Setting up z/OS security

Decide on the broker's and User Name Server's started task names. These names are used to set up started task authorizations, and to manage your system performance.

Decide on a data set naming convention for your WebSphere Business Integration Event Broker PDSEs. A typical name might be WMQI.MQP1BRK.CNTL or MQS.MQP1UNS.BIPCNTL, where MQP1 is the queue manager name. You need to give the WebSphere Business Integration Event Broker, WebSphere MQ, DB2, and z/OS administrators access to these data sets. You can give these professionals control access in several ways, for example:
  • Give each user individual access to the specific data set.
  • Define a generic data set profile, defining a group that contains the user IDs of the administrators. Grant the group control access to the generic data set profile.

If you intend to use Publish/Subscribe, define a group called MQBRKRS and connect the started task user IDs to this group. Define an OMVS group segment for this group so that the User Name Server can extract information from the External Security Manager (ESM) database to enable you to use Publish/Subscribe security.

Each broker needs a unique ID for its DB2 tables. This can be:
  • A unique started task user ID; you could use the broker name as the started task user ID.
  • A shared started task user ID and a unique group specified to identify the DB2 tables to be used with the ODBC interface. Use the broker name as the group name.
Define an OMVS segment for the started task user ID and give its home directory sufficient space for any WebSphere Business Integration Event Broker dumps. Consider using the started task procedure name as the started task user ID. Check that your OMVS segment is defined by using the following TSO command:
LU userid OMVS
The command output includes the OMVS segment, for example:
USER=MQP1BRK NAME=SMITH, JANE OWNER=TSOUSER
CREATED=99.342 DEFAULT-GROUP=TSOUSER PASSDATE=01.198
PASS-INTERVAL=30
......
OMVS INFORMATION
----------------
UID=0000070594
HOME=/u/MQP1BRK
PROGRAM=/bin/sh
CPUTIMEMAX=NONE
ASSIZEMAX=NONE
FILEPROCMAX=NONE
PROCUSERMAX=NONE
THREADSMAX=NONE
MMAPAREAMAX=NONE
The command:
df -P /u/MQP1BRK
displays the amount of space used and available in the file system that contains /u/MQP1BRK, where /u/MQP1BRK is the HOME value from the OMVS segment above. Check with your data administrators that the free space is sufficient: you need a minimum of 400 000 blocks free, because that much space is needed if a dump is taken.

Associate the started task procedure with the user ID to be used. For example, you can use the STARTED class in RACF®. The WebSphere Business Integration Event Broker and z/OS administrators must agree on the name of the started task.

WebSphere Business Integration Event Broker administrators need an OMVS segment and a home directory. Check the setup described above.

The started task user IDs and the WebSphere Business Integration Event Broker administrators need access to the install executables, the component-specific files, and the home directory of the started task. During customization the file ownership can be changed to alter group access. This might require superuser authority.

When the service user ID is root, every library that the broker loads, including all user-written plug-in libraries and all shared libraries that they in turn access, runs with root access to all system resources (for example, filesets). Review and assess the risk involved before granting this level of authorization.
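The checks in this procedure, as an added POSIX shell example that is not part of the IBM documentation: it parses captured LU userid OMVS and df -P output to confirm that an OMVS segment exists, read HOME, warn when the UID is 0 (the root case described above), and verify the 400 000 block minimum. The function names and both sample outputs are constructed assumptions, not real system output.

```sh
#!/bin/sh
# Added example (not from the IBM documentation): checks the prerequisites
# above from captured command output. The LU and df -P outputs below are
# constructed samples (format assumed); feed real output to the same functions.

MIN_FREE_BLOCKS=400000   # free blocks needed so that a dump fits

# Constructed sample of TSO 'LU MQP1BRK OMVS' output.
LU_SAMPLE='USER=MQP1BRK NAME=SMITH, JANE OWNER=TSOUSER
CREATED=99.342 DEFAULT-GROUP=TSOUSER PASSDATE=01.198
OMVS INFORMATION
----------------
UID=0000070594
HOME=/u/MQP1BRK
PROGRAM=/bin/sh'

# Constructed sample of 'df -P /u/MQP1BRK' output; Available is column 4.
DF_SAMPLE='Filesystem         512-blocks      Used Available Capacity Mounted on
OMVS.ZFS.MQP1BRK      1440000    240000   1200000      17% /u/MQP1BRK'

# Return 0 if the LU output contains an OMVS segment.
omvs_defined() { printf '%s\n' "$1" | grep -q '^OMVS INFORMATION'; }

# Print the HOME= value of the OMVS segment (empty if none).
omvs_home() { printf '%s\n' "$1" | sed -n 's/^HOME=//p' | head -n 1; }

# Print the UID without leading zeros (empty if none).
omvs_uid() { printf '%s\n' "$1" | sed -n 's/^UID=0*\([0-9]\)/\1/p' | head -n 1; }

# Return 0 if the Available column of df -P output meets the minimum in $2.
df_free_ok() {
    avail=$(printf '%s\n' "$1" | awk 'NR == 2 { print $4 }')
    case "$avail" in ''|*[!0-9]*) return 1 ;; esac   # missing or not numeric
    [ "$avail" -ge "$2" ] && return 0
    return 1
}

# Run all checks for one started task user ID; returns 0 only if all pass.
check_started_task() {
    lu_out=$1; df_out=$2; rc=0
    omvs_defined "$lu_out" || { echo "FAIL: no OMVS segment defined"; return 1; }
    home=$(omvs_home "$lu_out")
    [ "$(omvs_uid "$lu_out")" = "0" ] && { echo "WARN: UID 0: broker and plug-in libraries run as root"; rc=1; }
    if df_free_ok "$df_out" "$MIN_FREE_BLOCKS"; then
        echo "OK: at least $MIN_FREE_BLOCKS blocks free for $home"
    else
        echo "FAIL: fewer than $MIN_FREE_BLOCKS blocks free for $home"; rc=1
    fi
    return $rc
}
```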

Related tasks
Security considerations

Related reference
Customization tasks and roles (z/OS)
Summary of required access (z/OS)