Reconfigure Security

For information about configuring server security, see Configure Security.

To reconfigure server security to OPSYS provider only:

  1. Log on to TSO using an ID with read access to the BPX.FILEATTR.APF facility class.
  2. Using the name of the actual EDAHOME directory, change file attributes by entering the following TSO commands in ISPF Command Shell (option 6):
    OSHELL extattr +a /u/iadmin/ibi/srv93/home/bin/tscom300.out
    
    OSHELL extattr +a /u/iadmin/ibi/srv93/home/bin/tsqprx.out
  3. Verify your changes by issuing the following commands:
    OSHELL ls -E /u/iadmin/ibi/srv93/home/bin/tscom300.out
    
    OSHELL ls -E /u/iadmin/ibi/srv93/home/bin/tsqprx.out

    The extended attributes portion of the output should be a-s-.

  4. The libraries allocated to STEPLIB in IRUNJCL must be APF-authorized. Any non-APF-authorized libraries must be allocated to the TASKLIB DDNAME.
  5. Test server security by repeating the process described in Test the Installation.

This step will need to be repeated after any server upgrade since these files are replaced during an upgrade.
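
The check from step 3 as a script that can be rerun after each upgrade (an added example, not part of the original documentation). It assumes `ls -E` prints the extended attributes as the second whitespace-separated field and that paths contain no spaces; the sample listing lines are constructed.

```shell
#!/bin/sh
# Added example: verify the extended attributes that step 3 checks by eye.
# Assumption: `ls -E` prints the extended attributes as the second
# whitespace-separated field, directly after the permission string.

EXPECTED_ATTRS='a-s-'   # value the procedure above says to expect

# Constructed sample lines (owner, group, size and date are made up).
SAMPLE_GOOD='-rwxr-xr-x  a-s-  1 IADMIN  SYS1  0 Jan  1 00:00 /u/iadmin/ibi/srv93/home/bin/tscom300.out'
SAMPLE_BAD='-rwxr-xr-x  --s-  1 IADMIN  SYS1  0 Jan  1 00:00 /u/iadmin/ibi/srv93/home/bin/tsqprx.out'

# check_ls_line LINE: succeeds only if field 2 equals EXPECTED_ATTRS.
check_ls_line() {
    printf '%s\n' "$1" | {
        read -r _perms attrs _rest
        [ "$attrs" = "$EXPECTED_ATTRS" ]
    }
}

# check_listing: reads `ls -E` output on stdin, prints one verdict per
# file, and returns non-zero if any file fails the check.
check_listing() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line##* }          # last field is the path
        if check_ls_line "$line"; then
            printf 'OK    %s\n' "$name"
        else
            printf 'FAIL  %s (extended attributes are not %s)\n' "$name" "$EXPECTED_ATTRS"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed lines. On the server, feed it real output:
#   ls -E /u/iadmin/ibi/srv93/home/bin/tscom300.out \
#         /u/iadmin/ibi/srv93/home/bin/tsqprx.out | check_listing
printf '%s\n%s\n' "$SAMPLE_GOOD" "$SAMPLE_BAD" | check_listing ||
    echo 'At least one file needs extattr +a before the server is started.'
```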

Preventing Unsecured Starts After Upgrades

If the security provider is set to OPSYS in the configuration file and the environment variable EDAEXTSEC is also explicitly set to OPSYS (or ON), but the server cannot impersonate users because the platform-specific authorization steps have not been completed, the server start aborts and error messages are written to the edaprint log.

This feature prevents an unsecured server start after a software upgrade if any of the required post-upgrade reauthorization steps are missed on a UNIX, IBM i, or z/OS USS deployment. This is not applicable to other platforms. The setting may be placed in any normal server start-up shell or profile that a site is using or in the server edaenv.cfg configuration file. The messages vary slightly by platform.

The edaprint messages are:

I Configured primary security is 'OPSYS' as set in configuration file
E Server security explicitly set to OPSYS, but lacks authority!
Workspace initialization aborted.
(EDA13171) UNABLE TO START SERVER