Decide on the started task names of the broker, Configuration Manager, and User Name Server. These names are used to set up started task authorizations, and to manage your system performance.
If you intend to use Publish/Subscribe, define a group called MQBRKRS and connect the started task user IDs to this group. Define an OMVS group segment for this group so that the User Name Server can extract information from the External Security Manager (ESM) database to enable you to use Publish/Subscribe security.
A unique group for the broker (for example MQP1GRP), which has all necessary DB2 authorities defined. The broker started task user ID and the WebSphere Message Broker administrator are both members of this group.
    LU userid OMVS

The command output includes the OMVS segment, for example:

    USER=MQP1BRK NAME=SMITH, JANE OWNER=TSOUSER CREATED=99.342
    DEFAULT-GROUP=TSOUSER PASSDATE=01.198 PASS-INTERVAL=30
    ......
    OMVS INFORMATION
    ----------------
    UID=0000070594
    HOME=/u/MQP1BRK
    PROGRAM=/bin/sh
    CPUTIMEMAX=NONE
    ASSIZEMAX=NONE
    FILEPROCMAX=NONE
    PROCUSERMAX=NONE
    THREADSMAX=NONE
    MMAPAREAMAX=NONE

The command:

    df -P /u/MQP1BRK

displays the amount of space used and available, where /u/MQP1BRK is the value from HOME above. This command shows you how much space is currently available in the file system. Check with your data administrators that this is sufficient. You need a minimum of 400 000 blocks free; this is needed if a dump is taken.
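The two checks above (HOME from the LU output, then free space from df -P) can be scripted as a pre-flight test. This is an added example, not IBM-supplied code: the function names, the sample LU and df output, and the file system name OMVS.MQP1BRK.HFS are constructed for illustration, and only the 400 000 block minimum comes from the text.

```shell
#!/bin/sh
# Added example: pre-flight check that the started task home directory
# has enough free space for a dump. Minimum taken from the text above.
MIN_FREE_BLOCKS=400000

# Constructed sample of "LU userid OMVS" output (values as shown above).
SAMPLE_LU='USER=MQP1BRK NAME=SMITH, JANE OWNER=TSOUSER CREATED=99.342
OMVS INFORMATION
----------------
UID=0000070594
HOME=/u/MQP1BRK
PROGRAM=/bin/sh'

# Constructed sample of "df -P /u/MQP1BRK" output (POSIX column layout).
SAMPLE_DF='Filesystem       512-blocks    Used Available Capacity Mounted on
OMVS.MQP1BRK.HFS    1440000  960000    480000      67% /u/MQP1BRK'

# Read LU output on stdin, print the HOME value of the OMVS segment.
omvs_home() {
    sed -n 's/^[[:space:]]*HOME=[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Read df -P output on stdin, print the Available column of the data line.
df_available() {
    awk 'NR == 2 { print $4 }'
}

# Return 0 if $1 meets the minimum, 1 if it is too low, 2 if it is
# empty or not a number (for example when df failed or HOME is missing).
enough_dump_space() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge "$MIN_FREE_BLOCKS" ]
}

# Demonstration on the constructed samples. On a live system, replace
# the second pipeline with: df -P "$home" | df_available
home=$(printf '%s\n' "$SAMPLE_LU" | omvs_home)
avail=$(printf '%s\n' "$SAMPLE_DF" | df_available)
if enough_dump_space "$avail"; then
    echo "$home: $avail blocks available, meets the $MIN_FREE_BLOCKS minimum"
else
    echo "$home: $avail blocks available, below the $MIN_FREE_BLOCKS minimum"
fi
```

A return code of 2 from enough_dump_space means the input could not be parsed, which usually indicates a missing OMVS segment or home directory rather than low space.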
Associate the started task procedure with the user ID to be used. For example, you can use the STARTED class in RACF®. The WebSphere Message Broker and z/OS administrators must agree on the name of the started task.
WebSphere Message Broker administrators need an OMVS segment and a home directory. Check the setup described above.
The started task user IDs and the WebSphere Message Broker administrators need access to the install processing files, the component-specific files, and the home directory of the started task. During customization, the file ownership can be changed to alter group access. This might require superuser authority.
When the service user ID is root, all libraries loaded by the broker, including all user-written plug-in libraries and all shared libraries that they might access, also have root access to all system resources (for example, file sets). Review and assess the risk involved in granting this level of authorization.
For more information on various aspects of security, see Security overview.