z/OS customization variables: Administrative agents
Specify values for the variables in the Profile Management Tool to create customization data and instructions that you can use to configure an administrative agent.
The Profile Management Tool creates customization data and instructions that are used to configure a WebSphere Application Server for z/OS runtime environment. A z/OS runtime profile is not created, however, until the actions listed in the generated instructions are performed on the target z/OS system.
Customization Definition Name
- Name that identifies the customization definition
This name is used on the workstation to identify the customization data and instructions that are created. The name chosen has no effect on the WebSphere Application Server for z/OS configuration.
- Full path name of a response file that contains the default values to be used
When this value is specified, the input fields are preloaded with the values in the response file.
Tip: A response file is written each time that a customization definition is created. This response file contains all of the variable data that was used to create the customization definition, and it can be used to preload the default values when defining a similar customization definition. Normally, you should specify a response file from a customization definition of the same type as the definition that you are about to define; however, you can use a response file of a different customization-definition type to preload most of the default values for a similar type.
Server Type Selection
- Type of server to be created within this management profile
Default Values
Options for generating default values for this customization definition
Read Configuration Planning Spreadsheets for z/OS for more information.
If you specified a response file for setting default values, any default selected here will override the corresponding response file values.
- Set each default GID and UID value to indicate that operating-system security is to assign an unused value
When this option is selected, each GID and UID value will be defaulted to allow operating-system security to assign an unused value. When this option is not selected, each GID and UID value will be defaulted to an IBM-provided number.
- Set default names and user IDs based on cell and system identifiers
When this option is selected, default cell, node, server, and procedure names, as well as group names and user IDs, are based on the cell and system identifiers that you specify.
- Two-character cell identifier to be used to create default names and user IDs
Rule: The first character must be an alphabetic character and the second character must be an alphanumeric character. Alphabetic characters can be entered in lowercase or uppercase. The case of alphabetic characters will be adjusted as appropriate for each generated default value.
- Single-character system identifier to be used to create default names and user IDs
Rule: The character must be an alphanumeric character. An alphabetic character can be entered in lowercase or uppercase. The case of the alphabetic character will be adjusted as appropriate for each generated default value.
- Select default port values from the following port range
When this option is not selected, each port value will default to an IBM-provided number. When this option is selected, each port default value will be selected from the following port number range.
The port range must contain at least 10 ports.
- Lowest number that may be assigned as a default port number
- Highest number that may be assigned as a default port number
Target Datasets
- High-level qualifier for the target z/OS datasets that will contain the generated jobs and instructions
When a customization definition is uploaded to the target z/OS system, the customization jobs and files are written to a pair of partitioned datasets. While it is possible to reuse these datasets, it is safest to create separate datasets for each WebSphere Application Server for z/OS configuration. The best practice is to use the customization dataset name prefix (sometimes referred to as config_hlq) to indicate the version and release of WebSphere Application Server for z/OS, the task that you are performing, and the cell (as well as the node name in some cases) that you are configuring. For example, you might use the following dataset name prefix for configuring a standalone WebSphere Application Server cell named TESTCELL for Version 9.0:
SYSPROG1.WAS90.TESTCELL.APPSERV
In this example, the following two datasets will be created when the customization definition is uploaded to the target z/OS system:
SYSPROG1.WAS90.TESTCELL.APPSERV.CNTL
SYSPROG1.WAS90.TESTCELL.APPSERV.DATA
The CNTL dataset will be a partitioned dataset (PDS) with fixed block 80-byte records that will contain the customization jobs. The DATA dataset will be a PDS with variable-length records to contain the other customization data.
Rule: The high-level qualifier can consist of multiple qualifiers (up to 39 characters).
The generated batch jobs and instructions will be uploaded to two z/OS partitioned datasets:
- Partitioned dataset with fixed block 80-byte records to contain customization jobs
- Partitioned dataset with variable-length records to contain the other data in the customization definition
Tip: A multilevel high-level qualifier can be specified as the dataset high-level qualifier.
Configure Common Groups
- Default group name for the WebSphere Application Server administrator user ID and all server user IDs
- Select this option to have RACF assign an unused GID value.
- Select this option to specify a GID value.
- UNIX System Services GID number for the WebSphere Application Server configuration group
Rule: GID values must be unique numeric values between 1 and 2,147,483,647.
- Connect all servant user IDs to this group
You can use this group to assign subsystem permissions, such as DB2 authorizations, to all servants in the security domain.
- Select this option to have RACF assign an unused GID value.
- Select this option to specify a GID value.
- UNIX System Services GID number for the servant group
Rule: GID values must be unique numeric values between 1 and 2,147,483,647.
- Group of local clients and unauthorized user IDs
- Select this option to have RACF assign an unused GID value.
- Select this option to specify a GID value.
- UNIX System Services GID number for the local user group
Rule: GID values must be unique numeric values between 1 and 2,147,483,647.
Configure Common Users
- User ID associated with all the control regions and the daemon
This user ID will also own all of the configuration file systems.
If you are using a non-IBM security system, the user ID might have to match the procedure name. Refer to your security system's documentation.
- Select this option to have RACF assign an unused UID value.
- Select this option to specify a specific UID value.
- User identifier associated with the control region user ID
Rule: UIDs must be unique numbers between 1 and 2,147,483,647 within the system.
- User ID associated with the servant region
If you are using a non-IBM security system, the user ID might have to match the procedure name. Refer to your security system's documentation.
- Select this option to have RACF assign an unused UID value.
- Select this option to allow a user-specified UID value.
- User identifier associated with the servant region user ID
Rule: UIDs must be unique numbers between 1 and 2,147,483,647 within the system.
- User ID of the initial WebSphere Application Server administrator
It must have the WebSphere Application Server configuration group as its default UNIX System Services group.
- Select this option to have RACF assign an unused UID value.
- Select this option to allow a user-specified UID value.
- User identifier associated with the administrator user ID
Rule: UIDs must be unique numbers between 1 and 2,147,483,647 within the system.
- New or existing file system directory in which home directories for WebSphere Application Server for z/OS user IDs will be created by the customization process
This directory does not need to be shared among z/OS systems in a WebSphere Application Server cell.
Configure Additional Users
This panel only displays if you click Window > Preferences > Profile Management Tool in the WebSphere Customization Toolbox, select Enable unique user IDs for daemon and adjunct, and click Apply.
- User ID associated with the daemon
- Select this option to have RACF assign an unused UID value.
- Select this option to allow a user-specified UID value.
- User identifier associated with the daemon user ID
Rule: UIDs must be unique numbers between 1 and 2,147,483,647 within the system.
System and Dataset Names
- System name for the target z/OS system on which you will configure WebSphere Application Server for z/OS
Tip: If you are not sure what the system name (&SYSNAME) is, use the console command D SYMBOLS on the target z/OS system to display it.
- Sysplex name for the target z/OS system on which you will configure WebSphere Application Server for z/OS
Tip: If you are not sure what the sysplex name (&SYSPLEX) is, use the console command D SYMBOLS on the target z/OS system to display it.
- Existing procedure library where the WebSphere Application Server for z/OS cataloged procedures are added
Cell, Node, and Server Names
- Note: Each management server (administrative agent, deployment manager, or job manager) should be assigned its own cell name that is different from that of any other WebSphere Application Server cell on the same z/OS sysplex.
- Name that identifies the cell to z/OS facilities such as SAF
Rules:
- Primary external identification of this WebSphere Application Server for z/OS cell
This name identifies the cell as displayed through the administrative console.
Rules:
- Name that identifies the node to z/OS facilities such as SAF
Rules:
- Primary external identification of this WebSphere Application Server for z/OS node
This name identifies the node as displayed through the administrative console.
Rules:
- Name that identifies the server to z/OS facilities such as SAF
The server short name is also used as the server JOBNAME.
Rule: Name must usually contain seven or fewer all-uppercase characters.
- Name of the application server and the primary external identification of this WebSphere Application Server for z/OS server
This name identifies the server as displayed through the administrative console.
Rules:
- WLM APPLENV (WLM application environment) name for this server
If this server is converted into a clustered server, this name becomes the cluster short name. The cluster short name is the WLM APPLENV name for all servers that are part of the same cluster. See z/OS JCL cataloged procedures for more information.
Rule: Name must be eight or fewer characters and all uppercase.
Configuration File System
- Read/write file system directory mount point where application data and environment files are written
The customization process creates this mount point if it does not already exist.
- Relative path name of the directory within the configuration file system in which the configuration resides
- File system dataset that you will create and mount at the above mount point
Rule: You can specify up to 44 characters for the dataset name.
- Type of file system that will be used when creating the WebSphere for z/OS configuration file system
- This will allocate and mount your configuration file system dataset using HFS.
- This will allocate and mount your configuration file system dataset using ZFS.
- DASD volume serial number to contain the above dataset or * to let SMS select a volume
Using * requires that SMS automatic class selection (ACS) routines be in place to select the volume. If you do not have SMS set up to handle dataset allocation automatically, list the volume explicitly.
- Initial size allocation in cylinders for the configuration file system dataset
Tip: The minimum suggested size is 420 cylinders.
- Size of each secondary extent in cylinders
Tip: The minimum suggested size is 100 cylinders.
WebSphere Application Server Product File System
- Name of the directory where WebSphere Application Server for z/OS files reside after installation
This is the SMP/E installation directory.
Read Product file system for more information.
- Select this option to set up an intermediate symbolic link, and specify the path name of that link if you select it
If you specify an intermediate symbolic link, symbolic links are created from the configuration file system to the intermediate symbolic link; otherwise, they are created directly to the product file system.
Selecting this option allows you to specify the path name of an intermediate symbolic link. This link will be created by the customization jobs, pointing to the product file system directory.
- Path name of intermediate symbolic link
Error Log Stream and CTRACE Parmlib Member
This panel only displays if you click Window > Preferences > Profile Management Tool, select Enable error log stream and CTRACE parmlib member, and click Apply. Alternatively, you can use the administrative console to set these values.
- Name of the error log stream that you create
Rules:
- Value that is appended to CTIBBO to form the name of the CTRACE parmlib member that is used by the associated WebSphere Application Server for z/OS daemon
The BBOCTIOO sample parmlib member in the SBBOJCL dataset can be used to create this CTRACE parmlib member.
Process Definitions
- Job name, specified in the MVS™ START command JOBNAME parameter, associated with the control region
This is the same as the server short name and it cannot be changed through the tool.
- Name of member in your procedure library to start the control region
Rule: Name must be seven or fewer characters.
- Job name used by WLM to start the servant regions
This is set to the server short name followed by the letter S, and it cannot be changed through the tool.
- Name of member in your procedure library to start the servant regions
Rule: Name must be seven or fewer characters.
Port Values Assignment
- IP name or address of the system on which the server is configured
This value is used by other WebSphere Application Server for z/OS functions to connect to this server.
Note: The node host name must always resolve to an IP stack on the system where the application server runs. The node host name cannot be a DVIPA or a DNS name that, in any other way, causes requests to be directed to more than one system.
- Port number for the JMX HTTP connection to this server based on the SOAP protocol (SOAP_CONNECTOR_ADDRESS)
JMX is used for remote administrative functions, such as invoking scripts through wsadmin.sh.
Rule: Value cannot be 0.
- IP address on which the server's ORB listens for incoming IIOP requests
The default is *, which instructs the ORB to listen on all available IP addresses.
- Port for IIOP requests that acts as the bootstrap port for this server and also as the port through which the ORB accepts IIOP requests (BOOTSTRAP_ADDRESS and ORB_LISTENER_ADDRESS)
Rule: Value cannot be 0.
- Port for secure IIOP requests (ORB_SSL_LISTENER_ADDRESS)
The default is 0, which allows the system to choose this port.
- IP address on which the server's web container should listen for incoming HTTP requests
The default is *, which instructs the web container to listen on all available IP addresses.
Note: The transport host name becomes the host name in the virtualhosts.xml file, which makes setting a specific IP address here less than ideal. If you do so, you are restricting yourself to that IP address until you go into the administrative console and add another virtual host.
- Port for HTTP requests to the administrative console (WC_adminhost)
- Port for secure HTTP requests to the administrative console (WC_adminhost_secure)
- Port for the JMX connector that listens on the loopback adapter (IPC_CONNECTOR_ADDRESS)
The connector uses the local comm communications protocol, which means that the port is used only for communications that are local to the z/OS system image (or sysplex).
Location Service Daemon Definitions
The location service daemon is the initial point of client contact in WebSphere Application Server for z/OS. The server contains the CORBA-based location service agent, which places sessions in a cell. All RMI/IIOP IORs (for example, for enterprise beans) establish connections to the location service daemon first, then forward them to the target application server.
- Directory in which the location service daemon resides
This is set to <configuration file system mount point>/Daemon and cannot be changed.
- Job name of the location service daemon, specified in the JOBNAME parameter of the MVS START command used to start the location service daemon
Caution: When configuring a new cell, be sure to choose a new daemon job name value.
Note: A server automatically starts the location service daemon if it is not already running.
- Name of the member in your procedure library to start the location service daemon
Rule: Name must be seven or fewer characters.
- The fully qualified IP name, registered with the Domain Name Server (DNS), that the location service daemon uses
The default value is your node host name.
Notes:
- Address at which the daemon listens
Select either * or a dotted decimal IP address for this value.
The default value is *.
Choose the value carefully. It is difficult to change, even in the middle of customization.
- Port number on which the location service daemon listens
Note: Select the port number for the location service daemon carefully. You can choose any value you want; but once chosen, it is difficult to change, even in the middle of customization.
- The port number on which the location service daemon listens for SSL connections
- If you use the WLM DNS (connection optimization), you must select this option to register your location service daemon with it. Otherwise, do not select it.
Note: Only one location service daemon per LPAR can register its domain name with WLM DNS. If you have multiple cells in the same LPAR and register one location service daemon and then a second, the second will fail to start.
SSL Customization
- Name of the key label that identifies the certificate authority (CA) to be used in generating server certificates
- Select this option to generate a new CA certificate. Deselect this option to use an existing CA certificate to generate the server certificates.
- Expiration date used for any X.509 certificate authority certificates, as well as the expiration date for the personal certificates generated for WebSphere Application Server for z/OS servers
You must specify this even if you did not select the option to generate a certificate authority (CA) certificate.
- Default name given to the RACF® key ring used by WebSphere Application Server for z/OS
The key ring names created for repertoires are all the same within a cell.
- Select this option if you want to enable z/OS SSL clients using SAF Virtual Key Ring to connect to this WebSphere Application Server node without requiring each user to have the WebSphere Application Server keyring or the WebSphere Application Server CA certificate connected to it.
- Select this option if you want to support secure communications using Inter-ORB Request Protocol (IIOP) to the location service daemon using SSL. If you select this option, a RACF key ring will be generated for the location service daemon to use.
Administrative Security Selection
- Use the z/OS system's SAF-compliant security database
to define WebSphere Application Server users
Choose this option if you plan to use the SAF security database as your WebSphere Application Server user registry or if you plan to set up an LDAP or custom user registry whose identities will be mapped to SAF user IDs for authorization checking.
- Use built-in facilities of WebSphere Application Server to manage
users, groups, and authorization policy
Choose this option if you plan to use an LDAP or custom user registry without mapping of identities to SAF user IDs. The simple file-based user registry is not recommended for production use.
- Do not configure or enable administrative security.
This option is not recommended because it allows anyone to make changes to the WebSphere Application Server configuration.
Your WebSphere Application Server environment will not be secured until you configure and enable security manually.
Security Managed by the z/OS Product
- SAF profile prefix
To distinguish between APPL or EJBROLE profiles based on SAF profile prefix, provide an alphanumeric SAF profile prefix of one to eight characters.
All servers in the cell will prepend the SAF profile prefix that you specify to the application-specific J2EE role name to create the SAF EJBROLE profile for checking.
Note: The SAF profile prefix is not used, however, if role checking is performed using WebSphere Application Server for z/OS bindings.
The SAF profile prefix is also used as the APPL profile name and inserted into the profile name used for CBIND checks. The RACF jobs create and authorize the appropriate RACF profiles for the created nodes and servers.
If you do not want to use a SAF profile prefix, leave this field blank.
- User ID associated with unauthenticated client requests
This user ID is sometimes referred to as the guest user ID. It should be given the RESTRICTED attribute in RACF so that it cannot gain access through UACC, through ID(*) entries on access lists, or through the global access checking table.
- Select this option to have RACF assign an unused UID value.
- Select this option to specify a specific UID value.
- UNIX System Services UID number for the user ID that will be associated with unauthenticated client requests
Rule: UID values must be unique numeric values between 1 and 2,147,483,647.
- Select this option if you want to enable writable SAF key ring support
Security Managed by the WebSphere Family Product
- User name for the administrator
- Password for the administrator
Rule: This password must not be blank.
Security Certificate
- Identifier of the personal certificate
It can be customized if necessary. The default syntax for the distinguished name is:
cn=<host>,ou=<cell>,ou=<node>,o=<company>,c=<country>
- Identifier of the root signing certificate
It can be customized if necessary. The default syntax for the distinguished name is:
cn=<host>,ou=Root Certificate,ou=<cell>,ou=<node>,o=<company>,c=<country>
- The default personal certificate is valid for one year. The maximum expiration is ten years.
- The default signing (root) certificate is a self-signed certificate. It has a default validity period of twenty years. The maximum validity period is twenty-five years.
- Default password for all key stores
It should be changed to protect the security of the keystore files and SSL configuration.
Double-byte characters as well as certain ASCII characters such as the asterisk (*) and ampersand (&) are invalid characters for the keystore password.
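Many of the fields described above carry a format or range rule (the cell and system identifier formats, the minimum port range, the UID/GID range and uniqueness requirement, the 39- and 44-character dataset name limits, the seven-character short name and procedure name limits, the eight-character WLM APPLENV and SAF profile prefix limits, the keystore password characters, and the certificate lifetimes). The following added example, which is not IBM code and not part of the Profile Management Tool, collects those rules into a pre-flight check that can be run against the values of a customization definition before they are uploaded. The dictionary keys, the sample values, and the 1..65535 TCP port bounds are assumptions made here, not names or limits taken from the page.

```python
"""Pre-flight checks for Profile Management Tool customization values.
Added example, not IBM code: it encodes the field rules stated on this page so a
response file can be checked before upload. Dictionary keys are illustrative names
chosen here; anything marked ASSUMPTION is not stated on the page."""
import string

MAX_UID_GID = 2_147_483_647   # page: UID/GID values must be between 1 and 2,147,483,647
MIN_PORT_RANGE = 10           # page: the port range must contain at least 10 ports
ALNUM = set(string.ascii_letters + string.digits)

def check_identifiers(cfg, err):
    cell, sysid = cfg["cell_identifier"], cfg["system_identifier"]
    # Cell id: alphabetic then alphanumeric; system id: one alphanumeric character
    if not (len(cell) == 2 and cell[0] in string.ascii_letters and cell[1] in ALNUM):
        err.append("cell_identifier: two characters, alphabetic then alphanumeric")
    if not (len(sysid) == 1 and sysid in ALNUM):
        err.append("system_identifier: one alphanumeric character")

def check_ids(cfg, err):
    # None means "let RACF assign an unused value"; otherwise in range and unique per kind
    for kind in ("uid", "gid"):
        seen = {}
        for name, value in cfg[kind + "s"].items():
            if value is None:
                continue
            if not 1 <= value <= MAX_UID_GID:
                err.append(f"{kind} {name}: {value} is outside 1..{MAX_UID_GID}")
            elif value in seen:
                err.append(f"{kind} {name}: {value} duplicates {seen[value]}")
            seen[value] = name

def check_ports(cfg, err):
    lo, hi = cfg["port_range"]
    # ASSUMPTION: TCP port bounds; the page itself only requires at least 10 ports
    if not 1 <= lo <= hi <= 65535:
        err.append("port_range: need 1 <= lowest <= highest <= 65535")
    elif hi - lo + 1 < MIN_PORT_RANGE:
        err.append(f"port_range: must contain at least {MIN_PORT_RANGE} ports")
    for key in ("soap_connector_port", "bootstrap_port"):
        if cfg[key] == 0:   # page: value cannot be 0 (only the ORB SSL port may be 0)
            err.append(f"{key}: value cannot be 0")

def check_names(cfg, err):
    # 39 characters max, so that hlq + ".CNTL" / ".DATA" fits a 44-character dataset name
    if not 0 < len(cfg["config_hlq"]) <= 39:
        err.append("config_hlq: 1 to 39 characters")
    if not 0 < len(cfg["config_fs_dataset"]) <= 44:
        err.append("config_fs_dataset: 1 to 44 characters")
    short = cfg["server_short_name"]   # also the control region JOBNAME; servant is short + "S"
    if not (0 < len(short) <= 7 and short.isupper()):
        err.append("server_short_name: seven or fewer uppercase characters")
    if not (0 < len(cfg["wlm_applenv"]) <= 8 and cfg["wlm_applenv"].isupper()):
        err.append("wlm_applenv: eight or fewer uppercase characters")
    for key in ("control_proc", "servant_proc", "daemon_proc"):
        if not 0 < len(cfg[key]) <= 7:
            err.append(f"{key}: seven or fewer characters")
    prefix = cfg["saf_profile_prefix"]   # blank means no prefix is used
    if prefix and not (len(prefix) <= 8 and prefix.isascii() and prefix.isalnum()):
        err.append("saf_profile_prefix: blank or 1 to 8 alphanumeric characters")

def check_secrets(cfg, err):
    # page: '*', '&' and double-byte characters are invalid in the keystore password
    if any(c in "*&" or ord(c) > 0x7F for c in cfg["keystore_password"]):
        err.append("keystore_password: contains '*', '&' or a non-ASCII character")
    if cfg["security"] == "websphere" and not cfg["admin_password"]:
        err.append("admin_password: must not be blank")
    if not 1 <= cfg["personal_cert_years"] <= 10:
        err.append("personal_cert_years: maximum expiration is ten years")
    if not 1 <= cfg["root_cert_years"] <= 25:
        err.append("root_cert_years: maximum validity period is twenty-five years")

def validate(cfg):
    """Return every rule violation for one customization definition (empty list if clean)."""
    err = []
    for check in (check_identifiers, check_ids, check_ports, check_names, check_secrets):
        check(cfg, err)
    return err

# Constructed sample values; only the dataset prefix comes from the page's own example
SAMPLE = {
    "cell_identifier": "AZ", "system_identifier": "1",
    "uids": {"control": 2401, "servant": 2402, "admin": 2403, "guest": None},
    "gids": {"config": 2500, "servant": 2501, "local": 2502},
    "port_range": (28000, 28099), "soap_connector_port": 28002, "bootstrap_port": 28003,
    "config_hlq": "SYSPROG1.WAS90.TESTCELL.APPSERV",
    "config_fs_dataset": "OMVS.WAS90.TESTCELL.CONFIG.ZFS",
    "server_short_name": "AZAGNTA", "wlm_applenv": "AZAGNTA",
    "control_proc": "AZACRA", "servant_proc": "AZASRA", "daemon_proc": "AZDMNA",
    "saf_profile_prefix": "TESTCELL", "security": "saf", "admin_password": "",
    "keystore_password": "ChangeMe1", "personal_cert_years": 1, "root_cert_years": 20,
}

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("ERROR:", problem)
```

Run it against the values you intend to enter before generating the customization definition; an empty result means every rule the page states is satisfied, and each reported line names the field to correct. The check deliberately treats a UID or GID of None as "let RACF assign an unused value", matching the panel option, and applies the uniqueness rule only to the values you chose yourself.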
Job Information
- All the customization jobs that will be tailored for you will need a job statement. Enter a valid job statement for your installation.
The customization process will update the job name for you in all the generated jobs, so you need not be concerned with that portion of the job statement. If continuation lines are needed, replace the comment lines with continuation lines.