Top Secret conversion of RACF Commands for TADz ANALYZER

Article ID: 144231

Products

CA Top Secret CA Top Secret - LDAP

Issue/Introduction

//*********************************************************************
//* Licensed Materials - Property of IBM                            ***
//* 5698-AA4 © Copyright IBM Corp. 2011, 2013. All Rights Reserved. ***
//*                                                                 ***
//*Change Activity:                                                 ***
//*Flg=Reason   Vers Date    Name Description                       ***
//*-----------  ---- ------- ---- ----------------------------------***
//*$P1=RTC63820,V8R1,20Dec12,ADL                                    ***
//*********************************************************************
//* To enable TADz Analyzer to use HTTP secure (HTTPS) the following  *
//* steps should be implemented by your site's RACF Administrator:    *
//* 1. Delete KEYRING(TADZ_KEYRING) and certificates with the         *
//*    labels TADZCERT and LOCALCA.                                   *
//* 2. Activate RACF Classes required for digital certificates.       *
//* 3. Define Keyring TADZ_KEYRING.                                   *
//* 4. Generate certificate.                                          *
//* 5. Connect to Keyring.                                            *
//* 6. Refresh RACF Classes required for digital certificates.        *
//* 7. Permit access to the Facility Class profiles and refresh.      *
//*                                                                   *
//*                                                                   *
//* The following JCL demonstrates a sample implementation:           *
//* 1. Update all occurrences of "HSI" to reflect                     *
//*    your TADz HTTPS environment.                                   *
//*                                                                   *
//* Do not change the RACF keyring 'TADZ_KEYRING' or label 'TADZCERT' *
//* unless you update the corresponding values in Analyzer PARMLIB    *
//* member HSISANP2 and restart the Analyzer STC/Job.                 *
//*-------------------------------------------------------------------*
//RACFDEF    EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

 RACDCERT DELETE(LABEL('LOCALCA')) CERTAUTH
 RACDCERT DELETE(LABEL('TADZCERT')) ID(HSI)
 RACDCERT ID(HSI) DELRING(TADZ_KEYRING)

 SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)

 RACDCERT ID(HSI) ADDRING(TADZ_KEYRING)

 RACDCERT ID(HSI) CERTAUTH GENCERT -
 SUBJECTSDN( O('TIVOLI ASSET DISCOVERY')   -
 CN('syshost.company')                    -
 C('US')) TRUST                       -
 WITHLABEL('LOCALCA')                 -
 KEYUSAGE(CERTSIGN)

 RACDCERT ID(HSI) GENCERT -
 SUBJECTSDN (CN('TADZCERT')                   -
 OU('SYSTEM SOFTWARE SUPPORT.')                             -
 C('US'))                                     -
 WITHLABEL('TADZCERT')                        -
 SIGNWITH(CERTAUTH                            -
 LABEL('LOCALCA'))

 RACDCERT ID(HSI)                             -
 CONNECT(ID(HSI)                              -
 LABEL('TADZCERT')                            -
 RING(TADZ_KEYRING)                           -
 DEFAULT                                      -
 USAGE(PERSONAL))

 RACDCERT ID(HSI)                             -
 CONNECT(ID(HSI) CERTAUTH -
 LABEL('LOCALCA')                             -
 RING(TADZ_KEYRING)                           -
 USAGE(CERTAUTH))

 SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
/*
//PERMIT     EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

 
  SETR RACLIST(FACILITY) REFRESH
/*
-----------------------------------------------------------


//*                                                                   *
//* To enable TADz Analyzer to use HTTP secure (HTTPS) using an       *
//* existing CA certificate, 'Entrust Secure Server Root CA' in our   *
//* example, the following steps should be implemented by your site's *
//* RACF Administrator:                                               *
//*                                                                   *
//* 1. Delete KEYRING(TADZ_KEYRING) and certificate with the          *
//*    LABEL('TADZCERT').                                             *
//* 2. Activate RACF Classes required for digital certificates.       *
//* 3. Define Keyring TADZ_KEYRING.                                   *
//* 4. Connect the existing CA certificate to the Keyring.            *
//* 5. Refresh RACF Classes required for digital certificates.        *
//* 6. Permit access to the Facility Class profiles.                  *
//*                                                                   *
//*                                                                   *
//* The following JCL demonstrates a sample implementation:           *
//* 1. Update all occurrences of "Userid-running-HSISANLO" to reflect *
//*    your TADz HTTPS environment.                                   *
//*                                                                   *
//* Do not change the RACF keyring 'TADZ_KEYRING' or label 'TADZCERT' *
//* unless you update the corresponding values in Analyzer PARMLIB    *
//* member HSISANP2 and restart the Analyzer STC/Job.                 *
//*-------------------------------------------------------------------*
//RACFDEF    EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

 RACDCERT DELETE(LABEL('TADZCERT')) ID(Userid-running-HSISANLO)
 RACDCERT ID(Userid-running-HSISANLO) DELRING(TADZ_KEYRING)

 SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)

 RACDCERT ID(Userid-running-HSISANLO) ADDRING(TADZ_KEYRING)

 RACDCERT ID(Userid-running-HSISANLO) GENCERT -
 SUBJECTSDN (CN('TADZCERT')                   -
 OU('Your Dept.')                             -
 C('US'))                                     -
 WITHLABEL('TADZCERT')

 RACDCERT ID(Userid-running-HSISANLO)         -
 CONNECT(ID(Userid-running-HSISANLO)          -
 LABEL('TADZCERT')                            -
 RING(TADZ_KEYRING)                           -
 DEFAULT                                      -
 USAGE(PERSONAL))

 RACDCERT ID(Userid-running-HSISANLO)         -
 CONNECT(ID(Userid-running-HSISANLO) CERTAUTH -
 LABEL('Entrust Secure Server Root CA')       -
 RING(TADZ_KEYRING)                           -
 USAGE(CERTAUTH))

 SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
/*
//PERMIT     EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

  RDEL FACILITY IRR.DIGTCERT.LIST
  RDEL FACILITY IRR.DIGTCERT.LISTRING

  RDEFINE FACILITY IRR.DIGTCERT.LIST  UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING  UACC(NONE)

  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY)     -
  ID(Userid-running-HSISANLO) AC(READ)

  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
  ID(Userid-running-HSISANLO) AC(READ)

  SETR RACLIST(FACILITY) REFRESH
/*

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

//*********************************************************************
//* Licensed Materials - Property of IBM                            ***
//* 5698-AA4 © Copyright IBM Corp. 2011, 2013. All Rights Reserved. ***
//*                                                                 ***
//*Change Activity:                                                 ***
//*Flg=Reason   Vers Date    Name Description                       ***
//*-----------  ---- ------- ---- ----------------------------------***
//*$P1=RTC63820,V8R1,20Dec12,ADL                                    ***
//*********************************************************************
//* To enable TADz Analyzer to use HTTP secure (HTTPS) the following  *
//* steps should be implemented by your site's RACF Administrator:    *
//* 1. Delete KEYRING(TADZ_KEYRING) and certificates with the         *
//*    labels TADZCERT and LOCALCA.                                   *
//* 2. Activate RACF Classes required for digital certificates.       *
//* 3. Define Keyring TADZ_KEYRING.                                   *
//* 4. Generate certificate.                                          *
//* 5. Connect to Keyring.                                            *
//* 6. Refresh RACF Classes required for digital certificates.        *
//* 7. Permit access to the Facility Class profiles and refresh.      *
//*                                                                   *
//*                                                                   *
//* The following JCL demonstrates a sample implementation:           *
//* 1. Update all occurrences of "HSI" to reflect                     *
//*    your TADz HTTPS environment.                                   *
//*                                                                   *
//* Do not change the RACF keyring 'TADZ_KEYRING' or label 'TADZCERT' *
//* unless you update the corresponding values in Analyzer PARMLIB    *
//* member HSISANP2 and restart the Analyzer STC/Job.                 *
//*-------------------------------------------------------------------*
//RACFDEF    EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

 RACDCERT DELETE(LABEL('LOCALCA')) CERTAUTH
 RACDCERT DELETE(LABEL('TADZCERT')) ID(HSI)
 RACDCERT ID(HSI) DELRING(TADZ_KEYRING)
TSS REMOVE(CERTAUTH) DIGICERT(LOCALCA)
TSS REMOVE(HSI) DIGICERT(TADZCERT)
TSS REMOVE(HSI) KEYRING(TADZRING)

 SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)
**No equivalent TSS command for SETROPTS.**

 RACDCERT ID(HSI) ADDRING(TADZ_KEYRING)
TSS ADD(HSI) KEYRING(TADZRING) LABLRING('TADZ_KEYRING')

 RACDCERT ID(HSI) CERTAUTH GENCERT -
 SUBJECTSDN( O('TIVOLI ASSET DISCOVERY')   -
 CN('syshost.company')                    -
 C('US')) TRUST                       -
 WITHLABEL('LOCALCA')                 -
 KEYUSAGE(CERTSIGN)
TSS GENCERT(CERTAUTH) DIGICERT(LOCALCA) SUBJECTN('CN="syshost.company" O="TIVOLI ASSET DISCOVERY" C="US" ') KEYUSAGE(CERTSIGN) LABLCERT('LOCALCA')

 RACDCERT ID(HSI) GENCERT -
 SUBJECTSDN (CN('TADZCERT')                   -
 OU('SYSTEM SOFTWARE SUPPORT.')                             -
 C('US'))                                     -
 WITHLABEL('TADZCERT')                        -
 SIGNWITH(CERTAUTH                            -
 LABEL('LOCALCA'))
TSS GENCERT(HSI) DIGICERT(TADZCERT) SUBJECTN('CN="TADZCERT" OU="SYSTEM SOFTWARE SUPPORT." C="US" ') LABLCERT('TADZCERT') SIGNWITH(CERTAUTH,LOCALCA)


 RACDCERT ID(HSI)                             -
 CONNECT(ID(HSI)                              -
 LABEL('TADZCERT')                            -
 RING(TADZ_KEYRING)                           -
 DEFAULT                                      -
 USAGE(PERSONAL))
TSS ADD(HSI) KEYRING(TADZRING) RINGDATA(HSI,TADZCERT) USAGE(PERSONAL) DEFAULT


 RACDCERT ID(HSI)                             -
 CONNECT(ID(HSI) CERTAUTH -
 LABEL('LOCALCA')                             -
 RING(TADZ_KEYRING)                           -
 USAGE(CERTAUTH))
TSS ADD(HSI) KEYRING(TADZRING) RINGDATA(CERTAUTH,LOCALCA) USAGE(CERTAUTH)


 SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
**No equivalent TSS command for SETROPTS.**
/*
//PERMIT     EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF
 
  SETR RACLIST(FACILITY) REFRESH
**No equivalent TSS command.**
/*
-----------------------------------------------------------
//*                                                                   *
//* To enable TADz Analyzer to use HTTP secure (HTTPS) using an       *
//* existing CA certificate, 'Entrust Secure Server Root CA' in our   *
//* example, the following steps should be implemented by your site's *
//* RACF Administrator:                                               *
//*                                                                   *
//* 1. Delete KEYRING(TADZ_KEYRING) and certificate with the          *
//*    LABEL('TADZCERT').                                             *
//* 2. Activate RACF Classes required for digital certificates.       *
//* 3. Define Keyring TADZ_KEYRING.                                   *
//* 4. Connect the existing CA certificate to the Keyring.            *
//* 5. Refresh RACF Classes required for digital certificates.        *
//* 6. Permit access to the Facility Class profiles.                  *
//*                                                                   *
//*                                                                   *
//* The following JCL demonstrates a sample implementation:           *
//* 1. Update all occurrences of "Userid-running-HSISANLO" to reflect *
//*    your TADz HTTPS environment.                                   *
//*                                                                   *
//* Do not change the RACF keyring 'TADZ_KEYRING' or label 'TADZCERT' *
//* unless you update the corresponding values in Analyzer PARMLIB    *
//* member HSISANP2 and restart the Analyzer STC/Job.                 *
//*-------------------------------------------------------------------*
//RACFDEF    EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

 RACDCERT DELETE(LABEL('TADZCERT')) ID(Userid-running-HSISANLO)
 RACDCERT ID(Userid-running-HSISANLO) DELRING(TADZ_KEYRING)
TSS REMOVE(Acid-running-HSISANLO) DIGICERT(TADZCERT)
TSS REMOVE(Acid-running-HSISANLO) KEYRING(TADZRING)


 SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)
**No equivalent TSS command for SETROPTS.**

 RACDCERT ID(Userid-running-HSISANLO) ADDRING(TADZ_KEYRING)
TSS ADD(Acid-running-HSISANLO) KEYRING(TADZRING) LABLRING('TADZ_KEYRING')

 RACDCERT ID(Userid-running-HSISANLO) GENCERT -
 SUBJECTSDN (CN('TADZCERT')                   -
 OU('Your Dept.')                             -
 C('US'))                                     -
 WITHLABEL('TADZCERT')
TSS GENCERT(Acid-running-HSISANLO) DIGICERT(TADZCERT) SUBJECTN('CN="TADZCERT" OU="Your Dept." C="US" ') LABLCERT(TADZCERT)

 RACDCERT ID(Userid-running-HSISANLO)         -
 CONNECT(ID(Userid-running-HSISANLO)          -
 LABEL('TADZCERT')                            -
 RING(TADZ_KEYRING)                           -
 DEFAULT                                      -
 USAGE(PERSONAL))
TSS ADD(Acid-running-HSISANLO) KEYRING(TADZRING) RINGDATA(Acid-running-HSISANLO,TADZCERT) USAGE(PERSONAL) DEFAULT

 RACDCERT ID(Userid-running-HSISANLO)         -
 CONNECT(ID(Userid-running-HSISANLO) CERTAUTH -
 LABEL('Entrust Secure Server Root CA')       -
 RING(TADZ_KEYRING)                           -
 USAGE(CERTAUTH))
**Note: This command assumes that you have already obtained the Entrust Secure Server Root CA certificate and added it to the CERTAUTH acid. The DIGICERT name tadzca is used for it in the command below.**
TSS ADD(Acid-running-HSISANLO) KEYRING(TADZRING) RINGDATA(CERTAUTH,tadzca) USAGE(CERTAUTH)


 SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
**No equivalent TSS command for SETROPTS.**
/*
//PERMIT     EXEC  PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT   DD    SYSOUT=*
//SYSTSIN    DD    *
 PROF NOPREF

  RDEL FACILITY IRR.DIGTCERT.LIST
  RDEL FACILITY IRR.DIGTCERT.LISTRING

  RDEFINE FACILITY IRR.DIGTCERT.LIST  UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING  UACC(NONE)
**The RDEFINE commands above correspond in Top Secret to defining ownership of the IBMFAC(IRR.) resources. If you have already worked with digital certificates, this is most likely done.**
 TSS ADD(dept) IBMFAC(IRR.)

  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY)     -
  ID(Userid-running-HSISANLO) AC(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
  ID(Userid-running-HSISANLO) AC(READ)
**In Top Secret, the access level UPDATE is used for the IBMFAC(IRR.) permits when the owner of the personal certificate is also the owner of the keyring.**
 TSS PERMIT(Acid-running-HSISANLO) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(UPDATE)
 TSS PERMIT(Acid-running-HSISANLO) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)


  SETR RACLIST(FACILITY) REFRESH
**No equivalent command in Top Secret.**
/*
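As an added example (not part of the article, nor code from the TADz or Top Secret products), the script below applies the RACDCERT-to-TSS mapping used above to a SYSTSIN block: it joins TSO continuation lines, translates DELETE, DELRING, ADDRING and CONNECT into the TSS REMOVE/ADD forms, and flags SETROPTS as having no equivalent. The 8-character KEYRING and DIGICERT names (TADZRING, tadzca) are site-chosen values assumed from the article, and GENCERT is left to be converted by hand.

```python
import re
# Added example, not from the article: rewrite the RACDCERT keyring/certificate
# commands above into the Top Secret forms the article gives. TSS KEYRING and
# DIGICERT names are 8 characters, so the site-chosen names below are assumed.
RING_NAMES = {"TADZ_KEYRING": "TADZRING"}                 # as in the article
CERT_NAMES = {"Entrust Secure Server Root CA": "tadzca"}  # as in the article

def join_continuations(text):
    """Join TSO command lines that end in '-' into single commands."""
    cmds, buf = [], ""
    for s in (ln.strip() for ln in text.splitlines() if ln.strip()):
        buf += s.rstrip("-").rstrip() + " "
        if not s.endswith("-"):           # last (or only) line of a command
            cmds.append(buf.strip())
            buf = ""
    return cmds

def _arg(cmd, key):  # value of KEY(value) or KEY('value'), else None
    m = re.search(r"\b" + key + r"\(\s*'?([^')]*)'?\s*\)", cmd)
    return m.group(1).strip() if m else None

def racf_to_tss(cmd):
    """Map one RACDCERT/SETROPTS command to its TSS equivalent or a note."""
    up = cmd.upper()
    if up.startswith(("SETROPTS", "SETR ")):
        return "**No equivalent TSS command for SETROPTS.**"
    if not up.startswith("RACDCERT"):
        return None                       # PROF etc.; GENCERT is done by hand
    acid, label = _arg(cmd, "ID"), _arg(cmd, "LABEL")
    ring = _arg(cmd, "RING") or _arg(cmd, "ADDRING") or _arg(cmd, "DELRING")
    cert, ring8 = CERT_NAMES.get(label, label), RING_NAMES.get(ring, ring)
    if "DELETE(" in up:                   # no ID() means a CERTAUTH cert
        return f"TSS REMOVE({acid or 'CERTAUTH'}) DIGICERT({cert})"
    if "DELRING(" in up:
        return f"TSS REMOVE({acid}) KEYRING({ring8})"
    if "ADDRING(" in up:                  # LABLRING keeps the RACF ring name
        return f"TSS ADD({acid}) KEYRING({ring8}) LABLRING('{ring}')"
    if "CONNECT(" in up:                  # RINGDATA(cert owner, cert name)
        inner = cmd[up.index("CONNECT("):]
        owner = "CERTAUTH" if "CERTAUTH" in inner.upper() else _arg(inner, "ID")
        tss = (f"TSS ADD({acid}) KEYRING({ring8}) RINGDATA({owner},{cert}) "
               f"USAGE({_arg(cmd, 'USAGE')})")
        return tss + " DEFAULT" if re.search(r"\bDEFAULT\b", up) else tss

def convert(text):  # whole SYSTSIN block; commands with no mapping are dropped
    return [t for t in map(racf_to_tss, join_continuations(text)) if t]

# Constructed sample: the ring definition and CA connect from the RACF job above.
SAMPLE = """ RACDCERT ID(HSI) ADDRING(TADZ_KEYRING)
 RACDCERT ID(HSI) CONNECT(ID(HSI) CERTAUTH LABEL('LOCALCA') -
 RING(TADZ_KEYRING) USAGE(CERTAUTH))"""
```

Running `convert(SAMPLE)` yields the TSS ADD ... LABLRING and TSS ADD ... RINGDATA(CERTAUTH,LOCALCA) commands shown in the Resolution; any site-specific ring or certificate names go into the two dictionaries.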