Tailoring of the required installation jobs is performed from the Generate installation jobs (1 GENJ) submenu. The exact jobs required depend on the type of installation, and jobs that are not required can be skipped, for instance when updating an existing installation.
This step merely generates the jobs; nothing is run at this stage. You should inspect the generated jobs carefully, as well as verify them with TYPRUN=SCAN on the generated job cards. The JCLs must be run by the authorized installing user to have effect (see Running the Product Installation Jobs).
Selecting any of the options in this panel will result in the presentation of a file-tailored JCL job to perform the task in question. You can also use the 99 GENALL option to generate all the jobs at once.
The options are listed in Table 2.4, followed by a more detailed description of each of them.
Table 2.4. Generate Installation Jobs submenu (1 GENJ)
Option | Description | The generated job must be run |
---|---|---|
1.1 INSTUSER | Grant permissions to user doing install | On first install |
1.2 CPGMCTL | Ensure C library program-controlled | On first install |
1.3 ADDSSHDU | Set up SSH Server user | On first install |
1.4 ADDSOXPU | Set up SOCKS Proxy Server user | If the SOCKS Proxy is to be run as a started task |
1.5 CSFSERV | ICSF permissions | If access to ICSF is to be restricted |
1.6 SERVAUTH | Port 22 control | If access to the SSH port is to be controlled |
1.7 SAVE | Save previous installation key data | On each upgrade (to carry customizations forward) |
1.8 ZFS | Define installation ZFS | On each install/upgrade |
1.9 LOAD | Load installation ZFS | On each install/upgrade |
1.10 RESTORE | Restore previous installation key data | If the complementary SAVE job has been run |
1.11 SYMLINK | Create /opt/tectia symlink | On each install/upgrade |
1.12 SSZLIBS | Sample JCL and PARM libraries | On each install/upgrade |
1.13 PROCLIB | Set up started task procedures | On each install/upgrade |
1.14 LICENCE | Install licenses from supplied tarball | On first install and whenever licenses change |
1.15 KEYGEN | Generate server host keys | On first install |
99 GENALL | Generate all jobs | (On first install) |
The user who is going to install, configure and run Tectia Server for IBM z/OS requires authority to make changes normally restricted to special users. You may use any user with RACF SPECIAL and UID 0 to perform this role.
In addition, the installing user needs some authorities which may well not be granted already. This step generates a job which will allow the installing user to permit program-control rights and to issue console commands. The job must be run at least on the first install of the product.
It is necessary for the C Runtime Library to be marked program-controlled in order for Tectia Server for IBM z/OS to perform functions such as allowing authenticated users to log on.
This step generates a job which will allow the installing user to alter the C Runtime Library program-control status. The job must be run at least on the first install of the product.
Tectia Server for IBM z/OS should be run by a user dedicated for that purpose and granted the appropriate rights.
This step generates a job which will allow the installing user to define the SSH server started-task user, granting it permissions to run as a daemon and to create SMF records, as well as ownership of the SSH server and Certificate server started tasks. The job must be run at least on the first install of the product.
The SOCKS Proxy server should be run by a user dedicated for that purpose and granted the appropriate rights.
This step generates a job which will allow the installing user to define the SOCKS Proxy server started-task user, granting it ownership of the SOCKS Proxy server started task, as well as creating the home directory it requires. If the SOCKS Proxy is to be run as a started task, this job must be run at least on the first install of the product.
To take advantage of cryptographic hardware and to manage its use, we recommend that you define access permissions.
This step generates a job which will grant permissions to all users to access certain features of ICSF cryptographic support needed for efficient SSH operations. If access to ICSF is to be restricted, this job should be run at least on the first install of the product.
Access to the SSH port may be controlled via the SERVAUTH RACF class, limiting the binding of this port to specific UIDs.
This step generates a job which will deny general access to the SSH port and allow only the defined SSH server user and the OpenSSH SSHDAEM user to bind the port. This job should be run if you want to control access to the SSH port (a recommended but not necessary practice).
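As an added illustration (not the job that the 1.6 SERVAUTH option generates), the following batch TSO job shows the general shape of such port control and carries TYPRUN=SCAN on its job card so that it is only syntax-checked, as recommended earlier for the generated jobs. The accounting field, the system name SYSA, the stack name TCPIP, the SAF resource suffix SSHPORT and the user ID SSHDUSR are hypothetical placeholders; SSHDAEM is the OpenSSH user named above.

```jcl
//RACFPORT JOB (ACCT),'SERVAUTH PORT 22',CLASS=A,MSGCLASS=X,
//         TYPRUN=SCAN
//*
//* Added example, not generated by the product. All site names
//* (SYSA, TCPIP, SSHPORT, SSHDUSR, ACCT) are placeholders.
//*
//* TYPRUN=SCAN: the job is checked for JCL syntax errors and is
//* not executed. Remove it only after the job has been reviewed.
//*
//* Assumed TCP/IP profile entry tying port 22 to the SAF resource
//* protected below (resource suffix SSHPORT is an assumption):
//*     PORT
//*        22 TCP * SAF SSHPORT
//*
//* Assumes the SERVAUTH class is already active and RACLISTed.
//*
//* Step RACF runs the TSO terminal monitor program in batch:
//*   1. define the port resource with no general access,
//*   2. permit only the two server users to bind the port,
//*   3. refresh the in-storage SERVAUTH profiles,
//*   4. list the access list so the result can be verified.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE SERVAUTH EZB.PORTACCESS.SYSA.TCPIP.SSHPORT UACC(NONE)
  PERMIT EZB.PORTACCESS.SYSA.TCPIP.SSHPORT CLASS(SERVAUTH) -
         ID(SSHDUSR SSHDAEM) ACCESS(READ)
  SETROPTS RACLIST(SERVAUTH) REFRESH
  RLIST SERVAUTH EZB.PORTACCESS.SYSA.TCPIP.SSHPORT AUTHUSER
/*
```

In the RLIST output, the profile should show a universal access of NONE and only the two permitted users in its access list.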
When upgrading or re-installing, it is convenient to reuse some data from the previous installation.
This step generates a job which will create a tar archive of the contents of the customization and ephemeral data directories etc and var for later restoration after the install. This job should be run when upgrading an existing installation and you want to carry customizations forward.
The Tectia Server for IBM z/OS installation is done into a separate zFS data set for control and manageability.
This step generates a job which will allocate a new zFS data set, format and mount it onto the defined mount point, using names and attributes given in the settings panel. This job must be run on each install or upgrade of the product.
The Tectia Server for IBM z/OS product is supplied as a tar file which is loaded into a previously defined and mounted zFS.
This step generates a job which will load the product into the file system and ensure that the appropriate ownership, permissions and authorizations are set. This job must be run on each install or upgrade of the product.
When upgrading or re-installing, it is convenient to reuse some data from the previous installation.
This step generates a job which will restore the contents of the customization and ephemeral data directories etc and var saved prior to the install. This job should be run if its complementary SAVE job has been run.
The Tectia Server for IBM z/OS product must be run from the path /opt/tectia, which is a symlink to the installation location.
This step generates a job which will create a symlink to the product installation directory. It is necessary for /opt to be mounted read-write when this job is run. This job must be run on each installation or upgrade.
Sample jobs for a variety of SSH tasks as well as the recommended environment settings are provided.
This step generates a job which will create PDS libraries for the sample jobs and parameters, loading them with appropriately tailored content. This job should be run on each installation or upgrade.
Customized procedures for the Tectia Server for IBM z/OS started tasks are installed to the specified system proclib.
This step generates a job which will install tailored JCL procedures for the SSH server, Certificate server and SOCKS Proxy to the proclib requested in settings, as well as installing a BPXPRMSZ member in the requested parmlib to facilitate mounting the SSZ zFS at OMVS start time. This job must be run on each installation or upgrade.
The Tectia Server and client tools for z/OS licenses are supplied in a separate tar file for installation.
This step generates a job which will extract the product licenses from the tar file supplied separately by SSH Customer Support, converting them and installing them in the required location. If the tar file is gzipped (.gz), the gzip utility must be available in the path. This job must be run on first install and whenever licenses change. On other occasions, it is easier to use the SAVE/RESTORE jobs to carry the licenses forward.
An SSH server public/private host key pair is required for server operations.
This step generates a job which will create a set of host keys for the SSH server and install them in the required location with correct permissions. This job must be run on first install. For a re-installation or upgrade, it may be desirable to reuse existing host keys via the SAVE/RESTORE jobs and skip this step.