Before starting IBM® HTTP Server, there are required z/OS® system configurations that you must set up.
MEMLIMIT example
ALTUSER WWWSERV OMVS(MEMLIMIT(512M))
For a complete description of how to set MEMLIMIT, refer to the section Limiting the use of memory objects in z/OS MVS Programming Extended Addressability Guide (SA22-7614). You can link to this document from the z/OS Internet Library.
IBM HTTP Server requires approximately 5.4 megabytes of 64-bit virtual memory per thread. The minimum recommended MEMLIMIT setting for proper IBM HTTP Server operation is: 6 * (ThreadsPerChild + 3) megabytes.
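The sizing rule above lends itself to a pre-start check. The following POSIX shell script is an added example and not part of the IBM documentation: it reads ThreadsPerChild from httpd.conf text, applies the 6 * (ThreadsPerChild + 3) megabyte formula, and compares the result with the MEMLIMIT value that would be given on the ALTUSER command. The httpd.conf fragment is constructed for the demonstration, and the accepted MEMLIMIT operand forms (a number with an M, G, T or P suffix, or NOLIMIT) are an assumption about RACF syntax rather than something this page states.

```shell
#!/bin/sh
# Added example, not from the IBM page: size MEMLIMIT for IBM HTTP Server using the
# page's rule of thumb, minimum MEMLIMIT = 6 * (ThreadsPerChild + 3) megabytes.
# The httpd.conf text below is constructed for the demonstration.

# Read ThreadsPerChild from httpd.conf text on stdin.  Commented-out lines are
# skipped because their first field is "#"; the last active directive wins.
# Exits 1 when the directive is absent so the caller does not silently guess.
threads_per_child() {
  awk 'tolower($1) == "threadsperchild" { v = $2 }
       END { if (v == "") exit 1; print v }'
}

# Minimum MEMLIMIT in megabytes for a given ThreadsPerChild (the page's formula).
min_memlimit_mb() {
  echo $(( 6 * ($1 + 3) ))
}

# Convert a RACF MEMLIMIT operand to megabytes.  Accepted forms (assumed RACF
# syntax): nnnnM, nnnnG, nnnnT, nnnnP, or NOLIMIT (reported as -1).
memlimit_to_mb() {
  [ "$1" = NOLIMIT ] && { echo -1; return 0; }
  n=${1%?}                                   # numeric part, suffix stripped
  case "$n" in '' | *[!0-9]*) return 1 ;; esac
  case "$1" in
    *M) echo "$n" ;;
    *G) echo $(( $n * 1024 )) ;;
    *T) echo $(( $n * 1024 * 1024 )) ;;
    *P) echo $(( $n * 1024 * 1024 * 1024 )) ;;
    *)  return 1 ;;
  esac
}

# check_memlimit CONF_TEXT MEMLIMIT
# Returns 0 when MEMLIMIT covers the recommended minimum for the configured
# ThreadsPerChild, 1 when it is too low, 2 when the input cannot be parsed.
check_memlimit() {
  tpc=$(printf '%s\n' "$1" | threads_per_child) || {
    echo "ThreadsPerChild not found in httpd.conf" >&2; return 2; }
  have=$(memlimit_to_mb "$2") || {
    echo "unrecognized MEMLIMIT value: $2" >&2; return 2; }
  need=$(min_memlimit_mb "$tpc")
  if [ "$have" -eq -1 ] || [ "$have" -ge "$need" ]; then
    echo "MEMLIMIT $2 ok: ThreadsPerChild=$tpc needs at least ${need}M"
    return 0
  fi
  echo "MEMLIMIT $2 too low: ThreadsPerChild=$tpc needs at least ${need}M" >&2
  return 1
}

# Constructed httpd.conf fragment for the demonstration (not a real configuration).
SAMPLE_CONF='# ThreadsPerChild 200   (commented out: must be ignored)
ServerRoot "/opt/IBM/HTTPServer"
ThreadsPerChild 40'

# 40 threads need 6 * 43 = 258M; the page's ALTUSER example sets 512M, which suffices.
check_memlimit "$SAMPLE_CONF" 512M
# 128M would be too low for the same configuration.
check_memlimit "$SAMPLE_CONF" 128M || true
```

Run it against the real httpd.conf by passing `"$(cat /path/to/httpd.conf)"` as the first argument and the intended MEMLIMIT operand as the second; a non-zero exit tells you to raise MEMLIMIT before starting the server.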
For more information on configuration methods for allowing access to low ports, refer to the sections Port access control and Setting up reserved port number definitions in PROFILE.TCPIP in z/OS Communications Server IP Configuration Guide (SC31-8775). You can link to this document from the z/OS Internet Library.
For an explanation of how Unix System Services jobnames (such as those for IBM HTTP Server instances) are determined, refer to the section Generating jobnames for OMVS address spaces in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.
You can use a new or existing user ID. It must have an OMVS segment, and the UID must not be zero. The following examples contain RACF® commands to create a new user and group.
Password example
ADDGROUP WWWGROUP OMVS(GID(999))
ADDUSER WWWSERV DFLTGRP(WWWGROUP) OMVS(UID(999)) PASSWORD(password)
Password phrase example
ADDGROUP WWWGROUP OMVS(GID(999))
ADDUSER WWWSERV DFLTGRP(WWWGROUP) OMVS(UID(999)) PHRASE('my0users@99#701_workgroup')
The security administrator should define the password for the Web server user ID, instead of allowing it to default, to prevent an unauthorized user from being able to log in with that user ID. The ALTUSER command can be used to modify the password of an existing user ID.
STARTED class example
RDEFINE STARTED WEBSRV1.* STDATA(USER(WWWSERV) GROUP(WWWGROUP) TRACE(YES))
This profile assigns the WWWSERV user ID and the WWWGROUP group to the IBM HTTP Server started task.
Program control example
RALTER PROGRAM * ADDMEM('hlq.LINKLIB'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('hlq.SCEERUN'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('hlq.SCLBDLL') UACC(READ)
SETROPTS WHEN(PROGRAM) REFRESH
In this example, an asterisk (*) is used to specify all programs in the data set.
The extattr command marks a module in the file system as program controlled (+p) and APF authorized (+a), for example:
# extattr +ap /opt/IBM/HTTPServer/modules/mod_jauth.so
In this example, substitute the IBM HTTP Server installation location for /opt/IBM/HTTPServer/. (You can build custom plug-in modules using the apxs script that is provided.)
System SSL (SIEALNKE) program control example
RALTER PROGRAM * ADDMEM('hlq.SIEALNKE'//NOPADCHK) UACC(READ)
SETROPTS WHEN(PROGRAM) REFRESH
If you are turning on program control for the first time, use RDEFINE statements instead of the RALTER statements. If you are using another security product, refer to that product's documentation for instructions.
Certificate and key ring access example
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PE IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
SETR CLASSACT(FACILITY)
SETR RACLIST(FACILITY) REFRESH
For a complete guide to RACF commands, refer to z/OS Security Server RACF Security Administrator's Guide (SA22-7683). You can link to this document from the z/OS Internet Library.
Integrated Cryptographic Services Facility (ICSF) is the software interface to the cryptographic hardware. If you plan to run IBM HTTP Server with cryptographic hardware capability, you can restrict the use of ICSF services. To restrict the use of ICSF services, you can permit user IDs to certain profiles in the CSFSERV general resource class. CSFSERV controls the use of ICSF software. If you have defined your IBM HTTP Server to execute with a nonzero user ID, you can give the nonzero user ID READ access to CSFSERV. If you are using a security product other than RACF, refer to that product's documentation for instructions.
If you want to restrict the use of ICSF services, issue RACF commands similar to the commands in the following examples. If you have applications other than IBM HTTP Server that are using ICSF, you must customize the examples. Otherwise, the other applications will no longer have access to ICSF services.
ICSF example 1
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
RDEFINE CSFSERV CSF* UACC(NONE)
PERMIT CSF%%C CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
PERMIT CSFPK% CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
PERMIT CSFCK% CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH
A PERMIT command can only be issued against a profile that already exists, so the CSF%%C, CSFPK% and CSFCK% profiles must be defined before the PERMIT commands in this example are issued.
ICSF example 2
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
RDEFINE CSFSERV CSF%%C UACC(READ)
RDEFINE CSFSERV CSFPK% UACC(READ)
RDEFINE CSFSERV CSFCK% UACC(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH
To perform key storage on cryptographic devices refer to the section Integrated Cryptographic Service Facility (ICSF) Considerations in z/OS Security Server RACF Security Administrator's Guide (SA22-7683).
For information on ICSF options refer to the section Using Hardware Cryptographic Features with System SSL in z/OS Cryptographic Services System Secure Sockets Layer (SSL) Programming (SC24-5901).
You can link to both of these documents from the z/OS Internet Library.
A typical setting is: export _BPX_JOBNAME=HTTPD. The default is to append an incrementing integer to your jobname, such as HTTPD1, HTTPD2, HTTPD3. For more information refer to the section Generating jobnames for OMVS address spaces in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.
BPX.JOBNAME example
RDEFINE FACILITY BPX.JOBNAME UACC(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
PERMIT BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(WWWSERV)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY BPX.JOBNAME ALL
For more information, refer to the section Setting up the BPX.* FACILITY class profiles in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.