What are the ServerPac and SystemPac Security Requirements with eTrust CA ACF2?
The documentation for ServerPac and SystemPac indicates that there are a number of requirements to complete the installation.
The userid must be a superuser (UID=0). Just having access to the BPX.SUPERUSER FACILITY class resource is not sufficient. This is because the pax utility is used to unload the ServerPac HFS, and this utility does not use the BPX.SUPERUSER FACILITY class resource to establish superuser identification.
The example below shows how to define user OMVSUSR as a superuser. Since HOME and OMVSPGM are not explicitly specified, the defaults are taken for these fields.
SET PROFILE(USER) DIV(OMVS)
INSERT OMVSUSR UID(0)
The userid doing the install must also have read access to the FACILITY class resources BPX.FILEATTR.APF and BPX.FILEATTR.PROGCTL (or BPX.FILEATTR.- if you choose to use a generic rule entry for both resources). The following examples show both methods of granting access to the required FACILITY class resources. Choose the one best suited to your site's security policy:
$KEY(BPX) TYPE(FAC)
FILEATTR.APF UID(user's_uid) SERVICE(READ) ALLOW
FILEATTR.PROGCTL UID(user's_uid) SERVICE(READ) ALLOW
Or, if you choose to use a generic rule entry:
$KEY(BPX) TYPE(FAC)
FILEATTR.- UID(user's_uid) SERVICE(READ) ALLOW
For details on ServerPac and SystemPac see the CA ACF2 for z/OS Administration Guide, Chapter 22: z/OS UNIX System Services Support, section 'ServerPac and SystemPac Security Requirements'.