Conversion of RACF Commands To ACF2 for Zowe Web Tokens

Article ID: 210178

Products

ACF2 - z/OS ACF2 ACF2 - MISC

Issue/Introduction

This document provides a RACF-to-ACF2 command conversion for setting up web tokens in Zowe. For more information, refer to the Zowe documentation.

RACF commands for reference:

1. Allow the user that runs API ML (ZWESVUSR) to generate a PassTicket for the z/OSMF APPL ID.
 
RDEFINE PTKTDATA IZUDFLT SSIGNON(KEYMASKED(66f4f9331e095436)) APPLDATA('NO REPLAY PROTECTION') UACC(NONE)
RDEFINE PTKTDATA IRRPTAUTH.IZUDFLT.* UACC(NONE)
PERMIT IZUDFLT CL(APPL) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRRPTAUTH.IZUDFLT.* CL(PTKTDATA) ID(ZWESVUSR) ACCESS(UPDATE)
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(PTKTDATA) REFRESH
 
Check if the setup is correct:
 
RLIST PTKTDATA *
RLIST APPL *
  
2. Allow the user that runs API ML (ZWESVUSR) to use R_usermap (map a certificate to a z/OS identity).
 
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZWESVUSR)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ACCESS(READ) ID(ZOWEAD3)
SETROPTS RACLIST(FACILITY) REFRESH
 
3. Create profiles SO.ZWETOKEN and USER.ZWETOKEN in the CRYPTOZ class with ACCESS(CONTROL) for the user (ZWESVUSR).
 
# define SO.token
RDEFINE CRYPTOZ SO.ZWETOKEN
PERMIT SO.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT SO.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# define USER.token
RDEFINE CRYPTOZ USER.ZWETOKEN
PERMIT USER.ZWETOKEN ACCESS(UPDATE) CLASS(CRYPTOZ) ID(ZWESVUSR)
PERMIT USER.ZWETOKEN ACCESS(CONTROL) CLASS(CRYPTOZ) ID(ZOWEAD3)
# activate or refresh
SETROPTS RACLIST(CRYPTOZ) CLASSACT(CRYPTOZ)
SETROPTS RACLIST(CRYPTOZ) REF

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

1. Allow the user that runs API ML (ZWESVUSR) to generate a PassTicket for the z/OSMF APPL ID.

The rules below assume that you are using ROLESETs, so the USER parameter is used.
If your rules are defined as UID rule sets, you will need to specify the UID of each user being referenced.

ACF
SET PROFILE(PTKTDATA) DIV(SSIGNON)
INSERT IZUDFLT SSKEY(66f4f9331e095436) MULT-USE
F ACF2,REBUILD(PTK),CLASS(P)
END

ACF
SET RESOURCE(PTK)
RECKEY IRRPTAUTH ADD( IZUDFLT.- USER(ZWESVUSR) SERVICE(READ,UPDATE) ALLOW)
F ACF2,REBUILD(PTK)
END

* The default type for class APPL is SAF; you may have changed it to another type.
* Issue a SHOW CLASMAP to locate the type being used.
* For example, the entry with EXT shows the type for class APPL.
* In this example the type code would be APL. I am using the default values.
*  ********   APPL        APL    8                            EXT     3
*  ********   APPL        SAF    8                                       3

ACF
SET RESOURCE(SAF)
RECKEY IZUDFLT ADD( USER(ZWESVUSR) SERVICE(READ) ALLOW)
F ACF2,REBUILD(SAF)
END

2. Allow the user that runs API ML (ZWESVUSR) to use R_usermap (map a certificate to a z/OS identity).

ACF
SET RESOURCE(FAC)
RECKEY IRR ADD( RUSERMAP USER(ZWESVUSR) SERVICE(READ) ALLOW)
RECKEY IRR ADD( RUSERMAP USER(ZOWEAD3) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
END

3. Create profiles SO.ZWETOKEN and USER.ZWETOKEN in the CRYPTOZ class with ACCESS(CONTROL) for the user (ZWESVUSR).

ACF
SET R(CRY)
RECKEY SO ADD( ZWETOKEN USER(ZWESVUSR) SERVICE(UPDATE) ALLOW)
RECKEY SO ADD( ZWETOKEN USER(ZOWEAD3) SERVICE(DELETE) ALLOW)
RECKEY USER ADD( ZWETOKEN USER(ZWESVUSR) SERVICE(UPDATE) ALLOW)
RECKEY USER ADD( ZWETOKEN USER(ZOWEAD3) SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(CRY)
END
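Before starting Zowe, confirm that the rules above were stored as intended. The commands below are an added check, not part of the original article or of the Zowe or ACF2 documentation; they assume the default type codes used throughout this article (PTK for PTKTDATA, SAF for APPL, FAC for FACILITY, CRY for CRYPTOZ), so substitute your own codes if SHOW CLASMAP reports different ones.

```text
ACF
SHOW CLASMAP
SET PROFILE(PTKTDATA) DIV(SSIGNON)
LIST IZUDFLT
SET RESOURCE(PTK)
LIST IRRPTAUTH
SET RESOURCE(SAF)
LIST IZUDFLT
SET RESOURCE(FAC)
LIST IRR
SET RESOURCE(CRY)
LIST SO
LIST USER
END
```

SHOW CLASMAP confirms the type code behind each SAF class. Each LIST should display the rule set with the USER(ZWESVUSR) and USER(ZOWEAD3) entries from the corresponding INSERT or RECKEY step, with the SERVICE levels shown above; if a rule set is not found, that step was skipped or its type code differs from the default, and if the rule is present but access is still denied, check that the REBUILD for that type was issued.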