z/OS Configuration - Started Tasks

The Universal Agent for z/OS solution consists of two started tasks:

  1. Universal Broker is a required started task that provides a number of services for manager and server components.
  2. Universal Enterprise Controller is an optional started task that provides monitoring and administration services.

The following started task JCL procedures are provided in the SUNVSAMP library:

  • UBROKER is the JCL procedure for the Universal Broker started task.
  • UECTLR is the JCL procedure for the Universal Enterprise Controller started task.

The JCL procedures are copied to a system procedure library by installation job UNVIN09. If this was not done, copy the JCL members to the appropriate procedure library for your local environment.

The started task programs use both z/OS UNIX System Services (USS) and MVS services. Because they use USS services, the programs execute as USS processes. Like all USS processes, the Universal Broker and Universal Enterprise Controller processes must execute under user profiles that have properly defined OMVS segments. In addition, those user profiles must be permitted security access to privileged USS services for the started tasks to perform specific functions.

This page describes the following configuration tasks:

  • Started task security requirements.
  • Defining the started task user and group profiles.
  • Permitting the started task user profile to required security resources.
  • Associating started tasks with the user and group profiles.

Started Task Security

z/OS UNIX System Services (USS) operates in one of two security modes. If the resource profile BPX.DAEMON is not defined in the FACILITY class, USS operates in UNIX-level security mode; otherwise, USS operates in z/OS UNIX security mode.

UNIX-level security provides few options to control access to USS services. A user account that requires access to privileged services must be defined with a UID value of 0, referred to as superuser, and everything that account runs carries superuser authority.

z/OS UNIX security provides finer-grained access control to USS services through a SAF security package such as RACF. A user account can be defined with a non-zero UID and permitted to the specific resource profiles that protect individual USS services. Superuser authority is obtained not by assigning UID 0 but by granting READ access to the resource BPX.SUPERUSER in the FACILITY class.

Universal Broker

The Universal Broker started task provides services for local and remote Universal Agent managers, such as Universal Command managers or Universal Data Mover managers. Locally executed managers register with the local Universal Broker for monitoring, configuration data, and event recording. Remotely executed managers communicate with the local Universal Broker over a TCP/IP network connection and request execution of server components in order to process local services, such as execution of commands or transfer of data.

Server components initiated by the Universal Broker started task execute as child processes of the Universal Broker process. As such, the server components inherit the user identifier of the Universal Broker process. Some server components, such as Universal Command server, can switch the user identifier with which the work is executed. Switching a user identifier is a privileged operation. The Universal Broker user profile requires sufficient security access for itself and the server components to perform their services.

Universal Broker User and Group Profiles

The security requirements of the Universal Broker depend upon which services are being utilized. By default, all services are configured to be used. Some services can be disabled to reduce the amount of authority the Universal Broker user profile requires. The following table lists the USS privileged services for each component and how to disable the service so that security access to the service is not required.

Change directory ownership
  Description: Universal Broker dynamically mounts its USS file systems. Once the file systems are mounted, the Broker initializes them; initialization consists of changing the ownership of the file system root directories to the Broker user identifier.
  Disabling: Initialize the file system ownership manually. The Broker does not dynamically mount and initialize the file systems if they are already mounted and initialized. Make sure the account used to execute the Universal Broker STC owns the mount point.

Create external links owned by UID 0
  Description: Universal Broker dynamically creates external links in the USS file system to selected MVS programs in its STEPLIB ddname allocation. The external links are required by the USS spawn function that Universal Broker uses to execute the components. The UDM Manager also requires external links to execute UCMD Manager or the Universal Connector for SAP (USAP). An external link must be owned by UID 0 when it links to an MVS program that resides in an APF-authorized library, and creating an external link owned by UID 0 requires superuser access.
  Disabling: Create the external links manually at a permanent location in the USS file system. The content and name of the external links are user-defined, but they must be owned by UID 0. Specify the absolute path name of each external link in the component definition START_COMMAND option for UAGSRV, UCMSRV, UCTSRV, and UDMSRV, located in UNVCOMP(UAGCMP00), UNVCOMP(UCSCMP00), UNVCOMP(UTSCMP00), and UNVCOMP(UDSCMP00), respectively. Absolute paths to the external links that Universal Broker would otherwise create for UCMD and USAP (used by the UDM exec and execsap commands) and for UCTL can be specified with the ucmd_path, usap_path, and uctl_path configuration options in UNVCONF(UBRCFG00).

Switch user ID and group associations
  Description: Universal Command, Universal Data Mover, and Universal Control switch to the user ID with which a work request is to be executed. The user ID is authenticated before the switch unless a Universal Access Control List (UACL) entry turns authentication off for the request.
  Disabling: Set the Universal Command, Universal Data Mover, and Universal Control server configuration option SECURITY to NONE. With SECURITY set to NONE, all work requests execute with the Universal Broker's user ID, so every work request carries whatever authority the Broker user has. Starting with Universal Agent 6.5.0.0, if a valid account password is provided, security contexts can be switched even when the Broker runs without access to BPX.SUPERUSER or BPX.DAEMON. This allows SECURITY to be set to a value other than NONE, but it does not support UACL entries that turn authentication off for a particular request via the noauth parameter. In this mode the supplemental group information for the user account is set, but the process's effective group ID is not changed; access to system resources must therefore be granted to the specific user account.

Change server component job name
  Description: Universal Broker sets the job name of child server processes to the appropriate component name. For example, when Universal Broker starts a Universal Command server component, the job name is set to UCMSRV.
  Disabling: There is no product configuration option for this. Simply do not permit the Broker user to the resource profile that protects the service; all server components then run under the Universal Broker job name with a numeric suffix (for example, UBROKER2).

How to configure the Universal Broker started task user profile to meet security requirements depends on whether USS is running with UNIX-level security or z/OS UNIX security. The following sections describe how to configure the Universal Broker user profile to perform the privileged services listed above for both USS UNIX-level security and z/OS UNIX security configurations.

UNIX-level Security

UNIX-level security refers to a USS security environment where the resource profile BPX.DAEMON is not defined to the FACILITY class.

The only method of permitting a user profile access to privileged services is to define the user profile with a UID value of 0 (superuser). The Universal Broker user profile must be defined with UID 0 to perform any privileged service. Note that, because server components inherit the user ID of the Universal Broker process, every server component the Broker starts also begins with superuser authority in this configuration.

The following steps define the Universal Broker user profile for a UNIX-level security environment:

Step 1

Add the Universal Broker group profile UBRGRP using the following RACF command:
 

ADDGROUP UBRGRP OWNER(SYS1) OMVS(GID(5001))

Change the GID value 5001 to a value suitable for your local USS environment. The GID value must be unique among all group profiles.

Step 2

Add the Universal Broker user profile UBRUSR using the following RACF command:
 

ADDUSER UBRUSR DFLTGRP(UBRGRP) OWNER(SYS1) NOPASSWORD OMVS(UID(0))

NOPASSWORD defines UBRUSR as a protected user ID: it cannot be used to log on by any means that requires a password, and it cannot be revoked by repeated invalid password attempts. This is the appropriate definition for a started task identity and applies equally to the other ADDUSER commands on this page.

z/OS UNIX Security

z/OS UNIX security refers to a USS security environment where the resource profile BPX.DAEMON is defined to the FACILITY class.

The Universal Broker user profile must be defined with a valid OMVS segment and a non-zero, unique UID value. The user profile security requirements for each privileged service are:

  • Change directory ownership: READ access to the BPX.SUPERUSER resource profile in the FACILITY class.
  • Create external links owned by UID 0: READ access to the BPX.SUPERUSER resource profile in the FACILITY class.
  • Switch user ID and group associations: READ access to the BPX.DAEMON and BPX.SUPERUSER resource profiles in the FACILITY class.
  • Change server component job name: READ access to the BPX.JOBNAME resource profile in the FACILITY class.

A requirement can be dropped if the feature that uses the service is disabled as described above.
 

The following steps configure the Universal Broker user profile for a z/OS UNIX security environment:

Step 1

Add the Universal Broker group profile UBRGRP using the following RACF command:
 

ADDGROUP UBRGRP OWNER(SYS1) OMVS(GID(5001))

Change the GID value 5001 to a value suitable for your local USS environment. The GID value must be unique among all group profiles.

Step 2

Add the Universal Broker user profile UBRUSR using the following RACF command:
 

ADDUSER UBRUSR DFLTGRP(UBRGRP) OWNER(SYS1) NOPASSWORD OMVS(UID(5001))

Change the UID value 5001 to a value suitable for your local USS environment. The value must be unique among all user profiles.

Step 3

Permit the Universal Broker user profile READ access to the resource profiles required for enabled services. The following RACF commands permit the user profile to the resources required for all privileged services:
 

PE BPX.DAEMON CLASS(FACILITY) ID(UBRUSR) ACCESS(READ)
PE BPX.SUPERUSER CLASS(FACILITY) ID(UBRUSR) ACCESS(READ)
PE BPX.JOBNAME CLASS(FACILITY) ID(UBRUSR) ACCESS(READ)
SETR RACLIST(FACILITY) REFRESH


As described above, services can be disabled so that access to BPX.DAEMON and BPX.SUPERUSER becomes optional. If the Universal Broker account is not granted access to these resources, the Broker STC runs in unprivileged mode: the file system ownership and external links it would otherwise set up must be configured manually, and user context switching remains possible only when a valid account password accompanies the request (Universal Agent 6.5.0.0 or later), with UACL noauth entries unsupported.

Universal Broker Data Access

The Universal Broker user profile UBRUSR requires the following access to the data sets allocated in the Universal Broker started task, UBROKER:

Ddname    Access  Description
STEPLIB   READ    Program library
UNVCONF   ALTER   Product configuration data
UNVRFC    READ    Universal Connector SAP RFC file
UNVCOMP   ALTER   Product component definition data
UNVNLS    READ    Product national language support data
UNVCREF   READ    Universal Command command reference definitions
UNVDB     UPDATE  Universal Broker HFS component database
UNVSPOOL  UPDATE  Universal Broker HFS spool database
UNVTMPL   READ    Universal Broker configuration templates
UNVTRACE  UPDATE  Universal Broker application trace PDSE
UNVTRMDL  ALTER   Universal Broker application model trace data set
UNVLOG    UPDATE  Universal Broker log data set
UNVKSTR   UPDATE  Universal Broker Keystore data set
UNVAGMDL  ALTER   Universal Automation Center Agent (UAG) model log data set

Universal Enterprise Controller

The Universal Enterprise Controller started task provides services for monitoring and administering Universal Agents distributed throughout the computer network. GUI clients connect to Universal Enterprise Controller to perform tasks and view component activity and statuses.

Universal Enterprise Controller User and Group Profiles

The security requirements of the Universal Enterprise Controller depend upon which services are being utilized. By default, all services are configured to be used. Some services can be disabled to reduce the amount of authority the Universal Enterprise Controller user profile requires. The following table lists the USS privileged services and how to disable the service so that security access to the service is not required.

Mount file system
  Description: Universal Enterprise Controller dynamically mounts its USS file system. Mounting a file system requires APF authorization or superuser access, and Universal Enterprise Controller is not APF authorized.
  Disabling: Mount the Universal Enterprise Controller file system statically. Make sure the account used to execute the Universal Enterprise Controller STC owns the mount point.

Change directory ownership
  Description: Universal Enterprise Controller initializes its file system if it detects that initialization has not been completed. Initialization consists of changing the ownership of the file system root directory to the Universal Enterprise Controller user identifier.
  Disabling: Initialize the file system ownership manually.

How to configure the Universal Enterprise Controller started task user profile to meet security requirements depends on whether USS is running with UNIX-level security or z/OS UNIX security. The following sections describe how to configure the Universal Enterprise Controller user profile to perform the privileged services listed above for both USS UNIX-level security and z/OS UNIX security configurations.

UNIX-level Security

UNIX-level security refers to a USS security environment where the resource profile BPX.DAEMON is not defined to the FACILITY class.

The only method of permitting a user profile access to privileged services is to define the user profile with a UID value of 0 (superuser). The Universal Enterprise Controller user profile must be defined with UID 0 to perform any privileged service.

The following steps define the Universal Enterprise Controller user profile for a UNIX-level security environment:

Step 1

Add the Universal Enterprise Controller group profile UECGRP using the following RACF command:
 

ADDGROUP UECGRP OWNER(SYS1) OMVS(GID(5002))

Change the GID value 5002 to a value suitable for your local USS environment. The GID value must be unique among all group profiles.

Step 2

Add the Universal Enterprise Controller user profile UECUSR using the following RACF command:
 

ADDUSER UECUSR DFLTGRP(UECGRP) OWNER(SYS1) NOPASSWORD OMVS(UID(0))

z/OS UNIX Security

z/OS UNIX security refers to a USS security environment where the resource profile BPX.DAEMON is defined to the FACILITY class.

The Universal Enterprise Controller user profile must be defined with a valid OMVS segment and a non-zero, unique UID value. The user profile security requirements for each privileged service are:

  • Mount file system: READ access to the BPX.SUPERUSER resource profile in the FACILITY class.
  • Change directory ownership: READ access to the BPX.SUPERUSER resource profile in the FACILITY class.

A requirement can be dropped if the feature that uses the service is disabled as described above.
 

The following steps configure the Universal Enterprise Controller user profile for a z/OS UNIX security environment:

Step 1

Add the Universal Enterprise Controller group profile UECGRP using the following RACF command:
 

ADDGROUP UECGRP OWNER(SYS1) OMVS(GID(5002))

Change the GID value 5002 to a value suitable for your local USS environment. The GID value must be unique among all group profiles.

Step 2

Add the Universal Enterprise Controller user profile UECUSR using the following RACF command:
 

ADDUSER UECUSR DFLTGRP(UECGRP) OWNER(SYS1) NOPASSWORD OMVS(UID(5002))

Change the UID value 5002 to a value suitable for your local USS environment. The value must be unique among all user profiles.

Step 3

Permit the Universal Enterprise Controller user profile READ access to the resource profiles required for enabled services. The following RACF commands permit the user profile to the resources required for all privileged services:
 

PE BPX.SUPERUSER CLASS(FACILITY) ID(UECUSR) ACCESS(READ)
SETR RACLIST(FACILITY) REFRESH

Universal Enterprise Controller Data Access

The Universal Enterprise Controller user profile UECUSR requires the following access to the data sets allocated in the Universal Enterprise Controller started task, UECTLR:

Ddname    Access  Description
STEPLIB   READ    Program library
UNVCONF   READ    Product configuration data
UNVNLS    READ    Product national language support data
UNVDB     UPDATE  Universal Enterprise Controller HFS database
UNVMSGS   UPDATE  Universal Enterprise Controller message trace data
UNVPRSR   UPDATE  Universal Enterprise Controller parser trace data
UNVTRACE  UPDATE  Universal Enterprise Controller application trace data

Associate Started Tasks with User and Group Profiles

The started tasks must be associated with their user and group profiles defined above. IBM provides two different methods to accomplish this using RACF:

  1. STARTED Class Profile
  2. Started Procedures Table

Both methods are described below. Only one, not both, of the methods is required. They are provided as examples for your reference. Your local security procedures and processes should be followed.

STARTED Class Profile

The following procedure describes how to associate a user and group profile with the started procedures using the RACF class STARTED method.

Step 1

Define a STARTED class profile for the Universal Enterprise Controller started procedure with the following TSO command:
 

RDEFINE STARTED UECTLR.* STDATA(USER(UECUSR) GROUP(UECGRP))

The started procedure member name used in the above command is UECTLR. If it has been changed, the name in the RDEFINE command must be changed to match. The profile name UECTLR.* is a generic STARTED class profile that matches the UECTLR procedure started under any job name.

Step 2

Define a STARTED class profile for the Universal Broker started procedure with the following TSO command:
 

RDEFINE STARTED UBROKER.* STDATA(USER(UBRUSR) GROUP(UBRGRP))

The started procedure member name used in the above command is UBROKER. If it has been changed, the name in the RDEFINE command must be changed to match.

Step 3

The STARTED class must be refreshed to recognize the new profile definitions. The following command assumes that the STARTED class is active and RACLIST'ed.
 

SETROPTS RACLIST(STARTED) REFRESH
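The profile definitions, FACILITY permits and STARTED class association above form one procedure whose output depends on the USS security mode and on which privileged services remain enabled after applying the Disabling column of the service tables. The following Python script is an added example, not Stonebranch code, that derives the resulting RACF command set from the tables on this page: it emits the ADDGROUP/ADDUSER commands for either security mode, permits only the FACILITY profiles the still-enabled services need, produces the STARTED class association, and lists the caveats the page attaches to user switching. The service keys (chown_fs_root, create_extlinks, switch_user, set_server_jobname, mount_fs), the Stc class and the function names are this example's own; the user, group, UID and GID values are the sample values used above. It prints commands for review and does not issue them.

```python
"""Least-privilege RACF command set for the Universal Broker (UBROKER) and
Universal Enterprise Controller (UECTLR) started tasks, derived from the
service and requirement tables on this page.  Added example, not Stonebranch
code: the service names, profile requirements and disabling rules come from
the page; the data model, the mode switch and the caveat checks are this
example's own.  The STC identities below are the page's sample values."""

from dataclasses import dataclass

# Privileged USS service -> FACILITY profiles it needs under z/OS UNIX security
# (BPX.DAEMON defined).  Under UNIX-level security none of this applies: the
# STC user simply gets UID 0.  Service keys are this example's own names.
BROKER_SERVICES = {
    "chown_fs_root":      {"BPX.SUPERUSER"},
    "create_extlinks":    {"BPX.SUPERUSER"},
    "switch_user":        {"BPX.DAEMON", "BPX.SUPERUSER"},
    "set_server_jobname": {"BPX.JOBNAME"},
}
UEC_SERVICES = {
    "mount_fs":      {"BPX.SUPERUSER"},
    "chown_fs_root": {"BPX.SUPERUSER"},
}


@dataclass
class Stc:
    proc: str       # started procedure member name, e.g. UBROKER
    user: str
    group: str
    uid: int
    gid: int
    services: dict  # catalogue of privileged services for this component
    enabled: set    # services left enabled after applying the Disabling column


def required_profiles(stc):
    """FACILITY profiles still needed once disabled services are removed."""
    unknown = stc.enabled - set(stc.services)
    if unknown:
        raise ValueError(f"unknown service(s): {sorted(unknown)}")
    need = set()
    for svc in stc.enabled:
        need |= stc.services[svc]
    return need


def define_commands(stc, bpx_daemon_defined):
    """ADDGROUP/ADDUSER/PERMIT commands.  bpx_daemon_defined selects the mode
    this page distinguishes: False = UNIX-level security (UID 0, no permits),
    True = z/OS UNIX security (non-zero UID plus READ on FACILITY profiles)."""
    cmds = [f"ADDGROUP {stc.group} OWNER(SYS1) OMVS(GID({stc.gid}))"]
    if not bpx_daemon_defined:
        cmds.append(f"ADDUSER {stc.user} DFLTGRP({stc.group}) OWNER(SYS1) "
                    f"NOPASSWORD OMVS(UID(0))")
        return cmds
    if stc.uid == 0:
        raise ValueError("z/OS UNIX security requires a non-zero, unique UID")
    cmds.append(f"ADDUSER {stc.user} DFLTGRP({stc.group}) OWNER(SYS1) "
                f"NOPASSWORD OMVS(UID({stc.uid}))")
    profiles = sorted(required_profiles(stc))
    cmds += [f"PE {p} CLASS(FACILITY) ID({stc.user}) ACCESS(READ)" for p in profiles]
    if profiles:
        cmds.append("SETR RACLIST(FACILITY) REFRESH")
    return cmds


def started_class_commands(stcs):
    """STARTED class association (the first of the two methods on this page)."""
    cmds = [f"RDEFINE STARTED {s.proc}.* STDATA(USER({s.user}) GROUP({s.group}))"
            for s in stcs]
    cmds.append("SETROPTS RACLIST(STARTED) REFRESH")
    return cmds


def switch_user_caveats(stc, bpx_daemon_defined, security_none=False,
                        uacl_noauth=False):
    """What the page says happens to work requests depending on how the
    Broker's 'switch user' service is configured."""
    notes = []
    if security_none:
        who = "UID 0 (superuser)" if not bpx_daemon_defined else stc.user
        notes.append(f"SECURITY NONE: every work request executes as {who}")
    elif bpx_daemon_defined and "switch_user" not in stc.enabled:
        notes.append("no BPX.DAEMON/BPX.SUPERUSER: switching needs a valid "
                     "password (6.5.0.0+); effective GID is not changed")
        if uacl_noauth:
            notes.append("UACL noauth entries are not supported in this mode")
    return notes


if __name__ == "__main__":
    broker = Stc("UBROKER", "UBRUSR", "UBRGRP", 5001, 5001,
                 BROKER_SERVICES, set(BROKER_SERVICES))
    uec = Stc("UECTLR", "UECUSR", "UECGRP", 5002, 5002,
              UEC_SERVICES, set(UEC_SERVICES))
    for stc in (broker, uec):
        print("\n".join(define_commands(stc, bpx_daemon_defined=True)))
    print("\n".join(started_class_commands([broker, uec])))
```

Removing a service from the enabled set (for example, leaving only set_server_jobname after setting up the file systems and external links manually and setting SECURITY to NONE) drops the matching PE commands, which is the least-privilege outcome the Disabling column describes; switch_user_caveats reports the side effect of each such choice so it can be reviewed before the commands are issued.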

Started Procedures Table

This section describes how to associate a user and group profile with the started procedures using the RACF started procedure table ICHRIN03 method.

The ICHRIN03 table resides in a system LPA library, such as SYS1.LPALIB. Changes to the table require a system IPL using the CLPA option for them to take effect. RACF loads the table at IPL.

Step 1

Add an entry to the ICHRIN03 table for each of the two started procedures: UBROKER, associated with user UBRUSR and group UBRGRP, and UECTLR, associated with user UECUSR and group UECGRP. The table is an assembly language program that is assembled and link edited into a system LPA library.
 

Step 2

Increment the table count field by two. (The count field is the first 2 bytes of the table.)

Step 3

Assemble and link edit the ICHRIN03 table.
IBM provides a sample ICHRIN03 table and the JCL to assemble and link edit it in SYS1.SAMPLIB(RACTABLE).

Step 4

IPL the system with the CLPA option.