diff --git a/bin/commands/init/mvs/index.sh b/bin/commands/init/mvs/index.sh
index fb1913442c..af2bf5dea1 100644
--- a/bin/commands/init/mvs/index.sh
+++ b/bin/commands/init/mvs/index.sh
@@ -117,7 +117,7 @@ else
else
print_message "JCL not submitted, command run with dry run flag."
print_message "To perform command, re-run command without dry run flag, or submit the JCL directly"
- print_level2_message "Zowe custom data sets are initialized successfully."
+ print_level2_message "Command run successfully."
rm $jcl_file
fi
fi
diff --git a/bin/commands/init/security/index.sh b/bin/commands/init/security/index.sh
index b0d2c48551..329c1a4099 100644
--- a/bin/commands/init/security/index.sh
+++ b/bin/commands/init/security/index.sh
@@ -13,9 +13,6 @@
print_level1_message "Run Zowe security configurations"
-###############################
-# constants
-
###############################
# validation
require_zowe_yaml
@@ -25,118 +22,86 @@ prefix=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.dataset.prefix")
if [ -z "${prefix}" ]; then
print_error_and_exit "Error ZWEL0157E: Zowe dataset prefix (zowe.setup.dataset.prefix) is not defined in Zowe YAML configuration file." "" 157
fi
+security_product=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.product")
+if [ -z "${security_product}" ]; then
+ print_error_and_exit "Error ZWEL0157E: (zowe.setup.security.product) is not defined in Zowe YAML configuration file." "" 157
+fi
+
# read JCL library and validate
jcllib=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.dataset.jcllib")
-if [ -z "${jcllib}" ]; then
- print_error_and_exit "Error ZWEL0157E: Zowe custom JCL library (zowe.setup.dataset.jcllib) is not defined in Zowe YAML configuration file." "" 157
+does_jcl_exist=$(is_data_set_exists "${jcllib}(ZWEI${security_product})")
+if [ "${does_jcl_exist}" = "false" ]; then
+ zwecli_inline_execute_command init generate
fi
-security_product=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.product")
-if [ -z "${security_product}" ]; then
- security_product=RACF
+does_jcl_exist=$(is_data_set_exists "${jcllib}(ZWEI${security_product})")
+if [ "${does_jcl_exist}" = "false" ]; then
+ print_error_and_exit "Error ZWEL0999E: ${jcllib}(ZWEI${security_product}) does not exist, cannot run. Run 'zwe init', 'zwe init generate', or submit JCL ${prefix}.SZWESAMP(ZWEGENER) before running this command." "" 999
fi
+
+
+
security_groups_admin=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.groups.admin")
if [ -z "${security_groups_admin}" ]; then
- security_groups_admin=${ZWE_PRIVATE_DEFAULT_ADMIN_GROUP}
+ print_error_and_exit "Error ZWEL0157E: (zowe.setup.security.groups.admin) is not defined in Zowe YAML configuration file." "" 157
fi
security_groups_stc=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.groups.stc")
if [ -z "${security_groups_stc}" ]; then
- security_groups_stc=${ZWE_PRIVATE_DEFAULT_ADMIN_GROUP}
+ print_error_and_exit "Error ZWEL0157E: (zowe.setup.security.groups.stc) is not defined in Zowe YAML configuration file." "" 157
fi
security_groups_sysProg=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.groups.sysProg")
if [ -z "${security_groups_sysProg}" ]; then
- security_groups_sysProg=${ZWE_PRIVATE_DEFAULT_ADMIN_GROUP}
+ print_error_and_exit "Error ZWEL0157E: (zowe.setup.security.groups.sysProg) is not defined in Zowe YAML configuration file." "" 157
fi
security_users_zowe=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.users.zowe")
if [ -z "${security_users_zowe}" ]; then
- security_users_zowe=${ZWE_PRIVATE_DEFAULT_ZOWE_USER}
+ print_error_and_exit "Error ZWEL0157E: (zowe.setup.security.users.zowe) is not defined in Zowe YAML configuration file." "" 157
fi
security_users_zis=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.users.zis")
if [ -z "${security_users_zis}" ]; then
- security_users_zis=${ZWE_PRIVATE_DEFAULT_ZIS_USER}
+ print_error_and_exit "Error ZWEL0157E: (zowe.setup.security.users.zis) is not defined in Zowe YAML configuration file." "" 157
fi
security_stcs_zowe=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.stcs.zowe")
if [ -z "${security_stcs_zowe}" ]; then
- security_stcs_zowe=${ZWE_PRIVATE_DEFAULT_ZOWE_STC}
+ print_error_and_exit "Error ZWEL0157E: (zowe.setup.security.stcs.zowe) is not defined in Zowe YAML configuration file." "" 157
fi
security_stcs_zis=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.stcs.zis")
if [ -z "${security_stcs_zis}" ]; then
- security_stcs_zis=${ZWE_PRIVATE_DEFAULT_ZIS_STC}
+ print_error_and_exit "Error ZWEL0157E: (zowe.setup.security.stcs.zis) is not defined in Zowe YAML configuration file." "" 157
fi
security_stcs_aux=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.security.stcs.aux")
if [ -z "${security_stcs_aux}" ]; then
- security_stcs_aux=${ZWE_PRIVATE_DEFAULT_AUX_STC}
+ print_error_and_exit "Error ZWEL0157E: (zowe.setup.security.stcs.aux) is not defined in Zowe YAML configuration file." "" 157
fi
-###############################
-# prepare ZWESECUR JCL
-print_message "Modify ZWESECUR"
-tmpfile=$(create_tmp_file $(echo "zwe ${ZWE_CLI_COMMANDS_LIST}" | sed "s# #-#g"))
-tmpdsm=$(create_data_set_tmp_member "${jcllib}" "ZW$(date +%H%M)")
-print_debug "- Copy ${prefix}.${ZWE_PRIVATE_DS_SZWESAMP}(ZWESECUR) to ${tmpfile}"
-# cat "//'IBMUSER.ZWEV2.SZWESAMP(ZWESECUR)'" | sed "s/^\\/\\/ \\+SET \\+PRODUCT=.*\\$/\\/\\ SET PRODUCT=ACF2 * RACF, ACF2, or TSS/"
-result=$(cat "//'${prefix}.${ZWE_PRIVATE_DS_SZWESAMP}(ZWESECUR)'" | \
- sed "s/^\/\/ \+SET \+PRODUCT=.*\$/\/\/ SET PRODUCT=${security_product}/" | \
- sed "s/^\/\/ \+SET \+ADMINGRP=.*\$/\/\/ SET ADMINGRP=${security_groups_admin}/" | \
- sed "s/^\/\/ \+SET \+STCGRP=.*\$/\/\/ SET STCGRP=${security_groups_stc}/" | \
- sed "s/^\/\/ \+SET \+ZOWEUSER=.*\$/\/\/ SET ZOWEUSER=${security_users_zowe}/" | \
- sed "s/^\/\/ \+SET \+ZISUSER=.*\$/\/\/ SET ZISUSER=${security_users_zis}/" | \
- sed "s/^\/\/ \+SET \+ZOWESTC=.*\$/\/\/ SET ZOWESTC=${security_stcs_zowe}/" | \
- sed "s/^\/\/ \+SET \+ZISSTC=.*\$/\/\/ SET ZISSTC=${security_stcs_zis}/" | \
- sed "s/^\/\/ \+SET \+AUXSTC=.*\$/\/\/ SET AUXSTC=${security_stcs_aux}/" | \
- sed "s/^\/\/ \+SET \+HLQ=.*\$/\/\/ SET HLQ=${prefix}/" | \
- sed "s/^\/\/ \+SET \+SYSPROG=.*\$/\/\/ SET SYSPROG=${security_groups_sysProg}/" \
- > "${tmpfile}")
-code=$?
-chmod 700 "${tmpfile}"
-if [ ${code} -eq 0 ]; then
- print_debug " * Succeeded"
- print_trace " * Exit code: ${code}"
- print_trace " * Output:"
- if [ -n "${result}" ]; then
- print_trace "$(padding_left "${result}" " ")"
- fi
-else
- print_debug " * Failed"
- print_error " * Exit code: ${code}"
- print_error " * Output:"
- if [ -n "${result}" ]; then
- print_error "$(padding_left "${result}" " ")"
- fi
-fi
-if [ ! -f "${tmpfile}" ]; then
- print_error_and_exit "Error ZWEL0159E: Failed to modify ${prefix}.${ZWE_PRIVATE_DS_SZWESAMP}(ZWESECUR)" "" 159
-fi
-print_trace "- ensure ${tmpfile} encoding before copying into data set"
-ensure_file_encoding "${tmpfile}" "SPDX-License-Identifier"
-print_trace "- ${tmpfile} created, copy to ${jcllib}(${tmpdsm})"
-copy_to_data_set "${tmpfile}" "${jcllib}(${tmpdsm})" "" "${ZWE_CLI_PARAMETER_ALLOW_OVERWRITE}"
-code=$?
-print_trace "- Delete ${tmpfile}"
-rm -f "${tmpfile}"
-if [ ${code} -ne 0 ]; then
- print_error_and_exit "Error ZWEL0160E: Failed to write to ${jcllib}(${tmpdsm}). Please check if target data set is opened by others." "" 160
-fi
-print_message "- ${jcllib}(${tmpdsm}) is prepared"
-print_message
-###############################
-# submit job
+jcl_file=$(create_tmp_file)
+copy_mvs_to_uss "${jcllib}(ZWEI${security_product})" "${jcl_file}"
+jcl_contents=$(cat "${jcl_file}")
+
+print_message "Template JCL: ${prefix}.SZWESAMP(ZWEI${security_product}) , Executable JCL: ${jcllib}(ZWEI${security_product})"
+print_message "--- JCL Content ---"
+print_message "$jcl_contents"
+print_message "--- End of JCL ---"
+
job_has_failures=
if [ "${ZWE_CLI_PARAMETER_SECURITY_DRY_RUN}" = "true" ]; then
- print_message "Dry-run mode, security setup is NOT performed on the system."
- print_message "Please submit ${jcllib}(${tmpdsm}) manually."
+ print_message "JCL not submitted, command run with dry run flag."
+ print_message "To perform command, re-run command without dry run flag, or submit the JCL directly"
+ rm $jcl_file
else
- print_message "Submit ${jcllib}(${tmpdsm})"
- jobid=$(submit_job "//'${jcllib}(${tmpdsm})'")
+ ###############################
+ # submit job
+ print_message "Submitting Job ZWEI${security_product}"
+ jobid=$(submit_job "//'${jcllib}(ZWEI${security_product})'")
code=$?
if [ ${code} -ne 0 ]; then
job_has_failures=true
if [ "${ZWE_CLI_PARAMETER_IGNORE_SECURITY_FAILURES}" = "true" ]; then
- print_error "Warning ZWEL0161W: Failed to run JCL ${jcllib}(${tmpdsm})."
+ print_error "Warning ZWEL0161W: Failed to run JCL ${jcllib}(ZWEI${security_product})."
# skip wait for job status step
jobid=
else
- print_error_and_exit "Error ZWEL0161E: Failed to run JCL ${jcllib}(${tmpdsm})." "" 161
+ print_error_and_exit "Error ZWEL0161E: Failed to run JCL ${jcllib}(ZWEI${security_product})." "" 161
fi
fi
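Review bot: The empty-`jcllib` guard that the removed lines carried is gone, so with `zowe.setup.dataset.jcllib` unset the two `does_jcl_exist` probes and the later `submit_job` operate on `(ZWEI${security_product})` with no data set name in front of it, unless `is_data_set_exists` happens to reject that form; the check should stay in front of the first probe. The `copy_mvs_to_uss` call near the end of the hunk is not checked for a non-zero status (the removed `copy_to_data_set` path did capture `$?`), so a failed copy still prints an empty "JCL Content" block and goes on to submit the member. `rm $jcl_file` in the dry-run branch is an unquoted expansion, and nothing inside this hunk removes the temp file on the submit path — the rest of the script is outside the hunk, so it may be cleaned up further down. Since `security_product` now has no default and is spliced into a member name, it is also worth restricting it to the values the new sample members exist for (RACF, ACF2, TSS) before the first `is_data_set_exists` call.
```shell
jcllib=$(read_yaml "${ZWE_CLI_PARAMETER_CONFIG}" ".zowe.setup.dataset.jcllib")
if [ -z "${jcllib}" ]; then
  print_error_and_exit "Error ZWEL0157E: Zowe custom JCL library (zowe.setup.dataset.jcllib) is not defined in Zowe YAML configuration file." "" 157
fi
# … unchanged: ZWEI${security_product} existence probes, init generate, group/user/stc reads …
jcl_file=$(create_tmp_file)
copy_mvs_to_uss "${jcllib}(ZWEI${security_product})" "${jcl_file}"
code=$?
if [ ${code} -ne 0 ]; then
  rm -f -- "${jcl_file}"
  print_error_and_exit "Error ZWEL0159E: Failed to copy ${jcllib}(ZWEI${security_product}) to ${jcl_file}" "" 159
fi
# … unchanged: jcl_contents, JCL content messages, dry-run branch …
  rm -f -- "${jcl_file}"
```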
@@ -179,5 +144,5 @@ fi
if [ "${job_has_failures}" = "true" ]; then
print_level2_message "Failed to apply Zowe security configurations. Please check job log for details."
else
- print_level2_message "Zowe security configurations are applied successfully."
+ print_level2_message "Command run successfully."
fi
diff --git a/bin/commands/init/stc/index.sh b/bin/commands/init/stc/index.sh
index cbe43a04f7..6eeac595ba 100644
--- a/bin/commands/init/stc/index.sh
+++ b/bin/commands/init/stc/index.sh
@@ -108,7 +108,7 @@ else
else
print_message "JCL not submitted, command run with dry run flag."
print_message "To perform command, re-run command without dry run flag, or submit the JCL directly"
- print_level2_message "Zowe main started tasks are installed successfully."
+ print_level2_message "Command run successfully."
rm $jcl_file
fi
fi
diff --git a/bin/commands/init/vsam/index.sh b/bin/commands/init/vsam/index.sh
index 764035afba..ec0212ae68 100644
--- a/bin/commands/init/vsam/index.sh
+++ b/bin/commands/init/vsam/index.sh
@@ -115,6 +115,6 @@ if [ -z "${ZWE_CLI_PARAMETER_DRY_RUN}" ]; then
else
print_message "JCL not submitted, command run with dry run flag."
print_message "To perform command, re-run command without dry run flag, or submit the JCL directly"
- print_level2_message "Zowe Caching Service VSAM storage is created successfully."
+ print_level2_message "Command run successfully."
rm $jcl_file
fi
diff --git a/files/SZWESAMP/ZWEIACF2 b/files/SZWESAMP/ZWEIACF2
new file mode 100644
index 0000000000..c446614664
--- /dev/null
+++ b/files/SZWESAMP/ZWEIACF2
@@ -0,0 +1,267 @@
+//ZWEIACF2 JOB
+//*
+//* This program and the accompanying materials are made available
+//* under the terms of the Eclipse Public License v2.0 which
+//* accompanies this distribution, and is available at
+//* https://www.eclipse.org/legal/epl-v20.html
+//*
+//* SPDX-License-Identifier: EPL-2.0
+//*
+//* Copyright Contributors to the Zowe Project. 2018, 2020
+//*
+//*********************************************************************
+//*
+//* Zowe Open Source Project
+//* This JCL can be used to define security permits for Zowe
+//*
+//*
+//* CAUTION: This is neither a JCL procedure nor a complete job.
+//* Before using this JCL, you will have to make the following
+//* modifications:
+//*
+//* 1) Add job name and job parameters to the JOB statement, to
+//* meet your system requirements.
+//*
+//* 2) When not using AUTOUID and AUTOGID to assign z/OS UNIX UID
+//* and GID values, update the SET *ID= statements to match the
+//* desired UID and GID values.
+//*
+//* 3) Customize the commands in the DD statement that matches your
+//* security product so that they meet your system requirements.
+//*
+//* Note(s):
+//*
+//* 1. THE USER ID THAT RUNS THIS JOB MUST HAVE SUFFICIENT AUTHORITY
+//* TO ALTER SECURITY DEFINITONS
+//*
+//* 2. The sample ACF2 commands create ROLEs that match the group
+//* names. Due to permits assigned to the &STCGRP ROLE, it is
+//* advised to ensure this ROLE has a unique identifier.
+//*
+//* 3. The Zowe started task user ID 'zowe.setup.security.users.zowe'
+//* Writes persistent data to 'zowe.workspaceDirectory'
+//* This sample JCL makes the Zowe started task part of
+//* the Zowe admin group 'zowe.setup.security.groups.admin'
+//* to facilitate admin access to this directory.
+//*
+//* 4. This job WILL complete with return code 0.
+//* The results of each command must be verified after completion.
+//*
+//*********************************************************************
+// EXPORT SYMLIST=*
+//*
+//* The sample commands assume AUTOUID and AUTOGID are
+//* enabled. When this is not the case,
+//* provide appropriate (numeric) values to these SET commands.
+// SET ADMINGID= * Group ID for ZOWE administrators
+// SET STCGID=&ADMINGID. * Group ID for ZOWE started tasks
+// SET ZOWEUID= * UID for ZOWE started task User
+// SET ZISUID= * UID for ZIS started task User
+//*
+//* If using AUTOUID and AUTOGID, an AUTOIDOM GSO Record must exist.
+//*
+//*********************************************************************
+//*
+//* EXECUTE COMMANDS FOR SELECTED SECURITY PRODUCT
+//*
+//RUN EXEC PGM=IKJEFT01,REGION=0M
+//SYSTSPRT DD SYSOUT=*
+//SYSTSIN DD DDNAME=ACF2
+//ACF2 DD DATA,DLM=$$,SYMBOLS=JCLONLY
+ACF
+*
+* DEFINE ADMINISTRATORS ...........................................
+*
+* group for administrators
+* replace AUTOGID with GID(&ADMINGID.) if AUTOGID is not enabled
+*
+SET PROFILE(GROUP) DIV(OMVS)
+INSERT {zowe.setup.security.groups.admin}. AUTOGID
+F ACF2,REBUILD(GRP),CLASS(P)
+*
+* uncomment and customize to add an existing userid as administrator
+*
+* SET X(ROL)
+* INSERT {zowe.setup.security.groups.admin}. INCLUDE(userid) ROLE
+* F ACF2,NEWXREF,TYPE(ROL)
+*
+* DEFINE STARTED TASK .............................................
+*
+* comment out if STCGRP matches ADMINGRP (default), expect
+* warning messages otherwise
+* group for started tasks
+* replace AUTOGID with GID(&STCGID.) if AUTOGID is not enabled
+*
+SET PROFILE(GROUP) DIV(OMVS)
+INSERT {zowe.setup.security.groups.stc}. AUTOGID
+F ACF2,REBUILD(GRP),CLASS(P)
+*
+*****
+*
+* userid for ZOWE main server
+* replace AUTOUID with UID(&ZOWEUID.) if AUTOUID is not enabled
+*
+SET LID
+INSERT {zowe.setup.security.users.zowe}. +
+ STC GROUP({zowe.setup.security.groups.stc}.)
+SET PROFILE(USER) DIV(OMVS)
+INSERT {zowe.setup.security.users.zowe}. +
+ AUTOUID HOME(/tmp) OMVSPGM(/bin/sh)
+F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS)
+*
+* userid for ZIS cross memory server
+* replace AUTOUID with UID(&ZISUID.) if AUTOUID is not enabled
+*
+SET LID
+INSERT {zowe.setup.security.users.zis}. +
+ STC GROUP({zowe.setup.security.groups.stc}.)
+SET PROFILE(USER) DIV(OMVS)
+INSERT {zowe.setup.security.users.zis}. +
+ AUTOUID HOME(/tmp) OMVSPGM(/bin/sh)
+F ACF2,REBUILD(USR),CLASS(P),DIVISION(OMVS)
+*
+*****
+*
+* started task for ZOWE main server
+*
+SET CONTROL(GSO)
+INSERT STC.{zowe.setup.security.stcs.zowe}. +
+ LOGONID({zowe.setup.security.users.zowe}.) +
+GROUP({zowe.setup.security.groups.stc}.) +
+STCID({zowe.setup.security.stcs.zowe}.)
+F ACF2,REFRESH(STC)
+*
+* started task for ZIS cross memory server
+*
+SET CONTROL(GSO)
+INSERT STC.{zowe.setup.security.stcs.zis}. +
+ LOGONID({zowe.setup.security.users.zis}.) +
+GROUP({zowe.setup.security.groups.stc}.) +
+STCID({zowe.setup.security.stcs.zis}.)
+F ACF2,REFRESH(STC)
+*
+* started task for ZIS Auxiliary cross memory server
+*
+SET CONTROL(GSO)
+INSERT STC.{zowe.setup.security.stcs.aux}. +
+ LOGONID({zowe.setup.security.users.zis}.) +
+GROUP({zowe.setup.security.groups.stc}.) +
+STCID({zowe.setup.security.stcs.aux}.)
+F ACF2,REFRESH(STC)
+*
+* DEFINE ZIS SECURITY RESOURCES ..................................
+*
+* define a role holding the permissions, add ZISUSER and
+* ZOWEUSER to it
+*
+SET X(ROL)
+INSERT {zowe.setup.security.groups.stc}. +
+ INCLUDE({zowe.setup.security.users.zowe}.) ROLE
+F ACF2,NEWXREF,TYPE(ROL)
+CHANGE {zowe.setup.security.groups.stc}. +
+ INCLUDE({zowe.setup.security.users.zis}.) ADD
+F ACF2,NEWXREF,TYPE(ROL)
+*
+* DEFINE STC SERVER PERMISIONS ....................................
+*
+* permit AUX and Zowe main server to use ZIS cross memory server
+*
+SET RESOURCE(FAC)
+RECKEY ZWES ADD(IS SERVICE(READ) +
+ ROLE({zowe.setup.security.groups.stc}.) ALLOW)
+F ACF2,REBUILD(FAC)
+*
+* DEFINE ZOWE SERVER PERMISIONS ...................................
+*
+* permit Zowe main server to create a user's security environment
+* ATTENTION: Defining the BPX.DAEMON or BPX.SERVER profile makes
+* z/OS UNIX switch to z/OS UNIX level security. This is
+* more secure, but it can impact operation of existing
+* applications. Test this thoroughly before activating
+* it on a production system.
+*
+SET RESOURCE(FAC)
+RECKEY BPX ADD(DAEMON SERVICE(UPDATE) +
+ ROLE({zowe.setup.security.groups.stc}.) ALLOW)
+RECKEY BPX ADD(SERVER SERVICE(UPDATE) +
+ ROLE({zowe.setup.security.groups.stc}.) ALLOW)
+*
+* permit Zowe main server to create a user's security environment
+* comment out the following 3 lines if the OMVSAPPL is not defined
+* in your environment
+SET RESOURCE(APL)
+RECKEY OMVSAPPL ADD(SERVICE(READ) +
+ ROLE({zowe.setup.security.groups.stc}.) ALLOW)
+F ACF2,REBUILD(APL)
+*
+* Allow STCGRP role access to BPX.JOBNAME
+RECKEY BPX ADD(JOBNAME SERVICE(READ) +
+ ROLE({zowe.setup.security.groups.stc}.) ALLOW)
+F ACF2,REBUILD(FAC)
+
+* allow STCGRP role to use client certificate mapping service
+SET RESOURCE(FAC)
+RECKEY IRR ADD(RUSERMAP ROLE({zowe.setup.security.groups.stc}.) +
+ SERVICE(READ) ALLOW)
+F ACF2,REBUILD(FAC)
+
+* allow STCGRP role to use distributed identity mapping service
+SET RESOURCE(FAC)
+RECKEY IRR ADD(IDIDMAP.QUERY +
+ ROLE({zowe.setup.security.groups.stc}.) SERVICE(READ) ALLOW)
+F ACF2,REBUILD(FAC)
+
+* permit Zowe main server to cut SMF records
+SET RESOURCE(FAC)
+RECKEY IRR ADD(RAUDITX ROLE({zowe.setup.security.groups.stc}.) +
+ SERVICE(READ) ALLOW)
+F ACF2,REBUILD(FAC)
+
+*
+* DEFINE ZOWE DATA SET PROTECTION .................................
+*
+* - HLQ..SZWEAUTH is an APF authorized data set. It is strongly
+* advised to protect it against updates.
+*
+* HLQ stub
+SET RULE
+* general data set protection
+LIST {zowe.setup.dataset.prefix}.
+RECKEY {zowe.setup.dataset.prefix}. ADD(- UID(-) READ(A) EXEC(P))
+RECKEY {zowe.setup.dataset.prefix}. +
+ADD(- UID({zowe.setup.security.groups.sysProg}.) +
+ READ(A) EXEC(A) ALLOC(A) WRITE(A))
+*
+* show results
+LIST {zowe.setup.dataset.prefix}.
+*
+
+*
+* DEFINE ZOWE RESOURCE PROTECTION .................................
+*
+* - Defines new resource class for Zowe that protects access to
+* sensitive Zowe resources.
+* - Defines resource APIML.SERVICES that controls access to
+* detailed information about API services to Zowe users.
+
+* define ZOWE resource type and class mapping
+* skip this section if the ZOWE resource class already exists
+SET CONTROL(GSO)
+INSERT CLASMAP.ZOWE RESOURCE(ZOWE) RSRCTYPE(ZWE)
+F ACF2,REFRESH(CLASMAP),TYPE(GSO)
+CHANGE INFODIR TYPES(R-RZWE)
+F ACF2,REFRESH(INFODIR)
+SET CONTROL(GSO)
+
+* uncomment and replace "user" to permit Zowe users to access
+* the resource:
+* SET RESOURCE(ZWE)
+* RECKEY APIML ADD(SERVICES -
+* UID(user) SERVICE(READ) ALLOW)
+* F ACF2,REBUILD(ZWE)
+
+* show results
+SET RESOURCE(ZWE)
+LIST LIKE(-)
+$$
+//*
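Review bot: The BPX JOBNAME rule after the OMVSAPPL block is issued while the resource type is still APL — `SET RESOURCE(APL)` precedes it and nothing switches back — so `RECKEY BPX ADD(JOBNAME SERVICE(READ) …` lands in the APL rule set and the `F ACF2,REBUILD(FAC)` that follows it does not pick the rule up; insert `SET RESOURCE(FAC)` directly before that RECKEY. The comment "comment out the following 3 lines if the OMVSAPPL is not defined" covers four lines (SET, RECKEY, its continuation, REBUILD), so a reader following it literally leaves the REBUILD in place. The CAUTION header still says this is neither a procedure nor a complete job and asks the reader to add a job name, but the member now opens with a `//ZWEIACF2 JOB` card and is submitted directly by `zwe init security`, so that text is stale; the same header is carried into ZWEIRACF and ZWEITSS. The blank lines inside the `ACF2 DD DATA` stream differ from the rest of the member, which uses `*` comment lines as separators; whether ACF command input tolerates them is worth confirming on a test system.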
diff --git a/files/SZWESAMP/ZWEIRACF b/files/SZWESAMP/ZWEIRACF
new file mode 100644
index 0000000000..764208bc58
--- /dev/null
+++ b/files/SZWESAMP/ZWEIRACF
@@ -0,0 +1,315 @@
+//ZWEIRACF JOB
+//*
+//* This program and the accompanying materials are made available
+//* under the terms of the Eclipse Public License v2.0 which
+//* accompanies this distribution, and is available at
+//* https://www.eclipse.org/legal/epl-v20.html
+//*
+//* SPDX-License-Identifier: EPL-2.0
+//*
+//* Copyright Contributors to the Zowe Project. 2018, 2020
+//*
+//*********************************************************************
+//*
+//* Zowe Open Source Project
+//* This JCL can be used to define security permits for Zowe
+//*
+//*
+//* CAUTION: This is neither a JCL procedure nor a complete job.
+//* Before using this JCL, you will have to make the following
+//* modifications:
+//*
+//* 1) Add job name and job parameters to the JOB statement, to
+//* meet your system requirements.
+//*
+//* 2) When not using AUTOUID and AUTOGID to assign z/OS UNIX UID
+//* and GID values, update the SET *ID= statements to match the
+//* desired UID and GID values.
+//*
+//* 3) Customize the commands in the DD statement that matches your
+//* security product so that they meet your system requirements.
+//*
+//* Note(s):
+//*
+//* 1. THE USER ID THAT RUNS THIS JOB MUST HAVE SUFFICIENT AUTHORITY
+//* TO ALTER SECURITY DEFINITONS
+//*
+//* 2. The Zowe started task user ID 'zowe.setup.security.users.zowe'
+//* Writes persistent data to 'zowe.workspaceDirectory'
+//* This sample JCL makes the Zowe started task part of
+//* the Zowe admin group 'zowe.setup.security.groups.admin'
+//* to facilitate admin access to this directory.
+//*
+//* 3. This job WILL complete with return code 0.
+//* The results of each command must be verified after completion.
+//*
+//*********************************************************************
+// EXPORT SYMLIST=*
+//*
+//* The sample commands assume AUTOUID and AUTOGID are
+//* enabled. When this is not the case,
+//* provide appropriate (numeric) values to these SET commands.
+// SET ADMINGID= * Group ID for ZOWE administrators
+// SET STCGID=&ADMINGID. * Group ID for ZOWE started tasks
+// SET ZOWEUID= * UID for ZOWE started task User
+// SET ZISUID= * UID for ZIS started task User
+//*
+//* If using AUTOUID and AUTOGID, the RACF database must be
+//* at AIM 2 or higher, and BPX.NEXT.USER must exist.
+//*
+//*********************************************************************
+//*
+//* EXECUTE COMMANDS FOR SELECTED SECURITY PRODUCT
+//*
+//RUN EXEC PGM=IKJEFT01,REGION=0M
+//SYSTSPRT DD SYSOUT=*
+//SYSTSIN DD DDNAME=RACF
+//RACF DD DATA,DLM=$$,SYMBOLS=JCLONLY
+
+/* ACTIVATE REQUIRED RACF SETTINGS AND CLASSES ..................... */
+
+/* - Comment out the activation statements for the classes that are */
+/* already active. */
+
+/* display current settings */
+/*SETROPTS LIST */
+
+/* activate FACILITY class for z/OS UNIX & Zowe ZIS profiles */
+ SETROPTS GENERIC(FACILITY)
+ SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
+
+/* activate started task class */
+ SETROPTS GENERIC(STARTED)
+ SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
+
+/* show results .................................................... */
+ SETROPTS LIST
+
+/* DEFINE ADMINISTRATORS ........................................... */
+
+/* - The sample commands assume automatic generation of GID is */
+/* enabled. */
+
+/* group for administrators */
+/* replace AUTOGID with GID(&ADMINGID.) if AUTOGID not enabled */
+ LISTGRP {zowe.setup.security.groups.admin}. OMVS
+ ADDGROUP {zowe.setup.security.groups.admin}. OMVS(AUTOGID) -
+ DATA('ZOWE ADMINISTRATORS')
+
+/* uncomment to add existing user IDs to the ADMINGRP group */
+/* CONNECT (userid,userid,...) - */
+/* GROUP({zowe.setup.security.groups.admin}.) AUTH(USE) */
+
+/* DEFINE STARTED TASK ............................................. */
+
+/* - Ensure that user IDs are protected with the NOPASSWORD keyword. */
+/* - The sample commands assume automatic generation of UID and GID */
+/* is enabled. */
+
+/* comment out if STCGRP matches ADMINGRP (default), expect */
+/* warning messages otherwise */
+/* group for started tasks */
+/* replace AUTOGID with GID(&STCGID.) if AUTOGID not enabled */
+ LISTGRP {zowe.setup.security.groups.stc}. OMVS
+ ADDGROUP {zowe.setup.security.groups.stc}. OMVS(AUTOGID) -
+ DATA('STARTED TASK GROUP WITH OMVS SEGMENT')
+
+/* */
+
+/* userid for ZOWE main server */
+/* replace AUTOUID with UID(&ZOWEUID.) if AUTOUID not enabled */
+ LISTUSER {zowe.setup.security.users.zowe}. OMVS
+ ADDUSER {zowe.setup.security.users.zowe}. -
+ NOPASSWORD -
+ DFLTGRP({zowe.setup.security.groups.stc}.) -
+ OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) -
+ NAME('ZOWE SERVER') -
+ DATA('ZOWE MAIN SERVER')
+
+/* userid for ZIS cross memory server */
+/* replace AUTOUID with UID(&ZISUID.) if AUTOUID not enabled */
+ LISTUSER {zowe.setup.security.users.zis}. OMVS
+ ADDUSER {zowe.setup.security.users.zis}. -
+ NOPASSWORD -
+ DFLTGRP({zowe.setup.security.groups.stc}.) -
+ OMVS(HOME(/tmp) PROGRAM(/bin/sh) AUTOUID) -
+ NAME('ZOWE ZIS SERVER') -
+ DATA('ZOWE ZIS CROSS MEMORY SERVER')
+
+/* */
+
+/* started task for ZOWE main server */
+ RLIST STARTED {zowe.setup.security.stcs.zowe}..* ALL STDATA
+ RDEFINE STARTED {zowe.setup.security.stcs.zowe}..* -
+ STDATA(USER({zowe.setup.security.users.zowe}.) -
+ GROUP({zowe.setup.security.groups.stc}.) -
+ TRUSTED(NO)) DATA('ZOWE MAIN SERVER')
+
+/* started task for ZIS cross memory server */
+ RLIST STARTED {zowe.setup.security.stcs.zis}..* ALL STDATA
+ RDEFINE STARTED {zowe.setup.security.stcs.zis}..* -
+ STDATA(USER({zowe.setup.security.users.zis}.) -
+ GROUP({zowe.setup.security.groups.stc}.) -
+ TRUSTED(NO)) DATA('ZOWE ZIS CROSS MEMORY SERVER')
+
+/* started task for ZIS Auxiliary cross memory server */
+ RLIST STARTED {zowe.setup.security.stcs.aux}..* ALL STDATA
+ RDEFINE STARTED {zowe.setup.security.stcs.aux}..* -
+ STDATA(USER({zowe.setup.security.users.zis}.) -
+ GROUP({zowe.setup.security.groups.stc}.) -
+ TRUSTED(NO)) DATA('ZOWE ZIS AUX CROSS MEMORY SERVER')
+
+ SETROPTS RACLIST(STARTED) REFRESH
+
+/* show results .................................................... */
+ LISTGRP {zowe.setup.security.groups.stc}. OMVS
+ LISTUSER {zowe.setup.security.users.zowe}. OMVS
+ LISTUSER {zowe.setup.security.users.zis}. OMVS
+ RLIST STARTED {zowe.setup.security.stcs.zowe}..* ALL STDATA
+ RLIST STARTED {zowe.setup.security.stcs.zis}..* ALL STDATA
+ RLIST STARTED {zowe.setup.security.stcs.aux}..* ALL STDATA
+
+/* DEFINE ZIS SECURITY RESOURCES ................................... */
+
+/* define ZIS security profile */
+ RLIST FACILITY ZWES.IS ALL
+ RDEFINE FACILITY ZWES.IS UACC(NONE)
+
+/* DEFINE AUX SERVER PERMISIONS .................................... */
+
+/* permit AUX STC to use ZIS cross memory server */
+ PERMIT ZWES.IS CLASS(FACILITY) ACCESS(READ) -
+ ID({zowe.setup.security.users.zis}.)
+ SETROPTS RACLIST(FACILITY) REFRESH
+
+/* DEFINE ZOWE SERVER PERMISIONS ................................... */
+
+/* permit Zowe main server to use ZIS cross memory server */
+ PERMIT ZWES.IS CLASS(FACILITY) ACCESS(READ) -
+ ID({zowe.setup.security.users.zowe}.)
+ SETROPTS RACLIST(FACILITY) REFRESH
+
+/* permit Zowe main server to create a user's security environment */
+/* ATTENTION: Defining the BPX.DAEMON or BPX.SERVER profile makes */
+/* z/OS UNIX switch to z/OS UNIX level security. This is */
+/* more secure, but it can impact operation of existing */
+/* applications. Test this thoroughly before activating */
+/* it on a production system. */
+ RLIST FACILITY BPX.DAEMON ALL
+ RDEFINE FACILITY BPX.DAEMON UACC(NONE)
+ PERMIT BPX.DAEMON CLASS(FACILITY) ACCESS(UPDATE) 0
+ ID({zowe.setup.security.users.zowe}.)
+
+ RLIST FACILITY BPX.SERVER ALL
+ RDEFINE FACILITY BPX.SERVER UACC(NONE)
+ PERMIT BPX.SERVER CLASS(FACILITY) ACCESS(UPDATE) -
+ ID({zowe.setup.security.users.zowe}.)
+
+/* permit Zowe main server to create a user's security environment */
+/* comment out the following 2 lines if the OMVSAPPL is not defined */
+/* in your environment */
+ PERMIT OMVSAPPL CLASS(APPL) ID({zowe.setup.security.users.zowe}.) -
+ ACCESS(READ)
+ SETROPTS RACLIST(APPL) REFRESH
+
+/* permit Zowe main server to set job name */
+ RLIST FACILITY BPX.JOBNAME ALL
+ RDEFINE FACILITY BPX.JOBNAME UACC(NONE)
+ PERMIT BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) -
+ ID({zowe.setup.security.users.zowe}.)
+
+ SETROPTS RACLIST(FACILITY) REFRESH
+
+/* permit Zowe main server to use client certificate mapping service */
+ RLIST FACILITY IRR.RUSERMAP ALL
+ RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
+ PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) -
+ ID({zowe.setup.security.users.zowe}.)
+
+/* permit Zowe main server to use distributed identity mapping */
+/* service
+ RLIST FACILITY IRR.IDIDMAP.QUERY ALL
+ RDEFINE FACILITY IRR.IDIDMAP.QUERY UACC(NONE)
+ PERMIT IRR.IDIDMAP.QUERY CLASS(FACILITY) ACCESS(READ) -
+ ID({zowe.setup.security.users.zowe}.)
+
+/* permit Zowe main server to cut SMF records */
+ RLIST FACILITY IRR.RAUDITX ALL
+ RDEFINE FACILITY IRR.RAUDITX UACC(NONE)
+ PERMIT IRR.RAUDITX CLASS(FACILITY) ACCESS(READ) -
+ ID({zowe.setup.security.users.zowe}.)
+
+ SETROPTS RACLIST(FACILITY) REFRESH
+/* show results .................................................... */
+ RLIST FACILITY ZWES.IS ALL
+ RLIST FACILITY BPX.DAEMON ALL
+ RLIST FACILITY BPX.SERVER ALL
+ RLIST FACILITY BPX.JOBNAME ALL
+ RLIST FACILITY IRR.RUSERMAP ALL
+ RLIST FACILITY IRR.RAUDITX ALL
+
+/* DEFINE ZOWE DATA SET PROTECTION ................................. */
+
+/* - HLQ..SZWEAUTH is an APF authorized data set. It is strongly */
+/* advised to protect it against updates. */
+/* - The sample commands assume that EGN (Enhanced Generic Naming) */
+/* is active, which allows the usage of ** to represent any number */
+/* of qualifiers in the DATASET class. Substitute *.** with * if */
+/* EGN is not active on your system. */
+
+/* HLQ stub */
+ LISTGRP {zowe.setup.dataset.prefix}.
+ ADDGROUP {zowe.setup.dataset.prefix}. DATA('Zowe - HLQ STUB')
+
+/* general data set protection */
+ LISTDSD PREFIX({zowe.setup.dataset.prefix}.) ALL
+ ADDSD '{zowe.setup.dataset.prefix}..*.**' UACC(READ) DATA('Zowe')
+ PERMIT '{zowe.setup.dataset.prefix}..*.**' CLASS(DATASET) -
+ ACCESS(ALTER) ID({zowe.setup.security.groups.sysProg}.)
+
+ SETROPTS GENERIC(DATASET) REFRESH
+
+/* show results .................................................... */
+ LISTGRP {zowe.setup.dataset.prefix}.
+ LISTDSD PREFIX({zowe.setup.dataset.prefix}.) ALL
+
+/* DEFINE ZOWE RESOURCE PROTECTION ................................. */
+
+/* - Defines new resource class for Zowe that protects access to */
+/* sensitive Zowe resources. */
+/* - Defines resource APIML.SERVICES that controls access to */
+/* detailed information about API services to Zowe users. */
+
+/* uncomment to activate CDT class to define ZOWE resource class */
+/* SETROPTS CLASSACT(CDT) RACLIST(CDT) */
+
+/* define ZOWE resource class */
+/* skip this command if the ZOWE resource class already exists */
+/* use a unique value in POSIT */
+ RDEFINE CDT ZOWE -
+ UACC(NONE) -
+ CDTINFO(DEFAULTUACC(NONE) -
+ FIRST(ALPHA) -
+ OTHER(ALPHA,NATIONAL,NUMERIC,SPECIAL) -
+ MAXLENGTH(246) -
+ POSIT(607) -
+ RACLIST(DISALLOWED))
+
+ SETROPTS RACLIST(CDT) REFRESH
+ SETROPTS CLASSACT(ZOWE)
+
+/* define resource for information about API services */
+ RDEFINE ZOWE APIML.SERVICES UACC(NONE)
+
+/* uncomment and replace "user" to permit Zowe users to access */
+/* the resource: */
+/* PERMIT APIML.SERVICES CLASS(ZOWE) ID(user) ACCESS(READ) */
+
+/* show results */
+ RLIST ZOWE *
+
+/* ................................................................. */
+/* only the last RC is returned, this command ensures it is a 0 */
+PROFILE
+$$
+//*
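Review bot: The line `PERMIT BPX.DAEMON CLASS(FACILITY) ACCESS(UPDATE) 0` ends in `0` where every other multi-line command in the member uses `-` as the TSO continuation character, so `ID({zowe.setup.security.users.zowe}.)` on the next line is no longer part of the PERMIT and the PERMIT itself carries an invalid operand and no ID; change it to `PERMIT BPX.DAEMON CLASS(FACILITY) ACCESS(UPDATE) -`. A few lines further down, `/* service` after `/* permit Zowe main server to use distributed identity mapping */` opens a comment that is never closed, so depending on how TSO handles an unterminated comment the RLIST/RDEFINE/PERMIT for IRR.IDIDMAP.QUERY may be swallowed up to the `*/` on the SMF-records line — which would also explain why IRR.IDIDMAP.QUERY is missing from the "show results" RLIST list; close it as `/* service */` and add `RLIST FACILITY IRR.IDIDMAP.QUERY ALL` to the results. Because the member is documented to end with RC 0 (the trailing `PROFILE`), either mistake would surface only as a later authorization failure rather than as a job failure.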
diff --git a/files/SZWESAMP/ZWEITSS b/files/SZWESAMP/ZWEITSS
new file mode 100644
index 0000000000..8b0d10c962
--- /dev/null
+++ b/files/SZWESAMP/ZWEITSS
@@ -0,0 +1,267 @@
+//ZWEITSS JOB
+//*
+//* This program and the accompanying materials are made available
+//* under the terms of the Eclipse Public License v2.0 which
+//* accompanies this distribution, and is available at
+//* https://www.eclipse.org/legal/epl-v20.html
+//*
+//* SPDX-License-Identifier: EPL-2.0
+//*
+//* Copyright Contributors to the Zowe Project. 2018, 2020
+//*
+//*********************************************************************
+//*
+//* Zowe Open Source Project
+//* This JCL can be used to define security permits for Zowe
+//*
+//*
+//* CAUTION: This is neither a JCL procedure nor a complete job.
+//* Before using this JCL, you will have to make the following
+//* modifications:
+//*
+//* 1) Add job name and job parameters to the JOB statement, to
+//* meet your system requirements.
+//*
+//* 2) When not using AUTOUID and AUTOGID to assign z/OS UNIX UID
+//* and GID values, update the SET *ID= statements to match the
+//* desired UID and GID values.
+//*
+//* 3) Customize the commands in the DD statement that matches your
+//* security product so that they meet your system requirements.
+//*
+//* Note(s):
+//*
+//* 1. THE USER ID THAT RUNS THIS JOB MUST HAVE SUFFICIENT AUTHORITY
+//* TO ALTER SECURITY DEFINITONS
+//*
+//* 2. The Zowe started task user ID 'zowe.setup.security.users.zowe'
+//* Writes persistent data to 'zowe.workspaceDirectory'
+//* This sample JCL makes the Zowe started task part of
+//* the Zowe admin group 'zowe.setup.security.groups.admin'
+//* to facilitate admin access to this directory.
+//*
+//* 3. This job WILL complete with return code 0.
+//* The results of each command must be verified after completion.
+//*
+//*********************************************************************
+// EXPORT SYMLIST=*
+//*
+//* Provide appropriate (numeric) values to these SET commands.
+// SET ADMINGID= * Group ID for ZOWE administrators
+// SET STCGID=&ADMINGID. * Group ID for ZOWE started tasks
+// SET ZOWEUID= * UID for ZOWE started task User
+// SET ZISUID= * UID for ZIS started task User
+//*
+//* If a default UID and GID range is defined, you can specify '?'
+//* in the SET *ID= statements to utilize auto-assignment
+//* of UID and GID.
+//*
+//* 12345678
+// SET ADMINDEP= * department owning admin group
+// SET STCGDEP= * department owning STC group
+// SET STCUDEP= * department owning STC user IDs
+// SET ZOWEDEP= * department owning Zowe resources
+// SET FACACID= * ACID owning IBMFAC
+//* 12345678
+//*
+//*********************************************************************
+//*
+//* EXECUTE COMMANDS FOR SELECTED SECURITY PRODUCT
+//*
+//RUN EXEC PGM=IKJEFT01,REGION=0M
+//SYSTSPRT DD SYSOUT=*
+//SYSTSIN DD DDNAME=TSS
+//TSS DD DATA,DLM=$$,SYMBOLS=JCLONLY
+
+/* DEFINE ADMINISTRATORS ........................................... */
+
+/* group for administrators */
+ TSS LIST({zowe.setup.security.groups.admin}.) SEGMENT(OMVS)
+ TSS CREATE({zowe.setup.security.groups.admin}.) TYPE(GROUP) +
+ NAME('ZOWE ADMINISTRATORS') +
+ DEPT(&ADMINDEP.)
+ TSS ADD({zowe.setup.security.groups.admin}.) GID(&ADMINGID.)
+
+/* uncomment to add existing user IDs to the Zowe admin group */
+/* TSS ADD(userid) GROUP({zowe.setup.security.groups.admin}.) */
+
+/* DEFINE STARTED TASK ............................................. */
+
+/* comment out if STCGRP matches ADMINGRP (default), expect */
+/* warning messages otherwise */
+/* group for started tasks */
+ TSS LIST({zowe.setup.security.groups.stc}.) SEGMENT(OMVS)
+ TSS CREATE({zowe.setup.security.groups.stc}.) TYPE(GROUP) +
+ NAME('STC GROUP WITH OMVS SEGMENT') +
+ DEPT(&STCGDEP.)
+ TSS ADD({zowe.setup.security.groups.stc}.) GID(&STCGID.)
+
+/* */
+
+/* userid for ZOWE main server */
+ TSS LIST({zowe.setup.security.users.zowe}.) SEGMENT(OMVS)
+ TSS CREATE({zowe.setup.security.users.zowe}.) TYPE(USER) PASS(NOPW,0) +
+ NAME('ZOWE MAIN SERVER') +
+ DEPT(&STCUDEP.)
+ TSS ADD({zowe.setup.security.users.zowe}.) +
+ GROUP({zowe.setup.security.groups.stc}.) +
+ DFLTGRP({zowe.setup.security.groups.stc}.) +
+ HOME(/tmp) OMVSPGM(/bin/sh) UID(&ZOWEUID.)
+
+/* userid for ZIS cross memory server */
+ TSS LIST({zowe.setup.security.users.zis}.) SEGMENT(OMVS)
+ TSS CREATE({zowe.setup.security.users.zis}.) TYPE(USER) PASS(NOPW,0) +
+ NAME('ZOWE ZIS CROSS MEMORY SERVER') +
+ DEPT(&STCUDEP.)
+ TSS ADD({zowe.setup.security.users.zis}.) +
+ GROUP({zowe.setup.security.groups.stc}.) +
+ DFLTGRP({zowe.setup.security.groups.stc}.) +
+ HOME(/tmp) OMVSPGM(/bin/sh) UID(&ZISUID.)
+
+/* */
+
+/* started task for ZOWE main server */
+ TSS LIST(STC) PROCNAME({zowe.setup.security.stcs.zowe}.) PREFIX
+ TSS ADD(STC) PROCNAME({zowe.setup.security.stcs.zowe}.) +
+ ACID({zowe.setup.security.users.zowe}.)
+ TSS ADD({zowe.setup.security.users.zowe}.) FAC(STC)
+
+/* started task for ZIS cross memory server */
+ TSS LIST(STC) PROCNAME({zowe.setup.security.stcs.zis}.) PREFIX
+ TSS ADD(STC) PROCNAME({zowe.setup.security.stcs.zis}.) +
+ ACID({zowe.setup.security.users.zis}.)
+ TSS ADD({zowe.setup.security.users.zis}.) FAC(STC)
+
+/* started task for ZIS Auxiliary cross memory server */
+ TSS LIST(STC) PROCNAME({zowe.setup.security.stcs.aux}.) PREFIX
+ TSS ADD(STC) PROCNAME({zowe.setup.security.stcs.aux}.) +
+ ACID({zowe.setup.security.users.zis}.)
+ TSS ADD({zowe.setup.security.users.zis}.) FAC(STC)
+
+/* DEFINE ZIS SECURITY RESOURCES ................................... */
+
+/* define ZIS security profile */
+ TSS ADD(&FACACID.) IBMFAC(ZWES.IS)
+
+/* DEFINE AUX SERVER PERMISIONS .................................... */
+
+/* permit AUX STC to use ZIS cross memory server */
+ TSS WHOHAS IBMFAC(ZWES.IS)
+ TSS PERMIT({zowe.setup.security.users.zis}.) IBMFAC(ZWES.IS) +
+ ACCESS(READ)
+
+/* DEFINE ZOWE SERVER PERMISIONS ................................... */
+
+/* permit Zowe main server to use ZIS cross memory server */
+ TSS WHOHAS IBMFAC(ZWES.IS)
+ TSS PERMIT({zowe.setup.security.users.zowe}.) IBMFAC(ZWES.IS) +
+ ACCESS(READ)
+
+/* permit Zowe main server to create a user's security environment */
+/* ATTENTION: Defining the BPX.DAEMON or BPX.SERVER profile makes */
+/* z/OS UNIX switch to z/OS UNIX level security. This is */
+/* more secure, but it can impact operation of existing */
+/* applications. Test this thoroughly before activating */
+/* it on a production system. */
+ TSS ADD(&FACACID.) IBMFAC(BPX.)
+ TSS WHOHAS IBMFAC(BPX.DAEMON)
+ TSS PER({zowe.setup.security.users.zowe}.) IBMFAC(BPX.DAEMON) +
+ ACCESS(UPDATE)
+ TSS WHOHAS IBMFAC(BPX.SERVER)
+ TSS PER({zowe.setup.security.users.zowe}.) IBMFAC(BPX.SERVER) +
+ ACCESS(UPDATE)
+
+/* permit Zowe main server to create a user's security environment */
+/* comment out the following line if the OMVSAPPL is not defined */
+/* in your environment */
+TSS PERMIT({zowe.setup.security.users.zowe}.) APPL(OMVSAPPL)
+
+/* Allow ZOWEUSER access to BPX.JOBNAME */
+ TSS WHOHAS IBMFAC(BPX.JOBNAME)
+ TSS PER({zowe.setup.security.users.zowe}.) IBMFAC(BPX.JOBNAME) +
+ ACCESS(READ)
+
+/* permit Zowe main server to use client certificate mapping service */
+ TSS WHOHAS IBMFAC(IRR.RUSERMAP)
+ TSS PER({zowe.setup.security.users.zowe}.) IBMFAC(IRR.RUSERMAP) +
+ ACCESS(READ)
+
+/* permit Zowe main server to use distributed identity mapping */
+/* service
+ TSS WHOHAS IBMFAC(IRR.IDIDMAP.QUERY)
+ TSS PER({zowe.setup.security.users.zowe}.) +
+ IBMFAC(IRR.IDIDMAP.QUERY) ACCESS(READ)
+
+/* permit Zowe main server to cut SMF records */
+ TSS WHOHAS IBMFAC(IRR.RAUDITX)
+ TSS PER({zowe.setup.security.users.zowe}.) IBMFAC(IRR.RAUDITX) +
+ ACCESS(READ)
+
+/* DEFINE ZOWE DATA SET PROTECTION ................................. */
+
+/* - HLQ..SZWEAUTH is an APF authorized data set. It is strongly */
+/* advised to protect it against updates. */
+
+/* HLQ stub */
+ TSS ADD(&ADMINDEP.) DATASET({zowe.setup.dataset.prefix}..)
+
+/* general data set protection */
+ TSS WHOHAS DATASET({zowe.setup.dataset.prefix}.)
+ TSS PER(ALL) DATASET({zowe.setup.dataset.prefix}..) ACCESS(READ)
+ TSS PER({zowe.setup.security.groups.sysProg}) +
+ DATASET({zowe.setup.dataset.prefix}..) ACCESS(ALL)
+
+/* show results */
+ TSS WHOHAS DATASET({zowe.setup.dataset.prefix}.)
+
+/* DEFINE ZOWE RESOURCE PROTECTION ................................. */
+
+/* - Defines new resource class for Zowe that protects access to */
+/* sensitive Zowe resources. */
+/* - Defines resource APIML.SERVICES that controls access to */
+/* detailed information about API services to Zowe users. */
+
+/* define ZOWE resource class */
+/* skip this command if the ZOWE resource class already exists */
+ TSS ADDTO(RDT) RESCLASS(ZOWE) MAXLEN(246) +
+ ACLST(NONE,READ,UPDATE,CONTROL) DEFACC(NONE)
+
+/* define resource for information about API services */
+ TSS ADDTO(&ZOWEDEP.) ZOWE(APIML.)
+
+/* uncomment and replace "user" to permit Zowe users to access */
+/* the resource: */
+/* TSS PERMIT(user) ZOWE(APIML.SERVICES) ACCESS(READ) */
+
+/* show results */
+ TSS LIST(RDT) RESCLASS(ZOWE)
+
+/* If any of these started tasks are multiusers address spaces */
+/* a TSS FACILITY needs to be defined and assigned to the started */
+/* and should not be using the STC FACILITY . The all acids signing */
+/* on to the started tasks will need to be authorized to the */
+/* FACILITY. */
+/* */
+/* Create FACILITY example: */
+/* In the TSSPARMS add the following lines to create */
+/* the new FACILITY. */
+/* */
+/* FACILITY(USER11=NAME=ZOWE) */
+/* FACILITY(ZOWE=MODE=FAIL) */
+/* FACILITY(ZOWE=RES) */
+/* */
+/* To assign the FACILITY to the started task issue the following */
+/* command: */
+/* */
+/* TSS ADD(started_task_acid) MASTFAC(ZOWE) */
+/* */
+/* To authorize a user to signon to the FACILITY, issues the */
+/* following command. */
+/* */
+/* TSS ADD(user_acid) FAC(ZOWE) */
+
+/* ................................................................. */
+/* only the last RC is returned, this command ensures it is a 0 */
+PROFILE
+$$
+//*
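Review bot: The placeholder on the `TSS PER` line for the system programmer group is written `{zowe.setup.security.groups.sysProg}` with no trailing `.`, while every other placeholder in this member (and in the RACF member above, `ID({zowe.setup.security.groups.sysProg}.)`) is followed by a `.`, which looks like the substitution terminator; if the terminator is required, this PERMIT will be generated with a malformed ACID, so the line should read `TSS PER({zowe.setup.security.groups.sysProg}.) +`. Two smaller points in the same member: the comment introducing the IRR.IDIDMAP.QUERY permit (`/* service`) is the only comment in the file not closed with `*/`, and the OMVSAPPL `TSS PERMIT` line is the only command not indented like its neighbours and repeats the header comment of the BPX.DAEMON/BPX.SERVER section instead of describing OMVSAPPL. Closing the comment and aligning the indentation keeps the member consistent with the other ZWEI* samples in this commit.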
diff --git a/workflows/templates/ZWESECUR.properties b/workflows/templates/ZWESECUR.properties
index 11543d4aa5..029ea6f982 100644
--- a/workflows/templates/ZWESECUR.properties
+++ b/workflows/templates/ZWESECUR.properties
@@ -177,15 +177,7 @@ ZISUSER: '#ZWESIUSR'
# Category: General Security
# Description:
# Zowe started task name
-ZOWESTC: '#ZWESVSTC'
-
-# ZLNCHSTC
-# Label: ZLNCHSTC
-# Abstract: Zowe started task name for HA
-# Category: General Security
-# Description:
-# Zowe started task name for HA
-ZLNCHSTC: '#ZWESLSTC'
+ZOWESTC: '#ZWESLSTC'
# ZISSTC
# Label: ZISSTC
diff --git a/workflows/templates/ZWESECUR.vtl b/workflows/templates/ZWESECUR.vtl
index d32ecb48dc..84d86af7ab 100644
--- a/workflows/templates/ZWESECUR.vtl
+++ b/workflows/templates/ZWESECUR.vtl
@@ -35,6 +35,7 @@
//* 1) Add job name and job parameters to the JOB statement, to
//* meet your system requirements.
//*
+#if($ibmTemplate != 'YES')
//* 2) Update the SET PRODUCT= statement to match your security
//* product.
//*
@@ -53,30 +54,27 @@
//* 7) Update the SET ZOWESTC= statement to match the desired
//* Zowe started task name.
//*
-//* 8) Update the SET ZLNCHSTC= statement to match the desired
-//* Zowe launcher started task name. It is applicable if you
-//* run Zowe for high availability.
-//*
-//* 9) Update the SET ZISSTC= statement to match the desired
+//* 8) Update the SET ZISSTC= statement to match the desired
//* ZIS started task name.
//*
-//* 10) Update the SET AUXSTC= statement to match the desired
+//* 9) Update the SET AUXSTC= statement to match the desired
//* ZIS Auxiliary started task name.
//*
-//* 11) Update the SET HLQ= statement to match the desired
+//* 10) Update the SET HLQ= statement to match the desired
//* Zowe data set high level qualifier.
//*
-//* 12) Update the SET SYSPROG= statement to match the existing
+//* 11) Update the SET SYSPROG= statement to match the existing
//* user ID or group used by z/OS system programmers.
//*
-//* 13) When not using AUTOUID and AUTOGID to assign z/OS UNIX UID
+#end
+//* 12) When not using AUTOUID and AUTOGID to assign z/OS UNIX UID
//* and GID values, update the SET *ID= statements to match the
//* desired UID and GID values.
//*
-//* 14) When using Top Secret, update the Top Secret specific SET
+//* 13) When using Top Secret, update the Top Secret specific SET
//* statements.
//*
-//* 15) Customize the commands in the DD statement that matches your
+//* 14) Customize the commands in the DD statement that matches your
//* security product so that they meet your system requirements.
//*
//* Note(s):
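Review bot: With the `#end` placed after step 11, the instructions rendered when `$ibmTemplate` is `'YES'` jump from "1)" straight to "12)", because steps 2–11 sit inside the `#if($ibmTemplate != 'YES')` block opened in the previous hunk. Either the numbering of steps 12–14 should also be made conditional (e.g. emit "2)", "3)", "4)" in the IBM branch) or the remaining steps should be rewritten as an unnumbered list so both renderings read correctly. The list is only documentation, but it is the text customers follow when editing the job, so a visible gap will prompt questions.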
@@ -103,19 +101,16 @@
#if($ibmTemplate == 'YES')
// EXPORT SYMLIST=*
//*
-// SET PRODUCT=RACF * RACF, ACF2, or TSS
-//* 12345678
-// SET ADMINGRP=ZWEADMIN * group for Zowe administrators
-// SET STCGRP=&ADMINGRP. * group for Zowe started tasks
-// SET ZOWEUSER=ZWESVUSR * userid for Zowe started task
-// SET ZISUSER=ZWESIUSR * userid for ZIS started task
-// SET ZOWESTC=ZWESVSTC * Zowe started task name
-// SET ZLNCHSTC=ZWESLSTC * Zowe started task name for HA
-// SET ZISSTC=ZWESISTC * ZIS started task name
-// SET AUXSTC=ZWESASTC * ZIS AUX started task name
-// SET HLQ=ZWE * data set high level qualifier
-// SET SYSPROG=&ADMINGRP. * system programmer user ID/group
-//* 12345678
+// SET PRODUCT=#[[{zowe.setup.security.product}]]#
+// SET ADMINGRP=#[[{zowe.setup.security.groups.admin}]]#
+// SET STCGRP=#[[{zowe.setup.security.groups.stc}]]#
+// SET ZOWEUSER=#[[{zowe.setup.security.users.zowe}]]#
+// SET ZISUSER=#[[{zowe.setup.security.users.zis}]]#
+// SET ZOWESTC=#[[{zowe.setup.security.stcs.zowe}]]#
+// SET ZISSTC=#[[{zowe.setup.security.stcs.zis}]]#
+// SET AUXSTC=#[[zowe.setup.security.stcs.aux}]]#
+// SET HLQ=#[[{zowe.setup.dataset.prefix}]]#
+// SET SYSPROG=#[[{zowe.setup.security.groups.sysProg}]]#
//*
//* The sample RACF and ACF2 commands assume AUTOUID and AUTOGID are
//* enabled. When this is not the case, or you are using Top Secret,
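Review bot: The AUXSTC line is missing the opening brace of its placeholder — `// SET AUXSTC=#[[zowe.setup.security.stcs.aux}]]#` — while every other SET in this block uses `#[[{...}]]#`; as written the literal text `zowe.setup.security.stcs.aux}` would be emitted instead of the configured AUX started task name, so it should read `// SET AUXSTC=#[[{zowe.setup.security.stcs.aux}]]#`. As a matter of style, the IBM-template branch drops the trailing `* ...` description comments and the `//* 12345678` column guide that the non-IBM branch further down still carries; keeping the descriptions on these lines would make the two variants easier to compare.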
@@ -152,7 +147,6 @@
// SET ZOWEUSER=${ZOWEUSER} * userid for Zowe started task
// SET ZISUSER=${ZISUSER} * userid for ZIS started task
// SET ZOWESTC=${ZOWESTC} * Zowe started task name
-// SET ZLNCHSTC=${ZLNCHSTC} * Zowe started task name for HA
// SET ZISSTC=${ZISSTC} * ZIS started task name
// SET AUXSTC=${AUXSTC} * ZIS AUX started task name
// SET HLQ=${HLQ} * data set high level qualifier
@@ -283,12 +277,6 @@
STDATA(USER(&ZOWEUSER.) GROUP(&STCGRP.) TRUSTED(NO)) -
DATA('ZOWE MAIN SERVER')
-/* started task for ZOWE Launcher in high availability */
- RLIST STARTED &ZLNCHSTC..* ALL STDATA
- RDEFINE STARTED &ZLNCHSTC..* -
- STDATA(USER(&ZOWEUSER.) GROUP(&STCGRP.) TRUSTED(NO)) -
- DATA('ZOWE LAUNCHER SERVER')
-
/* started task for ZIS cross memory server */
RLIST STARTED &ZISSTC..* ALL STDATA
RDEFINE STARTED &ZISSTC..* -
@@ -308,7 +296,6 @@
LISTUSER &ZOWEUSER. OMVS
LISTUSER &ZISUSER. OMVS
RLIST STARTED &ZOWESTC..* ALL STDATA
- RLIST STARTED &ZLNCHSTC..* ALL STDATA
RLIST STARTED &ZISSTC..* ALL STDATA
RLIST STARTED &AUXSTC..* ALL STDATA
@@ -520,14 +507,6 @@ GROUP(&STCGRP.) +
STCID(&ZOWESTC.)
F ACF2,REFRESH(STC)
*
-* started task for ZOWE Launcher in high availability
-*
-SET CONTROL(GSO)
-INSERT STC.&ZLNCHSTC. LOGONID(&ZOWEUSER.) +
-GROUP(&STCGRP.) +
-STCID(&ZLNCHSTC.)
-F ACF2,REFRESH(STC)
-*
* started task for ZIS cross memory server
*
SET CONTROL(GSO)
@@ -721,11 +700,6 @@ $$
TSS ADD(STC) PROCNAME(&ZOWESTC.) ACID(&ZOWEUSER.)
TSS ADD(&ZOWEUSER.) FAC(STC)
-/* started task for ZOWE Launcher in high availability */
- TSS LIST(STC) PROCNAME(&ZLNCHSTC.) PREFIX
- TSS ADD(STC) PROCNAME(&ZLNCHSTC.) ACID(&ZOWEUSER.)
- TSS ADD(&ZOWEUSER.) FAC(STC)
-
/* started task for ZIS cross memory server */
TSS LIST(STC) PROCNAME(&ZISSTC.) PREFIX
TSS ADD(STC) PROCNAME(&ZISSTC.) ACID(&ZISUSER.)
diff --git a/workflows/templates/ZWESECUR.xml b/workflows/templates/ZWESECUR.xml
index 2616c0e018..4508e22a2f 100644
--- a/workflows/templates/ZWESECUR.xml
+++ b/workflows/templates/ZWESECUR.xml
@@ -122,15 +122,6 @@
Zowe started task nameZowe started task nameGeneral Security
-
- #ZWESVSTC
-
-
-
-
- Zowe started task name for HA
- Zowe started task name for HA
- General Security#ZWESLSTC
@@ -265,7 +256,6 @@
- Run this step to initialize variable values.<br/>
Note(s):<br/>
1. THE USER ID THAT RUNS THIS JOB MUST HAVE SUFFICIENT AUTHORITY <br/>