Translate Omegamon RACF commands to ACF2
search cancel

Translate Omegamon RACF commands to ACF2

book

Article ID: 190654

calendar_today

Updated On:

Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC LDAP SERVER FOR Z/OS PAM CLIENT FOR LINUX ON MAINFRAME WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Translate Omegamon RACF commands to ACF2

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

In RACF define the classname OME3270 (used by OMIITOM). Take one of the following approaches:
To define a RACF class dynamically, use the following commands:
                                SETROPTS CLASSACT(CDT) RACLIST(CDT)
                                RDEFINE CDT OME3270 UACC(NONE) CDTINFO( +
                                CASE(UPPER) FIRST(ALPHA,NATIONAL) OTHER(ALPHA,NATIONAL,SPECIAL,NUMERIC) +
                                MAXLENGTH(246) MAXLENX(246) KEYQUALIFIERS(0) +
                                PROFILESALLOWED(YES) POSIT(nnn) GENERIC(ALLOWED) +
                                RACLIST(REQUIRED) )
                                SETROPTS RACLIST(CDT) REFRESH
                                SETROPTS RACLIST(OME3270)
                                SETROPTD GENERIC(OME3270)
                                SETROPTS CLASSACT(OME3270)
acf
set control(gso)
insert clasmap.OME3270 ENTITYLN(246) MUSID() RESOURCE(OME3270 ) RSRCTYPE(OME)
// OME refers to the typecode. RSRCTYPE specifies the explicit three-character resource type code associated with the class. To define a RESOURCE but do not define a RSRCTYPE, CA ACF2 uses the first three characters of the RESOURCE as the RSRCTYPE. Use this type code to write resource rules to perform validation. This value cannot be a mask. To mask the name of the resource in your resource rule key, add this type code to the GSO RESDIR or INFODIR record and perform a rebuild. For more information, see Resource Rules.
                                                 
Assuming that RACF is defined to, by default, deny access to undefined resources. You must update RACF to add the O4SRV resource used to secure near-term history (NTH).
                                RDEFINE OME3270  O4SRV.** UACC(NONE)
                                SETROPTS RACLIST(OME3270) REFRESH
                                PERMIT O4SRV.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
Set Resource(OME)
Comp * st
$key(04SRV) type(OME)
- UID(userid) service(read) allow
Allow all Omegamon users READ access:
                                                 
The enhanced 3270 user interface verifies a user's authority to log on by checking for access to an SAF resource named: KOB.LOGON.
                RDEFINE OME3270 KOB.LOGON.** UACC(NONE)
                PERMIT KOB.LOGON.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
                SETROPTS RACLIST(OME3270) REFRESH
                All Omegamon users should have READ access!
Set Resource(OME)
RECKEY $key(KOB.LOGON) type(OME)
 UID(userid) service(read) ALLOW
                                                 
The authority to issue query requests from the OMEGAMON enhanced 3270 user interface to a product agent is verified by checking for access to a product SAF resource, based on the specific product. These SAF resources start with:
                ? KCP - Omegamon for CICS
                ? KM5 - Omegamon for z/OS
                ? KD5 - Omegamon for DB2
                ? KD5 - Omegamon for DB2
                ? KMQ - Omegamon for Messaging (MQ)
                ? KQI - Omegamon for Messaging - Integration Bus
               
                RDEFINE OME3270 KCP.** UACC(NONE)
                PERMIT KCP.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
                RDEFINE OME3270 KM5.** UACC(NONE)
                PERMIT KM5.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
                RDEFINE OME3270 KDP.** UACC(NONE)
                PERMIT KDP.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
                RDEFINE OME3270 KD5.** UACC(NONE)
                PERMIT KD5.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
                RDEFINE OME3270 KMQ.** UACC(NONE)
                PERMIT KMQ.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
                RDEFINE OME3270 KQI.** UACC(NONE)
                PERMIT KQI.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
                SETROPTS RACLIST(OME3270) REFRESH
Allow all Omegamon users READ access
Set Resource(SAF)
Comp * st
$key(KCP) type(SAF)
- UID(userid) service(read) ALLOW
 
Comp * st
$key(KM5) type(SAF)
- UID(userid) service(read) ALLOW
 
Comp * st
$key(KDP) type(SAF)
- UID(userid) service(read) ALLOW
 
Comp * st
$key(KD5) type(SAF)
- UID(userid) service(read) ALLOW
 
Comp * st
$key(KMQ) type(SAF)
- UID(userid) service(read) ALLOW
 
Comp * st
$key(KQI) type(SAF)
- UID(userid) service(read) allow
 
f acf2,rebuild(saf)
                                                               
                                                 
In addition to Log-on, and product query profiles, profiles can be created to control authorization to perform administration tasks using the enhanced 3270 user interface, these rules start with: KOBUI.ADMIN:
                RDEFINE OME3270 KOBUI.ADMIN.** UACC(NONE)
                PERMIT KOBUI.ADMIN.USEHUB.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
                PERMIT KOBUI.ADMIN.PREFS.AUTOUPDATE ID(uuserid/group) ACCESS(READ) CLASS(OME3270)
                SETROPTS RACLIST(OME3270) REFRESH
Enterprise Automation Team will need UPDATE access to KOBUI.**  All other Omegamon users only need READ access to the KOBUI.ADMIN.USEHUB and KOBUI.ADMIN.PREFS.AUTOUPDATE resources.
Set Resource(OME)
comp * st
$key(KOBUI.ADMIN) type(OME)
USEHUB.- ID(userid) SERVICE(READ) ALLOW
PREFS.AUTOUPDATE ID(userid) SERVICE(READ) ALLOW
PassTicket generation
                                 
Requests to either display or zap memory from the OMIITOM require a secured sign-on from the enhanced 3270UI to the OMEGAMON on z/OS monitoring agent. The enhanced 3270UI will generate a PassTicket (a one time only password) and send it to the OMEGAMON on z/OS monitoring agent in the data request. In this way the monitoring agent can authenticate the request that comes from the user logged into the enhanced 3270UI.
In order for a PassTicket to be generated, the PTKTDATA security class must be activated. To activate the PTKTDATA class and the SETROPTS RACLIST processing, run the following command:
                SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) GENERIC(PTKTDATA)
                                 
By using the PassTicket key class the security administrator can associate a RACF secured sign-on secret key with a particular mainframe application that uses RACF for user authentication. All profiles that contain PassTicket information are defined to the PTKTDATA class.
                                 
Define a profile in the PTKTDATA class definition for each OMEGAMON on z/OS monitoring agent which you wish to enable for memory list and/or memory zap functions. The KEYMASKED value may be any combination of 16 hex digits, in the examples below the KEYMASKED value is 0123456789ABCDEF:
                                 
                RDEFINE PTKTDATA OMIIECMS SSIGNON(KEYMASKED(0123456789ABCDEF))
                RDEFINE PTKTDATA OMIIKM3 SSIGNON(KEYMASKED(0123456789ABCDEF))
                RDEFINE PTKTDATA OMIIKMq SSIGNON(KEYMASKED(0123456789ABCDEF))
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT OMIIECMS SSKEY(0123456789ABCDEF

INSERT OMIIKM3 SSKEY(0123456789ABCDEF

INSERT OMIIKMq SSKEY(0123456789ABCDEF

F ACF2,REBUILD(PTK),CLASS(P)

                                               
                                 
Grant users and/or groups access to an OMEGAMON on z/OS's profile:
                PERMIT OMIIECMS CLASS(PTKTDATA) ID(userid/group) ACCESS(UPDATE)
                PERMIT OMIIKM3 CLASS(PTKTDATA) ID(userid/group) ACCESS(UPDATE)
                PERMIT OMIIKMQ CLASS(PTKTDATA) ID(userid/group) ACCESS(UPDATE)
                Allow the Enterprise Automation Team UPDATE access!
Set resource(PTK)
Reckey IRRPTAUTH add(OMIIECMS UID(uid) Service(UPDATE,READ) ALLOW)
Reckey IRRPTAUTH add(OMIIKM3 UID(uid) Service(UPDATE,READ) ALLOW)
Reckey IRRPTAUTH add(OMIIKMQ UID(uid) Service(UPDATE,READ) ALLOW)
F acf2,rebuild(ptk)

                                               
Each OMEGAMON on z/OS monitoring agent must also have a resource profile defined to the RACF application class (APPL). The same users and/or groups permitted to the OMEGAMON on z/OS monitoring agent's PTKTDATA profile should also be permitted to the agents profile defined to the APPL class. The following definitions apply to the APPL class.
                                 
To activate the APPL class and the SETROPTS RACLIST processing issue the following command:
                SETROPTS CLASSACT(APPL) RACLIST(APPL)
                 
Define a profile in the APPL class for each OMEGAMON on z/OS monitoring agent which you wish to enable for memory list and/or memory zap functions:
                                 
                RDEFINE APPL OMIIECMS UACC(NONE)
                RDEFINE APPL OMIIKM3 UACC(NONE)
                RDEFINE APPL OMIIKMQ UACC(NONE)
Grant user's access to the OMEGAMON on z/OS monitoring agent's APPL profile:
                PERMIT v CLASS(APPL) ID(userid/group) ACCESS(UPDATE)
                PERMIT OMIIKM3 CLASS(APPL) ID(userid/group) ACCESS(UPDATE)
                PERMIT OMIIKMq CLASS(APPL) ID(userid/group) ACCESS(UPDATE)
Allow Enterprise Automation Team UPDATE access
Show classmap
Find appl
Use class code, if your class for APPL is APL use the following example
Set resource(APL)
Reckey OMIIECMS add( uid(uid) SERVICE(READ,UPDATE) ALLOW)
Reckey OMIIKMq add( uid(uid) SERVICE(READ,UPDATE) ALLOW)
Reckey OMIIKM3 add( uid(uid) SERVICE(READ,UPDATE) ALLOW)
F acf2,rebuild(APL)
                                 
Once all the OMEGAMON on z/OS monitoring agent's resource profile definitions have been added to the PTKTDATA and APPL security classes issue the following command to refresh the security classes and activate the changes:
                                 
                SETROPTS RACLIST(PTKTDATA) REFRESH
                SETROPTS RACLIST(APPL) REFRESH
F acf2,rebuild(PTK)
F acf2,rebuild(APL)
Remove and Add Omegamon STCs :
                Remove:
  • OMIICUA
  • OMIIEPZM
  • OMIIETE
  • OMIIHDI
  • OMIIHIST
  • OMIIMVS
                               
                Add:
  • OMIITOM – same authority as OMIIECMS
Depends on if you have individual lids set up to run each STC.
If you want all OMEGAMON started procedures to use the same LID
Set Control(GSO)
INSERT STC.OMII LOGONID(LID) STCID(OMII-)
Access updates:
                All Omegamon STCs need READ access to the NETVIEW.CNMLINK dataset, the STC names are:
  • OMCCI01
  • OMIICSA
  • OMIIECMS
  • OMIIKMQx
  • OMIIKM3
  • OMIIRCOL
  • OMKCNDL
  • OMIITOM
SET RULE
RECKEY NETVIEW ADD(CNMLINK UID(userid) R(A))
                               
TEL1:
                STC OMIIKMQ1 needs READ access to MQ datasets:
  • MQ.TEL.PROD.SCSQAUTH <- Existing
  • MQ.TEL.PROD.SCSQANLE <- New
SET RULE
RECKEY MQ add(TEL.PROD.SCSQANLE UID(userid) R(A))
TEL2:
                STC OMIIKMQ2 needs READ access to MQ datasets:
  • MQ.TEL.DEV.SCSQAUTH <- Existing
  • MQ.TEL.DEV.SCSQANLE <- New
SET RULE
RECKEY MQ add(TEL.PROD.SCSQANLE UID(userid) R(A))
TELF:
                STC OMIIKMQ needs READ access to MQ datasets:
  • MQ.TELF.DEV.SCSQAUTH <- Existing
  • MQ.TELF.DEV.SCSQANLE <- New
SET RULE
RECKEY MQ add(TEL.PROD.SCSQANLE UID(userid) R(A))
                               
For access to the OMIITOM all Omegamon users need READ access to STCVHIB.OMEGAMON.** datasets!
SET RULE
RECKEY STCVHIB add(OMEGAMON.- UID(userid) R(A))