This article translates the RACF Kerberos definitions for z/OS in the reference document Configuring Kerberos for CICS with RACF and Microsoft Active Directory into their CA ACF2 equivalents.
Release : 16.0
Component : CA ACF2 for z/OS
Configuring Kerberos support on z/OS
The reference document implements the KDC on z/OS using the SAF registry with RACF; the CA ACF2 equivalent follows each RACF command below. The KDC must be running on the same LPAR as the CICS region(s) that will be interacting with it.
Appropriate authorities are required to issue the commands detailed below. Some of the commands may require minor modifications to reflect your installation and conventions.
Required RACF definitions for the KDC
Several RACF definitions are required for the KDC.
1. Create the SKRBKDC user that will own the KDC STARTED task, using the following command (substitute the appropriate DFLTGRP for your system):
ADDUSER SKRBKDC DFLTGRP(SYS1) NOPASSWORD OMVS(UID(0))
Note: if you are using z/OS V2R2 or later, you should use a unique non-zero UID instead, and ensure this ID is given access to the necessary directories and files.
To do this, replace UID(0) with AUTOUID in the CA ACF2 logonid record and CA ACF2 will assign a unique UID automatically.
You may remove the STC privilege from the SKRBKDC logonid record and add a GSO STC record instead:
SET CONTROL(GSO)
INSERT STC.SKRBKDC GROUP() LOGONID(SKRBKDC) STCID(SKRBKDC*)
Apply access controls to the zFS directories and files used by Kerberos.
In CA ACF2, the USS file permission bits are normally sufficient to protect the HFS/zFS components unless CA ACF2 file-level security is mandated at your installation.
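The CA ACF2 logonid record that corresponds to the RACF ADDUSER in step 1 is not shown above. The following is an added example (not taken from the reference document or from the CA ACF2 product documentation) of that logonid insert; the NAME value and GROUP(SYS1) are assumptions, GROUP(SYS1) mirroring DFLTGRP(SYS1), and the STC privilege replaces NOPASSWORD because a started-task logonid does not log on with a password. On z/OS V2R2 or later, code AUTOUID in place of UID(0) as described in the note.

```text
ACF
SET LID
INSERT SKRBKDC NAME(KERBEROS KDC STC) GROUP(SYS1) STC UID(0)
LIST SKRBKDC
END
```

The LIST command is included so that the assigned UID and the STC privilege can be verified after the insert; if you choose to control the started task through a GSO STC record instead, omit STC from the logonid and insert the STC record shown in the note above.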
2. Activate the APPL class:
SETROPTS CLASSACT(APPL) RACLIST(APPL)
SET CONTROL(GSO)
INSERT CLASMAP.APPL ENTITYLN(0) MUSID() RESOURCE(APPL) RSRCTYPE(APL)
3. Define the SKRBKDC application in the APPL class:
RDEFINE APPL SKRBKDC UACC(READ)
/* RDEFINE defines a protected resource profile in RACF */
There is no direct translation for RDEFINE in CA ACF2. CA ACF2 uses a default protection scheme that assumes every resource is already protected, so instead of defining the resource, you write a resource rule that allows access to it.
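The resource rule that gives the same effect as UACC(READ) on the SKRBKDC APPL profile, as an added example that is not from the reference document or from CA ACF2 documentation: it assumes the CLASMAP record from step 2 maps APPL to rule type APL, and it allows READ to every logonid (UID(*)), which is what a universal access of READ grants in RACF. Replace UID(*) with a narrower mask if only specific logonids should reach the KDC application.

```text
ACF
SET RESOURCE(APL)
COMPILE * STORE
 $KEY(SKRBKDC) TYPE(APL)
  UID(*) SERVICE(READ) ALLOW

END
```

After the rule is stored, the APL rules must be rebuilt in storage with the F ACF2,REBUILD(APL) operator command shown in step 4 before the change takes effect.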
4. Refresh the APPL class:
SETROPTS RACLIST(APPL) REFRESH
*** F ACF2,REBUILD(APL)
5. Activate the PTKTDATA class:
SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
< See step 6 >
6. Define a key to mask values in RACF for the SKRBKDC application:
RDEFINE PTKTDATA SKRBKDC SSIGNON(KEYMASKED(c237d18425cfe12d)) UACC(NONE)
Choose your own value for KEYMASKED here; alternatively, you could use KEYENCRYPTED instead of KEYMASKED.
SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
INSERT SKRBKDC SSKEY(c237d18425cfe12d) NOMULT-USE
Specify NOMULT-USE or MULT-USE as required for your installation; review the CA ACF2 documentation for PTKTDATA Profile Records for details.
7. Refresh the PTKTDATA class:
SETROPTS RACLIST(PTKTDATA) REFRESH
*** F ACF2,REBUILD(PTK),CLASS(P)
8. Define the IRR.RUSERMAP profile in the FACILITY class with READ access for SKRBKDC and the CICS user ID that is used for Kerberos authentication, and refresh the FACILITY class:
RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
< There is no translation for RDEFINE in CA ACF2. >
PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(SKRBKDC) ACCESS(READ)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(JT1B) ACCESS(READ)
SET RESOURCE(FAC)
RECKEY IRR ADD(RUSERMAP UID(<uid string for SKRBKDC>) SERVICE(READ) ALLOW)
RECKEY IRR ADD(RUSERMAP UID(<uid string for JT1B>) SERVICE(READ) ALLOW)
SETROPTS RACLIST(FACILITY) REFRESH
*** F ACF2,REBUILD(FAC)
9. Define the STARTED tasks for SKRBKDC and refresh the STARTED class:
RDEFINE STARTED SKRBKDC.** STDATA(USER(SKRBKDC))
RDEFINE STARTED SKRBWTR.** STDATA(USER(SKRBKDC))
There is no direct translation in CA ACF2 for the above; instead, define a GSO STC record for each of the two started tasks, assigning logonid SKRBKDC to both.
This mirrors the RDEFINE statements above.
SETROPTS RACLIST(STARTED) REFRESH
*** F ACF2,REFRESH(STC)
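The two GSO STC records that mirror the RACF STARTED profiles in step 9, as an added example that is not from the reference document or from CA ACF2 documentation. Both records assign logonid SKRBKDC; the STCID masks match any started-task name beginning with SKRBKDC or SKRBWTR, and GROUP(SYS1) is an assumption that mirrors the default group used in step 1.

```text
ACF
SET CONTROL(GSO)
INSERT STC.SKRBKDC LOGONID(SKRBKDC) GROUP(SYS1) STCID(SKRBKDC*)
INSERT STC.SKRBWTR LOGONID(SKRBKDC) GROUP(SYS1) STCID(SKRBWTR*)
LIST LIKE(STC-)
END
```

The LIST LIKE(STC-) command displays all GSO STC records so the two inserts can be verified; the records take effect only after the F ACF2,REFRESH(STC) operator command is issued.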
10. Define the KERBDFLT RACF REALM for the KDC.
The REALM must be KERBDFLT, but you must customize the value for KERBNAME to your system’s domain.
Set the password and values for ticket life (in seconds).
RDEFINE REALM KERBDFLT KERB(KERBNAME(WINMVS2C.HURSLEY.IBM.COM)
PASSWORD(long-non-obvious-password) MINTKTLFE(15) DEFTKTLFE(36000))
Note that this password can be up to 128 characters long, and due to the importance of the keys generated from this password, it should be a strong (long) password.
SET CONTROL(GSO)
INSERT REALM.KERBDFLT REALM(WINMVS2C.HURSLEY.IBM.COM) MINTKTLFE(15) DEFTKTLFE(36000) MAXTKTLFE(86400) PASSWORD(long-non-obvious-password)
It is recommended to review the CA ACF2 documentation for the REALM GSO record (REALM) before inserting this record.
11. Refresh the REALM class:
SETROPTS RACLIST(REALM) REFRESH
*** F ACF2,REFRESH(REALM)