Top Secret Converting the RACF IWNRACFC job commands for IBM CSM

Article ID: 136788

Products

Top Secret Top Secret - LDAP

Issue/Introduction

How to convert the RACF commands in the IBM Copy Services Manager (CSM) IWNRACFC job to the equivalent Top Secret commands.

Related IBM Copy Services Manager for z/OS Articles:

136788 Top Secret Converting the RACF IWNRACFC job commands for IBM CSM
136782 Top Secret Converting the RACF IWNRACF2 job commands for IBM CSM
136783 Top Secret Converting the RACF IWNRACF3 job commands for IBM CSM
136785 Top Secret Converting the RACF IWNRACF4 job commands for IBM CSM
136786 Top Secret Converting the RACF IWNRACF5 job commands for IBM CSM



Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

The IWNRACFC job as shipped by IBM is reproduced below. Each group of RACF commands in the SYSTSIN input is followed by the Top Secret (TSS) commands that perform the same definitions; the #placeholders are the ones listed under "Replace the following variables" in the job comments, and dept_acid / owning_dept are the Top Secret department ACIDs you choose.

//IWNRACFC    JOB <job parameters>
//*********************************************************************
//*  LICENSED MATERIALS - PROPERTY OF IBM                             *
//*  THIS PRODUCT CONTAINS "RESTRICTED MATERIALS OF IBM"              *
//*   (C) COPYRIGHT IBM CORPORATION 2007,2019.                        *
//*  ALL RIGHTS RESERVED.                                             *
//*                                                                   *
//*  IBM Copy Services Manager for z/OS                               *
//*                                                                   *
//*  CAUTION: This is neither a JCL procedure nor a complete job.     *
//*  Before using this job step, make the following                   *
//*  modifications:                                                   *
//*                                                                   *
//*  This job creates a user in RACF and places the user into a       *
//*  facility class that is authorized to access the CLI  and         *
//*  initiate scripts without the need for credential prompts.        *
//*  The user is validated against the specified facility and         *
//*  is required to have read access. If access is revoked, the user  *
//*  is not allowed to access the CLI. This user must also be         *
//*  added through the Administration panel with a valid user role.   *
//*  The default facility that is defined in this class is used unless*
//*  a different one is specified in the repcli.properties file as    *
//*  facility=IWNSRV.CLIAUTH.                                         *
//*                                                                   *
//*  The following requirements for using this feature include:       *
//* 1) The CLI and Copy services manager GUI server must reside       *
//*    on the same system.                                            *
//* 2) You must be logged in as a TSO user when running the command.  *
//* 3) The TSO user that you are logged in as must be added to        *
//*    Copy Services Manager.                                         *
//* 4) LDAP must be disabled through the IWNINSTL job, as follows:    *
//*     ENABLE_LDAP=FALSE, which is the default.                      *
//*     If Copy Services Manager is already installed, IWNINSTL must  *
//*     be re-run to disable LDAP.                                    *
//* 5) This feature is restricted to being used by one user unless    *
//*    write permission is given to the cliTrace.log file for other   *
//*    users in the group.                                            *
//* 6) This job must be tailored to your environment and used as a    *
//*    guideline for permissions that are required for the            *
//*    function to work.                                              *
//* 7) The following commands must be run under OMVS before you       *
//*    attempt to run a command using the SAF switch:                 *
//*    - Give program control to the Java executable under            *
//*      Copy Services Manager:                                       *
//*          extattr +p /opt/IBM/CSM/Java/bin/java                    *
//*    - Give the following authority for the CLI folders and the     *
//*      users home directory:                                        *
//*          chmod 775 /opt/IBM/CSM                                   *
//*          chmod 775 /opt/IBM/CSM/CLI                               *
//*          chmod 775 /opt/IBM/CSM/CLI/cliTrace.log                  *
//*          chmod 760 #ussPath/.sh_history                           *
//*                                                                   *
//* 8) To enable the new login module, you must update the            *
//*    configuration file csm.conf as shown:                          *
//*    The configuration file is located in the                       *
//*    <CSM_ProductionRoot>/wlp/usr/servers/csmServer/properties/     *
//*    directory, and must be replaced and updated with               *
//*    the following information:                                     *
//*    (OEDIT under TSO or upload using FTP in EBCDIC)                *
//*                                                                   *
//* CSMServer {                                                       *
//*  com.ibm.csm.server.security.CertificateLoginModule SUFFICIENT;   *
//*  com.ibm.csm.server.security.SAFLoginModule SUFFICIENT;           *
//*  com.ibm.csm.server.security.WebSphereLoginModule SUFFICIENT;     *
//*  };                                                               *
//*                                                                   *
//* 9) The <CSM_ProductionRoot>/CLI/repcli.properties file requires   *
//*    the following lines to be added:                               *
//*    (OEDIT under TSO or upload using FTP in EBCDIC)                *
//*    useSAF=true                                                    *
//*    FACILITY=IWNSRV.CLIAUTH                                        *
//*                                                                   *
//*  Note: The new optional parameter -saf can be used on the command *
//*    line if you do not want to include it in the above file.       *
//*    (See the CLI Guide for examples of using the parameter with a  *
//*    command.)                                                      *
//*                                                                   *
//*  10) Restart the IWNSRV job and ensure that the TSO user has been *
//*      added.                                                       *
//*                                                                   *
//*  Steps to complete this job:                                      *
//*  1) Change the job card to meet your system requirements.         *
//*  2) Replace the following variables:                              *
//*           #csm_id  - User for auto login                          *
//*           #csm_pw  - Password for auto login                      *
//*           #csm_grp - Group for the user as defined in IWNRACF1    *
//*           #gid      - Group id number                             *
//*           #uid      - User id number                              *
//*           #ussPath  - Home directory for #csm_id                  *
//*           IWNSRV.CLIAUTH - Facility to authorize access for user  *
//*                       as defined in repcli.properties on USS      *
//*           #srvr_id  - Owner of IWNSRV created by IWNRACF2         *
//*                                                                   *
//*********************************************************************
/*
//IWNRACFC  EXEC PGM=IKJEFT01
//SYSLBC   DD DSN=SYS1.BRODCAST,DISP=SHR
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Define CSM SAF user and group (if not already defined).        */
  ADDGROUP #csm_grp OMVS(GID(#gid))
  ADDUSER #csm_id DFLTGRP(#csm_grp) OMVS(UID(#uid) +
      HOME(#ussPath) +
      PROGRAM(/bin/sh)) NAME('CSM SAF USER')
  ALU #csm_id PASSWORD(#csm_pw) NOEXPIRE


TSS CRE(#csm_grp) TYPE(GROUP) NAME('#csm_grp') DEPT(dept_acid)
TSS ADD(#csm_grp) GID(#gid)

TSS CRE(#csm_id) TYPE(USER) NAME('CSM SAF USER') PASS(#csm_pw,0) DEPT(dept_acid)
TSS ADD(#csm_id) UID(#uid)
TSS ADD(#csm_id) GROUP(#csm_grp) DFLTGRP(#csm_grp) HOME(#ussPath) OMVSPGM(/bin/sh)



  /* Define the IWNSRV.CLIAUTH facility. */
  RDEFINE FACILITY IWNSRV.CLIAUTH UACC(NONE)
  PERMIT IWNSRV.CLIAUTH CLASS(FACILITY) +
      ID(#csm_id) ACCESS(READ)

  

TSS ADD(owning_dept) IBMFAC(IWNSRV.)
TSS PER(#csm_id) IBMFAC(IWNSRV.CLIAUTH) ACCESS(READ)


  /* The SAF native calls require that the user who is logged in to */
  /* OMVS and the IWNSRV owner be granted access to                 */
  /* BPX.SERVER and BPX.DAEMON.                                     */
  RDEFINE FACILITY BPX.SERVER UACC(NONE) OWNER(SYS1)
  PERMIT BPX.DAEMON CLASS(FACILITY) ID(#csm_id) ACCESS(NONE)
  PERMIT BPX.SERVER CLASS(FACILITY) ID(#csm_id) ACCESS(READ)
  PERMIT BPX.SERVER CLASS(FACILITY) ID(#srvr_id) ACCESS(READ)


TSS ADD(owning_dept) IBMFAC(BPX)
TSS PER(#csm_id) IBMFAC(BPX.DAEMON) ACCESS(NONE)
TSS PER(#csm_id) IBMFAC(BPX.SERVER) ACCESS(READ)
TSS PER(#srvr_id) IBMFAC(BPX.SERVER) ACCESS(READ)

    

  SETROPTS RACLIST(FACILITY) REFRESH