IBM z/OS agent user accounts#
If you run the agent from a UNIX™ command line, the agent user account is the account that you use to log in to the UNIX shell. If you run the agent as a started task, the agent user account is assigned by the Resource Access Control Facility (RACF®) using the started procedures table (ICHRIN03) or the STARTED class. To learn more about RACF, see the z/OS® Security Server RACF System Programmer's Guide, SA23-2287-00.
The agent user account must have the following:
- Access to the Time Sharing Option (TSO) and Interactive System Productivity Facility (ISPF) environments.
- The ability to create temporary data sets. By default, HCL™ Launch uses the data-set prefix that is stored in the TSO profile. Otherwise, HCL Launch uses the user ID as a temporary data-set prefix. You can specify a different prefix by setting the BUZ_TMP_DSN_PREFIX environment variable in agent_install_dir/bin/setenv-zos.sh.
- Sufficient virtual memory to run Java™ in the OMVS address space is required. The amount of required memory can vary based on which plug-ins are used in deployment processes. The following list includes typical values for RACF configuration parameters that specify virtual memory.
- ASSIZEMAX= 2147483647
- FILEPROCMAX= 00524287
- PROCUSERMAX= 00032767
- THREADSMAX= 00100000
- Sufficient virtual storage limits, if the agent is running as a started task. To set the virtual storage limits, specify the REGION=0M parameter in the EXEC PGM=BPXBATCH statement.
- A protected ID (which can not be used to log in) can be used as the agent ID. Because of the limitation of protected IDs, the ID cannot be used in steps that require a password or password phrase, for example, the Submit Job step or the CICS TS plug-in steps.
It is preferable for the installing ID to have read access to the BP.FILEATTR.APF resource in the FACILITY class profile to run the checkaccess command.
Note: If read access is not granted, the following message might be displayed.
chattr() error: rv=-1, errno=8B, rsn=0924041A
Respond to this message with the following command that must be run immediately after the installation by an ID that has this access.
extattr +a < agent dir>/auth/checkaccess
The following properties are supported and can be used with a zOS agent. These properties needs to be specified in installed.properties. The property names are case sensitive.
|mvs.sysoutclass||Accepts an one letter value that corresponds to the sysout class where the buztool / deployment outputs need to go.|
|mvs.tempvolser||Specifies the serial number of an eligible direct access volume on which temporary data sets need to reside. For SMS managed datasets, BUZ_TMP_DSN_PREFIX specified in this page will be a better option.|
|mvs.tempunit||Specifies the type of the unit to which temporary data set is to be allocated. You can specify an installation-defined group name, a generic device type, or a specific device number. For SMS managed datasets, BUZ_TMP_DSN_PREFIX specified in this page will be a better option.|
mvs.sysoutclass=X mvs.tempunit=SYSALLDA mvs.tempvolser=F$US01
Parent topic: Security requirements on IBM z/OS computers