ACF2 setup for z/OS Connect Enterprise Edition V3.0

book

Article ID: 142172

calendar_today

Updated On:

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC

Issue/Introduction

ACF2 setup for z/OS Connect Enterprise Edition V3.0

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

//ACFZCEE JOB MSGCLASS=C,MSGLEVEL=(1,1),USER=XXXXXXX,NOTIFY=XXXXXXX 
//********************************************************************/
//*                                                                  */
//*  ACF2 Setup for z/OS Connect Enterprise Edition V3.0             */
//*                                                                  */
//*  Note this sample job contains ACF2 UID based rules. For sites   */
//*     that want to use ROLE base rules the X(ROL) records should   */
//*     be created and the RECKEY commands should be updated         */
//*     replacing the UID parameters with the appropriate ROLE       */
//*     parameters.                                                  */
//*                                                                  */
//*  1. This job contains sample security definitions that           */
//*     should be reviewed based on the RACF documentation provided  */
//*  2. This job contains statements that may need to be             */
//*     modified for installation-dependent data, e.g.               */
//*     if non-default names were chosen.                            */
//*  4. The statements below are intended for use with               */
//*     z/OS Security Server (ACF2).                                 */
//*  5. Note this job create ACF2 GSO CLASMAP records to change      */
//*     the default Resource Class SERVER to TYPE(SRV) and           */
//*     the default Resource Class APPL to TYPE(APL). If you site    */
//*     already have GSO CLASMAP records for these Resource Classes  */
//*     the GSO CLASMAP records and SET RESOURCE(ttt) should be      */
//*     modified accordingly.                                        */
//********************************************************************/
//STEP010  EXEC PGM=ACFBATCH                     
//SYSPRINT DD  SYSOUT=*                          
//SYSIN    DD  * 
* Reference: z/OS Connect Enterprise Edition V3.0
*  Getting Started Guide
*  for CICS, IMS, Db2 and MQ
*
* Section: Using RACF for TLS and trust/key store management 
* RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CA for zCEE') O('MANULIFE') - 
* OU('INSURANCE')) WITHLABEL('LibertyCA.ZCEE') TRUST -                  
* SIZE(2048) NOTAFTER(DATE(2020/12/31))  

* ACF2
GENCERT CERTAUTH.libzcee -
 SUBJ(CN='CA for zCEE' O='MANULIFE' OU='INSURANCE') -
 LABEL(LibertyCA.ZCEE) SIZE(2048) EXPIRE(12/31/2020)
*

* RACDCERT CERTAUTH EXPORT(LABEL('LibertyCA.ZCEE')) -  
* DSN('MANULIFE.ZCEE30.CERTAUTH.CRT') FORMAT(CERTDER)

* ACF2
EXPORT CERTAUTH.libzcee DSN('MANULIFE.ZCEE30.CERTAUTH.CRT') FORMAT(CERTDER)
*

* RACDCERT ID(ZCEEPOC1) GENCERT SUBJECTSDN(CN('manulifej.manulife.com') -  
* O('MANULIFE') OU('INSURANCE')) WITHLABEL('zceepoc1Cert.ZCEE') -                
* SIGNWITH(CERTAUTH LABEL('LibertyCA.ZCEE')) SIZE(2048) -              
* NOTAFTER(DATE(2020/12/31))

* ACF2
GENCERT ZCEEPOC1.cert -
 SUBJ(CN='manulifej.manulife.com' O='MANULIFE' OU='INSURANCE') -
 LABEL(zceepoc1Cert.ZCEE) SIZE(2048) EXPIRE(12/31/2020) -
 SIGNWITH(certauth Label(LibertyCA.ZCEE))
*

* RACDCERT ID(ZCEEPOC1) ADDRING(Keyring.ZCEEPOC1)

* ACF2
SET PROFILE(USER) DIV(KEYRING)     
INSERT ZCEEPOC1.RING RINGNAME(Keyring.ZCEEPOC1)
*

* RACDCERT CONNECT(ID(ZCEEPOC1) -                             
* LABEL('zceepoc1Cert.ZCEE') RING(Keyring.ZCEEPOC1)) -  
* ID(ZCEEPOC1)
* RACDCERT CONNECT(CERTAUTH LABEL('LibertyCA.ZCEE') -        
* RING(Keyring.ZCEEPOC1)) ID(ZCEEPOC1) 

* ACF2
CONNECT CERTDATA(ZCEEPOC1.cert) KEYRING(Keyring.ZCEEPOC1) 
CONNECT CERTDATA(CERTAUTH.libzcee) KEYRING(Keyring.ZCEEPOC1)
*
* SETR RACLIST(DIGTCERT DIGTRING) REFRESH    

* ACF2
F ACF2,REBUILD(USR),CLASS(P)        
F ACF2,OMVS
*
* PERMIT IRR.DIGTCERT.LISTRING -               
* CLASS(FACILITY) ID(ZCEEPOC1) ACCESS(READ)  

* ACF2
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(UID string for ZCEEPOC1) -
 SERVICE(READ) ALLOW)
*
* PERMIT IRR.DIGTCERT.LIST -                   
* CLASS(FACILITY) ID(ZCEEPOC1) ACCESS(READ)

* ACF2
SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LIST UID(UID string for ZCEEPOC1) -
 SERVICE(READ) ALLOW)
*  
* SETR RACLIST(FACILITY) REFRESH 

* ACF2
F ACF2,REBUILD(FAC)
*
* RACDCERT ID(FRED) GENCERT SUBJECTSDN(CN('Fred D. Client') -
* O('MANULIFE') OU('INSURANCE')) WITHLABEL('FRED') -
* SIGNWITH(CERTAUTH LABEL('LibertyCA.ZCEE')) SIZE(2048) - 
* NOTAFTER(DATE(2020/12/31)) 

* ACF2
GENCERT FRED.CERT SUBJ(CN='Fred D. Client' OU='INSURANCE' O='MANULIFE') -
 LABEL(FRED) SIZE(2048) EXPIRE(12/31/2020) -                   
 SIGNWITH(CERTAUTH LABEL(LibertyCA.ZCEE)) 
*
* RACDCERT ID(FRED) EXPORT(LABEL('FRED')) - 
* DSN('USER.FRED.P12') FORMAT(PKCS12DER) -
* PASSWORD('secret') 

* ACF2
EXPORT FRED.CERT DSN('USER.FRED.P12') FORMAT(PKCS12DER) PASSWORD(secret)
*
* RACDCERT ID(FRED) EXPORT(LABEL('FRED')) - 
* DSN('USER.FRED.PEM') -
* PASSWORD('secret')

* ACF2
EXPORT FRED.CERT DSN('USER.FRED.PEM') PASSWORD(secret)
* Note if no FORMAT is specified with PASSWORD the default format is PKCS12DER for both ACF2 and RACF
* SETR RACLIST(DIGTCERT DIGTRING) REFRESH

* ACF2
F ACF2,REBUILD(USR),CLASS(P)        
F ACF2,OMVS
*
* Section: RACF Certificate Mapping and Filtering 
* RACDCERT ID(APP1USER) MAP SDNFILTER('OU=Insurance.O=Manulife') -
* IDNFILTER('CN=App1 CA.OU=Insurance.O=Manulife') withlabel('APP1 USERS')
* RACDCERT ID(OTHERUSR) MAP SDNFILTER('O=Manulife') -
* IDNFILTER('CN=App1 CA.OU=Insurance.O=Manulife') withlabel('OTHER USERS')

* ACF2
SET CONTROL(GSO)
INSERT CERTMAP.APP1USER SDNFILTR(OU=Insurance.O=Manulife) USER(APP1USER) -
 IDNFILTR('CN=App1 CA.OU=Insurance.O=Manulife') LABEL(APP1 USERS)
INSERT CERTMAP.OTHERUSR SDNFILTR(O=Manulife) USER(OTHERUSR) -
 IDNFILTR('CN=App1 CA.OU=Insurance.O=Manulife') LABEL(OTHER USERS)

* SETR RACLIST(DIGTNMAP) REFRESH
*  # Define the APPL class based on the default security prefix called MYPROFIL.  

* ACF2
F ACF2,REFRESH(CERTMAP)
*  
* Using SAF for registry and access role checking
* RDEFINE APPL MYPROFIL UACC(NONE) 

* ACF2
* Not required with ACF2
*         
* # Activate the APPL class.   
* SETROPTS CLASSACT(APPL)

* ACF2
SET CONTROL(GSO)
INSERT CLASMAP.appl RESOURCE(APPL) RSRCTYPE(APL)
F ACF2,REFRESH(CLASMAP)
*      
* # Create an identity that will be used for SAF checks during the unauthenticated 
* state prior to the actual authentication of SAF identity and password.   
* ADDGROUP WSGUESTG OMVS(AUTOGID) OWNER(SYS1) 

* ACF2
SET P(GROUP) DIV(OMVS)
INSERT WSGUESTG AUTOGID

* ADDUSER WSGUEST RESTRICTED DFLTGRP(WSGUESTG) -
* OMVS(AUTOUID HOME(/u/wsguest) PROGRAM(/bin/sh)) -
* NAME('UNAUTHENTICATED USER') NOPASSWORD NOOIDCARD        

* ACF2
SET LID
INSERT WSGUEST NAME(UNAUTHENTICATED USER) GROUP(WSGUESTG) AUTOUID -
 HOME(/u/wsguest) PROGRAM(/bin/sh) LIMITED
*
* Create an identity that will be used for SAF checks during the 
* unauthenticated state prior to the actual authentication of SAF identity and password.   
* ADDGROUP WSGUESTG OMVS(AUTOGID) OWNER(SYS1) 
* ADDUSER WSGUEST RESTRICTED DFLTGRP(WSGUESTG) -
* OMVS(AUTOUID HOME(/u/wsguest) PROGRAM(/bin/sh)) -
* NAME('UNAUTHENTICATED USER') NOPASSWORD NOOIDCARD "

* ACF2
SET LID
INSERT WSGUEST NAME(UNAUTHENTICATED USER) GROUP(WSGUESTG) AUTOUID -
 HOME(/u/wsguest) PROGRAM(/bin/sh) RESTRICT
* NOOIDCARD for ACF2 NOT required

* # If the client certificate is associated with a RACF user ID value of FRED, 
* # assign FRED and Unauthenticated user READ access to the APPLID in the APPL class.
* PERMIT MYPROFIL ID(FRED) ACCESS(READ) CLASS(APPL)
* PERMIT MYPROFIL ID(WSGUEST) ACCESS(READ) CLASS(APPL) "

* ACF2
SET RESOURCE(APL)
RECKEY MYPROFIL ADD( UID(UID string for FRED) -
 SERVICE(READ) ALLOW)
RECKEY MYPROFIL ADD( UID(UID string for WSGUEST) -
 SERVICE(READ) ALLOW)
*
* # Grant the server permission to make authentication calls. Where  serverId is 
* # the userid under which the z/OS Connect EE server runs.  
* RDEFINE SERVER BBG.SECPFX.MYPROFIL UACC(NONE)  

* ACF2
SET CONTROL(GSO)
INSERT CLASMAP.server RESOURCE(SERVER) RSRCTYPE(SRV)
F ACF2,REFRESH(CLASMAP)

* PERMIT BBG.SECPFX.MYPROFIL ID(ZCEEPOC1) ACCESS(READ) CLASS(SERVER)"

* ACF2
SET RESOURCE(SRV)
RECKEY BBG ADD( SECPFX.MYPROFIL UID(UID string for ZCEEPOC1) -
 SERVICE(READ) ALLOW)
*
* # Define the required EJBROLE resource and grant access 
* RDEFINE EJBROLE MYPROFIL.zos.connect.access.roles.zosConnectAccess UACC(NONE)

* ACF2
* Not required with ACF2
*  
* PERMIT MYPROFIL.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(FRED) ACCESS(READ)
* PERMIT MYPROFIL.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(WSGUEST) ACCESS(READ)

* ACF2
SET RESOURCE(EJB)
RECKEY MYPROFIL ADD( zos.connect.access.roles.zosConnectAccess -
 UID(UID string for FRED) SERVICE(READ) ALLOW)
RECKEY MYPROFIL ADD( zos.connect.access.roles.zosConnectAccess -
 UID(UID string for WSGUEST) SERVICE(READ) ALLOW)
*
* SETR RACLIST(EJBROLE) REFRESH"
* ACF2
F ACF2,REBUILD(EJB)
*
* Using SAF for controlling z/OS Connect EE access
*
* Add two new groups will using the ADDGROUP command, e.g.
*  ADDGROUP GMADMIN OMVS(AUTOGID)
*  ADDGROUP GMINVOKE OMVS(AUTOGID)
*
* ACF2
SET PROFILE(GROUP) DIVISION(OMVS)
INSERT GMADMIN AUTOGID
INSERT GMINVOKE AUTOGID
F ACF2,REBUILD(GRP),CLASS(P)
*
* Connect user FRED to group GMADMIN using the CONNECT command, e.g.
*  CONNECT FRED GROUP(GMADMIN)
* Connect user USER1 to group GMINVOKE using the CONNECT command, e.g.
*  CONNECT USER1 GROUP(GMINVOKE)
SET RESOURCE(TGR)
* ADD GMADMIN as an OMVS Supplemental GROUP for FRED
RECKEY GMADMIN ADD( USER(FRED) ALLOW)
* ADD GMINVOKE as an OMVS Supplemental GROUP for USER1
RECKEY GMINVOKE ADD( USER(USER1) ALLOW)
F ACF2,REBUILD(TGR)
/*