Implement REXX Server With Top Secret
Article ID: 46377
Updated On:
Products
Issue/Introduction
This technical document attempts to describe how to implement REXX Server with Top Secret.
Environment
Component:
Resolution
Below are the instructions for setting up REXX.
1) Define an AXR facility like it follows:
TSS9550I FACILITY DISPLAY FOR AXR
TSS9551I INITPGM=AXR ID=21 TYPE=099
TSS9552I ATTRIBUTES=IN-USE,ACTIVE,SHRPRF,ASUBM,NOABEND,MULTIUSER,NOXDEF
TSS9552I ATTRIBUTES=LUMSG,STMSG,SIGN(M),INSTDATA,RNDPW,AUTHINIT
TSS9552I ATTRIBUTES=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC,LCFTRANS
TSS9552I ATTRIBUTES=MSGLC,NOTRACE,NOEODINIT,IJU,NODORMPW,NONPWR
TSS9552I ATTRIBUTES=LUUPD
TSS9553I MODE=FAIL DOWN=GLOBAL LOGGING=INIT,SMF,MSG,SEC9
TSS9554I UIDACID=8 LOCKTIME=000 DEFACID=*NONE* KEY=8
TSS9566I MAXUSER=03000 PRFT=003
TSS0300I MODIFY FUNCTION SUCCESSFUL
2) Create acids: AXR and AXRUSER:
/*ARCHIVE AXR STORED mm/dd/yy-hh.mm.ss BY aaaaaaa ON ssss
/*Please edit any CREATE commands by adding a PASSWORD keyword to the command
TSS CREATE(AXR) NAME('REXX USER') TYPE(USER) DEPT(dept)
TSS ADDTO(AXR) GROUP(OMVSGRP)
TSS ADDTO(AXR) NODSNCHK NORESCHK
TSS ADDTO(AXR) MASTFAC(AXR)
TSS ADDTO(AXR) FACILITY(STC)
TSS ADDTO(AXR) UID(0000000000)
TSS ADDTO(AXR) HOME(/u/axr)
TSS ADDTO(AXR) OMVSPGM(/bin/sh)
TSS ADDTO(AXR) DFLTGRP(OMVSGRP)
/*ARCHIVE AXRUSER STORED mm/dd/yy-hh.mm.ss BY aaaaaaa ON ssss
/*Please edit any CREATE commands by adding a PASSWORD keyword to the command
TSS CREATE(AXRUSER) NAME('REXX USER') TYPE(USER) DEPT(dept)
TSS ADDTO(AXRUSER) GROUP(OMVSGRP)
TSS ADDTO(AXRUSER) NODSNCHK NORESCHK
TSS ADDTO(AXRUSER) FACILITY(AXR,STC)
TSS ADDTO(AXRUSER) UID(0000000000)
TSS ADDTO(AXRUSER) HOME(/u/axruser)
TSS ADDTO(AXRUSER) OMVSPGM(/bin/sh)
TSS ADDTO(AXRUSER) DFLTGRP(OMVSGRP)
3) Add STCs to the STC records:
STC = AXR ACID = AXR
STC = AXR* ACID = AXRUSER
4) In PROCLIB have:
BROWSE Your.PROCLIB(AXRPSTRT)
********************************* Top of Data
//AXRPSTRT PROC
//AXRPSTRT EXEC PGM=AXRINSTR,TIME=NOLIMIT
// PEND
You also must have Your.PROCLIB(AXRNN)
********************************* Top of Data
//AXRNN PROC
// EXEC PGM=AXRRXTSS
5) In SYS1.PARMLIB, have members AXR00 and CTIAXR00:
/********************************************************************/
/* THIS IS A SAMPLE AXR00 MEMBER OF SYS1.PARMLIB */
/* */
/* THIS MEMBER ILLUSTRATES THE SYNTAX OF THE CPF AND */
/* AXRUSER KEYWORDS. */
/* */
/* NEW WITH z/OS 1.9 */
/* */
/* NOTE: */
/* */
/* THIS SAMPLIB MEMBER IS ONLY AN EXAMPLE. THE DATA */
/* REPRESENTED ON EACH STATEMENT IS NOT NECESSARILY THE */
/* IBM-SUPPLIED VALUES. */
/* AN INSTALLATION MAY USE THIS MEMBER JUST AS A SAMPLE, AND */
/* MODIFY IT ACCORDING TO THEIR NEEDS. */
/* */
/********************************************************************/
CPF('REXX&SYSCLONE.',SYSPLEX) /* Defines REXXnn as a sysplex
wide cpf value */
AXRUSER(AXRUSER) /* ?AXREXX security=axruser results in the
exec running in a security environment
defined by the userid AXRUSER */
/* ================================================================ */
/* */
/* PROPRIETARY STATEMENT= */
/* LICENSED MATERIALS - PROPERTY OF IBM */
/* 5694-A01 (C) COPYRIGHT IBM CORP. 2006 */
/* */
/* STATUS = HBB77BR */
/* */
/* *01* EXTERNAL CLASSIFICATION: NONE */
/* *01* END OF EXTERNAL CLASSIFICATION: */
/* */
/* FUNCTION: CTIAXR00 is used to define the AXR trace options */
/* at trace startup. */
/* This is COMP=SYSAXR */
/* */
/* --------------------------------------------------------------------------------------------------------------------- */
/* */
/* CHANGE ACTIVITY: */
/* */
/* PRODUCTS= */
/* $L0= AXR HBB77BR 060715 PDCS: AXR */
/* */
/* */
/* --------------------------------------------------------------------------------------------------------------------- */
/* DEFAULT CTIAXR00 MEMBER*/
/* ================================================================ */
TRACEOPTS
/* --------------------------------------------------------------------------------------------------------------------- */
/* ON OR OFF: PICK ONE */
/* CAUTION: IF YOU USE "OFF", MAKE SURE THAT ALL SUBSEQUENT */
/* LINES ARE COMMENTED OUT OR DELETED. */
/* --------------------------------------------------------------------------------------------------------------------- */
ON
OPTIONS('ERROR')
/* --------------------------------------------------------------------------------------------------------------------- */
/* BUFSIZE: A VALUE IN RANGE 16K TO 4M */
/* --------------------------------------------------------------------------------------------------------------------- */
BUFSIZE(4M)
6) Special note:
When a System REXX PROC is invoked via the AXREXX macro, the user can code SECURITY={BYAXRUSER|BYUTOKEN}, with SECURITY=BYUTOKEN being the default.
- If SECURITY=BYAXRUSER, then the REXX PROC runs under the accessor ID specified by the AXRUSER(...) operand in member AXR00 in the MVS PARMLIB concatenation (See Item #5). This accessor ID must have teh CA Top Secret facility AXR.
- If SECURITY=BYUTOKEN, then the REXX PROC runs under the accessor ID of the invoker or of the accessor ID identified by the token specified by the UTOKEN=utoken parameter. This accessor ID must have the CA Top Secret facility AXR.
- If the AXRUSER(...) operand is the same as the accessor ID associated with the eight (8) AXRnn STCs, so this accessor ID must have both the CA Top Secret facilities AXR and STC.
7) AXR is started by the master scheduler at IPL time, so you have to recycle it:
FORCE AXR,ARM
S AXRPSTRT
8) The REXX lib by default is SYS1.SAXREXEC then issue at the console:
F AXR,SR,ST
It will display your REXX server status
*** End Of Data ***
Feedback
