Hi, we need the following commands converted from RACF to Top Secret:
** FYI Only **
STC_USRID = HBOSTCID
STC_GROUP = HBOSTCGP
AUTHORIZED_GROUP = HBOUSRGP
GUEST_USER = HBOGUEST
GUEST_GROUP = HBOUNGRP
AUTHORIZED_USER = HBOUSER
** The above are FYI only **
SETROPTS RACLIST(STARTED) CLASSACT(STARTED)
SETROPTS CLASSACT(APPL)
SETROPTS CLASSACT(FACILITY)
SETROPTS CLASSACT(SERVER)
SETROPTS CLASSACT(EJBROLE)
SETROPTS CLASSACT(DIGTCERT)
SETROPTS CLASSACT(DIGTRING)
ADDGROUP HBOSTCGP OMVS(GID(3701))
ADDGROUP HBOUSRGP OMVS(GID(3702))
ADDGROUP HBOUNGRP OMVS(GID(3703))
ADDUSER HBOSTCID DFLTGRP(HBOSTCGP) OMVS(UID(2701) HOME(/u/hbostcid)
PROGRAM(/bin/sh)) NAME('CDP UI Server Started Task USERID')
NOPASSWORD NOOIDCARD
ADDUSER HBOGUEST RESTRICTED DFLTGRP(HBOUNGRP) OMVS(UID(2702))
NAME('CDPz Unauthenticated USERID') NOPASSWORD NOOIDCARD
CONNECT HBOUSER GROUP(HBOUSRGP)
RDEF STARTED HBOCFGA.* UACC(NONE) STDATA(USER(HBOSTCID)
GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOCFGT.* UACC(NONE) STDATA(USER(HBOSTCID)
GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEFINE SERVER BBG.ANGEL.HBOCFGA UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.ANGEL.HBOCFGA CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ)
ID(HBOSTCID)
RDEFINE APPL HBOCFGT UACC(NONE)
RDEFINE SERVER BBG.SECPFX.HBOCFGT UACC(NONE)
PERMIT BBG.SECPFX.HBOCFGT CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
RDEFINE FACILITY BBG.SYNC.HBOCFGT UACC(NONE)
PERMIT BBG.SYNC.HBOCFGT CLASS(FACILITY) ID(HBOSTCID)
ACCESS(CONTROL)
RDEFINE EJBROLE HBOCFGT.CDPUIServer.cdpUser UACC(NONE)
PERMIT HBOCFGT CLASS(APPL) ID(HBOSTCID) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOGUEST) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOUSRGP) ACCESS(READ)
PERMIT HBOCFGT.CDPUIServer.cdpUser CLASS(EJBROLE) ID(HBOUSRGP)
ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(HBOSTCID)
ACCESS(READ)
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CDPz CA Certification'))
WITHLABEL('HBOCA') TRUST NOTAFTER(DATE(2023/12/31))
RACDCERT ID (HBOSTCID) GENCERT SUBJECTSDN(CN('CDPz DEFAULT CERT'))
WITHLABEL('HBODefaultCert') SIGNWITH(CERTAUTH LABEL('HBOCA'))
NOTAFTER(DATE(2023/12/31))
RACDCERT ADDRING(HBO.Keyring.DFLT) ID(HBOSTCID)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBODefaultCert')
RING(HBO.Keyring.DFLT) DEFAULT)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBOCA')
RING(HBO.Keyring.DFLT) CERTAUTH)
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS RACLIST(SERVER) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
Release : 16.0
Component : CA Top Secret for z/OS
Here are the RACF commands and the Top Secret equivalents (each RACF block is followed by its "TSS Equivalents"):
** FYI Only **
STC_USRID = HBOSTCID
STC_GROUP = HBOSTCGP
AUTHORIZED_GROUP = HBOUSRGP
GUEST_USER = HBOGUEST
GUEST_GROUP = HBOUNGRP
AUTHORIZED_USER = HBOUSER
** The above are FYI only **
SETROPTS RACLIST(STARTED) CLASSACT(STARTED)
SETROPTS CLASSACT(APPL)
SETROPTS CLASSACT(FACILITY)
SETROPTS CLASSACT(SERVER)
SETROPTS CLASSACT(EJBROLE)
SETROPTS CLASSACT(DIGTCERT)
SETROPTS CLASSACT(DIGTRING)
No TSS equivalents.
ADDGROUP HBOSTCGP OMVS(GID(3701))
ADDGROUP HBOUSRGP OMVS(GID(3702))
ADDGROUP HBOUNGRP OMVS(GID(3703))
ADDUSER HBOSTCID DFLTGRP(HBOSTCGP) OMVS(UID(2701) HOME(/u/hbostcid)
PROGRAM(/bin/sh)) NAME('CDP UI Server Started Task USERID')
NOPASSWORD NOOIDCARD
ADDUSER HBOGUEST RESTRICTED DFLTGRP(HBOUNGRP) OMVS(UID(2702))
NAME('CDPz Unauthenticated USERID') NOPASSWORD NOOIDCARD
TSS Equivalents:
TSS CRE(HBOSTCGP) TYPE(GROUP) DEPT(dept) NAME('HBO Started Task Group')
TSS ADD(HBOSTCGP) GID(3701)
TSS CRE(HBOUSRGP) TYPE(GROUP) DEPT(dept) NAME('HBO User Group')
TSS ADD(HBOUSRGP) GID(3702)
TSS CRE(HBOUSRPR) TYPE(PROFILE) DEPT(dept) NAME('HBO User PROFILE')
TSS CRE(HBOUNGRP) TYPE(GROUP) DEPT(dept) NAME('HBO Unauthorized Group')
TSS ADD(HBOUNGRP) GID(3703)
TSS CRE(HBOSTCID) TYPE(USER) DEPT(dept) NAME('CDP UI Server Started Task USERID') PASS(xxxxx,0)
TSS ADD(HBOSTCID) UID(2701) GROUP(HBOSTCGP) DFLTGRP(HBOSTCGP) HOME(/u/hbostcid) OMVSPGM(/bin/sh)
TSS CRE(HBOGUEST) TYPE(USER) DEPT(dept) NAME('CDPz Unauthenticated USERID') PASS(NOPW,0)
TSS ADD(HBOGUEST) UID(2702) GROUP(HBOUNGRP) DFLTGRP(HBOUNGRP)
Where:
‘dept’ is the dept acid you want to own the group, profile, and user acids
We recommend that all started task (STC) acids be given a password and OPTIONS(4) be set in the TSS parameter file. OPTIONS(4) will eliminate the prompt for a password when the STC starts, but if someone tries to signon with the STC acid, he will need to know the password.
NOTE: In RACF, a GROUP can be an OMVS group as well as permitted resources. In Top Secret, a type GROUP acid is for OMVS but cannot be permitted resources. Since there is a RACF permit later for HBOUSRGP, I created both a GROUP of HBOUSRGP and a profile of HBOUSRPR.
CONNECT HBOUSER GROUP(HBOUSRGP)
TSS Equivalents:
TSS ADD(HBOUSER) GROUP(HBOUSRGP) DFLTGRP(HBOUSRGP)
TSS ADD(HBOUSER) PROFILE(HBOUSRPR)
NOTE: There aren't any RACF commands that create userid HBOUSER.
RDEF STARTED HBOCFGA.* UACC(NONE) STDATA(USER(HBOSTCID)
GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOCFGT.* UACC(NONE) STDATA(USER(HBOSTCID)
GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
TSS Equivalents:
TSS ADD(STC) PROCNAME(HBOCFGA) ACID(HBOSTCID)
TSS ADD(STC) PROCNAME(HBOCFGT) ACID(HBOSTCID)
RDEFINE SERVER BBG.ANGEL.HBOCFGA UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.ANGEL.HBOCFGA CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ)
ID(HBOSTCID)
TSS Equivalents:
TSS ADD(dept) SERVER(BBG.) if not already done
TSS PER(HBOSTCID) SERVER(BBG.ANGEL.HBOCFGA) ACC(READ)
TSS PER(HBOSTCID) SERVER(BBG.AUTHMOD.BBGZSAFM) ACC(READ)
TSS PER(HBOSTCID) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACC(READ)
Where:
‘dept’ is the dept acid you want to own the resources
RDEFINE APPL HBOCFGT UACC(NONE)
RDEFINE SERVER BBG.SECPFX.HBOCFGT UACC(NONE)
PERMIT BBG.SECPFX.HBOCFGT CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
RDEFINE FACILITY BBG.SYNC.HBOCFGT UACC(NONE)
PERMIT BBG.SYNC.HBOCFGT CLASS(FACILITY) ID(HBOSTCID)
ACCESS(CONTROL)
RDEFINE EJBROLE HBOCFGT.CDPUIServer.cdpUser UACC(NONE)
PERMIT HBOCFGT CLASS(APPL) ID(HBOSTCID) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOGUEST) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOUSRGP) ACCESS(READ)
PERMIT HBOCFGT.CDPUIServer.cdpUser CLASS(EJBROLE) ID(HBOUSRGP)
ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(HBOSTCID)
ACCESS(READ)
TSS Equivalents:
TSS ADD(dept) APPL(HBOCFGT)
TSS PER(HBOSTCID) SERVER(BBG.SECPFX.HBOCFGT) ACC(READ)
TSS ADD(dept) IBMFAC(BBG.) if not already done
TSS PER(HBOSTCID) IBMFAC(BBG.SYNC.HBOCFGT) ACC(CONTROL)
TSS ADD(dept) EJBROLE(HBOCFGT.CDPUIServer.cdpUser) (up to 26 characters for the resource name can be used in the TSS ADD command)
TSS PER(HBOSTCID) APPL(HBOCFGT) ACC(READ)
TSS PER(HBOGUEST) APPL(HBOCFGT) ACC(READ)
TSS PER(HBOUSRPR) APPL(HBOCFGT) ACC(READ)
TSS PER(HBOUSRPR) EJBROLE(HBOCFGT.CDPUIServer.cdpUser) ACC(READ)
TSS PER(HBOSTCID) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(READ)
Where:
‘dept’ is the dept acid you want to own the resources
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CDPz CA Certification'))
WITHLABEL('HBOCA') TRUST NOTAFTER(DATE(2023/12/31))
RACDCERT ID (HBOSTCID) GENCERT SUBJECTSDN(CN('CDPz DEFAULT CERT'))
WITHLABEL('HBODefaultCert') SIGNWITH(CERTAUTH LABEL('HBOCA'))
NOTAFTER(DATE(2023/12/31))
RACDCERT ADDRING(HBO.Keyring.DFLT) ID(HBOSTCID)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBODefaultCert')
RING(HBO.Keyring.DFLT) DEFAULT)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBOCA')
RING(HBO.Keyring.DFLT) CERTAUTH)
TSS Equivalents:
TSS GENCERT(CERTAUTH) DIGICERT(digicertname) LABLCERT('HBOCA') -
SUBJECTN('CN="CDPz CA Certification"') NADATE(12/31/2023) TRUST
TSS GENCERT(HBOSTCID) DIGICERT(digicertname2) LABLCERT('HBODefaultCert') -
SUBJECTN('CN="CDPz DEFAULT CERT"') -
SIGNWITH(CERTAUTH,digicertname) NADATE(12/31/2023)
TSS ADD(HBOSTCID) KEYRING(ringname) LABLRING('HBO.Keyring.DFLT')
TSS ADD(HBOSTCID) KEYRING(ringname) RINGDATA(HBOSTCID,digicertname2)
TSS ADD(HBOSTCID) KEYRING(ringname) RINGDATA(CERTAUTH,digicertname)
Where:
‘digicertname’ is the digital certificate name for the CA certificate (1 - 8 characters)
‘digicertname2’ is the digital certificate name for the default certificate (1 - 8 characters)
‘ringname’ is the keyring name (1-8 characters)
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS RACLIST(SERVER) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
No TSS equivalents.
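The PERMIT and RDEFINE translations above follow a small set of mechanical rules (CLASS(FACILITY) becomes IBMFAC, a permitted RACF group becomes the TSS profile created beside it, and the TSS ADD resource name is limited to 26 characters). The script below is an added example, not part of this article or of Top Secret itself, that applies those rules to RACF commands as they appear here, re-joining wrapped lines first; 'dept' is the same placeholder as in the answer, and treating a name cut to 26 characters as the owning prefix for TSS ADD is my reading of the answer's note.

```python
import re
# Added example, not from the article: translate RACF PERMIT / RDEFINE commands
# into Top Secret commands using the mapping rules given in the answer above.
DEPT = "dept"  # placeholder owning department acid, as in the answer
CLASS_MAP = {"SERVER": "SERVER", "FACILITY": "IBMFAC", "APPL": "APPL", "EJBROLE": "EJBROLE"}
# A Top Secret GROUP acid cannot be permitted resources, so a permitted RACF
# group is replaced by the profile the answer creates beside it.
GROUP_TO_PROFILE = {"HBOUSRGP": "HBOUSRPR"}
TSS_ADD_MAX = 26  # resource-name limit the answer notes for TSS ADD
VERBS = ("PERMIT", "RDEFINE", "RDEF")

def join_continuations(lines):
    """Re-join RACF commands that were wrapped onto several lines."""
    cmds = []
    for line in (raw.strip() for raw in lines):
        if not line:
            continue
        if line.startswith(VERBS) or not cmds:
            cmds.append(line)
        else:
            cmds[-1] += " " + line
    return cmds

def _kw(cmd, key):
    m = re.search(r"\b%s\((.*?)\)" % key, cmd)
    return m.group(1) if m else None

def racf_to_tss(cmd):
    """Translate one PERMIT or RDEFINE command; raise on anything else."""
    tok = cmd.split()
    if tok[0] == "PERMIT":
        cls, acid, acc = _kw(cmd, "CLASS"), _kw(cmd, "ID"), _kw(cmd, "ACCESS")
        if None in (cls, acid, acc) or cls not in CLASS_MAP:
            raise ValueError("cannot translate: " + cmd)
        acid = GROUP_TO_PROFILE.get(acid, acid)
        return "TSS PER(%s) %s(%s) ACC(%s)" % (acid, CLASS_MAP[cls], tok[1], acc)
    if tok[0] in ("RDEFINE", "RDEF") and tok[1] in CLASS_MAP:
        # TSS ADD takes at most 26 characters; a longer name is owned through
        # its 26-character prefix (assumption based on the answer's note).
        return "TSS ADD(%s) %s(%s)" % (DEPT, CLASS_MAP[tok[1]], tok[2][:TSS_ADD_MAX])
    raise ValueError("cannot translate: " + cmd)

# Constructed sample: three commands from the RACF list above, two of them wrapped.
SAMPLE = """PERMIT BBG.SYNC.HBOCFGT CLASS(FACILITY) ID(HBOSTCID)
ACCESS(CONTROL)
RDEFINE EJBROLE HBOCFGT.CDPUIServer.cdpUser UACC(NONE)
PERMIT HBOCFGT.CDPUIServer.cdpUser CLASS(EJBROLE) ID(HBOUSRGP)
ACCESS(READ)"""
TSS_COMMANDS = [racf_to_tss(c) for c in join_continuations(SAMPLE.splitlines())]
```

Commands the rules do not cover, such as RDEF STARTED, raise ValueError so they are reviewed by hand rather than silently mistranslated.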