The Liberty angel process

The angel process is required by Liberty to call z/OS® authorized services such as System Authorization Facility (SAF), Resource Recovery services (RRS), and SVCDUMP. SAF is used by Liberty security mechanisms to call RACF®. RRS is used by the IBM® MQ resource adapter when the connection to IBM MQ is made by using BINDINGS mode.

The angel process is started from the MVS™ console, and can be given a name. If the angel process is not given a name, it becomes the default angel. For more information on named angels, see Named angel in WebSphere Application Server for z/OS Liberty product documentation. All the Liberty servers that are running on a z/OS image can share a single angel. This is regardless of the level of code that the servers are running or whether they are running in a CICS® JVM server.

Important: Install the latest version of the angel process, regardless of which product it is bundled with. The latest version might be bundled with other IBM software, and might supersede the version that is bundled with CICS.

Many Liberty servers, including CICS Liberty JVM servers, can use the default or a named angel process.

The angel process started task

The angel process started task JCL procedure is included with CICS in the USSHOME directory, for example:

/usr/lpp/cicsts52/wlp/templates/zos/procs/bbgzangl.jcl

The JCL must be copied to a JES procedure library and modified. ROOT can be set to the value USSHOME/wlp, for example:

/usr/lpp/cicsts52/wlp

An angel can be named by coding the NAME parameter on the operator START command. An installation of Liberty can use its own named angel. Therefore, the installation can be serviced without taking down all Liberty server instances on the LPAR. The angel name is 1 - 54 characters inclusive, and must use only the following characters:

A-Z 0-9 ! # $ + - / : < > = ? @ [ ] ^ _ ` { } | ~

The angel process must be running before the Liberty JVM server starts. To start the angel process and name the angel, give the following operator command:
START BBGZANGL,NAME=<name>
To stop the angel process, give the following operator command:
STOP BBGZANGL
To display the Liberty JVM servers that are connected to the angel process, give the following operator command:
MODIFY BBGZANGL,DISPLAY,SERVERS

The returned message lists the CICS regions that have an active Liberty JVM server and other Liberty JVM servers that are connected to the angel process.

The angel process started task SAF rules

The user ID that the angel process runs under needs the SAF STARTED profile, for example:
RDEFINE STARTED BBGZANGL.* UACC(NONE) STDATA(USER(WLPUSER))
SETROPTS RACLIST(STARTED) REFRESH 

The CICS Liberty JVM server runs under the authority of the CICS region user ID. This user ID needs to be able to connect to the angel process to use authorized services. The only authorized services that are supported in a CICS Liberty JVM server are the z/OS user registry services and SAF authorization services (SAFCRED) that are implemented by the CICS Liberty security feature. If you are not using this feature, you do not need to run the angel process.

To allow the CICS Liberty JVM server to connect to the angel process, create a profile for the angel process (BBG.ANGEL) in the SERVER class. Give the CICS region user ID (cics_region_user) authority to access it, for example, in RACF:

RDEFINE SERVER BBG.ANGEL UACC(NONE)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(cics_region_user)

To allow the CICS Liberty JVM server to access the services necessary for the CICS Liberty security feature, create a profile for the SAF authorized user registry services and SAF authorization services (SAFCRED) in the SERVER class. Give the CICS region user ID (cics_region_user) authority to access it, for example, in RACF:

RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(cics_region_user) 

To allow a Liberty server to use the z/OS authorized services, create a SERVER profile for the authorized module BBGZSAFM and permit the CICS region user ID (cics_region_user) to access the profile. For example, to allow a CICS region where the region user ID is cics_region_user to access the authorized module:

RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(cics_region_user)

Create a SERVER profile for the IFAUSAGE services (PRODMGR) and give the CICS region user ID access to it. This allows the Liberty JVM server to register and unregister from IFAUSAGE when the CICS JVM server is enabled and disabled. To allow a CICS region where the region user ID is cics_region_user to register and unregister from IFAUSAGE:

RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.PRODMGR UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM.PRODMGR CLASS(SERVER) ACCESS(READ) ID(cics_region_user)
Refresh the SERVER resource:
SETROPTS RACLIST(SERVER) REFRESH
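
The following pre-submission check for the SERVER class commands above is an added example, not code from IBM or from the product. It reads a RACF command deck as text and reports any of the four profiles that is missing, not explicitly defined with UACC(NONE), or not permitted READ for the region user ID, and whether the SETROPTS refresh follows the last change. The user ID CICSRGN1, the sample deck, and the function names are constructed for illustration.

```python
import re

# The four SERVER-class profiles named in the text above.
REQUIRED = ("BBG.ANGEL", "BBG.AUTHMOD.BBGZSAFM",
            "BBG.AUTHMOD.BBGZSAFM.SAFCRED", "BBG.AUTHMOD.BBGZSAFM.PRODMGR")

def operand(text, key):
    """Return the value of KEY(value) in a RACF command, upper-cased, or None."""
    m = re.search(rf"\b{key}\(([^)]*)\)", text, re.I)
    return m.group(1).strip().upper() if m else None

def lint_deck(deck, region_id):
    """Return findings; this check insists on an explicit UACC(NONE) operand."""
    region_id = region_id.upper()
    uacc, grants, findings = {}, {}, []
    last_change = refresh = -1
    for n, line in enumerate(deck.upper().splitlines()):
        words = line.split()
        if words[:2] == ["RDEFINE", "SERVER"] and len(words) > 2:
            uacc[words[2]] = operand(line, "UACC")
            last_change = n
        elif words[:1] == ["PERMIT"] and len(words) > 1 and operand(line, "CLASS") == "SERVER":
            grants.setdefault(words[1], {})[operand(line, "ID")] = operand(line, "ACCESS")
            last_change = n
        elif words == ["SETROPTS", "RACLIST(SERVER)", "REFRESH"]:
            refresh = n
    for prof in REQUIRED:
        if prof not in uacc:
            findings.append(f"{prof}: not defined")
        elif uacc[prof] != "NONE":
            findings.append(f"{prof}: UACC is {uacc[prof]}, expected NONE")
        if grants.get(prof, {}).get(region_id) != "READ":
            findings.append(f"{prof}: {region_id} lacks READ")
    if last_change >= 0 and refresh < last_change:
        findings.append("SERVER class not refreshed after the last change")
    return findings

# Constructed deck with three mistakes: UACC(READ), a missing profile, no refresh.
WEAK_DECK = """\
RDEFINE SERVER BBG.ANGEL UACC(NONE)
PERMIT BBG.ANGEL CLASS(SERVER) ACCESS(READ) ID(CICSRGN1)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(CICSRGN1)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(READ)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(CICSRGN1)
"""

if __name__ == "__main__":
    print("\n".join(lint_deck(WEAK_DECK, "CICSRGN1")))
```

The check only reads the command text; it does not query RACF, so it complements rather than replaces listing the profiles after the deck has run.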

For more information, see Liberty profile: Process types on z/OS in WebSphere Application Server for z/OS product documentation.