Setting up z/OS security

You need to complete some security configuration tasks before WebSphere Event Broker can work correctly. The steps you need to follow are described in this topic and in the related tasks listed at the end of it.

Decide on the started task names of the broker, Configuration Manager, and User Name Server. These names are used to set up started task authorizations, and to manage your system performance.

Decide on a data set naming convention for your WebSphere Event Broker PDSEs. A typical name might be WMQI.MQP1BRK.CNTL or MQS.MQP1UNS.BIPCNTL, where MQP1 is the queue manager name. You need to give the WebSphere Event Broker, WebSphere MQ, DB2, and z/OS administrators access to these data sets. You can give these professionals control access in several ways, for example:
  • Give each user individual access to the specific data set.
  • Define a generic data set profile, defining a group that contains the user IDs of the administrators. Grant the group control access to the generic data set profile.

If you intend to use Publish/Subscribe, define a group called MQBRKRS and connect the started task user IDs to this group. Define an OMVS group segment for this group so that the User Name Server can extract information from the External Security Manager (ESM) database to enable you to use Publish/Subscribe security.

Each broker needs a unique ID for its DB2 tables. This can be either of the following:
  • A unique started task user ID (you could use the broker name as the started task user ID), together with a unique group for the broker (for example MQP1GRP) that has been granted all necessary DB2 authorities. The broker started task user ID and the WebSphere Event Broker administrator are both members of this group.
  • A shared started task user ID and a unique group specified to identify the DB2 tables to be used with the ODBC interface. Use the broker name as the group name.
Define an OMVS segment for the started task user ID and give its home directory sufficient space for any WebSphere Event Broker dumps. Consider using the started task procedure name as the started task user ID. Check that your OMVS segment is defined by using the following TSO command:
LU userid OMVS
The command output includes the OMVS segment, for example:
USER=MQP1BRK NAME=SMITH, JANE OWNER=TSOUSER
CREATED=99.342 DEFAULT-GROUP=TSOUSER PASSDATE=01.198
PASS-INTERVAL=30
......
OMVS INFORMATION
----------------
UID=0000070594
HOME=/u/MQP1BRK
PROGRAM=/bin/sh
CPUTIMEMAX=NONE
ASSIZEMAX=NONE
FILEPROCMAX=NONE
PROCUSERMAX=NONE
THREADSMAX=NONE
MMAPAREAMAX=NONE
The command:
df -P /u/MQP1BRK
displays the amount of space used and available in the file system, where /u/MQP1BRK is the value of HOME in the output above. Check with your data administrators that this is sufficient: you need a minimum of 400 000 blocks free, because this space is needed if a dump is taken.

Associate the started task procedure with the user ID to be used. For example, you can use the STARTED class in RACF®. The WebSphere Event Broker and z/OS administrators must agree on the name of the started task.

WebSphere Event Broker administrators need an OMVS segment and a home directory. Check the setup described above.
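As an added example that is not part of the original topic, the following RACF commands show one way a security administrator might carry out the steps above for a broker whose started task procedure is MQP1BRK. The user ID MQP1BRK, the groups MQP1GRP and MQBRKRS, the administrator ID MQP1ADM, the UID and GID values, and the data set prefix WMQI.MQP1BRK are assumed sample values; the commands are written as a CLIST fragment, with comments in /* */, and the DB2 GRANT statements for MQP1GRP are outside its scope.

```tso
/* Group that owns the broker's DB2 tables; the broker user and the   */
/* administrator are both connected to it.                            */
ADDGROUP MQP1GRP OMVS(GID(70594))

/* Publish/Subscribe group. The OMVS segment lets the User Name       */
/* Server read group information from the ESM database.               */
ADDGROUP MQBRKRS OMVS(GID(70595))

/* Started task user ID, named after the procedure, with an OMVS      */
/* segment and a home directory large enough for broker dumps.        */
/* NOPASSWORD: the ID is for a started task, not for logon.           */
ADDUSER MQP1BRK NAME('BROKER MQP1') DFLTGRP(MQP1GRP) NOPASSWORD +
   OMVS(UID(70594) HOME('/u/MQP1BRK') PROGRAM('/bin/sh'))
CONNECT MQP1BRK GROUP(MQBRKRS)

/* Administrator: also needs an OMVS segment and a home directory,    */
/* and membership of the broker group for DB2 access.                 */
ALTUSER MQP1ADM OMVS(UID(70600) HOME('/u/MQP1ADM') PROGRAM('/bin/sh'))
CONNECT MQP1ADM GROUP(MQP1GRP)
CONNECT MQP1ADM GROUP(MQBRKRS)

/* Associate the started task procedure with the user ID through the  */
/* STARTED class. TRUSTED(NO) keeps the task subject to normal access */
/* checks rather than bypassing them.                                 */
RDEFINE STARTED MQP1BRK.* STDATA(USER(MQP1BRK) GROUP(MQP1GRP) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* Generic data set profile for the broker PDSEs: no general access,  */
/* CONTROL access for the group of administrators.                    */
ADDSD 'WMQI.MQP1BRK.*' UACC(NONE)
PERMIT 'WMQI.MQP1BRK.*' ID(MQP1GRP) ACCESS(CONTROL)
SETROPTS GENERIC(DATASET) REFRESH

/* Verify the OMVS segment, as described in this topic.               */
LU MQP1BRK OMVS
```

The STARTED class must already be active (SETROPTS CLASSACT(STARTED)) and generic data set profiles enabled (SETROPTS GENERIC(DATASET)) for these commands to take effect.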

The started task user IDs and the WebSphere Event Broker administrators need access to the install processing files, the component-specific files, and the home directory of the started task. During customization the file ownership can be changed to alter group access; this might require superuser authority.

When the service user ID is root, all libraries loaded by the broker, including all user-written plug-in libraries and all shared libraries that they might access, also have root access to all system resources (for example, file sets). Review and assess the risk involved in granting this level of authorization.

For more information on various aspects of security, see Security overview.

Related concepts
Security overview
Enabling the Configuration Manager on z/OS to obtain user ID information
Related tasks
Setting up DB2
Setting up WebSphere MQ
Setting up workbench access on z/OS
Creating Publish/Subscribe user IDs
Related reference
Customization tasks and roles on z/OS
Summary of required access (z/OS)