Requesting assistance converting the following RACF commands to Top Secret to enable the use of web tokens for SSO on ZLUX and ZSS.
Release : 16.0
Component : CA Top Secret for z/OS
1. Allow the user that runs API ML (ZWESVUSR) to generate a PassTicket for the z/OSMF APPL ID.
RDEFINE PTKTDATA IZUDFLT SSIGNON(KEYMASKED(12346789101112131415)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.IZUDFLT.* UACC(NONE)
PERMIT IZUDFLT CL(APPL) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRRPTAUTH.IZUDFLT.* CL(PTKTDATA) ID(ZWESVUSR) ACCESS(UPDATE)
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(PTKTDATA) REFRESH
Check if the setup is correct:
RLIST PTKTDATA *
RLIST APPL *
Top Secret equivalents:
Issue TSS LIST(RDT) RESCLASS(PTKTDATA) to confirm whether the PTKTDATA resource class is defined to Top Secret. If it is not, you can use the following command to define it to the RDT:
TSS ADD(RDT) RESCLASS(PTKTDATA) ACLST(ALL,UPDATE=8000,READ,NONE) MAXLEN(37)
Once the PTKTDATA resource class is defined, the Top Secret equivalents of the above are (dept is the department ACID that will own the resources):
TSS ADD(NDT) PSTKAPPL(IZUDFLT) SESSKEY(123456789101112131415) SIGNMULTI
NOTE: SIGNMULTI allows the same PassTicket to be used multiple times. This attribute is the equivalent of IBM RACF operand APPLDATA('NO REPLAY PROTECTION').
TSS ADD(dept) PTKTDATA(IRRPTAUT) (if not already done)
TSS ADD(dept) APPL(IZUDFLT) (if not already done)
TSS PERMIT(ZWESVUSR) APPL(IZUDFLT)
TSS PERMIT(ZWESVUSR) PTKTDATA(IRRPTAUTH.IZUDFLT.) ACCESS(UPDATE)
TSS WHOHAS PTKTDATA(IRRPTAUTH.IZUDFLT.)
TSS WHOHAS APPL(IZUDFLT)
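A pre-flight check for the PassTicket definition, added here as an example and not part of the article: RACF KEYMASKED and Top Secret SESSKEY both take the secured sign-on key as 16 hexadecimal digits (a 64-bit DES key), and the RACF APPLDATA('NO REPLAY PROTECTION') setting must be mirrored by SIGNMULTI on the NDT entry. The script parses a RACF RDEFINE PTKTDATA command and a TSS ADD(NDT) command, checks the key format, and reports if the application ID, key or replay-protection setting differ between the two. The sample commands and key are constructed placeholders; the regular expressions and function names are this example's own. The article's sample key values are placeholders longer than 16 digits and would be flagged by this check.

```python
import re

# Constructed sample commands for this check (placeholder key, not a real
# secret); they follow the shape of the RACF PTKTDATA profile and the Top
# Secret NDT entry shown in the article.
RACF_CMD = ("RDEFINE PTKTDATA IZUDFLT SSIGNON(KEYMASKED(0123456789ABCDEF)) "
            "APPLDATA('NO REPLAY PROTECTION') UACC(NONE)")
TSS_CMD = "TSS ADD(NDT) PSTKAPPL(IZUDFLT) SESSKEY(0123456789ABCDEF) SIGNMULTI"

# A PassTicket secured sign-on key is a 64-bit DES key written as 16 hex digits;
# RACF KEYMASKED and Top Secret SESSKEY both expect that form.
KEY_LEN = 16

# Patterns below are this example's own parsing aids, not ESM syntax.
_KEY_RE = re.compile(r"\b(?:KEYMASKED|SESSKEY)\(([^)]*)\)", re.IGNORECASE)
_APPL_RE = re.compile(r"\bPTKTDATA\s+(\S+)|\bPSTKAPPL\(([^)]*)\)", re.IGNORECASE)


def extract_key(cmd):
    """Return the key value from KEYMASKED(...) or SESSKEY(...), or None."""
    m = _KEY_RE.search(cmd)
    return m.group(1).strip() if m else None


def extract_appl(cmd):
    """Return the application ID the PassTicket definition is for, or None."""
    m = _APPL_RE.search(cmd)
    return (m.group(1) or m.group(2)).strip().upper() if m else None


def key_problems(key):
    """List the ways a key value fails the 16-hex-digit requirement."""
    if key is None:
        return ["no KEYMASKED/SESSKEY value found"]
    problems = []
    if len(key) != KEY_LEN:
        problems.append(f"key is {len(key)} characters, expected {KEY_LEN}")
    if not re.fullmatch(r"[0-9A-Fa-f]*", key):
        problems.append("key contains non-hexadecimal characters")
    return problems


def replay_protection_off(cmd):
    """True if the definition allows a PassTicket to be reused: RACF
    APPLDATA('NO REPLAY PROTECTION') or Top Secret SIGNMULTI."""
    u = cmd.upper()
    return "NO REPLAY PROTECTION" in u or re.search(r"\bSIGNMULTI\b", u) is not None


def compare(racf_cmd, tss_cmd):
    """Return a list of findings; an empty list means both keys are well formed
    and the RACF and Top Secret definitions agree."""
    findings = []
    racf_key, tss_key = extract_key(racf_cmd), extract_key(tss_cmd)
    for label, key in (("RACF", racf_key), ("TSS", tss_key)):
        findings.extend(f"{label}: {p}" for p in key_problems(key))
    if racf_key and tss_key and racf_key.upper() != tss_key.upper():
        findings.append("RACF KEYMASKED and TSS SESSKEY differ")
    if extract_appl(racf_cmd) != extract_appl(tss_cmd):
        findings.append("application ID differs between the RACF and TSS definitions")
    if replay_protection_off(racf_cmd) != replay_protection_off(tss_cmd):
        findings.append("replay protection differs: NO REPLAY PROTECTION and "
                        "SIGNMULTI must be set together or not at all")
    return findings


if __name__ == "__main__":
    for line in compare(RACF_CMD, TSS_CMD) or ["definitions agree"]:
        print(line)
```

Run it against the commands you intend to issue before converting; a non-empty findings list means the Top Secret NDT entry would not produce the same PassTicket behaviour as the RACF profile it replaces.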
2. Allow the user that runs API ML (ZWESVUSR) to use R_usermap (map a certificate to a z/OS identity).
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZOWEAD3)
SETROPTS RACLIST(FACILITY) REFRESH
Top Secret equivalents:
TSS PERMIT(ZWESVUSR) IBMFAC(IRR.RUSERMAP) ACCESS(READ)
TSS PERMIT(ZOWEAD3) IBMFAC(IRR.RUSERMAP) ACCESS(READ)
3. Create profiles SO.ZWETOKEN and USER.ZWETOKEN in CRYPTOZ with ACCESS(CONTROL) for the user (ZWESVUSR).
# define SO.token
RDEFINE CRYPTOZ SO.ZWETOKEN
PERMIT SO.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT SO.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# define USER.token
RDEFINE CRYPTOZ USER.ZWETOKEN
PERMIT USER.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT USER.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# activate or refresh
SETROPTS RACLIST(CRYPTOZ) CLASSACT(CRYPTOZ)
SETROPTS RACLIST(CRYPTOZ) REF
For more information also refer to Zowe documentation here:
https://docs.zowe.org/stable/user-guide/configure-certificates-keystore.html#using-web-tokens-for-sso-on-zlux-and-zss
Top Secret equivalents:
TSS ADD(dept) CRYPTOZ(SO.ZWETOKEN)
TSS PERMIT(ZWESVUSR) CRYPTOZ(SO.ZWETOKEN) ACCESS(UPDATE)
TSS PERMIT(ZOWEAD3) CRYPTOZ(SO.ZWETOKEN) ACCESS(CONTROL)
TSS ADD(dept) CRYPTOZ(USER.ZWETOKEN)
TSS PERMIT(ZWESVUSR) CRYPTOZ(USER.ZWETOKEN) ACCESS(UPDATE)
TSS PERMIT(ZOWEAD3) CRYPTOZ(USER.ZWETOKEN) ACCESS(CONTROL)