This document supplies equivalent ACF2 commands to replace the RACF commands in the RACFMSTR REXX. The commands do not correspond one-for-one, since ACF2 accomplishes the same objectives differently. The commands define two user ids, xxxxADM and xxxxCFG, their profile records, certificates and keyrings. Samples of the rules needed to grant access to the related resources are included.
First, issue a SHOW CLASMAP and ensure you have a CLASMAP record for each of the following classes and that the class is mapped to a resource type other than SAF.
APPL, CBIND, FACILITY, SERVER, EJBROLE, OPERCMDS
If the class is mapped to SAF, insert a CLASMAP record that maps the class to a more meaningful 3-character resource type code. Where indicated, this example uses new type codes that you can replace with others of your choice; whichever code you pick must be used consistently in the SET command, on the $KEY/TYPE line and in the REBUILD command for that class.
DIGTNMAP and SECLABEL references in the original document are not covered here. If you require this level of security, please contact CA ACF2 Technical Support for follow-up.
Where resource rules are indicated, check whether a rule set with that $KEY and TYPE code already exists. If it does, add these entries to the existing rule set rather than compiling a new one, since storing a new rule set with the same $KEY replaces the existing one.
Continuation characters (-) appear at the end of a line when the input is to be processed in a batch job. If the command is entered from TSO, omit the continuation character and continue the command text on the next input line. The lines beginning with /* in this document are annotations: if the commands are placed in an instream data set (//SYSIN DD *), a line beginning with /* in column 1 ends the instream data, so drop the annotations or code a DLM= on the DD statement.
/* Create WAS configuration group.
/* PROFILE(GROUP) DIV(OMVS): inserts the OMVS profile record for group xxxxGRP.
/* GID(nnnn) is a placeholder for the z/OS UNIX group id you assign.
ACF
SET PROFILE(GROUP) DIV(OMVS)
INSERT xxxxGRP GID(nnnn)
/* Adding WAS admin userid.
/* RESTRICT: the logonid runs without a password (no interactive signon) — the usual choice for a server identity.
/* UID(nnnn) and FILEPROC(nnnnn) are placeholders; NOTE(review): the UID should normally be unique to this logonid,
/* since logonids sharing a UID share one z/OS UNIX identity — confirm against your UID assignments.
ACF
SET LID
INSERT xxxxADM NAME(SSRE Administrator) RESTRICT GROUP(xxxxGRP) UID(nnnn) -
HOME(/tmp) OMVSPGM(/bin/sh) FILEPROC(nnnnn)
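/* APPL class setup.
/* APL is a NEW TYPE CODE chosen for this example (see the CLASMAP note at the top); if you use a different
/* code, use it on the $KEY/TYPE line and in the REBUILD for this class as well.
/* The rule grants xxxxADM READ to the APPL resource xxxxcell; replace "uid of xxxxADM" with its UID string.
/* NOTE(review): a STORE (or COMPILE * STORE) is needed to save the compiled rule set — confirm the convention used at your site.
ACF
SET R(APL)
COMPILE
$KEY(xxxxcell) TYPE(APL)
UID(uid of xxxxADM) SERVICE(READ) ALLOW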
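/* Defining CBIND CB.BIND.domain_name rules (domain_name appears as xxxxcell below).
/* CBI is a NEW TYPE CODE chosen for this example; if you use a different code, use it on the
/* $KEY/TYPE line and in the REBUILD for this class as well.
/* A trailing '-' masks the remainder of the resource name.
/* The UID(*) ... ALLOW entries grant READ to every user (the equivalent of the RACF UACC(READ));
/* only xxxxADM gets SERVICE(DEL) on BIND.xxxxcell.SSRE-, everything else under CB.xxxxcell is prevented.
/* NOTE(review): ACF2 selects the most specific matching entry regardless of the order written here — confirm the intended precedence.
ACF
SET R(CBI)
COMPILE
$KEY(CB) TYPE(CBI)
xxxxcell.SSRE- UID(*) SERVICE(READ) ALLOW
xxxxcell.- UID(*) PREVENT
BIND.xxxxcell.SSRE- UID(*) SERVICE(READ) ALLOW
BIND.xxxxcell.SSRE- UID(uid of xxxxADM) SERVICE(DEL) ALLOW
BIND.xxxxcell.- UID(*) PREVENT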
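/* Defining SERVER CB.cluster.generic_server rules.
/* SVR is a NEW TYPE CODE chosen for this example; it must match the type used in the REBUILD
/* for the SERVER class at the end of this document.
/* Only xxxxADM may READ CB.<anything>.SSRE<...>; all other CB resources of this type are prevented.
ACF
SET R(SVR)
COMPILE
$KEY(CB) TYPE(SVR)
-.SSRE- UID(uid of xxxxADM) SERVICE(READ) ALLOW
-.SSRE- UID(*) PREVENT
- UID(*) PREVENT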
/* Authorize servants to WLM Services if WBI server.
/* BPX.WLMSERVER: needed only for a WBI server (per the header); READ for xxxxADM, prevented for everyone else.
ACF
SET R(FAC)
COMPILE
$KEY(BPX) TYPE(FAC)
WLMSERVER UID(uid of xxxxADM) SERVICE(READ) ALLOW
WLMSERVER UID(*) PREVENT
/* Second rule set in the same SET R(FAC) session: IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST
/* allow xxxxADM to list its keyring and certificates; everyone else is prevented.
/* NOTE(review): READ is the level that lets a user list its own ring — confirm the level your WAS release expects.
COMPILE
$KEY(IRR) TYPE(FAC)
DIGTCERT.LISTRING UID(uid of xxxxADM) SERVICE(READ) ALLOW
DIGTCERT.LISTRING UID(*) PREVENT
DIGTCERT.LIST UID(uid of xxxxADM) SERVICE(READ) ALLOW
DIGTCERT.LIST UID(*) PREVENT
/* Create CA Certificate for WebSphere Security Domain.
/* EXPIRE dates are yyyy/mm/dd; 2015/12/31 is a sample value (already in the past) — set a real future date.
/* No SIGNWITH is given, so this is presumably the self-signed signing CA for the domain; TRUST marks it trusted.
/* CN='####' and OU='####' are placeholders for your subject name.
/* NOTE(review): no SIZE() is given, so the key length is the product default — state it explicitly if your
/* standard requires a particular length (confirm the default for your release).
GENCERT CERTAUTH.certName SUBJSDN(CN='####' -
OU='####') LABEL(labelName) TRUST -
EXPIRE(2015/12/31)
/* Generating certificates for WebSphere servers
/* Signed by the CA above (SIGNWITH); a signed certificate's EXPIRE would normally not exceed the CA's.
GENCERT xxxxADM.CERT SUBJSDN(CN=####) -
LABEL(admcertLabelName) SIGNWITH(CERTAUTH.certName) EXPIRE(2015/12/31)
/* Creating SSL keyrings for WebSphere servers.
/* The keyring profile record is xxxxADM.RING; ringName is the name the WAS configuration refers to.
SET PROFILE(USER) DIV(KEYRING)
INSERT xxxxADM.RING RINGNAME(ringName)
/* Connecting Server Certificates to their keyrings.
/* DEFAULT USAGE(PERSONAL): xxxxADM.CERT becomes the ring's default (identity) certificate.
CONNECT CERTDATA(xxxxADM.CERT) KEYRING(xxxxADM.RING) DEFAULT USAGE(PERSONAL)
/* Connect WAS CA Certificates to Server's keyring.
/* USAGE(CERTAUTH): the domain CA is connected as a trust anchor for this ring.
CONNECT CERTDATA(CERTAUTH.certName) KEYRING(xxxxADM.RING) USAGE(CERTAUTH)
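/* Connect Commercial CAs to Server's keyring.
/* This assumes CERTDATA records have been inserted for each CERTAUTH.
/* CERTDATA(CERTAUTH) with LABEL(...) selects the CA record by label; "CA label name N" are placeholders.
/* Every CA connected with USAGE(CERTAUTH) becomes a trust anchor for this ring, so connect only the
/* CAs the servers actually need and delete the unused placeholder lines.
/* Operands are written in the same order on every line for readability (the order is not significant).
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 1) -
KEYRING(xxxxADM.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 2) -
KEYRING(xxxxADM.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 3) -
KEYRING(xxxxADM.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 4) -
KEYRING(xxxxADM.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 5) -
KEYRING(xxxxADM.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 6) -
KEYRING(xxxxADM.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 7) -
KEYRING(xxxxADM.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 8) -
KEYRING(xxxxADM.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 9) -
KEYRING(xxxxADM.RING) USAGE(CERTAUTH)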
/* Setting up EJBRoles Rules
/* One rule set keyed on the cell; each entry is a role name within xxxxcell.
/* xxxxADM holds the administrative roles and the CosNaming write/create/delete roles.
/* UID(*) entries (CosNamingRead, All#Role) grant READ to every user — the RACF UACC(READ) equivalent.
/* NOTE(review): there are no PREVENT entries, so any role not listed falls to the ACF2 default for an
/* unmatched resource (denied in ABORT mode) — confirm the mode in effect.
ACF
SET R(EJB)
COMPILE
$KEY(xxxxcell) TYPE(EJB)
administrator UID(uid of xxxxADM) SERVICE(READ) ALLOW
monitor UID(uid of xxxxADM) SERVICE(READ) ALLOW
configurator UID(uid of xxxxADM) SERVICE(READ) ALLOW
operator UID(uid of xxxxADM) SERVICE(READ) ALLOW
deployer UID(uid of xxxxADM) SERVICE(READ) ALLOW
CosNamingRead UID(*) SERVICE(READ) ALLOW
CosNamingWrite UID(uid of xxxxADM) SERVICE(READ) ALLOW
CosNamingCreate UID(uid of xxxxADM) SERVICE(READ) ALLOW
CosNamingDelete UID(uid of xxxxADM) SERVICE(READ) ALLOW
All#Role UID(*) SERVICE(READ) ALLOW
/* Define BBO.SYNC.xxxxcell.- and BBO.TRUSTEDAPPS.xxxxcell.- rules in the FACILITY type.
/* SYNC.xxxxcell.- is prevented for everyone; TRUSTEDAPPS.xxxxcell.- is READ for xxxxADM only.
ACF
SET R(FAC)
COMPILE
$KEY(BBO) TYPE(FAC)
SYNC.xxxxcell.- UID(*) PREVENT
TRUSTEDAPPS.xxxxcell.- UID(uid of xxxxADM) SERVICE(READ) ALLOW
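/* Multi-level Seclabel processing (omitted)
/* JG02 addition starts here */
/* Config logonid. GROUP(xxxxGRP) is the group created at the top of this document (the original
/* read nnnnGRP, which is defined nowhere). UID(nnnn) and FILEPROC(nnnnn) are placeholders;
/* NOTE(review): use a UID distinct from xxxxADM's unless sharing one z/OS UNIX identity is intended.
/* PASSWORD(your pswd) MAXDAYS(0) NOPSWD-EXP gives this id a password that is exempt from expiry.
/* NOTE(review): a non-expiring password on a service id should be an explicit policy decision; if xxxxCFG
/* never signs on interactively, RESTRICT (as used for xxxxADM) avoids holding a password at all — confirm
/* how WAS uses this id. LIDZMAX is kept as given in the original.
ACF
SET LID
INSERT xxxxCFG NAME(SSRE Config) PASSWORD(your pswd) GROUP(xxxxGRP) -
UID(nnnn) HOME(/tmp) OMVSPGM(/bin/sh) LIDZMAX MAXDAYS(0) NOPSWD-EXP -
FILEPROC(nnnnn)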
/* Generating certificate for SSRECFG
/* Signed by the domain CA (SIGNWITH). LABEL(DefaultWASCert.SSRE) is a literal label the WAS configuration
/* refers to; O=companyName and xxxxcell are placeholders. EXPIRE 2015/12/31 is a sample date — set a real one.
/* NOTE(review): the subject here is written with blank-separated, unquoted attributes, unlike the quoted
/* form used for the CA certificate — confirm which form your release accepts.
GENCERT xxxxCFG.CERT SUBJSDN(CN=xxxxCFG.SSRE O=companyName OU=xxxxcell) -
LABEL(DefaultWASCert.SSRE) SIGNWITH(CERTAUTH.certName) EXPIRE(2015/12/31)
/* Creating SSL keyrings for SSRE Config.
ACF
SET PROFILE(USER) DIV(KEYRING)
INSERT xxxxCFG.RING RINGNAME(ringName)
/* Connect CFG Certificate to its keyring.
/* DEFAULT USAGE(PERSONAL): xxxxCFG.CERT becomes the ring's default (identity) certificate.
CONNECT CERTDATA(xxxxCFG.CERT) KEYRING(xxxxCFG.RING) DEFAULT USAGE(PERSONAL)
/* Connect CA Signing Certificate to CFG keyring.
/* USAGE(CERTAUTH): the domain CA is connected as a trust anchor for this ring.
CONNECT CERTDATA(CERTAUTH.certName) KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)
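/* Connect Commercial CAs to CFG keyring.
/* Assumes CERTDATA records have been inserted for each CERTAUTH (as for the server keyring above).
/* Fixed: the entry for "CA label name 5" was missing the closing parenthesis after the label.
/* Every CA connected with USAGE(CERTAUTH) becomes a trust anchor for this ring, so connect only the
/* CAs actually needed and delete the unused placeholder lines.
/* Operands are written in the same order on every line for readability (the order is not significant).
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 1) -
KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 2) -
KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 3) -
KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 4) -
KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 5) -
KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 6) -
KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 7) -
KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 8) -
KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(CERTAUTH) LABEL(CA label name 9) -
KEYRING(xxxxCFG.RING) USAGE(CERTAUTH)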
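/* Define rule for starting SSRE (OPERCMDS MVS.START.STC.SSRE.*).
/* Added the COMPILE that every other rule set in this document has; without it the $KEY line is not rule input.
/* xxxxCFG gets UPDATE on START.STC.SSRE.-; everyone else is prevented.
/* NOTE(review): a STORE (or COMPILE * STORE) is needed to save the compiled rule set — confirm the convention used at your site.
ACF
SET R(OPR)
COMPILE
$KEY(MVS) TYPE(OPR)
START.STC.SSRE.- UID(*) PREVENT
START.STC.SSRE.- UID(uid of xxxxCFG) SERVICE(UPDATE) ALLOW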
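/* Rebuild Rules and OMVS Profiles (Assumes these type codes are in INFODIR)
/* These are MVS operator MODIFY commands issued from a console (or an equivalent such as SDSF), not ACF subcommands.
/* Fixed: the SERVER class rebuild used SRV, but the rule set above is TYPE(SVR); the type codes must match or the
/* SERVER rules are never rebuilt. CLASS(P) selects the profile records (USR, GRP); F ACF2,OMVS rebuilds the OMVS tables.
F ACF2,REBUILD(APL)
F ACF2,REBUILD(FAC)
F ACF2,REBUILD(EJB)
F ACF2,REBUILD(CBI)
F ACF2,REBUILD(SVR)
F ACF2,REBUILD(OPR)
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,REBUILD(GRP),CLASS(P)
F ACF2,OMVS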