Liberty on z/OS® offers the ability for your applications to take advantage of z/OS authorized services for System Authorization Facility (SAF) authorization, Workload Manager (WLM), Resource Recovery services (RRS), and SVCDUMP. If your application requires these services, set up a Liberty angel process and grant access for your Liberty server to use these services.
About this task
To use the z/OS Authorized Services, you can set up the following types of profiles by using a SAF security product such as RACF®:
- SAF STARTED profile is required if you plan on running the Liberty server or the Liberty angel process as a z/OS Started Task. For more information about the Liberty angel process, see Process types on z/OS.
- SAF SERVER profile is required if you plan on having the Liberty server access any of the z/OS Authorized Services for your applications. You can find the description of each service in the following content.
Note: You do not need to set up RACF if you are not planning to run the Liberty server as a Started Task and you are not planning to use any of the authorized services.
Procedure
- Create STARTED profiles for the PROCs for the angel and Liberty server processes. This action enables the angel and Liberty server to run as Started Tasks.
- To cause the angel to run under the user ID WLPUSER0:
rdef started bbgzangl.* uacc(none) stdata(user(WLPUSER0) group(wasuser) privileged(no) trusted(no) trace(yes))
- To cause a server that is running under the BBGZSRV procedure name to run under the user ID WLPUSER1:
rdef started bbgzsrv.* uacc(none) stdata(user(WLPUSER1) group(wasuser) privileged(no) trusted(no) trace(yes))
- Create a SERVER profile for the angel process and permit the WLPUSER1 user ID. This action grants a Liberty server access to the angel process, which is required for the z/OS authorized services. To create an unnamed angel server profile and enable a server that is running as WLPUSER1 to connect to it, issue the following commands:
RDEF SERVER BBG.ANGEL UACC(NONE)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
[16.0.0.4 and later] To create a named angel server profile and enable a server that is running as WLPUSER1 to connect to it, issue the following commands:
RDEF SERVER BBG.ANGEL.namedAngelName UACC(NONE)
PERMIT BBG.ANGEL.namedAngelName CLASS(SERVER) ACCESS(READ) ID(WLPUSER1)
The profile name that you specify for the namedAngelName variable is the name of the new angel.
Tip: You can use generic profiles such as BBG.ANGEL.* to grant a user ID access to multiple angels.
- Create a SERVER profile for the authorized module BBGZSAFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to use the z/OS Authorized services. To enable a server that is running as WLPUSER1 to access the authorized module:
RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- Create SERVER profiles for the individual authorized services provided for the z/OS platform. These profiles enable the server to invoke the individual authorized services. The services are grouped by function:
- To enable the SAF authorized user registry services and SAF authorization services (SAFCRED):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the WLM services (ZOSWLM):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSWLM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSWLM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the RRS transaction services (TXRRS):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.TXRRS UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.TXRRS CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the SVCDUMP services (ZOSDUMP):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSDUMP UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable optimized local adapter services:
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.LOCALCOM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.LOCALCOM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.WOLA UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.WOLA CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the IFAUSAGE services (PRODMGR):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.PRODMGR UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.PRODMGR CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- To enable the AsyncIO services (ZOSAIO):
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.ZOSAIO UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSAIO CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
- Create a SERVER profile for the authorized client module BBGZSCFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to load the z/OS Authorized client services. To enable a server that is running as WLPUSER1 to access the authorized client module:
RDEF SERVER BBG.AUTHMOD.BBGZSCFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSCFM CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
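As an added example (not part of the IBM documentation), the following Python sketch lints a RACF command script for the SERVER profiles in the steps above before it is run. It flags a UACC other than NONE, ACCESS other than READ, a PERMIT with no earlier RDEF, generic profiles, and IDs that are given a service profile without the angel and BBGZSAFM module profiles those steps describe. The function name `lint` and the sample script are assumptions constructed for illustration.

```python
import re

OPERAND = re.compile(r"(\w+)\(([^()]*)\)")   # KEYWORD(value), with or without a blank between
MODULE = "BBG.AUTHMOD.BBGZSAFM"              # authorized module profile from the page
ANGEL = "BBG.ANGEL"                          # unnamed angel profile from the page

def lint(script):
    """Return findings for RDEF/PERMIT commands against SERVER-class profiles."""
    defined, grants, findings = set(), {}, []
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.upper()                   # the page mixes wlpuser1 and WLPUSER1
        words = line.split()
        ops = dict(OPERAND.findall(line))
        if len(words) > 2 and words[0] in ("RDEF", "RDEFINE") and words[1] == "SERVER":
            defined.add(words[2])
            if ops.get("UACC") != "NONE":
                findings.append(f"line {n}: {words[2]} UACC is not NONE")
        elif len(words) > 1 and words[0] in ("PERMIT", "PE") and ops.get("CLASS") == "SERVER":
            profile, user = words[1], ops.get("ID", "?")
            if profile not in defined:
                findings.append(f"line {n}: PERMIT on {profile} before any RDEF")
            if ops.get("ACCESS") != "READ":
                findings.append(f"line {n}: {user} gets ACCESS other than READ on {profile}")
            if "*" in profile:
                findings.append(f"line {n}: generic profile {profile} covers multiple resources")
            grants.setdefault(user, set()).add(profile)
    # Dependency from the page: service profiles also need the angel and the module.
    for user, profiles in sorted(grants.items()):
        if not any(p.startswith(MODULE + ".") for p in profiles):
            continue
        if MODULE not in profiles:
            findings.append(f"{user}: service access without {MODULE}")
        if not any(p == ANGEL or p.startswith(ANGEL + ".") for p in profiles):
            findings.append(f"{user}: service access without an angel profile")
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE = """\
RDEF SERVER BBG.ANGEL UACC(NONE)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(wlpuser1)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM UACC(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(WLPUSER1)
RDEF SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER)ACCESS(READ) ID(WLPUSER1)
PERMIT BBG.AUTHMOD.BBGZSAFM.ZOSDUMP CLASS(SERVER) ACCESS(UPDATE) ID(WLPUSER2)
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The check works on the command text only; it does not query the RACF database, so profiles that already exist on the system are reported as missing an RDEF.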
- Create SERVER profiles for the individual authorized client services provided for the z/OS platform. These profiles enable clients to invoke the individual authorized services provided by the server. These services are grouped by function: