Hardware Interface Service requires the BCPii authority to retrieve information from the HMC.
Note: In the following examples, community_name must be in uppercase (for example, BCPII) and cpc_name must be a full SNA network name of the CPC (for example, IBM390PS.MF01).
Example: CA ACF2 for z/OS
To define the security resources and grant the service access to BCPii, issue CA ACF2 for z/OS commands in TSO, for example:
$KEY(HWI) TYPE(FAC)
$USERDATA('community_name')
APPLNAME.HWISERV UID(hisrv_user_id) SERVICE(READ) ALLOW
CAPREC.- UID(hisrv_user_id) SERVICE(READ) ALLOW
CAPREC.cpc_name UID(*************STCSYS) SERVICE(READ) ALLOW
CAPREC.cpc_name.- UID(*************STCSYS) SERVICE(UPDATE) ALLOW
UID(*) SERVICE(READ) ALLOW
TARGET.- UID(hisrv_user_id) SERVICE(READ) ALLOW
TARGET.cpc_name UID(*************STCSYS) SERVICE(READ) ALLOW
TARGET.cpc_name.- UID(*************STCSYS) SERVICE(UPDATE) ALLOW
UID(*) SERVICE(READ) ALLOW
Example: CA Top Secret for z/OS
To define the security resources and grant the service access to BCPii, issue CA Top Secret for z/OS commands in TSO, for example:
TSS ADDTO(tssdept) IBMFAC(HWI)
TSS PER(hisrv_user_id) IBMFAC(HWI.APPLNAME.HWISERV) ACCESS(READ)
TSS PER(hisrv_user_id) IBMFAC(HWI.TARGET.cpc_name) ACCESS(READ) APPLDATA('community_name')
TSS PER(hisrv_user_id) IBMFAC(HWI.TARGET.cpc_name.*) ACCESS(READ)
TSS PER(hisrv_user_id) IBMFAC(HWI.CAPREC.cpc_name) ACCESS(READ)
TSS PER(hisrv_user_id) IBMFAC(HWI.CAPREC.cpc_name.*) ACCESS(READ)
Example: RACF
To define the security resources and grant the service access to BCPii, issue the RACF commands in TSO, for example:
RDEFINE FACILITY HWI.TARGET.cpc_name UACC(NONE) APPLDATA('community_name')
RDEFINE FACILITY HWI.TARGET.cpc_name.* UACC(NONE) APPLDATA('community_name')
RDEFINE FACILITY HWI.CAPREC.cpc_name UACC(NONE) APPLDATA('community_name')
RDEFINE FACILITY HWI.CAPREC.cpc_name.* UACC(NONE) APPLDATA('community_name')
RDEFINE FACILITY HWI.APPLNAME.HWISERV UACC(NONE)
PERMIT HWI.APPLNAME.HWISERV CLASS(FACILITY) ID(hisrv_user_id) ACCESS(READ)
PERMIT HWI.TARGET.cpc_name CLASS(FACILITY) ID(hisrv_user_id) ACCESS(READ)
PERMIT HWI.TARGET.cpc_name.* CLASS(FACILITY) ID(hisrv_user_id) ACCESS(READ)
PERMIT HWI.CAPREC.cpc_name CLASS(FACILITY) ID(hisrv_user_id) ACCESS(READ)
PERMIT HWI.CAPREC.cpc_name.* CLASS(FACILITY) ID(hisrv_user_id) ACCESS(READ)
To validate that you have configured security correctly, review the service HISLOG after the service has started.
If the security configuration is correct, HISLOG has the following messages:
NK8030 HIS INITIAL TOPOLOGY COLLECTION STARTING. H/W INTERFACE: BCPII
NKAA20 10 - COLLECTING INFORMATION ABOUT THIS SYSTEM
NS1001 HISRV SUBSYSTEM INITIALIZATION COMPLETE. SSID: HIS
NKAA20 20 - RETRIEVING ALL CPC NAMES
NKAA20 30 - BUILDING TOPOLOGY UNDER CPCS
…
NK8031 HIS INITIAL TOPOLOGY COLLECTION FINISHED. H/W INTERFACE: BCPII ENTITIES: nn
If the security configuration is incorrect, HISLOG has the following messages:
NK8030 HIS INITIAL TOPOLOGY COLLECTION STARTING. H/W INTERFACE: BCPII
NKAA20 10 - COLLECTING INFORMATION ABOUT THIS SYSTEM
NS1001 HISRV SUBSYSTEM INITIALIZATION COMPLETE. SSID: HIS
NKAA73 UNABLE TO CONTACT BCPII A/S. REQUEST: 1 TYPE: operation_type (BCPII RC D/X: 3842 00000F02)
NK8032 HIS INITIAL TOPOLOGY COLLECTION ERROR. H/W INTERFACE: BCPII
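The HISLOG review described above can be scripted. The following Python is an added example, not part of the product or its documentation; it assumes one message per line, optionally preceded by a timestamp, and reads "D/X" in NKAA73 as decimal/hex. The timestamps and the entity count in the samples are constructed.

```python
import re

MSG_RE = re.compile(r"\b(NK8030|NK8031|NK8032|NKAA20|NKAA73)\b(.*)")
RC_RE = re.compile(r"BCPII RC D/X:\s*(\d+)\s+([0-9A-Fa-f]+)")
ENT_RE = re.compile(r"ENTITIES:\s*(\d+)")

# Constructed samples modelled on the two HISLOG extracts above; the timestamp
# prefix and the entity count 12 are made up for illustration.
SAMPLE_OK = """\
09:00:01 NK8030 HIS INITIAL TOPOLOGY COLLECTION STARTING. H/W INTERFACE: BCPII
09:00:01 NKAA20 10 - COLLECTING INFORMATION ABOUT THIS SYSTEM
09:00:02 NS1001 HISRV SUBSYSTEM INITIALIZATION COMPLETE. SSID: HIS
09:00:03 NKAA20 20 - RETRIEVING ALL CPC NAMES
09:00:04 NKAA20 30 - BUILDING TOPOLOGY UNDER CPCS
09:00:09 NK8031 HIS INITIAL TOPOLOGY COLLECTION FINISHED. H/W INTERFACE: BCPII ENTITIES: 12
"""
SAMPLE_FAIL = """\
09:00:01 NK8030 HIS INITIAL TOPOLOGY COLLECTION STARTING. H/W INTERFACE: BCPII
09:00:01 NKAA20 10 - COLLECTING INFORMATION ABOUT THIS SYSTEM
09:00:02 NS1001 HISRV SUBSYSTEM INITIALIZATION COMPLETE. SSID: HIS
09:00:03 NKAA73 UNABLE TO CONTACT BCPII A/S. REQUEST: 1 TYPE: operation_type (BCPII RC D/X: 3842 00000F02)
09:00:03 NK8032 HIS INITIAL TOPOLOGY COLLECTION ERROR. H/W INTERFACE: BCPII
"""

def check_hislog(text):
    """Return the state of the last topology collection found in a HISLOG extract."""
    state = {"status": "not_started", "last_step": None, "entities": None, "bcpii_rc": None}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msgid, rest = m.group(1), m.group(2)
        if msgid == "NK8030":      # a new collection starts: discard older state
            state = {"status": "in_progress", "last_step": None, "entities": None, "bcpii_rc": None}
        elif msgid == "NKAA20":    # progress step number (10, 20, 30)
            step = rest.split("-")[0].strip()
            state["last_step"] = int(step) if step.isdigit() else None
        elif msgid == "NKAA73":    # BCPii request failed: keep RC as (decimal, hex value)
            rc = RC_RE.search(rest)
            if rc:
                state["bcpii_rc"] = (int(rc.group(1)), int(rc.group(2), 16))
        elif msgid == "NK8031":    # collection finished: security setup allowed the queries
            ent = ENT_RE.search(rest)
            state["status"] = "ok"
            state["entities"] = int(ent.group(1)) if ent else None
        elif msgid == "NK8032":    # collection ended in error
            state["status"] = "error"
    return state
```

A result with status "error" and a populated bcpii_rc points back to the BCPii resource definitions and permissions for hisrv_user_id; status "in_progress" means the log was read before collection finished.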
Copyright © 2015 CA Technologies.
All rights reserved.