Is there an ACF2 equivalent script to the RACF PKI Authorization script?

Is there an ACF2 equivalent script to the RACF PKI Authorization script?


Article ID: 12312


Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction



Is there an ACF2 equivalent script to the RACF PKI Authorization script?

Environment

Release:
Component: ACF2MS

Resolution

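//PKIACF JOB your standard job card information
//*=============================================================
//*
//* PKIACF       Commands for configuring PKI authorization
//*
//* Notes:
//*
//* 1) The following Sample job includes the RACF comments and
//*    RACF commands as comments ('*' in column 1) followed by
//*    the ACF2 equivalent commands.
//* 2) The UID string in rules that are created and modified
//*    must be updated to conform to a site's UID string for
//*    the logonids as identified by:
//*    "UID(UID string for WSSR1)".
//* 3) There is no logonid for RACF GROUP PKIGRP
//*    Any rules with "UID(UID string for PKIGRP)" should be
//*    updated to conform to a site's UID string to include any
//*    logonid UID string that is associated with GROUP PKIGRP.
//* 4) PASSWORD(******) on the EXPORT commands is a placeholder
//*    for the site's PKCS#12 password. The exported P12BIN data
//*    sets hold private key material (their DSNs name them
//*    KEY.BACKUP / RAKEY.BACKUP), so the real password must not
//*    be left in this job stream or in its SYSPRINT output.
//* 5) Certificate EXPIRE dates, subject names and the host name
//*    in the WEBSRV certificate are sample values taken from the
//*    RACF job and must be replaced with site values.
//*
//*=============================================================
//STEP1  EXEC PGM=ACFBATCH
//SYSPRINT DD  SYSOUT=*
//SYSIN    DD  *
**************
* PKI authorization
* Creating users and groups ...
* ADDUSER  PKISRVD name('PKI Srvs Daemon')  nopassword  omvs(uid(554)
*    assize(256000000)  threads(512))
* ADDUSER  PKISERV nopassword   omvs(uid(555))
*    name('PKI Srvs Surrogate')
* ADDGROUP  PKIGRP OMVS(GID(655))
*
**************
* NOTE: RESTRICT is the ACF2 counterpart used here for the RACF
* nopassword attribute on both logonids. The OMVS uid/gid values
* (554, 555, 655) are carried over unchanged from the RACF sample.
*
SET LID
INSERT PKISRVD NAME(PKI Srvs Daemon) RESTRICT UID(554) -
 ASSIZE(256000000) THREADS(512)
INSERT PKISERV RESTRICT UID(555) NAME(PKI Srvs Surrogate)
SET PROFILE(GROUP) DIV(OMVS)
INSERT PKIGRP GID(655)
*
*************
*
* SETROPTS EGN GENERIC(DATASET)
* ADDSD 'PKISRVD.**' UACC(NONE)
* PERMIT 'PKISRVD.**' ID(PKISRVD) ACCESS(ALTER)
*
**************
* NOTE: the '-' mask in the PKISRVD rule covers every PKISRVD.*
* data set (the RACF 'PKISRVD.**' profile), which includes the
* P12BIN key backups exported further down, not only the PKI
* VSAM databases.
*
SET RULE
RECKEY PKISRVD ADD( - UID(UID string for PKISRVD) ALLOC(A))
*
**************
*
* Allowing administrators to access PKI VSAM databases ...
* PERMIT 'PKISRVD.**' ID(PKIGRP) ACCESS(CONTROL)
* SETROPTS GENERIC(DATASET) REFRESH
*
**************
* NOTE: this grants the PKIGRP UID string WRITE on the same '-'
* mask, so administrators also reach the key backup data sets.
* Use a narrower mask for this line if they should only see the
* VSAM databases.
*
SET RULE
RECKEY PKISRVD ADD( - UID(UID string for PKIGRP) WRITE(A))
*
**************
*
* Creating the CA certificate ...
* RACDCERT GENCERT CERTAUTH SUBJECTSDN(OU('ROOTCA ITSO PKI Red Book')
*  O('IBM') C('US'))  WITHLABEL('ROOTCA PKI CA')
*  NOTAFTER(DATE(2035/11/17)) SIZE(2048)
*
**************
* NOTE: the RACF sample places 'ROOTCA ITSO PKI Red Book' in OU;
* this ACF2 command places it in CN. Adjust if the CA subject
* must match the RACF one exactly.
*
GENCERT CERTAUTH.ROOTCA -
SUBJ(CN='ROOTCA ITSO PKI Red Book' O='IBM' C='US') -
LABEL(ROOTCA PKI CA) EXPIRE(11/17/2035) SIZE(2048)
*
**************
*
* Backing up the CA certificate ...
* RACDCERT CERTAUTH EXPORT(LABEL('ROOTCA PKI CA'))
* DSN('PKISRVD.ROOTCA.KEY.BACKUP.P12BIN') FORMAT(PKCS12DER)
* PASSWORD('******')
*
**************
* NOTE: the PKCS12DER backup carries the CA private key (the DSN
* names it KEY.BACKUP); replace ****** with the site password and
* keep the data set under the PKISRVD dataset rules above.
*
EXPORT CERTAUTH.ROOTCA DSN('PKISRVD.ROOTCA.KEY.BACKUP.P12BIN') -
 FORMAT(PKCS12DER)  PASSWORD(******)
*
**************
*
* Marking CA certificate as HIGHTRUST ...
* RACDCERT CERTAUTH ALTER(LABEL('ROOTCA PKI CA')) HIGHTRUST
*
**************
* NOTE: RACF HIGHTRUST is rendered here as TRUST; confirm in the
* ACF2 CERTDATA documentation whether a higher trust setting is
* required for the PKI Services CA at this site.
*
SET PROFILE(USER) DIV(CERTDATA)
CHANGE CERTAUTH.ROOTCA TRUST
*
**************
*
* Saving the CA certificate to a data set ...
* RACDCERT CERTAUTH EXPORT(LABEL('ROOTCA PKI CA'))
* DSN('PKISRVD.ROOTCA.CACERT.DERBIN') FORMAT(CERTDER)
*
**************
* NOTE: CERTDER output is the public certificate only; no
* password is needed for this export.
*
EXPORT CERTAUTH.ROOTCA DSN('PKISRVD.ROOTCA.CACERT.DERBIN') -
FORMAT(CERTDER)
*
**************
*
* Creating the RA certificate ...
* RACDCERT ID(PKISRVD) GENCERT
* SUBJECTSDN(CN('Registration Authority')
* OU('ROOTCA ITSO PKI Red Book') O('IBM') C('US'))
* KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH LABEL('ROOTCA PKI CA'))
* NOTAFTER(DATE(2035/11/17)) WITHLABEL('ROOTCA PKI RA')
*
**************
* NOTE: EXPIRE follows the RACF NOTAFTER(DATE(2035/11/17)) above;
* set it to the site's RA validity period. SIZE(2048) is given
* explicitly here, the RACF command specifies no SIZE.
*
GENCERT PKISRVD.CERT SUBJ(CN='Registration Authority' -
OU='ROOTCA ITSO PKI Red Book' O='IBM' C='US') -
LABEL(ROOTCA PKI RA) SIGNWITH(certauth Label(ROOTCA PKI CA)) -
EXPIRE(11/17/2035) KEYUSAGE(HANDSHAKE) SIZE(2048)
*
**************
*
* Backing up RA certificate ...
* RACDCERT ID(PKISRVD) EXPORT(LABEL('ROOTCA PKI RA'))
* DSN('PKISRVD.ROOTCA.RAKEY.BACKUP.P12BIN') FORMAT(PKCS12DER)
* PASSWORD('******')
*
**************
* NOTE: same handling as the CA backup: the P12BIN data set holds
* the RA private key; replace ****** with the site password.
*
EXPORT PKISRVD.CERT DSN('PKISRVD.ROOTCA.RAKEY.BACKUP.P12BIN') -
 FORMAT(PKCS12DER)  PASSWORD(******)
*
**************
*
* Creating the PKI Services keyring ...
* RACDCERT ADDRING(CAring.ROOTCA) ID(PKISRVD)
* RACDCERT ID(PKISRVD) CONNECT(CERTAUTH  LABEL('ROOTCA PKI CA')
*   RING(CAring.ROOTCA) USAGE(PERSONAL) DEFAULT)
* RACDCERT ID(PKISRVD) CONNECT(LABEL('ROOTCA PKI RA')
*   RING(CAring.ROOTCA) USAGE(PERSONAL))
*
**************
* NOTE: PKISRVD.RING is the KEYRING record; RINGNAME carries the
* ring name from the RACF ADDRING. The CA certificate is connected
* as the DEFAULT certificate, the RA certificate as PERSONAL only.
*
SET PROFILE(USER) DIV(KEYRING)
INSERT PKISRVD.RING RINGNAME(CAring.ROOTCA)
CONNECT CERTDATA(CERTAUTH.ROOTCA) KEYRING(PKISRVD.RING) -
 USAGE(PERSONAL) DEFAULT
CONNECT CERTDATA(PKISRVD.CERT) KEYRING(PKISRVD.RING) USAGE(PERSONAL)
*
**************
*
* Creating the Webserver SSL certificate and keyring ...
* RACDCERT GENCERT ID(WEBSRV)
*  SIGNWITH(CERTAUTH  LABEL('ROOTCA PKI CA'))  WITHLABEL('SSL Cert')
*  SUBJECTSDN(CN('wtscnet.itso.ibm.com') O('IBM') L('Poughkeepsie')
*  SP('New York') C('US'))  NOTAFTER(DATE(2020/11/17))
* RACDCERT ADDRING(SSLring) ID(WEBSRV)
* RACDCERT  ID(WEBSRV) CONNECT(ID(WEBSRV)  LABEL('SSL Cert')
*  RING(SSLring) USAGE(PERSONAL) DEFAULT)
* RACDCERT  ID(WEBSRV) CONNECT(CERTAUTH  LABEL('ROOTCA PKI CA')
*  RING(SSLring))
**************
* NOTE: wtscnet.itso.ibm.com and the L/SP values are sample
* subject fields; replace them with the web server's own host
* name and location. EXPIRE(11/17/2020) matches the RACF NOTAFTER
* and must also be set to the site's validity period.
*
GENCERT WEBSRV.CERT SUBJ(CN='wtscnet.itso.ibm.com' O='IBM' -
L='Poughkeepsie' SP='New York' C='US') -
LABEL(SSL Cert) SIGNWITH(certauth Label(ROOTCA PKI CA)) -
EXPIRE(11/17/2020) SIZE(2048)
*
* NOTE: the CA is connected to SSLring with USAGE(CERTAUTH); the
* RACF CONNECT above names no USAGE for it. The server certificate
* is the ring's DEFAULT.
*
SET PROFILE(USER) DIV(KEYRING)
INSERT WEBSRV.RING RINGNAME(SSLring)
CONNECT CERTDATA(CERTAUTH.ROOTCA) KEYRING(WEBSRV.RING) -
USAGE(CERTAUTH)
CONNECT CERTDATA(WEBSRV.CERT) KEYRING(WEBSRV.RING) USAGE(PERSONAL) -
 DEFAULT
*
**************
*
* Saving the webserver's root CA certificate to a  data set for OPUT
* RACDCERT CERTAUTH EXPORT(LABEL('ROOTCA PKI CA'))
*  DSN('PKISRVD.ROOTCA.WEBROOT.DERBIN') FORMAT(CERTDER)
*
**************
*
EXPORT CERTAUTH.ROOTCA DSN('PKISRVD.ROOTCA.WEBROOT.DERBIN') -
FORMAT(CERTDER)
*
**************
*
* Giving PKISRVD access to BPX.SERVER ...
* RDEFINE FACILITY BPX.SERVER
* PERMIT BPX.SERVER CLASS(FACILITY)  ID(PKISRVD) ACCESS(READ)
*
**************
* NOTE: F ACF2,REBUILD(FAC) rebuilds the resident FAC rules so the
* new rule takes effect; it is repeated after every FAC change
* below.
*
SET RESOURCE(FAC)
RECKEY BPX ADD( SERVER UID(UID string for PKISRVD) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
*
**************
*
* Allowing the PKI Services daemon to act as a CA ..
* RDEFINE FACILITY IRR.DIGTCERT.GENCERT
* RDEFINE FACILITY IRR.DIGTCERT.LISTRING
* PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY)  ID(PKISRVD)
*  ACCESS(CONTROL)
* PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY)  ID(PKISRVD)
*  ACCESS(READ)
*
**************
* NOTE: in this sample RACF ACCESS(CONTROL) is rendered as
* SERVICE(DELETE), here and in the IRR.RPKISERV rule below, and
* ACCESS(READ) as SERVICE(READ). Confirm this mapping against the
* site's FAC rule conventions before submitting.
*
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.GENCERT UID(UID string for PKISRVD) -
 SERVICE(DELETE) ALLOW)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for PKISRVD) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
*
**************
*
* Allowing the Webserver to access its keyring ...
* PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY)  ID(WEBSRV)
* ACCESS(READ)
*
**************
*
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for WEBSRV) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
*
**************
*
* Allowing the Webserver to switch identity to PKISERV ...
* SETROPTS CLASSACT(SURROGAT)
* RDEFINE SURROGAT BPX.SRV.PKISERV
* PERMIT BPX.SRV.PKISERV CLASS(SURROGAT)  ID(WEBSRV) ACCESS(READ)
* SETROPTS RACLIST(SURROGAT) REFRESH
*
**************
* NOTE: this SUR rule lets the WEBSRV UID string switch identity
* to PKISERV (BPX.SRV.PKISERV); keep the UID string limited to the
* web server logonid.
*
SET RESOURCE(SUR)
RECKEY BPX ADD( SRV.PKISERV UID(UID string for WEBSRV) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(SUR)
*
**************
*
* Allowing the PKI Services daemon to use ICSF ...
* SETROPTS  GENERIC(CSFKEYS CSFSERV)
* SETROPTS  GENERIC(CSFKEYS CSFSERV) REFRESH
* RDEFINE CSFKEYS IRR.DIGTCERT.CERTIFAUTH.* UACC(NONE)
* PERMIT IRR.DIGTCERT.CERTIFAUTH.* CLASS(CSFKEYS)  ID(PKISRVD)
*  ACCESS(READ)
* SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)
* SETROPTS RACLIST(CSFKEYS) REFRESH
*
**************
* Because the CSFKEYS class is defined with the SAF code, you may
* wish to override the definition with a CLASMAP record.
*
SET CONTROL(GSO)
INSERT CLASMAP.CSFKEYS RESOURCE(CSFKEYS) RSRCTYPE(CSF)
F ACF2,REFRESH(CLASMAP)
*
* NOTE: the trailing '-' in DIGTCERT.CERTIFAUTH.- is the ACF2 mask
* for the RACF IRR.DIGTCERT.CERTIFAUTH.* generic profile.
*
SET RESOURCE(CSF)
RECKEY IRR ADD( DIGTCERT.CERTIFAUTH.- UID(UID string for PKISRVD) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(CSF)
*
**************
*
* Creating the STARTED class profile for the daemon ...
* RDEFINE STARTED PKISERVD.* STDATA(USER(PKISRVD))
* SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
* SETROPTS RACLIST(STARTED) REFRESH
*
**************
* NOTE: the STC record maps started task PKISERVD (RACF STARTED
* PKISERVD.*) to logonid PKISRVD; F ACF2,REFRESH(STC) activates
* the GSO change.
*
SET CONTROL(GSO)
INSERT STC.PKISRVD LOGONID(PKISRVD) STCID(PKISERVD)
F ACF2,REFRESH(STC)
*
**************
*
* Allowing PKISERV to request certificate functions ...
* SETR GENERIC(FACILITY)
* RDEFINE FACILITY IRR.RPKISERV.*.ROOTCA
* PERMIT IRR.RPKISERV.*.ROOTCA CLASS(FACILITY)  ID(PKISERV)
*  ACCESS(CONTROL)
*
**************
* NOTE: RPKISERV.-.ROOTCA masks the middle qualifier as the RACF
* IRR.RPKISERV.*.ROOTCA generic profile does; CONTROL is again
* rendered as SERVICE(DELETE).
*
SET RESOURCE(FAC)
RECKEY IRR ADD( RPKISERV.-.ROOTCA UID(UID string for PKISERV) -
SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(FAC)
*
**************
*
* Creating the profile to protect PKI Admin functions ...
* RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.ROOTCA
* PERMIT IRR.RPKISERV.PKIADMIN.ROOTCA CLASS(FACILITY) ID(PKIGRP)
*  ACCESS(UPDATE)
* PERMIT IRR.RPKISERV.PKIADMIN.ROOTCA CLASS(FACILITY) ID(PKISERV)
*  ACCESS(NONE)
* SETROPTS RACLIST(FACILITY) REFRESH
*
**************
* NOTE: the PREVENT entry for the PKISERV UID string is the RACF
* ACCESS(NONE) permit. It is intended to keep the surrogate
* logonid out of the admin functions although the masked
* RPKISERV.-.ROOTCA entry above would otherwise cover
* PKIADMIN.ROOTCA for PKISERV; verify the resulting access with
* an ACF2 rule test before relying on it.
*
SET RESOURCE(FAC)
RECKEY IRR ADD( RPKISERV.PKIADMIN.ROOTCA -
UID(UID string for PKIGRP) SERVICE(UPDATE) ALLOW)
RECKEY IRR ADD( RPKISERV.PKIADMIN.ROOTCA -
 UID(UID string for PKISERV) PREVENT)
F ACF2,REBUILD(FAC)
*
**************
//*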