OpenSSH setup translation of RACF commands to CA ACF2
Article ID: 137655

Products

ACF2
ACF2 - DB2 Option
ACF2 for zVM
ACF2 - z/OS
ACF2 - MISC

Issue/Introduction

The RACF commands below, taken from the OpenSSH for z/OS setup, need to be translated into their CA ACF2 equivalents.


1. ADDUSER SSHDAEM DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD
2. RDEFINE FACILITY BPX.DAEMON UACC(NONE)
3. PERMIT BPX.DAEMON CLASS(FACILITY) ID(SSHDAEM) ACCESS(READ)
4. SETROPTS RACLIST(FACILITY) REFRESH
5. ADDGROUP SSHDG OMVS(GID(999))
6. ADDUSER SSHD DFLTGRP(SSHDG) OMVS(UID(999) HOME('/var/empty') PROGRAM('/bin/false')) NOPASSWORD
7. RDEFINE STARTED SSHD.* STDATA(USER(SSHDAEM) GROUP(OMVSGRP) TRUSTED(NO))
8. SETROPTS RACLIST(STARTED) REFRESH

Environment

Release : 15.0

Component : CA ACF2 for z/OS

Resolution

1 ADDUSER SSHDAEM DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD

ACF
SET LID
INSERT SSHDAEM NAME(SSH DAEMON) GROUP(OMVSGRP) UID(0) HOME(/) OMVSPGM(/bin/sh) STC
END

The STC attribute marks the logonid as a started-task logonid and is the ACF2 counterpart of RACF NOPASSWORD in this setup. UID(0) makes SSHDAEM a z/OS UNIX superuser, so it should be used only by the sshd started task itself; the unprivileged identity that sshd switches to for privilege separation is the SSHD logonid created in step 6.


2 RDEFINE FACILITY BPX.DAEMON UACC(NONE)

No equivalent is needed: ACF2 does not require a resource to be defined before it can be referenced. Access to BPX.DAEMON is controlled entirely by the TYPE(FAC) resource rule written in step 3, and a logonid with no matching ALLOW entry is denied.


3 PERMIT BPX.DAEMON CLASS(FACILITY) ID(SSHDAEM) ACCESS(READ)

The rule entry you need depends on how your site has written its BPX rules in TYPE(FAC). First list what you have:

ACF
SET RESOURCE(FAC)
LIST LIKE(BPX-)
END

Then review the rule sets returned. Note that UID(...) in an ACF2 rule entry is the logonid's ACF2 UID string (built from logonid fields according to your site's UID definition), not the z/OS UNIX uid 0 assigned in step 1; USER(...) names the logonid directly and is used in $ROLESET rule sets.

If there is a $KEY(BPX.DAEMON) TYPE(FAC) rule set, add the entry to that rule set.

If the rule set uses UID entries:

ACF
SET RESOURCE(FAC)
RECKEY BPX.DAEMON ADD(UID(<UID string for SSHDAEM>) SERVICE(READ) ALLOW)
END

If the rule set is a $ROLESET rule set:

ACF
SET RESOURCE(FAC)
RECKEY BPX.DAEMON ADD(USER(SSHDAEM) SERVICE(READ) ALLOW)
END

If there is only a $KEY(BPX) rule set, BPX.DAEMON is covered by a DAEMON entry within it.

If the rule set uses UID entries:

ACF
SET RESOURCE(FAC)
RECKEY BPX ADD(DAEMON UID(<UID string for SSHDAEM>) SERVICE(READ) ALLOW)
END

If the rule set is a $ROLESET rule set:

ACF
SET RESOURCE(FAC)
RECKEY BPX ADD(DAEMON USER(SSHDAEM) SERVICE(READ) ALLOW)
END


4 SETROPTS RACLIST(FACILITY) REFRESH

F ACF2,REBUILD(FAC)

This is an MVS MODIFY command issued from an operator console (or from SDSF with the / prefix), not an ACF subcommand. It rebuilds the resident rule directory for TYPE(FAC) so that the entry added in step 3 takes effect; it is required when FAC rules are made resident through the GSO INFODIR record, and is harmless otherwise.


5 ADDGROUP SSHDG OMVS(GID(999))

ACF
SET PROFILE(GROUP) DIV(OMVS)
INSERT SSHDG GID(999)
END

Then rebuild the resident group profile directory from an operator console (or SDSF with the / prefix):

F ACF2,REBUILD(GRP),CLASS(P)


6 ADDUSER SSHD DFLTGRP(SSHDG) OMVS(UID(999) HOME('/var/empty') PROGRAM('/bin/false')) NOPASSWORD

ACF
SET LID
INSERT SSHD NAME(SSHD STC) GROUP(SSHDG) UID(999) HOME(/var/empty) OMVSPGM(/bin/false) STC
END

SSHD is the OpenSSH privilege-separation identity: it must not share its uid with any other logonid, /var/empty must exist and be owned by uid 0 with no group or world write permission (sshd refuses to start otherwise), and /bin/false as the program prevents interactive use of the logonid.

 

7 RDEFINE STARTED SSHD.* STDATA(USER(SSHDAEM) GROUP(OMVSGRP) TRUSTED(NO))

There is no STARTED class to define in ACF2; the STC attribute on the logonid (step 1) is what permits it to be used by a started task. Be aware that ACF2 associates a started task with the logonid whose name matches the started procedure name, so the sshd procedure must either be named SSHDAEM or be mapped to the SSHDAEM logonid through the site's started-task logonid assignment (the GSO STC record; check the syntax in the ACF2 Administration Guide). Verify that the daemon does not start under the unprivileged SSHD logonid from step 6 by mistake.


8 SETROPTS RACLIST(STARTED) REFRESH

Not needed: there is no STARTED class to refresh in ACF2.
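The following is an added example, not code from CA/Broadcom or from this article. It generates the complete ACF2 command deck for steps 1 through 8 from a short description of the site's TYPE(FAC) BPX rule shape, so the step 3 branching (a $KEY(BPX.DAEMON) rule set versus a DAEMON entry under $KEY(BPX), UID-string entries versus a $ROLESET rule set) is made explicit and every generated entry has balanced parentheses. The logonids, group, uids and gid are the ones used above; the daemon UID string is a placeholder the site must replace with SSHDAEM's actual ACF2 UID string, and the operator MODIFY commands are returned separately because they are not ACF subcommands.

```python
"""Generate the ACF2 command deck equivalent to the RACF OpenSSH setup.

Added example (not CA/Broadcom code). Assumptions: the site's BPX rules are
keyed either $KEY(BPX.DAEMON) or $KEY(BPX), and the caller supplies the
ACF2 UID string for the daemon logonid (placeholder here).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class FacRuleShape:
    """How the site's TYPE(FAC) BPX rules are written (found with LIST LIKE(BPX-))."""
    has_bpx_daemon_key: bool  # True: a $KEY(BPX.DAEMON) rule set exists; False: only $KEY(BPX)
    roleset: bool             # True: $ROLESET rule set (USER entries); False: UID-string entries


def daemon_permit(shape: FacRuleShape, logonid: str, uid_string: str) -> List[str]:
    """ACF subcommands granting READ on BPX.DAEMON to one logonid (RACF step 3)."""
    # $ROLESET rule sets name the logonid directly; other rule sets use the ACF2
    # UID string, which is not the z/OS UNIX uid(0) assigned to the logonid.
    subject = f"USER({logonid})" if shape.roleset else f"UID({uid_string})"
    if shape.has_bpx_daemon_key:
        entry = f"RECKEY BPX.DAEMON ADD({subject} SERVICE(READ) ALLOW)"
    else:
        entry = f"RECKEY BPX ADD(DAEMON {subject} SERVICE(READ) ALLOW)"
    return ["ACF", "SET RESOURCE(FAC)", entry, "END"]


def openssh_deck(
    shape: FacRuleShape,
    daemon_uid_string: str,          # placeholder: site's UID string for SSHDAEM
    daemon_lid: str = "SSHDAEM",
    daemon_grp: str = "OMVSGRP",
    privsep_lid: str = "SSHD",
    privsep_grp: str = "SSHDG",
    privsep_uid: int = 999,
    privsep_gid: int = 999,
) -> Tuple[List[str], List[str]]:
    """Return (ACF subcommands, operator MODIFY commands) for steps 1-8."""
    acf: List[str] = []
    # Step 1: superuser started-task logonid for the daemon (STC replaces NOPASSWORD).
    acf += ["ACF", "SET LID",
            f"INSERT {daemon_lid} NAME(SSH DAEMON) GROUP({daemon_grp}) UID(0) "
            f"HOME(/) OMVSPGM(/bin/sh) STC",
            "END"]
    # Step 2 has no ACF2 equivalent; step 3 is the BPX.DAEMON rule entry.
    acf += daemon_permit(shape, daemon_lid, daemon_uid_string)
    # Step 5: OMVS group profile for the privilege-separation group.
    acf += ["ACF", "SET PROFILE(GROUP) DIV(OMVS)",
            f"INSERT {privsep_grp} GID({privsep_gid})", "END"]
    # Step 6: unprivileged privilege-separation logonid, no interactive program.
    acf += ["ACF", "SET LID",
            f"INSERT {privsep_lid} NAME(SSHD STC) GROUP({privsep_grp}) "
            f"UID({privsep_uid}) HOME(/var/empty) OMVSPGM(/bin/false) STC",
            "END"]
    # Steps 4 and 5 need console MODIFY commands; steps 7 and 8 need nothing.
    console = ["F ACF2,REBUILD(FAC)", "F ACF2,REBUILD(GRP),CLASS(P)"]
    return acf, console


def parens_balanced(line: str) -> bool:
    """True if every '(' in the command has a matching ')' (catches truncated RECKEYs)."""
    depth = 0
    for ch in line:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    shape = FacRuleShape(has_bpx_daemon_key=True, roleset=False)
    acf_cmds, console_cmds = openssh_deck(shape, "<UID string for SSHDAEM>")
    assert all(parens_balanced(c) for c in acf_cmds + console_cmds)
    print("\n".join(acf_cmds))
    print("\n--- operator console ---")
    print("\n".join(console_cmds))
```

Run it with the FacRuleShape that matches the output of LIST LIKE(BPX-) at your site; the ACF subcommands can be fed to the TSO ACF command (interactively or through a batch TSO step), and the two MODIFY commands go to the operator console after the rules are in place.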