Setting up RACF for z/OS Connect EE and Liberty JVMs - Documentation for BMC AMI Ops Monitor for Java Environments 4.1
The examples in the procedures use the following values:
Grant RACF authorization to EJBROLE objects
To grant RACF authorization to EJBROLE objects, specify the following definitions in the RACF interface:
Important
If RACF EJBROLE objects are not authorized on your system, check for generic resources that might already control your RACF access.
PE <safProfilePrefix> CLASS(APPL) ID(<mvjePasUserId>) ACCESS(READ)
PE <safProfilePrefix>.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
PE <safProfilePrefix>.zos.connect.access.roles.zosConnectAdmin CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
PERMIT <safProfilePrefix>.com.ibm.ws.management.security.resource.Reader CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
PERMIT <safProfilePrefix>.com.ibm.ws.management.security.resource.Administrator CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
PERMIT <safProfilePrefix>.com.ibm.ws.management.security.resource.allAuthenticatedUsers CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
Create a certificate for the MVJE PAS
Choose one of the following methods:
Important
The certificate must not restrict key usage (no Extended Key Usage, EKU, restriction).
Update the keystore tags in the server.xml file with the zosconnect keyring.
Update the Keystore and Truststore parameters in the MJESSLxx member with the PAS keyring.
If all of the Liberty JVMs on the system are signed with the same CERTAUTH (CA), take the following steps:
- Find the CA for your Liberty JVM:
  - In the server.xml, find the KeyRing name referenced in the SSL keyStoreRef.
  - Issue RACDCERT LISTRING(keyRing) ID(liberty_userid) to list the contents of that KeyRing.
  - Ensure that the Truststore KeyRing contains the CA (and any additional certificates in the certificate chain back to the root CA).
- Use the CA to generate a default personal certificate for the MVJE PAS.
  - (For z/OS Connect EE JVMs) Use the RACDCERT MAP command to create a mapping of the PAS distinguished name back to the user ID.
- In the RACF profile, create a KeyRing for the MVJE PAS:
  - Add the certificate for the MVJE PAS.
  - Add the CA chain to the KeyRing.
- Type ADDSEC on the command line and create a MJESSLxx member with the following values:
  Member Suffix: xx (we recommend MV)
  Description: JVM Security Definition
  SSL=YES
  KEYSTORE=mvjePasKeyRing
  KEYPASS=password
  KEYTYPE=JCERACFKS
  TRUSTSTORE=mvjePasKeyRing
  TRUSTPASS=password
  TRUSTTYPE=JCERACFKS
  USERID=PasUserId
If the Liberty JVMs on the system are signed with different CAs, take the following steps:
- Generate a CA for the MVJE PAS.
- Add the CA to the Truststore for all JVMs.
- Use the CA to generate a default personal certificate for the MVJE PAS.
  - (For z/OS Connect EE JVMs) Use the RACDCERT MAP command to create a mapping of the PAS distinguished name back to the user ID.
- In the RACF profile, create a KeyRing for the MVJE PAS:
  - Add the certificate for the MVJE PAS.
  - Add the CA for the MVJE PAS to the KeyRing.
  - Add the CA chains for the Liberty JVMs to the KeyRing.
- Type ADDSEC on the command line and create a MJESSLxx member with the following values:
  Member Suffix: xx (we recommend MV)
  Description: JVM Security Definition
  SSL=YES
  KEYSTORE=mvjePasKeyRing
  KEYPASS=password
  KEYTYPE=JCERACFKS
  TRUSTSTORE=mvjePasKeyRing
  TRUSTPASS=password
  TRUSTTYPE=JCERACFKS
  USERID=PasUserId
Grant access to CERTAUTH in a KeyRing
Depending on your security setup, grant access to one of the following facilities:
If RDATALIB is active on your system, grant each user ID READ access to its own KeyRing profile in CLASS(RDATALIB):
PE <zosConnectUserId>.<ringName>.LST CLASS(RDATALIB) ID(<zosConnectUserId>) ACCESS(READ)
PE <mvjePasUserId>.<ringName>.LST CLASS(RDATALIB) ID(<mvjePasUserId>) ACCESS(READ)
If RDATALIB is not active on your system, grant access to IRR.DIGTCERT.LIST or IRR.DIGTCERT.LISTRING in CLASS(FACILITY):
PE IRR.DIGTCERT.LIST CLASS(FACILITY) ID(<mvjePasUserId>, <zosConnectUserId>) ACCESS(READ)
or
PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(<mvjePasUserId>, <zosConnectUserId>) ACCESS(READ)
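As an added example that is not part of the BMC documentation or product, the REXX exec below issues the RACF definitions of this page in order: it looks for generic EJBROLE profiles before the PERMIT commands of "Grant RACF authorization to EJBROLE objects", builds the CA, personal certificate, KeyRing and MAP entry of the "different CAs" variant of "Create a certificate for the MVJE PAS", and grants the RDATALIB access of "Grant access to CERTAUTH in a KeyRing". Every user ID, ring name, certificate label, the profile prefix BBGZDFLT and the organisation values are assumptions; the SETROPTS REFRESH commands are added because these classes are normally RACLISTed and the new profiles are not used until they are refreshed.

```rexx
/* REXX -- added example; not BMC's code. All identifiers are assumed. */
/* Issues the RACF definitions of this page in order; run it under a   */
/* RACF SPECIAL user. REXX passes the mixed-case EJBROLE profile names */
/* unchanged, whereas a TSO/ISPF command line with CAPS ON folds them. */
address TSO

prefix   = 'BBGZDFLT'     /* assumed <safProfilePrefix>                   */
pasId    = 'MVJEPAS'      /* assumed <mvjePasUserId>                      */
zconId   = 'ZCONUSER'     /* assumed <zosConnectUserId>                   */
pasRing  = 'MVJEPASRING'  /* assumed KEYSTORE/TRUSTSTORE ring of MJESSLxx */
zconRing = 'ZCONRING'     /* assumed ring named in the server.xml keyStore */
pasCa    = 'MVJE CA'      /* assumed label of the CA generated for the PAS */
libCa    = 'LIBERTY CA'   /* assumed label of the CA that signed the JVMs  */
pasCn    = 'MVJE PAS'     /* assumed CN of the PAS personal certificate    */

/* 1. Check for generic EJBROLE profiles (prefix.** and the like) that  */
/*    may already control access; SEARCH ends with RC 4 when none match. */
call racf "SEARCH CLASS(EJBROLE) FILTER("prefix".**)", 4
call racf "RLIST EJBROLE" prefix".zos.connect.access.roles.zosConnectAccess AUTHUSER", 4

/* 2. APPL and EJBROLE access for the PAS user ID. */
call racf "PERMIT" prefix "CLASS(APPL) ID("pasId") ACCESS(READ)"
roles = 'zos.connect.access.roles.zosConnectAccess',
        'zos.connect.access.roles.zosConnectAdmin',
        'com.ibm.ws.management.security.resource.Reader',
        'com.ibm.ws.management.security.resource.Administrator',
        'com.ibm.ws.management.security.resource.allAuthenticatedUsers'
do i = 1 to words(roles)
  call racf "PERMIT" prefix"."word(roles, i),
            "CLASS(EJBROLE) ID("pasId") ACCESS(READ)"
end
/* RC 4 on SETROPTS is a warning only, e.g. a class that is not RACLISTed. */
call racf "SETROPTS RACLIST(APPL EJBROLE) REFRESH", 4

/* 3. A CA for the PAS (no KEYUSAGE keyword, so key usage stays unrestricted), */
/*    a personal certificate signed by it, and the PAS KeyRing.                 */
call racf "RACDCERT CERTAUTH GENCERT",
          "SUBJECTSDN(CN('"pasCa"') O('EXAMPLE') C('US'))",
          "WITHLABEL('"pasCa"') SIZE(2048) NOTAFTER(DATE(2030-12-31))"
call racf "RACDCERT ID("pasId") GENCERT",
          "SUBJECTSDN(CN('"pasCn"') O('EXAMPLE') C('US'))",
          "WITHLABEL('"pasCn"') SIGNWITH(CERTAUTH LABEL('"pasCa"'))",
          "SIZE(2048) NOTAFTER(DATE(2030-12-31))"
call racf "RACDCERT ID("pasId") ADDRING("pasRing")"
call racf "RACDCERT ID("pasId") CONNECT(ID("pasId") LABEL('"pasCn"')",
          "RING("pasRing") DEFAULT USAGE(PERSONAL))"
call racf "RACDCERT ID("pasId") CONNECT(CERTAUTH LABEL('"pasCa"')",
          "RING("pasRing") USAGE(CERTAUTH))"
/* The Liberty JVMs' CA chain goes into the PAS ring (repeat per CA) ... */
call racf "RACDCERT ID("pasId") CONNECT(CERTAUTH LABEL('"libCa"')",
          "RING("pasRing") USAGE(CERTAUTH))"
/* ... and the PAS CA into every server's trust ring (repeat per server). */
call racf "RACDCERT ID("zconId") CONNECT(CERTAUTH LABEL('"pasCa"')",
          "RING("zconRing") USAGE(CERTAUTH))"

/* 4. z/OS Connect EE only: map the subject DN of the PAS certificate */
/*    back to the PAS user ID. The filter uses RACF's dotted DN form.  */
call racf "RACDCERT ID("pasId") MAP SDNFILTER('CN="pasCn".O=EXAMPLE.C=US')",
          "WITHLABEL('"pasId"MAP') TRUST"
call racf "SETROPTS RACLIST(DIGTCERT DIGTRING DIGTNMAP) REFRESH", 4

/* 5. RDATALIB active: READ on <owner>.<ring>.LST lets an ID read its own */
/*    ring. Omit the two RDEFINE lines if the profiles already exist.    */
call racf "RDEFINE RDATALIB" pasId"."pasRing".LST UACC(NONE)"
call racf "PERMIT" pasId"."pasRing".LST CLASS(RDATALIB) ID("pasId") ACCESS(READ)"
call racf "RDEFINE RDATALIB" zconId"."zconRing".LST UACC(NONE)"
call racf "PERMIT" zconId"."zconRing".LST CLASS(RDATALIB) ID("zconId") ACCESS(READ)"
call racf "SETROPTS RACLIST(RDATALIB) REFRESH", 4

/* 6. Verify: the default personal certificate, both CAs and the MAP entry */
/*    must show up before the MJESSLxx member is pointed at the ring.      */
call racf "RACDCERT ID("pasId") LISTRING("pasRing")"
call racf "RACDCERT ID("pasId") LISTMAP"
exit 0

/* Issue one RACF command; stop on a return code above the tolerated one. */
racf: procedure
  parse arg cmd, okrc
  if okrc = '' then okrc = 0
  address TSO cmd
  if rc > okrc then do
    say 'RC' rc 'from:' cmd
    exit rc
  end
return
```

Run the exec from a TSO session of a RACF SPECIAL user and read the SEARCH and RLIST output of step 1 before the PERMITs of step 2 take effect: a generic profile such as BBGZDFLT.** with a broad access list already grants what the page's discrete PERMITs are meant to grant, and in that case the discrete profiles should be reviewed rather than added blindly. Step 6 prints the ring; the personal certificate must be marked DEFAULT and both CAs must be present with USAGE CERTAUTH, otherwise the TLS handshake between the PAS and the servers fails before any EJBROLE check is reached.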
Where to go from here
To complete setting up z/OS Connect EE and Liberty JVMs, complete the procedures in Enabling features in the server.xml file.