From release 9.0.4.23-BPE onward, Pioneer Started Task no longer supports or requires a RACF userid attribute 'SPECIAL'. A normal RACF userid as shown below can be used.
There are various modes that you can use. The modes and the required RACF definitions are shown below. Note that the normal RACF userid is italicized.
Note: Depending on the requirement, select one of the following three modes (1, 2, or 3):
Mode 1:
SECURE_ID=YES,DEFAULT=YES
This mode uses RACF userid IDFAGNT as the default userid. IDFAGNT must have the SPECIAL attribute coded.
Default Pioneer control file parameter is SECURE_ID=YES,DEFAULT=YES
ADDGROUP SECGRP
ADDUSER PIONEER NAME(PIONEER) DFLTGRP(SECGRP) NOPASS NOPHRASE
ADDUSER IDFAGNT NAME(DEFAULT-ID) DFLTGRP(SECGRP) NOPASS NOPHRASE SPECIAL
PW USER(PIONEER) NOINTERVAL
ALU PIONEER AUDITOR
The AUDITOR attribute is used for list-type commands such as LISTUSER, LISTGRP, and similar commands.
RDEFINE FACILITY IDFADMIN.CMD UACC(NONE)
PERMIT IDFADMIN.CMD CLASS(FACILITY) ID(PIONEER) ACCESS(READ)
CONNECT PIONEER GROUP(grpname)
The grpname must be the same group used for FTPD. The group must have an OMVS segment and a PERMIT for BPX.DAEMON; without these the Pioneer RACF userid fails as shown below:
0090 IDMP006I - PIONEER DETECTS DEBUGGING IS ACTIVE
0090 IDMP011I - PIONEER DETECTS CPUID 1006112064
0090 IDMP012I - PIONEER DETECTS SYSPLEX SYSNAME ADCD113S
0090 IDMP013I - PIONEER DETECTS LPARNAME AS SYST
0090 IDMP014I - PIONEER DETECTS COUNTRY CODE OF US
0090 IDMP009I - PIONEER DETECTS ENCRYPTION ENABLED
0090 IDMP016I - PIONEER APF LIBRARY IS GOOD
0281 ICH408I JOB(PIONEER ) STEP(PIONEER ) CL(PROCESS ) 251
0281 OMVS SEGMENT NOT DEFINED
0090 IDMP402I PIONEER HAS NO OPEN SOCKETS
0090 IDMP402I PIONEER DID NOT OPEN TCPIP API
0090 IDMP402I PIONEER IS ENDING DUE TO ERRORS
0090 IDMP402I PIONEER - REVIEW SYSLOG OR PARMOUT
0090 IDMP402I PIONEER ENDS RC= 100
0090 IEF404I PIONEER - ENDED - TIME=10.26.13
0281 $HASP395 PIONEER ENDED
0281 IEA989I SLIP TRAP ID=X33E MATCHED. JOBNAME=*UNAVAIL, ASID=0037.
Mode 2:
SECURE_ID=YES,DEFAULT=NO,ENCRYPT=NO,ID=IDMSECU
This mode uses the RACF userid named in ID= (IDMSECU here) for RACF API calls; that RACF userid must have 'SPECIAL' coded.
Using a user-defined RACF secure id:
Pioneer parameter is SECURE_ID=YES,DEFAULT=NO,ENCRYPT=NO,ID=IDMSECU
ADDGROUP SECGRP
ADDUSER PIONEER NAME(PIONEER) DFLTGRP(SECGRP) NOPASS NOPHRASE
PW USER(PIONEER) NOINTERVAL
ALU PIONEER AUDITOR
The AUDITOR attribute is used for list-type commands such as LISTUSER, LISTGRP, and similar commands.
ADDUSER IDMSECU NAME('SECURE-ID') DFLTGRP(SECGRP) NOPASS NOPHRASE SPECIAL
RDEFINE FACILITY IDFADMIN.CMD UACC(NONE)
PERMIT IDFADMIN.CMD CLASS(FACILITY) ID(PIONEER) ACCESS(READ)
See the Pioneer CONNECT command above.
Mode 3:
SECURE_ID=YES,DEFAULT=NO,ENCRYPT=YES
This mode uses a RACF userid that was encrypted with the new IDFSECUT program. The encrypted RACF userid is used for all RACF API calls.
Using an encrypted RACF userid:
Pioneer parameter is SECURE_ID=YES,DEFAULT=NO,ENCRYPT=YES
ADDGROUP SECGRP
ADDUSER PIONEER NAME(PIONEER) DFLTGRP(SECGRP) NOPASS NOPHRASE
PW USER(PIONEER) NOINTERVAL
ALU PIONEER AUDITOR
The AUDITOR attribute is used for list-type commands such as LISTUSER, LISTGRP, and similar commands.
ADDUSER <your-secure-id-that-was-encrypted> NAME('SECURE-ID') DFLTGRP(SECGRP) NOPASS NOPHRASE SPECIAL
RDEFINE FACILITY IDFADMIN.CMD UACC(NONE)
PERMIT IDFADMIN.CMD CLASS(FACILITY) ID(PIONEER) ACCESS(READ)
See the Pioneer CONNECT command above.
You can encrypt and decrypt the RACF userid, and implement the SECUREID process. To do so, perform the following procedures:
Procedure to encrypt the RACF userid:
Execute IDFSECUT. Sample JCL is supplied in the distribution JCLLIB as member 'SECUTLE' (the encryption utility JCL). The dataset allocated on the 'DFLEOUT' ddname must be the same dataset that Pioneer allocates on its //SECUREID ddname. Only the PARM values need attention: ID=XXXXX is the RACF userid to be encrypted.
//IDFSECUT JOB SYSTEMS,MSGLEVEL=(1,1),
//         MSGCLASS=X,CLASS=A,PRTY=8,
//         NOTIFY=&SYSUID,REGION=4096K
//* ID=XXXXX IS THE RACF USER THAT HAS SPECIAL ATTRIBUTES
//* FOR USE WITH PIONEER
//STEP1    EXEC PGM=IDFSECUT,PARM='ID=XXXXX,FUNC=ENCRYPT'
//STEPLIB  DD DSN=<YOURHLQ>.PROD.LOADLIB,DISP=SHR
//DFLEOUT  DD DSN=<YOURHLQ>.SECUREID.FILE,DISP=SHR
//LINEOUT  DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
Procedure to decrypt the RACF userid:
Execute IDFSECUT using the same sample JCL from distribution JCLLIB member 'SECUTLE'. The dataset on the 'DFLEOUT' ddname must again match the dataset on Pioneer's //SECUREID ddname. Only the PARM values differ: ID=NONE with FUNC=DECRYPT displays the RACF userid currently stored in the SECUREID file.
//IDFSECUT JOB SYSTEMS,MSGLEVEL=(1,1),
//         MSGCLASS=X,CLASS=A,PRTY=8,
//         NOTIFY=&SYSUID,REGION=4096K
//* ID=NONE IS TO VERIFY WHAT RACF USER ID IS CONTAINED IN
//* THE SECUREID FILE
//STEP1    EXEC PGM=IDFSECUT,PARM='ID=NONE,FUNC=DECRYPT'
//STEPLIB  DD DSN=<YOURHLQ>.PROD.LOADLIB,DISP=SHR
//DFLEOUT  DD DSN=<YOURHLQ>.SECUREID.FILE,DISP=SHR
//LINEOUT  DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
Procedure to implement the SECUREID process:
Select the RACF userid desired to perform the Pioneer RACF API calls to R_admin.
Define it to RACF as shown in Step 3.
Encrypt it using IDFSECUT as shown in the encryption procedure above.
Start Pioneer.
Pioneer reads the SECURE_ID file and stores the encrypted id.
When Pioneer receives a RACF command, it first checks access to the RACF facility 'MYADMN.CMD'. If access is granted, Pioneer decrypts the stored id and uses it for all RACF calls.
The following definitions are common to all modes and are required whichever mode you select. Perform these steps after you select the mode:
The RACF STARTED class profile for Pioneer must be defined as shown below before Pioneer can be started:
RDEF STARTED PIONEER.* UACC(NONE) OWNER(xxxxxxx)
RALT STARTED PIONEER.* AUDIT(FAILURES(READ))
RALT STARTED PIONEER.* STDATA(USER(PIONEER) GROUP(SYS1) PRIVILEGED(NO) TRACE(NO))
Pioneer (Other RACF definitions; the PERMIT for R_admin must name the same generic profile, IRR.RADMIN.*, that the RDEFINE creates):
RDEFINE FACILITY IRR.RADMIN.* UACC(NONE)
PERMIT IRR.RADMIN.* CLASS(FACILITY) ID(<your-RACF-non-secure-id>) ACCESS(READ)
ADDSD '<yourhlq>.CONTROL.FILE' UACC(NONE)
PERMIT '<yourhlq>.CONTROL.FILE' ID(<your-RACF-non-secure-id>) ACCESS(READ)
ADDSD '<yourhlq>.REXXOUT.FILE' UACC(NONE)
PERMIT '<yourhlq>.REXXOUT.FILE' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
ADDSD '<yourhlq>.RECON.FILE' UACC(NONE)
PERMIT '<yourhlq>.RECON.FILE' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
ADDSD '<yourhlq>.RECON.LIBRARY' UACC(NONE)
PERMIT '<yourhlq>.RECON.LIBRARY' ID(<your-RACF-non-secure-id>) ACCESS(READ)
ADDSD '<yourhlq>.IMPORTU.FILE' UACC(NONE)
PERMIT '<yourhlq>.IMPORTU.FILE' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
ADDSD '<yourhlq>.IMPORTG.FILE' UACC(NONE)
PERMIT '<yourhlq>.IMPORTG.FILE' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
ADDSD '<yourhlq>.ALIAS.LSTOUT' UACC(NONE)
PERMIT '<yourhlq>.ALIAS.LSTOUT' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
ADDSD '<yourhlq>.IDCAMS.CTL' UACC(NONE)
PERMIT '<yourhlq>.IDCAMS.CTL' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
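As an added check, not part of the Pioneer distribution or of this documentation: the Python script below reads a Pioneer SECURE_ID parameter string to determine which userid may carry SPECIAL in that mode, then lints a set of RACF commands like the mode definitions and the common definitions above for the privilege split the modes depend on (SPECIAL only on the secure id, never on the PIONEER task id) and for PERMITs that name a FACILITY profile no RDEFINE in the set created. The sample command set is constructed from this page's Mode 2 definitions with one deliberate defect.

```python
import re

# Constructed sample (not from the Pioneer distribution): this page's Mode 2
# definitions plus one deliberate defect, a PERMIT that names IRR.RADMIN
# although the RDEFINE created the generic profile IRR.RADMIN.*
SAMPLE_CMDS = """\
ADDUSER PIONEER NAME(PIONEER) DFLTGRP(SECGRP) NOPASS NOPHRASE
ALU PIONEER AUDITOR
ADDUSER IDMSECU NAME('SECURE-ID') DFLTGRP(SECGRP) NOPASS NOPHRASE SPECIAL
RDEFINE FACILITY IDFADMIN.CMD UACC(NONE)
PERMIT IDFADMIN.CMD CLASS(FACILITY) ID(PIONEER) ACCESS(READ)
RDEFINE FACILITY IRR.RADMIN.* UACC(NONE)
PERMIT IRR.RADMIN CLASS(FACILITY) ID(PIONEER) ACCESS(READ)
"""

def expected_secure_id(param):
    """Userid allowed to carry SPECIAL for a Pioneer SECURE_ID parameter string.
    Returns None for ENCRYPT=YES: that id lives in the SECUREID file, not the parm."""
    kv = dict(p.strip().split("=", 1) for p in param.upper().split(","))
    if kv.get("DEFAULT") == "YES":
        return "IDFAGNT"
    return None if kv.get("ENCRYPT") == "YES" else kv["ID"]

def lint(cmds, task_id, secure_id):
    """Return findings that break the least-privilege split the modes rely on."""
    findings, defined, special = [], set(), set()
    for line in cmds.splitlines():
        toks = [t.upper() for t in line.split()]
        if not toks:
            continue
        verb, opnds = toks[0], toks[1:]
        if verb in ("ADDUSER", "ALU", "ALTUSER") and "SPECIAL" in opnds[1:]:
            special.add(opnds[0])
        elif verb in ("RDEFINE", "RDEF") and len(opnds) >= 2:
            defined.add((opnds[0], opnds[1]))        # (class, profile)
        elif verb == "PERMIT":
            m = re.search(r"CLASS\((\w+)\)", line, re.I)
            cls = m.group(1).upper() if m else "DATASET"   # RACF's default class
            if cls != "DATASET" and (cls, opnds[0]) not in defined:
                findings.append(f"PERMIT {opnds[0]} CLASS({cls}): no matching RDEFINE")
    if task_id in special:
        findings.append(f"{task_id}: the started-task id must not have SPECIAL")
    for uid in sorted(special - {task_id}):
        if secure_id and uid != secure_id:
            findings.append(f"{uid}: SPECIAL on an id that is not the secure id")
    if secure_id and secure_id not in special:
        findings.append(f"{secure_id}: the secure id lacks SPECIAL")
    return findings
```

Run lint(SAMPLE_CMDS, "PIONEER", expected_secure_id("SECURE_ID=YES,DEFAULT=NO,ENCRYPT=NO,ID=IDMSECU")) to see the single IRR.RADMIN finding; feed it your own command set and control-file parameter to check a real configuration before starting Pioneer.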