Security requirements on IBM z/OS computers#

Specific security definitions are used to secure HCL™ Launch functions for the IBM z/OS® environment. To deploy applications to an IBM z/OS environment, the user accounts on the agent computer must have adequate access permissions. You must also identify specific directories and data sets to the authorized program facility.

The topics in this section present the security configurations related to the agent started task, data sets, file systems, user IDs, impersonation and security configurations related to the z/OS Utility plugin.

Note: This document does NOT cover the HCL Launch server’s security model and the security configurations related to server agent communication. Refer to Security configuration related to z/OS.

Agent started task and agent user ID#

The HCL Launch IBM z/OS agent is a long running Java process in the IBM z/OS UNIX System Services. The HCL Launch server distributes work, known as deploy processes, to an agent to execute. For each step in the deploy process, the agent starts a separate work process. The work process inherits the agent user ID’s security environment, unless the process is configured to use impersonation.

z/OS Server Agent Architecture diagram

Agent impersonation#

The su command is used to impersonate users. This figure shows a deployment scenario with two logical environments, DEV and TEST, in the same logical partition (LPAR). The deployment process is configured so that the agent impersonates USERA when deploying to DEV and USERB when deploying to TEST.

z/OS Impersonation diagram

Limitations#

  1. HardwareCryptography IBMJCECCA is not supported.
  2. RACFdigital certificates are not supported. HCL Launch uses keystore and keytool provided by Java to generate and manage certifications to be used for the agent/server communication.

  3. IBM z/OS agent user accounts
    If you run the agent from a UNIX™ command line, the agent user account is the account that you use to log in to the UNIX shell. If you run the agent as a started task, the agent user account is assigned by the Resource Access Control Facility (RACF®) using the started procedures table (ICHRIN03) or the STARTED class. To learn more about RACF, see the z/OS Security Server RACF® System Programmer's Guide, SA23-2287-00.

  4. IBM z/OS authorized program facility
    To deploy applications to an IBM z/OS environment, you must identify specific directories and data sets to the authorized program facility (APF).
  5. IBM z/OS directories and data sets
    To deploy applications to an IBM z/OS environment, the user accounts on the agent computer must have adequate access permissions. You must also identify specific directories and data sets to the authorized program facility.
  6. IBM z/OS tokens
    Tokens are used to authenticate with the HCL Launch server when z/OS component versions are imported.
  7. IBM z/OS component versions
    Component versions forIBM z/OS are imported from the build LPAR by using the buztool.sh command.
  8. Security configuration related to z/OS
    Information for the HCL Launch server’s security model and the security configurations related to server agent communication for IBM z/OS are referenced in this topic.

Parent topic: Deploying components to the z/OS platform