Convert IZOI RACF to TSS
Article ID: 204927
Updated On:
Products
Issue/Introduction
Convert IZOI RACF commands to TSS commands.
RACF Commands:
SETROPTS RACLIST(STARTED) CLASSACT(STARTED)
SETROPTS CLASSACT(APPL)
SETROPTS CLASSACT(FACILITY)
SETROPTS CLASSACT(SERVER)
SETROPTS CLASSACT(EJBROLE)
SETROPTS CLASSACT(DIGTCERT)
SETROPTS CLASSACT(DIGTRING)
ADDGROUP HBOSTCGP OMVS(3701)
ADDUSER HBOSTCID DFLTGRP(HBOSTCGP) OMVS(UID(2701) HOME(/u/hbostcid)
PROGRAM(/bin/sh)) NAME('CDP UI Server Started Task USERID')
NOPASSWORD NOOIDCARD
ADDGROUP HBOUNGRP OMVS(GID(3703))
ADDUSER HBOGUEST RESTRICTED DFLTGRP(HBOUNGRP) OMVS(UID(2702))
NAME('CDPz Unauthenticated USERID') NOPASSWORD NOOIDCARD
ADDGROUP HBOUSRGP OMVS(GID(3702))
CONNECT JIS2569 GROUP(HBOUSRGP)
RDEF STARTED HBOCFGA.* UACC(NONE) STDATA(USER(HBOSTCID)
GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOCFGT.* UACC(NONE) STDATA(USER(HBOSTCID)
GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBODS.* UACC(NONE) STDATA(USER(HBOSTCID)
GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOLOGF.* UACC(NONE) STDATA(USER(HBOSTCID)
GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOSMF.* UACC(NONE) STDATA(USER(HBOSTCID)
GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEFINE SERVER BBG.ANGEL.HBOCFGA UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.ANGEL.HBOCFGA CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ)
ID(HBOSTCID)
RDEFINE APPL HBOCFGT UACC(NONE)
RDEFINE SERVER BBG.SECPFX.HBOCFGT UACC(NONE)
PERMIT BBG.SECPFX.HBOCFGT CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
RDEFINE FACILITY BBG.SYNC.HBOCFGT UACC(NONE)
PERMIT BBG.SYNC.HBOCFGT CLASS(FACILITY) ID(HBOSTCID)
ACCESS(CONTROL)
RDEFINE EJBROLE HBOCFGT.CDPUIServer.cdpUser UACC(NONE)
PERMIT HBOCFGT CLASS(APPL) ID(HBOSTCID) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOGUEST) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOUSRGP) ACCESS(READ)
PERMIT HBOCFGT.CDPUIServer.cdpUser CLASS(EJBROLE) ID(HBOUSRGP)
ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(HBOSTCID)
ACCESS(READ)
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CDPz CA Certification'))
WITHLABEL('HBOCA') TRUST NOTAFTER(DATE(2023/12/31))
RACDCERT ID (HBOSTCID) GENCERT SUBJECTSDN(CN('CDPz DEFAULT CERT'))
WITHLABEL('HBODefaultCert')
SIGNWITH(CERTAUTH LABEL('HBOCA'))
NOTAFTER(DATE(2023/12/31))
RACDCERT ADDRING(HBO.Keyring.DFLT) ID(HBOSTCID)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBODefaultCert')
RING(HBO.Keyring.DFLT) DEFAULT)
RACDCERT ID(HBOSTCID) CONNECT (LABEL('HBOCA')
RING(HBO.Keyring.DFLT) CERTAUTH)
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS RACLIST(SERVER) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
define SAF resource profiles in the
"ZMFAPLA" class for the following SAF resources:
"IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration".
RDEFINE ZMFAPLA +
(IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration) UACC(NONE) PERMIT +
IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration +
CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(CONTROL) PERMIT +
IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration +
CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)
Environment
Release : 16.0
Component : CA Top Secret for z/OS
Resolution
The convert IZOI RACF commands to TSS:
TSS CRE(HBOSTCGP) NAME('HBOSTCGP PROFILE') TYPE(PROFILE) DEPT(dept)
TSS CRE(HBOSTCG) NAME('HBOSTCGP GROUP') TYPE(GROUP) DEPT(dept)
TSS ADD(HBOSTCG) GID(3701)
TSS CRE(HBOSTCID) NAME('CDP UI Server USERID') DEPT(dept) DEPT(dept) TYPE(USER) PROTECTED
TSS ADD(HBOSTCID) GROUP(HBOSTCG) UID(2701) HOME('/u/hbostcid') OMVSPGM(/u/hbostcid)
TSS ADD(HBOSTCID) PROFILE(HBOSTCGP)
TSS CRE(HBOUNGRP) NAME('HBOUNGRP PROFILE') TYPE(PROFILE) DEPT(dept)
TSS CRE(HBOUNG) NAME('HBOUNG GROUP') TYPE(GROUP) DEPT(dept)
TSS ADD(HBOUNG) GID(3703)
TSS CRE(HBOGUEST) NAME('CDPz Unauthenticated USERID') TYPE(USER) PROFILE(HBOUNGRP) PROTECTED DEPT(dept)
TSS ADD(HBOGUEST) GROUP(HBOUNG) UID(2702)
TSS CRE(HBOUSRGP) NAME('HBOUSRGP PROFILE') TYPE(PROFILE) DEPT(dept)
TSS CRE(HBOUSRG) NAME('HBOUSRG GROUP') TYPE(GROUP) DEPT(dept)
TSS ADD(HBOUSRG) GID(3702)
TSS ADD(HBOSTCID) GROUP(HBOSTCG)
TSS ADD(HBOSTCID) PROFILE(HBOSTCGP)
TSS ADD(STC) PROCN(HBOCFGT) ACID(HBOSTCID)
TSS ADD(STC) PROCN(HBODS) ACID(HBOSTCID)
TSS ADD(STC) PROCN(HBOLOGF) ACID(HBOSTCID)
TSS ADD(STC) PROCN(HBOSMF) ACID(HBOSTCID)
TSS ADD(owningacid) SERVER(BBG)
TSS PER(HBOSTCID) SERVER(BBG) ACC(READ)
TSS ADD(owningacid) APPL(HBOCFGT)
TSS ADD(owningacid) SERVER(BBG) * Previously done above
TSS PER(HBOSTCID) SERVER(BBG.SECPFX.HBOCFGT) ACCESS(READ)
TSS ADD(owningacid) SERVER(BBG) * Previously done above
TSS ADD(owningacid) IBMFAC(BBG)
TSS PER(HBOSTCID) IBMFAC(BBG.SYNC.HBOCFGT) ACC(CONTROL)
TSS ADD(owningacid) EJBROLE(HBOCFGT.)
TSS PER(HBOSTCID) APPL(HBOCFGT)
TSS PER(HBOGUEST) APPL(HBOCFGT)
TSS PER(HBOUSRGP) APPL(HBOCFGT)
TSS PER(HBOUSRGP) EJBROLE(HBOCFGT.CDPUIServer.cdpUser)
TSS PER(HBOSTCID) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
TSS GENCERT(CERTAUTH) DIGICERT(HBOCA) LABLCERT(HBOCA) -
NADATE(12/31/23) SUBJECTN('CN="CDPz CA Certification"')
TSS ADD(CERTAUTH) DIGICERT(HBOCA) TRUST
TSS GENCERT(CERTSITE) DIGICERT(HBODEF) LABLCERT('HBODefaultCert') -
SIGNWITH(CERTAUTH,HBOCA) -
NADATE(12/31/23) SUBJECTN('CN="CDPz DEFAULT CERT"')
TSS ADD(HBOSTCID) KEYRING(HBORING) LABLRING('HBO.Keyring.DFLT')
TSS ADD(HBOSTCID) KEYRING(HBORING) RINGDATA(CERTSITE,HBODEF) -
USAGE(PERSONAL) DEFAULT
TSS ADD(HBOSTCID) KEYRING(HBORING) RINGDATA(CERTAUTH,HBOCA) -
USAGE(CERTAUTH)
* SETROPS not need in TSS since our resource classes are dynamically refreshed
TSS ADD(owningacid) ZMFAPLA(IZUDFLT.)
TSS PER(IZUADMIN) ACC(READ) -
ZMFAPLA(IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration)
TSS PER(IZUUSER) ACC(READ) -
ZMFAPLA(IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration)
TSS ADD(user_acid) PROFILE(IZUAMDIN)
Feedback
