ACF2 commands for IBM z/OS Connect Enterprise Edition V3.0
Release : 16.0
Component : CA ACF2 for z/OS
//ACFZCEE JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX
//********************************************************************/
//* */
//* ACF2 Setup for z/OS Connect Enterprise Edition V3.0 */
//* */
//* Note this sample job contains ACF2 UID-based rules. For sites */
//* that want to use ROLE-based rules the X(ROL) records should */
//* be created and the RECKEY commands should be updated */
//* replacing the UID parameters with the appropriate ROLE */
//* parameters. */
//* */
//* 1. This job contains sample security definitions that */
//* should be reviewed based on the RACF documentation provided */
//* 2. This job contains statements that may need to be */
//* modified for installation-dependent data, e.g. */
//* if non-default names were chosen. */
//* 4. The statements below are intended for use with */
//* z/OS Security Server (ACF2). */
//* 5. Note this job creates ACF2 GSO CLASMAP records to change */
//* the default Resource Class SERVER to TYPE(SRV) and */
//* the default Resource Class APPL to TYPE(APL). If your site */
//* already has GSO CLASMAP records for these Resource Classes */
//* the GSO CLASMAP records and SET RESOURCE(ttt) should be */
//* modified accordingly. */
//* */
//* Layout: each RACF command from the reference guide is kept */
//* as a comment, followed by its ACF2 equivalent under "* ACF2". */
//* */
//* Placeholders to replace before submitting: every */
//* UID(UID string for xxx) value, the EXPIRE dates, and the */
//* PASSWORD value on the PKCS12 exports. All of them are copied */
//* from the guide's examples, not from this site. */
//********************************************************************/
//STEP010 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* Reference: z/OS Connect Enterprise Edition V3.0
* Getting Started Guide
* for CICS, IMS, Db2 and MQ
*
* Section: Using RACF for TLS and trust/key store management
* RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CA for zCEE') O('COMPANY') -
* OU('INSURANCE')) WITHLABEL('LibertyCA.ZCEE') TRUST -
* SIZE(2048) NOTAFTER(DATE(2020/12/31))
*
* ACF2
* Local CA that signs the server and client certificates below.
* EXPIRE(12/31/2020) is the guide's sample date; set it to the
* site's policy before running.
GENCERT CERTAUTH.libzcee -
SUBJ(CN='CA for zCEE' O='COMPANY' OU='INSURANCE') -
LABEL(LibertyCA.ZCEE) SIZE(2048) EXPIRE(12/31/2020)
*
*
* RACDCERT CERTAUTH EXPORT(LABEL('LibertyCA.ZCEE')) -
* DSN('COMPANY.ZCEE30.CERTAUTH.CRT') FORMAT(CERTDER)
*
* ACF2
* Exports the CA certificate only (CERTDER carries no private key).
EXPORT CERTAUTH.libzcee DSN('COMPANY.ZCEE30.CERTAUTH.CRT') FORMAT(CERTDER)
*
*
* RACDCERT ID(ZCEEPOC1) GENCERT SUBJECTSDN(CN('companyx.company.com') -
* O('COMPANY') OU('INSURANCE')) WITHLABEL('zceepoc1Cert.ZCEE') -
* SIGNWITH(CERTAUTH LABEL('LibertyCA.ZCEE')) SIZE(2048) -
* NOTAFTER(DATE(2020/12/31))
*
* ACF2
* Server certificate for the z/OS Connect EE server logonid ZCEEPOC1,
* signed by the local CA above.
GENCERT ZCEEPOC1.cert -
SUBJ(CN='companyx.company.com' O='COMPANY' OU='INSURANCE') -
LABEL(zceepoc1Cert.ZCEE) SIZE(2048) EXPIRE(12/31/2020) -
SIGNWITH(certauth Label(LibertyCA.ZCEE))
*
*
* RACDCERT ID(ZCEEPOC1) ADDRING(Keyring.ZCEEPOC1)
*
* ACF2
SET PROFILE(USER) DIV(KEYRING)
INSERT ZCEEPOC1.RING RINGNAME(Keyring.ZCEEPOC1)
*
*
* RACDCERT CONNECT(ID(ZCEEPOC1) -
* LABEL('zceepoc1Cert.ZCEE') RING(Keyring.ZCEEPOC1)) -
* ID(ZCEEPOC1)
* RACDCERT CONNECT(CERTAUTH LABEL('LibertyCA.ZCEE') -
* RING(Keyring.ZCEEPOC1)) ID(ZCEEPOC1)
*
* ACF2
* The server's keyring holds its own certificate plus the CA.
CONNECT CERTDATA(ZCEEPOC1.cert) KEYRING(Keyring.ZCEEPOC1)
CONNECT CERTDATA(CERTAUTH.libzcee) KEYRING(Keyring.ZCEEPOC1)
*
* SETR RACLIST(DIGTCERT DIGTRING) REFRESH
*
* ACF2
* NOTE(review): "F ACF2,..." are operator MODIFY commands; confirm they
* are accepted from ACFBATCH SYSIN at this site, otherwise issue them
* from the console after the job completes.
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS
*
* PERMIT IRR.DIGTCERT.LISTRING -
* CLASS(FACILITY) ID(ZCEEPOC1) ACCESS(READ)
*
* ACF2
* UID(UID string for ZCEEPOC1) is a placeholder: replace it with the
* UID mask that matches the server logonid. The same applies to every
* UID(...) value in this job.
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for ZCEEPOC1) -
SERVICE(READ) ALLOW)
*
* PERMIT IRR.DIGTCERT.LIST -
* CLASS(FACILITY) ID(ZCEEPOC1) ACCESS(READ)
*
* ACF2
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LIST UID(UID string for ZCEEPOC1) -
SERVICE(READ) ALLOW)
*
* SETR RACLIST(FACILITY) REFRESH
*
* ACF2
F ACF2,REBUILD(FAC)
*
* RACDCERT ID(USER1) GENCERT SUBJECTSDN(CN('Test User') -
* O('COMPANY') OU('INSURANCE')) WITHLABEL('USER1') -
* SIGNWITH(CERTAUTH LABEL('LibertyCA.ZCEE')) SIZE(2048) -
* NOTAFTER(DATE(2020/12/31))
*
* ACF2
* Test client certificate for USER1, signed by the same local CA.
GENCERT USER1.CERT SUBJ(CN='Test User' OU='INSURANCE' O='COMPANY') -
LABEL(USER1) SIZE(2048) EXPIRE(12/31/2020) -
SIGNWITH(CERTAUTH LABEL(LibertyCA.ZCEE))
*
* RACDCERT ID(USER1) EXPORT(LABEL('USER1')) -
* DSN('USER.USER1.P12') FORMAT(PKCS12DER) -
* PASSWORD('secret')
*
* ACF2
* A PKCS12 export carries the private key. PASSWORD(secret) is the
* guide's sample value and is visible in clear text in this SYSIN (and
* in any job output that echoes it); replace it before running and
* protect the export data sets with data set rules.
EXPORT USER1.CERT DSN('USER.USER1.P12') FORMAT(PKCS12DER) PASSWORD(secret)
*
* RACDCERT ID(USER1) EXPORT(LABEL('USER1')) -
* DSN('USER.USER1.PEM') -
* PASSWORD('secret')
*
* ACF2
* NOTE(review): no FORMAT is given, so per the note below this export
* is PKCS12DER too; the .PEM data set name is misleading. Add an
* explicit FORMAT if a PEM-style file is intended.
EXPORT USER1.CERT DSN('USER.USER1.PEM') PASSWORD(secret)
* Note if no FORMAT is specified with PASSWORD the default format is PKCS12DER for both ACF2 and RACF
* SETR RACLIST(DIGTCERT DIGTRING) REFRESH
*
* ACF2
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS
*
* Section: RACF Certificate Mapping and Filtering
* RACDCERT ID(APP1USER) MAP SDNFILTER('OU=Insurance.O=Company') -
* IDNFILTER('CN=App1 CA.OU=Insurance.O=Company') withlabel('APP1 USERS')
* RACDCERT ID(OTHERUSR) MAP SDNFILTER('O=Company') -
* IDNFILTER('CN=App1 CA.OU=Insurance.O=Company') withlabel('OTHER USERS')
*
* ACF2
* Certificate-to-logonid mapping. Both records filter on the same
* issuer; the subject filter decides which logonid a client cert maps
* to, so the broader O=Company filter (OTHERUSR) catches what the
* OU=Insurance filter (APP1USER) does not.
SET CONTROL(GSO)
INSERT CERTMAP.APP1USER SDNFILTR(OU=Insurance.O=Company) USER(APP1USER) -
IDNFILTR('CN=App1 CA.OU=Insurance.O=Company') LABEL(APP1 USERS)
INSERT CERTMAP.OTHERUSR SDNFILTR(O=Company) USER(OTHERUSR) -
IDNFILTR('CN=App1 CA.OU=Insurance.O=Company') LABEL(OTHER USERS)
*
* SETR RACLIST(DIGTNMAP) REFRESH
* # Define the APPL class based on the default security prefix called MYPROFIL.
*
* ACF2
F ACF2,REFRESH(CERTMAP)
*
* Using SAF for registry and access role checking
* RDEFINE APPL MYPROFIL UACC(NONE)
*
* ACF2
* Not required with ACF2
* NOTE(review): this relies on ACF2 denying requests that match no
* rule; confirm the resource types used here are validated in ABORT
* mode at this site, since other modes do not deny.
*
* # Activate the APPL class.
* SETROPTS CLASSACT(APPL)
*
* ACF2
* Maps resource class APPL to rule type APL (see header note 5).
SET CONTROL(GSO)
INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(APL)
F ACF2,REFRESH(CLASMAP)
*
* # Create an identity that will be used for SAF checks during the unauthenticated
* state prior to the actual authentication of SAF identity and password.
* ADDGROUP WSGUESTG OMVS(AUTOGID) OWNER(SYS1)
*
* ACF2
SET P(GROUP) DIV(OMVS)
INSERT WSGUESTG AUTOGID
*
* ADDUSER WSGUEST RESTRICTED DFLTGRP(WSGUESTG) -
* OMVS(AUTOUID HOME(/u/wsguest) PROGRAM(/bin/sh)) -
* NAME('UNAUTHENTICATED USER') NOPASSWORD NOOIDCARD
*
* ACF2
SET LID
INSERT WSGUEST NAME(UNAUTHENTICATED USER) GROUP(WSGUESTG) AUTOUID -
HOME(/u/wsguest) PROGRAM(/bin/sh) LIMITED
*
* Create an identity that will be used for SAF checks during the
* unauthenticated state prior to the actual authentication of SAF identity and password.
* ADDGROUP WSGUESTG OMVS(AUTOGID) OWNER(SYS1)
* ADDUSER WSGUEST RESTRICTED DFLTGRP(WSGUESTG) -
* OMVS(AUTOUID HOME(/u/wsguest) PROGRAM(/bin/sh)) -
* NAME('UNAUTHENTICATED USER') NOPASSWORD NOOIDCARD
*
* ACF2
* NOTE(review): WSGUEST is already inserted above with LIMITED; this
* second INSERT of the same logonid (with RESTRICT instead) would fail
* against an existing record. Keep a single definition and confirm
* which attribute gives the RACF RESTRICTED + NOPASSWORD behaviour, so
* that the guest identity cannot be used for a password logon.
SET LID
INSERT WSGUEST NAME(UNAUTHENTICATED USER) GROUP(WSGUESTG) AUTOUID -
HOME(/u/wsguest) PROGRAM(/bin/sh) RESTRICT
* NOOIDCARD for ACF2 NOT required
*
* # If the client certificate is associated with a RACF user ID value of USER1,
* # assign USER1 and Unauthenticated user READ access to the APPLID in the APPL class.
* PERMIT MYPROFIL ID(USER1) ACCESS(READ) CLASS(APPL)
* PERMIT MYPROFIL ID(WSGUEST) ACCESS(READ) CLASS(APPL)
*
* ACF2
* READ on APPL MYPROFIL is needed by the mapped user and by the
* unauthenticated identity (pre-authentication SAF checks).
SET RESOURCE(APL)
RECKEY MYPROFIL ADD( UID(UID string for USER1) -
SERVICE(READ) ALLOW)
RECKEY MYPROFIL ADD( UID(UID string for WSGUEST) -
SERVICE(READ) ALLOW)
*
* # Grant the server permission to make authentication calls. Where serverId is
* # the userid under which the z/OS Connect EE server runs.
* RDEFINE SERVER BBG.SECPFX.MYPROFIL UACC(NONE)
*
* ACF2
* Maps resource class SERVER to rule type SRV (see header note 5).
SET CONTROL(GSO)
INSERT CLASMAP.server RESOURCE(SERVER) RSRCTYPE(SRV)
F ACF2,REFRESH(CLASMAP)
*
* PERMIT BBG.SECPFX.MYPROFIL ID(ZCEEPOC1) ACCESS(READ) CLASS(SERVER)
*
* ACF2
* Only the server logonid should hold this; it is what allows the
* server to perform authentication for security prefix MYPROFIL.
SET RESOURCE(SRV)
RECKEY BBG ADD( SECPFX.MYPROFIL UID(UID string for ZCEEPOC1) -
SERVICE(READ) ALLOW)
*
* # Define the required EJBROLE resource and grant access
* RDEFINE EJBROLE MYPROFIL.zos.connect.access.roles.zosConnectAccess UACC(NONE)
*
* ACF2
* Not required with ACF2
*
* PERMIT MYPROFIL.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(USER1) ACCESS(READ)
* PERMIT MYPROFIL.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)
*
* ACF2
* EJBROLE resource names are mixed case; the rule entries below must
* keep the exact case of the role name.
SET RESOURCE(EJB)
RECKEY MYPROFIL ADD( zos.connect.access.roles.zosConnectAccess -
UID(UID string for USER1) SERVICE(READ) ALLOW)
RECKEY MYPROFIL ADD( zos.connect.access.roles.zosConnectAccess -
UID(UID string for WSGUEST) SERVICE(READ) ALLOW)
*
* SETR RACLIST(EJBROLE) REFRESH
* ACF2
F ACF2,REBUILD(EJB)
*
* Using SAF for controlling z/OS Connect EE access
*
* Add two new groups using the ADDGROUP command, e.g.
* ADDGROUP GMADMIN OMVS(AUTOGID)
* ADDGROUP GMINVOKE OMVS(AUTOGID)
*
* ACF2
SET PROFILE(GROUP) DIVISION(OMVS)
INSERT GMADMIN AUTOGID
INSERT GMINVOKE AUTOGID
F ACF2,REBUILD(GRP),CLASS(P)
*
* Connect user USER1 to group GMADMIN using the CONNECT command, e.g.
* CONNECT USER1 GROUP(GMADMIN)
* Connect user USER1 to group GMINVOKE using the CONNECT command, e.g.
* CONNECT USER1 GROUP(GMINVOKE)
* In ACF2 supplemental group membership is granted through TGR
* resource rules keyed by group name.
SET RESOURCE(TGR)
* ADD GMADMIN as an OMVS Supplemental GROUP for USER1
RECKEY GMADMIN ADD( USER(USER1) ALLOW)
* ADD GMINVOKE as an OMVS Supplemental GROUP for USER1
RECKEY GMINVOKE ADD( USER(USER1) ALLOW)
F ACF2,REBUILD(TGR)
/*