Top Secret RACF conversion for build new WAS v9.0 WXCELL TopSecret rules
Article ID: 123176
Updated On:
Products
Top Secret
Top Secret - LDAP
Issue/Introduction
Looking for the Top Secret equivalence to the RACF commands in the WAS v9.0 REXX
Environment
Release:
Component: TSSMVS
Component: TSSMVS
Resolution
/* REXX */
/* ================================================================ */
/* */
/* COPYRIGHT = */
/* Licensed Material - Property of IBM */
/* */
/* 5724-I63, 5724-H88, 5655-N01, 5733-W61 */
/* (C) Copyright IBM Corp. 1999, 2013 */
/* All Rights Reserved */
/* US Government Users Restricted Rights - Use, duplication or */
/* disclosure restricted by GSA ADP Schedule Contract with IBM Corp.*/
/* */
/* ================================================================ */
/* File tailored on 2018/11/15 at 14:05 by D4355 */
/* WCT version 9.0.0.9 build cf091835.01 */
/* ================================================================ */
say 'WebSphere Application Server RACF Setup'
say '-- Management'
say '-- Cell name:' WXCELL
say '-- Server name:' WXDMGR
say '-- Config group:' WXCFG
say '-- Generated on 2018/11/15 at 14:05'
/* ---------------------------------------------------------------- */
/* Determines RACF certificate size. */
/* ---------------------------------------------------------------- */
certsize = "2048"
if syscalls('ON')<4 then
do
address syscall 'uname uts.'
say '-- Machine: ' uts.U_MACHINE
if uts.U_MACHINE < "2084" then certsize = "1024"
call syscalls('OFF')
end
else say 'Unable to establish the SYSCALL environment'
say '-- Certificate size: ' certsize
trace commands
/* ---------------------------------------------------------------- */
/* Activates all RACF classes which are needed regardless of */
/* which WebSphere security scheme is chosen. */
/* ---------------------------------------------------------------- */
say 'Activating RACF classes which are needed regardless of security scheme.'
"SETROPTS CLASSACT(SERVER)"
say
"SETROPTS RACLIST(SERVER) GENERIC(SERVER)"
say
"SETROPTS CLASSACT(STARTED)"
say
"SETROPTS RACLIST(STARTED) GENERIC(STARTED)"
say
"SETROPTS CLASSACT(FACILITY)"
say
"SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)"
say
"SETROPTS GRPLIST"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* Defines the WebSphere configuration group */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere configuration group.'
"ADDGROUP WXCFG OMVS(GID(90010))"
Say
TSS CREATE(WXCFG) TYPE(GROUP) NAME(‘configuration group’) GID(90010)
/* ---------------------------------------------------------------- */
/* Defines the WebSphere servant group */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere servant region group.'
"ADDGROUP WXSRVG OMVS(GID(90011))"
say
TSS CREATE(WXSRVG) TYPE(GROUP) NAME(‘servant region group’) GID(90011)
/* ---------------------------------------------------------------- */
/* Defines the WebSphere unauthenticated group */
/* ---------------------------------------------------------------- */
say 'Creates group for WebSphere unauthenticated userid.'
"ADDGROUP WXGUESTG OMVS(GID(90012))"
say
TSS CREATE(WXGUESTG) TYPE(GROUP) NAME(‘unauthenticated userid’) GID(90012)
/* ---------------------------------------------------------------- */
/* Defines the WebSphere controller user ID */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere controller user ID.'
"ADDUSER WXACRU DFLTGRP(WXCFG) OMVS(UID(90013) HOME(/wasv9config/wxcell/home/" || ,
"WXCFG) PROGRAM(/bin/sh)) NAME('WAS CR OWNER') NOPASSWORD NOOIDCARD"
say
"TSS CREATE(WXACRU) DFLTGRP(WXCFG) HOME(/wasv9config/wxcell/home/WXCFG),”
"FAC(IMWEB) OMVSPGM(/bin/sh) NAME('WAS CR OWNER')",
"DEPT(WASDEPT) PASS(WXACRU,0)"
"TSS ADDTO(WXACRU) UID(90013) GROUP(WXCFG)"
/* ---------------------------------------------------------------- */
/* Defines the WebSphere servant user ID and connects it to the */
/* configuration group */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere servant user ID.'
"ADDUSER WXASRU DFLTGRP(WXSRVG) OMVS(UID(90014)" || ,
" HOME(/wasv9config/wxcell/home/WXSRVG) PROGRAM(/bin/sh)) NAME('WAS APPSVR SR')" || ,
" NOPASSWORD NOOIDCARD"
say
"TSS CREATE(WXASRU) DFLTGRP(WXSRVG) HOME(/wasv9config/wxcell/home/WXSRVG),”
"FAC(IMWEB) OMVSPGM(/bin/sh) NAME('WAS APPSVR SR')",
"DEPT(WASDEPT) PASS(WXACRU,0)"
"TSS ADDTO(WXASRU) UID(90014) GROUP(WXSRVG)"
say 'Connecting servant to the WebSphere configuration group. '
"CONNECT WXASRU GROUP(WXCFG)"
say
say 'Allow 10000 concurrently open files.'
"ALU WXASRU OMVS(FILEPROC(10000))"
say
"TSS ADD(WXASRU) OEFILEP(10000)"
/* ---------------------------------------------------------------- */
/* Defines the WebSphere administrator user ID */
/* ---------------------------------------------------------------- */
say 'Adding WebSphere administrator user ID'
"ADDUSER WXADMIN DFLTGRP(WXCFG) OMVS(UID(90011)" || ,
" HOME(/wasv9config/wxcell/home/WXCFG) PROGRAM(/bin/sh)) NAME('WAS ADMINISTRATOR') " || ,
" NOPASSWORD NOOIDCARD"
say
"TSS CREATE(WXADMIN) DFLTGRP(WXCFG) HOME(/wasv9config/wxcell/home/WXCFG),”
"FAC(IMWEB) OMVSPGM(/bin/sh) NAME('WAS ADMINISTRATOR')",
"DEPT(WASDEPT) PASS(WXADMIN,0)"
"TSS ADDTO(WXASRU) UID(90011) GROUP(WXCFG)"
/* ---------------------------------------------------------------- */
/* Defines a user ID to be used for unauthenticated requests. */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere unauthenticated user ID'
"ADDUSER WXGUEST RESTRICTED DFLTGRP(WXGUESTG) " || ,
"OMVS(UID(90012) HOME(/wasv9config/wxcell/home/WXGUESTG) " || ,
"PROGRAM(/bin/sh)) NAME('WAS DEFAULT USER') NOPASSWORD NOOIDCARD"
say
"TSS CREATE(WXGUEST) DFLTGRP(WXGUESTG) HOME(/wasv9config/wxcell/home/WXGUESTG),”
"FAC(IMWEB) OMVSPGM(/bin/sh) NAME('WAS DEFAULT USER')",
"DEPT(WASDEPT) PASS(WXGUEST,0)"
"TSS ADDTO(WXGUEST) UID(90012) GROUP(WXGUESTG)"
/* ---------------------------------------------------------------- */
/* Synch to OS Thread setup */
/* ---------------------------------------------------------------- */
say 'Creating Sync-to-thread profile '
say 'Used for: Enabling Sync-to-thread. '
say 'Controller region user ID needs READ or CONTROL access to enable Sync-to-thread. '
say 'With READ access, only security environments representing users in the SURROGATE class are allowed, while CONTROL allows for security environments to represent any user. '
"RDEFINE FACILITY BBO.SYNC.WXCELL.** UACC(NONE)"
say
/* ---------------------------------------------------------------- */
/* Trusted applications setup */
/* ---------------------------------------------------------------- */
say 'Creating EnableTrustedApplications profile '
say 'Used for: Allowing applications to perform operations normally reserved for privileged users. '
"RDEFINE FACILITY BBO.TRUSTEDAPPS.WXCELL.** UACC(NONE)"
Say
“TSS ADD(owningacid) IBMFAC(BBO.)”
say 'Permit default WAS Configuration group to EnableTrustedApplications profile. '
"PERMIT BBO.TRUSTEDAPPS.WXCELL.** " || ,
" CLASS(FACILITY) ID(WXCFG) ACCESS(READ)"
say
“TSS PER(WXCFG) IBMFAC(BBO.TRUSTEDAPPS. WXCELL.**) ACC(READ)”
/* ---------------------------------------------------------------- */
/* CLASS = SERVER */
/* PROFILE = CB.<cluster>.<generic server> */
/* Used for: Determining if a servant region can initialize */
/* ---------------------------------------------------------------- */
say 'Defining SERVER CB.cluster.generic_server '
say 'Used for determining if a servant region can initialize.'
"RDEFINE SERVER CB.* UACC(NONE)"
say
"RDEFINE SERVER CB.*.WXDMGR.* UACC(NONE)"
say
say 'Permitting SERVER class access. '
"PERMIT CB.*.WXDMGR.* CLASS(SERVER) ID(WXASRU) ACC(READ)"
Say
"TSS ADD(WASDEPT) SERVER(CB.)"
"TSS PER(WXASRU) SERVER(CB.*. WXDMGR.*) ACC(READ)"
"SETROPTS RACLIST(SERVER) GENERIC(SERVER) REFRESH"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* AsynchBeans for z/OS, require servants to have access to WLM */
/* services. */
/* ---------------------------------------------------------------- */
say 'Authorize servants to use WLM Services'
"RDEFINE FACILITY (BPX.WLMSERVER) UACC(NONE)"
say
"TSS ADD(WASDEPT) IBMFAC(BPX.)"
"PERMIT BPX.WLMSERVER ACCESS(READ) ID(WXSRVG) CL(FACILITY)"
say
"TSS PER(WXSRVG) IBMFAC(BPX.WLMSERVER) ACC(READ)"
/* ---------------------------------------------------------------- */
/* Creates STARTED task profiles for each runtime server identity */
/* ---------------------------------------------------------------- */
say 'Assigning user IDs to started tasks. '
say 'Assign daemon ID to started task'
"RDEFINE STARTED WXDEMN.* STDATA(USER(WXACRU) " || ,
"GROUP(WXCFG) TRACE(YES))"
Say
"TSS ADD(STC) PROCNAME(WXDEMN) ACID(WXACRU)"
say 'Assign controller ID to started task'
"RDEFINE STARTED WXDCR.* STDATA(USER(WXACRU) " || ,
"GROUP(WXCFG) TRACE(YES))"
Say
"TSS ADD(STC) PROCNAME(WXDCR) ACID(WXACRU)"
say 'Assign servant ID to started task'
"RDEFINE STARTED WXDMGRS.* STDATA(USER(WXASRU) " || ,
"GROUP(WXCFG) TRACE(YES))"
say
"TSS ADD(STC) PROCNAME(WXDMGRS) ACID(WXACRU)"
"SETROPTS RACLIST(STARTED) GENERIC(STARTED) REFRESH"
say
there is not a TSS equivalent.
/* --------------------------------------------------------------------- */
/* CLASS=CBIND */
/* OS/390 WebSphere PROFILES */
/* --------------------------------------------------------------------- */
/* CLASS = CBIND */
/* PROFILE = CB.BIND.<cluster name> */
/* (CB.BIND.CLUSTER) */
/* Used for: determining if a client can "BIND" (access) a controller */
/* region. */
/* Notes: */
/* 1. Any userid can gain access to the controller region if it has READ */
/* access to the CB.BIND.cluster_name profile. */
/* 2. A userid can still gain access to the Controller Region if the */
/* session owner has control access. */
/* 3. Within a local session (or SSL client certificate session) */
/* the session owner is the userid of the client or controller */
/* region (if server-as-client) that issued the message. */
/* Otherwise, ownership is assigned to the first userid which */
/* has successfully accessed the controller region. */
/* --------------------------------------------------------------------- */
"SETROPTS CLASSACT(CBIND)"
say
"SETROPTS RACLIST(CBIND) GENERIC(CBIND)"
say
say 'Define and permit CB.BIND.<cluster name> profile to CBIND class'
say 'Used for determining if a client can access a controller region'
say 'Any userid can gain access to the controller region if it has READ access to the CB.BIND.cluster_name profile'
"RDEFINE CBIND CB.BIND.WXCELL.** UACC(READ)"
"PERMIT CB.BIND.WXCELL.** CLASS(CBIND) ID(WXCFG) ACCESS(CONTROL)"
Say
"TSS ADD(WASDEPT) CBIND(CB.)"
"TSS PER(WXCFG) CBIND(CB.BIND. WXCELL.**) ACCESS(CONTROL)"
"SETROPTS RACLIST(CBIND) REFRESH"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* Activating additional RACF classes used by WebSphere for z/OS */
/* security. */
/* ---------------------------------------------------------------- */
say 'Activating classes needed only for z/OS security. '
"SETROPTS CLASSACT(SURROGAT) GENERIC(SURROGAT)"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* RACF CLASS = EJBROLE */
/* Used for: EJB Role Access. Needed for SAF Authorization */
/* */
/* The EJBROLE class is used to control access to roles. */
/* The Administrative roles are for access to functions in the */
/* administrative console and the wsadmin scripting interface. The */
/* Naming roles are for access to the JNDI namespace */
/* ---------------------------------------------------------------- */
say 'Setting up EJBRoles Profiles for admin roles when using SAF authorization'
"SETROPTS CLASSACT(EJBROLE)"
say
there is not a TSS equivalent.
"SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)"
say
there is not a TSS equivalent.
say 'Defining and Permitting EJBROLE Administrative profiles...'
"RDEFINE EJBROLE WXCELL.administrator UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.iscadmins UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.auditor UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.monitor UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.configurator UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.operator UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.deployer UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.adminsecuritymanager UACC(NONE)"
say
"TSS ADD(WASDEPT) EJBROLE(WXCELL.)"
"PERMIT WXCELL.adminsecuritymanager CLASS(EJBROLE) ID(WXADMIN) ACCESS(READ)"
Say
"TSS PER(WXADMIN) EJBROLE(WXCELL.adminsecuritymanager)"
"PERMIT WXCELL.administrator CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.administrator)"
"PERMIT WXCELL.iscadmins CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.iscadmins)"
"PERMIT WXCELL.auditor CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.auditor)"
say 'Defining and Permitting EJBROLE Naming profiles...'
"RDEFINE EJBROLE WXCELL.CosNamingRead UACC(READ)"
say
"PERMIT WXCELL.CosNamingRead CLASS(EJBROLE) ID(WXGUEST) ACCESS(READ)"
say
"TSS PER(WXGUEST) EJBROLE(WXCELL.CosNamingRead)"
"RDEFINE EJBROLE WXCELL.CosNamingWrite UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.CosNamingCreate UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.CosNamingDelete UACC(NONE)"
say
"PERMIT WXCELL.CosNamingWrite CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.CosNamingWrite)
"PERMIT WXCELL.CosNamingCreate CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.CosNamingCreate)
"PERMIT WXCELL.CosNamingDelete CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.CosNamingDelete)
"RDEFINE EJBROLE WXCELL.scaAllAuthorizedUsers UACC(READ)"
say
say 'EJBROLE class refresh'
"SETROPTS RACLIST(EJBROLE) REFRESH"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* RACF CLASS = APPL */
/* */
/* The APPL Class profile controls whether an authenticated user */
/* can access any application in a cell. */
/* */
/* PERMIT WXCELL CLASS(APPL) ID(all userids) ACCESS(READ) */
/* ---------------------------------------------------------------- */
say 'Defining and Permitting APPL profiles...'
say 'Used to control client access to a WebSphere Application Server for z/OS cell or group of cells.'
"RDEFINE APPL WXCELL UACC(NONE)"
say
"TSS ADD(WASDEPT) APPL(WXCELL)"
"PERMIT WXCELL CLASS(APPL) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) APPL(WXCELL)"
"PERMIT WXCELL CLASS(APPL) ID(WXGUEST) ACCESS(READ)"
say
"TSS PER(WXGUEST) APPL(WXCELL)"
say 'APPL class refresh'
"SETROPTS RACLIST(APPL) REFRESH"
say
say 'Defines permissions to work with certificates'
"RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)"
Say
"TSS ADD(WASDEPT) IBMFAC(IRR.)"
"RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)"
say
"PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WXCFG) ACC(READ)"
Say
"TSS PER(WXCFG) IBMFAC(IRR.DIGTCERT.LIST) ACC(READ)"
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WXCFG) ACC(READ)"
say
"TSS PER(WXCFG) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(READ)"
/* ---------------------------------------------------------------- */
/* SSL SET-UP */
/* This sets up the required WebSphere certificates and key rings. */
/* See "RACF Security Administrator's Guide" for more information */
/* on Digital Certificates. */
/* ---------------------------------------------------------------- */
/* ---------------------------------------------------------------- */
/* Creates WebSphere controller keyring */
/* ---------------------------------------------------------------- */
say 'Creates SSL keyring for WXACRU user id'
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL)" || ,
" ID(WXACRU)"
say
say 'Creates personal certificate for WXACRU user id'
"RACDCERT ID (WXACRU) GENCERT SUBJECTSDN(CN('syshost.ftb.ca.gov') " || ,
" O('IBM') OU('WXCELL'))" || ,
" WITHLABEL('DefaultWASCert.WXCELL')" || ,
" SIGNWITH(CERTAUTH LABEL('PKICRTCT'))" || ,
" SIZE(" || certsize || ")" ,
" NOTAFTER(DATE(2026/01/06))"
say
"TSS GENCERT(CERTAUTH) DIGICERT(WAS90CA)",
"SUBJECTN('CN=”'syshost.ftb.ca.gov'OU='WXCELL'O="IBM" ’)",
"SIGNWITH(CERTAUTH,PKICRTCT)",
"LABLCERT('DefaultWASCert.WXCELL'),
NADATE(01/06/26)
say 'Connects personal certificate to WXACRU keyring '
"RACDCERT ID(WXACRU) CONNECT (LABEL('DefaultWASCert.WXCELL') " || ,
"RING(WASKeyring.WXCELL)" || ,
" DEFAULT)"
say
"TSS ADD(WXACRU) KEYRING(WAS90KR) RINGDATA(CERTSITE,DFWAS90C) DEFAULT"
say 'Connects WebSphere CA Certificate to WXACRU keyring'
"RACDCERT ID(WXACRU) CONNECT " || ,
"(RING(WASKeyring.WXCELL)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
/* ---------------------------------------------------------------- */
/* Creates WebSphere servant keyring */
/* ---------------------------------------------------------------- */
say 'Creates SSL keyring for WXASRU user id'
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL)" || ,
" ID(WXASRU)"
TSS ADD(WXASRU) KEYRING(WAS90KR) LABLRING(WASKeyring.WXCELL)
say 'Connects WebSphere CA Certificate to WXASRU keyring'
"RACDCERT ID(WXASRU) CONNECT " || ,
"(RING(WASKeyring.WXCELL)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
/* ---------------------------------------------------------------- */
/* Creates WebSphere administrator keyring */
/* ---------------------------------------------------------------- */
say 'Creates SSL keyring for WXADMIN user id'
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL)" || ,
" ID(WXADMIN)"
say
say 'Connects WebSphere CA Certificate to WXADMIN keyring'
"RACDCERT ID(WXADMIN) CONNECT " || ,
"(RING(WASKeyring.WXCELL)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
TSS ADD(WXASRU) KEYRING(WAS90KR) RINGDATA(CERTAUTH,PKICRTCT) USAGE(CERTAUTH)
/* ---------------------------------------------------------------- */
/* Creates Root and Signers keyrings */
/* ---------------------------------------------------------------- */
say 'Creating Root and Signers keyrings '
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL.Root)" || ,
" ID(WXACRU)"
say
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL.Signers)" || ,
" ID(WXACRU)"
say
TSS ADD(WXACRU) KEYRING(WXCELLRT) LABLRING(WASKeyring.WXCELL.Root)
Note: Substitute WXCELLRT with whatever keyring name you prefer.
say 'Connect root CA certificates to the root keyrings '
"RACDCERT ID(WXACRU) CONNECT " || ,
"(RING(WASKeyring.WXCELL.Root)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
TSS ADD(WXACRU) KEYRING(WXCELLRT) RINGDATA(CERTAUTH,PKICRTCT) USAGE(CERTAUTH)
Note: Substitue WXCELLRT with whatever keyring name you prefer.
say 'Connect default signers to the default signers keyring '
"RACDCERT ID(WXACRU) CONNECT " || ,
"(RING(WASKeyring.WXCELL.Signers)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
TSS ADD(WXACRU) KEYRING(WXCELLSIG) LABLRING(WASKeyring.WXCELL.Signers)
Note: Substitue WXCELLSIG with whatever keyring name you prefer.
say 'Facility class refresh'
"SETROPTS RACLIST(FACILITY) REFRESH"
say
there is not a TSS equivalent.
/* ================================================================ */
/* */
/* COPYRIGHT = */
/* Licensed Material - Property of IBM */
/* */
/* 5724-I63, 5724-H88, 5655-N01, 5733-W61 */
/* (C) Copyright IBM Corp. 1999, 2013 */
/* All Rights Reserved */
/* US Government Users Restricted Rights - Use, duplication or */
/* disclosure restricted by GSA ADP Schedule Contract with IBM Corp.*/
/* */
/* ================================================================ */
/* File tailored on 2018/11/15 at 14:05 by D4355 */
/* WCT version 9.0.0.9 build cf091835.01 */
/* ================================================================ */
say 'WebSphere Application Server RACF Setup'
say '-- Management'
say '-- Cell name:' WXCELL
say '-- Server name:' WXDMGR
say '-- Config group:' WXCFG
say '-- Generated on 2018/11/15 at 14:05'
/* ---------------------------------------------------------------- */
/* Determines RACF certificate size. */
/* ---------------------------------------------------------------- */
certsize = "2048"
if syscalls('ON')<4 then
do
address syscall 'uname uts.'
say '-- Machine: ' uts.U_MACHINE
if uts.U_MACHINE < "2084" then certsize = "1024"
call syscalls('OFF')
end
else say 'Unable to establish the SYSCALL environment'
say '-- Certificate size: ' certsize
trace commands
/* ---------------------------------------------------------------- */
/* Activates all RACF classes which are needed regardless of */
/* which WebSphere security scheme is chosen. */
/* ---------------------------------------------------------------- */
say 'Activating RACF classes which are needed regardless of security scheme.'
"SETROPTS CLASSACT(SERVER)"
say
"SETROPTS RACLIST(SERVER) GENERIC(SERVER)"
say
"SETROPTS CLASSACT(STARTED)"
say
"SETROPTS RACLIST(STARTED) GENERIC(STARTED)"
say
"SETROPTS CLASSACT(FACILITY)"
say
"SETROPTS RACLIST(FACILITY) GENERIC(FACILITY)"
say
"SETROPTS GRPLIST"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* Defines the WebSphere configuration group */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere configuration group.'
"ADDGROUP WXCFG OMVS(GID(90010))"
Say
TSS CREATE(WXCFG) TYPE(GROUP) NAME(‘configuration group’) GID(90010)
/* ---------------------------------------------------------------- */
/* Defines the WebSphere servant group */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere servant region group.'
"ADDGROUP WXSRVG OMVS(GID(90011))"
say
TSS CREATE(WXSRVG) TYPE(GROUP) NAME(‘servant region group’) GID(90011)
/* ---------------------------------------------------------------- */
/* Defines the WebSphere unauthenticated group */
/* ---------------------------------------------------------------- */
say 'Creates group for WebSphere unauthenticated userid.'
"ADDGROUP WXGUESTG OMVS(GID(90012))"
say
TSS CREATE(WXGUESTG) TYPE(GROUP) NAME(‘unauthenticated userid’) GID(90012)
/* ---------------------------------------------------------------- */
/* Defines the WebSphere controller user ID */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere controller user ID.'
"ADDUSER WXACRU DFLTGRP(WXCFG) OMVS(UID(90013) HOME(/wasv9config/wxcell/home/" || ,
"WXCFG) PROGRAM(/bin/sh)) NAME('WAS CR OWNER') NOPASSWORD NOOIDCARD"
say
"TSS CREATE(WXACRU) DFLTGRP(WXCFG) HOME(/wasv9config/wxcell/home/WXCFG),”
"FAC(IMWEB) OMVSPGM(/bin/sh) NAME('WAS CR OWNER')",
"DEPT(WASDEPT) PASS(WXACRU,0)"
"TSS ADDTO(WXACRU) UID(90013) GROUP(WXCFG)"
/* ---------------------------------------------------------------- */
/* Defines the WebSphere servant user ID and connects it to the */
/* configuration group */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere servant user ID.'
"ADDUSER WXASRU DFLTGRP(WXSRVG) OMVS(UID(90014)" || ,
" HOME(/wasv9config/wxcell/home/WXSRVG) PROGRAM(/bin/sh)) NAME('WAS APPSVR SR')" || ,
" NOPASSWORD NOOIDCARD"
say
"TSS CREATE(WXASRU) DFLTGRP(WXSRVG) HOME(/wasv9config/wxcell/home/WXSRVG),”
"FAC(IMWEB) OMVSPGM(/bin/sh) NAME('WAS APPSVR SR')",
"DEPT(WASDEPT) PASS(WXACRU,0)"
"TSS ADDTO(WXASRU) UID(90014) GROUP(WXSRVG)"
say 'Connecting servant to the WebSphere configuration group. '
"CONNECT WXASRU GROUP(WXCFG)"
say
say 'Allow 10000 concurrently open files.'
"ALU WXASRU OMVS(FILEPROC(10000))"
say
"TSS ADD(WXASRU) OEFILEP(10000)"
/* ---------------------------------------------------------------- */
/* Defines the WebSphere administrator user ID */
/* ---------------------------------------------------------------- */
say 'Adding WebSphere administrator user ID'
"ADDUSER WXADMIN DFLTGRP(WXCFG) OMVS(UID(90011)" || ,
" HOME(/wasv9config/wxcell/home/WXCFG) PROGRAM(/bin/sh)) NAME('WAS ADMINISTRATOR') " || ,
" NOPASSWORD NOOIDCARD"
say
"TSS CREATE(WXADMIN) DFLTGRP(WXCFG) HOME(/wasv9config/wxcell/home/WXCFG),”
"FAC(IMWEB) OMVSPGM(/bin/sh) NAME('WAS ADMINISTRATOR')",
"DEPT(WASDEPT) PASS(WXADMIN,0)"
"TSS ADDTO(WXASRU) UID(90011) GROUP(WXCFG)"
/* ---------------------------------------------------------------- */
/* Defines a user ID to be used for unauthenticated requests. */
/* ---------------------------------------------------------------- */
say 'Creates WebSphere unauthenticated user ID'
"ADDUSER WXGUEST RESTRICTED DFLTGRP(WXGUESTG) " || ,
"OMVS(UID(90012) HOME(/wasv9config/wxcell/home/WXGUESTG) " || ,
"PROGRAM(/bin/sh)) NAME('WAS DEFAULT USER') NOPASSWORD NOOIDCARD"
say
"TSS CREATE(WXGUEST) DFLTGRP(WXGUESTG) HOME(/wasv9config/wxcell/home/WXGUESTG),”
"FAC(IMWEB) OMVSPGM(/bin/sh) NAME('WAS DEFAULT USER')",
"DEPT(WASDEPT) PASS(WXGUEST,0)"
"TSS ADDTO(WXGUEST) UID(90012) GROUP(WXGUESTG)"
/* ---------------------------------------------------------------- */
/* Synch to OS Thread setup */
/* ---------------------------------------------------------------- */
say 'Creating Sync-to-thread profile '
say 'Used for: Enabling Sync-to-thread. '
say 'Controller region user ID needs READ or CONTROL access to enable Sync-to-thread. '
say 'With READ access, only security environments representing users in the SURROGATE class are allowed, while CONTROL allows for security environments to represent any user. '
"RDEFINE FACILITY BBO.SYNC.WXCELL.** UACC(NONE)"
say
/* ---------------------------------------------------------------- */
/* Trusted applications setup */
/* ---------------------------------------------------------------- */
say 'Creating EnableTrustedApplications profile '
say 'Used for: Allowing applications to perform operations normally reserved for privileged users. '
"RDEFINE FACILITY BBO.TRUSTEDAPPS.WXCELL.** UACC(NONE)"
Say
“TSS ADD(owningacid) IBMFAC(BBO.)”
say 'Permit default WAS Configuration group to EnableTrustedApplications profile. '
"PERMIT BBO.TRUSTEDAPPS.WXCELL.** " || ,
" CLASS(FACILITY) ID(WXCFG) ACCESS(READ)"
say
“TSS PER(WXCFG) IBMFAC(BBO.TRUSTEDAPPS. WXCELL.**) ACC(READ)”
/* ---------------------------------------------------------------- */
/* CLASS = SERVER */
/* PROFILE = CB.<cluster>.<generic server> */
/* Used for: Determining if a servant region can initialize */
/* ---------------------------------------------------------------- */
say 'Defining SERVER CB.cluster.generic_server '
say 'Used for determining if a servant region can initialize.'
"RDEFINE SERVER CB.* UACC(NONE)"
say
"RDEFINE SERVER CB.*.WXDMGR.* UACC(NONE)"
say
say 'Permitting SERVER class access. '
"PERMIT CB.*.WXDMGR.* CLASS(SERVER) ID(WXASRU) ACC(READ)"
Say
"TSS ADD(WASDEPT) SERVER(CB.)"
"TSS PER(WXASRU) SERVER(CB.*. WXDMGR.*) ACC(READ)"
"SETROPTS RACLIST(SERVER) GENERIC(SERVER) REFRESH"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* AsynchBeans for z/OS, require servants to have access to WLM */
/* services. */
/* ---------------------------------------------------------------- */
say 'Authorize servants to use WLM Services'
"RDEFINE FACILITY (BPX.WLMSERVER) UACC(NONE)"
say
"TSS ADD(WASDEPT) IBMFAC(BPX.)"
"PERMIT BPX.WLMSERVER ACCESS(READ) ID(WXSRVG) CL(FACILITY)"
say
"TSS PER(WXSRVG) IBMFAC(BPX.WLMSERVER) ACC(READ)"
/* ---------------------------------------------------------------- */
/* Creates STARTED task profiles for each runtime server identity */
/* ---------------------------------------------------------------- */
say 'Assigning user IDs to started tasks. '
say 'Assign daemon ID to started task'
"RDEFINE STARTED WXDEMN.* STDATA(USER(WXACRU) " || ,
"GROUP(WXCFG) TRACE(YES))"
Say
"TSS ADD(STC) PROCNAME(WXDEMN) ACID(WXACRU)"
say 'Assign controller ID to started task'
"RDEFINE STARTED WXDCR.* STDATA(USER(WXACRU) " || ,
"GROUP(WXCFG) TRACE(YES))"
Say
"TSS ADD(STC) PROCNAME(WXDCR) ACID(WXACRU)"
say 'Assign servant ID to started task'
"RDEFINE STARTED WXDMGRS.* STDATA(USER(WXASRU) " || ,
"GROUP(WXCFG) TRACE(YES))"
say
"TSS ADD(STC) PROCNAME(WXDMGRS) ACID(WXACRU)"
"SETROPTS RACLIST(STARTED) GENERIC(STARTED) REFRESH"
say
there is not a TSS equivalent.
/* --------------------------------------------------------------------- */
/* CLASS=CBIND */
/* OS/390 WebSphere PROFILES */
/* --------------------------------------------------------------------- */
/* CLASS = CBIND */
/* PROFILE = CB.BIND.<cluster name> */
/* (CB.BIND.CLUSTER) */
/* Used for: determining if a client can "BIND" (access) a controller */
/* region. */
/* Notes: */
/* 1. Any userid can gain access to the controller region if it has READ */
/* access to the CB.BIND.cluster_name profile. */
/* 2. A userid can still gain access to the Controller Region if the */
/* session owner has control access. */
/* 3. Within a local session (or SSL client certificate session) */
/* the session owner is the userid of the client or controller */
/* region (if server-as-client) that issued the message. */
/* Otherwise, ownership is assigned to the first userid which */
/* has successfully accessed the controller region. */
/* --------------------------------------------------------------------- */
"SETROPTS CLASSACT(CBIND)"
say
"SETROPTS RACLIST(CBIND) GENERIC(CBIND)"
say
say 'Define and permit CB.BIND.<cluster name> profile to CBIND class'
say 'Used for determining if a client can access a controller region'
say 'Any userid can gain access to the controller region if it has READ access to the CB.BIND.cluster_name profile'
"RDEFINE CBIND CB.BIND.WXCELL.** UACC(READ)"
"PERMIT CB.BIND.WXCELL.** CLASS(CBIND) ID(WXCFG) ACCESS(CONTROL)"
Say
"TSS ADD(WASDEPT) CBIND(CB.)"
"TSS PER(WXCFG) CBIND(CB.BIND. WXCELL.**) ACCESS(CONTROL)"
"SETROPTS RACLIST(CBIND) REFRESH"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* Activating additional RACF classes used by WebSphere for z/OS */
/* security. */
/* ---------------------------------------------------------------- */
say 'Activating classes needed only for z/OS security. '
"SETROPTS CLASSACT(SURROGAT) GENERIC(SURROGAT)"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* RACF CLASS = EJBROLE */
/* Used for: EJB Role Access. Needed for SAF Authorization */
/* */
/* The EJBROLE class is used to control access to roles. */
/* The Administrative roles are for access to functions in the */
/* administrative console and the wsadmin scripting interface. The */
/* Naming roles are for access to the JNDI namespace */
/* ---------------------------------------------------------------- */
say 'Setting up EJBRoles Profiles for admin roles when using SAF authorization'
"SETROPTS CLASSACT(EJBROLE)"
say
there is not a TSS equivalent.
"SETROPTS RACLIST(EJBROLE) GENERIC(EJBROLE)"
say
there is not a TSS equivalent.
say 'Defining and Permitting EJBROLE Administrative profiles...'
"RDEFINE EJBROLE WXCELL.administrator UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.iscadmins UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.auditor UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.monitor UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.configurator UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.operator UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.deployer UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.adminsecuritymanager UACC(NONE)"
say
"TSS ADD(WASDEPT) EJBROLE(WXCELL.)"
"PERMIT WXCELL.adminsecuritymanager CLASS(EJBROLE) ID(WXADMIN) ACCESS(READ)"
Say
"TSS PER(WXADMIN) EJBROLE(WXCELL.adminsecuritymanager)"
"PERMIT WXCELL.administrator CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.administrator)"
"PERMIT WXCELL.iscadmins CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.iscadmins)"
"PERMIT WXCELL.auditor CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.auditor)"
say 'Defining and Permitting EJBROLE Naming profiles...'
"RDEFINE EJBROLE WXCELL.CosNamingRead UACC(READ)"
say
"PERMIT WXCELL.CosNamingRead CLASS(EJBROLE) ID(WXGUEST) ACCESS(READ)"
say
"TSS PER(WXGUEST) EJBROLE(WXCELL.CosNamingRead)"
"RDEFINE EJBROLE WXCELL.CosNamingWrite UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.CosNamingCreate UACC(NONE)"
say
"RDEFINE EJBROLE WXCELL.CosNamingDelete UACC(NONE)"
say
"PERMIT WXCELL.CosNamingWrite CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.CosNamingWrite)
"PERMIT WXCELL.CosNamingCreate CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.CosNamingCreate)
"PERMIT WXCELL.CosNamingDelete CLASS(EJBROLE) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) EJBROLE(WXCELL.CosNamingDelete)
"RDEFINE EJBROLE WXCELL.scaAllAuthorizedUsers UACC(READ)"
say
say 'EJBROLE class refresh'
"SETROPTS RACLIST(EJBROLE) REFRESH"
say
there is not a TSS equivalent.
/* ---------------------------------------------------------------- */
/* RACF CLASS = APPL */
/* */
/* The APPL Class profile controls whether an authenticated user */
/* can access any application in a cell. */
/* */
/* PERMIT WXCELL CLASS(APPL) ID(all userids) ACCESS(READ) */
/* ---------------------------------------------------------------- */
say 'Defining and Permitting APPL profiles...'
say 'Used to control client access to a WebSphere Application Server for z/OS cell or group of cells.'
"RDEFINE APPL WXCELL UACC(NONE)"
say
"TSS ADD(WASDEPT) APPL(WXCELL)"
"PERMIT WXCELL CLASS(APPL) ID(WXCFG) ACCESS(READ)"
say
"TSS PER(WXCFG) APPL(WXCELL)"
"PERMIT WXCELL CLASS(APPL) ID(WXGUEST) ACCESS(READ)"
say
"TSS PER(WXGUEST) APPL(WXCELL)"
say 'APPL class refresh'
"SETROPTS RACLIST(APPL) REFRESH"
say
say 'Defines permissions to work with certificates'
"RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)"
Say
"TSS ADD(WASDEPT) IBMFAC(IRR.)"
"RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)"
say
"PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WXCFG) ACC(READ)"
Say
"TSS PER(WXCFG) IBMFAC(IRR.DIGTCERT.LIST) ACC(READ)"
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WXCFG) ACC(READ)"
say
"TSS PER(WXCFG) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(READ)"
/* ---------------------------------------------------------------- */
/* SSL SET-UP */
/* This sets up the required WebSphere certificates and key rings. */
/* See "RACF Security Administrator's Guide" for more information */
/* on Digital Certificates. */
/* ---------------------------------------------------------------- */
/* ---------------------------------------------------------------- */
/* Creates WebSphere controller keyring */
/* ---------------------------------------------------------------- */
say 'Creates SSL keyring for WXACRU user id'
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL)" || ,
" ID(WXACRU)"
say
say 'Creates personal certificate for WXACRU user id'
"RACDCERT ID (WXACRU) GENCERT SUBJECTSDN(CN('syshost.ftb.ca.gov') " || ,
" O('IBM') OU('WXCELL'))" || ,
" WITHLABEL('DefaultWASCert.WXCELL')" || ,
" SIGNWITH(CERTAUTH LABEL('PKICRTCT'))" || ,
" SIZE(" || certsize || ")" ,
" NOTAFTER(DATE(2026/01/06))"
say
"TSS GENCERT(CERTAUTH) DIGICERT(WAS90CA)",
"SUBJECTN('CN=”'syshost.ftb.ca.gov'OU='WXCELL'O="IBM" ’)",
"SIGNWITH(CERTAUTH,PKICRTCT)",
"LABLCERT('DefaultWASCert.WXCELL'),
NADATE(01/06/26)
say 'Connects personal certificate to WXACRU keyring '
"RACDCERT ID(WXACRU) CONNECT (LABEL('DefaultWASCert.WXCELL') " || ,
"RING(WASKeyring.WXCELL)" || ,
" DEFAULT)"
say
"TSS ADD(WXACRU) KEYRING(WAS90KR) RINGDATA(CERTSITE,DFWAS90C) DEFAULT"
say 'Connects WebSphere CA Certificate to WXACRU keyring'
"RACDCERT ID(WXACRU) CONNECT " || ,
"(RING(WASKeyring.WXCELL)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
/* ---------------------------------------------------------------- */
/* Creates WebSphere servant keyring */
/* ---------------------------------------------------------------- */
say 'Creates SSL keyring for WXASRU user id'
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL)" || ,
" ID(WXASRU)"
TSS ADD(WXASRU) KEYRING(WAS90KR) LABLRING(WASKeyring.WXCELL)
say 'Connects WebSphere CA Certificate to WXASRU keyring'
"RACDCERT ID(WXASRU) CONNECT " || ,
"(RING(WASKeyring.WXCELL)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
/* ---------------------------------------------------------------- */
/* Creates WebSphere administrator keyring */
/* ---------------------------------------------------------------- */
say 'Creates SSL keyring for WXADMIN user id'
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL)" || ,
" ID(WXADMIN)"
say
say 'Connects WebSphere CA Certificate to WXADMIN keyring'
"RACDCERT ID(WXADMIN) CONNECT " || ,
"(RING(WASKeyring.WXCELL)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
TSS ADD(WXASRU) KEYRING(WAS90KR) RINGDATA(CERTAUTH,PKICRTCT) USAGE(CERTAUTH)
/* ---------------------------------------------------------------- */
/* Creates Root and Signers keyrings */
/* ---------------------------------------------------------------- */
say 'Creating Root and Signers keyrings '
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL.Root)" || ,
" ID(WXACRU)"
say
"RACDCERT ADDRING(" || ,
"WASKeyring.WXCELL.Signers)" || ,
" ID(WXACRU)"
say
TSS ADD(WXACRU) KEYRING(WXCELLRT) LABLRING(WASKeyring.WXCELL.Root)
Note: Substitute WXCELLRT with whatever keyring name you prefer.
say 'Connect root CA certificates to the root keyrings '
"RACDCERT ID(WXACRU) CONNECT " || ,
"(RING(WASKeyring.WXCELL.Root)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
TSS ADD(WXACRU) KEYRING(WXCELLRT) RINGDATA(CERTAUTH,PKICRTCT) USAGE(CERTAUTH)
Note: Substitue WXCELLRT with whatever keyring name you prefer.
say 'Connect default signers to the default signers keyring '
"RACDCERT ID(WXACRU) CONNECT " || ,
"(RING(WASKeyring.WXCELL.Signers)" || ,
" LABEL('PKICRTCT') CERTAUTH)"
say
TSS ADD(WXACRU) KEYRING(WXCELLSIG) LABLRING(WASKeyring.WXCELL.Signers)
Note: Substitue WXCELLSIG with whatever keyring name you prefer.
say 'Facility class refresh'
"SETROPTS RACLIST(FACILITY) REFRESH"
say
there is not a TSS equivalent.
Feedback
Yes
No
Powered by
