RACF AT-TLS Certificate commands to Top Secret

Article ID: 145431

Products

CA Top Secret CA Top Secret - LDAP

Issue/Introduction

RACF AT-TLS Certificate commands to Top Secret.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Configuring AT-TLS in z/OS guest systems:
1. RACF security definitions. Please note that some commands are case sensitive:
a) Define the RACF authorization for PAGENT started task and pasearch command
SETROPTS CLASSACT(STARTED)
SETROPTS RACLIST(STARTED)
SETROPTS GENERIC(STARTED)
There is no equivalent Top Secret command for the RACF SETROPTS command. This is not needed in Top Secret.

RDEFINE STARTED PAGENT.*
RDEFINE STARTED SYSLOGD.*
AU PAGENT NAME('your name') DFLTGRP(OMVS)
ALU PAGENT
RALTER STARTED PAGENT.*
RALTER STARTED PAGENT.*
TSS ADD(STC) PROCNAME(PAGENT) ACID(TCPIP)
TSS ADD(STC) PROCNAME(SYSLOGD) ACID(TCPIP)
**The TCPIP acid already has GROUP(OMVSGRP) and DFLTGRP(OMVSGRP).
**We think this should be fine. The TCPIP acid has a complete OMVS Segment with UID(0).**

SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH
SETROPTS CLASSACT(SERVAUTH)
SETROPTS RACLIST(SERVAUTH)
RDEFINE SERVAUTH   UACC(READ)
RDEFINE SERVAUTH EZB.INITSTACK.OLNISYSI.TCPIP.* UACC(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH
TSS ADD(dept) SERVAUTH(EZB.) ==>May already be done.
**I do not see where there is a permit for this resource, but I assume acid TCPIP needs it since it was defined:
TSS PERMIT(TCPIP) SERVAUTH(EZB.INITSTACK.OLNISYSI.TCPIP.) ACCESS(READ)

Note: sysname = LPAR name, OLNISYSI or OLNISYS3
TCPImage = TCPIP started task name, which is TCPIP
b) Define the RACF authorization for TCPIP started tasks.
AU TCPIP NAME('your name') DFLTGRP(OMVS)
ALU TCPIP
RDEFINE STARTED UACC(NONE) OWNER(IBMUSER)
RALT STARTED DATA('your last name, first name - email address') + GROUP(OMVS))
SETROPTS REFRESH
SETROPTS REFRESH RACLIST(STARTED)
c) Add user authority for RACF RACDCERT command
SETROPTS CLASSACT(DIGTCERT DIGTRING)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
TSS ADD(dept) IBMFAC(IRR.) ==>May already be done.

PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ACCESS(CONTROL) ID(TCPIP)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ACCESS(READ) ID(TCPIP)
SETROPTS RACLIST(DIGTRING) REFRESH
SETROPTS RACLIST(DIGTCERT) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
TSS PERMIT(TCPIP) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(CONTROL)
TSS PERMIT(TCPIP) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)

d) Generate CA certificate
RACDCERT CERTAUTH GENCERT +
  SUBJECTSDN(CN('Pagent CA') O('IBM') L('Raleigh') SP('NC') C('US')) +
  KEYUSAGE(CERTSIGN)
TSS GENCERT(CERTAUTH) DIGICERT(PAGECA) SUBJECTN('CN="Pagent CA" O="IBM" L="Raleigh"') KEYUSAGE(CERTSIGN)

e) Generate a site certificate. This certificate must be associated with the user ID under which TCPIP runs.
RACDCERT ID(TCPIP) GENCERT +
  +
SIGNWITH(CERTAUTH
TSS GENCERT(TCPIP) DIGICERT(PAGESITE) SUBJECTN('CN="Pagent SITE" O="IBM"') SIGNWITH(CERTAUTH,PAGECA)
 
f) Define the keyring and store the certificates
RACDCERT ID(TCPIP) ADDRING(TCPkeyring)
RACDCERT ID(TCPIP) CONNECT(CERTAUTH  +
RING(TCPkeyring))
  +
RING(TCPkeyring) DEFAULT)
SETROPTS REFRESH RACLIST(STARTED)
TSS ADD(TCPIP) KEYRING(TCPRING) LABLRING('TCPkeyring')
TSS ADD(TCPIP) KEYRING(TCPRING) RINGDATA(CERTAUTH,PAGECA) USAGE(CERTAUTH)
TSS ADD(TCPIP) KEYRING(TCPRING) RINGDATA(TCPIP,PAGESITE) USAGE(PERSONAL) DEFAULT
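As an added illustration, not part of the original article and not Broadcom code, the following Python script parses the Top Secret commands from steps a) through f) above and checks them for the dependencies that are easy to break when hand-translating from RACF: every SIGNWITH and RINGDATA must name a certificate that an earlier GENCERT created, a keyring must carry exactly one DEFAULT certificate, and each started-task ACID must hold the IBMFAC and SERVAUTH permits from steps a) and c). The tokenizer, the finding codes and the second, deliberately incomplete command set are constructed for this example; the first command set is the article's own TSS commands. It generalizes beyond the article by accepting any number of ACIDs, certificates and keyrings.

```python
import re

# Constructed input: the TSS commands from the Resolution section of this article.
ARTICLE_COMMANDS = """\
TSS ADD(STC) PROCNAME(PAGENT) ACID(TCPIP)
TSS ADD(STC) PROCNAME(SYSLOGD) ACID(TCPIP)
TSS ADD(dept) SERVAUTH(EZB.) ==>May already be done.
TSS PERMIT(TCPIP) SERVAUTH(EZB.INITSTACK.OLNISYSI.TCPIP.) ACCESS(READ)
TSS ADD(dept) IBMFAC(IRR.) ==>May already be done.
TSS PERMIT(TCPIP) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(CONTROL)
TSS PERMIT(TCPIP) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)
TSS GENCERT(CERTAUTH) DIGICERT(PAGECA) SUBJECTN('CN="Pagent CA" O="IBM" L="Raleigh"') KEYUSAGE(CERTSIGN)
TSS GENCERT(TCPIP) DIGICERT(PAGESITE) SUBJECTN('CN="Pagent SITE" O="IBM"') SIGNWITH(CERTAUTH,PAGECA)
TSS ADD(TCPIP) KEYRING(TCPRING) LABLRING('TCPkeyring')
TSS ADD(TCPIP) KEYRING(TCPRING) RINGDATA(CERTAUTH,PAGECA) USAGE(CERTAUTH)
TSS ADD(TCPIP) KEYRING(TCPRING) RINGDATA(TCPIP,PAGESITE) USAGE(PERSONAL) DEFAULT
"""

# Constructed negative input: CA GENCERT and the LISTRING permit are missing,
# and both ring entries are flagged DEFAULT.
BROKEN_COMMANDS = """\
TSS ADD(STC) PROCNAME(PAGENT) ACID(TCPIP)
TSS PERMIT(TCPIP) SERVAUTH(EZB.INITSTACK.OLNISYSI.TCPIP.) ACCESS(READ)
TSS PERMIT(TCPIP) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(CONTROL)
TSS GENCERT(TCPIP) DIGICERT(PAGESITE) SUBJECTN('CN="Pagent SITE" O="IBM"') SIGNWITH(CERTAUTH,PAGECA)
TSS ADD(TCPIP) KEYRING(TCPRING) LABLRING('TCPkeyring')
TSS ADD(TCPIP) KEYRING(TCPRING) RINGDATA(CERTAUTH,PAGECA) USAGE(CERTAUTH) DEFAULT
TSS ADD(TCPIP) KEYRING(TCPRING) RINGDATA(TCPIP,PAGESITE) USAGE(PERSONAL) DEFAULT
"""

# KEYWORD, optionally followed by (value); a quoted value may contain parentheses.
TOKEN = re.compile(r"([A-Z]+)(?:\(('[^']*'|[^)]*)\))?")

# Facility resources the article permits to the TCPIP acid for RACDCERT-style access
# (step c) and the SERVAUTH prefix it permits for stack initialization (step a).
REQUIRED_IBMFAC = ("IRR.DIGTCERT.LIST", "IRR.DIGTCERT.LISTRING")
SERVAUTH_PREFIX = "EZB.INITSTACK."


def parse_tss(line):
    """Split one TSS command into verb, verb operand and keyword dict (None if not TSS)."""
    body = line.split("==>")[0].strip()          # drop trailing commentary
    if not body.startswith("TSS "):
        return None
    toks = TOKEN.findall(body)                   # [('TSS', ''), ('ADD', 'STC'), ...]
    verb, arg = toks[1]
    kw = {k: (v.strip("'") if v else True) for k, v in toks[2:]}   # bare keyword -> True
    return {"verb": verb, "arg": arg, "kw": kw}


def parse_all(text):
    return [c for c in (parse_tss(l) for l in text.splitlines()) if c]


def audit(commands):
    """Return a list of (code, message) findings; empty means the set is consistent."""
    findings, certs, stc_acids, permits, rings = [], set(), set(), {}, {}
    for c in commands:
        v, a, kw = c["verb"], c["arg"], c["kw"]
        if v == "GENCERT":                       # (owner, label) of a created certificate
            if "SIGNWITH" in kw and tuple(kw["SIGNWITH"].split(",")) not in certs:
                findings.append(("UNKNOWN-SIGNER",
                                 f"{kw['DIGICERT']} is signed with {kw['SIGNWITH']}, "
                                 "which no earlier GENCERT created"))
            certs.add((a, kw["DIGICERT"]))
        elif v == "ADD" and a == "STC":          # started task -> ACID assignment
            stc_acids.add(kw["ACID"])
        elif v == "ADD" and "KEYRING" in kw:     # keyring definition or ring entry
            entries = rings.setdefault((a, kw["KEYRING"]), [])
            if "RINGDATA" in kw:
                cert = tuple(kw["RINGDATA"].split(","))
                if cert not in certs:
                    findings.append(("UNKNOWN-RINGCERT",
                                     f"keyring {kw['KEYRING']} references {kw['RINGDATA']}, "
                                     "which no earlier GENCERT created"))
                entries.append((cert, kw.get("USAGE"), kw.get("DEFAULT") is True))
        elif v == "PERMIT":                      # (acid, class) -> {resource: access}
            for cls in ("IBMFAC", "SERVAUTH"):
                if cls in kw:
                    permits.setdefault((a, cls), {})[kw[cls]] = kw.get("ACCESS", "READ")
    for (acid, name), entries in rings.items():
        n = sum(1 for e in entries if e[2])
        if n != 1:
            findings.append(("DEFAULT-COUNT",
                             f"keyring {name} of {acid} has {n} DEFAULT certificates, expected 1"))
    for acid in sorted(stc_acids):               # every STC acid needs the step a)/c) permits
        fac = permits.get((acid, "IBMFAC"), {})
        for res in REQUIRED_IBMFAC:
            if res not in fac:
                findings.append(("MISSING-IBMFAC", f"{acid} has no IBMFAC permit for {res}"))
        sa = permits.get((acid, "SERVAUTH"), {})
        if not any(r.startswith(SERVAUTH_PREFIX) for r in sa):
            findings.append(("MISSING-SERVAUTH", f"{acid} has no SERVAUTH permit under {SERVAUTH_PREFIX}"))
    return findings


if __name__ == "__main__":
    for label, text in (("article", ARTICLE_COMMANDS), ("broken", BROKEN_COMMANDS)):
        print(label, audit(parse_all(text)) or "consistent")
```

Run the file to see the article's set reported as consistent and the broken set produce four findings. The checker only reasons about the TSS commands given to it; permits that already exist on the system (the "May already be done" lines) must be confirmed with TSS LIST output before trusting a MISSING finding.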