OS Authorized Services for your applications. You can find the description of each service in the following content.
Note: If you are not planning to run the Liberty server as a Started Task and are not planning to use any of the authorized services, you do not need to set up these RACF profiles.

Procedure

  • Create STARTED profiles for users WLPUSER0 and WLPUSER1
    • Create STARTED profiles for the PROCs for the angel and Liberty server processes. This action enables the angel and Liberty server to run as Started Tasks under the user IDs that you assign. The STDATA values PRIVILEGED(NO) and TRUSTED(NO) keep these started tasks subject to normal RACF authorization checks.
      • To cause the angel to run under the user ID WLPUSER0:
        RDEF STARTED BBGZANGL.* UACC(NONE) STDATA(USER(WLPUSER0) GROUP(WASUSER) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
      • To cause a server that is running under the BBGZSRV procedure name to run under the user ID WLPUSER1:
        RDEF STARTED BBGZSRV.* UACC(NONE) STDATA(USER(WLPUSER1) GROUP(WASUSER) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
    • Create a SERVER profile for the angel process and permit the WLPUSER1 user ID to the profile.
      This action grants a Liberty server access to the angel process, which is required for the z/OS authorized services. READ access is all that a server needs, and UACC(NONE) ensures that no other user ID can connect to the angel. To create an unnamed angel server profile and enable a server that is running as WLPUSER1 to connect to it, use the following commands:
      RDEF SERVER BBG.ANGEL UACC(NONE)
      PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
      To create a named angel server profile and enable a server that is running as WLPUSER1 to connect to it, use the following commands:
      RDEF SERVER BBG.ANGEL.namedAngelName UACC(NONE)
      PERMIT BBG.ANGEL.namedAngelName CLASS(SERVER) ACCESS(READ) ID(WLPUSER1)
      The profile name that you specify for the namedAngelName variable is the name of the new angel.
      Tip: You can use generic profiles such as BBG.ANGEL.* to grant a user ID access to multiple angels.
  • Create a SERVER profile for the authorized module BBGZSAFM
    • Create a SERVER profile for the authorized module BBGZSAFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to use the z/OS Authorized services. To enable a server that is running as WLPUSER1 to access the authorized module:
      RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
      PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
    • Create SERVER profiles for the individual authorized services provided for the z/OS operating system. Each service has its own profile and is checked separately, so permit the server only to the services that its applications use. The services are grouped by function:
      • To enable the SAF authorized user registry services and SAF authorization services (SAFCRED):
        RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)      
        PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
      • To enable the WLM services (ZOSWLM):
        RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)      
        PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
      • To enable the RRS transaction services (TXRRS):
        RDEF SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)      
        PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
      • To enable the SVCDUMP services (ZOSDUMP):
        RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)      
        PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
      • To enable optimized local adapter services:
        RDEF SERVER BBG.AUTHMOD.BBGZSAFM.LOCALCOM UACC(NONE)
        PERMIT BBG.AUTHMOD.BBGZSAFM.LOCALCOM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
        RDEF SERVER BBG.AUTHMOD.BBGZSAFM.WOLA UACC(NONE)
        PERMIT BBG.AUTHMOD.BBGZSAFM.WOLA CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
      • To enable the IFAUSAGE services (PRODMGR):
        RDEF SERVER BBG.AUTHMOD.BBGZSAFM.PRODMGR UACC(NONE)      
        PERMIT BBG.AUTHMOD.BBGZSAFM.PRODMGR CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
      • To enable the AsyncIO services (ZOSAIO):
        RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSAIO UACC(NONE) 
        PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSAIO CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
      Note: During server startup, Liberty checks access to every authorized service, not only the ones that your applications use. Specifying the SAFLOG=Y JCL parameter on the angel PROC causes SAF to issue error messages for each authorized service that the server is not allowed to use. These messages are expected for services that you deliberately did not permit, and they are the quickest way to see which profile a server is missing.
  • Create a SERVER profile for the authorized client module BBGZSCFM
    • Create a SERVER profile for the authorized client module BBGZSCFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to load the z/OS Authorized client services.
      To enable a server that is running as WLPUSER1 to access the authorized client module:
      RDEF SERVER BBG.AUTHMOD.BBGZSCFM UACC(NONE)
      PERMIT BBG.AUTHMOD.BBGZSCFM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
    • Create SERVER profiles for the individual authorized client services provided for the z/OS operating system. These profiles enable clients to invoke the individual authorized services provided by the server.
      These services are grouped by function:
      • To enable optimized local adapter services:
        RDEF SERVER BBG.AUTHMOD.BBGZSCFM.WOLA UACC(NONE)
        PERMIT BBG.AUTHMOD.BBGZSCFM.WOLA CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
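The whole procedure above, as an added example that is not part of the IBM page: a POSIX shell script that generates the RACF commands for one Liberty server and permits it only to the authorized services you list, rejecting unknown service names before emitting anything. The profile names are the page's own; the PROC names, user IDs, group name and the SETROPTS refresh lines are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example, not the page's or IBM's code: generate the RACF commands from
# the procedure for one Liberty server, granting only the services requested.

# Services the page defines under BBG.AUTHMOD.BBGZSAFM.
KNOWN_SERVICES="SAFCRED ZOSWLM TXRRS ZOSDUMP LOCALCOM WOLA PRODMGR ZOSAIO"

# Emit RDEF + PERMIT for one SERVER-class profile, READ access for one user ID.
# Every profile gets UACC(NONE): nothing is granted by default.
define_and_permit() {
    printf 'RDEF SERVER %s UACC(NONE)\n' "$1"
    printf 'PERMIT %s CLASS(SERVER) ACCESS(READ) ID(%s)\n' "$1" "$2"
}

# STARTED profile so that a PROC runs as a non-privileged, non-trusted user ID.
# $1 = PROC name (e.g. BBGZSRV), $2 = user ID, $3 = group (assumed names).
gen_started_cmds() {
    printf 'RDEF STARTED %s.* UACC(NONE) STDATA(USER(%s) GROUP(%s) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))\n' "$1" "$2" "$3"
}

# SERVER profiles for the angel connection and the selected authorized services.
# $1 = server user ID, $2 = angel name ("" for the unnamed angel),
# $3... = services from KNOWN_SERVICES.
gen_server_cmds() {
    user=$1; angel=$2; shift 2
    # Validate first, so a typo cannot leave a half-applied set of profiles.
    for svc in "$@"; do
        case " $KNOWN_SERVICES " in
            *" $svc "*) ;;
            *) echo "unknown authorized service: $svc" >&2; return 1 ;;
        esac
    done
    if [ -n "$angel" ]; then
        define_and_permit "BBG.ANGEL.$angel" "$user"
    else
        define_and_permit "BBG.ANGEL" "$user"
    fi
    define_and_permit "BBG.AUTHMOD.BBGZSAFM" "$user"
    for svc in "$@"; do
        define_and_permit "BBG.AUTHMOD.BBGZSAFM.$svc" "$user"
        # The page pairs the WOLA service with the client module BBGZSCFM and
        # permits the same server user ID to both, so do the same here.
        if [ "$svc" = WOLA ]; then
            define_and_permit "BBG.AUTHMOD.BBGZSCFM" "$user"
            define_and_permit "BBG.AUTHMOD.BBGZSCFM.WOLA" "$user"
        fi
    done
}

# Assumption: STARTED and SERVER are RACLISTed on the target system (STARTED
# always is), so the new profiles take effect only after a refresh.
gen_refresh_cmds() {
    printf 'SETROPTS RACLIST(STARTED) REFRESH\n'
    printf 'SETROPTS RACLIST(SERVER) REFRESH\n'
}

# Demo with the page's names: angel as WLPUSER0, server BBGZSRV as WLPUSER1,
# permitted only to the SAF and WLM services.
if [ "${1:-}" = "--demo" ]; then
    gen_started_cmds BBGZANGL WLPUSER0 WASUSER
    gen_started_cmds BBGZSRV  WLPUSER1 WASUSER
    gen_server_cmds  WLPUSER1 "" SAFCRED ZOSWLM
    gen_refresh_cmds
fi
```

Run the script with `--demo` to print the complete command set for the page's example names; review the output, then issue each line from TSO or, on z/OS UNIX, pass it to tsocmd (assumed available on your system). The validation-before-emit order matters because these commands are normally applied one after another, and stopping halfway leaves the server permitted to the angel but not to the module it will try to load.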