Issue/Introduction
Translate Omegamon RACF commands to ACF2
Environment
Release : 16.0
Component : CA ACF2 for z/OS
Resolution
1. Define the OME3270 class (used by OMIITOM)

RACF: one approach is to define the class dynamically in the class descriptor table (CDT) with the following commands:

SETROPTS CLASSACT(CDT) RACLIST(CDT)
RDEFINE CDT OME3270 UACC(NONE) CDTINFO( +
  CASE(UPPER) FIRST(ALPHA,NATIONAL) OTHER(ALPHA,NATIONAL,SPECIAL,NUMERIC) +
  MAXLENGTH(246) MAXLENX(246) KEYQUALIFIERS(0) +
  PROFILESALLOWED(YES) POSIT(nnn) GENERIC(ALLOWED) +
  RACLIST(REQUIRED) )
SETROPTS RACLIST(CDT) REFRESH
SETROPTS RACLIST(OME3270)
SETROPTS GENERIC(OME3270)
SETROPTS CLASSACT(OME3270)

ACF2: map the class to a resource type code with a GSO CLASMAP record:

ACF
SET CONTROL(GSO)
INSERT CLASMAP.OME3270 ENTITYLN(246) MUSID() RESOURCE(OME3270) RSRCTYPE(OME)

OME is the type code. RSRCTYPE specifies the explicit three-character resource type code associated with the class. If you define a RESOURCE but no RSRCTYPE, CA ACF2 uses the first three characters of the RESOURCE as the RSRCTYPE. Use this type code to write the resource rules that perform validation. The value cannot be a mask. To mask the name of the resource in your resource rule key, add this type code to the GSO RESDIR or INFODIR record and perform a rebuild. For more information, see Resource Rules.

2. Near-term history (O4SRV)

Assuming that RACF is set up to deny access to undefined resources by default, update RACF to add the O4SRV resource used to secure near-term history (NTH). All Omegamon users get READ access.

RACF:

RDEFINE OME3270 O4SRV.** UACC(NONE)
SETROPTS RACLIST(OME3270) REFRESH
PERMIT O4SRV.** ID(userid/group) ACCESS(READ) CLASS(OME3270)

ACF2:

SET RESOURCE(OME)
COMPILE * STORE
$KEY(O4SRV) TYPE(OME)
- UID(userid) SERVICE(READ) ALLOW

3. Logon (KOB.LOGON)

The enhanced 3270 user interface verifies a user's authority to log on by checking for access to the SAF resource KOB.LOGON. All Omegamon users should have READ access.

RACF:

RDEFINE OME3270 KOB.LOGON.** UACC(NONE)
PERMIT KOB.LOGON.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
SETROPTS RACLIST(OME3270) REFRESH

ACF2:

SET RESOURCE(OME)
RECKEY KOB.LOGON ADD(- UID(userid) SERVICE(READ) ALLOW)

4. Product query (KCP, KM5, KD5, KMQ, KQI)

The authority to issue query requests from the OMEGAMON enhanced 3270 user interface to a product agent is verified by checking for access to a product SAF resource, based on the specific product. These SAF resources start with:

KCP - Omegamon for CICS
KM5 - Omegamon for z/OS
KD5 - Omegamon for DB2
KMQ - Omegamon for Messaging (MQ)
KQI - Omegamon for Messaging - Integration Bus

All Omegamon users get READ access.

RACF:

RDEFINE OME3270 KCP.** UACC(NONE)
PERMIT KCP.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
RDEFINE OME3270 KM5.** UACC(NONE)
PERMIT KM5.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
RDEFINE OME3270 KDP.** UACC(NONE)
PERMIT KDP.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
RDEFINE OME3270 KD5.** UACC(NONE)
PERMIT KD5.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
RDEFINE OME3270 KMQ.** UACC(NONE)
PERMIT KMQ.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
RDEFINE OME3270 KQI.** UACC(NONE)
PERMIT KQI.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
SETROPTS RACLIST(OME3270) REFRESH

ACF2:

SET RESOURCE(SAF)
COMPILE * STORE
$KEY(KCP) TYPE(SAF)
- UID(userid) SERVICE(READ) ALLOW
COMPILE * STORE
$KEY(KM5) TYPE(SAF)
- UID(userid) SERVICE(READ) ALLOW
COMPILE * STORE
$KEY(KDP) TYPE(SAF)
- UID(userid) SERVICE(READ) ALLOW
COMPILE * STORE
$KEY(KD5) TYPE(SAF)
- UID(userid) SERVICE(READ) ALLOW
COMPILE * STORE
$KEY(KMQ) TYPE(SAF)
- UID(userid) SERVICE(READ) ALLOW
COMPILE * STORE
$KEY(KQI) TYPE(SAF)
- UID(userid) SERVICE(READ) ALLOW
F ACF2,REBUILD(SAF)

5. Administration (KOBUI.ADMIN)

In addition to the logon and product query profiles, profiles can be created to control authorization to perform administration tasks from the enhanced 3270 user interface. These rules start with KOBUI.ADMIN. The Enterprise Automation Team needs UPDATE access to KOBUI.**; all other Omegamon users only need READ access to the KOBUI.ADMIN.USEHUB and KOBUI.ADMIN.PREFS.AUTOUPDATE resources.

RACF:

RDEFINE OME3270 KOBUI.ADMIN.** UACC(NONE)
PERMIT KOBUI.ADMIN.USEHUB.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
PERMIT KOBUI.ADMIN.PREFS.AUTOUPDATE ID(userid/group) ACCESS(READ) CLASS(OME3270)
SETROPTS RACLIST(OME3270) REFRESH

ACF2:

SET RESOURCE(OME)
COMPILE * STORE
$KEY(KOBUI.ADMIN) TYPE(OME)
USEHUB.- UID(userid) SERVICE(READ) ALLOW
PREFS.AUTOUPDATE UID(userid) SERVICE(READ) ALLOW

6. PassTicket generation (PTKTDATA)

Requests to either display or zap memory from the OMIITOM require a secured sign-on from the enhanced 3270UI to the OMEGAMON on z/OS monitoring agent. The enhanced 3270UI generates a PassTicket (a one-time-only password) and sends it to the OMEGAMON on z/OS monitoring agent in the data request. In this way the monitoring agent can authenticate the request that comes from the user logged on to the enhanced 3270UI.

For a PassTicket to be generated, the PTKTDATA security class must be active. To activate the PTKTDATA class and the SETROPTS RACLIST processing, run the following command:

SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) GENERIC(PTKTDATA)

By using the PassTicket key class, the security administrator can associate a RACF secured sign-on secret key with a particular mainframe application that uses RACF for user authentication. All profiles that contain PassTicket information are defined to the PTKTDATA class. Define a profile in the PTKTDATA class for each OMEGAMON on z/OS monitoring agent that you want to enable for memory list and/or memory zap functions. The KEYMASKED value may be any combination of 16 hex digits; in the examples below the KEYMASKED value is 0123456789ABCDEF.

RACF:

RDEFINE PTKTDATA OMIIECMS SSIGNON(KEYMASKED(0123456789ABCDEF))
RDEFINE PTKTDATA OMIIKM3 SSIGNON(KEYMASKED(0123456789ABCDEF))
RDEFINE PTKTDATA OMIIKMQ SSIGNON(KEYMASKED(0123456789ABCDEF))

ACF2:

SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT OMIIECMS SSKEY(0123456789ABCDEF)
INSERT OMIIKM3 SSKEY(0123456789ABCDEF)
INSERT OMIIKMQ SSKEY(0123456789ABCDEF)
F ACF2,REBUILD(PTK),CLASS(P)

Grant users and/or groups access to an OMEGAMON on z/OS agent's profile. Allow the Enterprise Automation Team UPDATE access.

RACF:

PERMIT OMIIECMS CLASS(PTKTDATA) ID(userid/group) ACCESS(UPDATE)
PERMIT OMIIKM3 CLASS(PTKTDATA) ID(userid/group) ACCESS(UPDATE)
PERMIT OMIIKMQ CLASS(PTKTDATA) ID(userid/group) ACCESS(UPDATE)

ACF2:

SET RESOURCE(PTK)
RECKEY IRRPTAUTH ADD(OMIIECMS UID(uid) SERVICE(UPDATE,READ) ALLOW)
RECKEY IRRPTAUTH ADD(OMIIKM3 UID(uid) SERVICE(UPDATE,READ) ALLOW)
RECKEY IRRPTAUTH ADD(OMIIKMQ UID(uid) SERVICE(UPDATE,READ) ALLOW)
F ACF2,REBUILD(PTK)

7. Application class (APPL)

Each OMEGAMON on z/OS monitoring agent must also have a resource profile defined to the RACF application class (APPL). The same users and/or groups permitted to the agent's PTKTDATA profile should also be permitted to the agent's profile in the APPL class. To activate the APPL class and the SETROPTS RACLIST processing, issue the following command:

SETROPTS CLASSACT(APPL) RACLIST(APPL)

Define a profile in the APPL class for each OMEGAMON on z/OS monitoring agent that you want to enable for memory list and/or memory zap functions:

RDEFINE APPL OMIIECMS UACC(NONE)
RDEFINE APPL OMIIKM3 UACC(NONE)
RDEFINE APPL OMIIKMQ UACC(NONE)

Grant users access to the agent's APPL profile. Allow the Enterprise Automation Team UPDATE access.

RACF:

PERMIT OMIIECMS CLASS(APPL) ID(userid/group) ACCESS(UPDATE)
PERMIT OMIIKM3 CLASS(APPL) ID(userid/group) ACCESS(UPDATE)
PERMIT OMIIKMQ CLASS(APPL) ID(userid/group) ACCESS(UPDATE)

ACF2: issue SHOW CLASMAP and find the APPL entry to get its type code. If the type code for APPL is APL, use the following:

SET RESOURCE(APL)
RECKEY OMIIECMS ADD(UID(uid) SERVICE(READ,UPDATE) ALLOW)
RECKEY OMIIKMQ ADD(UID(uid) SERVICE(READ,UPDATE) ALLOW)
RECKEY OMIIKM3 ADD(UID(uid) SERVICE(READ,UPDATE) ALLOW)
F ACF2,REBUILD(APL)

Once all the agents' resource profile definitions have been added to the PTKTDATA and APPL security classes, refresh the classes to activate the changes:

RACF:

SETROPTS RACLIST(PTKTDATA) REFRESH
SETROPTS RACLIST(APPL) REFRESH

ACF2:

F ACF2,REBUILD(PTK)
F ACF2,REBUILD(APL)

8. Remove and add Omegamon STCs

Remove:
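As an added illustration (not part of this article and not CA ACF2 or IBM code), the following Python script mechanizes the RDEFINE/PERMIT-to-resource-rule mapping used in the sections above: the class is looked up in the CLASMAP mapping (OME3270 to OME), the profile prefix before .** becomes the $KEY, .** becomes the ACF2 mask character -, ID() becomes UID(), and ACCESS() becomes a SERVICE list. The SERVICES table (UPDATE implies READ, ACCESS(NONE) becomes PREVENT) and the sample commands are assumptions of this example, so check the generated rules against your own CLASMAP before compiling them.

```python
import re
from collections import OrderedDict

# Class-to-type code mapping, as set up by the GSO CLASMAP record above (OME3270 -> OME).
CLASMAP = {"OME3270": "OME"}
# RACF ACCESS level -> ACF2 SERVICE list. RACF UPDATE implies READ, while ACF2 lists every
# service explicitly; ACCESS(NONE) is emitted as a PREVENT entry (an assumption of this script).
SERVICES = {"READ": "READ", "UPDATE": "READ,UPDATE", "NONE": None}

def _operand(line, name):
    """Pull the value of a keyword operand such as ID(...) or CLASS(...) from a command."""
    m = re.search(rf"\b{name}\(([^)]*)\)", line, re.I)
    return m.group(1).upper() if m else None

def _key_of(profile):
    """RACF profile 'A.B.**' -> ACF2 $KEY 'A.B'; an unmasked profile is its own key."""
    return profile[:-3] if profile.endswith(".**") else profile

def _entry_of(profile, key):
    """Resource name relative to the rule key: 'KEY.X.**' -> 'X.-', 'KEY.**' -> '-'."""
    rest = profile[len(key):].lstrip(".")
    return rest.replace("**", "-") or "-"

def racf_to_acf2(commands):
    """Translate RDEFINE/PERMIT lines for a mapped class into ACF2 rules, one $KEY per profile."""
    rules = OrderedDict()                          # (type code, $KEY) -> list of rule entries
    for line in commands:
        tok = line.split() or [""]
        if tok[0].upper() == "RDEFINE" and tok[1].upper() in CLASMAP:
            rules.setdefault((CLASMAP[tok[1].upper()], _key_of(tok[2].upper())), [])
        elif tok[0].upper() == "PERMIT" and _operand(line, "CLASS") in CLASMAP:
            rtype, profile = CLASMAP[_operand(line, "CLASS")], tok[1].upper()
            # hang the PERMIT on the longest existing $KEY that is a qualifier prefix of the
            # profile (KOBUI.ADMIN.USEHUB.** lands under $KEY(KOBUI.ADMIN)), else on its own key
            key = max((k for t, k in rules if t == rtype and
                       (profile == k or profile.startswith(k + "."))),
                      key=len, default=_key_of(profile))
            svc = SERVICES[_operand(line, "ACCESS") or "READ"]
            verdict = f"SERVICE({svc}) ALLOW" if svc else "PREVENT"
            rules.setdefault((rtype, key), []).append(
                f"{_entry_of(profile, key)} UID({_operand(line, 'ID')}) {verdict}")
    out, seen = [], set()
    for (rtype, key), entries in rules.items():
        if rtype not in seen:                      # one SET RESOURCE(type) per type code
            out.append(f"SET RESOURCE({rtype})"); seen.add(rtype)
        out.append(f"$KEY({key}) TYPE({rtype})")
        out.extend(entries)
    return out
```

Feeding the KOBUI.ADMIN commands from section 5 through racf_to_acf2 yields the same $KEY(KOBUI.ADMIN) rule with USEHUB.- and PREFS.AUTOUPDATE entries shown there; commands for unmapped classes such as APPL are skipped.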
OMIICUA
OMIIEPZM
OMIIETE
OMIIHDI
OMIIHIST
OMIIMVS
Add:
OMIITOM – same authority as OMIIECMS
Whether a new logonid is needed depends on whether you have individual logonids set up to run each STC. If you want all OMEGAMON started procedures to use the same LID:

SET CONTROL(GSO)
INSERT STC.OMII LOGONID(LID) STCID(OMII-)

Access updates: all Omegamon STCs need READ access to the NETVIEW.CNMLINK dataset. The STC names are:
OMCCI01
OMIICSA
OMIIECMS
OMIIKMQx
OMIIKM3
OMIIRCOL
OMKCNDL
OMIITOM
SET RULE
RECKEY NETVIEW ADD(CNMLINK UID(userid) R(A))

TEL1: STC OMIIKMQ1 needs READ access to MQ datasets:
MQ.TEL.PROD.SCSQAUTH <- Existing
MQ.TEL.PROD.SCSQANLE <- New
SET RULE
RECKEY MQ ADD(TEL.PROD.SCSQANLE UID(userid) R(A))

TEL2: STC OMIIKMQ2 needs READ access to MQ datasets:
MQ.TEL.DEV.SCSQAUTH <- Existing
MQ.TEL.DEV.SCSQANLE <- New
SET RULE
RECKEY MQ ADD(TEL.DEV.SCSQANLE UID(userid) R(A))

TELF: STC OMIIKMQ needs READ access to MQ datasets:
MQ.TELF.DEV.SCSQAUTH <- Existing
MQ.TELF.DEV.SCSQANLE <- New
SET RULE
RECKEY MQ ADD(TELF.DEV.SCSQANLE UID(userid) R(A))

For access to the OMIITOM, all Omegamon users need READ access to the STCVHIB.OMEGAMON.** datasets:

SET RULE
RECKEY STCVHIB ADD(OMEGAMON.- UID(userid) R(A))