Before starting IBM HTTP Server, there are required z/OS system configurations that you must set up.
In order to run IBM HTTP Server, you must set the following z/OS system configurations:
ALTUSER WWWSERV OMVS(MEMLIMIT(512M))
For a complete description of how to set MEMLIMIT, refer to the section "Limiting the use of memory objects" in z/OS MVS Programming Extended Addressability Guide (SA22-7614). You can link to this document from the z/OS Internet Library.
IBM HTTP Server requires approximately 5.4 megabytes of 64-bit virtual memory per thread. The minimum recommended MEMLIMIT setting for proper IBM HTTP Server operation is: 6 * (ThreadsPerChild + 3) megabytes.
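As an added example (not part of the IBM documentation), the following POSIX shell functions read ThreadsPerChild from an httpd.conf, apply the formula above, and print the ALTUSER command to issue; the configuration file contents, its path and the default of 25 threads when the directive is absent are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not IBM's code: derive the minimum MEMLIMIT for the server
# user ID from ThreadsPerChild using the documented formula
# 6 * (ThreadsPerChild + 3) megabytes, and emit the RACF ALTUSER command.

# Constructed sample httpd.conf fragment: a commented-out directive that must
# be ignored, followed by the directive that is actually in effect.
make_sample_conf() {
    cat > "$1" <<'EOF'
# ThreadsPerChild 25
ThreadsPerChild 100
Listen 80
EOF
}

# Print the effective ThreadsPerChild value: the last uncommented occurrence
# wins, as httpd itself evaluates directives. A default of 25 is assumed
# when the directive is absent (check your own MPM defaults).
threads_per_child() {
    val=$(sed -n 's/^[[:space:]]*ThreadsPerChild[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    echo "${val:-25}"
}

# Minimum MEMLIMIT in megabytes: 6 * (ThreadsPerChild + 3).
min_memlimit_mb() {
    echo $(( 6 * ($1 + 3) ))
}

# Emit the ALTUSER command for the given user ID and thread count.
altuser_cmd() {
    echo "ALTUSER $1 OMVS(MEMLIMIT($(min_memlimit_mb "$2")M))"
}

# Example run: conf=$(mktemp); make_sample_conf "$conf"
#              altuser_cmd WWWSERV "$(threads_per_child "$conf")"
```

The printed command is a floor, not a ceiling; round MEMLIMIT up to a comfortable value (the page's own example uses 512M) rather than setting it to the exact minimum.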
For more information on configuration methods for allowing access to low ports, refer to the sections "Port access control" and "Setting up reserved port number definitions in PROFILE.TCPIP" in z/OS Communications Server IP Configuration Guide (SC31-8775). You can link to this document from the z/OS Internet Library.
For an explanation of how Unix System Services jobnames (such as those for IBM HTTP Server instances) are determined, refer to the section "Generating jobnames for OMVS address spaces" in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.
Password example:
ADDGROUP WWWGROUP OMVS(GID(999))
ADDUSER WWWSERV DFLTGRP(WWWGROUP) OMVS(UID(999)) PASSWORD(password)
Password phrase example:
ADDGROUP WWWGROUP OMVS(GID(999))
ADDUSER WWWSERV DFLTGRP(WWWGROUP) OMVS(UID(999)) PHRASE('my0users@99#701_workgroup')
The security administrator should define the password for the Web server user ID, instead of allowing it to default, to prevent an unauthorized user from being able to log in with that user ID. The ALTUSER command can be used to modify the password of an existing user ID.
RDEFINE STARTED WEBSRV1.* STDATA(USER(WWWSERV) GROUP(WWWGROUP) TRACE(YES))
RALTER PROGRAM * ADDMEM('hlq.LINKLIB'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('hlq.SCEERUN'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('hlq.SCLBDLL') UACC(READ)
SETROPTS WHEN(PROGRAM) REFRESH
In this example, an asterisk (*) is used to specify all programs in the data set.
# extattr +ap /opt/IBM/HTTPServer/modules/mod_jauth.so
In this example, substitute the IBM HTTP Server installation location for /opt/IBM/HTTPServer/. (You can build custom plug-in modules using the apxs script that is provided.)
RALTER PROGRAM * ADDMEM('hlq.SIEALNKE'//NOPADCHK) UACC(READ)
SETROPTS WHEN(PROGRAM) REFRESH
If you are turning on program control for the first time, use the RDEFINE statements instead of the RALTER statements. If you are using another security product, refer to that product's documentation for instructions.
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PE IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
SETR CLASSACT(FACILITY)
SETR RACLIST(FACILITY) REFRESH
For a complete guide to RACF commands, refer to z/OS Security Server RACF Security Administrator's Guide (SA22-7683). You can link to this document from the z/OS Internet Library.
Integrated Cryptographic Services Facility (ICSF) is the software interface to the cryptographic hardware. If you plan to run IBM HTTP Server with cryptographic hardware capability, you can restrict the use of ICSF services. To restrict the use of ICSF services, you can permit user IDs to certain profiles in the CSFSERV general resource class. CSFSERV controls the use of ICSF software. If you have defined your IBM HTTP Server to execute with a nonzero user ID, you can give the nonzero user ID READ access to CSFSERV. If you are using a security product other than RACF, refer to that product's documentation for instructions.
If you want to restrict the use of ICSF services, issue RACF commands similar to the commands in the following examples. If you have applications other than IBM HTTP Server that are using ICSF, you must customize the examples. Otherwise, the other applications will no longer have access to ICSF services.
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
RDEFINE CSFSERV CSF* UACC(NONE)
PERMIT CSF%%C CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
PERMIT CSFPK% CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
PERMIT CSFCK% CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
RDEFINE CSFSERV CSF%%C UACC(READ)
RDEFINE CSFSERV CSFPK% UACC(READ)
RDEFINE CSFSERV CSFCK% UACC(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH
To perform key storage on cryptographic devices, refer to the section "Integrated Cryptographic Service Facility (ICSF) Considerations" in z/OS Security Server RACF Security Administrator's Guide (SA22-7683).
For information on ICSF options, refer to the section "Using Hardware Cryptographic Features with System SSL" in z/OS Cryptographic Services System Secure Sockets Layer (SSL) Programming (SC24-5901).
You can link to both of these documents from the z/OS Internet Library.
A typical setting is: export _BPX_JOBNAME=HTTPD. The default is to append an incrementing integer to your jobname, such as HTTPD1, HTTPD2, HTTPD3. For more information refer to the section "Generating jobnames for OMVS address spaces" in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.
RDEFINE FACILITY BPX.JOBNAME UACC(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
PERMIT BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(WWWSERV)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY BPX.JOBNAME ALL
For more information, refer to the section "Setting up the BPX.* FACILITY class profiles" in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.