Convert RACF commands to Top Secret

Article ID: 136743

Products

Top Secret

Issue/Introduction

Hi, we need the following commands converted from RACF to Top Secret:

** FYI Only **
STC_USRID = HBOSTCID
STC_GROUP = HBOSTCGP
AUTHORIZED_GROUP = HBOUSRGP
GUEST_USER = HBOGUEST
GUEST_GROUP = HBOUNGRP
AUTHORIZED_USER = HBOUSER
** The above are FYI only **

SETROPTS RACLIST(STARTED) CLASSACT(STARTED)
SETROPTS CLASSACT(APPL)
SETROPTS CLASSACT(FACILITY)
SETROPTS CLASSACT(SERVER)
SETROPTS CLASSACT(EJBROLE)
SETROPTS CLASSACT(DIGTCERT)
SETROPTS CLASSACT(DIGTRING)

ADDGROUP HBOSTCGP OMVS(GID(3701))
ADDGROUP HBOUSRGP OMVS(GID(3702))
ADDGROUP HBOUNGRP OMVS(GID(3703))
ADDUSER HBOSTCID DFLTGRP(HBOSTCGP) OMVS(UID(2701) HOME(/u/hbostcid)
        PROGRAM(/bin/sh)) NAME('CDP UI Server Started Task USERID')
        NOPASSWORD NOOIDCARD
ADDUSER HBOGUEST RESTRICTED DFLTGRP(HBOUNGRP) OMVS(UID(2702))
        NAME('CDPz Unauthenticated USERID') NOPASSWORD NOOIDCARD

CONNECT HBOUSER GROUP(HBOUSRGP)

RDEF STARTED HBOCFGA.* UACC(NONE) STDATA(USER(HBOSTCID)
     GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOCFGT.* UACC(NONE) STDATA(USER(HBOSTCID)
     GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEFINE SERVER BBG.ANGEL.HBOCFGA UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.ANGEL.HBOCFGA CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ)
       ID(HBOSTCID)
RDEFINE APPL HBOCFGT UACC(NONE)
RDEFINE SERVER BBG.SECPFX.HBOCFGT UACC(NONE)
PERMIT BBG.SECPFX.HBOCFGT CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
RDEFINE FACILITY BBG.SYNC.HBOCFGT UACC(NONE)
PERMIT BBG.SYNC.HBOCFGT CLASS(FACILITY) ID(HBOSTCID)
       ACCESS(CONTROL)
RDEFINE EJBROLE HBOCFGT.CDPUIServer.cdpUser UACC(NONE)
PERMIT HBOCFGT CLASS(APPL) ID(HBOSTCID) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOGUEST) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOUSRGP) ACCESS(READ)
PERMIT HBOCFGT.CDPUIServer.cdpUser CLASS(EJBROLE) ID(HBOUSRGP)
       ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(HBOSTCID)
       ACCESS(READ)
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CDPz CA Certification'))
         WITHLABEL('HBOCA') TRUST NOTAFTER(DATE(2023/12/31))
RACDCERT ID (HBOSTCID) GENCERT SUBJECTSDN(CN('CDPz DEFAULT CERT'))
         WITHLABEL('HBODefaultCert') SIGNWITH(CERTAUTH LABEL('HBOCA'))
         NOTAFTER(DATE(2023/12/31))
RACDCERT ADDRING(HBO.Keyring.DFLT) ID(HBOSTCID)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBODefaultCert')
         RING(HBO.Keyring.DFLT) DEFAULT)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBOCA')
         RING(HBO.Keyring.DFLT) CERTAUTH)

SETROPTS RACLIST(STARTED) REFRESH
SETROPTS RACLIST(SERVER) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Here are the RACF commands, each followed by its Top Secret equivalents (listed under "TSS Equivalents:"):


** FYI Only **
STC_USRID = HBOSTCID
STC_GROUP = HBOSTCGP
AUTHORIZED_GROUP = HBOUSRGP
GUEST_USER = HBOGUEST
GUEST_GROUP = HBOUNGRP
AUTHORIZED_USER = HBOUSER
** The above are FYI only **

SETROPTS RACLIST(STARTED) CLASSACT(STARTED)
SETROPTS CLASSACT(APPL)
SETROPTS CLASSACT(FACILITY)
SETROPTS CLASSACT(SERVER)
SETROPTS CLASSACT(EJBROLE)
SETROPTS CLASSACT(DIGTCERT)
SETROPTS CLASSACT(DIGTRING)

No TSS equivalents.


ADDGROUP HBOSTCGP OMVS(GID(3701))
ADDGROUP HBOUSRGP OMVS(GID(3702))
ADDGROUP HBOUNGRP OMVS(GID(3703))
ADDUSER HBOSTCID DFLTGRP(HBOSTCGP) OMVS(UID(2701) HOME(/u/hbostcid)
        PROGRAM(/bin/sh)) NAME('CDP UI Server Started Task USERID')
        NOPASSWORD NOOIDCARD
ADDUSER HBOGUEST RESTRICTED DFLTGRP(HBOUNGRP) OMVS(UID(2702))
        NAME('CDPz Unauthenticated USERID') NOPASSWORD NOOIDCARD


TSS Equivalents:

TSS CRE(HBOSTCGP) TYPE(GROUP) DEPT(dept) NAME('HBO Started Task Group')
TSS ADD(HBOSTCGP) GID(3701)
TSS CRE(HBOUSRGP) TYPE(GROUP) DEPT(dept) NAME('HBO User Group')
TSS ADD(HBOUSRGP) GID(3702)
TSS CRE(HBOUSRPR) TYPE(PROFILE) DEPT(dept) NAME('HBO User Profile')
TSS CRE(HBOUNGRP) TYPE(GROUP) DEPT(dept) NAME('HBO Unauthorized Group')
TSS ADD(HBOUNGRP) GID(3703)
TSS CRE(HBOSTCID) TYPE(USER) DEPT(dept) NAME('CDP UI Server Started Task USERID') PASS(xxxxx,0)
TSS ADD(HBOSTCID) UID(2701) GROUP(HBOSTCGP) DFLTGRP(HBOSTCGP) HOME(/u/hbostcid) OMVSPGM(/bin/sh)
TSS CRE(HBOGUEST) TYPE(USER) DEPT(dept) NAME('CDPz Unauthenticated USERID') PASS(NOPW,0)
TSS ADD(HBOGUEST) UID(2702) GROUP(HBOUNGRP) DFLTGRP(HBOUNGRP)

Where:

'dept' is the department acid you want to own the group, profile, and user acids.

We recommend that all started task (STC) acids be given a password and that OPTIONS(4) be set in the TSS parameter file. OPTIONS(4) eliminates the password prompt when the STC starts, but anyone who tries to sign on with the STC acid will still need to know the password.

NOTE: In RACF, a GROUP can be an OMVS group and can also be permitted to resources. In Top Secret, a TYPE(GROUP) acid is for OMVS only and cannot be permitted to resources. Since a later RACF PERMIT references HBOUSRGP, I created both a GROUP acid HBOUSRGP and a PROFILE acid HBOUSRPR.


CONNECT HBOUSER GROUP(HBOUSRGP)

TSS Equivalents:

TSS ADD(HBOUSER) GROUP(HBOUSRGP) DFLTGRP(HBOUSRGP)
TSS ADD(HBOUSER) PROFILE(HBOUSRPR)

NOTE: There aren't any RACF commands that create userid HBOUSER.


RDEF STARTED HBOCFGA.* UACC(NONE) STDATA(USER(HBOSTCID)
     GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOCFGT.* UACC(NONE) STDATA(USER(HBOSTCID)
     GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))

TSS Equivalents:

TSS ADD(STC) PROCNAME(HBOCFGA) ACID(HBOSTCID)
TSS ADD(STC) PROCNAME(HBOCFGT) ACID(HBOSTCID)


RDEFINE SERVER BBG.ANGEL.HBOCFGA UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.ANGEL.HBOCFGA CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ)
       ID(HBOSTCID)

TSS Equivalents:

TSS ADD(dept) SERVER(BBG.)   (if not already done)
TSS PER(HBOSTCID) SERVER(BBG.ANGEL.HBOCFGA) ACC(READ)
TSS PER(HBOSTCID) SERVER(BBG.AUTHMOD.BBGZSAFM) ACC(READ)
TSS PER(HBOSTCID) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACC(READ)

Where:

'dept' is the department acid you want to own the resources.


RDEFINE APPL HBOCFGT UACC(NONE)
RDEFINE SERVER BBG.SECPFX.HBOCFGT UACC(NONE)
PERMIT BBG.SECPFX.HBOCFGT CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
RDEFINE FACILITY BBG.SYNC.HBOCFGT UACC(NONE)
PERMIT BBG.SYNC.HBOCFGT CLASS(FACILITY) ID(HBOSTCID)
       ACCESS(CONTROL)
RDEFINE EJBROLE HBOCFGT.CDPUIServer.cdpUser UACC(NONE)
PERMIT HBOCFGT CLASS(APPL) ID(HBOSTCID) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOGUEST) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOUSRGP) ACCESS(READ)
PERMIT HBOCFGT.CDPUIServer.cdpUser CLASS(EJBROLE) ID(HBOUSRGP)
       ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(HBOSTCID)
       ACCESS(READ)

TSS Equivalents:

TSS ADD(dept) APPL(HBOCFGT)
TSS PER(HBOSTCID) SERVER(BBG.SECPFX.HBOCFGT) ACC(READ)
TSS ADD(dept) IBMFAC(BBG.)   (if not already done)
TSS PER(HBOSTCID) IBMFAC(BBG.SYNC.HBOCFGT) ACC(CONTROL)
TSS ADD(dept) EJBROLE(HBOCFGT.CDPUIServer.cdpUser)   (up to 26 characters of the resource name can be used in the TSS ADD command)
TSS PER(HBOSTCID) APPL(HBOCFGT) ACC(READ)
TSS PER(HBOGUEST) APPL(HBOCFGT) ACC(READ)
TSS PER(HBOUSRPR) APPL(HBOCFGT) ACC(READ)
TSS PER(HBOUSRPR) EJBROLE(HBOCFGT.CDPUIServer.cdpUser) ACC(READ)
TSS PER(HBOSTCID) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(READ)

Where:

'dept' is the department acid you want to own the resources.
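The mappings applied by hand in the sections above (ADDGROUP to TSS CRE plus TSS ADD GID, RDEF STARTED to TSS ADD(STC), RDEFINE to TSS ADD(dept), PERMIT to TSS PER with FACILITY renamed IBMFAC and the HBOUSRGP group replaced by the HBOUSRPR profile) written as a small converter. This is a constructed example added here, not a Broadcom tool: 'dept' and the NAME text are placeholders, only the command forms in this article are handled, and RDEFINE ownership uses the full resource name where the article owns the BBG. prefix instead.

```python
"""Constructed helper: RACF commands from this article -> TSS equivalents."""
import re

# RACF class -> Top Secret resource class, as the article maps them.
CLASS_MAP = {"SERVER": "SERVER", "FACILITY": "IBMFAC", "APPL": "APPL",
             "EJBROLE": "EJBROLE"}
# A TSS GROUP acid cannot be permitted, so the article permits a PROFILE
# acid in place of the RACF group (HBOUSRGP -> HBOUSRPR).
ID_MAP = {"HBOUSRGP": "HBOUSRPR"}

def join_continuations(text):
    """Fold indented continuation lines back onto the command they extend."""
    cmds = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and cmds:
            cmds[-1] += " " + line.strip()
        else:
            cmds.append(line.strip())
    return cmds

def kw(cmd, name):
    """Value of a RACF keyword such as ACCESS(READ), or None if absent."""
    m = re.search(r"\b%s\s*\(([^)]*)\)" % name, cmd)
    return m.group(1).strip() if m else None

def translate(cmd, dept="dept"):
    """TSS commands for one RACF command; [] where the article has none."""
    verb, *args = cmd.split()
    if verb == "SETROPTS":
        return []                          # article: no TSS equivalent
    if verb == "ADDGROUP":                 # NAME text is a placeholder
        return ["TSS CRE(%s) TYPE(GROUP) DEPT(%s) NAME('%s')" % (args[0], dept, args[0]),
                "TSS ADD(%s) GID(%s)" % (args[0], kw(cmd, "GID"))]
    if verb in ("RDEF", "RDEFINE") and args[0] == "STARTED":
        proc = args[1].split(".")[0]       # HBOCFGA.* -> HBOCFGA
        return ["TSS ADD(STC) PROCNAME(%s) ACID(%s)" % (proc, kw(cmd, "USER"))]
    if verb in ("RDEF", "RDEFINE"):
        return ["TSS ADD(%s) %s(%s)" % (dept, CLASS_MAP[args[0]], args[1])]
    if verb == "PERMIT":
        acid = ID_MAP.get(kw(cmd, "ID"), kw(cmd, "ID"))
        return ["TSS PER(%s) %s(%s) ACC(%s)" % (
            acid, CLASS_MAP[kw(cmd, "CLASS")], args[0], kw(cmd, "ACCESS"))]
    raise ValueError("no mapping in this helper for: " + cmd)

def convert(text, dept="dept"):            # translate a whole RACF listing
    return [t for c in join_continuations(text) for t in translate(c, dept)]
```

Commands outside the handled set (ADDUSER, CONNECT, RACDCERT) raise rather than being silently dropped, so nothing from the listing goes missing unnoticed.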

RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CDPz CA Certification'))
         WITHLABEL('HBOCA') TRUST NOTAFTER(DATE(2023/12/31))
RACDCERT ID (HBOSTCID) GENCERT SUBJECTSDN(CN('CDPz DEFAULT CERT'))
         WITHLABEL('HBODefaultCert') SIGNWITH(CERTAUTH LABEL('HBOCA'))
         NOTAFTER(DATE(2023/12/31))
RACDCERT ADDRING(HBO.Keyring.DFLT) ID(HBOSTCID)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBODefaultCert')
         RING(HBO.Keyring.DFLT) DEFAULT)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBOCA')
         RING(HBO.Keyring.DFLT) CERTAUTH)

TSS Equivalents:

TSS GENCERT(CERTAUTH) DIGICERT(digicertname) LABLCERT('HBOCA') -
SUBJECTN('CN="CDPz CA Certification"') NADATE(12/31/2023) TRUST
TSS GENCERT(HBOSTCID) DIGICERT(digicertname2) LABLCERT('HBODefaultCert') -
SUBJECTN('CN="CDPz DEFAULT CERT"') -
SIGNWITH(CERTAUTH,digicertname) NADATE(12/31/2023)
TSS ADD(HBOSTCID) KEYRING(ringname) LABLRING('HBO.Keyring.DFLT')
TSS ADD(HBOSTCID) KEYRING(ringname) RINGDATA(HBOSTCID,digicertname2)
TSS ADD(HBOSTCID) KEYRING(ringname) RINGDATA(CERTAUTH,digicertname)

Where:

'digicertname' is the digital certificate name for the CA certificate (1-8 characters)
'digicertname2' is the digital certificate name for the default certificate (1-8 characters)
'ringname' is the keyring name (1-8 characters)


SETROPTS RACLIST(STARTED) REFRESH
SETROPTS RACLIST(SERVER) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH

No TSS equivalents.