Convert IZOI RACF to TSS
Article ID: 204927

Products

Top Secret, Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

Convert IZOI RACF commands to TSS commands.

RACF Commands:

SETROPTS RACLIST(STARTED) CLASSACT(STARTED)
SETROPTS CLASSACT(APPL)
SETROPTS CLASSACT(FACILITY)
SETROPTS CLASSACT(SERVER)
SETROPTS CLASSACT(EJBROLE)
SETROPTS CLASSACT(DIGTCERT)
SETROPTS CLASSACT(DIGTRING)
ADDGROUP HBOSTCGP OMVS(GID(3701))
ADDUSER HBOSTCID DFLTGRP(HBOSTCGP) OMVS(UID(2701) HOME(/u/hbostcid) PROGRAM(/bin/sh)) NAME('CDP UI Server Started Task USERID') NOPASSWORD NOOIDCARD
ADDGROUP HBOUNGRP OMVS(GID(3703))
ADDUSER HBOGUEST RESTRICTED DFLTGRP(HBOUNGRP) OMVS(UID(2702)) NAME('CDPz Unauthenticated USERID') NOPASSWORD NOOIDCARD

ADDGROUP HBOUSRGP OMVS(GID(3702))
CONNECT JIS2569 GROUP(HBOUSRGP)
RDEF STARTED HBOCFGA.* UACC(NONE) STDATA(USER(HBOSTCID) GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOCFGT.* UACC(NONE) STDATA(USER(HBOSTCID) GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBODS.* UACC(NONE) STDATA(USER(HBOSTCID) GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOLOGF.* UACC(NONE) STDATA(USER(HBOSTCID) GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOSMF.* UACC(NONE) STDATA(USER(HBOSTCID) GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))

RDEFINE SERVER BBG.ANGEL.HBOCFGA UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.ANGEL.HBOCFGA CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
RDEFINE APPL HBOCFGT UACC(NONE)
RDEFINE SERVER BBG.SECPFX.HBOCFGT UACC(NONE)
PERMIT BBG.SECPFX.HBOCFGT CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
RDEFINE FACILITY BBG.SYNC.HBOCFGT UACC(NONE)
PERMIT BBG.SYNC.HBOCFGT CLASS(FACILITY) ID(HBOSTCID) ACCESS(CONTROL)
RDEFINE EJBROLE HBOCFGT.CDPUIServer.cdpUser UACC(NONE)
PERMIT HBOCFGT CLASS(APPL) ID(HBOSTCID) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOGUEST) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOUSRGP) ACCESS(READ)
PERMIT HBOCFGT.CDPUIServer.cdpUser CLASS(EJBROLE) ID(HBOUSRGP) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(HBOSTCID) ACCESS(READ)
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CDPz CA Certification')) WITHLABEL('HBOCA') TRUST NOTAFTER(DATE(2023/12/31))
RACDCERT ID(HBOSTCID) GENCERT SUBJECTSDN(CN('CDPz DEFAULT CERT')) WITHLABEL('HBODefaultCert') SIGNWITH(CERTAUTH LABEL('HBOCA')) NOTAFTER(DATE(2023/12/31))
RACDCERT ADDRING(HBO.Keyring.DFLT) ID(HBOSTCID)
RACDCERT ID(HBOSTCID) CONNECT(LABEL('HBODefaultCert') RING(HBO.Keyring.DFLT) DEFAULT)
RACDCERT ID(HBOSTCID) CONNECT(LABEL('HBOCA') RING(HBO.Keyring.DFLT) CERTAUTH)
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS RACLIST(SERVER) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH

Define SAF resource profiles in the ZMFAPLA class for the following SAF resource: IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration.

RDEFINE ZMFAPLA IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration UACC(NONE)
PERMIT IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration CLASS(ZMFAPLA) ID(IZUADMIN) ACCESS(CONTROL)
PERMIT IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration CLASS(ZMFAPLA) ID(IZUUSER) ACCESS(READ)

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

The IZOI RACF commands converted to TSS:

TSS CRE(HBOSTCGP) NAME('HBOSTCGP PROFILE') TYPE(PROFILE) DEPT(dept)
TSS CRE(HBOSTCG) NAME('HBOSTCGP GROUP') TYPE(GROUP) DEPT(dept)
TSS ADD(HBOSTCG) GID(3701)

TSS CRE(HBOSTCID) NAME('CDP UI Server USERID') DEPT(dept) TYPE(USER) PROTECTED
TSS ADD(HBOSTCID) GROUP(HBOSTCG) UID(2701) HOME('/u/hbostcid') OMVSPGM('/bin/sh')
TSS ADD(HBOSTCID) PROFILE(HBOSTCGP)

TSS CRE(HBOUNGRP) NAME('HBOUNGRP PROFILE') TYPE(PROFILE) DEPT(dept)
TSS CRE(HBOUNG) NAME('HBOUNG GROUP') TYPE(GROUP) DEPT(dept)
TSS ADD(HBOUNG) GID(3703)

TSS CRE(HBOGUEST) NAME('CDPz Unauthenticated USERID') TYPE(USER) PROFILE(HBOUNGRP) PROTECTED DEPT(dept)
TSS ADD(HBOGUEST) GROUP(HBOUNG) UID(2702)

TSS CRE(HBOUSRGP) NAME('HBOUSRGP PROFILE') TYPE(PROFILE) DEPT(dept)
TSS CRE(HBOUSRG) NAME('HBOUSRG GROUP') TYPE(GROUP) DEPT(dept)
TSS ADD(HBOUSRG) GID(3702)

TSS ADD(HBOSTCID) GROUP(HBOSTCG)
TSS ADD(HBOSTCID) PROFILE(HBOSTCGP)

TSS ADD(STC) PROCN(HBOCFGT) ACID(HBOSTCID)
TSS ADD(STC) PROCN(HBODS) ACID(HBOSTCID)
TSS ADD(STC) PROCN(HBOLOGF) ACID(HBOSTCID)
TSS ADD(STC) PROCN(HBOSMF) ACID(HBOSTCID)

TSS ADD(owningacid) SERVER(BBG)
TSS PER(HBOSTCID) SERVER(BBG) ACC(READ)

TSS ADD(owningacid) APPL(HBOCFGT)
TSS ADD(owningacid) SERVER(BBG) * Previously done above
TSS PER(HBOSTCID) SERVER(BBG.SECPFX.HBOCFGT) ACCESS(READ)

TSS ADD(owningacid) SERVER(BBG) * Previously done above
TSS ADD(owningacid) IBMFAC(BBG)
TSS PER(HBOSTCID) IBMFAC(BBG.SYNC.HBOCFGT) ACC(CONTROL)

TSS ADD(owningacid) EJBROLE(HBOCFGT.)
TSS PER(HBOSTCID) APPL(HBOCFGT)
TSS PER(HBOGUEST) APPL(HBOCFGT)
TSS PER(HBOUSRGP) APPL(HBOCFGT)
TSS PER(HBOUSRGP) EJBROLE(HBOCFGT.CDPUIServer.cdpUser)

TSS PER(HBOSTCID) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)

TSS GENCERT(CERTAUTH) DIGICERT(HBOCA) LABLCERT(HBOCA) -
NADATE(12/31/23) SUBJECTN('CN="CDPz CA Certification"')
TSS ADD(CERTAUTH) DIGICERT(HBOCA) TRUST

TSS GENCERT(CERTSITE) DIGICERT(HBODEF) LABLCERT('HBODefaultCert') -
SIGNWITH(CERTAUTH,HBOCA) -
NADATE(12/31/23) SUBJECTN('CN="CDPz DEFAULT CERT"')

TSS ADD(HBOSTCID) KEYRING(HBORING) LABLRING('HBO.Keyring.DFLT')
TSS ADD(HBOSTCID) KEYRING(HBORING) RINGDATA(CERTSITE,HBODEF) -
USAGE(PERSONAL) DEFAULT
TSS ADD(HBOSTCID) KEYRING(HBORING) RINGDATA(CERTAUTH,HBOCA) -
USAGE(CERTAUTH)

* SETROPTS is not needed in TSS since the resource classes are dynamically refreshed

TSS ADD(owningacid) ZMFAPLA(IZUDFLT.)
TSS PER(IZUADMIN) ACC(READ) -
ZMFAPLA(IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration)
TSS PER(IZUUSER) ACC(READ) -
ZMFAPLA(IZUDFLT.ZOSMF.IBM_CDP.CONFIG.CDPConfiguration)

TSS ADD(user_acid) PROFILE(IZUADMIN)
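The class-by-class mapping this article applies by hand (RDEF STARTED to TSS ADD(STC) PROCN() ACID(), RACF FACILITY to TSS IBMFAC, one ownership ADD per resource prefix, PERMIT CLASS() to TSS PER, and SETROPTS dropped because TSS refreshes its classes dynamically) can be written down as a small translator. The script below is an added example; it is not part of this article and is not a Broadcom or IBM tool. The owning ACID name owningacid and the CLASS_MAP table are assumptions taken from this article's own conventions, and the RACF input list is constructed from the commands above, each joined onto a single line. It also includes the RDEF STARTED HBOCFGA.* profile from the RACF list, so the generated STC entry for HBOCFGA can be compared against the TSS list above. ADDUSER, ADDGROUP, CONNECT and RACDCERT are deliberately left to manual conversion, since TSS needs separate PROFILE and GROUP ACIDs and uses different certificate commands.

```python
"""Added example: translate RDEF/RDEFINE, PERMIT and SETROPTS commands from a
RACF list into Top Secret (TSS) commands.  Not part of the article, RACF or TSS."""
import re
from typing import List, Optional

# RACF general-resource class -> TSS resource class keyword (mapping assumed
# from the conversions shown in the article).
CLASS_MAP = {
    "SERVER": "SERVER",
    "FACILITY": "IBMFAC",
    "APPL": "APPL",
    "EJBROLE": "EJBROLE",
    "ZMFAPLA": "ZMFAPLA",
}


def operand(cmd: str, keyword: str) -> Optional[str]:
    """Return the text inside KEYWORD( ... ), honouring nested parentheses
    such as STDATA(USER(x) GROUP(y)).  Returns None if the keyword is absent."""
    m = re.search(r"\b" + keyword + r"\s*\(", cmd, re.IGNORECASE)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(cmd)):
        if cmd[i] == "(":
            depth += 1
        elif cmd[i] == ")":
            depth -= 1
            if depth == 0:
                return cmd[start:i].strip()
    raise ValueError(f"unbalanced parentheses in: {cmd}")


def racf_to_tss(cmd: str, owner: str = "owningacid") -> List[str]:
    """Map one RACF command (already on a single line) to its TSS equivalent(s)."""
    tokens = cmd.split()
    verb = tokens[0].upper()
    if verb == "SETROPTS":
        # TSS resource classes are refreshed dynamically; nothing to issue.
        return ["* SETROPTS not needed in TSS: resource classes are dynamically refreshed"]
    if verb in ("RDEF", "RDEFINE"):
        racf_class, resource = tokens[1].upper(), tokens[2].strip("()")
        if racf_class == "STARTED":
            # RDEF STARTED proc.* STDATA(USER(acid) ...) -> started-task ACID assignment
            proc = resource.split(".")[0]
            acid = operand(operand(cmd, "STDATA") or "", "USER")
            return [f"TSS ADD(STC) PROCN({proc}) ACID({acid})"]
        # Other classes: the owning ACID owns the first qualifier of the resource.
        return [f"TSS ADD({owner}) {CLASS_MAP[racf_class]}({resource.split('.')[0]})"]
    if verb == "PERMIT":
        resource = tokens[1].strip("()")
        tss_class = CLASS_MAP[operand(cmd, "CLASS").upper()]
        acid = operand(cmd, "ID")
        # RACF PERMIT defaults to READ when ACCESS() is omitted.
        access = (operand(cmd, "ACCESS") or "READ").upper()
        return [f"TSS PER({acid}) {tss_class}({resource}) ACC({access})"]
    # ADDUSER/ADDGROUP/CONNECT/RACDCERT need hand conversion: TSS uses separate
    # PROFILE and GROUP ACIDs and different certificate commands.
    raise NotImplementedError(f"no automatic mapping for: {cmd}")


def convert_batch(cmds: List[str]) -> List[str]:
    """Convert a list of commands; identical lines (e.g. repeated ownership
    ADDs or SETROPTS comments) are emitted only once, in first-seen order."""
    out: List[str] = []
    for cmd in cmds:
        for line in racf_to_tss(cmd):
            if line not in out:
                out.append(line)
    return out


# Constructed input: commands copied from the article, joined onto one line each.
RACF_COMMANDS = [
    "SETROPTS CLASSACT(SERVER)",
    "RDEF STARTED HBOCFGA.* UACC(NONE) STDATA(USER(HBOSTCID) GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))",
    "RDEFINE SERVER BBG.ANGEL.HBOCFGA UACC(NONE)",
    "RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)",
    "PERMIT BBG.ANGEL.HBOCFGA CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)",
    "RDEFINE FACILITY BBG.SYNC.HBOCFGT UACC(NONE)",
    "PERMIT BBG.SYNC.HBOCFGT CLASS(FACILITY) ID(HBOSTCID) ACCESS(CONTROL)",
    "PERMIT HBOCFGT.CDPUIServer.cdpUser CLASS(EJBROLE) ID(HBOUSRGP) ACCESS(READ)",
    "SETROPTS RACLIST(SERVER) REFRESH",
]

if __name__ == "__main__":
    for line in convert_batch(RACF_COMMANDS):
        print(line)
```

Two design points differ from the hand conversion above. The script permits each RACF resource individually (for example SERVER(BBG.ANGEL.HBOCFGA)) rather than the whole BBG prefix, which is the tighter grant; widen it only if the site's TSS ownership model requires a prefix-level PER. And because convert_batch suppresses repeated lines, the "* Previously done above" duplicates never appear, which keeps a generated TSSCMD batch free of error messages for already-existing ownership entries.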