IBM Explorer for z/OS: Host Configuration Reference Guide RSE Daemon and Thread Pool Logging

IBM Explorer for z/OS
Host Configuration Reference Guide
SC27-8438-02

Note: Before using this information, be sure to read the general information under “Notices” on page 175.

Third edition (September, 2017)

This edition applies to IBM Explorer for z/OS Version 3.1.1 (program number 5655-EX1) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2017. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures

Tables

About this document
  • Who should use this document
  • Description of the document content
  • Understanding z/OS Explorer
  • Security considerations
  • TCP/IP considerations
  • WLM considerations
  • Tuning considerations
  • Performance considerations
  • Push-to-client considerations
  • User exit considerations
  • Customizing the TSO environment
  • Troubleshooting configuration problems
  • Setting up encrypted communication and X.509 authentication
  • Setting up TCP/IP

Chapter 1. Understanding z/OS Explorer
  • Component overview
  • RSE as a Java application
  • Task owners
  • Connection flow
  • Data set lock owner
  • Freeing a lock
  • z/OS UNIX directory structure
  • Update privileges for non-system administrators

Chapter 2. Security considerations
  • Authentication methods
  • User ID and password
  • User ID and one-time password
  • User ID and pass phrase
  • X.509 certificate
  • JES Job Monitor authentication
  • Connection security
  • Limit external communication to specified ports
  • Communication encryption
  • Port Of Entry checking
  • Using PassTickets
  • Audit logging
  • Audit control
  • Audit processing
  • Audit data
  • JES security
  • Actions against jobs - target limitations
  • Actions against jobs - execution limitations
  • Actions against jobs - console
  • Access to spool files
  • Encrypted communication
  • Client authentication using X.509 certificates
  • Certificate Authority (CA) validation
  • (Optional) Query a Certificate Revocation List (CRL)
  • Authentication by your security software
  • Authentication by RSE daemon
  • Port Of Entry (POE) checking
  • Altering client functions
  • OFF.REMOTECOPY.MVS
  • Push-to-client developer groups
  • Send message security
  • Log file security
  • UNIXPRIV class permits
  • BPX.SUPERUSER profile permit
  • UID 0
  • Miscellaneous information
  • GATE trashing
  • Managed ACEE
  • ACEE caching
  • TCP/IP port reservation
  • z/OS Explorer configuration files
  • JES Job Monitor - FEJJCNFG
  • RSE - rse.env
  • RSE - ssl.properties
  • RSE - pushtoclient.properties
  • Security definitions
  • Requirements and checklist
  • Activate the security settings and classes
  • Define an OMVS segment for z/OS Explorer users
  • Define the z/OS Explorer started tasks
  • Define RSE as a secure z/OS UNIX server
  • Define the MVS program controlled libraries for RSE
  • Define the PassTicket support for RSE
  • Define z/OS UNIX file access permission for RSE
  • Define the application protection for RSE
  • Define the JES command security
  • Define the data set profiles
  • Verify the security settings

Chapter 3. TCP/IP considerations
  • TCP/IP ports
  • External communication
  • Internal communication
  • TCP/IP port reservation
  • LDAP considerations
  • Overriding default TCP/IP behavior
  • Delayed ACK
  • Multi-stack (CINET)
  • Distributed Dynamic VIPA
  • Restricting port selection
  • Sample setup

Chapter 4. WLM considerations
  • Workload classification
  • Classification rules
  • Setting goals
  • Considerations for goal selection
  • STC
  • OMVS
  • JES
  • ASCH

Chapter 5. Tuning considerations
  • Resource usage
  • Overview
  • Address space count
  • Process count
  • Thread count
  • Temporary resource usage
  • Storage usage
  • Java heap size limit
  • Address space size limit
  • Size estimate guidelines
  • Sample storage usage analysis
  • z/OS UNIX file system space usage
  • Key resource definitions
  • /etc/zexpl/rse.env
  • SYS1.PARMLIB(BPXPRMxx)
  • Various resource definitions
  • EXEC card in the server JCL
  • FEK.#CUST.PARMLIB(FEJJCNFG)
  • SYS1.PARMLIB(IEASYSxx)
  • SYS1.PARMLIB(IVTPRMxx)
  • SYS1.PARMLIB(ASCHPMxx)
  • Monitoring
  • Monitoring RSE
  • Monitoring z/OS UNIX
  • Monitoring the network
  • Monitoring z/OS UNIX file systems
  • Sample setup
  • Thread pool count
  • Determine minimum limits
  • Defining limits
  • Monitor resource usage

Chapter 6. Performance considerations
  • Use zFS file systems
  • Avoid use of STEPLIB
  • Improve access to system libraries
  • Language Environment (LE) runtime libraries
  • Application development
  • Improving performance of security checking
  • Fixed Java heap size
  • Class sharing between JVMs
  • Enable class sharing
  • Cache size limits
  • Cache security
  • SYS1.PARMLIB(BPXPRMxx)
  • Disk space
  • Cache management utilities

Chapter 7. Push-to-client considerations
  • Introduction
  • Primary system
  • Push-to-client metadata
  • Metadata location
  • Metadata security
  • Metadata space usage
  • Client configuration control
  • Client version control
  • Multiple developer groups
  • Activation
  • Group concatenations
  • Workspace binding
  • Group metadata location
  • Group name limitations
  • Setup steps
  • LDAP-based group selection
  • LDAP schema
  • LDAP server selection
  • LDAP server location
  • Sample setup
  • SAF-based group selection
  • Sample setup
  • Grace period for rejecting changes

Chapter 8. User exit considerations
  • User exit characteristics
  • User exit activation
  • Writing a user exit routine
  • Console messages
  • Executing with a variable user ID
  • Available exit points
  • audit.action
  • logon.action

Chapter 9. Customizing the TSO environment
  • The TSO Commands service
  • Access methods
  • Using the Legacy ISPF Gateway access method
  • ISPF.conf
  • Use existing ISPF profiles
  • Using an allocation exec
  • Use multiple allocation execs
  • Multiple ISPF.conf files with multiple z/OS Explorer setups

Chapter 10. Running multiple instances
  • Identical setup across a sysplex
  • Identical software level, different configuration files
  • Nearly identical rse.env
  • Different rse.env
  • Automated synchronizing
  • All other situations

Chapter 11. Troubleshooting configuration problems
  • Log and setup analysis using FEKLOGS
  • Log files
  • JES Job Monitor logging
  • RSE daemon and thread pool logging
  • RSE user logging
  • fekfivpi IVP test logging
  • Dump files
  • MVS dumps
  • Java dumps
  • z/OS UNIX dump locations
  • Tracing
  • JES Job Monitor tracing
  • RSE tracing
  • z/OS UNIX permission bits
  • SETUID file system attribute
  • Program Control authorization

(Chapter heading missing from this extract)
  • Activate encryption by creating a new RSE daemon
  • Test the connection
  • (Optional) Enable FIPS 140-2 compliancy
  • (Optional) Add X.509 client authentication support
  • Manage encryption protocols and ciphers
  • Managing encryption ciphers
  • Managing encryption protocols
  • Support for SSLv3 (deprecated)

Chapter 13. Setting up TCP/IP
  • Hostname dependency
  • Understanding resolvers
  • Understanding search orders
