Configuring Security

This chapter tells you how to define a SERNET started task running ChangeMan ZMF to your security system and define security entities that grant authorization to execute ChangeMan ZMF functions.

Introduction

See Security Considerations for a description of how ChangeMan ZMF works with your security system.

This chapter includes instructions for configuring security in the three security systems that are compatible with ChangeMan ZMF: IBM Security Server RACF, CA ACF2, and CA Top Secret. Regardless of the security system you use, these are the tasks you perform.

Set switches in security interface program SERLCSEC.
Identify each SERNET instance to your security system as a started task.
Assign a User ID to each SERNET started task. One User ID may be assigned to several SERNET started tasks if their data set access needs are identical.
Set up a security resource class under which ChangeMan ZMF security entities can be defined.
Define security entities to grant authorization to execute ChangeMan ZMF functions.
Permit data set access to the SERNET started tasks.
Add an OMVS segment for access to TCP/IP facilities in Unix System Services.

Step 1: Customize SERLCSEC

Program SERLCSEC establishes the security environment for the user's subtask in SERNET so that the subtask runs with the authority of the logged on user.

If your security system is IBM Security Server RACF, no changes to SERLCSEC are required unless you plan to implement XMLSERV and/or use XML. SERLCSEC uses this statement to define the XML class that will be used in your security system:

XMLCLASS DC    CL8'$XMLSERV'    XML class

You will need to adjust this value according to your site requirements. It is independent of the value specified in your Package Master Initialize job, INITIAL2 step INITPM for the PARM RSRCCL but it may be defined here in SERLCSEC as the same value.

If you use CA Top Secret or CA ACF2 as your security system, see the topics below for changes you might make to SERLCSEC.

Before you modify the source code for SERLCSEC, copy the source for program SERLCSEC from the delivered SERCOMC ASMSRC library to your custom ASMSRC library, and make your changes in the custom library.

To assemble and link edit SERLCSEC, See Assembling SERLCSEC.

CA Top Secret Security Violations

Many CA Top Secret customers can run with the delivered switch settings in SERLCSEC.

However, if you are using CA Top Secret and there are too many security violations for users to connect to ChangeMan ZMF, set the bit switch for \&LOGSVIO to zero, as shown in the SERLCSEC code fragment below:

    *--------------------------------------------------------------------
    * Below is where the user can tailor the source code
    *--------------------------------------------------------------------
    &VERFYID   SETB  1     (YES)        SAF user ID verification
I - &LOGSVIO   SETB  0     (YES)        security violation logging
D - &LOGSVIO   SETB  1     (YES)        security violation logging
    &LOGSEL    SETB  1     (NO)         selective logging (by calling pgm)
    &STUB      SETB  0     (NO)         nullfy security checking
    *--------------------------------------------------------------------
    *ACF2 batch ids are specified in a user modifiable table
    *     'F ACF2BAT WORD 1' will find the start of this table.
    *     Please modify it as necessary.
    *--------------------------------------------------------------------
    * Notes:
    *    #1 If &VERFYID is set to '1' in a Top Secret (TSS) shop,
    *       the started task must be set up as a MULTIUSER FACILITY.
    *    #2 &LOGSVIO must be set to '1' for &LOGSEL to have any affect.
    *       If selective logging is selected, the logging is determined
    *       by the calling program from products like XCH, CMN and CMW.
    *--------------------------------------------------------------------

...

CA ACF2 Batch LOGONID

Customers who use CA ACF2 for their security system may need to define alternate user IDs for the LOGONID in batch JCL submitted by ChangeMan ZMF through the SERNET started task. Batch LOGONIDs are included but commented out in ZMF JOB statement skeletons:

)CM //*LOGONID CMNBATCH <--- UNCOMMENT FOR ACF2

Alternate user IDs are specified in a table in SERLCSEC. Alternate user IDs may be assigned globally across all SERNET instances, or an alternate user ID can be assigned to a specific SERNET instance by specifying a subsystem ID.

See the comments at label ACF2BAT in program SERLCSEC for details about coding entries in the LOGONID table.

Note

The table at ACF2BAT was created to provide alternate user IDs in CA ACF2. However, user IDs coded in this table are also authorized in IBM Security Server RACF and CA Top Secret.

Assembling SERLCSEC

If you modified the source for program SERLCSEC, follow these steps to assemble the custom source to create a custom load module.

Copy member ASSEMBLE from the delivered SERCOMC CNTL library to your custom CMNZMF CNTL library.
Edit the assemble and link JCL.
1. Code your JOB statement at the top.
2. Change the assembler program name and the linkage editor program name to comply with your local standards.
3. Change the SYSLIB concatenation for the ASM step to include the delivered CMNZMF and SERCOMC copybook and source libraries.
4. Change the SYSLIB concatenation for the LKED step to include the delivered CMNZMF and SERCOMC LOAD libraries.
5. Change the SYSLMOD data set name in the link step to point to your ChangeMan ZMF custom LOAD library. Do not link-edit into a delivered LOAD library.
6. Code the symbolic parameters on the EXEC statement, which follows the PEND statement at the bottom of the in-line procedure. Set MBR to the program name SERLCSEC. Code AC=0 for the authorization code symbolic parameter.
Submit the ASSEMBLE job JCL.

...
If the return code is zero, compare the directory entries for SERLCSEC in your custom LOAD library to the directory entries in the delivered LOAD library. If they are not identical, adjust the ASSEMBLE job JCL and submit the job again.
If you are changing SERLCSEC after you have brought up the SERNET started task, shut SERNET down and restart it to enable your changes.

...

Stubbing ChangeMan ZMF Security

If you have difficulty gaining access to ChangeMan ZMF administration because of security problems, you can temporarily code SERLCSEC to disable security checking. Set the \&STUB switch to 1 and set &VERFYID switch to 0.

Caution

Only use the STUB switch in SERLCSEC temporarily and with extreme caution because it allows all users access to all ChangeMan ZMF functions. This gives them the authority to update all libraries managed by ChangeMan ZMF. Stubbing security also allows anyone to connect to ChangeMan ZMF and make changes to global and application administration.

Step 2: Add ChangeMan ZMF to Your Security System

Set up entities and grant privileges in your security system to restrict access to

ChangeMan ZMF functions. For a general discussion of security and ChangeMan ZMF, see Security Considerations.

Add ChangeMan ZMF to CA ACF2

The steps listed here provide examples specific to CA ACF2 for accomplishing the security setup tasks listed in the Introduction of this section. The following conventions are used in these examples:

CMN is the CA ACF2 resource type.
SERUSER is the SERNET logon ID.
SERPROC is the started procedure name.
CMNBATCH is the batch LOGONID. ChangeMan ZMF JOB statement skeletons contain CMNBATCH for the LOGONID.
CMNxADSP is the started procedure name for the default file tailoring started task, where x is the subsystem ID of the SERNET started task that initiates CMNxADSP.

Important

Resource type CMN was suggested when you initialized the package master VSAM file in Step 4: Define ChangeMan ZMF VSAM Files. If you use a different resource type here to satisfy local requirements, code the same resource type in initialization subparameter RSRCCL.

This section is not intended to be an authoritative reference for CA ACF2 command syntax. Your security administrator should be aware of the intent of each step and should adjust the sample command syntax if necessary.

Change the ACF2 Global System Options (GSO) to associate a logon ID with started tasks. Set up a default logon ID to allow all started tasks to come up successfully. From the TSO command processing option, enter the following commands:
```
ACF2
SET CONTROL(GSO)
INSERT ACFSTCID (Set up default logon ID for started tasks)
OPTS STC (To have privilege of started task)
```
Set up SERUSER as unique logon ID for SERNET. From the TSO command processing option enter the following commands:
```
ACF2
SET CONTROL(GSO)
INSERT SERUSER (To insert a new logon ID)
OPTS STC (To have privilege of started task)
```
To give ChangeMan ZMF enough data set access to perform its functions, add noncancel authority NONCNCL or PREFIX(********).
Add two TSO IDs to enable SERNET to submit batch jobs:
1. Add one TSO ID with the started task option:
```
ACF
SET LID
INSERT SERPROC JOB STC ACC-SRCE(STCINRDR) MUSASS
```
  MUSASS means multiple-user single address space system.
2. Add a second ID with the TSO and batch option. Define this ID so that it can be invoked with //*LOGONID by SERNET programs SERVMDUH and SERUSER:
```
ACF
SET LID
INSERT CMNBATCH JOB TSO PROGRAM(SER-)
RESTRICT SUBAUTH
```
  Caution
  
  Verify that neither of these IDs is assigned to users as a TSO logon ID.
Create an ACF2 GSO record type STC for the default file tailoring started procedure CMNxADSP, where x is the subsystem ID of the SERNET started task:
```
ACF2
SET CONTROL(GSO)
INSERT STC.CMN LOGONID(SERUSER) STCID(CMNxADSP)
```
Assign the same user ID as the SERNET started task that initiates the file tailoring started task.

Make additional entries when you create other file tailoring started procedures and enter them in global administration.

Add the following version-dependent definitions to the environment:

For ACF2 Version 4:

SAFMAPS          MAPS(CMN/CMN)
SAFPROT          SUBSYS(SVC109)
CNTLPTS(SER-)
CLASSES(CMN,DATA SET)

For ACF2 Version 6.x:

SET C(GSO)
INSERT CLASMAP.CMN
RESOURCE(CMN)
RSRCTYPE(CMN)
INSERT SAFDEF.CMN001
ID(CMN001)
PROGRAM(SER-)
RB(SVC109)
RACROUTE(REQUEST=AUTH CLASS=CMN)

Copy member #ACF2 from the delivered CMNZMF CNTL library to your custom CMNZMF CNTL library. This member contains model code to create a CA ACF2 rule base for ChangeMan ZMF security entities under the CMN resource class.
Edit PDS member #ACF2 to create CA ACF2 rules for the five administrative security entities. You will define more entities and rules later, but these definitions allow you to get ChangeMan ZMF running.
1. Code your JOB statement at the top.
2. Code a valid output data set name for the rule base PDS.
3. Change IEBUPDTE control characters from $/ to ./
4. Code CA ACF2 rules for the five administrative security entities listed in Administrator and Change Manager Security Entities. Remember that if you want rules specific to one subsystem ID, imbed the subsystem ID in the fixed format security entity name.
5. Move the code for all other security entities outside of the IEBUPDTE JCL, then submit the job to create the somnode.CMNZMF.ACF2 PDS.
Activate the resource type CMN and compile the members you just created in the custom CNTL member #ACF2. Enter the following commands from the TSO command processing option:
```
ACF2
SET RESOURCE(CMN)
COMPILE 'somnode.CMNZMF.ACF2' ALL STORE
```
Check for any super IDs to verify that there are no other logon ID’s that have authority to update libraries managed by ChangeMan ZMF. If an ID has NONCNCL authority, it can access any data set or authority level secured for ChangeMan ZMF.
If you use the ACF2 TSO Command Limiting feature to restrict execution access to TSO commands, add the following ChangeMan ZMF programs to the ACF2 Command Limiting Table:
```
CMNINIT
CMNCISPF
```
This is the format of the table entries:
```
TSOtable CSECT *        REGIONAL ACF2 TABLE
TSOCST ,                TSO RESTRICTED COMMANDS LIST
$TSOCMD CLS             CLEAR SCREEN
$TSOCMD CMNINIT         CHAMGEMAN ZMF INITIALIZATION
$TSOCMD CMNCISPF        SECURE PROGRAM NAMES TABLE
$TSOCEND ,              INDICATE END OF LIST END
```
If you use the ACF2 Command Limiting Feature and do not make the table entries above, and you attempt to use ZMF, the following message results:
```
IKJ56500I COMMAND XXXXXXXX NOT FOUND
```
...

Caution

Do not add these modules to the TSO Command Table IKJTSOnn in SYS1.PARMLIB. If you do and you attempt to use ZMF, your session will freeze and this message is displayed: ISPS118L SERVICE NOT INVOKED. A VALID ISPF ENVIRONMENT DOES NOT EXIST.

Add ChangeMan ZMF to IBM Security Server RACF

The steps listed here provide examples specific to IBM Security Server RACF for accomplishing the security setup tasks listed in the "Introduction." The following conventions are used in these examples:

$CHGMAN is the general resource class.
SERPROC is the member name of the started procedure.
SERTASK is the jobname assigned to the started task when procedure member SERPROC is started. See SERNET Started Task Names.
SERUSER is the RACF user ID for all SERNET instances. If you want different RACF authority for different SERNET instances, assign a unique user ID to each.
CMNxADSP is the procedure member name of the default file tailoring started task, where x is the subsystem ID of the SERNET started task that initiates CMNxADSP. See Step 11: Build Default File Tailoring Procedure.

Important

Resource class name $CHGMAN was suggested when you initialized the package master VSAM file in Step 4: Define ChangeMan ZMF VSAM Files. If you use a different resource class name here to satisfy local requirements, do the following:

Follow the rules for class name syntax in the z/OS Security Server RACF Security Administrator’s Guide.
Code the same resource class name in initialization subparameter "RSRCCL".

This section is not intended to be an authoritative reference for RACF command syntax. Your security administrator should be aware of the intent of each step and should adjust the sample command syntax if necessary.

Define $CHGMAN as a RACF resource class by adding an entry to the dynamic class descriptor table (CDT).

Use this job to execute commands to define the class to the CDT. You can also enter the commands under TSO or through RACF administrative panels.

//jobname JOB (account),'CHGMAN/RACF',
//              CLASS=?,NOTIFY=?,
//              MSGCLASS=?
//* RACF class descriptor table - sample assembly *
//CDTDEF   EXEC     PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD       SYSOUT=*
//SYSTSIN  DD       *
 RDEFINE CDT $CHGMAN UACC(NONE) CDTINFO(DEFAULTUACC(NONE) +
  FIRST(ALPHA) OTHER(ALPHA NUMERIC NATIONAL               +
  SPECIAL) MAXLENGTH(39) POSIT(25)                        +
  RACLIST(REQUIRED) OPERATIONS(NO))
SETROPTS CLASSACT($CHGMAN)
SETROPTS GENERIC($CHGMAN)
SETROPTS RACLIST($CHGMAN)
SETROPTS RACLIST(CDT) REFRESH

In this example:

The RDEFINE statement declares $CHGMAN as class to RACF and specifies its characteristics.
The first SETROPTS statement activates the class.
The second SETROPTS statement allows the specification of generic profiles in this class.
The third SETROPTS statement activates these definitions immediately.

Define the user ID that will be assigned to the SERNET started task:

ADDUSER SERUSER NAME('SERNET') OWNER(owner userid) +
   DFLTGRP(group name) DATA('SERNET STARTED TASK')

Add each SERNET instance to the STARTED class to associate the started task with the user ID.

Note

With RACF 2.1 and higher, you may define started procedures to the STARTED class rather than adding them to the RACF Started Procedure Table, which requires an IPL. The STARTED class must be active at your site.

Use the following command:
```
RDEF STARTED SERPROC.SERTASK STDATA(USER(SERUSER) +
    GROUP(groupname))
SETROPTS RACLIST(STARTED) REFRESH
```
...

In the STARTED class, you specify both the started procedure member name and the jobname assigned in the START command. (See SERNET Started Task Names.) You can use a wild card for the jobname:
```
RDEF STARTED SERPROC.** STDATA(USER(SERUSER) GROUP(groupname)) 
```
or
```
RDEF STARTED SERPROC.SER* STDATA(USER(SERUSER) GROUP(groupname))
```
Make an additional entry in the STARTED class for the default file tailoring started procedure CMNxADSP, where x is the subsystem ID of the SERNET started task. Issue the following command:
```
RDEF STARTED CMNxADSP.** STDATA(USER(SERUSER) + 
     GROUP(groupname))
```
Assign the same user ID as the SERNET started task that initiates the file tailoring started task.

Note

Make additional entries in the STARTED class when you create other file tailoring started procedures besides CMNxADSP and enter their names in global administration.

Add ChangeMan ZMF to CA Top Secret

The steps listed here provide examples specific to CA Top Secret for accomplishing the security setup tasks listed in the Introduction. The following conventions are used in these examples:

SERPROC is the member name of the started procedure.
SERACID is the name of ACID associated with the SERNET instance.
SERFAC is the name of the Multiuser Facility created for the SERNET instance.
CMNxADSP is the procedure member name of the default file tailoring started task, where x is the subsystem ID of the SERNET started task that initiates CMNxADSP.

This section is not intended to be an authoritative reference for CA Top Secret command syntax. Your security administrator should be aware of the intent of each step and should adjust the sample command syntax if necessary.

Define the SERNET server as a Multiuser Facility, using one of the dummy facility entries in the Facilities Matrix Table. See the CA Top Secret USER GUIDE for information on how to add a new facility.

Example:
```
FACILITY(USERxx=NAME=SERFAC)
FACILITY(SERFAC=PGM=SER)
FACILITY(SERFAC=NOASUBM)
FACILITY(SERFAC=LCFCMD)
FACILITY(SERFAC=UIDACID=7)
```
Execute a TSS refresh to implement this parameter change, or perform a temporary change until the next refresh or IPL by executing this command:
```
TSS MODIFY FACILITY(USERxx=NAME=SERFAC)
```

After the above TSS command has been completed, query Top Secret to verify that the definition is correct.

TSS MODIFY FAC(SERFAC)

The following messages are from a successful installation.

TSS9550I FACILITY DISPLAY FOR SERFAC
TSS9551I INITPGM=SER ID=T TYPE=013
TSS9552I
    ATTRIBUTES=INUSE,ACTIVE,SHRPRF,NOASUBM,NOABEND,MULTIUSER,NOXD 
    EF
TSS9552I ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
TSS9552I ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFCMD 
TSS9552I
    ATTRIBUTES=MSGLC,NOTRACE,NOEODINIT,IJU,NODORMPW,NONPWR,NOIMSX 
    TND
TSS9553I MODE=FAIL DOWN=GLOBAL LOGGING=INIT,MSG
TSS9554I UIDACID=8 LOCKTIME=000 DEFACID=*NONE* KEY=8
TSS9556I MAXUSER=03000 PRFT=003 
TSS0300I MODIFY FUNCTION SUCCESSFUL

4. Create a CA Top Secret started task (STC):

TSS CREATE(SERACID) TYPE(USER) NAME('SERACID STC FOR CHGMAN')
FACILITY(STC,BATCH,SERFAC) DEPT(NAME) PASS(NOPW,0)

Add the new STC to the Started Task Table:

TSS ADD(STC) ACID(SERACID) PROCNAME(SERPROC)

Make an additional entry in the Started Task Table for the default file tailoring started procedure CMNxADSP, where x is the subsystem ID of the SERNET started task:
```
TSS ADD(STC) ACID(SERACID) PROCNAME(CMNxADSP)
```
Assign the same user ID as the SERNET started task that initiates the file tailoring started task.

Make additional entries when you create other file tailoring started procedures and enter them in global administration.
Add access to the facility (SERFAC) for the started task user ID (SERACID) and anyone who will use ChangeMan ZMF:
```
TSS ADD(SERACID) FACILITY(SERFAC)
```
Note

Repeat this command for each user that requires this access, or put it in a profile to which users are attached.

For more information, refer to the CA Top Secret OS Reference Guide Volume 3, Section: TSS Command Function.

Step 3: Define Security Entities

Define security entities used to authorize administrative and package management functions as described in topic Access to ChangeMan ZMF Functions, including the two subtopics "Administrator and Change Manager Security Entities" and "Mandatory System-Specific Security Entities".

The examples in this section use the values described in this table.

Value	Description
3	Subsystem ID of the SERNET instance running ChangeMan ZMF. The subsystem ID is imbedded in the fixed format security entities, such as CMN3GBAD.
$CHGMAN	General resource class for ChangeMan ZMF
ACTP	Four-character ChangeMan application mnemonic for the Accounts Payable application
APBUSMGR	Security entity for approval of ACTP change packages by the business manager
APPRJMGR	Security entity for approval of ACTP change packages by the project manager
TESTQA	Security entity for promotion to a QA test environment
TESTUT	Security entity for promotion to a unit test environment
USER111	TSO user ID of the ChangeMan ZMF Global Administrator
USER222	TSO user ID of the ChangeMan ZMF Application Administrator for the Accounts Payable application
USER333	TSO user ID of the Accounts Payable Department Manager
USER444	TSO user ID of the IT Project Manager for the Accounts Payable application
USER555	TSO user ID of the QA Test Coordinator who promotes packages to the QA test environment libraries
USER666	TSO user ID of a developer on the Accounts Payable application who creates ACTP packages and changes ACTP components
USER777	TSO user ID of a business analyst in the Accounts Payable department who is allowed to query packages, browse Accounts Payable programs, but not make changes
USER888	TSO user ID of the Operations Supervisor

The steps listed here show you how to define ChangeMan ZMF security entities in IBM Security Server RACF.

Note

When you define a ChangeMan ZMF security entity in your security system, you define it with no universal access. READ or UPDATE access is established when you grant a user ID or group access to the security entity.

Define the five fixed-format ChangeMan ZMF administrative security entities under the $CHGMAN resource class.

RDEFINE $CHGMAN CMN3GBAD OWNER(@$CHGMAN) +
    UACC(NONE) APPLDATA('GLOBAL ADMINISTRATOR')
RDEFINE $CHGMAN CMN3LCAD OWNER(@$CHGMAN) +
    UACC(NONE) APPLDATA('LOCAL ADMINISTRATOR')
RDEFINE $CHGMAN CMN3REVR OWNER(@$CHGMAN) +
    UACC(NONE) APPLDATA('CHANGEMAN ZMF REVERT')
RDEFINE $CHGMAN CMN3BKOU OWNER(@$CHGMAN) +
    UACC(NONE) APPLDATA('CHAMGEMAN ZMF BACKOUT')
RDEFINE $CHGMAN CMN3MON OWNER(@$CHGMAN) + 
    UACC(NONE) APPLDATA('MONITOR SCHEDULER LIMBO')

...

Permit ChangeMan ZMF administrators and application project managers access to the administration functions. In this example, access is granted to TSO user IDs, but you will permit access to groups for easier maintenance.

PE CMN3GBAD CLASS($CHGMAN) ID(USER111) +
    ACCESS(UPDATE)
PE CMN3LCAD CLASS($CHGMAN) ID(USER222) +
    ACCESS(UPDATE)
PE CMN3REVR CLASS($CHGMAN) ID(USER444) +
    ACCESS(UPDATE)
PE CMN3BKOU CLASS($CHGMAN) ID(USER444) +
    ACCESS(UPDATE)
PE CMN3BKOU CLASS($CHGMAN) ID(USER888) +
    ACCESS(UPDATE)
PE CMN3MON CLASS($CHGMAN) ID(USER222) +
    ACCESS(UPDATE)
PE CMN3MON CLASS($CHGMAN) ID(USER888) +
    ACCESS(UPDATE)

Define security entities for applications under the $CHGMAN resource class.

RDEFINE $CHGMAN ACTP OWNER(@$CHGMAN) UACC(NONE) +
   APPLDATA('ACCOUNTS PAYABLE APPLICATION')

Define security entities for package approvals under the $CHGMAN resource class.

RDEFINE $CHGMAN APPRJMGR OWNER(@$CHGMAN) +
    UACC(NONE) +
    APPLDATA('ACCOUNTS PAYABLE PROJECT MANAGER')
RDEFINE $CHGMAN APBUSMGR OWNER(@$CHGMAN) +
    UACC(NONE) +
    APPLDATA('ACCOUNTS PAYABLE BUSINESS MANAGER') **5** Permit package approvers access to approval security entities.

Permit package approvers access to approval security entities.

PE APPRJMGR CLASS($CHGMAN) ID(USER444) +
    ACCESS(UPDATE)
PE APBUSMGR CLASS($CHGMAN) ID(USER333) +
    ACCESS(UPDATE)

Define security entities for package promotion under the $CHGMAN resource class.

RDEFINE $CHGMAN TESTUT OWNER(@$CHGMAN) +
    UACC(NONE) +
    APPLDATA('UNIT TEST COORDINATOR')
RDEFINE $CHGMAN TESTQA OWNER(@$CHGMAN) +
    UACC(NONE) +
    APPLDATA('QA TEST COORDINATOR')

Permit developers and test coordinators access to promotion security entities.

PE TESTUT CLASS($CHGMAN) ID(USER666) +
    ACCESS(UPDATE)
PE TESTQA CLASS($CHGMAN) ID(USER555) +
    ACCESS(UPDATE)

...

Permit access to applications by application administrators, package approvers, test coordinators, developers, and others.

PE ACTP CLASS($CHGMAN) ID(USER222) ACCESS(UPDATE)
PE ACTP CLASS($CHGMAN) ID(USER333) ACCESS(READ)
PE ACTP CLASS($CHGMAN) ID(USER444) ACCESS(READ)
PE ACTP CLASS($CHGMAN) ID(USER555) ACCESS(READ)
PE ACTP CLASS($CHGMAN) ID(USER666) ACCESS(UPDATE)
PE ACTP CLASS($CHGMAN) ID(USER777) ACCESS(READ)
PE ACTP CLASS($CHGMAN) ID(USER888) ACCESS(READ)

See Access to ChangeMan ZMF Functions to see how execution of a ChangeMan ZMF function in an application may require access to both the functional security entity and to the application.

If required, ensure that users have access to the required ZMF functions. For example:
```
PE CMNCREAT CLASS($CHGMAN) ID(USER666) ACCESS(UPDATE)
```
See Functional entities for additional information.

Step 4: Define Data Set Access

Libraries and Data Sets in the SERNET Started Procedure

This table shows you what authority is required for libraries and data sets that are coded in the SERNET started procedure.

Access	Data Set Name	DD Name
UPDATE	somnode.CMNZMF.CMNPMAST	CMNPMAST
UPDATE	somnode.CMNZMF.CMNRECV	CMNRECV
UPDATE	somnode.CMNZMF.CMNCMPNT	CMNCMPNT
UPDATE	somnode.CMNZMF.CMNCMPNL	CMNCMPNL
UPDATE	somnode.CMNZMF.CMNLOG	CMNLOG
UPDATE	somnode.CMNZMF.CMNDELAY	CMNDELAY
UPDATE	somnode.CMNZMF.IADSP	CMNIMPCT
UPDATE	somnode.CMNZMF.IALOG	CMNIALOG
UPDATE	somnode.SERCOMC.TCPIPORT	SER#PARM
READ	somnode.SERCOMC.XMLSPACE	XMLSPACE
READ	somnode.SERCOMC.LICENSE1	SERLIC
READ	somnode.SERCOMC.PARMLIB	PARMLIB2 HPSPLIB
READ	somnode.CMNZMF.LOAD	STEPLIB ISPLLIB
READ	somnode.SERCOMC.LOAD	STEPLIB ISPLLIB
READ	somnode.CMNZMF.PANELS	STEPLIB
READ	somnode.CMNZMF.MESSAGES	ISPMLIB
READ	somnode.CMNZMF.SKELS	ISPSLIB
READ	somnode.CMNZMF.TABLES	ISPTLIB
READ	somnode.CMNZMF.CUSTOM.LOAD	STEPLIB ISPLLIB
READ	somnode.SERCOMC.CUSTOM.LOAD	STEPLIB ISPLLIB
READ	somnode.CMNZMF.CUSTOM.PANELS	ISPPLIB
READ	somnode.CMNZMF.CUSTOM.MESSAGES	ISPMLIB
READ	somnode.CMNZMF.CUSTOM.SKELS	ISPSLIB
READ	somnode.CMNZMF.CUSTOM.TABLES	ISPTLIB
READ	somnode.SISPMENU	ISPMLIB
READ	somnode.SISPTENU	ISPTABL
READ	CA Librarian or CA Panvalet product library (if required)	STEPLIB

The LICENSE library and SERLIC DD statement are used only if licenses are not stored in CSA or a load module.
This ddname may be specified in the DDNAME= keyword parameter.

Some of these libraries and data sets are also coded in file tailoring started procedures and in batch job JCL created from ChangeMan ZMF skeleton file tailoring.

For information about the libraries and data sets coded in the SERNET started procedure, see Step 10: Build SERNET JCL for ChangeMan ZMF for more information.

Other Libraries and Data Sets

This table shows you what authority is required for other libraries and data sets that ChangeMan ZMF uses or manages.

Access	Data Set
ALTER/CREATE/ UPDATE/DELETE	ChangeMan ZMF utility data sets See Utility Data Sets.
ALTER/CREATE/ UPDATE/DELETE	ChangeMan ZMF package staging libraries See Staging Library Model Data Set Name for more information.
ALTER/CREATE	ChangeMan ZMF Baseline libraries These libraries are specified in ChangeMan ZMF application administration. See the ChangeMan ZMF Administrator’s Guide.
UPDATE	Production libraries that ChangeMan ZMF will manage. These libraries are specified in ChangeMan ZMF application administration. See the ChangeMan ZMF Administrator’s Guide.
UPDATE	Test libraries ChangeMan ZMF will populate with the promotion function. These libraries are specified in ChangeMan ZMF application administration. See the ChangeMan ZMF Administrator’s Guide.
READ	The system procedure library where you store ChangeMan ZMF cataloged procedures. See Step 11: Build Default File Tailoring Procedure for more information.
READ	Other libraries that contain components that will be brought into a ChangeMan ZMF package with the Stage from Development function. See the ChangeMan ZMF User’s Guide.

Step 5: Add OMVS Segment To Use TCP/IP

TCP/IP Services in z/OS Communications Server requires a z/OS UNIX security context, referred to as an OMVS segment, for the user ID associated with a SERNET instance.

For instructions on satisfying the requirement for an OMVS segment in RACF, see topic "Requirement for an OMVS Segment” in the IBM publication z/OS Communications Server: IP Configuration Guide.

Failure to add an OMVS segment results in the following error message during SERNET initialization:

SERA000E XCH TCP/IP INITAPI: RC=00001,ERRNO=00156

...

Step 6: Add PassTicket Support In Sernet

RACF PassTickets are a requirement for mainframe clients connecting via TCP/IP.

Note

RACF PassTickets are not a requirement for ChangeMan ZDD or ChangeMan ZMF for Eclipse. These PassTickets are the result of the RACF Secure Signon Function and eliminate the need for clients to provide a password or passphrase that needs to be sent over a network. Additional information on PassTickets can be found in the ‘Using the Secured Signon Function’ section of the IBM-supplied ‘Security Server RACF Security Administrator's Guide’.

PassTickets are application-specific so a Sernet-generated PassTicket is only valid for connecting to a Sernet started task. If you don’t specify in your RDEFINE the parameter APPLDATA(’NO REPLAY PROTECTION’) then each PassTicket is valid for approximately ten minutes from the time it is issued and can only be used once. For that reason you must specify the APPLDATA(’NO REPLAY PROTECTION’) parameter.

RACF Administration Required

Activate the PTKTDATA class by entering:

SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

Refresh the PTKTDATA class by entering:
```
SETROPTS RACLIST(PTKTDATA) REFRESH
```

Create a profile in the PTKTDATA class by entering:

RDEFINE PTKTDATA SERNET SSIGNON(user_must_choose) APPLDATA(’NO REPLAY PROTECTION’)

For further information. refer to the appropriate IBM RACF manual for further information, for example "Defining Profiles in the PTKTDATA Class", in the manual z/OS Security Server RACF Security Administrator's Guide.

Note

The value of SERNET in the above RDEFINE command is mandatory and should not be altered. You must provide the SSIGNON specification.

The SERSET Utility

Support for PassTickets in Sernet is provided via the execution of the SERSET utility. Each time a ChangeMan started task is brought up, during the initialization process, the SETSET utility gets invoked. This caters for the case where clients connect to a started task running on the same LPAR.

However the SERSET utility can also be executed as a batch utility. We provide a new member called SERSET in the delivered SERCOMC CNTL library. If you have a situation where users are signing onto ZMF from an LPAR which does not host a ZMF started task, you need to run the SERSET batch job on this LPAR. This must be done after each IPL to enable a remote connection to ZMF.

Generating a PassTicket

Sernet generates PassTickets when SERCLIEN calls SERXPTIK. The generation process requires authorization (key zero) so SERXPTIK executes as a PC routine and the sole purpose of the SERSET utility is to implement this routine.

For SERCLIEN to generate a PassTicket SERCLIEN only needs to know the PC number associated with SERXPTIK. To find this number SERCLIEN retrieves two system-level tokens, as follows:

SerNet.PTickTok – this contains the SerNet.PTickX value. 
SerNet.PTickX – this contains the PC number.

Note

The X in this token name corresponds directly to the TOKEN= value established when SERSET runs

Failures in PassTicket Generation

SERXPTIK calls the routine anchored in field RCVTPTGN of the RACF CVT. Errors will be returned to the caller of SERCLIEN with the following message:

SER6035E Passticket generation failed, RCVTPTGN RC=nnnn

RCVTPTGN and its accompanying return codes are documented under “Using the service to generate a PassTicket” in the RACF Macros and Interfaces manual.

TOKEN =Operand of SERSET

The SERSET member of the SERCOMC CNTL library contains an EXEC card that reads:

PTICKET EXEC PGM=SERSET,REGION=2M,PARM='TOKEN= '

The default value for TOKEN is A so this effectively reads:

PTICKET EXEC PGM=SERSET,REGION=2M,PARM='TOKEN=A'

When the JCL executes one of two message sequences will normally ensue:

SER1704I CSVDYLPA loaded SERXPTIK @ xxxxxxxx
SER1708I SerNet.PtickA token created
SER1708I SerNet.PtickTok token created
SER1709I Passticket support enabled

This sequence will appear when SERSET first executes after an IPL. It shows the loading of SERXPTIK and the creation of the two system-level tokens.

SER1701I Passticket support previously enabled under 'A' suffix

This message will appear if SERSET executes any subsequent time after the first execution following each IPL. It signifies that SerNet.PTickTok points at SerNet.PTickA and that the latter contains the PC number associated with SERXPTIK.

Refreshing SERXPTIK

SERXPTIK is loaded into common storage by SERSET. By design, it’s a very small piece of code that should rarely change but, even so, on occasion it may need to be refreshed without an IPL.

To do this, rerun SERSET ensuring it will pick up the new version of SERXPTIK from STEPLIB and specifying a different TOKEN= value. For example, specifying TOKEN=B will result in the following message sequence:

SER1704I CSVDYLPA loaded SERXPTIK @ xxxxxxxx
SER1708I SerNet.PtickB token created
SER1708I SerNet.PtickTok token created
SER1709I Passticket support enabled

Once this has executed SerNet.PTickTok will point at SerNet.PTickB and this will cause SERCLIEN to invoke the new version of SERXPTIK [via a different PC number].

The TOKEN= parameter will accept any value from A-Z and 0-9 but any use beyond A and, rarely, B would be highly unusual.

Step 7: Set Security for USS File Systems

If you want to use ChangeMan ZDD to access zFS files in Unix System Services on the mainframe, you must make additional entries in your security system.

The instructions here describe commands for z/OS Security Server RACF. If you use CA ACF2 or CA Top Secret, consult with your security administrator to determine the actions they must take in those security systems to accomplish the same objectives.

In the commands that follow, the following conventions are used:

SERUSER is the user-id assigned to the SERNET/ZMF started task.
SERGRP is the RACF group assigned to the SERNET/ZMF started task.
Assign a non-zero UID to SERUSER by manually assigning the next available value:
```
ALTERUSER SERUSER OMVS(UID(xxx))
```

Permit access for SERUSER to two resources so it can manage zFS in USS:

PERMIT BPX.SERVER CLASS(FACILITY) ID(SERUSER) ACCESS(UPDATE)
PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ID(SERUSER) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(UNIXPRIV) REFRESH

Ensure that the SERUSER default group SERGRP has a GID:
```
ALTERGROUP SERGRP OMVS(GID(YYY))
```