Attached is a zip file with 3 MS Word documents (BLZRACFL, BLZRACF, and BLZRACFT) with the RACF commands and the CA Top Secret equivalents (in red).
NOTES:
- ‘dept’ in any TSS command is the department acid you want to own the acids that are created and resources that are defined.
- There are several RACF commands to create RACF GROUP ids. In RACF, a GROUP id can function as both an OMVS group and a Top Secret profile. In Top Secret, the OMVS GROUP and the PROFILE are separate ACIDs. For each RACF GROUP id that is created, the TSS commands to create both a TYPE(GROUP) and a TYPE(PROFILE) ACID are provided. The TYPE(GROUP) ACID is used for OMVS (i.e. it contains a GID and can be added as a GROUP and DFLTGRP to any ACID that is to use OMVS). The TYPE(PROFILE) ACID is the one that can be permitted resources.
- It is recommended that all started task (STC) ACIDs be given a password and that OPTIONS(4) be set in the TSS parameter file. OPTIONS(4) eliminates the password prompt when the STC starts, but anyone who tries to sign on with the STC acid will still need to know the password. That is why the TSS CRE commands for STC acids have PASS(xxxx,0) in them.
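The two notes above, shown as one added command sequence (this is an illustration, not a command from the attached members): a GROUP/PROFILE ACID pair for one RACF GROUP, an STC acid created with PASS(xxxx,0), and the parameter-file option that suppresses the password prompt. The acid names BLZGRP1, BLZPRF1, BLZSTC1, the user BLZUSER1, the GID 9999 and the password are placeholders I chose; 'dept' is the owning department acid as described in the notes.

```text
# --- constructed example, not from members BLZRACFL/BLZRACF/BLZRACFT ---

# One RACF GROUP id becomes two Top Secret ACIDs:
#   TYPE(GROUP)   -> the OMVS group (carries the GID)
#   TYPE(PROFILE) -> the profile that resources are permitted to
TSS CREATE(BLZGRP1) TYPE(GROUP)   NAME('BLZ OMVS GROUP')  DEPT(dept)
TSS ADD(BLZGRP1)    GID(9999)
TSS CREATE(BLZPRF1) TYPE(PROFILE) NAME('BLZ PROFILE')     DEPT(dept)

# An OMVS user gets the GROUP (and default group) and the PROFILE separately
TSS ADD(BLZUSER1)   GROUP(BLZGRP1) DFLTGRP(BLZGRP1)
TSS ADD(BLZUSER1)   PROFILE(BLZPRF1)

# STC acid: PASS(xxxx,0) sets a non-expiring password (interval 0) so an
# interactive signon with this acid still requires the password
TSS CREATE(BLZSTC1) TYPE(USER) NAME('BLZ STARTED TASK') DEPT(dept) PASS(xxxx,0) FAC(STC)
TSS ADD(STC)        PROCNAME(BLZSTC1) ACID(BLZSTC1)

# TSS parameter file (control options) - STCs start without a password prompt
OPTIONS(4)
```

The `OPTIONS(4)` line belongs in the Top Secret parameter file, not in the command stream; it is shown here only so the two halves of the recommendation sit together.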
- In the RACDCERT GENCERT commands, there are 2 different 1-8 character digital certificate names (represented in the commands as ‘digicertname’ and ‘digicertname2’).
- In the section ‘# Connect commercial CAs to controller keyring’ in member BLZRACFL, TSS LIST(CERTAUTH) DIGICERT(ALL) should be issued to see whether certificates with the following labels are already in the output. If a certificate is already present in CERTAUTH, the command to add it should not be issued.
LABEL = Verisign Class 3 Primary CA
LABEL = Verisign Class 1 Primary CA
LABEL = RSA Secure Server CA
LABEL = Thawte Server CA
LABEL = Thawte Premium Server CA
LABEL = Thawte Personal Basic CA
LABEL = Thawte Personal Freemail CA
LABEL = Thawte Personal Premium CA
LABEL = Verisign International Svr CA
- In the section ‘# permit required groups to the various ejbrole profiles’ in member BLZRACFL, the EJBROLE resource supports mixed case resource names. When the TSS ADD and TSS PERMIT commands are issued for these resources, be sure the place they are entered (i.e. TSO READY prompt, ISPF option 6, batch job, etc.) is not uppercasing all text. Otherwise, the TSS ADD and PERMIT commands will define and permit upper case resource names, which will not match the mixed case names the application checks.
- In BLZRACFL, there is a RACF command: PERMIT BLZZSRV CLASS(APPL) ACCESS(READ) ID(WSGUEST), but nowhere in this member is id WSGUEST created.
- Member BLZRACF creates many of the same GROUP and PROFILE acids as member BLZRACFL. If the ACID already exists, the TSS CRE command will fail with: TSS0315E ACID ALREADY EXISTS.
- Member BLZRACFT also creates many of the same GROUP and PROFILE ACIDs as member BLZRACFL. If the ACID already exists, the TSS CRE command will fail with: TSS0315E ACID ALREADY EXISTS.
- The BLZRACFT member has a section on passtickets. Normally with CA Top Secret and passtickets, a PSTKAPPL entry is added to the NDT and a permit for the PTKTDATA resource class with resource name in the format:
PTKTDATA(IRRPTAUTH.applname.userid)
Where:
'applname' is the application name (defined in the PSTKAPPL entry in the NDT)
'userid' is the user id
In this case, RACF is not using the PTKTDATA(IRRPTAUTH.applname.userid) permit. Instead, RACF is defining and permitting FACILITY BLZ.CONNECT.BLZAPPL, for which the CA Top Secret equivalent is IBMFAC BLZ.CONNECT.BLZAPPL. The RACF commands have been translated as they are, but in the event the PTKTDATA permit is necessary:
TSS WHOHAS PTKTDATA(IRRPTAUTH.BLZAPPL)
TSS ADD(dept) PTKTDATA(IRRPTAUT)
TSS PER(acid) PTKTDATA(IRRPTAUTH.BLZAPPL.) ACC(UPDATE) APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE')