ACF2 conversion from RACF for Kerberos support on z/OS

Article ID: 202174
Products

  • ACF2
  • ACF2 - DB2 Option
  • ACF2 - z/OS
  • ACF2 - MISC

Issue/Introduction

Translate the RACF Kerberos support on z/OS described in the reference document "Configuring Kerberos for CICS with RACF and Microsoft Active Directory" into the equivalent ACF2 constructs.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Configuring Kerberos support on z/OS

Implement the KDC on z/OS using the SAF registry with RACF. The KDC must be running on the same LPAR as the CICS region(s) that will interact with it.
Appropriate authorities are required to issue the commands detailed below. Some of the commands may require minor modifications to reflect your installation and its conventions.

Required RACF definitions for the KDC

There are several RACF definitions that must be created for the KDC.

1. Create the USER001 user that will own the KDC started task, using the following command (substitute the appropriate DFLTGRP for your system):

      ADDUSER USER001 DFLTGRP(SYS1) NOPASSWORD OMVS(UID(0) PROGRAM('/bin/sh') HOME('/etc/skrb/home/kdc'))

***  ACF
     SET LID
     INSERT USER001 GROUP(SYS1) UID(0) OMVSPGM(/bin/sh) HOME(/etc/skrb/home/kdc) STC

Note: if you are using z/OS V2R2 or later, you should use a unique non-zero UID instead, and ensure this ID is given access to the necessary directories and files. To do this, replace UID(0) with AUTOUID and ACF2 will generate a new one.

You may remove the STC privilege from the logonid insert above and add a GSO STC record instead:

***  ACF
     SET C(GSO)
     INSERT STC.USER001 GROUP() LOGONID(USER001) STCID(USER001*)

***  F ACF2,REFRESH(STC)

Apply access controls to the ZFS directories and files used by Kerberos as follows:

  • Ensure that the USER001 user has write authority to /etc/skrb/home and /var/skrb, and their subdirectories.
  • The administrator user should own and have write access to /etc/skrb/krb5.conf. Everyone else should have read access.

Normally USS (UNIX file-level) security is sufficient for the HFS component unless ACF2 control is mandated.
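The two bullets above state the file authorities the KDC user and the administrator need. The following audit script is an added example (not part of this article or of ACF2) that checks those requirements against file metadata: the KDC user must be able to write /etc/skrb/home and /var/skrb and everything beneath them, /etc/skrb/krb5.conf must be owned and writable by the administrator and readable by everyone, and nothing should be world-writable. The sample tree, the non-zero KDC UID 1234, group 1, the administrator UID 500 and the subdirectory /var/skrb/kdcdata are all constructed for the example; collect_live() reads real metadata with os.stat when run on the z/OS host.

```python
"""Audit the UNIX file authorities the Kerberos KDC needs (added example)."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

KDC_WRITE_ROOTS = ("/etc/skrb/home", "/var/skrb")   # KDC user needs write here
KRB5_CONF = "/etc/skrb/krb5.conf"                    # admin-owned, world-readable


@dataclass(frozen=True)
class FileInfo:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o750


def can_write(info: FileInfo, uid: int, gids: Set[int]) -> bool:
    """Classic POSIX owner/group/other check; UID 0 is always allowed."""
    if uid == 0:
        return True
    if info.uid == uid:
        return bool(info.mode & stat.S_IWUSR)
    if info.gid in gids:
        return bool(info.mode & stat.S_IWGRP)
    return bool(info.mode & stat.S_IWOTH)


def audit(entries: Dict[str, FileInfo], kdc_uid: int, kdc_gids: Set[int],
          admin_uid: int) -> List[str]:
    """Return a list of findings; an empty list means the tree is compliant."""
    findings: List[str] = []
    for info in entries.values():
        under_kdc_root = any(info.path == r or info.path.startswith(r + "/")
                             for r in KDC_WRITE_ROOTS)
        if under_kdc_root and not can_write(info, kdc_uid, kdc_gids):
            findings.append(f"{info.path}: KDC user {kdc_uid} lacks write authority")
        if info.mode & stat.S_IWOTH:
            findings.append(f"{info.path}: world-writable")
    conf = entries.get(KRB5_CONF)
    if conf is None:
        findings.append(f"{KRB5_CONF}: not found")
    else:
        if conf.uid != admin_uid:
            findings.append(f"{KRB5_CONF}: not owned by administrator uid {admin_uid}")
        if not conf.mode & stat.S_IWUSR:
            findings.append(f"{KRB5_CONF}: owner cannot write")
        if not conf.mode & stat.S_IROTH:
            findings.append(f"{KRB5_CONF}: not readable by everyone")
    return findings


def collect_live(paths: Iterable[str]) -> Dict[str, FileInfo]:
    """Gather real metadata with os.stat; only meaningful on the z/OS host."""
    entries: Dict[str, FileInfo] = {}
    for top in paths:
        targets = [top] if os.path.isfile(top) else [
            p for d, _, files in os.walk(top)
            for p in [d] + [os.path.join(d, f) for f in files]]
        for p in targets:
            st = os.stat(p)
            entries[p] = FileInfo(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return entries


# Constructed sample: KDC runs as hypothetical non-zero uid 1234 in group 1
# (per the V2R2 note above); the Kerberos administrator is hypothetical uid 500.
KDC_UID, KDC_GIDS, ADMIN_UID = 1234, {1}, 500

SAMPLE_BEFORE = {p: FileInfo(p, u, g, m) for p, u, g, m in [
    ("/etc/skrb/home",      KDC_UID,   1, 0o750),
    ("/etc/skrb/home/kdc",  KDC_UID,   1, 0o750),
    ("/var/skrb",           0,         1, 0o775),
    ("/var/skrb/kdcdata",   0,         1, 0o755),  # group (KDC) cannot write
    ("/etc/skrb/krb5.conf", ADMIN_UID, 1, 0o666),  # world-writable
]}

SAMPLE_AFTER = {p: FileInfo(p, u, g, m) for p, u, g, m in [
    ("/etc/skrb/home",      KDC_UID,   1, 0o750),
    ("/etc/skrb/home/kdc",  KDC_UID,   1, 0o750),
    ("/var/skrb",           0,         1, 0o775),
    ("/var/skrb/kdcdata",   0,         1, 0o775),
    ("/etc/skrb/krb5.conf", ADMIN_UID, 1, 0o644),
]}

if __name__ == "__main__":
    # On z/OS replace SAMPLE_BEFORE with collect_live(KDC_WRITE_ROOTS + (KRB5_CONF,))
    for line in audit(SAMPLE_BEFORE, KDC_UID, KDC_GIDS, ADMIN_UID) or ["no findings"]:
        print(line)
```

The checks are deliberately stricter than the bullets in one respect: a world-writable entry is reported even where the KDC user could write it, because granting write to "other" would satisfy the letter of the first bullet while defeating the point of protecting the KDC's files.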

2. Activate the APPL class:

      SETROPTS CLASSACT(APPL) RACLIST(APPL)

***  ACF
     SET C(GSO)
     INSERT CLASMAP.APPL ENTITYLN(0) MUSID() RESOURCE(APPL) RSRCTYPE(APL)

3. Define the USER001 application in the APPL class:

      RDEFINE APPL USER001 UACC(READ)

(RDEFINE defines protected resources.) There is no translation for this in CA ACF2. CA ACF2 uses a default protection scheme, which assumes that the resource is already protected; this default scheme requires that rules be written to allow access to a resource.

4. Refresh the APPL class:

      SETROPTS RACLIST(APPL) REFRESH

***  F ACF2,REBUILD(APL)

5. Activate the PTKTDATA class:

      SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)

(See step 6.)

6. Define a key to mask values in RACF for the USER001 application:

      RDEFINE PTKTDATA USER001 UACC(NONE) SSIGNON(KEYMASKED(3734343237343131))

Choose your own value for KEYMASKED here. Alternatively, you could use KEYENCRYPTED instead of KEYMASKED.

***  ACF
     SET PROFILE(PTKTDATA) DIVISION(SSIGNON)
     INSERT USER001 SSKEY(c237d18425cfe12d) NOMULT-USE

Specify either NOMULT-USE or MULT-USE. Review the PTKTDATA Profile Records documentation for details.

7. Refresh the PTKTDATA class:

      SETROPTS RACLIST(PTKTDATA) REFRESH

***  F ACF2,REBUILD(PTK),CLASS(P)

8. Define the IRR.RUSERMAP profile in the FACILITY class with READ access for USER001 and the CICS user ID that is used for Kerberos authentication (shown as XXXX below), and refresh the FACILITY class:

      RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)

(There is no translation for RDEFINE in CA ACF2.)

      PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(USER001) ACCESS(READ)
      PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(XXXX) ACCESS(READ)

***  ACF
     SET R(FAC)
     RECKEY IRR ADD(RUSERMAP UID(<uid string for USER001>) SERVICE(READ) ALLOW)
     RECKEY IRR ADD(RUSERMAP UID(<uid string for XXXX>) SERVICE(READ) ALLOW)

      SETROPTS RACLIST(FACILITY) REFRESH

***  F ACF2,REBUILD(FAC)

9. Define the STARTED tasks for USER001 and refresh the STARTED class:

      RDEFINE STARTED USER001.** STDATA(USER(USER001))
      RDEFINE STARTED SKRBWTR.** STDATA(USER(USER001))

There is no direct translation in ACF2 for the above; however, the same result can be achieved with GSO STC records that assign both started tasks to the USER001 logonid. This mirrors the RDEFINE statements above.

      SETROPTS RACLIST(STARTED) REFRESH

***  F ACF2,REFRESH(STC)

10. Define the KERBDFLT RACF REALM for the KDC. The REALM must be KERBDFLT, but you must customize the value for KERBNAME to your system's domain. Set the password and the values for ticket life (in seconds).

      RDEFINE REALM KERBDFLT KERB(KERBNAME(WINMVS2C.HURSLEY.IBM.COM) PASSWORD(long-non-obvious-password) MINTKTLFE(15) DEFTKTLFE(36000) MAXTKTLFE(86400))

Note that this password can be up to 128 characters long and, because of the importance of the keys generated from it, it should be a strong (long) password.

***  ACF
     SET C(GSO)
     INSERT REALM.KERBDFLT REALM(WINMVS2C.HURSLEY.IBM.COM) MINTKTLFE(15) DEFTKTLFE(36000) MAXTKTLFE(86400) PASSWORD(long-non-obvious-password)

Recommend reviewing the ACF2 documentation for the REALM GSO record (REALM).

11. Refresh the REALM class:

      SETROPTS RACLIST(REALM) REFRESH

***  F ACF2,REFRESH(REALM)
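Steps 6 and 10 each leave a secret for you to choose: the 16-hexadecimal-digit PassTicket key supplied to KEYMASKED (RACF) or SSKEY (ACF2), and the REALM password of up to 128 characters. The script below is an added example, not part of this article or of ACF2, that generates both from the operating system's CSPRNG and sanity-checks candidate values. It also shows why the documentation's placeholder key should not be reused: the bytes of 3734343237343131 are all ASCII digit codes (it spells "74427411"), so a key built that way has at most 10**8 possibilities instead of 2**64. The 32-character minimum for the realm password and the alphanumeric-only alphabet are assumptions made for this example, not limits stated in the procedure.

```python
"""Generate and sanity-check the PassTicket key (step 6) and REALM password
(step 10) this procedure asks you to choose (added example)."""
import re
import secrets
import string
from typing import List

HEX16 = re.compile(r"^[0-9A-Fa-f]{16}$")   # KEYMASKED / SSKEY take 8 bytes as hex
REALM_PASSWORD_MAX = 128                   # limit stated in the procedure
REALM_PASSWORD_MIN = 32                    # assumed local minimum, not from the procedure
# Alphanumeric only is an assumption made here so the value needs no quoting
# in either the RACF or the ACF2 command.
REALM_ALPHABET = string.ascii_letters + string.digits


def generate_passticket_key() -> str:
    """8 random bytes from the OS CSPRNG, rendered as 16 uppercase hex digits."""
    return secrets.token_bytes(8).hex().upper()


def check_passticket_key(key: str) -> List[str]:
    """Return problems with a candidate key; an empty list means acceptable."""
    if not HEX16.match(key):
        return ["must be exactly 16 hexadecimal digits (8 bytes)"]
    raw = bytes.fromhex(key)
    problems: List[str] = []
    if all(0x30 <= b <= 0x39 for b in raw):
        # Every byte is an ASCII digit code: the key was typed as an 8-digit
        # number, so only 10**8 of the 2**64 possible keys are reachable.
        problems.append("all 8 bytes are ASCII digit codes: at most 10**8 distinct keys")
    if len(set(raw)) == 1:
        problems.append("all bytes identical")
    return problems


def generate_realm_password(length: int = 64) -> str:
    """Random alphanumeric realm password within the assumed length bounds."""
    if not REALM_PASSWORD_MIN <= length <= REALM_PASSWORD_MAX:
        raise ValueError(f"length must be {REALM_PASSWORD_MIN}..{REALM_PASSWORD_MAX}")
    return "".join(secrets.choice(REALM_ALPHABET) for _ in range(length))


def check_realm_password(password: str) -> List[str]:
    """Return problems with a candidate realm password; empty list means acceptable."""
    problems: List[str] = []
    if len(password) > REALM_PASSWORD_MAX:
        problems.append(f"longer than {REALM_PASSWORD_MAX} characters")
    if len(password) < REALM_PASSWORD_MIN:
        problems.append(f"shorter than the assumed minimum of {REALM_PASSWORD_MIN}")
    if any(c not in REALM_ALPHABET for c in password):
        problems.append("contains characters outside the assumed alphanumeric alphabet")
    return problems


if __name__ == "__main__":
    key = generate_passticket_key()
    print(f"RACF : RDEFINE PTKTDATA USER001 UACC(NONE) SSIGNON(KEYMASKED({key}))")
    print(f"ACF2 : INSERT USER001 SSKEY({key}) NOMULT-USE")
    print("doc sample 3734343237343131 ->", check_passticket_key("3734343237343131"))
    print("realm password length:", len(generate_realm_password()))
```

Run it once per application profile and once for the realm; the generated values are printed only so they can be pasted into the commands, so run it in a session whose output is not logged, and do not store the values anywhere other than the RACF or ACF2 record itself.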