Zowe: Create the z/OS security definitions

The Zowe documentation for security definitions is here. I consider the documentation dangerous, as it defines some global profiles which can affect other address spaces and change their behaviour.

Before you start

You need to know

  • Which userid you want the main Zowe started tasks to run under.
  • Which user you want the cross memory server to run under.
  • The name of an admin group these userids will be a member of. You can connect your existing userids to this group to make them administrators.
  • The name of the started task for Zowe, and for the cross memory server.
  • The name of the Zowe APF authorised data set.

System wide definitions

If you use RACF you need the following RACF profiles defined; they may already be defined, so list them first:

SETROPTS LIST
RLIST FACILITY BPX.SERVER ALL
RLIST FACILITY BPX.DAEMON ALL
RLIST FACILITY BPX.JOBNAME ALL
RLIST FACILITY IRR.RUSERMAP ALL
RLIST FACILITY IRR.RAUDITX ALL
RLIST FACILITY IRR.IDIDMAP.QUERY ALL
/* this is optional */
RLIST APPL OMVSAPPL ALL

If you are missing the BPX.SERVER or the BPX.DAEMON profiles, then you need to carefully test your existing applications, because their behaviour may change when these profiles are defined.

/* permit Zowe main server to create a user's security environment */
/* ATTENTION: Defining the BPX.DAEMON or BPX.SERVER profile makes */
/* z/OS UNIX switch to z/OS UNIX level security. This is */
/* more secure, but it can impact operation of existing */
/* applications. Test this thoroughly before activating */
/* it on a production system. */
RDEFINE FACILITY BPX.DAEMON UACC(NONE)

RDEFINE FACILITY BPX.SERVER UACC(NONE)

/* permit Zowe main server to set job name */
RDEFINE FACILITY BPX.JOBNAME UACC(NONE)

/* permit Zowe main server to use client certificate mapping service */
RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)

/* permit Zowe main server to use distributed identity mapping */
/* service */
RDEFINE FACILITY IRR.IDIDMAP.QUERY UACC(NONE)

/* permit Zowe main server to cut SMF records */
RDEFINE FACILITY IRR.RAUDITX UACC(NONE)

SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH

Userid and group definitions

You need to have a userid to run the Zowe started tasks. Zowe also defines a different userid for the ZIS cross memory server. It is not clear to me why this is needed.

The userids need an admin group.

The definitions provided by Zowe for the userids ZWESVUSR and ZWESIUSR, and for the admin group, are:

/* - The sample commands assume automatic generation of GID is */
/* enabled. */

/* group for administrators */
/* replace AUTOGID with GID(&ADMINGID.) if AUTOGID not enabled */
LISTGRP ZWEADMIN OMVS
ADDGROUP ZWEADMIN OMVS(AUTOGID) -
DATA('ZOWE ADMINISTRATORS')

/* uncomment to add existing user IDs to the ADMINGRP group */
/* CONNECT (userid,userid,...) - */
/* GROUP(ZWEADMIN) AUTH(USE) */

/* userid for ZOWE main server */
/* replace AUTOUID with UID(&ZOWEUID.) if AUTOUID not enabled */
LISTUSER ZWESVUSR OMVS
ADDUSER ZWESVUSR -
NOPASSWORD -
DFLTGRP(ZWEADMIN) -
OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) -
NAME('ZOWE SERVER') -
DATA('ZOWE MAIN SERVER')
/* userid for ZIS cross memory server */
/* replace AUTOUID with UID(&ZISUID.) if AUTOUID not enabled */
LISTUSER ZWESIUSR OMVS
ADDUSER ZWESIUSR -
NOPASSWORD -
DFLTGRP(ZWEADMIN) -
OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) -
NAME('ZOWE ZIS SERVER') -
DATA('ZOWE ZIS CROSS MEMORY SERVER')

/* show results .................................................... */
LISTGRP ZWEADMIN OMVS
LISTUSER ZWESVUSR OMVS
LISTUSER ZWESIUSR OMVS

Create a profile to protect the APF data set

LISTDSD PREFIX(IBMUSER.ZWEV3A) ALL
ADDSD 'IBMUSER.ZWEV3A.*.**' UACC(READ) -
DATA('Zowe')
PERMIT 'IBMUSER.ZWEV3A.*.**' CLASS(DATASET) -
ACCESS(ALTER) ID(ZWEADMIN)

SETROPTS GENERIC(DATASET) REFRESH

/* show results .................................................... */
LISTDSD DATASET('IBMUSER.ZWEV3A.*.**') ALL
LISTDSD PREFIX(IBMUSER.ZWEV3A) ALL

Create the definitions for the started tasks

/* started task for ZOWE main server */
RLIST STARTED ZWESLSTC* ALL STDATA
/* RDELETE STARTED ZWESLSTC* */
RDEFINE STARTED ZWESLSTC* -
STDATA(USER(ZWESVUSR) -
GROUP(ZWEADMIN) -
TRUSTED(NO)) DATA('ZOWE MAIN SERVER')

/* started task for ZIS cross memory server */
RLIST STARTED ZWESISTC* ALL STDATA
/* RDELETE STARTED ZWESISTC* */
RDEFINE STARTED ZWESISTC* -
STDATA(USER(ZWESIUSR) -
GROUP(ZWEADMIN) -
TRUSTED(NO)) DATA('ZOWE ZIS CROSS MEMORY SERVER')

/* started task for ZIS Auxiliary cross memory server */
RLIST STARTED ZWESASTC* ALL STDATA
/* RDELETE STARTED ZWESASTC* */
RDEFINE STARTED ZWESASTC* -
STDATA(USER(ZWESIUSR) -
GROUP(ZWEADMIN) -
TRUSTED(NO)) DATA('ZOWE ZIS AUX CROSS MEMORY SERVER')

SETROPTS RACLIST(STARTED) REFRESH

RLIST STARTED ZWESLSTC* ALL STDATA
RLIST STARTED ZWESISTC* ALL STDATA
RLIST STARTED ZWESASTC* ALL STDATA

Define a profile and permissions for the cross memory server

/* DEFINE ZIS SECURITY RESOURCES ................................... */

/* define ZIS security profile */
RLIST FACILITY ZWES.IS ALL
RDEFINE FACILITY ZWES.IS UACC(NONE)

/* DEFINE AUX SERVER PERMISSIONS ................................... */

/* permit AUX STC to use ZIS cross memory server */
PERMIT ZWES.IS CLASS(FACILITY) ACCESS(READ) -
ID(ZWESIUSR)
SETROPTS RACLIST(FACILITY) REFRESH

/* DEFINE ZOWE SERVER PERMISSIONS .................................. */

/* permit Zowe main server to use ZIS cross memory server */
PERMIT ZWES.IS CLASS(FACILITY) ACCESS(READ) -
ID(ZWESVUSR)
SETROPTS RACLIST(FACILITY) REFRESH

Define other profiles

/* permit Zowe main server to create a user's security environment */
/* comment out the following 2 lines if the OMVSAPPL is not defined */
/* in your environment */
PERMIT OMVSAPPL CLASS(APPL) ID(ZWESVUSR) -
ACCESS(READ)
SETROPTS RACLIST(APPL) REFRESH

PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) -
ID(ZWESVUSR)

/* permit Zowe main server to use distributed identity mapping */
/* service */
PERMIT IRR.IDIDMAP.QUERY CLASS(FACILITY) ACCESS(READ) -
ID(ZWESVUSR)

/* permit Zowe main server to cut SMF records */
PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) -
ID(ZWESVUSR)

Define another profile

/* DEFINE ZOWE RESOURCE PROTECTION ................................. */

/* - Defines resource APIML.SERVICES that controls access to */
/* detailed information about API services to Zowe users. */

/* define resource for information about API services */
RDEFINE ZOWE APIML.SERVICES UACC(NONE)

/* uncomment and replace "user" to permit Zowe users to access */
/* the resource: */
/* PERMIT APIML.SERVICES CLASS(ZOWE) ID(user) ACCESS(READ) */

/* show results */
RLIST ZOWE *
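The definitions above are typed into TSO in order, and a few mistakes are easy to make and hard to spot afterwards: an unclosed /* comment swallows every command after it, a PERMIT or RDEFINE in a RACLISTed class does nothing until the class is refreshed, and a STARTED profile can name a userid that was never created. The following Python script is an added example (it is not Zowe's code and not from the post) that checks a RACF command stream for those invariants before the stream is run. The sample stream inside it is constructed from the commands in this post; the set of RACLISTed classes and the rules themselves are assumptions chosen to suit these definitions.

```python
"""Static checks over a RACF command stream, as an added example (not from
the post or from Zowe). Rules are assumptions chosen for the definitions in
the post: FACILITY/ZOWE RDEFINEs state UACC(NONE); STARTED profiles have
TRUSTED(NO) and a USER created by an ADDUSER in the stream; every PERMIT
ID(...) is a user/group the stream creates; the APF library ADDSD states
UACC explicitly, no higher than READ; a RACLISTed class that is changed is
refreshed with SETROPTS RACLIST(cls) REFRESH after its last change."""
import re

RACLISTED = {"FACILITY", "STARTED", "APPL"}  # assumption: classes RACLISTed on this system
COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Constructed sample mirroring the post's commands; the final PERMIT sits after
# the last FACILITY refresh, as it does in the post.
SAMPLE = """\
RDEFINE FACILITY BPX.DAEMON UACC(NONE)
RDEFINE FACILITY BPX.SERVER UACC(NONE)
RDEFINE FACILITY ZWES.IS UACC(NONE)
RDEFINE ZOWE APIML.SERVICES UACC(NONE)
/* group and userids */
ADDGROUP ZWEADMIN OMVS(AUTOGID) DATA('ZOWE ADMINISTRATORS')
ADDUSER ZWESVUSR NOPASSWORD DFLTGRP(ZWEADMIN) -
   OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) NAME('ZOWE SERVER')
ADDUSER ZWESIUSR NOPASSWORD DFLTGRP(ZWEADMIN) -
   OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) NAME('ZOWE ZIS SERVER')
ADDSD 'IBMUSER.ZWEV3A.*.**' UACC(READ) DATA('Zowe')
PERMIT 'IBMUSER.ZWEV3A.*.**' CLASS(DATASET) ACCESS(ALTER) ID(ZWEADMIN)
RDEFINE STARTED ZWESLSTC* STDATA(USER(ZWESVUSR) GROUP(ZWEADMIN) TRUSTED(NO))
RDEFINE STARTED ZWESISTC* STDATA(USER(ZWESIUSR) GROUP(ZWEADMIN) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH
PERMIT ZWES.IS CLASS(FACILITY) ACCESS(READ) ID(ZWESIUSR)
PERMIT ZWES.IS CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR)
SETROPTS RACLIST(FACILITY) REFRESH
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR)
"""

def logical_commands(text):
    """Upper-cased logical commands: comments stripped, trailing '-' continuations
    joined. An unclosed /* is an error; RACF would treat the rest of the stream
    as comment and silently skip those commands."""
    stripped = COMMENT.sub(" ", text)
    if "/*" in stripped:
        raise ValueError("unclosed /* comment in command stream")
    cmds, buf = [], []
    for raw in stripped.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("-"):
            buf.append(line[:-1].rstrip())
            continue
        cmds.append(" ".join(buf + [line]).upper())
        buf = []
    if buf:
        raise ValueError("continuation '-' on the last line")
    return cmds

def _kw(cmd, name):
    """Value of a simple keyword operand such as UACC(NONE); None if absent."""
    m = re.search(r"\b%s\(([^()]*)\)" % name, cmd)
    return m.group(1).strip() if m else None

def check(text):
    """Return the list of findings (empty means every rule held)."""
    cmds = [c.split() for c in logical_commands(text)]
    defined = {t[1] for t in cmds if t[0] in ("ADDUSER", "ADDGROUP")}
    last_change, last_refresh, findings = {}, {}, []
    for i, tok in enumerate(cmds):
        c, verb = " ".join(tok), tok[0]
        if verb == "RDEFINE":
            cls, name = tok[1], tok[2]
            last_change[cls] = i
            if cls in ("FACILITY", "ZOWE") and _kw(c, "UACC") != "NONE":
                findings.append(f"{cls} {name}: UACC must be NONE")
            if cls == "STARTED" and _kw(c, "TRUSTED") != "NO":
                findings.append(f"STARTED {name}: TRUSTED(NO) missing")
            if cls == "STARTED" and _kw(c, "USER") not in defined:
                findings.append(f"STARTED {name}: STDATA USER not created in this stream")
        elif verb == "PERMIT":
            last_change[_kw(c, "CLASS") or "DATASET"] = i
            for who in (_kw(c, "ID") or "").replace(",", " ").split():
                if who not in defined:
                    findings.append(f"PERMIT {tok[1]}: ID {who} not created in this stream")
        elif verb == "ADDSD":
            uacc = _kw(c, "UACC")
            if uacc is None or uacc not in ("NONE", "READ"):
                findings.append(f"ADDSD {tok[1]}: state UACC explicitly as NONE or READ")
        elif verb == "SETROPTS" and "REFRESH" in tok:
            for cls in (_kw(c, "RACLIST") or "").replace(",", " ").split():
                last_refresh[cls] = i
    # a change to a RACLISTed class is not in effect until the class is refreshed
    for cls, i in last_change.items():
        if cls in RACLISTED and last_refresh.get(cls, -1) < i:
            findings.append(f"{cls}: SETROPTS RACLIST({cls}) REFRESH needed after its last change")
    return findings

if __name__ == "__main__":
    for f in check(SAMPLE) or ["no findings"]:
        print(f)
```

On the constructed sample the only finding is the missing FACILITY refresh after the last PERMIT. That mirrors the "Define other profiles" section of this post, where the IRR.RUSERMAP, IRR.IDIDMAP.QUERY and IRR.RAUDITX permits follow the last SETROPTS RACLIST(FACILITY) REFRESH; with the FACILITY class RACLISTed, those permits are not in effect until the class is refreshed again.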

z/OSMF changes

Same origin policy. Wikipedia says the same-origin policy (SOP) is a concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

A REST request going from Zowe to z/OSMF is a cross-origin request, so cross-origin resource sharing (CORS) has to be enabled in z/OSMF.

The z/OSMF documentation says

Enabling cross-origin resource sharing (CORS) for REST services

Your installation can allow browser applications from certain, trusted sites to access z/OSMF REST services on the host system. If so, you must enable cross-origin resource sharing (CORS) on the host system. This work involves creating an “allow list” of exceptions (the trusted sites), and enabling those exceptions in your external security manager.

Identify which sites are to be allowed, and which REST interfaces are to be made available for cross-site access. Then, work with your security administrator to create the appropriate authorizations in your external security manager. In a RACF installation, for example, define generic or discrete profiles for the remote sites in the ZMFAPLA class, and permit the profiles to the z/OSMF REST interfaces.

For example

RDEFINE ZMFAPLA IZUDFLT.REST.JOBS.COM.IBM.LAB2 UACC(NONE)

Zowe Explorer access

A userid that uses Zowe Explorer to access z/OSMF needs

  • Access to the ISPF procedure
  • Access to the TSO account number
  • READ access to CSFRNGL in class CSFSERV
