Converting RACF Commands To Top Secret for Zowe

Article ID: 210171

Products

Top Secret

Issue/Introduction

Requesting assistance converting the following RACF commands to TSS to enable the use of web tokens for SSO on ZLUX and ZSS.

1. Allow the user that runs API ML (ZWESVUSR) to generate a PassTicket for the z/OSMF APPL ID.
 
RDEFINE PTKTDATA IZUDFLT SSIGNON(KEYMASKED(66f4f9331e095436)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.IZUDFLT.* UACC(NONE)
PERMIT IZUDFLT CL(APPL) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRRPTAUTH.IZUDFLT.* CL(PTKTDATA) ID(ZWESVUSR) ACCESS(UPDATE)
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(PTKTDATA) REFRESH
 
Check if the setup is correct:
 
RLIST PTKTDATA *
RLIST APPL *
 
 
2. Allow the user that runs API ML (ZWESVUSR) to use R_usermap (map a certificate to a z/OS identity).
 
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZOWEAD3)
SETROPTS RACLIST(FACILITY) REFRESH
 
3. Create the profiles SO.ZWETOKEN and USER.ZWETOKEN in CRYPTOZ with ACCESS(CONTROL) for user ZWESVUSR.
 
# define SO.token
RDEFINE CRYPTOZ SO.ZWETOKEN
PERMIT SO.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT SO.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# define USER.token
RDEFINE CRYPTOZ USER.ZWETOKEN
PERMIT USER.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT USER.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# activate or refresh
SETROPTS RACLIST(CRYPTOZ) CLASSACT(CRYPTOZ)
SETROPTS RACLIST(CRYPTOZ) REF

For more information, also refer to the Zowe documentation:

https://docs.zowe.org/stable/user-guide/configure-certificates-keystore.html#using-web-tokens-for-sso-on-zlux-and-zss

 

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

1. Allow the user that runs API ML (ZWESVUSR) to generate a PassTicket for the z/OSMF APPL ID.
 
RDEFINE PTKTDATA IZUDFLT SSIGNON(KEYMASKED(66f4f9331e095436)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.IZUDFLT.* UACC(NONE)
PERMIT IZUDFLT CL(APPL) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRRPTAUTH.IZUDFLT.* CL(PTKTDATA) ID(ZWESVUSR) ACCESS(UPDATE)
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(PTKTDATA) REFRESH
 
Check if the setup is correct:
 
RLIST PTKTDATA *
RLIST APPL *

Top Secret equivalents:
Issue TSS LIST(RDT) RESCLASS(PTKTDATA) to confirm whether the PTKTDATA resource class is defined to Top Secret. If it is not, the following command defines it in the RDT:

TSS ADD(RDT) RESCLASS(PTKTDATA) ACLST(ALL,UPDATE=8000,READ,NONE) MAXLEN(37)

Once the PTKTDATA resource class is defined, the Top Secret equivalents of the above are:

TSS ADD(NDT) PSTKAPPL(IZUDFLT) SESSKEY(66f4f9331e095436) SIGNMULTI 

NOTE: SIGNMULTI allows the same PassTicket to be used multiple times. This attribute is the equivalent of IBM RACF operand APPLDATA('NO REPLAY PROTECTION').

TSS ADD(dept) PTKTDATA(IRRPTAUT)     (if not already done)
TSS ADD(dept) APPL(IZUDFLT)   (if not already done)
TSS PERMIT(ZWESVUSR) APPL(IZUDFLT)
TSS PERMIT(ZWESVUSR) PTKTDATA(IRRPTAUTH.IZUDFLT.) ACCESS(UPDATE) 

TSS WHOHAS PTKTDATA(IRRPTAUTH.IZUDFLT.)
TSS WHOHAS APPL(IZUDFLT)
 
2. Allow the user that runs API ML (ZWESVUSR) to use R_usermap (map a certificate to a z/OS identity).
 
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZOWEAD3)
SETROPTS RACLIST(FACILITY) REFRESH
 
Top Secret equivalents:
TSS PERMIT(ZWESVUSR) IBMFAC(IRR.RUSERMAP) ACCESS(READ)
TSS PERMIT(ZOWEAD3) IBMFAC(IRR.RUSERMAP) ACCESS(READ)

3. Create the profiles SO.ZWETOKEN and USER.ZWETOKEN in CRYPTOZ with ACCESS(CONTROL) for user ZWESVUSR.
 
# define SO.token
RDEFINE CRYPTOZ SO.ZWETOKEN
PERMIT SO.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT SO.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# define USER.token
RDEFINE CRYPTOZ USER.ZWETOKEN
PERMIT USER.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT USER.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# activate or refresh
SETROPTS RACLIST(CRYPTOZ) CLASSACT(CRYPTOZ)
SETROPTS RACLIST(CRYPTOZ) REF

For more information, also refer to the Zowe documentation:

https://docs.zowe.org/stable/user-guide/configure-certificates-keystore.html#using-web-tokens-for-sso-on-zlux-and-zss

Top Secret equivalents:
TSS ADD(dept) CRYPTOZ(SO.ZWETOKEN)
TSS PERMIT(ZWESVUSR) CRYPTOZ(SO.ZWETOKEN) ACCESS(UPDATE)
TSS PERMIT(ZOWEAD3) CRYPTOZ(SO.ZWETOKEN) ACCESS(CONTROL)
TSS ADD(dept) CRYPTOZ(USER.ZWETOKEN)
TSS PERMIT(ZWESVUSR) CRYPTOZ(USER.ZWETOKEN) ACCESS(UPDATE)
TSS PERMIT(ZOWEAD3) CRYPTOZ(USER.ZWETOKEN) ACCESS(CONTROL)
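As an added example (not Broadcom's or Zowe's code), the following Python script applies the RACF-to-Top Secret mappings described in this article to the RACF commands above, so the same translation can be repeated for further Zowe resources. It assumes exactly what the article states: dept is a placeholder for the owning department ACID, FACILITY is addressed as IBMFAC, a RACF generic ending in .* becomes a Top Secret prefix ending in a period, and a PTKTDATA profile with SSIGNON(KEYMASKED(...)) and APPLDATA('NO REPLAY PROTECTION') becomes an NDT entry with SESSKEY and SIGNMULTI. SETROPTS and RLIST produce no output, since Top Secret has no RACLIST step and the article verifies with TSS WHOHAS. Two deliberate differences from the hand-written commands above: ACCESS is always spelled out on TSS PERMIT (the article omits ACCESS(READ) for APPL), and ownership is derived from each RDEFINE, so the PTKTDATA generic is owned as the full prefix IRRPTAUTH.IZUDFLT. rather than the shorter IRRPTAUT the article uses; the one-time RDT definition and the "if not already done" APPL ownership are left to the administrator.

```python
"""Added example: RACF -> Top Secret translator for the mappings in this article."""
import re
from typing import Dict, List

# RACF classes that Top Secret addresses under another name; the article gives
# only FACILITY -> IBMFAC. Any other class keeps its name.
CLASS_MAP = {"FACILITY": "IBMFAC"}
DEPT = "dept"  # placeholder owning department ACID, written "dept" in the article

def parse_operands(text: str) -> Dict[str, str]:
    """'KEY(value) KEY2(value2)' -> dict; a value may nest one level of parens."""
    ops: Dict[str, str] = {}
    i, n = 0, len(text)
    while i < n:
        m = re.match(r"\s*([A-Za-z]+)\(", text[i:])
        if not m:
            break
        key, j = m.group(1).upper(), i + m.end()  # j = first value character
        start, depth = j, 1
        while j < n and depth:
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            j += 1
        ops[key] = text[start:j - 1]
        i = j
    return ops

def generic_to_prefix(resource: str) -> str:
    """RACF generic 'IRRPTAUTH.IZUDFLT.*' -> Top Secret prefix 'IRRPTAUTH.IZUDFLT.'."""
    return resource.rstrip("*")

def convert_rdefine(rest: str) -> List[str]:
    cls, resource, ops_text = (rest.split(None, 2) + ["", ""])[:3]
    cls = CLASS_MAP.get(cls.upper(), cls.upper())
    ops = parse_operands(ops_text)
    if "SSIGNON" in ops:
        # PTKTDATA profile holding the PassTicket session key -> NDT entry.
        # The key is a shared secret; treat the generated command as sensitive.
        key = parse_operands(ops["SSIGNON"]).get("KEYMASKED")
        if key is None:
            raise ValueError("only SSIGNON(KEYMASKED(...)) is handled here")
        tss = f"TSS ADD(NDT) PSTKAPPL({resource}) SESSKEY({key})"
        if ops.get("APPLDATA", "").strip("'").upper() == "NO REPLAY PROTECTION":
            tss += " SIGNMULTI"  # article: SIGNMULTI == APPLDATA('NO REPLAY PROTECTION')
        return [tss]
    # Any other RDEFINE becomes ownership of the resource by the department ACID.
    return [f"TSS ADD({DEPT}) {cls}({generic_to_prefix(resource)})"]

def convert_permit(rest: str) -> List[str]:
    resource, ops_text = (rest.split(None, 1) + [""])[:2]
    ops = parse_operands(ops_text)
    cls = ops.get("CLASS") or ops.get("CL")
    if cls is None or "ID" not in ops:
        raise ValueError(f"PERMIT needs CLASS/CL and ID: {rest}")
    cls = CLASS_MAP.get(cls.upper(), cls.upper())
    access = ops.get("ACCESS", "READ").upper()  # READ is RACF's PERMIT default
    return [f"TSS PERMIT({ops['ID']}) {cls}({generic_to_prefix(resource)}) ACCESS({access})"]

def convert(line: str) -> List[str]:
    """Translate one RACF command into zero or more TSS commands."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    verb, _, rest = line.partition(" ")
    verb = verb.upper()
    if verb == "RDEFINE":
        return convert_rdefine(rest)
    if verb == "PERMIT":
        return convert_permit(rest)
    if verb in ("SETROPTS", "RLIST"):
        # No RACLIST/REFRESH step in Top Secret; the article verifies with TSS WHOHAS.
        return []
    raise ValueError(f"unhandled RACF verb: {verb}")

def convert_batch(text: str) -> List[str]:
    return [tss for line in text.splitlines() for tss in convert(line)]

# Sample input: the RACF commands from the article's three steps.
RACF_COMMANDS = """
RDEFINE PTKTDATA IZUDFLT SSIGNON(KEYMASKED(66f4f9331e095436)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.IZUDFLT.* UACC(NONE)
PERMIT IZUDFLT CL(APPL) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRRPTAUTH.IZUDFLT.* CL(PTKTDATA) ID(ZWESVUSR) ACCESS(UPDATE)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZOWEAD3)
# define SO.token
RDEFINE CRYPTOZ SO.ZWETOKEN
PERMIT SO.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT SO.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# define USER.token
RDEFINE CRYPTOZ USER.ZWETOKEN
PERMIT USER.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT USER.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
SETROPTS RACLIST(CRYPTOZ) REF
"""

if __name__ == "__main__":
    print("\n".join(convert_batch(RACF_COMMANDS)))
```

Run it directly to print the converted commands for the sample above. The session key in the sample is the article's own example value; like any PassTicket key, the generated SESSKEY line should be handled as a secret rather than left in a log or ticket.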