

VM Batch System Support

The VM Batch system components let users submit batch jobs for execution in the VM environment. Installing the CA ACF2 for z/VM support for the VM batch components extends CA ACF2 for z/VM security controls to users submitting these batch jobs.

Whenever users submit jobs to VM Batch, CA ACF2 for z/VM ensures that each job inherits the submitter's logonid. As each job initiates in the component, CA ACF2 for z/VM does normal validation processing. It makes a decision on whether to allow processing to continue based on the access authority and privileges of the submitter.

Installing VM Batch Facility Support

Follow the steps below to implement CA ACF2 for z/VM support for the IBM VM Batch Facility (product number 5664-364).

  1. Make sure your VM Batch monitor machine and all task machines have read access to the system Y-disk (usually MAINT 19E) and the system S-disk (usually MAINT 190).
    
    $key(maint)
     v0190.-.- uid(batch) read(a)
     v019E.-.- uid(batch) read(a)
    
  2. Set up logonids for the monitor and task machines. We provide two logonid privileges to define batch machines, VMD4TARG and VMD4AUTH. VM Batch task machines (defined by TASK keywords in the CONTROL FILE the VM Batch Facility uses) and targets of the alternate user diagnose x'D4' require the VMD4TARG privilege. The VM Batch monitor and issuers of the alternate user diagnose x'D4' require the VMD4AUTH privilege. Because VMBATCH does not use DIAG 84 on VM systems, the DG84DIR privilege is not necessary.

    Give the VMD4TARG and VMD4AUTH privileges to the appropriate logonids. For details about giving logonid privileges to virtual machines, see the Administrator Guide.

    Besides giving the VM Batch task machine the VMD4TARG logonid privilege, assign this machine the privilege necessary to log onto your system, defined through the VMCHK operand in the OPTS VMO record.

    We strongly recommend you also assign the AUTOONLY privilege to the VM Batch task machine so it cannot be logged onto a terminal device. Do not assign the VM Batch task machine additional CA ACF2 for z/VM privileges. The only privileges that should be granted to this machine are VMD4TARG, the system VMCHK value, and AUTOONLY.

    If you do not assign the VMD4TARG privilege to the VM Batch task machine or do not assign the VMD4AUTH privilege to the VM Batch monitor machine, the following message appears on the VM Batch monitor machine console:

    
    003W VM Batch Facility monitor machine not set up for RACF surrogate operation
    

    Examine the CLASSES and TASK keywords in the VM Batch Facility control file. If you are using the AUTOLOG class, be sure to give the VM Batch monitor machine the authority to autolog all virtual machines. There are two ways to do this:

    1. Assign the AUTOALL logonid record privilege to the monitor machine. CA ACF2 for z/VM writes a resource SMF record (ACFRPTRV) whenever the monitor autologs a machine. This method lets the monitor autolog all user machines without a valid password and without requiring rules.
    2. Create a CA ACF2 for z/VM logonid record for each task virtual machine and the monitor machine:
      • If you do not assign the AUTOALL attribute to the monitor machine, assign the AUTONOPW attribute to each task machine so you can autolog them without requiring the true CA ACF2 for z/VM password.
      • Make sure the PREFIX field equals the logonid. For example, PREFIX(BATCH1) for the BATCH1 task virtual machine logonid record.
      • Assign the AUTOONLY logonid record attribute to each task virtual machine. AUTOONLY lets users autolog task machines, but prevents users from actually logging onto the machine.
  3. Define each VM Batch task machine strictly as a class G virtual machine in the VM directory.
  4. Write resource rules that allow the monitor machine to autolog certain user machines. This controls which virtual machines the monitor can autolog. For example, to let the monitor machine autolog the USER1, USER2, and USER3 virtual machines, you might write the following rules:
    $KEY(user1) TYPE(alg)
     UID(batch) ALLOW
    
    $KEY(user2) TYPE(alg)
     UID(batch) ALLOW
    
    $KEY(user3) TYPE(alg)
     UID(batch) ALLOW
    

    This example assumes you specified the default of ALG in the AUTOLOG field of the RESCLASS VMO record. For additional information about writing resource rules see the Administrator Guide.

  5. Tailor the TASK keyword in the VM Batch Facility CONTROL FILE:

    The syntax for the TASK control statement in the CONTROL file is:

    TASK userid *NOPASS* *NOPASS* .ABCD 0000 2400
    
    userid

    The user ID of the user attempting the link

    *NOPASS*

    Indicates no directory logon password is necessary

    *NOPASS*

    Indicates no link password is necessary to link read/write to the task machine's 191 disk.

    Note: If your task virtual machines use a 191 minidisk password (DIRMDPW=RESPECT only), be sure the WRITE password is the same as the password used in the VM directory. If you do not use 191 minidisk passwords, specify the password as *NOPASS*.

  6. Write minidisk rules to let the VM Batch monitor machine access (read, write, and execute) the 191 minidisks of all the task virtual machines.
    $key(batchx)
     v0191.-.- uid(batch) read(a) write(a) exec(a)
    
  7. The ACCTVLD operand of the OPTS VMO record determines whether VM account validation is in effect. Setting ACCTVLD to NO turns off account validation; setting it to FULL or LID turns it on. (For complete details on these settings, see the Administrator Guide.) Issue the following subcommand of the ACF command to determine the ACCTVLD setting at your site:
    SHOW ACTIVE
    

    If the ACCTVLD operand is set to FULL or LID, you must modify the DGRUJB EXEC, DGRUCD EXEC, and the DGRBATCH EXEC.

  8. The DGRUJB EXEC normally resides on the VM Batch Facility monitor machine 191 disk.

    Locate the following two lines of code:

    allow = 0;           /* Reject remote job submission */
    allow = 1;           /* Allow remote job submission  */
    

    Reverse their order to permit remote jobs.

    About 20 lines farther down, locate the following line:

    when called = 'RECVD' then do;
    

    Add the following lines to enable account validation:

    
    /* Following section added to support CA-ACF2 account validation.*/
       if jobacct = '*' then exitrc = 3
              else do
                 'ACFBATCH' jobuser jobacct
                 if rc ^= 0 then exitrc = 3
              end
    
    /* End of CA-ACF2 section */
    

    Locate the following section, 17 lines after the point where you inserted the account validation lines above:

    
    /*     queue 'ALTID' jobuser jobnode jobname 'NETJOB'   */
    /* -----------------------------------------------------*/
    

    Insert the following lines to allow a remote user to run a job under the same logonid as the remote ID or to provide a translation outline to fill in the local logonid in the JOBALTUSER variable:

    
    /* CA-ACF2 change for remote job submission */
           queue 'ALTID' jobuser jobnode jobname jobaltuser
    /* End CA-ACF2 change */
    

    Locate the following section:

    
    /*     otherwise                                            */
    /*       queue 'ALTID' jobuser jobnode jobname jobaltuser   */
    /*     end                                                  */
    /*  end                                                     */
    /* -------------------------------------------------------- */
    

    Insert the following lines to allow a remote user to run a job under the same logonid as the remote ID or to provide a translation outline to fill in the local logonid in the JOBALTUSER variable:

    
    /* CA-ACF2 change for remote job submission */
           queue 'ALTID' jobuser jobnode jobname jobaltuser
    /* End CA-ACF2 change */
    

    Locate the following lines:

    
    /* -----------------------------------------------------*/
    /*                   EXAMPLE                            */
    /*  Reject CHJOB command if account field not equal to  */
    /*  job owners user id but allow the job to proceed.    */
    /*                                                      */
    /*  if Jobacct ^= Jobuser then exitrc = 4 ;             */
    /* -----------------------------------------------------*/
    

    Add the following two lines to allow account validation:

    
    'ACFBATCH' jobuser jobacct
    if rc ^= 0 then exitrc = 4
    

    Locate the following section of code toward the bottom of the exec:

    
       /* ------------------------------------------------------ */
       /*                    EXAMPLE                             */
       /* Reject all jobs that do not have the account field set */
       /* equal to the job owners user id                        */
       /*                                                        */
       /*                                                        */
       /* if Jobacct ^= Jobuser then exitrc = 3;                 */
       /* ------------------------------------------------------ */
    end;
    

    Change it to:

    
       /* ------------------------------------------------------ */
       /*                    EXAMPLE                             */
       /* Reject all jobs that do not have the account field set */
       /* equal to the job owners user id                        */
       /*                                                        */
       /*                                                        */
       /* if Jobacct ^= Jobuser then exitrc = 3;                 */
       /* ------------------------------------------------------ */
      'ACFBATCH' jobuser jobacct
      if rc ^= 0 then exitrc = 3
    end;
    
    
  9. The DGRBATCH EXEC normally resides on the 19E Y-disk. Locate the following section near the beginning of the exec:
    
    o.submit.id      = hour||min||sec;  o.submit.account  = '*';
    o.submit.class   = 'A';             o.submit.seconds  = '*';
    o.submit.print   = '*';             o.submit.punch    = '*';
    o.submit.wbegin  = '*';             o.submit.wend     = '*';
    o.submit.restart = 'YES';           o.submit.error    ='DUMP';
    o.submit.pj      = '9';             o.submit.date     = date(u);
    o.submit.parms   = '*';             o.submit.append   = 'NO';
    o.submit.chain   = '*';             o.submit.password = '*';
    

    Add the following seven lines between the first and second line so the exec reads:

    
         o.submit.id      = hour||min||sec;  o.submit.account  = '*';
    Add >'MAKEBUF'
    Add >'EXECIO * CP (STRING QUERY ACCOUNT'
    Add >if rc = 0 then do
    Add >parse pull . o.submit.account .
    Add >o.submit.account = '*'o.submit.account
    Add >end
    Add >'DROPBUF'
         o.submit.class   = 'A';             o.submit.seconds  = '*';
         o.submit.print   = '*';             o.submit.punch    = '*';
         o.submit.wbegin  = '*';             o.submit.wend     = '*';
         o.submit.restart = 'YES';           o.submit.error    ='DUMP';
         o.submit.pj      = '9';             o.submit.date     = date(u);
         o.submit.parms   = '*';             o.submit.append   = 'NO';
         o.submit.chain   = '*';             o.submit.password = '*';
    

    Further down in the same exec (about line 335), the following line occurs:

    if acc then o.func.account = '*' || o.func.account;
    

    Insert the following line immediately after it:

    else o.func.account = '*'o.submit.account
    
  10. The DGRUCD EXEC normally resides on the VM Batch Facility monitor machine 191 disk. Locate and reverse the following two lines to allow remote commands:
    
    allow = 0;           /* Reject remote commands */
    allow = 1;           /* Allow remote commands  */
    

    Installation is complete.
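As an added example (not part of the CA documentation or the product), the following Python checker reads rule sets in the layout shown in steps 1, 4 and 6 together with a table of logonid privileges and reports where the monitor and task machines depart from the requirements of steps 1, 2, 4 and 6. The sample rules and logonids are constructed; the site's VMCHK value is assumed to be CMS, and UID strings are compared directly to logonids (UID masking is ignored, relying on PREFIX = logonid as step 2 requires).

```python
import re

# Constructed sample in the layout the page uses; not a real site's rules or logonids.
RULES = """$KEY(MAINT)
 V0190.-.- UID(BATCH) READ(A)
 V019E.-.- UID(BATCH) READ(A)
$KEY(BATCH1)
 V0191.-.- UID(BATCH) READ(A) WRITE(A) EXEC(A)
$KEY(BATCH2)
 V0191.-.- UID(BATCH) READ(A) WRITE(A)
$KEY(USER1) TYPE(ALG)
 UID(BATCH) ALLOW"""
LIDS = {"BATCH": {"VMD4AUTH", "CMS"},                          # monitor, no AUTOALL
        "BATCH1": {"VMD4TARG", "CMS", "AUTOONLY", "AUTONOPW"},  # task machine as step 2 asks
        "BATCH2": {"VMD4TARG", "CMS", "AUTOONLY", "SECURITY"}}  # over-privileged task machine

def parse_rules(text):
    """Map (key, type) -> [(vdev, uid, fields)]; minidisk rule sets get type MDSK."""
    sets, cur = {}, None
    for line in text.upper().splitlines():
        if line.lstrip().startswith("$KEY("):
            key, rtype = re.search(r"\$KEY\((\w+)\)", line).group(1), re.search(r"TYPE\((\w+)\)", line)
            cur = sets.setdefault((key, rtype.group(1) if rtype else "MDSK"), [])
        elif cur is not None and (m := re.match(r"\s*(?:V([0-9A-F]{4})\S*\s+)?UID\((\S+)\)\s*(.*)", line)):
            cur.append((m.group(1), m.group(2), set(m.group(3).split())))
    return sets

def granted(sets, key, rtype, uid, vdev=None):
    """Fields the rule set grants to a logonid; UID masking ignored (PREFIX = logonid, step 2)."""
    return set().union(*[f for v, u, f in sets.get((key, rtype), []) if u == uid and vdev in (None, v)])

def audit(rules_text, lids, monitor, tasks, users, vmchk="CMS"):
    """Findings against steps 1, 2, 4 and 6; vmchk is the site's OPTS VMCHK value (assumed CMS)."""
    sets, mon, out = parse_rules(rules_text), lids.get(monitor, set()), []
    if "VMD4AUTH" not in mon:
        out.append(f"{monitor}: monitor lacks VMD4AUTH")
    out += [f"{monitor}: no READ(A) on MAINT {v}" for v in ("0190", "019E")           # step 1
            if "READ(A)" not in granted(sets, "MAINT", "MDSK", monitor, v)]
    allowed = {"VMD4TARG", vmchk, "AUTOONLY"} | ({"AUTONOPW"} if "AUTOALL" not in mon else set())
    for t in tasks:
        privs = lids.get(t, set())
        out += [f"{t}: task machine lacks {p}" for p in ("VMD4TARG", "AUTOONLY") if p not in privs]
        if privs - allowed:                                                            # step 2
            out.append(f"{t}: extra privileges {sorted(privs - allowed)}")
        need = {"READ(A)", "WRITE(A)", "EXEC(A)"} - granted(sets, t, "MDSK", monitor, "0191")
        if need:                                                                       # step 6
            out.append(f"{t}: monitor lacks {sorted(need)} on its 191")
    out += [f"{u}: no TYPE(ALG) rule allowing {monitor} to autolog it" for u in users  # step 4
            if "AUTOALL" not in mon and "ALLOW" not in granted(sets, u, "ALG", monitor)]
    return out
```

Running `audit(RULES, LIDS, "BATCH", ["BATCH1", "BATCH2"], ["USER1", "USER2"])` on the constructed sample flags BATCH2 twice (an extra SECURITY privilege and no EXEC(A) on its 191) and USER2 once (no ALG rule), while BATCH1 and USER1 pass.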