Domino Go Webserver Installation

Servers › Lotus Domino Go Webserver › Domino Go Webserver Installation

Domino Go Webserver Installation

The examples in the following steps reflect default procnames, typical group names, and typical GID value. These commands ensure that a valid OMVS UID and GID exist for each of the started tasks that access OMVS.

The process to install Domino Go Webserver is:

Ensure that previously defined USS and TCP/IP requirements are completed.
Create a TSS FACILITY for the web server. Use this facility to add each user ACID that is allowed to log on to the web server. Tailor the following command and then add it to the existing CA Top Secret startup control options:
```
TSS MODIFY FAC(USERx=NAME=IMWEB)
```

The Domino Go Webserver requires an ACID for the web server started task and for a web administrator. Both of these ACIDs must be connected to an OMVS Group ID for the web server. The following commands accomplish this using the IBM default values.

The IMWEBSRV web server started task is referred to by IBM as the web server daemon. Also, changing the ID of the web administrator is recommended; however, this change must be coordinated with updates to the web server configuration file.

TSS CRE(IMWEB) TYPE(GROUP) 
               NAME(‘WEBSERVER GROUP’)
               DEPT(anydept)

TSS ADD(IMWEB)  GID(205)

TSS CRE(WEBADM) TYPE(USER)
                NAME(‘WEB ADMINISTRATOR’)
                DEPT(anydept)
                FAC(IMWEB)
                PASSWORD(password,0)

TSS ADD(WEBADM) UID(206)
                GROUP(IMWEB)
                DFLTGRP(IMWEB)
                HOME(/usr/lpp/internet)
                OMVSPGM(/bin/sh)

TSS CRE(WEBSRV) TYPE(USER)
                NAME(‘WEBSERVER
                DAEMON/STC’)
                DEPT(dept)
                FAC(STC,IMWEB)
                PASSWORD(password,0)

TSS ADD(WEBSRV) UID(0) GROUP(IMWEB)
                DFLTGRP(IMWEB)
                HOME(/usr/lpp/internet)
                OMVSPGM(/bin/sh)
                MASTFAC(IMWEB)
TSS ADD(STC) PROCNAME(IMWEBSRV)
             ACID(WEBSRV)

Three other user ACIDs, each having their own connected group, are required unless “surrogate user” support is disabled. This feature permits users to access the web server without requiring a signon. Disable this feature for security reasons.

To disable this feature, change the “Userid” option to “%%CLIENT%%” within the web server configuration file. See IBM documentation. If not disabled, the following commands will create ACIDs and groups for surrogate support following IBM examples:

TSS CRE(EXTERNAL) TYPE(GROUP)
                  NAME(‘WEB GROUP’)
                  DEPT(dept)

TSS ADD(EXTERNAL) GID(999)

TSS CRE(EMPLOYEE) TYPE(GROUP)
                  NAME(‘WEB GROUP’)
                  DEPT(dept)

TSS ADD(EMPLOYEE) GID(500)

TSS CRE(SPECIAL) TYPE(GROUP)
                 NAME(‘WEB GROUP’)
                 DEPT(dept)

TSS ADD(SPECIAL) GID(255)

TSS CRE(PUBLIC) TYPE(USER)
                NAME(‘WEB SURROGATE ID’)
                DEPT(dept)
                FAC(IMWEB)
                PASSWORD(NOPW,0)

TSS ADD(PUBLIC) UID(998)
                GROUP(EXTERNAL)
                DFLTGRP(EXTERNAL)
                HOME(/)
                OMVSPGM(/bin/sh)

TSS CRE(INTERNAL) TYPE(USER)
                  NAME(‘WEB SURROGATE ID’)
                  DEPT(dept)
                  FAC(IMWEB)
                  PASSWORD(NOPW,0)

TSS ADD(INTERNAL) UID(537)
                  GROUP(EMPLOYEE)
                  DFLTGRP(EMPLOYEE)
                  HOME(/)
                  OMVSPGM(/bin/sh)

TSS CRE(PRIVATE) TYPE(USER)
                 NAME(‘WEB SURROGATE ID’)
                 DEPT(dept)
                 FAC(IMWEB)
                  PASSWORD(NOPW,0)

TSS ADD(PRIVATE) UID(416)
                 GROUP(SPECIAL)
                 DFLTGRP(SPECIAL)
                 HOME(/)
                 OMVSPGM(/bin/sh)

The ACID for the web server started task (that is, Daemon) requires access to the following IBMFAC and SURROGAT resources. Note that the final three permits are not needed if surrogate support is disabled:

TSS ADD(dept) IBMFAC(BPX.)

TSS PERMIT(WEBSRV) IBMFAC(BPX.DAEMON)
                   ACCESS(READ)
TSS PERMIT(WEBSRV) IBMFAC(BPX.SERVER)
                   ACCESS(UPDATE)

TSS ADD(dept) SURROGAT(BPX.)

TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.WEBADM)
                   ACCESS(READ)

TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PUBLIC)
                   ACCESS(READ)

TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PRIVATE)
                   ACCESS(READ)

TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.INTERNAL)
                   ACCESS(READ)

IBM documentation includes:
- One install step where “RACF program control” is discussed. In the first part of this step, all users are given read access to three load libraries related to the web server. This part translates to:
```
	TSS ADD(dept) DSNAME(CEE.)
```
```
	TSS ADD(dept) DSNAME(IMW.)
```
```
	TSS ADD(dept) DSNAME(SYS1.)
```
```
	TSS PERMIT(ALL) DSNAME(CEE.V1R5M0.SCEERUN)
                   ACCESS(READ)
```
```
	TSS PERMIT(ALL) DSNAME(IMW.V1R1M0.IMWMOD1)
                   ACCESS(READ)
```
```
	TSS PERMIT(ALL) DSNAME(SYS1.LINKLIB)
                   ACCESS(READ)
```
  This step also describes several (RDEFINE and SETROPTS) commands needed to exempt the above libraries from RACF “PADS” checking. These commands are not applicable to CA Top Secret and can be skipped.
  
  (To RACF, these commands mark all programs in these libraries as “NOPADCHK”. This means that any program‑restricted data set access should not have to list any of the programs from these libraries. In other words, this marks all programs from these libraries as being trusted and therefore exempt from any program accessed data set / PADS checks. These commands are not applicable to CA Top Secret.)
- Install steps, which discuss permission bits are related to OMVS file security itself and are unrelated to RACF. Follow these steps as described.