Conversion of RACF Commands To ACF2 for Zowe

Article ID: 210178

Products

ACF2 - z/OS

Issue/Introduction

1. Allow the user that runs API ML (ZWESVUSR) to generate a PassTicket for the z/OSMF APPL ID.
 
RDEFINE PTKTDATA IZUDFLT SSIGNON(KEYMASKED(66f4f9331e095436)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.IZUDFLT.* UACC(NONE)
PERMIT IZUDFLT CL(APPL) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRRPTAUTH.IZUDFLT.* CL(PTKTDATA) ID(ZWESVUSR) ACCESS(UPDATE)
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(PTKTDATA) REFRESH
 
Check if the setup is correct:
 
RLIST PTKTDATA *
RLIST APPL *
  
2. Allow the user that runs API ML (ZWESVUSR) to use R_usermap (map a certificate to a z/OS identity).
 
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZOWEAD3)
SETROPTS RACLIST(FACILITY) REFRESH
 
3. Create profiles SO.ZWETOKEN and USER.ZWETOKEN in class CRYPTOZ with ACCESS(CONTROL) for the user (ZWESVUSR).
 
# define SO.token
RDEFINE CRYPTOZ SO.ZWETOKEN
PERMIT SO.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT SO.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# define USER.token
RDEFINE CRYPTOZ USER.ZWETOKEN
PERMIT USER.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT USER.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# activate or refresh
SETROPTS RACLIST(CRYPTOZ) CLASSACT(CRYPTOZ)
SETROPTS RACLIST(CRYPTOZ) REF


For more information also refer to Zowe documentation here:
https://docs.zowe.org/stable/user-guide/configure-certificates-keystore.html#using-web-tokens-for-sso-on-zlux-and-zss

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Resolution

Here is the conversion of the RACF commands. Each RACF command block is followed by the equivalent ACF2 commands and comments (shown in red in the original article).

  1. Allow the user that runs API ML (ZWESVUSR) to generate a PassTicket for the z/OSMF APPL ID.

   The rules below assume that you are using ROLESETs, so the USER parameter is used.

   If your rules are written as UID rule sets, you will need to substitute the UID string of each user being referenced.

RDEFINE PTKTDATA IZUDFLT SSIGNON(KEYMASKED(66f4f9331e095436)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)

ACF
SET PROFILE(PTKTDATA) DIV(SSIGNON)
INSERT IZUDFLT SSKEY(66f4f9331e095436) MULT-USE
F ACF2,REBUILD(PTK),CLASS(P)
END

RDEFINE PTKTDATA IRRPTAUTH.IZUDFLT.* UACC(NONE)
PERMIT IZUDFLT CL(APPL) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRRPTAUTH.IZUDFLT.* CL(PTKTDATA) ID(ZWESVUSR) ACCESS(UPDATE)
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(PTKTDATA) REFRESH

ACF
SET RESOURCE(PTK)
RECKEY IRRPTAUTH ADD( IZUDFLT.- USER(ZWESVUSR) SERVICE(READ,UPDATE) ALLOW)
F ACF2,REBUILD(PTK)
END

*The default type for class APPL is SAF - you may have changed it to another type.
*Issue a SHOW CLASMAP to locate the type being used.
*For example, the entry with EXT shows the type for class APPL;
*in this example the type code would be APL. I am using the default values.
*  ********   APPL        APL    8                            EXT     3
*  ********   APPL        SAF    8                                       3

ACF
SET RESOURCE(SAF)
RECKEY IZUDFLT ADD( USER(ZWESVUSR) SERVICE(READ) ALLOW)
F ACF2,REBUILD(SAF)
END

Check if the setup is correct:
RLIST PTKTDATA *
RLIST APPL *

  2. Allow the user that runs API ML (ZWESVUSR) to use R_usermap (map a certificate to a z/OS identity).

PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZOWEAD3)
SETROPTS RACLIST(FACILITY) REFRESH

 

ACF
SET RESOURCE(FAC)
RECKEY IRR ADD( RUSERMAP USER(ZWESVUSR) SERVICE(READ) ALLOW)
RECKEY IRR ADD( RUSERMAP USER(ZOWEAD3) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
END

  3. Create profiles SO.ZWETOKEN and USER.ZWETOKEN in class CRYPTOZ with ACCESS(CONTROL) for the user (ZWESVUSR).

# define SO.token
RDEFINE CRYPTOZ SO.ZWETOKEN
PERMIT SO.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT SO.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# define USER.token
RDEFINE CRYPTOZ USER.ZWETOKEN
PERMIT USER.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT USER.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# activate or refresh
SETROPTS RACLIST(CRYPTOZ) CLASSACT(CRYPTOZ)
SETROPTS RACLIST(CRYPTOZ) REF

ACF
SET R(CRY)
RECKEY SO ADD( ZWETOKEN USER(ZWESVUSR) SERVICE(UPDATE) ALLOW)
RECKEY SO ADD( ZWETOKEN USER(ZOWEAD3) SERVICE(DELETE) ALLOW)
RECKEY USER ADD( ZWETOKEN USER(ZWESVUSR) SERVICE(UPDATE) ALLOW)
RECKEY USER ADD( ZWETOKEN USER(ZOWEAD3) SERVICE(DELETE) ALLOW)
END
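As an added example (not part of this article, of ACF2 or of Zowe), the following Python applies the conversion pattern used above to RACF PERMIT commands: the first qualifier of the profile becomes the RECKEY, the remaining qualifiers become the rule entry with the RACF `*` generic masked as `-`, and access levels map READ to READ, UPDATE to UPDATE and CONTROL to DELETE. The class-to-type table holds the article's defaults (APPL assumed to be SAF) and must be replaced with your own SHOW CLASMAP output; the function and dictionary names are the example's own.

```python
import re

# RACF class -> ACF2 resource type. These are the article's defaults; the
# type for APPL depends on your CLASMAP, so override with SHOW CLASMAP output.
DEFAULT_CLASSMAP = {"PTKTDATA": "PTK", "APPL": "SAF", "FACILITY": "FAC", "CRYPTOZ": "CRY"}

# RACF access level -> ACF2 SERVICE keyword, as applied in the article.
ACCESS_TO_SERVICE = {"READ": "READ", "UPDATE": "UPDATE", "CONTROL": "DELETE"}

_KEYWORD = re.compile(r"(\w+)\(([^)]*)\)")


def permit_to_reckey(permit, classmap=DEFAULT_CLASSMAP):
    """Translate one RACF PERMIT into (ACF2 resource type, RECKEY command).

    Raises ValueError for an unknown class or access level, so a line the
    tables do not cover is never silently turned into a rule.
    """
    tokens = permit.split()
    if len(tokens) < 2 or tokens[0].upper() != "PERMIT":
        raise ValueError(f"not a PERMIT command: {permit!r}")
    profile = tokens[1].upper()
    kw = {k.upper(): v.strip().upper() for k, v in _KEYWORD.findall(" ".join(tokens[2:]))}
    racf_class = kw.get("CLASS", kw.get("CL"))
    if racf_class not in classmap:
        raise ValueError(f"class {racf_class!r} not in type table; check SHOW CLASMAP")
    access = kw.get("ACCESS", kw.get("ACC"))
    if access not in ACCESS_TO_SERVICE:
        raise ValueError(f"no SERVICE mapping for ACCESS({access})")
    user = kw.get("ID")
    if user is None:
        raise ValueError("PERMIT has no ID() operand")
    # ACF2 keys the rule set on the first qualifier; the remaining qualifiers
    # form the rule entry, with RACF's '*' generic rewritten as the ACF2 '-' mask.
    key, _, rest = profile.partition(".")
    entry = f"{rest.replace('*', '-')} " if rest else ""
    cmd = f"RECKEY {key} ADD( {entry}USER({user}) SERVICE({ACCESS_TO_SERVICE[access]}) ALLOW)"
    return classmap[racf_class], cmd


def convert_permits(permits, classmap=DEFAULT_CLASSMAP):
    """Group converted PERMITs into one ACF ... END block per resource type."""
    by_type = {}
    for line in permits:
        rtype, cmd = permit_to_reckey(line, classmap)
        by_type.setdefault(rtype, []).append(cmd)
    out = []
    for rtype, cmds in by_type.items():
        out += ["ACF", f"SET RESOURCE({rtype})", *cmds, f"F ACF2,REBUILD({rtype})", "END"]
    return "\n".join(out)
```

The mapping is literal: for the PTKTDATA rule the article grants SERVICE(READ,UPDATE) where this produces SERVICE(UPDATE), so compare the generated rules with the article's before applying them.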