RACF to ACF2 security conversion for z/OS 2.2 IBM HTTP Server/Apache V9

Article ID: 10412

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

The RACF commands given in the IBM HTTP Server guide need to be converted to their ACF2 equivalents so that ACF2 rules can be put in place for IBM HTTP Server on z/OS 2.2.

According to the IBM HTTP Server guide, to run IBM HTTP Server you must set the following z/OS system configurations:

  • Set the memlimit parameter.
  • Configure a mechanism for allowing access to low ports.

Required System Authorization Facility (SAF) configurations:

  • Create a user ID and group for IBM HTTP Server.
  • Set program control for required MVS data sets.
  • Set program control for HFS files.
  • Set program control for z/OS System SSL.
  • Access to SAF key rings.
  • Permitting user IDs to CSFSERV for hardware encryption.
  • Using cryptographic hardware for key storage (optional).
  • Setting the environment variable _BPX_JOBNAME (optional).

Resolution

  1. Create a user ID and group for IBM HTTP Server

    Password example (RACF)
    ADDGROUP WWWGROUP OMVS(GID(999))
    ADDUSER WWWSERV DFLTGRP(WWWGROUP) OMVS(UID(999)) PASSWORD(password)

    Password phrase example (RACF)
    ADDGROUP WWWGROUP OMVS(GID(999))
    ADDUSER WWWSERV DFLTGRP(WWWGROUP) OMVS(UID(999)) PHRASE('passwordphrase')

    ACF2 equivalent (SET LID returns the ACF command to logonid mode after the group profile record has been inserted):

    SET PROFILE(GROUP) DIV(OMVS)
    INSERT WWWGROUP GID(999)
    SET LID
    INSERT WWWSERV GROUP(WWWGROUP) PASSWORD(password) UID(999)  => if a password is used

    Or

    SET LID
    INSERT WWWSERV GROUP(WWWGROUP) PASSWORDPHRASE(passwordphrase) UID(999)  => if a password phrase is used

  2. To use a cataloged procedure named WEBSRV1:

    RDEFINE STARTED WEBSRV1.* STDATA(USER(WWWSERV) GROUP(WWWGROUP) TRACE(YES))

    RACF uses RDEFINE to define a resource that is not protected by default. There is no counterpart to this in ACF2: ACF2 uses a default protection scheme that assumes every resource is protected, so rules must be written to allow access to a resource. A started task such as WEBSRV1 is instead associated with its logonid through ACF2's own started-task controls.

  3. Program control using RACF

    RALTER PROGRAM * ADDMEM('hlq.LINKLIB'//NOPADCHK) UACC(READ)
    RALTER PROGRAM * ADDMEM('hlq.SCEERUN'//NOPADCHK) UACC(READ)

    NOPADCHK means this library is trusted. There is no ACF2 equivalent.

    RALTER PROGRAM * ADDMEM('hlq.SCLBDLL') UACC(READ)

    This would be the same as adding PGM/LIB to an ACF2 rule with PROGRAM(xxxxx) and the LIB being hlq.SCLBDLL.

    SETROPTS WHEN(PROGRAM) REFRESH

    This activates the PROGRAM class. ACF2 ignores PROGRAM calls by default, as the internal SAFDEF record for PROGMCHK shows:

    PROGMCHK JOBNAME=********   USERID=********   PROGRAM=********   RB=********
             RETCODE=4          SAFDEF=INTERNAL   MODE=IGNORE        SUBSYS=ACF2
             FUNCRET=4          FUNCRSN=0

             RACROUTE REQUEST=FASTAUTH,REQSTOR='PROGMCHK',SUBSYS='CONTENTS'

    You need to override this SAFDEF. Doing so turns on validation for ALL programs on your system, so make sure rules are in place (a default rule plus resident rules) that allow access to the majority of programs before you override it, or no one will get any work done on the system. See SAF Program Validation for more information.

  4. Access to SAF key rings.

    The following commands are RACF commands. Replace WWWSERV with the actual user ID under which IBM HTTP Server is started.

    RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
    PE IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
    RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
    PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
    SETR CLASSACT(FACILITY)
    SETR RACLIST(FACILITY) REFRESH

    ACF2 equivalent:
    SET RESOURCE(FAC)
    RECKEY IRR ADD(DIGTCERT.LIST UID(UID string of WWWSERV) SERVICE(READ) ALLOW)
    RECKEY IRR ADD(DIGTCERT.LISTRING UID(UID string of WWWSERV) SERVICE(READ) ALLOW)
    F ACF2,REBUILD(FAC)

  5. The following example shows how to permit the WWWSERV ID and the PUBLIC ID access to profiles in CSFSERV.

    SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
    RDEFINE CSFSERV CSF* UACC(NONE)
    PERMIT CSF%%C CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
    PERMIT CSFPK% CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
    PERMIT CSFCK% CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
    SETROPTS CLASSACT(CSFSERV)
    SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH

    ACF2 equivalent:
    Create a CLASMAP record to map the CSFSERV class to TYPE(CSF) rather than the default TYPE(SAF):

    SET CONTROL(GSO)
    INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) ENTITYLN(8)
    F ACF2,REFRESH(CLASMAP)

    Add the CSFSERV resource rules. Each rule entry carries one UID mask, so the RACF ID(WWWSERV PUBLIC) becomes two entries per key:
    SET RESOURCE(CSF)
    RECKEY CSF%%C ADD(UID(UID string of WWWSERV) SERVICE(READ) ALLOW)
    RECKEY CSF%%C ADD(UID(UID string of PUBLIC) SERVICE(READ) ALLOW)
    RECKEY CSFPK% ADD(UID(UID string of WWWSERV) SERVICE(READ) ALLOW)
    RECKEY CSFPK% ADD(UID(UID string of PUBLIC) SERVICE(READ) ALLOW)
    RECKEY CSFCK% ADD(UID(UID string of WWWSERV) SERVICE(READ) ALLOW)
    RECKEY CSFCK% ADD(UID(UID string of PUBLIC) SERVICE(READ) ALLOW)
    F ACF2,REBUILD(CSF)

  6. The following example shows how to give user IDs and the WWWSERV ID access to profiles in CSFSERV.

    SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
    RDEFINE CSFSERV CSF%%C UACC(READ)
    RDEFINE CSFSERV CSFPK% UACC(READ)
    RDEFINE CSFSERV CSFCK% UACC(READ)
    SETROPTS CLASSACT(CSFSERV)
    SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH

    RACF uses RDEFINE with UACC(READ) to define these resources and grant everyone read access. There is no counterpart to this in ACF2; because ACF2 protects resources by default, the same effect is obtained by writing resource rules under TYPE(CSF) that ALLOW SERVICE(READ) for the UID masks concerned.

  7. If you use the _BPX_JOBNAME variable to set the jobname, the user ID which you use to run the server must have read access to the SAF FACILITY profile BPX.JOBNAME. For example:

    RDEFINE FACILITY BPX.JOBNAME UACC(NONE)
    SETROPTS RACLIST(FACILITY) REFRESH
    PERMIT BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(WWWSERV)
    SETROPTS RACLIST(FACILITY) REFRESH
    RLIST FACILITY BPX.JOBNAME ALL

    ACF2 equivalent:
    SET RESOURCE(FAC)
    RECKEY BPX ADD(JOBNAME UID(UID string of WWWSERV) SERVICE(READ) ALLOW)
    F ACF2,REBUILD(FAC)
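Steps 4, 5 and 7 all follow one pattern: a RACF RDEFINE ... UACC(NONE) has no ACF2 counterpart, each RACF PERMIT becomes one ACF2 RECKEY ADD(...) entry per ID under the mapped resource type, and SETROPTS RACLIST REFRESH becomes F ACF2,REBUILD(type). The following Python script is an added illustration of that pattern and is not part of the article or of any Broadcom or IBM tool. It assumes the FACILITY-to-FAC and CSFSERV-to-CSF class mappings from the article (the CLASMAP record from step 5 is taken as already in place), maps only READ and UPDATE access levels, and takes the site's UID strings from a caller-supplied dictionary; the sample RACF input and the UID strings are constructed for the demonstration.

```python
"""Translate RACF resource-class commands into ACF2 resource-rule commands,
following the RACF -> ACF2 pattern shown in steps 4, 5 and 7 of the article.

Added example, not an IBM or Broadcom tool. Assumptions are marked inline.
"""
import re
from collections import OrderedDict

# RACF class -> ACF2 resource type (assumption: FACILITY uses ACF2's FAC type,
# CSFSERV is mapped to CSF by the CLASMAP record from step 5).
CLASS_TO_TYPE = {"FACILITY": "FAC", "CSFSERV": "CSF"}

# RACF access level -> ACF2 SERVICE keyword. Only READ and UPDATE are mapped;
# anything else is reported for manual conversion rather than guessed.
ACCESS_TO_SERVICE = {"READ": "READ", "UPDATE": "UPDATE"}


def _keyword(line, name):
    """Return the value of a RACF keyword such as CLASS(...), or None if absent."""
    m = re.search(r"\b%s\(([^)]*)\)" % name, line, re.IGNORECASE)
    return m.group(1).strip() if m else None


def split_key(resource):
    """ACF2 uses the first qualifier as the rule key; the remainder (possibly
    empty, as for CSFPK%) is the resource name inside the rule entry."""
    key, _, rest = resource.partition(".")
    return key, rest


def convert(racf_lines, uid_strings):
    """Return (acf2_commands, notes). Commands are grouped per resource type
    with SET RESOURCE(type) first and F ACF2,REBUILD(type) last."""
    rules = OrderedDict()      # (type, key) -> list of RECKEY commands
    notes = []
    for raw in racf_lines:
        line = raw.strip()
        if not line:
            continue
        verb = line.split()[0].upper()
        if verb in ("RDEFINE", "RDEF"):
            notes.append("no ACF2 counterpart (resources are protected by default): " + line)
        elif verb in ("SETROPTS", "SETR"):
            notes.append("not needed (ACF2 activates rules with F ACF2,REBUILD): " + line)
        elif verb in ("PERMIT", "PE"):
            resource = line.split()[1]
            rtype = CLASS_TO_TYPE.get((_keyword(line, "CLASS") or "").upper())
            service = ACCESS_TO_SERVICE.get((_keyword(line, "ACCESS") or "").upper())
            ids = (_keyword(line, "ID") or "").split()
            if rtype is None or service is None or not ids:
                notes.append("manual conversion needed (unmapped class/access or no ID): " + line)
                continue
            key, rest = split_key(resource)
            entries = rules.setdefault((rtype, key), [])
            # One rule entry per RACF ID: an ACF2 rule entry carries a single UID mask.
            for racf_id in ids:
                uid = uid_strings.get(racf_id.upper())
                if uid is None:
                    uid = "<UID string for %s>" % racf_id   # placeholder, not a real UID
                    notes.append("no UID string known for %s; placeholder emitted" % racf_id)
                prefix = rest + " " if rest else ""
                entries.append("RECKEY %s ADD(%sUID(%s) SERVICE(%s) ALLOW)"
                               % (key, prefix, uid, service))
        else:
            notes.append("unrecognised command: " + line)

    out = []
    for rtype in OrderedDict.fromkeys(t for t, _ in rules):
        out.append("SET RESOURCE(%s)" % rtype)
        for (t, _key), entries in rules.items():
            if t == rtype:
                out.extend(entries)
        out.append("F ACF2,REBUILD(%s)" % rtype)
    return out, notes


# Constructed sample input: the RACF commands from steps 4 and 7 plus one
# CSFSERV PERMIT from step 5.
SAMPLE_RACF = """
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PE IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WWWSERV) ACCESS(READ)
SETR CLASSACT(FACILITY)
SETR RACLIST(FACILITY) REFRESH
RDEFINE FACILITY BPX.JOBNAME UACC(NONE)
PERMIT BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(WWWSERV)
PERMIT CSFPK% CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ)
""".splitlines()

# Constructed UID strings; real values depend on your site's UID string layout.
SAMPLE_UIDS = {"WWWSERV": "WEBSRV*WWWSERV", "PUBLIC": "PUBLIC"}

if __name__ == "__main__":
    commands, notes = convert(SAMPLE_RACF, SAMPLE_UIDS)
    print("\n".join(commands))
    for note in notes:
        print("* " + note)
```

The notes list is as important as the generated commands: every RDEFINE and SETROPTS that has no ACF2 counterpart is reported rather than silently dropped, and any PERMIT whose class or access level the mapping does not cover is flagged for manual conversion, so nothing is granted that the original RACF commands did not grant.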

Additional Information

The commands above are based on the IBM HTTP Server z/OS V2R2.0 "HTTP Server - Powered by Apache" User's Guide.