Installation

Implementing Security for Non-CA Products › Lotus Domino GO Webserver › Installation

Installation

If UNIX Systems Server has been previously setup, some or all of this step might be already complete. An ACID must exist for the OMVS, INETD, and TCPIP started tasks. In addition, these ACIDs must be connected to at least one OMVS group ACID.

The examples given below reflect default procedure names, typical group names, and typical GID values.

Overall, these commands simply ensure that a valid OMVS UID and GID exist for each of the started tasks that access OMVS:

TSS CREATE(OMVSGRP) TYPE(GROUP)
                    NAME('DEFAULT OMVS GROUP')
                    DEPARTMENT(anydept)

TSS ADDTO(OMVSGRP) GID(1)

TSS CREATE(TTY) TYPE(GROUP)
                NAME('REQ''D OMVS TTY GROUP')
                DEPARTMENT(anydept)

TSS ADDTO(TTY) GID(2)

TSS CREATE(OMVS) TYPE(USER)
                 NAME('OPENMVS STC ID')
                 DEPARTMENT(anydept)
                 FACILITY(STC,APPC)
                 PASSWORD(NOPW,0)

TSS ADDTO(OMVS) UID(0)
                GROUP(OMVSGRP,TTY)
                DFLTGRP(OMVSGRP)

TSS CREATE(INETD) TYPE(USER)
                  NAME('OMVS INETD STC')
                  DEPARTMENT(anydept)
                  FACILITY(STC)
                  PASSWORD(NOPW,0)

TSS ADDTO(INETD) UID(0)
                 GROUP(OMVSGRP)
                 DFLTGRP(OMVSGRP)
                 HOME(/) OMVSPGM(/bin/sh)

TSS CREATE(TCPIP) TYPE(USER)
                  NAME('TCP/IP STC ID')
                  DEPARTMENT(anydept)
                  FACILITY(STC)
                  PASSWORD(NOPW,0)
TSS ADDTO(TCPIP) UID(0)
                 GROUP(OMVSGRP)
                 DFLTGRP(OMVSGRP)

TSS MODI OMVSTABS

TSS ADDTO(STC) PROCNAME(OMVS)
               ACID(OMVS)

TSS ADDTO(STC) PROCNAME(INETD)
               ACID(INETD)

TSS ADDTO(STC) PROCNAME(TCPIP)
               ACID(TCPIP)

A TSS FACILITY should be created for the web server. Once created, this facility can be added to each user ACID that is allowed to logon to the web server. Tailor the command, and then add it to the existing CA Top Secret startup control options shown below.
```
TSS MODIFY FACILITY(USERx=NAME=IMWEB)
```

The Lotus Domino GO Webserver requires an ACID for the web server started task and for a web administrator. Both of these ACIDS must be connected to an OMVS Group ID for the web server. The commands shown below accomplish this using values following the IBM defaults.

Note: The web server started task, whose procedure name is IMWEBSRV, is also referred to by IBM as the web server daemon.

Changing the ID of the web administrator is also recommended; however, this change must be coordinated with updates to the web server configuration file.

TSS CREATE(IMWEB) TYPE(GROUP)
                  NAME('WEBSERVER GROUP')
                  DEPARTMENT(anydept)

TSS ADDTO(IMWEB) GID(205)

TSS CREATE(WEBADM) TYPE(USER)
                   NAME('WEB ADMINISTRATOR')
                   DEPARTMENT(anydept)
                   FACILITY(IMWEB)
                   PASSWORD(password)

TSS ADDTO(WEBADM) UID(206) GROUP(IMWEB)
                  DFLTGRP(IMWEB)
                  HOME(/usr/lpp/internet)
                  OMVSPGM(/bin/sh)

TSS CREATE(WEBSRV) TYPE(USER)
                   NAME('WEBSERVER DAEMON/STC')
                   DEPARTMENT(anydept)
                   FACILITY(STC,IMWEB)
                   PASSWORD(NOPW,0)

TSS ADDTO(WEBSRV) UID(0)
                  GROUP(IMWEB)
                  DFLTGRP(IMWEB)
                  HOME(/usr/lpp/internet)
                  OMVSPGM(/bin/sh)
TSS MODI OMVSTABS
TSS ADDTO(STC) PROCNAME(IMWEBSRV)
               ACID(WEBSRV)

Three other user ACIDs, each having their own connected group, are required unless "surrogate user" support is disabled. This feature permits users to access the web server without requiring a signon. CA recommends that this feature be disabled for security reasons. To disable this feature, change the "Userid" option to "%%CLIENT%%" within the web server configuration file (see IBM documentation). If it is not disabled, the following commands will create ACIDs and groups for surrogate support following IBM examples:

TSS CREATE(EXTERNAL) TYPE(GROUP)
                     NAME('WEB GROUP')
                     DEPARTMENT(anydept)
TSS ADDTO(EXTERNAL) GID(999)
TSS CREATE(EMPLOYEE) TYPE(GROUP)
                     NAME('WEB GROUP')
                     DEPARTMENT(anydept)
TSS ADDTO(EMPLOYEE) GID(500)
TSS CREATE(SPECIAL) TYPE(GROUP)
                    NAME('WEB GROUP')
                    DEPARTMENT(anydept)
TSS ADDTO(SPECIAL) GID(255)
TSS CREATE(PUBLIC) TYPE(USER)
                   NAME('WEB SURROGATE ID')
                   DEPARTMENT(anydept)
                   FACILITY(IMWEB)
                   PASSWORD(NOPW,0)
TSS ADDTO(PUBLIC) UID(998)
                  GROUP(EXTERNAL)
                  DFLTGRP(EXTERNAL)
                  HOME(/) OMVSPGM(/bin/sh)
TSS CREATE(INTERNAL) TYPE(USER)
                     NAME('WEB SURROGATE ID')
                     DEPARTMENT(anydept)
                     FACILITY(IMWEB)
                     PASSWORD(NOPW,0)
TSS ADDTO(INTERNAL) UID(537)
                    GROUP(EMPLOYEE)
                    DFLTGRP(EMPLOYEE)
                    HOME(/)
                    OMVSPGM(/bin/sh)
TSS CREATE(PRIVATE) TYPE(USER)
                    NAME('WEB SURROGATE ID')
                    DEPARTMENT(anydept)
                    FACILITY(IMWEB)
                    PASSWORD(NOPW,0)
TSS ADDTO(PRIVATE) UID(416)
                   GROUP(SPECIAL)
                   DFLTGRP(SPECIAL)
                   HOME(/)
                   OMVSPGM(/bin/sh)
TSS MODI OMVSTABS

The ACID for the web server started task (the daemon) requires access to the following IBMFAC and SURROGAT resources. The final three permits are not needed if surrogate support is disabled:

TSS ADDTO(anydept) IBMFAC(BPX.)
TSS PERMIT(WEBSRV) IBMFAC(BPX.DAEMON)
                   ACCESS(READ)
TSS PERMIT(WEBSRV) IBMFAC(BPX.SERVER)
                   ACCESS(UPDATE)
TSS ADDTO(anydept) SURROGAT(BPX.)
TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.WEBADM)
                   ACCESS(READ)
TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PUBLIC)
                   ACCESS(READ)
TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PRIVATE)
                   ACCESS(READ)
TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.INTERNAL)
                   ACCESS(READ)

IBM documentation includes one installation step where RACF program control is discussed. In the first part of this step, all users are given READ access to three load libraries related to the web server. This part is easily translated as follows:
```
TSS ADDTO(anydept) DSNAME(CEE.)
TSS ADDTO(anydept) DSNAME(IMW.)
TSS ADDTO(anydept) DSNAME(SYS1.)
TSS PERMIT(ALL) DSNAME(CEE.V1R5M0.SCEERUN)
                ACCESS(READ)
TSS PERMIT(ALL) DSNAME(IMW.V1R1M0.IMWMOD1)
                ACCESS(READ)
TSS PERMIT(ALL) DSNAME(SYS1.LINKLIB)
                ACCESS(READ)
```
Additionally, this step also describes several (RDEFINE and SETROPTS) commands needed to exempt the above libraries from RACF "PADS" checking. These commands are not applicable to CA Top Secret and can be skipped.

(To RACF, these commands mark all programs in these libraries as NOPADCHK. To RACF this means that any program‑restricted data set access should not have to list any of the programs from these libraries. In other words, this marks all programs from these libraries as being trusted, and therefore exempt, from any program accessed data set/PADS checks. These commands are not applicable to CA Top Secret.)
A batch jobstream which contains all of the above commands is available from CA to replace the IBM supplied, RACF‑based, install jobstreams named IMVJSEC, IMVJSECA, IMVRACLS, and IMVJPASS. The job can be found as member IMVSECUR within CA Top Secret CAI.SAMPJCL (file 9) in genlevel 9609 and above.
Install steps which discuss permission bits and the "sticky bit" are related to OMVS file security itself and are unrelated to RACF. Therefore, such steps should be followed as described.