Setting up security for the IBM Health Checker



Article ID: 11269


Products

Top Secret Top Secret - LDAP

Issue/Introduction

The following document provides guidelines on setting up security for the IBM Health Checker for z/OS started task with TOP SECRET.

The IBM Health Checker for z/OS documentation provides RACF examples but no TOP SECRET examples. The RACF examples from that documentation were converted to their TOP SECRET equivalents to produce this document.

Environment

Release: TOPSEC00200-16-Top Secret-Security

Resolution

Security for IBM Health Checker for z/OS must be set up the same way as it would be done for any other started task.

Here are the steps to be followed:


1. Create a user ID for IBM Health Checker for z/OS with superuser authority (UID(0)) and connect this superuser user ID to a group. 

Example: 

TSS CREATE(hcsuperid) NAME('hcsuperid') TYPE(SCA) DEPT(dept) PASS(password,0)
TSS ADD(hcsuperid) UID(0) HOME('/') OMVSPGM('/bin/sh') GROUP(OMVSGRP) DFLTGRP(OMVSGRP)
TSS ADD(OMVSGRP) GID(46)
TSS ADD(hcsuperid) FACILITY(STC)
TSS MODIFY(OMVSTABS)


2. Associate the superuser User ID, hcsuperid, with the IBM Health Checker for z/OS started task, HZSPROC. 

Example: 

TSS ADD(STC) PROCN(HZSPROC) ACID(hcsuperid)


3. Give the IBM Health Checker for z/OS started task superuser ID UPDATE access to the HZSPDATA data set on each system where you'll run IBM Health Checker for z/OS.

Example: 

TSS ADD(owningacid) DSN(SYS1.PRODSYS.HZSPDATA)
TSS PER(hcsuperid) DSN(SYS1.PRODSYS.HZSPDATA) ACCESS(UPDATE)


4. Give the IBM Health Checker for z/OS started task superuser ID READ access to the HZSPRMxx parmlib member(s).

Example: 

TSS ADD(owningacid) DSN(SYS1.PARMLIB)
TSS PER(hcsuperid) DSN(SYS1.PARMLIB) ACCESS(READ)


5. If a log stream is being used, the IBM Health Checker for z/OS started task superuser ID must be permitted UPDATE access to each RESOURCE(logstreamname) in CLASS(LOGSTRM). IBM Health Checker for z/OS connects directly to the defined log stream or streams.

Example: 

TSS ADD(owningacid) LOGSTRM(logstreamname) 
TSS PER(hcsuperid) LOGSTRM(logstreamname) ACCESS(UPDATE)


Setting up security for the HZSPRINT utility


In order to use HZSPRINT to view check output, users must be authorized to the QUERY and MESSAGES services for the checks they want to see.

Note that in the following examples, hcprintuserid is the ID of either a user or group to give access to HZSPRINT output.


  1. When using HZSPRINT with a wildcard character in the check owner:
       // EXEC PGM=HZSPRNT,PARM='CHECK(*,GRS_Mode)'

    When using HZSPRINT with a wildcard character in both the check owner and check name: 
       // EXEC PGM=HZSPRNT,PARM='CHECK(*,*)'

    The following set of resources must be owned and permitted: 

    • HZS.sysname.QUERY
    • HZS.sysname.check_owner.MESSAGES
    • HZS.sysname.check_owner.check_name.MESSAGES


    Example:
    TSS ADD(owningacid) XFACILIT(HZS.sysname.QUERY)
    TSS PER(hcprintuserid) XFACILIT(HZS.sysname.QUERY) ACC(READ)
    TSS ADD(owningacid) XFACILIT(HZS.sysname.check_owner.MESSAGES)
    TSS PER(hcprintuserid) XFACILIT(HZS.sysname.check_owner.MESSAGES) ACC(READ)
  2. When using HZSPRINT with an explicit check owner but a wildcard character for the check name, to look at multiple checks, as follows:
    // EXEC PGM=HZSPRNT,PARM='CHECK(IBMRACF,*)' 

    The following set of resources must be owned and permitted: 

    • HZS.sysname.check_owner.QUERY
    • HZS.sysname.check_owner.MESSAGES or HZS.sysname.check_owner.check_name.MESSAGES


    Example: 
    TSS ADD(owningacid) XFACILIT(HZS.sysname.IBMRACF.QUERY)
    TSS PERMIT(hcprintuserid) XFACILIT(HZS.sysname.IBMRACF.QUERY) ACCESS(READ)
    TSS ADD(owningacid) XFACILIT(HZS.sysname.IBMRACF.check_name.MESSAGES)
    TSS PERMIT(hcprintuserid) XFACILIT(HZS.sysname.IBMRACF.check_name.MESSAGES) ACCESS(READ)
  3. When using HZSPRINT to look at one check at a time, explicitly specifying both check owner and check name, as follows: 
    // EXEC PGM=HZSPRNT,PARM='CHECK(IBMRACF,RACF_GRS_RNL)'

    The following set of resources must be owned and permitted:

    For QUERY in one of the following ways: 

    • HZS.sysname.check_owner.QUERY
    • HZS.sysname.check_owner.check_name.QUERY


    For MESSAGES in one of the following ways: 

    • HZS.sysname.check_owner.MESSAGES
    • HZS.sysname.check_owner.check_name.MESSAGES


    Example: 
    TSS ADD(owningacid) XFACILIT(HZS.SYS1.IBMRACF.RACF_GRS_RNL.QUERY) 
    TSS PERMIT(hcprintuserid) XFACILIT(HZS.SYS1.IBMRACF.RACF_GRS_RNL.QUERY) ACCESS(READ)
    TSS ADD(owningacid) XFACILIT(HZS.SYS1.IBMRACF.RACF_GRS_RNL.MESSAGES)
    TSS PERMIT(hcprintuserid) XFACILIT(HZS.SYS1.IBMRACF.RACF_GRS_RNL.MESSAGES) ACCESS(READ)

    Note that IBM Health Checker for z/OS looks first at the shorter, higher level definitions, then if it finds no match, it looks for a more detailed one. 

  4. When using HZSPRINT to print IBM Health Checker for z/OS log stream data, as follows:
    // EXEC PGM=HZSPRNT,PARM='LOGSTREAM(logstreamname)'

    OR
    // EXEC PGM=HZSPRNT,PARM='LOGSTREAM(logstreamname),CHECK(owner,name)'

    OR
    // EXEC PGM=HZSPRNT,PARM='LOGSTREAM(logstreamname),CHECK(owner,name),EXCEPTIONS'

    The log stream must be owned and be assigned READ access to users accessing the log stream through HZSPRINT. 

    Example: 
    TSS ADD(owningacid) IBMFAC(log_stream_data_set_name) 
    TSS PERMIT(hcprintuserid) IBMFAC(log_stream_data_set_name) ACCESS(READ)

    Note: Generic prefixing may be used for the IBMFAC, XFACILIT, and LOGSTRM resource names.
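The three CHECK(owner,name) cases above follow a fixed naming rule, and an administrator permitting many checks will want to derive the resource names rather than type them. The following helper is an added example, not part of this article or of the Top Secret product: it parses the HZSPRNT PARM string, returns the shorter, higher-level XFACILIT names that Health Checker checks first, and emits the TSS ADD/PERMIT pairs. It assumes that, for a wildcard owner, the caller supplies the owners the wildcard will actually match (matched_owners), since MESSAGES resources are always qualified by owner.

```python
import re
from typing import Iterable

# Constructed helper (not from the article): derives the XFACILIT resource
# names that the three HZSPRINT CHECK(...) cases require and emits the
# matching TSS ADD/PERMIT commands.

_CHECK_RE = re.compile(r"CHECK\(([^,)]+),([^)]+)\)")

def parse_check_parm(parm: str) -> tuple[str, str]:
    """Extract (check_owner, check_name) from an HZSPRNT PARM string."""
    m = _CHECK_RE.search(parm)
    if not m:
        raise ValueError(f"no CHECK(owner,name) in PARM: {parm!r}")
    return m.group(1).strip(), m.group(2).strip()

def hzsprint_resources(sysname: str, owner: str, name: str,
                       matched_owners: Iterable[str] = ()) -> list[str]:
    """Minimal XFACILIT resources for PARM='CHECK(owner,name)'.

    Prefers the shorter, higher-level names, which Health Checker checks
    first. With a wildcard owner, MESSAGES is still qualified by owner, so
    matched_owners must list the owners the wildcard will actually match
    (assumption: the caller knows them from the installed checks).
    """
    p = f"HZS.{sysname}"
    if owner == "*":                                   # case 1: CHECK(*,...)
        owners = list(matched_owners)
        if not owners:
            raise ValueError("wildcard owner needs matched_owners")
        return [f"{p}.QUERY"] + [f"{p}.{o}.MESSAGES" for o in owners]
    if name == "*":                                    # case 2: CHECK(owner,*)
        return [f"{p}.{owner}.QUERY", f"{p}.{owner}.MESSAGES"]
    # case 3: CHECK(owner,name). Owner-level names would also satisfy it,
    # but scoping to the single check is the least-privilege choice.
    return [f"{p}.{owner}.{name}.QUERY", f"{p}.{owner}.{name}.MESSAGES"]

def tss_commands(owningacid: str, useracid: str, resources: Iterable[str]) -> list[str]:
    """Emit the ADD (ownership) and PERMIT (READ) pair for each resource."""
    cmds = []
    for r in resources:
        cmds.append(f"TSS ADD({owningacid}) XFACILIT({r})")
        cmds.append(f"TSS PERMIT({useracid}) XFACILIT({r}) ACCESS(READ)")
    return cmds

if __name__ == "__main__":
    owner, name = parse_check_parm("CHECK(IBMRACF,RACF_GRS_RNL)")
    for c in tss_commands("owningacid", "hcprintuserid",
                          hzsprint_resources("SYS1", owner, name)):
        print(c)
```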

Additional Information