Convert BBOWBRAC member version 8.5.5.9 build cf091608.04 from RACF to Top Secret

Article ID: 190748

Products

Top Secret Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Need BBOWBRAC converted from RACF to TSS.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

BBOWBRAC version 8.5.5.9 build cf091608.04 (converted to Top Secret commands):


/* REXX */
/* ================================================================ */
/* */
/* COPYRIGHT = */
/* Licensed Material - Property of IBM */
/* */
/* 5724-I63, 5724-H88, 5655-N01, 5733-W61 */
/* (C) Copyright IBM Corp. 1999, 2008 */
/* All Rights Reserved */
/* US Government Users Restricted Rights - Use, duplication or */
/* disclosure restricted by GSA ADP Schedule Contract with IBM Corp.*/
/* */
/* ================================================================ */
/* File tailored on 2020/05/04 at 09:26 by FOXBR03 */
/* WCT version 8.5.5.9 build cf091608.04 */
/* ================================================================ */


say 'WebSphere Application Server RACF Setup'
say '-- Management'
say '-- Cell name:' BCELB85I
say '-- Server name:' B85IMGR
say '-- Config group:' CBCFG31
say '-- Generated on 2020/05/04 at 09:26'

/* ---------------------------------------------------------------- */
/* Determines RACF certificate size. */
/* ---------------------------------------------------------------- */
certsize = "2048"
if syscalls('ON')<4 then
do
address syscall 'uname uts.'
say '-- Machine: ' uts.U_MACHINE
if uts.U_MACHINE < "2084" then certsize = "1024"
call syscalls('OFF')
end
else say 'Unable to establish the SYSCALL environment'
say '-- Certificate size: ' certsize
trace commands


/* ---------------------------------------------------------------- */
/* CLASS = SERVER */
/* PROFILE = CB.. */
/* Used for: Determining if a servant region can initialize */
/* ---------------------------------------------------------------- */
say 'Defining SERVER CB.cluster.generic_server '
say 'Used for determining if a servant region can initialize.'


"TSS ADD(owningacid) SERVER(CB.)"

say

/* ---------------------------------------------------------------- */
/* AsynchBeans for z/OS, require servants to have access to WLM */
/* services. */
/* ---------------------------------------------------------------- */
say 'Authorize servants to use WLM Services'

"TSS ADD(owningacid) IBMFAC(BPX.)"
say

"TSS PER(CBCFG31) IBMFAC(BPX.WLMSERVER) ACCESS(READ)"
say

"SETROPTS RACLIST(FACILITY) REFRESH"
say

/* ---------------------------------------------------------------- */
/* Create STARTED task profiles for each runtime server identity */
/* and define any additional User Identities needed */
/* ---------------------------------------------------------------- */


say 'Assign daemon controller ID to started task'

"TSS ADD(STC) PROCN(B85ID31) ACID(B85IC31)"

say

say 'Assign AppServer controller ID to started task'

"TSS ADD(STC) PROCN(B85IM31) ACID(B85IC31)"
say

say 'Assign AppServer servant ID to started task'

"TSS ADD(STC) PROCN(B85IMGRS) ACID(B85IS31)"

say 'Define permissions to work with certificates'

"TSS ADD(owningacid) IBMFAC(IRR.)"
say

"TSS PERMIT(CBCFG31) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)"

say

/* ---------------------------------------------------------------- */
/* Define a user ID to be used for unauthenticated requests. */
/* ---------------------------------------------------------------- */
say 'Adding WAS unauthenticated user ID'

/* REXX continues a clause with a trailing comma; the pieces are joined with a blank */
"TSS CRE(B85IU31) NAME('WAS DEFAULT USER') PASS(password)",
  "DEPT(dept) UID(0310000426) HOME('/u/users/wasusrB85I/CBCFG31')",
  "OMVSPGM('/bin/sh') GROUP(CBCFG31) DFLTGRP(CBCFG31)"
say

/* ---------------------------------------------------------------- */
/* Activating additional RACF classes used by WebSphere for z/OS */
/* security. */
/* ---------------------------------------------------------------- */

/* --------------------------------------------------------------------- */
/* CLASS=CBIND */
/* OS/390 WebSphere PROFILES */
/* --------------------------------------------------------------------- */
/* CLASS = CBIND */
/* PROFILE = CB.BIND. */
/* (CB.BIND.CLUSTER) */
/* Used for: determining if a client can "BIND" (access) a controller */
/* region. */
/* Notes: */
/* 1. Any userid can gain access to the controller region if it has READ */
/* access to the CB.BIND.cluster_name profile. */
/* 2. A userid can still gain access to the Controller Region if the */
/* session owner has control access. */
/* 3. Within a local session (or SSL client certificate session) */
/* the session owner is the userid of the client or controller */
/* region (if server-as-client) that issued the message. */
/* Otherwise, ownership is assigned to the first userid which */
/* has successfully accessed the controller region. */
/* --------------------------------------------------------------------- */
say 'Define and permit CB.BIND. profile to CBIND class'
say 'Used for determining if a client can access a controller region'
say 'Any userid can gain access to the controller region if it has READ access to the CB.BIND.cluster_name profile'

"TSS ADD(owningacid) CBIND(CB.)"
"TSS PERMIT(CBCFG31) CBIND(CB.BIND.B85ICELL.) ACCESS(CONTROL)"
say
/* ---------------------------------------------------------------- */
/* RACF CLASS = EJBROLE */
/* Used for: EJB Role Access. Needed for SAF Authorization */
/* */
/* The EJBROLE class is used to control access to roles. */
/* The Administrative roles are for access to functions in the */
/* administrative console and the wsadmin scripting interface. The */
/* Naming roles are for access to the JNDI namespace */
/* ---------------------------------------------------------------- */
say 'Defining and Permitting EJBROLE Administrative profiles...'

"TSS ADD(owningacid) EJBROLE(B85ICELL.)"
say

"TSS PERMIT(B85IA31) EJBROLE(B85ICELL.adminsecuritymanager) ACCESS(READ)"
say

"TSS PERMIT(CBCFG31) EJBROLE(B85ICELL.administrator) ACCESS(READ)"
say

"TSS PERMIT(CBCFG31) EJBROLE(B85ICELL.iscadmins) ACCESS(READ)"
say

"TSS PERMIT(CBCFG31) EJBROLE(B85ICELL.auditor) ACCESS(READ)"

say

say 'Defining and Permitting EJBROLE Naming profiles...'

"TSS PERMIT(B85IU31) EJBROLE(B85ICELL.CosNamingRead) ACCESS(READ)"
say

"TSS PERMIT(CBCFG31) EJBROLE(B85ICELL.CosNamingWrite) ACCESS(READ)"
say

"TSS PERMIT(CBCFG31) EJBROLE(B85ICELL.CosNamingCreate) ACCESS(READ)"
say

"TSS PERMIT(CBCFG31) EJBROLE(B85ICELL.CosNamingDelete) ACCESS(READ)"
say

/* ---------------------------------------------------------------- */
/* RACF CLASS = APPL */
/* */
/* The APPL Class profile controls whether an authenticated user */
/* can access any application in a cell. */
/* */
/* PERMIT SAF_profile_prefix CLASS(APPL) ID(all userids) */
/* ACCESS(READ) */
/* TSS PERMIT(all userids) APPL(SAF_profile_prefix) */
/* ACCESS(READ) */
/* ---------------------------------------------------------------- */
say 'Defining and Permitting APPL profiles...'
say 'Used to control client access to a WebSphere Application Server for z/OS cell or group of cells.'

"TSS ADD(owningacid) APPL(B85ICELL)"
say

"TSS PER(CBCFG31) APPL(B85ICELL) ACC(READ)"
say

"TSS PER(B85IU31) APPL(B85ICELL) ACC(READ)"
say

/* ---------------------------------------------------------------- */
/* SSL SET-UP */
/* This sets up a WAS Test Certificate Authority for use for */
/* creating all certificates needed on both client and */
/* servers, for test purposes. */
/* See "RACF Security Administrator's Guide" for more */
/* information on Digital Certificates. */
/* ---------------------------------------------------------------- */
say 'Create SSL Certificate Authority certificate'
say 'This will be used to sign client and server certs'

/* Double quotes inside a double-quoted REXX string are written twice */
"TSS GENCERT(CERTAUTH) DIGICERT(WASCA) LABLCERT('WebSphereCA')",
  "SIZE(" || certsize || ") NADATE(12/31/2022) TRUST",
  "SUBJECTN('CN=""WAS CertAuth for Security Domain"" OU=""BCELB85I""')"

say 'Create WebSphere controller personal certificate'

"TSS GENCERT(CERTSITE) DIGICERT(DEFCERT) LABLCERT('DefaultWASCert.BCELB85I')",
  "SUBJECTN('CN=""usilca31.lvn.broadcom.net"" O=""IBM"" OU=""BCELB85I""')",
  "SIGNWITH(CERTAUTH,WASCA) SIZE(" || certsize || ")",
  "NADATE(12/31/2022)"
say

say 'Create WebSphere controller keyring'

"TSS ADD(B85IC31) KEYRING(WASRING) LABLRING('WASKeyring.BBOCELL')"
say


say 'Connect controller certificate to controller keyring '

"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTSITE,DEFCERT)",
  "USAGE(PERSONAL) DEFAULT"
say

say 'Connect WebSphere CA certificate to controller keyring '

"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,WASCA)",
  "USAGE(CERTAUTH)"
say

say 'Connect commercial CAs to controller keyring '

/* xxxxxxx is a placeholder: replace it with the DIGICERT name of each CA before running */
"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say
/* Add your 'Verisign Class 3 Primary CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Verisign Class 1 Primary CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'RSA Secure Server CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Premium Server CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Personal Basic CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Personal Freemail CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Personal Premium CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Verisign International Svr CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IC31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

say 'Create WebSphere servant keyring'

"TSS ADD(B85IS31) KEYRING(WASRING) LABLRING('WASKeyring.BBOCELL')"

say

say 'Connect WAS CA Certificate to servant keyring'

"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,WASCA)",
  "USAGE(CERTAUTH)"
say

say 'Connect Commercial CAs to servant keyring'

/* xxxxxxx is a placeholder: replace it with the DIGICERT name of each CA before running */
/* Add your 'Verisign Class 3 Primary CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Verisign Class 1 Primary CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'RSA Secure Server CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Server CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Premium Server CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Personal Basic CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Personal Freemail CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Personal Premium CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Verisign International Svr CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IS31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

say 'Creating SSL keyrings for WebSphere administrator '

"TSS ADD(B85IA31) KEYRING(WASRING) LABLRING('WASKeyring.BBOCELL')"
say

say 'Connect WAS CA Certificate to WebSphere administrator keyring'

"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,WASCA)",
  "USAGE(CERTAUTH)"
say

say 'Connect Commercial CAs to WebSphere administrator keyring'
/* xxxxxxx is a placeholder: replace it with the DIGICERT name of each CA before running */
/* Add your 'Verisign Class 3 Primary CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Verisign Class 1 Primary CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'RSA Secure Server CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Server CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Premium Server CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Personal Basic CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Personal Freemail CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Thawte Personal Premium CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

/* Add your 'Verisign International Svr CA' DIGICERT name to your keyring with the following command. */
"TSS ADD(B85IA31) KEYRING(WASRING) RINGDATA(CERTAUTH,xxxxxxx)",
  "USAGE(CERTAUTH)"
say

"TSS ADD(B85IC31) KEYRING(WASROOT) LABLRING('WASKeyring.BBOCELL.Root')"
say


"TSS ADD(B85IC31) KEYRING(WASSIGN) LABLRING('WASKeyring.BBOCELL.Signers')"
say

say 'Connect root CA certificates to the root keyrings '

"TSS ADD(B85IA31) KEYRING(WASROOT) RINGDATA(CERTAUTH,WASCA)",
  "USAGE(CERTAUTH)"
say


say 'Connect default signers to the default signers keyring '

"TSS ADD(B85IA31) KEYRING(WASSIGN) RINGDATA(CERTAUTH,WASCA)",
  "USAGE(CERTAUTH)"
say

/* ---------------------------------------------------------------- */
/* Synch to OS Thread setup */
/* ---------------------------------------------------------------- */
say 'Creating Sync-to-thread profile '
say 'Used for: Enabling Sync-to-thread. '
say 'Controller region user ID needs READ or CONTROL access to enable Sync-to-thread. '
say 'With READ access, only security environments representing users in the SURROGATE class are allowed, while CONTROL allows for security environments to represent any user. '

"TSS ADD(owningacid) IBMFAC(BBO.)"
say

/* ---------------------------------------------------------------- */
/* Trusted applications setup */
/* ---------------------------------------------------------------- */
say 'Creating EnableTrustedApplications profile '
say 'Used for: Allowing applications to perform operations normally reserved for privileged users. '
say 'Permit default WAS Configuration group to EnableTrustedApplications profile. '

"TSS PERMIT(CBCFG31) IBMFAC(BBO.TRUSTEDAPPS.BCELB85I.)",
  "ACCESS(READ)"
say

/* ---------------------------------------------------------------- */
/* Writable keyring support setup */
/* ---------------------------------------------------------------- */

say

"TSS ADD(owningacid) RDATALIB(B85IC31.)"
say

"TSS ADD(owningacid) RDATALIB(B85IS31.)"
say

"TSS PERMIT(CBCFG31) RDATALIB(B85IC31.) ACC(CONTROL) "
say

"TSS PERMIT(B85IC31) RDATALIB(B85IC31.) ACC(CONTROL) "
say

"TSS PERMIT(B85IC31) RDATALIB(B85IS31.) ACC(CONTROL) "
say

"TSS PERMIT(B85IS31) RDATALIB(B85IS31.) ACC(CONTROL) "
say

"TSS ADD(owningacid) RDATALIB(B85IA31.)"
say

"TSS PERMIT(CBCFG31) RDATALIB(B85IA31.) ACC(READ) "
say

"TSS PERMIT(B85IA31) RDATALIB(B85IA31.) ACC(CONTROL) "
say

"TSS PERMIT(B85IA31) RDATALIB(B85IA31.) ACC(CONTROL) "
say
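The APPL comment block in the script spells out the command mapping the whole conversion relies on: RACF PERMIT profile CLASS(class) ID(user) ACCESS(level) becomes TSS PERMIT(acid) class(profile) ACCESS(level), and the rest of the script applies the same pattern, with RDEFINE turning into TSS ADD(owningacid) class(resource) and the FACILITY class renamed IBMFAC. The Python script below is an added example, not part of this article and not IBM's BBOWBRAC, that applies those rules mechanically to the RACF commands a BBOWBRAC-generated script issues, so a hand conversion like the one above can be cross-checked for typos or missed commands. The sample RACF lines are constructed; the generic-suffix rule (a trailing .* or .** becomes a TSS prefix ending in a dot), the owningacid placeholder, and the treatment of SETROPTS RACLIST as having no Top Secret counterpart are assumptions to confirm against your own Top Secret setup.

```python
import re

# Added example: converts the RACF commands a BBOWBRAC-generated setup
# script issues into Top Secret commands. Not part of the article or of
# IBM's BBOWBRAC; the mapping rules are assumptions to confirm on your system.

# RACF class name -> TSS class name. Only FACILITY differs; the WebSphere
# classes SERVER, CBIND, EJBROLE, APPL and RDATALIB keep their names.
CLASS_MAP = {"FACILITY": "IBMFAC"}

# Command shapes in the keyword order BBOWBRAC emits them.
RDEFINE_RE = re.compile(r"^RDEFINE\s+(\w+)\s+(\S+)", re.IGNORECASE)
PERMIT_RE = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\((\w+)\)\s+ID\((\w+)\)\s+ACCESS\((\w+)\)",
    re.IGNORECASE,
)
SETROPTS_RE = re.compile(r"^SETROPTS\b", re.IGNORECASE)


def tss_class(racf_class):
    """Map a RACF class name to its TSS class name."""
    name = racf_class.upper()
    return CLASS_MAP.get(name, name)


def tss_resource(profile):
    """Assumption: a RACF generic profile ending in '.*' or '.**' becomes a
    TSS prefix ending in '.', as the script's CB. and CB.BIND.B85ICELL. do.
    Discrete profile names such as BPX.WLMSERVER are kept unchanged."""
    for suffix in (".**", ".*"):
        if profile.endswith(suffix):
            return profile[: -len(suffix)] + "."
    return profile


def convert_line(line, owning_acid):
    """Return (tss_command, note). tss_command is None when nothing should be
    issued; note says why, so the administrator can review it by hand."""
    line = line.strip()
    if not line or line.startswith("/*"):
        return None, ""
    m = RDEFINE_RE.match(line)
    if m:
        cls, profile = m.groups()
        return f"TSS ADD({owning_acid}) {tss_class(cls)}({tss_resource(profile)})", ""
    m = PERMIT_RE.match(line)
    if m:
        profile, cls, acid, access = m.groups()
        return (f"TSS PERMIT({acid.upper()}) {tss_class(cls)}({tss_resource(profile)}) "
                f"ACCESS({access.upper()})"), ""
    if SETROPTS_RE.match(line):
        return None, "no TSS equivalent assumed for SETROPTS (RACLIST refresh is RACF-specific)"
    return None, "not converted automatically, review manually: " + line


def convert_script(text, owning_acid="owningacid"):
    """Convert every line; anything unmapped is reported, never dropped silently,
    so no access grant is lost or invented without a human seeing it."""
    commands, notes = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        cmd, note = convert_line(raw, owning_acid)
        if cmd:
            commands.append(cmd)
        elif note:
            notes.append(f"line {number}: {note}")
    return commands, notes


# Constructed sample of the RACF commands such a script issues (not taken
# from the article; the cell, group and user names follow the article's).
SAMPLE_RACF = """\
RDEFINE SERVER CB.** UACC(NONE)
RDEFINE FACILITY BPX.WLMSERVER UACC(NONE)
PERMIT BPX.WLMSERVER CLASS(FACILITY) ID(CBCFG31) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
RDEFINE CBIND CB.BIND.B85ICELL.** UACC(NONE)
PERMIT CB.BIND.B85ICELL.** CLASS(CBIND) ID(CBCFG31) ACCESS(CONTROL)
PERMIT B85ICELL CLASS(APPL) ID(B85IU31) ACCESS(READ)
RACDCERT CERTAUTH GENCERT WITHLABEL('WebSphereCA')
"""

if __name__ == "__main__":
    tss, review = convert_script(SAMPLE_RACF)
    print("\n".join(tss))
    for item in review:
        print("REVIEW:", item)
```

Certificate and keyring commands (RACDCERT) are deliberately left for manual review: their TSS forms (GENCERT, KEYRING, RINGDATA) differ too much in structure for a line-by-line rewrite, as the script above shows. Run the converted output through a syntax check before issuing it; the unbalanced quotes and the ownginacid/ADD(( typos in the original listing are exactly the kind of slip a mechanical pass avoids.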