When a CICS region requests a z/OS UNIX function for the first
time, RACF:
- Verifies that the user (the CICS region user ID) is defined as a z/OS
UNIX user.
- Verifies that the user's current connect group is defined as a z/OS UNIX
group.
- Initializes the control blocks needed for subsequent security checks.
You need to ensure that each CICS region meets these security requirements,
by assigning a z/OS UNIX user identifier (UID) to the CICS region user ID,
and assigning a z/OS UNIX group identifier (GID) to a RACF group to which
the CICS region user ID connects. The identifiers will also be needed to give
each CICS region permission to access the HFS directories and files that it
needs. During this process, you also need to set up a home directory for each
CICS region. This home directory can then be used, if you wish, as the work
directory for Java-related activities and for output from JVMs, or as the
location for HFS files used by CICS Web support.
The UID and GID are numbers that can be in the range 0 to 16 777 216. (0 is a
superuser ID.) Give some thought to naming conventions, and to any existing UIDs
and GIDs in your z/OS UNIX system. z/OS UNIX System Services Planning, GA22-7800,
explains how to manage the UIDs and GIDs for your z/OS UNIX system.
To assign a z/OS UNIX UID and GID for your CICS regions and set up a home directory:
- Choose a RACF group that can be used by all your CICS regions. For example,
you could use a RACF group that is defined as the default group of your CICS
region user IDs, or you could set up a RACF group to be used only for access
to JVM-related directories and files or CICS Web support directories and files.
If you use this RACF group for giving file access permissions, following the
procedure described in Giving CICS regions permission to access HFS directories and files, the RACF
group's z/OS UNIX group identifier (GID) will be associated with the HFS directories
and files. This means that the owner of these directories and files, and anyone
who is not the owner but needs to carry out operations with these files, will
need to have this group as their current connect group or as one of their
supplementary groups. “RACF group profiles” in the CICS® RACF® Security Guide
explains how RACF groups work.
- Choose a suitable z/OS UNIX group identifier (GID) for the RACF group,
and assign the GID to the RACF group. To assign a GID, specify the GID value
in the OMVS segment of the RACF group profile. For example, if the RACF group
is CICSTSAB, and the GID you want to assign is 9, use the command:
ALTGROUP CICSTSAB OMVS(GID(9))
- Choose a suitable z/OS UNIX user identifier (UID) for each CICS region.
Assign the UID to each of your CICS region user IDs. (“Specifying the CICS region
userid” in the CICS RACF Security Guide explains how the region
user ID under which CICS executes is specified when CICS is run as a started
task, as a started job, or as a job.) To assign UIDs, specify the UID value
in the OMVS segment of the RACF user profile for each CICS region user ID.
Also specify the name of a home directory for each CICS region using the HOME
option. The directory name should be in the format /u/userid, where userid is
the CICS region user ID. “RACF
user profiles” in the CICS RACF Security Guide tells you how to update
a RACF user profile using the ALTUSER command. For example, if the CICS region
user ID is CICSHT##, and the UID you want to assign is 2001, use the command:
ALTUSER CICSHT## OMVS(UID(2001) HOME('/u/cicsht##'))
If you want to know about the other information that can be specified in
an OMVS segment parameter in a user profile besides the UID and home directory,
see the z/OS Security Server RACF Command Language Reference,
SA22-7687.
Note: It is possible to assign the same UID to more than one CICS
region user ID. If all your CICS regions need to use the same HFS files (for
example, the supplied sample files for JVMs), you could give all the CICS
regions the same UID, and then you could assign permissions to that UID, rather
than to the GID. However, bear in mind that:
- The sharing of UIDs allows each CICS region to access all of the z/OS
UNIX resources that the other CICS regions with that shared user ID can access,
and this might not be appropriate in your system.
- The sharing of UIDs is not normally recommended in a z/OS UNIX system.
- If you do choose to share UIDs, note that
the z/OS UNIX System Services parameter MAXPROCUSER limits the maximum number
of processes that a single user (that is, with the same UID) can have concurrently
active. z/OS UNIX System Services Planning, GA22-7800, has more
information about this parameter.
- Set up each of the directories that you have specified as a home directory
for one of your CICS regions. To do this:
- If you are not using an automount facility, use the mkdir command
to create the HFS directories. For example, issuing the UNIX command
mkdir /u/cicsht##
creates the HFS directory /u/cicsht##. (If you are using the TSO MKDIR
command, the directory name must be enclosed in single quotes.)
- Whether or not you are using an automount facility, allocate an HFS data
set for each directory. z/OS UNIX System Services Planning, GA22-7800,
tells you how to do this.
- If you are not using an automount facility, mount the data set that you
have allocated. Again, z/OS UNIX System Services Planning, GA22-7800,
tells you how to do this.
Note that the HFS data set that you allocate for a CICS region's home
directory has a finite size, and if a particular CICS region is using the
home directory extensively, you might need to increase the amount of space
that the region has available.
- Make sure that each of your CICS region user IDs connects to the RACF
group to which you assigned a z/OS UNIX group identifier (GID). If your CICS
region user IDs need to connect to more than one RACF group, RACF list-of-groups
checking must be active in your system.
To check the UID and GID details for a user, use the id command in the UNIX
environment. For example, issuing the id command for our example CICS region
user ID CICSHT## would give the following result:
uid=2001(CICSHT##) gid=9(CICSTSAB)
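The following script is an added example, not part of the original documentation and not IBM-supplied code. It builds the ALTGROUP and ALTUSER commands in the form shown above (HOME as /u/ followed by the lower-case region user ID), then parses captured output of the id command for several region user IDs and checks the requirements this page states: the UID is within the stated range and is not the superuser ID 0, the user ID is connected to the group that carries the GID (either as its current connect group or through list-of-groups checking), and no two regions share a UID. The function names, the handling of an optional groups= field in id output, and the sample id lines are assumptions and constructed data, not values from a real system.

```python
import re
from dataclasses import dataclass, field

# Range stated in the text: UIDs and GIDs run from 0 to 16 777 216, and 0 is a superuser ID.
ID_MAX = 16_777_216

# Matches the z/OS UNIX "id" output shown in the text, e.g.
#   uid=2001(CICSHT##) gid=9(CICSTSAB)
# optionally followed by a "groups=20(GRP2),21(GRP3)" field (assumed format) listing
# supplementary groups picked up through RACF list-of-groups checking.
ID_RE = re.compile(r"^uid=(\d+)\(([^)]+)\)\s+gid=(\d+)\(([^)]+)\)(?:\s+groups=(.*))?$")
GROUP_RE = re.compile(r"^(\d+)\(([^)]+)\)$")


@dataclass
class RegionIdentity:
    userid: str
    uid: int
    gid: int                                           # current connect group's GID
    group: str                                         # current connect group's name
    supplementary: list = field(default_factory=list)  # (gid, name) pairs


def parse_id_output(line):
    """Parse one line of 'id <userid>' output into a RegionIdentity."""
    m = ID_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised id output: {line!r}")
    uid, userid, gid, group, groups = m.groups()
    supp = []
    for entry in (groups or "").split(","):
        g = GROUP_RE.match(entry.strip())
        if g:
            supp.append((int(g.group(1)), g.group(2)))
    return RegionIdentity(userid, int(uid), int(gid), group, supp)


def check_region(ident, expected_group, expected_gid):
    """Findings for one region user ID; an empty list means it meets the requirements."""
    findings = []
    if ident.uid == 0:
        findings.append("UID 0 is a superuser ID")
    elif not 0 <= ident.uid <= ID_MAX:
        findings.append(f"UID {ident.uid} is outside the range 0-{ID_MAX}")
    # The GID-bearing group may be the current connect group or a supplementary group.
    connected = [(ident.gid, ident.group)] + ident.supplementary
    if (expected_gid, expected_group) not in connected:
        findings.append(f"not connected to {expected_group} (GID {expected_gid})")
    return findings


def find_shared_uids(idents):
    """UID -> region user IDs, for UIDs that more than one region user ID shares."""
    by_uid = {}
    for ident in idents:
        by_uid.setdefault(ident.uid, []).append(ident.userid)
    return {uid: ids for uid, ids in by_uid.items() if len(ids) > 1}


def audit(id_lines, expected_group, expected_gid):
    """Per-region findings across all captured id output lines."""
    idents = [parse_id_output(line) for line in id_lines]
    report = {i.userid: check_region(i, expected_group, expected_gid) for i in idents}
    for uid, ids in find_shared_uids(idents).items():
        for userid in ids:
            others = ", ".join(u for u in ids if u != userid)
            report[userid].append(f"UID {uid} is shared with {others}")
    return report


def racf_commands(group, gid, region_uids):
    """ALTGROUP/ALTUSER commands in the form the text shows; HOME is /u/<userid in lower case>.
    UID 0 is refused here because it is the superuser ID."""
    if not 0 < gid <= ID_MAX:
        raise ValueError(f"GID {gid} not in 1-{ID_MAX}")
    for uid in region_uids.values():
        if not 0 < uid <= ID_MAX:
            raise ValueError(f"UID {uid} not in 1-{ID_MAX}")
    cmds = [f"ALTGROUP {group} OMVS(GID({gid}))"]
    for userid, uid in region_uids.items():
        cmds.append(f"ALTUSER {userid} OMVS(UID({uid}) HOME('/u/{userid.lower()}'))")
    return cmds


# Constructed sample id output (not captured from a real system) for four region user IDs.
SAMPLE_ID_OUTPUT = [
    "uid=2001(CICSHT##) gid=9(CICSTSAB)",
    "uid=2002(CICSHT#2) gid=9(CICSTSAB) groups=20(OTHERGRP)",
    "uid=2002(CICSHT#3) gid=20(OTHERGRP) groups=9(CICSTSAB)",
    "uid=0(CICSHT#4) gid=9(CICSTSAB)",
]

if __name__ == "__main__":
    for cmd in racf_commands("CICSTSAB", 9, {"CICSHT##": 2001}):
        print(cmd)
    for userid, findings in audit(SAMPLE_ID_OUTPUT, "CICSTSAB", 9).items():
        print(userid, "OK" if not findings else "; ".join(findings))
```

On a real system you would collect the input lines by running id for each CICS region user ID and feeding the output to audit; the shared-UID finding appears on every region involved, so that each one can be reviewed against the MAXPROCUSER and access-scope caveats in the note above.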
Now that each CICS region user ID has a UID and is connected to a group with
a GID, it can use z/OS UNIX functions and access z/OS UNIX files. Next, identify
the files that each CICS region needs, and the HFS directories
that contain the files, and use the group name or GID to give the CICS region
permission to access these directories and files. Giving CICS regions permission to access HFS directories and files tells
you how to do this.