What are the RACF requirements for the userid assigned to the CA Chorus Software Manager MSMTC task if not assigned a UID(0)?

book

Article ID: 38123

calendar_today

Updated On:

Products

CA Mainframe Software Manager (Chorus Software Manager)

Issue/Introduction

Question: 

After following the documented procedure to set up the CA CSM Userid for RACF without UID(0), the MSMTC task is failing with this error upon startup:
ICH408I USER(MSMUSR) GROUP(MSMGRP) NAME(MSM STC USERID)
CL(MSOBJ)
INSUFFICIENT AUTHORITY TO MOUNTSETUID
EFFECTIVE UID(000000027) GID(0000000277)

Did I miss something? 

Answer:

To ensure that CA CSM can run without a UID(0), the following requirements need to be met:

  • The CA CSM user ID that is associated with the CA CSM application server must have a UID other than 0
  • The first user to log in to CA CSM must have a UID other than 0
    • The LIWK directory and the mount point are created using the user ID of the first user instead of the CA_CSM_USER_ID

Once the prerequisites are met, and the installation of CA CSM is complete, follow these steps for RACF:

  • Create a group with a GID definition, for example CACSMGRP in your security system, and specify CACSMGRP to be the default group for the CA CSM user ID and each CA CSM user
  • Change the owner and the group by issuing the following commands under SUPERUSER authority:
    chown -R CA_CSM_USER_ID MSMPATHchgrp -R CACSMGRP MSMPATHchown -R CA_CSM_USER_ID MountPathchgrp -R CACSMGRP MountPathchown -R CA_CSM_USER_ID RunTimeUSSPathchgrp -R CACSMGRP RunTimeUSSPath

    where MSMPATH, MountPath, and RunTimeUSSPath are values that are referenced in the MSMSetupOptionsFile.properties file.

    Note: When you issue the commands for RunTimeUSSPath, the following message can appear:

    EDC5129I No such file or directory

    This message is issued against the ioeagfmt file and does not affect command completion in any way. You can ignore this message.

    Important! Also, issue these commands after you run the MSMDEPLY job.

  • In the FACILITY resource class, define the following profiles with access rights to the CA CSM user id:
    BPX.CONSOLE            UPDATEBPX.SERVER             UPDATEBPX.FILEATTR.APF       READBPX.FILEATTR.PROGCTL   READBPX.FILEATTR.SHARELIB  READ

 

  • In the UNIXPRIV resource class, define the following profiles with access rights to the CA CSM user ID:
    SUPERUSER.FILESYS.CHANGEPERMS   READSUPERUSER.FILESYS.MOUNT         UPDATESUPERUSER.FILESYS.PFSCTL        READ
  • In the SERVAUTH resource class, define the following profiles with access rights to the CA CSM user ID:
    EZB.FTP          READEZB.STACKACCESS  READ
  • After the first task within CA CSM finishes, issue the following commands under SUPERUSER authority:
    chown -R CA_CSM_USER_ID MountPathchgrp -R CACSMGRP MountPath

    where MountPath is a value that is referenced in the MSMSetupOptionsFile.properties file

  • After the RACF updates are completed, be sure to issue the SETR REFRESH RACLIST(UNIXPRIV) to refresh the UNIXPRIV class before Tomcat initializes

 

Additional Information:

The steps detailed above are found in the following documentation:

 

 

 

 

 

 

Environment

Release:
Component: MSM