Perform required z/OS system configurations

Before starting IBM HTTP Server, there are required z/OS® system configurations that you must set up.


About this task

In order to run IBM HTTP Server, you must set the following z/OS system configurations:


Procedure

  • Requirements for integrating with System Management Facility (SMF)

    The IBM HTTP Server user ID must have read authority to the BPX.SMF facility. For more information, see Configure IBM HTTP Server for SMF recording.

  • Requirements for using the zEnterprise® Data Compression (zEDC) feature

    When you configure the mod_deflate module, zEDC is automatically used when it is available on the system.

  • Verify the MEMLIMIT parameter. The MEMLIMIT parameter controls the amount of virtual memory higher than 2 gigabytes for a particular address space. The default setting for the MEMLIMIT parameter is 2 GB in z/OS V1R10 and later and is sufficient for the default server configuration. However, if the ThreadsPerChild directive is increased from the default of 100, increase the MEMLIMIT parameter by the same factor.

    • The MEMLIMIT parameter can be set in the OMVS segment of the user ID that is used to run the server: 
      ALTUSER WWWSERV OMVS(MEMLIMIT(2048M))

    • The MEMLIMIT parameter can also be set in the SMFPRMxx parmlib member. Set the SMFPRMxx parmlib member to establish the system-wide MEMLIMIT parameter default.

    For a complete description of how to set the MEMLIMIT parameter, see Limiting the use of memory objects in z/OS V1R10.0 MVS Programming: Extended Addressability Guide (SA22-7614-06).

    IBM HTTP Server requires a minimum of 5.4 MB of 64-bit virtual memory per thread. The minimum recommended MEMLIMIT setting for proper IBM HTTP Server operation is (ThreadsPerChild + 3) × 12 MB.

  • Configure a mechanism for allowing access to low ports. The Web server user ID must have access to the TCP ports on which it will handle client connections. If port values less than 1024 are used, such as Web server ports 80 and 443, special configuration is required to allow the Web server to bind to the port. We can use one of the following mechanisms to allow access to low ports:

    • Set the PORT directive in the TCP/IP configuration.

    • Disable RESTRICTLOWPORTS in the TCP/IP configuration.

    • Code the Web server job name on a PORT statement in the TCP/IP configuration.

    • Code a wildcard for the job name on a PORT statement in the TCP/IP configuration.

    • Code SAF and a safname value on the PORT statement in the TCP/IP configuration, and permit the Web server user ID read access to the SAF FACILITY class profile EZB.PORTACCESS.sysname.stackname.safname.

    For more information on configuration methods for allowing access to low ports, refer to the sections Port access control and Set up reserved port number definitions in PROFILE.TCPIP in z/OS Communications Server IP Configuration Guide (SC31-8775). We can link to this document from the z/OS Internet Library.

    For an explanation of how Unix System Services jobnames (such as those for IBM HTTP Server instances) are determined, refer to the section Generating jobnames for OMVS address spaces in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.

  • Required System Authorization Facility (SAF) configurations.

    • Create a user ID and group for IBM HTTP Server.We can use a new or existing user ID. It must have an OMVS segment and the UID cannot be zero. The following example contains RACF® commands to create a new user and group. 
      Password example

ADDGROUP WWWGROUP OMVS(GID(999))
ADDUSER  WWWSERV  DFLTGRP(WWWGROUP) OMVS(UID(999)) PASSWORD(password)

      Password phrase example

ADDGROUP WWWGROUP OMVS(GID(999))
ADDUSER  WWWSERV  DFLTGRP(WWWGROUP) OMVS(UID(999)) PHRASE('my0users@99#701_workgroup')

      The security administrator should define the password for the Web server user ID, instead of allowing it to default, to prevent an unauthorized user from being able to log in with that user ID. The ALTUSER command can be used to modify the password of an existing user ID. Note: If you use a JCL cataloged procedure to start an IBM HTTP Server instance, create a SAF STARTED profile to assign the server user ID and group ID to the server started task. For example, to use a cataloged procedure named WEBSRV1:

      RDEFINE STARTED WEBSRV1.* STDATA(USER(WWWSERV) GROUP(WWWGROUP) TRACE(YES))

    • Set program control for required MVS data sets. Ensure that program control is turned on for the following MVS data sets. For hlq, enter the high level qualifier for your system installation, for example: SYS1.LINKLIB.

      • hlq.LINKLIB

      • hlq.SCEERUN

      • hlq.SCEERUN2

      • hlq.SCLBDLL

      The following example shows how to turn on program control using RACF commands. If you are using another security product, refer to that product's documentation for instructions. If you are turning on program control for the first time, you should use RDEFINE statements instead of RALTER statements:

      RALTER PROGRAM * ADDMEM('hlq.LINKLIB'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('hlq.SCEERUN'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('hlq.SCLBDLL') UACC(READ)
SETROPTS WHEN(PROGRAM) REFRESH

      In this example, an asterisk (*) is used to specify all programs in the data set.

    • Set program control for HFS files.The SMP/E installation logic enables the program control bit for the provided libraries and executable files that need it. If you install custom plug-in modules, use the extattr command to enable the APF and Program Control flags. For example: 
      # extattr +ap /opt/IBM/HTTPServer/modules/mod_jauth.so

      In this example, substitute the IBM HTTP Server installation location for /opt/IBM/HTTPServer/. (We can build custom plug-in modules using the apxs script that is provided.)

    • Set program control for z/OS System SSL. If you set up your IBM HTTP Server to provide secure communications over the Internet, IBM HTTP Server uses z/OS System Secure Sockets Layer (SSL) to establish the secure connections. Before IBM HTTP Server can use System SSL, you must:

      • Add the System SSL load library (hlq.SIEALNKE) to the system link list or to the STEPLIB DD concatenation in the HTTP Server cataloged procedure

      • Set program control hlq.SIEALNKE in RACF.

      The variable hlq is the high level qualifier for your system installation, for example: SYS1.SIEALNKE. To turn on program control using RACF, issue the following command: 

      RALTER PROGRAM * ADDMEM('hlq.SIEALNKE'//NOPADCHK) UACC(READ)
SETROPTS WHEN(PROGRAM) REFRESH

      If you are turning on program control for the first time, use the RDEFINE statements instead of the RALTER statements. If you are using another security product, refer to that product's documentation for instructions.

    • Access to SAF key rings.The SSL and LDAP authentication support can optionally use certificates stored in SAF key rings. This requires that the Web server user ID have certain SAF permissions. Specifically, the Web server user ID must be permitted to the IRR.DIGTCERT.LISTRING facility in order to use key rings. Here are the general steps required:

      1. Define the IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING resources with universal access of None.

      2. Permit the Web server user ID read access to the IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING resources in the FACILITY class.

      3. Activate the FACILITY general resource class.

      4. Refresh the FACILITY general resource class.

      The following commands are RACF commands. Replace WWWSERV with the actual user ID under which IBM HTTP Server is started.

      RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PE IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
SETR CLASSACT(FACILITY)
SETR RACLIST(FACILITY) REFRESH

      For a complete guide to RACF commands, refer to z/OS Security Server RACF Security Administrator's Guide (SA22-7683). We can link to this document from the z/OS Internet Library.

    • Permitting user IDs to CSFSERV for hardware encryption:

      Integrated Cryptographic Services Facility (ICSF) is the software interface to the cryptographic hardware. If you plan to run IBM HTTP Server with cryptographic hardware capability, we can restrict the use of ICSF services. To restrict the use of ICSF services, we can permit user IDs to certain profiles in the CSFSERV general resource class. CSFSERV controls the use of ICSF software. If you have defined your IBM HTTP Server to execute with a nonzero user ID, we can give the nonzero user ID READ access to CSFSERV. If you are using a security product other than RACF, refer to that product's documentation for instructions.

      To restrict the use of ICSF services, issue RACF commands similar to the commands in the following examples. If you have applications other than IBM HTTP Server that are using ICSF, you must customize the examples. Otherwise, the other applications will no longer have access to ICSF services.

      Important: Modern Transport Layer Security (TLS) support requires the CSFSERV general resource class to be configured and accessible by the IBM HTTP Server user ID. This configuration is necessary because random number generation by the server generates CSFRNG calls during normal operation.

      CSFSERV permissions vary from situation to situation depending on the cipher suites involved. To ensure that the IBM HTTP Server userid can access cryptographic operations in the hardware, the IBM HTTP Server userid needs READ access to the CSFSERV resources outlined in the tables presented in RACF CSFSERV resource requirements .

      The following command example illustrates how to permit the CSF resource for the WWWSERV ID to resource CSFSERVresource. 
      SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
RDEFINE CSFSERV CSFSERVresource UACC(NONE)
PERMIT CSFSERVresource CLASS(CSFSERV) ID(WWWSERV) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH

      The following command example illustrates how to permit the WWWSERV ID to resource CSFPKE.

      SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
RDEFINE CSFSERV CSFPKE UACC(NONE)
PERMIT CSFPKE CLASS(CSFSERV) ID(WWWSERV) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH

    • Use cryptographic hardware for key storage (optional):

      To perform key storage on cryptographic devices refer to the section Integrated Cryptographic Service Facility (ICSF) Considerations in z/OS Security Server RACF Security Administrator's Guide (SA22-7683).

      For information on ICSF options refer to the section Use Hardware Cryptographic Features with System SSL in z/OS Cryptographic Services System Secure Sockets Layer (SSL) Programming (SC24-5901).

      We can link to both of these documents from the z/OS Internet Library.

  • Setting environment variable * _BPX_JOBNAME (optional): IBM HTTP Server provides the file <installroot>/bin/envvars for setting environment variables for the httpd processes. We can set the environmental variable * _BPX_JOBNAME to give the server a distinct jobname. This allows you to:

    • See the server in MVS operator commands and System Display and Search Facility (SDSF).

    • Categorize the server in workload management (WLM) to give web traffic adequate priority.

    • Use syslogd isolation for the server.

    • Use PORT statements in the TCP/IP configuration that select by job name.

    A typical setting is: export _BPX_JOBNAME=HTTPD. The default is to append an incrementing integer to your jobname, such as HTTPD1, HTTPD2, HTTPD3. For more information refer to the section Generating jobnames for OMVS address spaces in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.

    If you use the _BPX_JOBNAME variable to set the jobname, the user ID which you use to run the server must have read access to the SAF FACILITY profile BPX.JOBNAME. For example: 
    RDEFINE FACILITY BPX.JOBNAME  UACC(NONE)
SETROPTS RACLIST(FACILITY) REFRESH 
PERMIT BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(WWWSERV) 
SETROPTS RACLIST(FACILITY) REFRESH 
RLIST FACILITY BPX.JOBNAME ALL

    For more information refer to the section Set up the BPX.* FACILITY class profiles in z/OS UNIX System Services Planning (GA22-7800). Link to this document from the z/OS Internet Library.


Related tasks


Related