Is any special setup needed for zRule Execution Server for z/OS when using CA ACF2?

Article ID: 11016

Updated On:

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

zRule Execution Server for z/OS is a rule execution module for COBOL applications running on z/OS. zRule makes security calls to the security package on the z/OS system.



Is there any special setup required when CA ACF2 is the security package?

Environment

Release:
Component: ACF2MS

Resolution

zRule makes a RACROUTE call to check for security. The first RACROUTE call is an EXTRACT call that decides whether more security calls should be made. An example of that call from a SECTRACE looks like this:

CAS21D0I TRACEID: TRC0001    EVENT#:  nnnnnnn                                  
CAS21D0I JOBNAME: xxxxxx USERID: xxxxxx ASID: 0nnn
CAS21D1I PROGRAM: HBRMAIN RB CURR: HBRMAIN APF: YES SFR/RFR: N/A
CAS21D3I SAFDEF: GENXTRCT INTERNAL MODE: GLOBAL
CAS2200I RACROUTE REQUEST=EXTRACT,CLASS={=>}'HBRADMIN',RELEASE=2.1,
CAS2200I ENTITYX=({=>}'AB01.NO.SUBSYS.SECURITY'),FLDACC=NO,
CAS2200I GENERIC=ASIS,MSGSP=0,MATCHGN=NO,TYPE=EXTRACT,
CAS2200I WORKA={STRUCTURE SAFWORKA,=>,18EEF7F8}
CAS2203I REG. 1 DATA AREA FOLLOWS

The high-level name on the entity is site-specific.

zRule expects this EXTRACT call to fail with return codes of 4:8/0, which means NO PROFILE FOUND. Because CA ACF2 is set up to protect by default and does not use profile records in the same way that RACF does, a SAFDEF record must be in place to send back the return codes the product needs. Here are some sample SAFDEF records:

**** / SAFDEF.HBRADMIN LAST CHANGED BY xxxxxx ON mm/dd/yy-hh:mm 
FUNCRET(8) FUNCRSN(0) ID(HBRADMIN) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN
ENTITYX=AB**.NO.SUBSYS.SECURITY) RETCODE(4)

**** / SAFDEF.HBRCMD LAST CHANGED BY xxxxxx ON mm/dd/yy-hh:mm
FUNCRET(8) FUNCRSN(0) ID(HBRCMD) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN
ENTITYX=AB**.NO.COMMAND.SECURITY) RETCODE(4)

**** / SAFDEF.HBRCONN LAST CHANGED BY xxxxxx ON mm/dd/yy-hh:mm
FUNCRET(8) FUNCRSN(0) ID(HBRCONN) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN
ENTITYX=AB**.NO.CONNECT.SECURITY) RETCODE(4)

**** / SAFDEF.HBRRES LAST CHANGED BY xxxxxx ON mm/dd/yy-hh:mm
FUNCRET(8) FUNCRSN(0) ID(HBRRES) MODE(IGNORE)
RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN
ENTITYX=AB**.NO.RESCONSOLE.SECURITY) RETCODE(4)

You will need to adjust the entity to match your site's high-level name.

The insert commands would look like this:

TSO ACF
SET CONTROL(GSO) SYSID(****)
INSERT SAFDEF.HBRADMIN ID(HBRADMIN) MODE(IGNORE) FUNCRET(8) RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=AB**.NO.SUBSYS.SECURITY)
INSERT SAFDEF.HBRCMD ID(HBRCMD) MODE(IGNORE) FUNCRET(8) RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=AB**.NO.COMMAND.SECURITY)
INSERT SAFDEF.HBRCONN ID(HBRCONN) MODE(IGNORE) FUNCRET(8) RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=AB**.NO.CONNECT.SECURITY)
INSERT SAFDEF.HBRRES ID(HBRRES) MODE(IGNORE) FUNCRET(8) RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=AB**.NO.RESCONSOLE.SECURITY)

Then refresh the SAFDEF records to make them available to CA ACF2:

F ACF2,REFRESH(SAFDEF)
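
As an added example (not part of the original article or of CA ACF2), this Python script reads the CAS2200I lines of a SECTRACE capture and reports which EXTRACT calls none of the sample SAFDEF records above would answer, for instance because the high-level name in the mask was not adjusted for the site. The trace lines are constructed, the CD01 prefix is made up, and treating each * in a mask as exactly one character is an assumption.

```python
import re

# Constructed SECTRACE lines modelled on the excerpt above; the second call uses a
# made-up high-level name (CD01) that the sample AB** masks were not adjusted for.
SAMPLE_TRACE = """\
CAS2200I RACROUTE REQUEST=EXTRACT,CLASS={=>}'HBRADMIN',RELEASE=2.1,
CAS2200I ENTITYX=({=>}'AB01.NO.SUBSYS.SECURITY'),FLDACC=NO,
CAS2200I GENERIC=ASIS,MSGSP=0,MATCHGN=NO,TYPE=EXTRACT,
CAS2203I REG. 1 DATA AREA FOLLOWS
CAS2200I RACROUTE REQUEST=EXTRACT,CLASS={=>}'HBRADMIN',RELEASE=2.1,
CAS2200I ENTITYX=({=>}'CD01.NO.CONNECT.SECURITY'),FLDACC=NO,
"""

# SAFDEF name -> (REQUEST, CLASS, ENTITYX mask), copied from the sample records.
SAFDEFS = {
    "HBRADMIN": ("EXTRACT", "HBRADMIN", "AB**.NO.SUBSYS.SECURITY"),
    "HBRCMD": ("EXTRACT", "HBRADMIN", "AB**.NO.COMMAND.SECURITY"),
    "HBRCONN": ("EXTRACT", "HBRADMIN", "AB**.NO.CONNECT.SECURITY"),
    "HBRRES": ("EXTRACT", "HBRADMIN", "AB**.NO.RESCONSOLE.SECURITY"),
}

FIELDS = re.compile(r"REQUEST=(\w+),CLASS=\{=>\}'([^']*)'.*?ENTITYX=\(\{=>\}'([^']*)'\)")


def parse_requests(trace):
    """Join CAS2200I continuation lines; return (request, class, entity) tuples."""
    calls = []
    for line in trace.splitlines():
        if not line.startswith("CAS2200I "):
            continue
        text = line[len("CAS2200I "):].strip()
        if text.startswith("RACROUTE "):
            calls.append(text)          # a new RACROUTE statement begins
        elif calls:
            calls[-1] += text           # continuation of the current statement
    return [m.groups() for m in map(FIELDS.search, calls) if m]


def covering_safdef(request, saf_class, entity):
    """Return the SAFDEF name whose RACROUTE operands match this call, else None."""
    for name, (req, cls, mask) in SAFDEFS.items():
        # Assumption: each '*' in the mask stands for exactly one character.
        pattern = re.escape(mask).replace(r"\*", ".")
        if (request, saf_class) == (req, cls) and re.fullmatch(pattern, entity):
            return name
    return None


def uncovered(trace):
    """Entities of traced calls that no SAFDEF above would answer."""
    return [c[2] for c in parse_requests(trace) if covering_safdef(*c) is None]


if __name__ == "__main__":
    print(uncovered(SAMPLE_TRACE))
```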