What external security privileges are required for the CA OPS/MVS RESTful Web Services started task(OPSWS)?

Document ID : KB000044415
Last Modified Date : 14/02/2018
Show Technical Document Details

Question: 
What external security privileges are required for the CA OPS/MVS RESTful Web Services started task(OPSWS)?

Answer: 
Generally, the OPSWS task does not need any other privileges if it runs as user id zero (UID 0).  However, if you do not want to allow OPSWS to run UID=0, an alternative is defining the server to use thread-level security using BPX.SERVER and BPX.SUPERUSER.

External Security recommendations:

RACF
If your site has defined and activated the BPX.SERVER or BPX.DAEMON facilities, you need to define OPSWS to RACF as follows:

    • TSO PERMIT BPX.SERVER CLASS(FACILITY) ID(OPSWS) ACCESS(READ)
    • TSO PERMIT BPX.SUPERUSER ID(OPSWS) CLASS(FACILITY) ACCESS(READ)

CA TOP SECRET
Here are the CA Top Secret (TSS) commands for the alternative BPX.SERVER and BPX.SUPERUSER:

    • TSS PER(OPSWS) IBMFAC(BPX.SERVER) ACC(READ)
    • TSS PER(OPSWS) IBMFAC(BPX.SUPERUSER) ACC(READ)

If you use CA TOP SECRET, you must define a master facility (MASTFAC) for the Tomcat Server started task. If the started task does not have a MASTER FAC, you need to add one. Once you define the facility facname, add it as a MASTFAC to the Tomcat Server region acid.

    • TSS ADD(acid) MASTFAC(facname)

Also, you must add this FAC as a facility to the users that need access through TSS ADD(acid) FAC(facname) where acid is the user acid, an attached profile, or the ALL record if all users should have access.

CA ACF2
Here are the equivalent CA ACF2 definitions for the alternative BPX.SERVER and BPX.SUPERUSER:

    • SET RESOURCE(FAC)
    • RECKEY BPX ADD( SERVER UID(uid string for OPSWS) SERVICE(READ) ALLOW)
    • RECKEY BPX ADD( SUPERUSER UID(uid string for OPSWS) SERVICE(READ) ALLOW)
    • F ACF2,REBUILD(FAC)

Additional Information:
The recommendations to run Tomcat with BPX.DAEMON and BPX.SUPERUSER were derived from the Apache and IBM documentation. CA OPS/MVS does not need them directly.

The list below has links to a few of the manuals and web pages that contain information on USS security:

    • Using SAF Security in Tomcat (Copyright 2009 Dovetailed Technologies, LLC. All rights reserved.)
    • z/OS Unix Security needs fixing – next steps (© Copyright  zEdSkills Ltd 2014)

    • Defining servers to use thread-level security (Copyright IBM Corporation 1990, 2014)
    • Steps for setting up BPX.SUPERUSER (Copyright IBM Corporation 1990, 2014)

CA Documentation - CA OPS/MVS Event Management and Automation