What external security privileges are required for the OPS/MVS RESTful Web Services started task (OPSWS)?
Generally, the OPSWS task does not need any other privileges if it runs as user ID zero (UID 0). However, if you do not want OPSWS to run as UID 0, an alternative is to define the server to use thread-level security through BPX.SERVER and BPX.SUPERUSER.
External Security recommendations:
RACF
If your site has defined and activated the BPX.SERVER or BPX.DAEMON facilities, you need to define OPSWS to RACF as follows:
• TSO PERMIT BPX.SERVER CLASS(FACILITY) ID(OPSWS) ACCESS(READ)
• TSO PERMIT BPX.SUPERUSER ID(OPSWS) CLASS(FACILITY) ACCESS(READ)
TOP SECRET
Here are the Top Secret (TSS) commands for the alternative BPX.SERVER and BPX.SUPERUSER:
• TSS PER(OPSWS) IBMFAC(BPX.SERVER) ACC(READ)
• TSS PER(OPSWS) IBMFAC(BPX.SUPERUSER) ACC(READ)
If you use TOP SECRET, you must define a master facility (MASTFAC) for the Tomcat Server started task. If the started task does not have a MASTFAC, you need to add one. Once you define the facility facname, add it as a MASTFAC to the Tomcat Server region acid:
• TSS ADD(acid) MASTFAC(facname)
You must also add this facility to the users that need access, using TSS ADD(acid) FAC(facname), where acid is the user acid, an attached profile, or the ALL record if all users should have access.
ACF2
Here are the equivalent ACF2 definitions for the alternative BPX.SERVER and BPX.SUPERUSER:
• SET RESOURCE(FAC)
• RECKEY BPX ADD( SERVER UID(uid string for OPSWS) SERVICE(READ) ALLOW)
• RECKEY BPX ADD( SUPERUSER UID(uid string for OPSWS) SERVICE(READ) ALLOW)
• F ACF2,REBUILD(FAC)
The recommendations to run Tomcat with BPX.DAEMON and BPX.SUPERUSER were derived from the Apache and IBM documentation. OPS/MVS does not need them directly.
Reference in the OPS/MVS documentation: