Translate Commands For OMEGAMON Enhanced 3270UI from RACF to Top Secret
Article ID: 217788

Products

Top Secret

Issue/Introduction

Is there a document showing the RACF to TSS commands for implementing OMEGAMON Enhanced 3270UI?

Resolution

In RACF, define the class name OME3270 (used by OMIITOM). One approach is to define the RACF class dynamically with the following commands:
    SETROPTS CLASSACT(CDT) RACLIST(CDT)
    RDEFINE CDT OME3270 UACC(NONE) CDTINFO( +
    CASE(UPPER) FIRST(ALPHA,NATIONAL) OTHER(ALPHA,NATIONAL,SPECIAL,NUMERIC) +
    MAXLENGTH(246) MAXLENX(246) KEYQUALIFIERS(0) +
    PROFILESALLOWED(YES) POSIT(nnn) GENERIC(ALLOWED) +
    RACLIST(REQUIRED) )
    SETROPTS RACLIST(CDT) REFRESH
    SETROPTS RACLIST(OME3270)
    SETROPTS GENERIC(OME3270)
    SETROPTS CLASSACT(OME3270)

TSS equivalents:
TSS ADD(RDT) RESCLASS(OME3270) RESCODE(nnn) MAXLEN(246) POSIT(ppp) ACLST(ALL,UPDATE=6000,READ=4000,NONE) DEFACC(READ)

Where:
‘nnn’ is a RESCODE between x’101’ and x’13F’ that is not currently in use. This makes the resource class maskable and allows up to 26 characters in the resource ownerships.
‘ppp’ is a decimal value between 19 and 56, or between 128 and 527.

Assuming that RACF is configured to deny access to undefined resources by default, you must update RACF to add the O4SRV resource used to secure near-term history (NTH):
    RDEFINE OME3270 O4SRV.** UACC(NONE)
    SETROPTS RACLIST(OME3270) REFRESH
    PERMIT O4SRV.** ID(userid/group) ACCESS(READ) CLASS(OME3270)

TSS equivalents:
TSS ADD(dept) OME3270(O4SRV.)
TSS PERMIT(acid) OME3270(O4SRV.) ACCESS(READ) 

Where:
‘dept’ is the department acid you want to own the resource
‘acid’ is the user’s acid, an attached profile, or the ALL record if all users should have access

Allow all OMEGAMON users READ access:

The enhanced 3270 user interface verifies a user's authority to log on by checking for access to an SAF resource named KOB.LOGON.
    RDEFINE OME3270 KOB.LOGON.** UACC(NONE)
    PERMIT KOB.LOGON.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
    SETROPTS RACLIST(OME3270) REFRESH
All OMEGAMON users should have READ access.

TSS equivalents:
TSS ADD(dept) OME3270(KOB.LOGON.)
TSS PERMIT(acid) OME3270(KOB.LOGON.) ACCESS(READ) 

Where:
‘dept’ is the department acid you want to own the resource
‘acid’ is the user’s acid, an attached profile, or the ALL record if all users should have access

The authority to issue query requests from the OMEGAMON enhanced 3270 user interface to a product agent is verified by checking for access to a product SAF resource, based on the specific product. These SAF resources start with:
    - KCP - OMEGAMON for CICS
    - KM5 - OMEGAMON for z/OS
    - KD5 - OMEGAMON for DB2
    - KMQ - OMEGAMON for Messaging (MQ)
    - KQI - OMEGAMON for Messaging - Integration Bus

    RDEFINE OME3270 KCP.** UACC(NONE)
    PERMIT KCP.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
    RDEFINE OME3270 KM5.** UACC(NONE)
    PERMIT KM5.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
    RDEFINE OME3270 KDP.** UACC(NONE)
    PERMIT KDP.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
    RDEFINE OME3270 KD5.** UACC(NONE)
    PERMIT KD5.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
    RDEFINE OME3270 KMQ.** UACC(NONE)
    PERMIT KMQ.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
    RDEFINE OME3270 KQI.** UACC(NONE)
    PERMIT KQI.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
    SETROPTS RACLIST(OME3270) REFRESH
Allow all OMEGAMON users READ access.

TSS equivalents:
TSS ADD(dept) OME3270(KCP.)
TSS PERMIT(acid) OME3270(KCP.) ACCESS(READ) 
TSS ADD(dept) OME3270(KM5.)
TSS PERMIT(acid) OME3270(KM5.) ACCESS(READ) 
TSS ADD(dept) OME3270(KDP.)
TSS PERMIT(acid) OME3270(KDP.) ACCESS(READ) 
TSS ADD(dept) OME3270(KD5.)
TSS PERMIT(acid) OME3270(KD5.) ACCESS(READ) 
TSS ADD(dept) OME3270(KMQ.)
TSS PERMIT(acid) OME3270(KMQ.) ACCESS(READ) 
TSS ADD(dept) OME3270(KQI.)
TSS PERMIT(acid) OME3270(KQI.) ACCESS(READ) 

Where:
‘dept’ is the department acid you want to own the resource
‘acid’ is the user’s acid, an attached profile, or the ALL record if all users should have access

In addition to the log-on and product query profiles, profiles can be created to control authorization to perform administration tasks using the enhanced 3270 user interface. These rules start with KOBUI.ADMIN:
    RDEFINE OME3270 KOBUI.ADMIN.** UACC(NONE)
    PERMIT KOBUI.ADMIN.USEHUB.** ID(userid/group) ACCESS(READ) CLASS(OME3270)
    PERMIT KOBUI.ADMIN.PREFS.AUTOUPDATE ID(userid/group) ACCESS(READ) CLASS(OME3270)
    SETROPTS RACLIST(OME3270) REFRESH
The Enterprise Automation Team will need UPDATE access to KOBUI.**. All other OMEGAMON users only need READ access to the KOBUI.ADMIN.USEHUB and KOBUI.ADMIN.PREFS.AUTOUPDATE resources.

TSS equivalents:
TSS ADD(dept) OME3270(KOBUI.ADMIN.)
TSS PERMIT(acid) OME3270(KOBUI.ADMIN.USEHUB.) ACCESS(READ)
TSS PERMIT(acid) OME3270(KOBUI.ADMIN.PREFS.AUTOUPDATE) ACCESS(READ)

Where:
‘dept’ is the department acid you want to own the resource
‘acid’ is the user’s acid, an attached profile, or the ALL record if all users should have access

PassTicket generation

Requests to either display or zap memory from the OMIITOM require a secured sign-on from the enhanced 3270UI to the OMEGAMON on z/OS monitoring agent. The enhanced 3270UI generates a PassTicket (a one-time-only password) and sends it to the OMEGAMON on z/OS monitoring agent in the data request. In this way the monitoring agent can authenticate the request as coming from the user logged on to the enhanced 3270UI.
In order for a PassTicket to be generated, the PTKTDATA security class must be activated. To activate the PTKTDATA class and SETROPTS RACLIST processing for it, run the following command:
    SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA) GENERIC(PTKTDATA)

No TSS equivalent.

By using the PassTicket key class, the security administrator can associate a RACF secured sign-on secret key with a particular mainframe application that uses RACF for user authentication. All profiles that contain PassTicket information are defined to the PTKTDATA class.

Define a profile in the PTKTDATA class for each OMEGAMON on z/OS monitoring agent that you wish to enable for memory list and/or memory zap functions. The KEYMASKED value may be any combination of 16 hex digits; in the examples below the KEYMASKED value is 0123456789ABCDEF:

    RDEFINE PTKTDATA OMIIECMS SSIGNON(KEYMASKED(0123456789ABCDEF))
    RDEFINE PTKTDATA OMIIKM3 SSIGNON(KEYMASKED(0123456789ABCDEF))
    RDEFINE PTKTDATA OMIIKMQ SSIGNON(KEYMASKED(0123456789ABCDEF))

TSS equivalents:
TSS ADD(NDT) PSTKAPPL(OMIIECMS) SESSKEY(key-descr) SIGNMULTI
TSS ADD(NDT) PSTKAPPL(OMIIKM3) SESSKEY(key-descr) SIGNMULTI
TSS ADD(NDT) PSTKAPPL(OMIIKMQ) SESSKEY(key-descr) SIGNMULTI

Where:
SESSKEY specifies a hexadecimal "password" of up to 16 characters that is unique to each application defined by a PSTKAPPL keyword. You must supply a SESSKEY with PSTKAPPL. You can specify whatever you like for the SESSKEY as long as it is not already used as the SESSKEY of another application in the NDT.

* Normally with PassTickets there are also RACF RDEFINE and PERMIT commands for a PTKTDATA resource, but they are not in the list of RACF commands above. For example:

RDEFINE PTKTDATA IRRPTAUTH.OMIIECMS.* UACC(NONE)
PERMIT IRRPTAUTH.OMIIECMS.* CL(PTKTDATA) ID(xxxxxx) ACCESS(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH
RDEFINE PTKTDATA IRRPTAUTH.OMIIKM3.* UACC(NONE)
PERMIT IRRPTAUTH.OMIIKM3.* CL(PTKTDATA) ID(xxxxxx) ACCESS(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH
RDEFINE PTKTDATA IRRPTAUTH.OMIIKMQ.* UACC(NONE)
PERMIT IRRPTAUTH.OMIIKMQ.* CL(PTKTDATA) ID(xxxxxx) ACCESS(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH

For which the TSS equivalent commands are:
TSS ADD(dept) PTKTDATA(IRRPTAUT) (if not already done)
TSS PER(acid) PTKTDATA(IRRPTAUTH.OMIIECMS.) ACCESS(UPDATE)
TSS PER(acid) PTKTDATA(IRRPTAUTH.OMIIKM3.) ACCESS(UPDATE)
TSS PER(acid) PTKTDATA(IRRPTAUTH.OMIIKMQ.) ACCESS(UPDATE)