z/OS UNIX program-controlled files for the ISPF daemon

The ISPF daemon needs UPDATE access to the BPX.SERVER profile to manage the security environment.
Servers with authority to BPX.SERVER must run in a clean, program-controlled environment. This implies that all programs called by the ISPF daemon must also be program-controlled. For z/OS UNIX files, program control is managed by the extattr command. To run this command, you need READ access to BPX.FILEATTR.PROGCTL in the FACILITY class, or be UID(0).
The ISPF daemon server uses RACF's Java shared library (/usr/lib/libIRRRacf.so) as well as a number of IBM® Engineering Workflow Management (EWM) programs.
  • extattr +p /usr/lib/libIRRRacf.so
  1. Since z/OS 1.9, /usr/lib/libIRRRacf.so is installed as program-controlled during SMP/E RACF installation.
  2. Since z/OS 1.10, /usr/lib/libIRRRacf.so is part of SAF, which ships with base z/OS, so it is available also to non-RACF customers.
  3. The setup might be different if you use a security product other than RACF. Consult the documentation of your security product for more information.
  4. The SMP/E installation of IBM Engineering Workflow Management sets the program-control bit for internal programs, when it is available.
  5. Use the ls -Eog z/OS® UNIX command to display the current status of the program-control bit (the file is program controlled if the letter p shows in the second string).
    $ ls -Eog /usr/lib/libIRRRacf.so
    -rwxr-xr-x aps- 2 69632 Oct 5 2007 /usr/lib/libIRRRacf.so

video icon Video

Jazz.net channel
Software Education channel

learn icon Courses

IoT Academy
Skills Gateway

ask icon Community

Jazz.net forums
Jazz.net library

support icon Support

IBM Support Community
Deployment wiki