Setting up security for the Rational solution for CLM on z/OS
If you are installing the Jazz Team Server and other Rational solution for Collaborative Lifecycle Management (CLM) applications on z/OS, there are several tasks that are required to make the CLM functions secure and available on z/OS. This article supplements the installation and configuration information in the Rational solution for Collaborative Lifecycle Management information center.
This article assumes you are installing some combination of the Jazz Team Server, any of the CLM applications, the Rational Team Concert Build System Toolkit, or the Rational Build Agent on z/OS.
Security considerations
This article provides information on the following security topics:
- Data set protection – Security for z/OS data sets associated with the Jazz Team Server, CLM applications, the Rational Team Concert Build System Toolkit, and Rational Build Agent.
- RACF general resource profiles, GROUPs, and USERs – Several RACF resources must be configured in order to use the CLM components on z/OS.
- UNIX System Services (USS) directory protection – Installation and configuration of CLM components on z/OS use three main directories and associated subdirectories that need appropriate user and group-level permissions, specifically:
- Product binaries: Installed by SMP/E, typically to a directory such as /usr/lpp/jazz/v3.0.
- Configuration directories: Created by running sample configuration jobs to create and populate a directory such as /etc/jazz.
- Working directories: Created by running sample configuration jobs to create and populate a directory such as /u/jazz.
- Database access – If you are running the Jazz Team Server and CLM applications on z/OS, you must provide access from the server to DB2 z/OS databases for the applications and data warehouse.
Two sample members from hlq.SBLZSAMP, BLZRACF (for the server, installed with SMP/E FMID HAHA300) and BLZRACFT (for the Build System Toolkit and Rational Build Agent, installed with SMP/E FMID HAHB300) are provided and referenced for various steps of this process. (The hlq is the high-level qualifier specified during the SMP/E installation.) After you have thoroughly reviewed this article and the related help topics, customize and submit the jobs to perform the RACF updates.
The security considerations for your deployment will vary based on which components you have installed. This article is divided into several sections:
- General RACF considerations – Read this section if you have the Jazz Team Server or the Build System Toolkit installed on z/OS.
- Jazz Team Server considerations – Read this section if you are deploying the Jazz Team Server and CLM applications on z/OS.
- Build System Toolkit and Rational Build Agent considerations – Read this section if you are deploying the Build System Toolkit or the Rational Build Agent on z/OS.
General RACF considerations
There are several RACF settings that are relevant to deploying any of the CLM applications on z/OS. The detailed steps for installing CLM applications on z/OS are available in the Checklist for z/OS installations in the information center. The basic steps for installing z/OS components and the related security considerations are:
- SMP/E installation: Specific z/OS data sets and UNIX System Services directories are created based on which FMIDs are installed. The z/OS data sets are protected by the data set profiles that you have already configured. The USS directories are owned by the installer's user ID; other users have READ and EXECUTE access. You can set up additional security protections.
- Creation of USS configuration and working directories: Running the sample JCL creates configuration and working directories. The sample jobs are called BLZCP* jobs because there is a version for each component. For example, the Jazz Team Server (JTS) job is BLZCPJTS and the Build System Toolkit is BLZCPBTK. You can specify group permissions when you run these sample jobs.
Data set profile protection
Before you begin the SMP/E installation, create a high-level qualifier (HLQ) for the CLM target and distribution libraries so you can protect the HLQ using RACF. Users working with z/OS functions like the Rational Team Concert ISPF client or Enterprise Extensions deployment and promotion functions require READ access on the target data sets. Note that if you copy the target data set elsewhere, users will also need READ access on those copy data sets.
If you are installing the Jazz Team Server and CLM applications, see the instructions provided with the BLZRACF job in hlq.SBLZSAMP for an example of RACF statements. If you are installing the Rational Team Concert Build System Toolkit, the same RACF commands are provided in job BLZRACFT in hlq.SBLZSAMP.
For most Rational Team Concert data sets, READ access for users and ALTER access for system programmers is sufficient. Ask the system programmer who installed and configured the product for the correct data set names. The default high-level qualifier is BLZ, and a BLZ GROUP is allocated before creating the data set definition. To protect a data set with RACF, the first-level qualifier of the data set name must be a RACF-defined user ID or group name.
Sample RACF commands included in the JCL:
LISTGRP BLZ
ADDGROUP (BLZ) OWNER(IBMUSER) SUPGROUP(SYS1) -
  DATA('RATIONAL TEAM CONCERT - HLQ STUB')
# general data set protection
LISTDSD PREFIX(BLZ) ALL
ADDSD 'BLZ.**' -
  UACC(READ) DATA('RATIONAL TEAM CONCERT')
PERMIT 'BLZ.**' -
  CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
SETROPTS GENERIC(DATASET) REFRESH
# show results
LISTGRP BLZ
LISTDSD PREFIX(BLZ) ALL
User ID OMVS segment creation
A RACF OMVS segment (or equivalent) that specifies a valid z/OS UNIX user ID (UID), home directory, and shell command must be defined for the user who will run the BLZCP* configuration jobs for both the server and the Build System Toolkit. The user’s default group also requires an OMVS segment with a group ID.
BLZRACF and BLZRACFT contain similar RACF statements that you can use for this purpose. For the following sample RACF commands, replace the placeholders #userid, #user-identifier, #group-name, and #group-identifier with actual values:
ALTUSER #userid OMVS(UID(#user-identifier) HOME(/u/#userid) PROGRAM(/bin/sh) NOASSIZEMAX)
ALTGROUP #group-name OMVS(GID(#group-identifier))
Although it is not recommended, you can use the shared OMVS segment defined in the BPX.DEFAULT.USER profile of the FACILITY class to fulfill the OMVS segment requirement.
Jazz RACF group creation for access to resources
During the server and Build System Toolkit installation and configuration, several directories are created to hold configuration and temporary files. These directories are created in the BLZCP* jobs that are shipped in the hlq.SBLZSAMP data set. The directories are identified in the various BLZCP* jobs as @confPath@ and @workPath@ and, by default, are set to /etc/jazz and /u/jazz respectively. Running these jobs creates the directories and the owner is the user ID that submits the jobs.
These jobs require configuration of two RACF GROUPs that provide additional permission to other users who need access to the directories. If you are installing the Jazz Team Server, see the relevant step in the BLZRACF job in hlq.SBLZSAMP for sample RACF statements to perform this task. If you are installing the Build System Toolkit, the same RACF commands are provided in the BLZRACFT job in hlq.SBLZSAMP.
The following sample RACF commands create the groups JAZZCONF and JAZZWORK. Replace the #conf-group-id and #work-group-id placeholders with valid OMVS IDs.
Note: You must create these groups before you submit the BLZCP* jobs, or the jobs will fail.
ADDGROUP JAZZCONF OMVS(GID(#conf-group-id)) DATA('GROUP WITH OMVS SEGMENT FOR JAZZ CONFIG DIRECTORIES')
ADDGROUP JAZZWORK OMVS(GID(#work-group-id)) DATA('GROUP WITH OMVS SEGMENT FOR JAZZ CONFIG DIRECTORIES')
In general, you can control access to the USS configuration and work directories by limiting access to the directories that contain them. For example, access to /etc/jazz can be restricted if the user or group does not have READ access to /etc.
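Once the BLZCP* jobs have created /etc/jazz and /u/jazz, it is worth verifying that the trees actually carry the group ownership and mode bits the JAZZCONF and JAZZWORK groups rely on. The following script is an added example written for this article, not part of the BLZ sample members or the product: it walks a directory, checks that every file and directory is owned by the expected GID (the value given on the ADDGROUP OMVS(GID(...)) statement), that the group can read (and search) it, that nothing is world-writable, and, for work directories, that the group can write. The directory names, the GID and the conf/work distinction on the command line are assumptions for illustration; it uses only the standard Python library and runs on any POSIX system, including z/OS UNIX System Services.

```python
import os
import stat
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    problem: str


def audit_jazz_directory(root, expected_gid, group_writable):
    """Walk a CLM configuration or work directory and report permission problems.

    expected_gid   -- numeric GID of the RACF group that should own the tree
                      (the GID given on ADDGROUP ... OMVS(GID(...)) for the
                      JAZZCONF or JAZZWORK group; assumed, not read from RACF)
    group_writable -- True for work directories, where group members (the
                      server, build agent and build users) must be able to
                      write; False for configuration directories, where
                      group READ is enough
    Symbolic links are skipped because their own mode bits are not meaningful.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Check the directory itself, then each regular entry inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            if st.st_gid != expected_gid:
                findings.append(Finding(path, f"group is GID {st.st_gid}, expected GID {expected_gid}"))
            if mode & stat.S_IWOTH:
                findings.append(Finding(path, "world-writable"))
            if not mode & stat.S_IRGRP:
                findings.append(Finding(path, "group has no READ access"))
            if stat.S_ISDIR(mode) and not mode & stat.S_IXGRP:
                findings.append(Finding(path, "group cannot search this directory"))
            if group_writable and not mode & stat.S_IWGRP:
                findings.append(Finding(path, "group has no WRITE access (required in work directories)"))
    return findings


if __name__ == "__main__":
    # Usage (hypothetical file name): python audit_jazz_dirs.py /etc/jazz <gid> conf
    #                                 python audit_jazz_dirs.py /u/jazz   <gid> work
    root, gid, kind = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for f in audit_jazz_directory(root, gid, group_writable=(kind == "work")):
        print(f"{f.path}: {f.problem}")
```

Run it once per tree: with the JAZZCONF GID against the configuration directory and with the JAZZWORK GID against the work directory. An empty report means the directory matches the access model described above; any "world-writable" line is worth fixing before the server or build agent is started.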
Jazz Team Server considerations
After you complete the general RACF settings, there are several steps required to complete the server installation and configuration on z/OS. For the detailed steps, see the Checklist for z/OS installations in the information center.
The steps in this section assume that you have created JAZZCONF and JAZZWORK RACF GROUPs as outlined in the General RACF considerations and completed the customization and submission of the BLZCP* jobs that are required for your configuration.
In addition, there are security considerations that are specific to installing the Jazz Team Server on z/OS. If you plan to run the Jazz Team Server on z/OS, after you create the configuration and work directories using the BLZCP* sample jobs, you must prepare the DB2 z/OS repositories by creating the databases, editing the properties files, and running the appropriate repository tools functions. See Setting up a DB2 database on z/OS in the information center for more details.
The basic steps for creating the DB2 z/OS databases and running repository tools include:
- A DB2 system administrator must create the databases for the Jazz Team Server.
- A user ID and password must be created that has DBADM authority to the repositories and data warehouse. This user ID and password will be used for all access to the DB2 z/OS repositories.
- The user that runs the repository tools sample job (BLZCREDB) to create the database tables must either be the same user ID that ran the BLZCP* sample configuration JCL or be a member of the JAZZCONF and JAZZWORK RACF GROUPs to be able to read and update configuration files and logs.
- Two additional user IDs are involved in populating and accessing the data warehouse:
- The first is a data collection user ID, which must be a TSO ID with JazzAdmins access (READ access to the JazzAdmins EJBROLE profile). This ID and password are specified during the setup process using the Jazz Team Server setup wizard.
- The second ID is a report user (by default RPTUSER) that is granted SELECT access to the data warehouse tables as part of the data warehouse table creation process. This user access can then be used if external products, for example, Rational Reporting for Development Intelligence, connect to the data warehouse.
WebSphere Application Server security setup
If you plan to run the Jazz Team Server as a WebSphere Application Server application, there are several RACF profiles that you must define. Specifically, the user ID under which the application server runs must have READ and WRITE access to the CLM server configuration and work directories, and therefore must be connected to the JAZZCONF and JAZZWORK GROUPs. In addition, each CLM user's repository permissions are determined by that user's access to specific RACF EJBROLE profiles.
For additional details, see these information center topics:
- Running the Jazz Team Server and CLM applications on z/OS with WebSphere Application Server
- Setting up user security on z/OS with RACF
There are several sections of BLZRACF that address these requirements including the definition of the EJBROLE profiles. Note that the EJBROLE profile definitions can be affected by whether or not an APPL profile was defined during the creation of the WebSphere Application Server profile itself. At least one user ID must be granted READ access to the JazzAdmins EJBROLE profile.
Tomcat server security setup
If you plan to run the Jazz Team Server on z/OS with Tomcat, the user ID that is assigned to the Tomcat server job, either a normal user ID or a started task user ID, must be connected to the JAZZCONF and JAZZWORK RACF groups that control access to the configuration and work directories.
The following sample RACF commands in BLZRACF connect the Tomcat user ID to the configuration and work RACF groups:
# connect TOMCAT job or stc userid to JAZZCONF and JAZZWORK
LISTGRP JAZZCONF
CONNECT (TOMCATU) GROUP(JAZZCONF)
LISTGRP JAZZWORK
CONNECT (TOMCATU) GROUP(JAZZWORK)
The Tomcat user ID must also have a valid OMVS segment.
Build System Toolkit and Rational Build Agent considerations
After you complete the general RACF settings, there are several steps required to complete the Build System Toolkit and Rational Build Agent installation and configuration on z/OS. For the detailed steps, see the Checklist for z/OS installations in the information center.
The steps in this section assume that you have created JAZZCONF and JAZZWORK RACF GROUPs as outlined in the General RACF considerations, and completed the customization and submission of the BLZCP* jobs that are required for your configuration.
There are additional security considerations that are specific to installing the Rational Team Concert Build System Toolkit and Rational Build Agent on z/OS.
Build System Toolkit RACF classes
Configuring the Rational Team Concert Build System Toolkit and Rational Build Agent depends on activating several RACF classes:
- The STARTED CLASS is used to assign user ID relationships to the Rational Team Concert ISPF daemon started task and the Rational Build Agent started task.
- The APPL CLASS is used to activate application protection for the ISPF daemon.
- The PTKTDATA CLASS is used to support pass ticket generation for the ISPF client.
Sample member BLZRACFT contains sample RACF statements to activate these classes.
Rational Team Concert ISPF daemon and client security setup
If you are installing and using the ISPF client, there are several RACF security steps that you must complete. For additional details, see Setting up ISPF client security in the information center.
The basic steps included in BLZRACFT sample job include:
- Create a group for the ISPF daemon started task user.
- Create the ISPF daemon started task user (STCISPF).
- Associate the ISPF started tasks BLZISPFS and BLZISPFD with the STCISPF user ID.
- Connect the STCISPF user ID to the groups that allow access to the configuration and work directories.
- Allow STCISPF to run secure UNIX servers by granting access to the BPX.SERVER facility CLASS.
- Allow STCISPF access to the PTKTDATA CLASS for pass ticket generation.
Note: If you decide to use an ID other than STCISPF, you should change all references to that ID in BLZRACFT.
Program control
The Rational Team Concert ISPF daemon runs as a secure UNIX server. Servers with access to BPX.SERVER must run in a clean, program-controlled environment. This implies that all programs called by the ISPF client must also be program-controlled.
The Build System Toolkit components use the system load library (SYS1.LINKLIB), the Language Environment runtime libraries (CEE.SCEERUN*), and the TSO/ISPF gateway load library (ISP.SISPLOAD). Program control for ISP.SISPLOAD should already have been configured when the TSO/ISPF gateway was configured. For more information about the TSO/ISPF gateway, see the chapter "TSO/ISPF client gateway" in ISPF Planning and Customizing (GC34-4814).
The following sample RACF commands create the program control entries in the RACF database. See the relevant step in job BLZRACFT in hlq.SBLZSAMP for an example of RACF statements to perform this task.
RALTER PROGRAM ** UACC(READ) ADDMEM(SYS1.LINKLIB//NOPADCHK)
RALTER PROGRAM ** UACC(READ) ADDMEM(CEE.SCEERUN//NOPADCHK)
RALTER PROGRAM ** UACC(READ) ADDMEM(CEE.SCEERUN2//NOPADCHK)
SETROPTS RACLIST(PROGRAM) REFRESH
Note: Do not add a ** profile if you already have a * profile in the PROGRAM class, because having both obscures and complicates the search path that your security software uses. In that case, merge the existing * definitions into the new ** definition; the ** profile is the recommended form. See the Security Server RACF Security Administrator's Guide (SA22-7683).
Rational Build Agent security setup
You can run the Rational Build Agent in several ways. For details, see Installing and running the Rational Build Agent on z/OS in the information center. Running the Rational Build Agent under a user ID with UID(0) is recommended: running the build agent with UID(0) allows users to override the authority under which the build agent runs when requesting a build. This user ID must also be connected to the JAZZCONF and JAZZWORK groups that control access to the configuration and work directories. To run promotions, deployments, or other builds that use the ISPF gateway, this user ID must have READ access to the required ISPF configuration files (ISPZXENV and ISPF.conf), must be authorized to use TSO, and must have an ALIAS for a valid HLQ.
If you plan to run the Rational Build Agent as a started task, you must issue RACF commands to make the definitions to set up the started task. See the instructions included in the BLZRACFT job in hlq.SBLZSAMP for an example of RACF statements to perform this task.
The following sample RACF commands create the BLZBFA started task, with protected user ID (STCBFA) and group STCGROUP assigned to them. Replace the #group-id and #user-id-* placeholders with valid OMVS IDs.
ADDGROUP STCGROUP OMVS(GID(#group-id)) DATA('GROUP WITH OMVS SEGMENT FOR STARTED TASKS')
ADDUSER STCBFA DFLTGROUP(STCGROUP) NOPASSWORD NAME('RATIONAL BUILD AGENT') OMVS(UID(0) HOME(/tmp) PROGRAM(/bin/sh)) DATA('RATIONAL TEAM CONCERT')
RDEFINE STARTED BLZBFA.* DATA('RTC - RATIONAL BUILD AGENT') STDATA(USER(STCBFA) GROUP(STCGROUP) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH
# connect Build Forge Agent userid to JAZZ config group (default JAZZCONF)
LISTGRP JAZZCONF
CONNECT (STCBFA) GROUP(JAZZCONF)
# connect Build Forge Agent userid to JAZZ work group (default JAZZWORK)
LISTGRP JAZZWORK
CONNECT (STCBFA) GROUP(JAZZWORK)
Ensure that the started task user ID is protected by specifying the NOPASSWORD keyword.
User ID OMVS segment creation
You must define a RACF OMVS segment (or equivalent) that specifies a valid non-zero z/OS UNIX user ID (UID), home directory, and shell command for each ISPF client user and for each Rational Developer for System z user. In addition, if you run builds through the Rational Build Agent and override the user authentication, and you set the "load directory" in the build to your OMVS home directory, you must have an OMVS segment for each user who submits personal dependency builds. The user's default group also requires an OMVS segment with a group ID.
Replace the placeholders #userid, #user-identifier, #group-name, and #group-identifier with actual values in the following sample RACF commands:
ALTUSER #userid OMVS(UID(#user-identifier) HOME(/u/#userid) PROGRAM(/bin/sh) NOASSIZEMAX)
ALTGROUP #group-name OMVS(GID(#group-identifier))
Although it is not recommended, you can use the shared OMVS segment defined in the BPX.DEFAULT.USER profile of the FACILITY class to fulfill the OMVS segment requirement for Rational Team Concert.
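The OMVS segment requirements above (a non-zero UID for interactive users, a home directory, a shell program, and a default group that itself has a GID) can be checked from the USS side, because on z/OS the pwd and grp modules read the RACF OMVS segments. The following checker is an added example written for this article, not code from the BLZ sample members or the product. The user names and UIDs in it are constructed for illustration; the allow_uid0 switch is an assumption made here so that a started-task ID such as STCBFA, which runs with UID(0), can be checked with the same function. One caveat the code cannot resolve: if the shared segment from BPX.DEFAULT.USER is in effect, a user without a segment of their own still looks valid to pwd.

```python
import grp
import os
import pwd


def check_omvs_segment(entry, allow_uid0=False):
    """Return a list of problems with one user's OMVS segment.

    entry       -- a pwd.struct_passwd; on z/OS its fields come from the
                   RACF OMVS segment (UID, HOME, PROGRAM) and default group
    allow_uid0  -- True only for started-task IDs that are meant to run with
                   UID(0), such as the build agent user (assumption for this
                   example: interactive ISPF and RDz users never qualify)
    An empty list means the segment satisfies the requirements listed above.
    """
    problems = []
    if entry.pw_uid == 0 and not allow_uid0:
        problems.append("UID is 0; interactive users need a non-zero UID")
    if not entry.pw_dir or not entry.pw_dir.startswith("/"):
        problems.append("no absolute home directory (HOME) in OMVS segment")
    if not entry.pw_shell:
        problems.append("no shell program (PROGRAM) in OMVS segment")
    try:
        grp.getgrgid(entry.pw_gid)  # fails if the default group has no GID
    except KeyError:
        problems.append(f"default group GID {entry.pw_gid} has no OMVS segment")
    return problems


def check_user(name, allow_uid0=False):
    """Look a user up by name and check the segment; a missing user is itself a finding."""
    try:
        entry = pwd.getpwnam(name)
    except KeyError:
        return [f"user {name} has no OMVS segment visible to pwd"]
    return check_omvs_segment(entry, allow_uid0)


if __name__ == "__main__":
    # Constructed list for illustration: ISPF client users plus the build
    # agent started-task ID; replace with the IDs in your own deployment.
    for user, uid0_ok in [("ispfusr1", False), ("ispfusr2", False), ("STCBFA", True)]:
        for problem in check_user(user, allow_uid0=uid0_ok) or ["ok"]:
            print(f"{user}: {problem}")
```

Running this for the list of ISPF client, Rational Developer for System z and build users gives a quick confirmation that the ALTUSER and ALTGROUP commands were applied to every ID before the users start reporting failures in the ISPF client or in personal builds.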
Additional access to configuration and work directories
The following additional users need access to the work directories. (They must be connected to the JAZZWORK group.)
- ISPF client users
- Enterprise Extensions build users
Rational Team Concert Job Monitor security setup
If you plan to run JCL-based builds through the Rational Build Agent, there are additional security tasks to consider when you configure the Job Monitor. The greatest flexibility for users to submit JCL under their own IDs is provided if the Build Agent supporting these builds is started by user ID UID(0). For details, see Using the Rational Build Agent and Job Monitor to run builds using JCL in the information center.
Rational Developer for System z integration feature security setup
If you plan to run the Rational Developer for System z integration feature with Rational Team Concert, the user ID that is assigned to the Remote System Explorer daemon (RSED) started task must be connected to the JAZZCONF and JAZZWORK RACF groups that control access to the configuration and work directories.
The following sample RACF commands connect the RSED started task user ID to the configuration and work RACF groups:
# connect RSED Started task userid to JAZZCONF and JAZZWORK
LISTGRP JAZZCONF
CONNECT (RSED) GROUP(JAZZCONF)
LISTGRP JAZZWORK
CONNECT (RSED) GROUP(JAZZWORK)
Note:
- The RSED user must be able to read the symlinks created by sample member BLZCRSYM as part of the configuration of the Rational Developer for System z integration feature. Typically these links are in a subdirectory of /etc/jazz, so connecting the RSED user to JAZZCONF will fulfill that requirement. If the symlinks are in another directory, ensure that the RSED user can access them.
- Integration feature users need read access to the FileAgentConfiguration.dat file, which is in the same directory as the rsed.envvars file for Rational Developer for System z.
- Integration feature users must be connected to the JAZZWORK group to be able to store SCM metadata in the working directories.
For more information
Copyright © 2011 IBM Corporation