IBM TechXchange Virtual WebSphere z/OS User Group

WebSphere and Java continue to grow as a workload on System Z. The virtual user group has been established to provide a community to share updates on technology and share customer experiences.

Liberty z/OS Post #81- Messages.log and Angel Services

By David Follis posted 6 days ago

  

This post is part of a series exploring the unique aspects and capabilities of WebSphere Liberty when running on z/OS.
We'll also explore considerations when moving from WebSphere traditional on z/OS to Liberty on z/OS.

To start at the beginning, follow this link to the first post.

---------------

As promised, this time we’re taking a look at the messages related to specific Angel services.  If you’ll recall (or go re-read) the blog posts from way back about how the Angel works, each server provides the Angel with a load module containing the code for the authorized services it might need.  There’s a sort of index at the top of the module that lists all the services included and has a ‘name’ for them.  That name is used to generate the SAF entity name that the Angel checks to see if your server has access to use that particular authorized service.

Got all that?  So after the Angel does its checking it builds a little table of all the services and what the server can and can’t use.  And, trying to be helpful, the server issues messages after it finishes all this to let you know what service names were available and whether you’ve got access to them or not.

Each service you have access to will be listed in a CWWKB0103I message.  Each service you don’t have access to will be listed in a CWWKB0104I message.  At this point I was tempted to go through each of the currently defined services and explain them, but there’s already documentation and, to be honest, a lot of them are pretty obvious.  The “ZOSWLM” service group gets you access to z/OS WLM stuff.  The “TXRRS” service group gets you access to the RRS transaction services. 

So I looked at the messages from my server and I looked at the doc and concluded this would be a fine place to end this blog post.  Except... what’s “KERNEL”?  I didn’t set up a RACF profile granting access to that.  And it isn’t in the doc anywhere (that I could find, which... well... anyway).  Yet there’s a CWWKB0103I message saying my server has access to the KERNEL authorized services group.  What’s up with that?

It turns out that KERNEL represents some internal authorized functions that are required for the server if it is going to do stuff with the Angel.  If you’re authorized to the Angel then you’re going to get some storage allocated and stuff like that and the server needs some of its own authorized services.  We have to have it.  So, if your server is authorized to use an Angel and load an authorized services module, then it is automatically authorized to the KERNEL functions without you creating a separate security entity for it.  It is just there magically.

So, if your server uses an Angel you’re going to see it be authorized to the KERNEL services group.  It is just the server doing its thing, but we made use of the authorized services interfaces to do it so you get this message.  Not a big deal.  You can’t change it.  Don’t panic. 

And THAT is all I have to say about that.
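
An added example, not part of the original post or of Liberty itself: a small Python audit that reads messages.log lines, collects the CWWKB0103I/CWWKB0104I results, and compares the granted service groups against the ones you intended to permit, treating KERNEL as implicit. The log lines are constructed, the message wording after the ID and the SAFCRED group in the sample are assumptions, and the function names are hypothetical.

```python
import re

# Matches the two message IDs the post describes. The wording after the ID
# ("Authorized service group <NAME> ...") is an assumption about the log text.
MSG_RE = re.compile(r"\b(CWWKB0103I|CWWKB0104I):\s+Authorized service group (\S+)")

# Granted automatically when the server may use the Angel, per the post.
IMPLICIT = {"KERNEL"}


def parse_service_groups(lines):
    """Return {group: True/False}: CWWKB0103I = access, CWWKB0104I = no access."""
    state = {}
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            # Later lines win, so a log spanning restarts reflects the latest start.
            state[m.group(2)] = (m.group(1) == "CWWKB0103I")
    return state


def audit(lines, expected):
    """Compare what the server reports with the groups you meant to permit."""
    state = parse_service_groups(lines)
    granted = {g for g, ok in state.items() if ok}
    return {
        # Access the server has that nobody asked for: review the SAF profiles.
        "unexpected": sorted(granted - expected - IMPLICIT),
        # Access you intended but the Angel did not grant.
        "missing": sorted(expected - granted),
        # Always present with an Angel; no separate SAF entity exists for it.
        "implicit": sorted(granted & IMPLICIT),
    }


# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
[1/15/24, 10:02:11:120 EST] 00000021 A CWWKB0103I: Authorized service group KERNEL is available.
[1/15/24, 10:02:11:121 EST] 00000021 A CWWKB0103I: Authorized service group SAFCRED is available.
[1/15/24, 10:02:11:122 EST] 00000021 A CWWKB0104I: Authorized service group TXRRS is not available.
[1/15/24, 10:02:11:123 EST] 00000021 A CWWKB0103I: Authorized service group ZOSWLM is available.
""".splitlines()

if __name__ == "__main__":
    # Hypothetical intent: this server should only use WLM and RRS services.
    print(audit(SAMPLE_LOG, expected={"ZOSWLM", "TXRRS"}))
```
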
