Security for the Build System Toolkit and Rational Build Agent on z/OS systems

If you are using the Build System Toolkit and Rational® Build Agent with the applications for the IBM® Engineering Lifecycle Management (ELM) on z/OS®, you must consider several security options. These options help secure your data and provide appropriate access to different types of users.

After you set up the Resource Access Control Facility (RACF®) security options, you must complete the Build System Toolkit and Rational Build Agent configuration on z/OS. To complete the configuration, you must have created the JAZZCONF and JAZZWORK RACF GROUPs, as outlined in RACF security on z/OS systems, and completed the customization and submission of the BLZCP* jobs that are required for your configuration.

The next sections describe the additional security configurations that are specific to installing the Build System Toolkit and Rational Build Agent on z/OS.

Build System Toolkit RACF classes

Configuring the Build System Toolkit and Rational Build Agent depends on activating several RACF classes. The BLZRACFT sample member contains sample RACF statements to activate these classes.
  • The STARTED CLASS assigns user ID relationships to the IBM Engineering Workflow Management (EWM) ISPF daemon started task and the Rational Build Agent started task.
  • The APPL CLASS activates application protection for the ISPF daemon.
  • The PTKTDATA CLASS supports PassTicket generation for the ISPF client.

EWM ISPF daemon and client security setup

If you are installing and using the ISPF client, you must complete several RACF security steps. The basic tasks in the BLZRACFT sample job are as follows:
  1. Create a group for the ISPF daemon started task user.
  2. Create the ISPF daemon started task user (STCISPF).
  3. Associate the ISPF-started tasks, BLZISPFS and BLZISPFD, with the STCISPF user ID.
  4. Connect the STCISPF user ID to the groups that provide access to the configuration and work directories.
  5. Allow STCISPF to run secure UNIX servers by granting access to the BPX.SERVER facility CLASS.
  6. Allow STCISPF access to the PTKTDATA CLASS for PassTicket generation.
Important: If you use an ID other than STCISPF, change all references to that ID in BLZRACFT.

Program control

The Engineering Workflow Management ISPF daemon runs as a secure UNIX server. Servers with access to BPX.SERVER must run in a clean, program-controlled environment: if a module that is not program-controlled is loaded into the daemon's address space, the address space is marked dirty and the identity-switching services that depend on BPX.SERVER fail. Therefore, all programs that the ISPF daemon and client call must also be program-controlled.

The Build System Toolkit components load modules from SYS1.LINKLIB, the Language Environment® run time (CEE.SCEERUN and CEE.SCEERUN2), and the TSO/ISPF gateway load library (ISP.SISPLOAD). Program control for ISP.SISPLOAD is configured when the TSO/ISPF gateway is configured.

For more information about the TSO/ISPF gateway, see the chapter TSO/ISPF client gateway in ISPF Planning and Customizing (GC19-3623).

The following sample RACF commands add these libraries to the ** profile in the PROGRAM class and refresh program control. The REFRESH form assumes that program control is already active (SETROPTS WHEN(PROGRAM)); if it is not, activate it first. For an example of RACF statements to perform this task, see the relevant step in the BLZRACFT job in hlq.SBLZSAMP, where hlq is the high-level qualifier that was specified during the SMP/E installation.
        RALTER PROGRAM ** UACC(READ) ADDMEM(SYS1.LINKLIB//NOPADCHK)
        RALTER PROGRAM ** UACC(READ) ADDMEM(CEE.SCEERUN//NOPADCHK) 
        RALTER PROGRAM ** UACC(READ) ADDMEM(CEE.SCEERUN2//NOPADCHK) 
        SETROPTS WHEN(PROGRAM) REFRESH
Note: Use the ** profile unless you already have a * profile in the PROGRAM class, in which case, do not use the ** profile because it obscures and complicates the search path that your security software uses. In this case, you must merge the existing * and the new ** definitions. For more details, see the Security Server RACF Security Administrator's Guide (SA22-7683).

Rational Build Agent security setup

You can run the Rational Build Agent in several ways. For details, see Security for the Rational Build Agent. Whichever way you choose, the user ID that the agent runs under must be connected to the groups that allow access to the JAZZCONF and JAZZWORK directories. To run promotions, deployments, or other builds that use the ISPF gateway, this user ID must have READ access to the required ISPF configuration files (ISPZXENV and ISPF.conf), must be authorized to use TSO, and must have a catalog ALIAS for a valid high-level qualifier (HLQ) so that it can allocate data sets.

If you plan to run the Rational Build Agent as a started task, you must issue RACF commands to make the definitions to set up the started task. For an example of the RACF statements to perform this task, see the instructions in the BLZRACFT job in hlq.SBLZSAMP.

The following sample RACF commands create the BLZBFA started task, with the protected user ID STCBFA and the group STCGROUP assigned to it. Replace the #group-id and #user-id-* placeholders with valid OMVS IDs. The sample defines STCBFA with UID(0), but, as the comment in the sample notes, UID(0) is not required; assign a unique non-zero UID unless you have a specific reason to run the agent as a superuser.
Note: Ensure that the started task user ID is protected by specifying the NOPASSWORD keyword. A protected user ID cannot be used to log on with a password and cannot be revoked by repeated failed logon attempts, so the started task cannot be locked out or impersonated through a password.
 ADDGROUP STCGROUP OMVS(GID(#group-id)) DATA('GROUP WITH OMVS SEGMENT FOR STARTED TASKS')

 #  UID(0) is not required
 ADDUSER STCBFA DFLTGROUP(STCGROUP) NOPASSWORD NAME('RATIONAL BUILD AGENT') OMVS(UID(0) HOME(/tmp) PROGRAM(/bin/sh)) DATA('EWM')

 RDEFINE STARTED BLZBFA.* DATA('EWM - RATIONAL BUILD AGENT') STDATA(USER(STCBFA) GROUP(STCGROUP) TRUSTED(NO))

 SETROPTS RACLIST(STARTED) REFRESH

 #  connect Build Forge Agent userid to JAZZ config group (default JAZZCONF)
 LISTGRP  JAZZCONF
 CONNECT (STCBFA) GROUP(JAZZCONF)

 #  connect Build Forge Agent userid to JAZZ work group (default JAZZWORK)
 LISTGRP  JAZZWORK
 CONNECT (STCBFA) GROUP(JAZZWORK)
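After you submit the program-control and started-task definitions above, verify them before starting the daemon and the agent. The following RACF display commands are an added example and are not part of the BLZRACFT sample; they assume the profile and user names used on this page (the ** PROGRAM profile, BLZBFA.*, STCBFA, STCGROUP).

```racf
/* Program control: WHEN(PROGRAM) must appear as active, and the three      */
/* libraries must be listed as members of the ** profile.                   */
SETROPTS LIST
RLIST PROGRAM ** ALL

/* Started task: confirm the STDATA segment assigns STCBFA / STCGROUP and    */
/* TRUSTED(NO), and that the user is PROTECTED with the intended OMVS UID.   */
RLIST STARTED BLZBFA.* STDATA
LISTUSER STCBFA OMVS
LISTGRP STCGROUP OMVS

/* Group access: STCBFA must appear in the member lists of both groups.     */
LISTGRP JAZZCONF
LISTGRP JAZZWORK
```

In the SETROPTS LIST output, program control is active only if WHEN(PROGRAM) is shown among the active options; if it is missing, SETROPTS WHEN(PROGRAM) REFRESH has no effect and the daemon cannot run as a secure server. In the LISTUSER output, a protected ID shows ATTRIBUTES=PROTECTED.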
 

User ID OMVS segment creation

For each ISPF client user and for each IBM Developer for z Systems® user, you must define a RACF OMVS segment or equivalent that specifies a valid non-zero z/OS UNIX user ID (UID), home directory, and shell command. In addition, if you run builds through the Rational Build Agent, override the user authentication, and set the "load directory" in the build to your OMVS home directory, every user who submits personal dependency builds must have an OMVS segment. The user's default group also requires an OMVS segment with a group ID (GID).

In the following sample RACF commands, replace the following placeholders with actual values: #userid, #user-identifier, #group-name, and #group-identifier.
ALTUSER #userid OMVS(UID(#user-identifier) HOME(/u/#userid) PROGRAM(/bin/sh) NOASSIZEMAX)
ALTGROUP #group-name OMVS(GID(#group-identifier))

Additional access to configuration and work directories

The following additional users need access to the work directories. The users must be connected to the JAZZWORK group.
  • ISPF client users
  • Enterprise Extensions build users

Engineering Workflow Management Job Monitor security setup

If you plan to run JCL-based builds through the Rational Build Agent, you must consider additional security tasks when you configure the Job Monitor.

For additional details, see Using the Rational Build Agent and Job Monitor to run builds using JCL.

IBM Developer for z Systems integration feature security setup

If you plan to run the IBM Developer for z Systems integration feature with Engineering Workflow Management, the user ID that is assigned to the Remote System Explorer daemon (RSED) started task must be added to the RACF groups that control access to the JAZZCONF and JAZZWORK directories. To be able to store SCM metadata in the working directories, users of the integration feature must be connected to the JAZZWORK group.

The following sample RACF commands connect the RSED started task user ID to the configuration and work RACF groups:
 #  connect RSED Started task userid to JAZZCONF and JAZZWORK
 LISTGRP  JAZZCONF
 CONNECT  (RSED) GROUP(JAZZCONF)
 LISTGRP  JAZZWORK
 CONNECT  (RSED) GROUP(JAZZWORK)

Setting permission bits for temporary files and logs in USS

Engineering Workflow Management generates configuration files, logs, and temporary files in z/OS UNIX when you perform any of the following operations:
  • run dependency builds, promotions, or packaging
  • load files from SCM to a USS directory during a dependency build
  • perform an SCM operation during an ISPF client session
  • use the IBM Developer for z Systems Integration Load and Share function
  • perform an SCM operation from the z/OS UNIX Shell view in RSE
If you want to change the permission bits for these types of files, take the following actions:
  • Log in to (or have the system administrator log in to) ccm/admin with a browser. Navigate to Server > Configurations > Advanced Properties. Under Build Agent, verify that the Default File Permission is set to the desired value. The default value is 775.
  • Log in to the z/OS UNIX shell, and change or add a umask value in /etc/profile.
  • Log in to the z/OS UNIX shell, and verify that the umask specified in install_dir/ispfclient/bin/ispfdmn.sh is set to the desired value. The default umask value is 0002, which clears only the world-write bit, so directories are created as 775 and files as 664, consistent with the 775 default above. The relevant lines of the script are as follows:
     cd $RTC_HOME/scmtools/eclipse
     umask 0002
     mask=`umask`
     echo
     echo starting ISPF daemon on port $_ISPF_DAEMON_PORT ... -- $(date) umask=$mask
     echo
    After you change the umask, restart the ISPF daemon.
  • Set umask in rsed.envvars.
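The umask and the Default File Permission have to agree: a umask can only remove permission bits from what a program requests, never add them, so a restrictive umask silently overrides a permissive Default File Permission. The following POSIX shell script is an added example, not part of the ELM documentation or the ispfdmn.sh script; it assumes ordinary POSIX creation semantics (effective mode = requested mode with the umask bits cleared) and uses hypothetical function names. Run it on any POSIX system to see how the values interact before you change /etc/profile, ispfdmn.sh or rsed.envvars.

```shell
#!/bin/sh
# Added example: how a umask combines with a requested permission such as the
# ELM "Default File Permission" (assumed here to be applied at creation time,
# which the documentation does not state). Function names are hypothetical.

# effective_mode <requested-octal> <umask-octal>
# Prints the permission bits that survive the umask, in octal (e.g. 775 002 -> 775).
effective_mode() {
    req=$(( 0$1 ))          # leading 0 forces octal interpretation
    mask=$(( 0$2 ))
    printf '%o\n' $(( req & ~mask & 0777 ))
}

# umask_compatible <default-file-permission> <umask>
# Succeeds only when the umask clears no bit that the default permission asks for,
# i.e. the configured default reaches the file system unchanged.
umask_compatible() {
    [ "$(effective_mode "$1" "$2")" = "$(printf '%o' $(( 0$1 & 0777 )))" ]
}

# created_mode <umask-octal> file|dir
# Creates a scratch object under the given umask and prints the symbolic mode
# string from ls -ld (e.g. 0002 dir -> drwxrwxr-x). mkdir requests 777 and a
# plain file creation requests 666, so this shows what the umask leaves behind.
created_mode() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$scratch/d" && target="$scratch/d"
        else
            : > "$scratch/f" && target="$scratch/f"
        fi
        ls -ld "$target" | cut -c1-10
    )
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# Demonstration: the documented default (0002) keeps 775 intact; the common
# interactive defaults 0022 and 0027 drop group write and therefore break
# shared access through the JAZZWORK group.
for m in 0002 0022 0027; do
    printf 'umask %s: dir %s  file %s  775 default -> %s  compatible: ' "$m" \
        "$(created_mode "$m" dir)" "$(created_mode "$m" file)" "$(effective_mode 775 "$m")"
    if umask_compatible 775 "$m"; then echo yes; else echo no; fi
done
```

With umask 0002 the loop reports drwxrwxr-x for directories and -rw-rw-r-- for files, and 775 survives unchanged; with 0027, the same 775 request becomes 750, so other members of JAZZWORK lose write access to the work directories even though the ccm/admin property still says 775. Check /etc/profile, ispfdmn.sh and rsed.envvars together, because whichever of them runs last for a given process sets the mask that applies.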
