ACF2 conversion from RACF for Kerberos support on z/OS

Article ID: 202174

Products

ACF2, ACF2 - DB2 Option, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Translate the RACF definitions for Kerberos support on z/OS into ACF2 constructs, following the reference document "Configuring Kerberos for CICS with RACF and Microsoft Active Directory".

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Configuring Kerberos support on z/OS

Implement the KDC on z/OS using the SAF registry with RACF. The KDC must run on the same LPAR as the CICS region(s) that will interact with it.
Appropriate authority is required to issue the commands detailed below. Some of the commands may need minor modifications to reflect your installation and its naming conventions.

Required RACF definitions for the KDC

There are several RACF definitions that must be created for the KDC.

   1. Create the SKRBKDC user that will own the KDC STARTED task, using the following command (substitute the appropriate DFLTGRP for your system):

      ADDUSER SKRBKDC DFLTGRP(SYS1) NOPASSWORD OMVS(UID(0)
      PROGRAM('/bin/sh') HOME('/etc/skrb/home/kdc'))

*** ACF
      SET LID
      INSERT SKRBKDC GROUP(SYS1) UID(0) OMVSPGM(/bin/sh) -
        HOME(/etc/skrb/home/kdc) STC

Note: if you are using z/OS V2R2 or later, use a unique non-zero UID instead, and ensure this ID is given access to the necessary directories and files. To do this, replace UID(0) with AUTOUID and ACF2 will assign a new UID.

You may remove the STC privilege from the logonid insert above and add a GSO STC record instead (substitute your group in GROUP(), as in the logonid insert):

*** ACF
      SET C(GSO)
      INSERT STC.SKRBKDC GROUP() LOGONID(SKRBKDC) STCID(SKRBKDC*)
*** F ACF2,REFRESH(STC)

Apply access controls to the zFS directories and files used by Kerberos as follows:

  • Ensure that the SKRBKDC user has write authority to /etc/skrb/home and /var/skrb, and their subdirectories.
  • The administrator user should own and have write access to /etc/skrb/krb5.conf. Everyone else should have read access.

Normally USS (file permission) security is sufficient for the HFS component unless ACF2 control is mandated at your installation.

   2. Activate the APPL class:

      SETROPTS CLASSACT(APPL) RACLIST(APPL)

*** ACF
      SET C(GSO)
      INSERT CLASMAP.APPL ENTITYLN(0) MUSID() RESOURCE(APPL) RSRCTYPE(APL)

   3. Define the SKRBKDC application in the APPL class:

      RDEFINE APPL SKRBKDC UACC(READ)

      (RDEFINE defines protected resources.)

There is no translation for this in CA ACF2. CA ACF2 uses a default protection scheme, which assumes that every resource is protected. This default scheme requires that rules be written to allow access to a resource, so there is no separate command to define the resource itself.

   4. Refresh the APPL class:

      SETROPTS RACLIST(APPL) REFRESH

*** F ACF2,REBUILD(APL)

   5. Activate the PTKTDATA class:

      SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

      (No separate ACF2 step; see step 6.)

   6. Define a key to mask values in RACF for the SKRBKDC application:

      RDEFINE PTKTDATA SKRBKDC UACC(NONE)
      SSIGNON(KEYMASKED(3734343237343131))

      Choose your own value for KEYMASKED here.
      Alternatively, you could use KEYENCRYPTED instead of KEYMASKED.

*** ACF
      SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
      INSERT SKRBKDC SSKEY(c237d18425cfe12d) NOMULT-USE

      Specify either NOMULT-USE or MULT-USE. As with KEYMASKED, choose your own value for SSKEY. Review the PTKTDATA Profile Records documentation for details.

   7. Refresh the PTKTDATA class:

      SETROPTS RACLIST(PTKTDATA) REFRESH

*** F ACF2,REBUILD(PTK),CLASS(P)

   8. Define the IRR.RUSERMAP profile in the FACILITY class with READ access for SKRBKDC and the CICS user ID that is used for Kerberos authentication (JT1B in this example), and refresh the FACILITY class:

      RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)

      (There is no translation for RDEFINE in CA ACF2.)

      PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(SKRBKDC) ACCESS(READ)
      PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(JT1B) ACCESS(READ)

*** ACF
      SET R(FAC)
      RECKEY IRR ADD(RUSERMAP UID(<uid string for SKRBKDC>) SERVICE(READ) ALLOW)
      RECKEY IRR ADD(RUSERMAP UID(<uid string for JT1B>) SERVICE(READ) ALLOW)

      SETROPTS RACLIST(FACILITY) REFRESH

*** F ACF2,REBUILD(FAC)

   9. Define the STARTED tasks for SKRBKDC and refresh the STARTED class:

      RDEFINE STARTED SKRBKDC.** STDATA(USER(SKRBKDC))
      RDEFINE STARTED SKRBWTR.** STDATA(USER(SKRBKDC))

There is no direct translation for the above in ACF2; however, the same result is achieved with GSO STC records: define one for each of the two started tasks and assign both to the SKRBKDC logonid. This mirrors the RDEFINE statements above.

      SETROPTS RACLIST(STARTED) REFRESH

*** F ACF2,REFRESH(STC)

   10. Define the KERBDFLT RACF REALM for the KDC.
       The REALM must be KERBDFLT, but you must customize the value for KERBNAME to your system's domain.
       Set the password and the values for ticket life (in seconds).

      RDEFINE REALM KERBDFLT KERB(KERBNAME(WINMVS2C.HURSLEY.IBM.COM)
      PASSWORD(long-non-obvious-password) MINTKTLFE(15) DEFTKTLFE(36000)
      MAXTKTLFE(86400))

      Note that this password can be up to 128 characters long, and because of the importance of the keys generated from this password, it should be a strong (long) password.

*** ACF
      SET C(GSO)
      INSERT REALM.KERBDFLT REALM(WINMVS2C.HURSLEY.IBM.COM) MINTKTLFE(15) -
        DEFTKTLFE(36000) MAXTKTLFE(86400) PASSWORD(long-non-obvious-password)

We recommend reviewing the ACF2 documentation for the REALM GSO record (REALM).

   11. Refresh the REALM class:

      SETROPTS RACLIST(REALM) REFRESH

*** F ACF2,REFRESH(REALM)
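The ACF2 side of steps 1 through 11, collected into a single TSO batch job, as an added example that is not part of this article or of the product documentation. It assumes a generic job card, SYS1 as the KDC logonid's group (the article's DFLTGRP example), placeholders <UID-SKRBKDC> and <UID-JT1B> for your installation's UID strings, the article's sample SSKEY and REALM password values (replace both with your own), a second GSO STC record (STC.SKRBWTR) added to mirror the SKRBWTR.** STARTED profile in the same pattern as the article's STC.SKRBKDC record, and an extra F ACF2,REFRESH(CLASMAP), which the article does not list but a newly inserted CLASMAP record requires before the APL rebuild. The STC privilege is omitted from the logonid because the GSO STC records assign the started tasks.

```jcl
//KRBACF2  JOB (ACCT),'ACF2 KERBEROS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*-----------------------------------------------------------------
//* Added example, not the article's own: one TSO batch job that
//* issues the ACF2 subcommands for steps 1 to 10 in order.
//* Placeholders and assumptions to replace before running:
//*   SYS1              - group for the KDC logonid (article example)
//*   <UID-SKRBKDC>     - your UID string for the SKRBKDC logonid
//*   <UID-JT1B>        - your UID string for the CICS logonid JT1B
//*   SSKEY / PASSWORD  - sample values from the article; choose your
//*                       own, and keep the REALM password long
//*   STC.SKRBWTR       - added here to mirror the second RACF STARTED
//*                       profile (SKRBWTR.**); same pattern as the
//*                       article's STC.SKRBKDC record
//* The STC privilege is left off the logonid because the GSO STC
//* records below assign the started tasks. On z/OS V2R2 or later,
//* replace UID(0) with AUTOUID as the article's note recommends.
//*-----------------------------------------------------------------
//ACF      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ACF
 SET LID
 INSERT SKRBKDC GROUP(SYS1) UID(0) OMVSPGM(/bin/sh) -
   HOME(/etc/skrb/home/kdc)
 SET C(GSO)
 INSERT STC.SKRBKDC LOGONID(SKRBKDC) STCID(SKRBKDC*) GROUP(SYS1)
 INSERT STC.SKRBWTR LOGONID(SKRBKDC) STCID(SKRBWTR*) GROUP(SYS1)
 INSERT CLASMAP.APPL ENTITYLN(0) MUSID() RESOURCE(APPL) RSRCTYPE(APL)
 INSERT REALM.KERBDFLT REALM(WINMVS2C.HURSLEY.IBM.COM) -
   MINTKTLFE(15) DEFTKTLFE(36000) MAXTKTLFE(86400) -
   PASSWORD(long-non-obvious-password)
 SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
 INSERT SKRBKDC SSKEY(c237d18425cfe12d) NOMULT-USE
 SET R(FAC)
 RECKEY IRR ADD(RUSERMAP UID(<UID-SKRBKDC>) SERVICE(READ) ALLOW)
 RECKEY IRR ADD(RUSERMAP UID(<UID-JT1B>) SERVICE(READ) ALLOW)
 END
/*
//*-----------------------------------------------------------------
//* Console (MODIFY) commands to issue after the job ends. All are
//* from the article except REFRESH(CLASMAP), which a newly inserted
//* CLASMAP record needs before REBUILD(APL):
//*   F ACF2,REFRESH(STC)
//*   F ACF2,REFRESH(CLASMAP)
//*   F ACF2,REBUILD(APL)
//*   F ACF2,REBUILD(PTK),CLASS(P)
//*   F ACF2,REBUILD(FAC)
//*   F ACF2,REFRESH(REALM)
//*-----------------------------------------------------------------
```

The MODIFY commands are deliberately kept out of SYSTSIN: they are console commands, so issue them from an operator console or from SDSF once the job has ended, in the order listed. Check SYSTSPRT for an ACF60000-series error on any INSERT or RECKEY before refreshing, because a rebuild after a failed insert leaves the old directory in place and the KDC started task will then run without the definitions it needs.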