The Liberty Profile on z/OS® lets your applications take advantage
of z/OS authorized services
for System Authorization Facility (SAF) authorization, Workload Manager
(WLM), resource recovery services (RRS), and SVCDUMP. If your application
requires these services, set up a Liberty angel process and grant access
for your Liberty profile server to use these services.
About this task
To use the z/OS Authorized Services, you can set up the following types of profiles
using a SAF security product such as RACF®:
- SAF STARTED profile is required if you plan on running the Liberty
Profile server or the Liberty angel process as a z/OS Started Task. For more information about
the Liberty angel process, see Liberty profile: Process types on z/OS.
- SAF SERVER profile is required if you plan on having the Liberty
Profile server access any of the z/OS Authorized Services for your applications. You can find
the description of each service in the following content.
Note: You do not need to set up RACF if you are not planning to run the Liberty profile server
as a Started Task and you are not planning to use any of the authorized
services.
Procedure
- Create STARTED profiles for the PROCs for the angel and
Liberty server processes. This action enables the angel and Liberty
server to run as Started Tasks.
- To cause the angel to run under the user ID WLPUSER0:
rdef started bbgzangl.* uacc(none) stdata(user(WLPUSER0) group(wasuser) privileged(no) trusted(no) trace(yes))
- To cause a server running under the BBGZSRV procedure name to
run under the user ID WLPUSER1:
rdef started bbgzsrv.* uacc(none) stdata(user(WLPUSER1) group(wasuser) privileged(no) trusted(no) trace(yes))
- Create a SERVER profile for the angel process and permit
the WLPUSER1 user ID. This
action grants a Liberty server access to the angel process, which
is required for the z/OS authorized
services. To enable a server running as WLPUSER1 to connect to the angel:
rdef server bbg.angel uacc(none)
permit bbg.angel class(server) access(read) id(wlpuser1)
- Create a SERVER profile for the authorized module BBGZSAFM
and permit the Started Task user ID of the Liberty server to the profile.
This action enables a Liberty server to use the z/OS Authorized services. To enable a server
running as WLPUSER1 to access the authorized module:
rdef server bbg.authmod.bbgzsafm uacc(none)
permit bbg.authmod.bbgzsafm class(server) access(read) id(wlpuser1)
- Create SERVER profiles for the individual authorized services
provided for the z/OS platform.
These profiles enable the server to invoke the individual authorized
services and these services are grouped by function:
- To enable the SAF authorized user registry services and SAF authorization
services (SAFCRED):
rdef server bbg.authmod.bbgzsafm.safcred uacc(none)
permit bbg.authmod.bbgzsafm.safcred class(server) access(read) id(wlpuser1)
- To enable the WLM services (ZOSWLM):
rdef server bbg.authmod.bbgzsafm.zoswlm uacc(none)
permit bbg.authmod.bbgzsafm.zoswlm class(server) access(read) id(wlpuser1)
- To enable the RRS transaction services (TXRRS):
rdef server bbg.authmod.bbgzsafm.txrrs uacc(none)
permit bbg.authmod.bbgzsafm.txrrs class(server) access(read) id(wlpuser1)
- To enable the SVCDUMP services (ZOSDUMP):
rdef server bbg.authmod.bbgzsafm.zosdump uacc(none)
permit bbg.authmod.bbgzsafm.zosdump class(server) access(read) id(wlpuser1)
- To enable the IFAUSAGE services (PRODMGR):
rdef server bbg.authmod.bbgzsafm.prodmgr uacc(none)
permit bbg.authmod.bbgzsafm.prodmgr class(server) access(read) id(wlpuser1)
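
The procedure above grants one SERVER profile per authorized service, so a server ID should hold only the permits its applications need. The following is an added example, not IBM code: a small Python check that reads a planned set of `rdef server` / `permit` commands in the forms shown on this page and reports profiles not defined with uacc(none), permits without a matching definition, services granted beyond what is required, and missing angel or BBGZSAFM permits. The function names and the sample input are assumptions constructed for illustration.

```python
import re

# The two SERVER-class command forms used in the procedure above.
RDEF = re.compile(r"^rdef\s+server\s+(\S+)\s+uacc\((\w+)\)", re.I)
PERMIT = re.compile(
    r"^permit\s+(\S+)\s+class\(server\)\s+access\((\w+)\)\s+id\((\w+)\)", re.I)
PREREQS = ("bbg.angel", "bbg.authmod.bbgzsafm")
SERVICE_PREFIX = "bbg.authmod.bbgzsafm."

def parse(commands):
    """Return ({profile: uacc}, {profile: {user: access}}), lower-cased."""
    defs, permits = {}, {}
    for line in map(str.strip, commands.splitlines()):
        if m := RDEF.match(line):
            defs[m.group(1).lower()] = m.group(2).lower()
        elif m := PERMIT.match(line):
            prof, access, user = (g.lower() for g in m.groups())
            permits.setdefault(prof, {})[user] = access
    return defs, permits

def audit(commands, user, needed):
    """Findings for `user`; `needed` = services the application requires."""
    defs, permits = parse(commands)
    user, needed = user.lower(), {s.lower() for s in needed}
    findings = [f"{p}: uacc({u}) gives default access to unlisted users"
                for p, u in defs.items() if u != "none"]
    findings += [f"{p}: permit without a matching rdef"
                 for p in permits if p not in defs]
    granted = {p[len(SERVICE_PREFIX):] for p, acl in permits.items()
               if p.startswith(SERVICE_PREFIX) and user in acl}
    findings += [f"{s}: granted to {user} but not required"
                 for s in sorted(granted - needed)]
    if granted:  # per-service permits depend on the angel and BBGZSAFM permits
        findings += [f"{p}: {user} lacks the prerequisite permit"
                     for p in PREREQS if user not in permits.get(p, {})]
    return findings

# Constructed sample: angel profile has uacc(read), the bbgzsafm permit is
# missing, and zosdump is granted although the application only needs safcred.
SAMPLE = """\
rdef server bbg.angel uacc(read)
permit bbg.angel class(server) access(read) id(wlpuser1)
rdef server bbg.authmod.bbgzsafm uacc(none)
rdef server bbg.authmod.bbgzsafm.safcred uacc(none)
permit bbg.authmod.bbgzsafm.safcred class(server) access(read) id(wlpuser1)
permit bbg.authmod.bbgzsafm.zosdump class(server) access(read) id(wlpuser1)
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "WLPUSER1", {"safcred"})))
```

The check only inspects command text before it is submitted; it does not query the RACF database.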