
Conversion of RACF security setup to ACF2 security setup for TKE Host Transaction Program product


Article ID: 202430


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, LDAP SERVER FOR Z/OS, PAM CLIENT FOR LINUX ON MAINFRAME, WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

How to convert the TKE Host Transaction Program (HTP) security setup from RACF commands to the equivalent ACF2 commands.

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

In each step below the RACF commands are shown first, followed by the equivalent ACF2 commands. STCuser (the started task logonid) and TKEuser (a TKE workstation user) are placeholders; substitute your own IDs.

First associate a user ID (RACF) or logonid (ACF2) with the TKE Host Transaction Program started task.
The STCuser associated with the TKE HTP must be authorized to every CSFSERV class resource
(ICSF callable service) that the HTP will use; ICSF checks CSFSERV on each call.

Create a STARTED class profile to assign a user ID to the TKE HTP STC.
SETR CLASSACT(STARTED)
SETR RACLIST(STARTED)
RDEFINE STARTED CSFTTCP.CSFTTCP STDATA(USER(STCuser))
SETROPTS RACLIST(STARTED) REFRESH

Create a logonid and then create a C(GSO) stc record to relate the logonid
to the procedure.

ACF
SET LID
INSERT STCuser STC NAME(TKE HTP STC)
SET CONTROL(GSO)
INSERT STC.TKE LOGONID(STCuser) STCID(CSFTTCP)
F ACF2,REFRESH(STC)
END

Permit the STCuser user ID to the ICSF services (CSFSERV class resources) the HTP requires.
PERMIT CSFCRC CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKIM CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKRC CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKRD CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKRR CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKRW CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKYT CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKYT2 CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFPCI CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFPKRC CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFPKRW CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFPKI CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH

ACF
SET R(CSF)
RECKEY CSFCRC ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKIM ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKRC ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKRD ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKRR ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKRW ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKYT ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFKYT2 ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFPCI ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFPKRC ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFPKRW ADD( USER(STCuser) SERVICE(READ) ALLOW)
RECKEY CSFPKI ADD( USER(STCuser) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CSF)
END

Module CSFTTKE must also be protected through the installed External Security Manager
so that only authorized users can invoke it.

This example gives the user ID or group assigned to the CSFTTCP started task READ access
to the CSFTTKE resource in the FACILITY class (ACF2 type FAC):

SETR CLASSACT(FACILITY)
SETR RACLIST(FACILITY)
RDEFINE FACILITY CSFTTKE UACC(NONE)
PERMIT CSFTTKE CLASS(FACILITY) ID(STCuser) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

ACF
SET R(FAC)
RECKEY CSFTTKE ADD( USER(STCuser) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
END

The CSFTTKE application must also be protected in the APPL class, which controls which
users (signing on from a TKE workstation) may use the application when they enter the system.

SETR CLASSACT(APPL)
SETR RACLIST(APPL)
RDEFINE APPL CSFTTKE UACC(NONE)
PERMIT CSFTTKE CLASS(APPL) ID(TKEuser) ACCESS(READ)
SETROPTS RACLIST(APPL) REFRESH

By default the APPL class maps to ACF2 resource type code SAF, so the rule would be written
under SET R(SAF). To use a dedicated type code (APP in this example) instead, add a CLASMAP
record, and optionally an INFODIR entry so the APP rules are made resident. Resident types must
be rebuilt with F ACF2,REBUILD(type) after any rule change; non-resident types are read from
the rule database at validation time and need no rebuild.

ACF
SET CONTROL(GSO)
INSERT CLASMAP.APPL RESOURCE(APPL) RSRCTYPE(APP)
CHANGE INFODIR TYPES(R-RAPP) ADD
F ACF2,REFRESH(CLASMAP)
F ACF2,REFRESH(INFODIR)
SET R(APP)
RECKEY CSFTTKE ADD( USER(TKEuser) SERVICE(READ) ALLOW)
F ACF2,REBUILD(APP)
END
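The conversion above is mechanical for the command forms the article uses (RDEFINE, PERMIT, SETR/SETROPTS), so it can be scripted and the result diffed against what was typed. The following Python converter is an added example, not Broadcom's tooling or part of the original article. It assumes the article's class-to-type mapping (CSFSERV to CSF, FACILITY to FAC, APPL to SAF unless remapped to APP via CLASMAP), assumes the GSO STC record qualifier is the procedure name (STC.CSFTTCP; the article uses STC.TKE, the qualifier is arbitrary), and only translates ACCESS(READ) and ACCESS(UPDATE), because RACF CONTROL and ALTER have no one-to-one ACF2 SERVICE keyword and are flagged for manual review rather than guessed. The RACF input is constructed from the article's own commands.

```python
import re
from collections import OrderedDict

# Class-to-type-code mapping used in the article. APPL maps to SAF unless a
# CLASMAP record remaps it (pass clasmap={"APPL": "APP"} to mirror the article).
DEFAULT_CLASMAP = {"CSFSERV": "CSF", "FACILITY": "FAC", "APPL": "SAF"}

# RACF ACCESS levels with a direct ACF2 SERVICE keyword. CONTROL and ALTER are
# deliberately absent: they are reported as warnings, never silently mapped.
ACCESS_TO_SERVICE = {"READ": "READ", "UPDATE": "UPDATE"}

PERMIT_RE = re.compile(
    r"^PERMIT\s+(?P<profile>\S+)\s+CLASS\((?P<cls>\w+)\)\s+ID\((?P<id>\w+)\)"
    r"\s+ACCESS\((?P<access>\w+)\)\s*$", re.I)
RDEFINE_RE = re.compile(r"^RDEFINE\s+(?P<cls>\w+)\s+(?P<profile>\S+)(?P<rest>.*)$", re.I)
STDATA_RE = re.compile(r"STDATA\(\s*USER\((?P<user>\w+)\)", re.I)
UACC_RE = re.compile(r"UACC\((?P<uacc>\w+)\)", re.I)


def convert(racf_lines, clasmap=None):
    """Return (acf2_lines, warnings) for a list of RACF command strings.

    Only the command forms used in the article are recognised. Anything else,
    and any PERMIT whose class or access level cannot be mapped, produces a
    warning instead of being dropped, so no control is lost silently.
    """
    clasmap = dict(DEFAULT_CLASMAP, **(clasmap or {}))
    rules = OrderedDict()   # ACF2 type code -> RECKEY lines, in input order
    gso = []                # GSO STC records derived from STARTED class profiles
    warnings = []

    for raw in racf_lines:
        line = raw.strip()
        if not line:
            continue
        m = PERMIT_RE.match(line)
        if m:
            cls = m["cls"].upper()
            if cls not in clasmap:
                warnings.append(f"no CLASMAP type code for class {cls}: {line}")
                continue
            service = ACCESS_TO_SERVICE.get(m["access"].upper())
            if service is None:
                warnings.append(f"ACCESS({m['access']}) has no direct SERVICE keyword: {line}")
                continue
            rules.setdefault(clasmap[cls], []).append(
                f"RECKEY {m['profile']} ADD(USER({m['id']}) SERVICE({service}) ALLOW)")
            continue
        m = RDEFINE_RE.match(line)
        if m:
            if m["cls"].upper() == "STARTED":
                # STARTED profile procname.jobname -> GSO STC record (assumed qualifier: procname)
                proc = m["profile"].split(".")[0]
                st = STDATA_RE.search(m["rest"])
                if st:
                    gso.append(f"INSERT STC.{proc} LOGONID({st['user']}) STCID({proc})")
                else:
                    warnings.append(f"STARTED profile without STDATA(USER): {line}")
                continue
            u = UACC_RE.search(m["rest"])
            uacc = u["uacc"].upper() if u else "NONE"
            # UACC(NONE) needs no ACF2 rule entry: with no matching entry ACF2 denies.
            if uacc != "NONE":
                warnings.append(f"UACC({uacc}) needs a manually written ACF2 rule entry: {line}")
            continue
        if re.match(r"^SETR(OPTS)?\s", line, re.I):
            continue   # class activation / RACLIST refresh is covered by the REBUILD emitted below
        warnings.append(f"unrecognised RACF command: {line}")

    out = []
    if gso:
        out += ["ACF", "SET CONTROL(GSO)", *gso, "F ACF2,REFRESH(STC)", "END"]
    for type_code, entries in rules.items():
        out += ["ACF", f"SET R({type_code})", *entries, f"F ACF2,REBUILD({type_code})", "END"]
    return out, warnings


# Constructed input: a subset of the RACF commands from the article, in article order.
ARTICLE_RACF = """
SETR CLASSACT(STARTED)
RDEFINE STARTED CSFTTCP.CSFTTCP STDATA(USER(STCuser))
PERMIT CSFCRC CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
PERMIT CSFKIM CLASS(CSFSERV) ID(STCuser) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH
RDEFINE FACILITY CSFTTKE UACC(NONE)
PERMIT CSFTTKE CLASS(FACILITY) ID(STCuser) ACCESS(READ)
RDEFINE APPL CSFTTKE UACC(NONE)
PERMIT CSFTTKE CLASS(APPL) ID(TKEuser) ACCESS(READ)
""".splitlines()

if __name__ == "__main__":
    acf2, warns = convert(ARTICLE_RACF, clasmap={"APPL": "APP"})
    print("\n".join(acf2))
    for w in warns:
        print("WARNING:", w)
```

Run it without the clasmap argument to see the APPL rule land under SET R(SAF), which is what you get if the CLASMAP record in the last step is skipped. Treat every warning as a control that still has to be written by hand; the script never invents an ACF2 entry for an access level or profile form it does not understand.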