RACF AT-TLS Certificate commands to Top Secret
Article ID: 145431
Updated On:
Products
Top Secret
Top Secret - LDAP
Issue/Introduction
RACF AT-TLS Certificate commands to Top Secret.
Environment
Release : 16.0
Component : CA Top Secret for z/OS
Resolution
Configuring AT-TLS in z/OS guest systems:
1. RACF security definitions. Please note that some commands are case sensitive:
a) Define the RACF authorization for PAGENT started task and pasearch command
SETROPTS CLASSACT(STARTED)
SETROPTS RACLIST(STARTED)
SETROPTS GENERIC(STARTED)
There is no equivalent Top secret command for the RACF SETROPTS command. This is not needed in Top Secret.
1. RACF security definitions. Please note that some commands are case sensitive:
a) Define the RACF authorization for PAGENT started task and pasearch command
SETROPTS CLASSACT(STARTED)
SETROPTS RACLIST(STARTED)
SETROPTS GENERIC(STARTED)
There is no equivalent Top secret command for the RACF SETROPTS command. This is not needed in Top Secret.
RDEFINE STARTED PAGE-NT.*
RDEFINE STARTED SYSLOGD.*
AU PAGE-NT NAME( Iyour name') DFLTGRP(OMVS)
ALU PAGENT
RALTER STARTED PAGENT.*
MI-TER STARTED PAGENTI*
TSS ADD(STC) PROCNAME(PAGE-NT) ACID(TCPIP)
TSS ADD(STC) PROCNAME(SYSLOGD) ACID(TCPIP)
**The TCPIP acid already has GROUP(OMVSGRP) and DFLTGRP(OMVSGRP).
**The TCPIP acid has a complete OMVS Segment with UID(0).**
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH
SETROPTS CLASSACT(SERVAUTH)
SETROPTS RACLIST(SERVAUTH)
RDEFINE SERVAUTH UACC(READ)
RDEFINE SERVAUTH EZB.INITSTACK.OLNISYSI.TCPIP.* UACC(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH
TSS ADD(dept) SERVAUTH(EZB.) ==>May already be done.
**Do not see where there is a permit for this resource but assume acid TCPIP needs it since it was defined:
TSS PERMIT(TCPIP) SERVAUTH(EZB.INITSTACK.OLNISYSI.TCPIP.) ACCESS(READ)
TSS PERMIT(TCPIP) SERVAUTH(EZB.INITSTACK.OLNISYSI.TCPIP.) ACCESS(READ)
Note: sysname = Ipar name, OLNISYSI or OLNISYS3
TCPImage = TCPIP started task name which is TCPIP
b) Define the RACF authorization for TCPIP started tasks.
AU TCPIP NAME(90ur name') DFLTGRP(OMVS) ALU TCPIP
RDEFINE STARTED UACC(NONE) OWNER(IBMUSER)
RALT STARTED DATACyour last name, first name - email address') + GROUP(OMVS))
SETROPTS REFRESH
SETROPTS REFRESH RACLIST(STARTED)
c) Add user authority for RACF RACDCERT command
SETROPTS CLASSACT(DIGTCERT DIGTRING)
RDEFINE FACILITY IRR,DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
TSS ADD(dept) IBMFAC(IRR.) ==>May already be done.
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ACCESS(CONTROL) ID(TCPIP)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ACCESS(READ) ID(TCPIP)
SETROPTS RACLIST (DIGTRING) REFRESH SETROPTS RACLIST (DIGTCERT) REFRESH
SETROPTS RACLIST (FACILITY) REFRESH SETROPTS RACLIST(FACILITY) REFRESH
TSS PERMIT(TCPIP) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(CONTROL)
TSS PERMIT(TCPIP) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)
d) Generate CA certificate
RACDCERT CERTAUTH GENCERT +
O('IBM') L( I RaIeigh I ) SPCNC) CCUS')) + KEYUSAGE(CERTSIGN)
TSS GENCERT(CERTAUTH) DIGICERT(PAGECA) SUBJECTN('CN="Pagent CA" O="IBM" L="RaIeigh"') KEYUSAGE(CERTSIGN)
e) Generate a site certificate. This certificate must be associated with the user ID under which TCPIP runs
RACDCERT ID(TCPIP) GENCERT +
+
SIGNWITH(CERTAUTH
TSS GENCERT(TCPIP) DIGICERT(PAGESITE) SUBJECTN('CN="Pagent SITE" O="IBM"') SIGNWITH(CERTAUTH,PAGECA)
f) Define ITM keyring and store the certificate
RACDCERT ID(TCPIP) ADDRING(TCPkeyring)
RACDCERT ID(TCPIP) CONNECT(CERTAUTH +
RING(TCPkeyring))
+
RING(TCPkeyring) DEFAULT)
SETROPTS REFRESH RACLIST(STARTED)
TSS ADD(TCPIP) KEYRING(TCPRING) LABLRING('TCPkeyring')
TSS ADD(TCPIP) KEYRING(TCPRING) RINGDATA(CERTAUTH,PAGECA) USAGE(CERTAUTH)
TSS ADD(TCPIP) KEYRING(TCPRING) RINGDATA(TCPIP,PAGESITE) USAGE(PERSONAL) DEFAULT
Feedback
Yes
No
Powered by
