AZFRACFX AZF configuration RACF command convert Top Secret
search cancel

AZFRACFX AZF configuration RACF command convert Top Secret

book

Article ID: 219368

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

RACF documentation provided by IBM translating RACF to Top Secret commands

 

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

//********************************************************************/

//* 5655-MA1                                                         */

//* All Rights Reserved.                                             */

//********************************************************************/

//* AZFRACFX - Initial version                                       */

//********************************************************************/

//* DESCRIPTION:                                                     */

//*   Sample RACF commands for various AZF configuration use cases.  */

//********************************************************************/

//*                                                                  */

//* MODIFICATION INSTRUCTIONS:                                       */

//*                                                                  */

//* - CHANGE ?STCUSERID? to the User ID under which AZF#IN00 runs.   */

//*                                                                  */

//* - CHANGE ?WEBUSERID? to the User ID under which AZF#IN01 runs.   */

//*                                                                  */

//* - CHANGE ?ADMINUSERID? to an security administrator User ID that */

//*   will configure STC and Factor settings via the AZFEXEC ISPF    */

//*   panel interface.                                               */

//*                                                                  */

//* - CHANGE ?PKCS11TOKEN? to the name of a PKCS#11 token to create  */

//*   and use for multiple AZF-related purposes.                     */

//*                                                                  */

//* - CHANGE ?PAGENTUSERID? to the User ID under which PAGENT runs.  */

//*                                                                  */

//* - CHANGE ?TCPIPUSERID? to the User ID under which TCPIP runs.    */

//*                                                                  */

//********************************************************************/

//*

//* Section 1 - Preparing to manage STC and factor settings using the

//*             MFADEF and FACILITY classes.

//*

//*

//* 1.1 Activate generic profile checking and command processing for

//*     the MFADEF class:

APAR #: RO94909 new RDT class was introduced MFADEF, with rescode X'15F'

//*

//*     SETROPTS GENERIC(MFADEF) GENCMD(MFADEF)

//*

//* 1.2 RACLIST and activate the MFADEF class:

//*

//*     SETROPTS RACLIST(MFADEF) CLASSACT(MFADEF)

//*

//* 1.3 Define an MFADEF profile to hold the STC settings:

//*

//*     RDEFINE MFADEF FACTOR.AZFSTC OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR.AZFSTC)

//*

//* 1.4 Define a FACILITY class profile to protect access to STC

//*     settings:

//*

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFSTC OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) IBMFAC(IRR.)

//*

//*     Allow an administrator to read and write STC settings data:

//*

//*     PERMIT IRR.RFACTOR.MFADEF.AZFSTC ACCESS(UPDATE) CLASS(FACILITY)

//*            ID(?ADMINUSERID?)

TSS PER(ADMINUSERID) IBMFAC(IRR.RFACTOR.MFADEF.AZFSTC) ACC(UPDATE)

 

 

//*

//*     Allow the web services started task AZF#IN01 to read STC

//*     settings:

//*

//*     PERMIT IRR.RFACTOR.MFADEF.AZFSTC ACCESS(READ) CLASS(FACILITY)

//*            ID(?WEBUSERID?)

TSS PER(WEBUSERID) IBMFAC(IRR.RFACTOR.MFADEF.AZFSTC) ACC(READ)

 

//*

//* 1.5 Define MFADEF profiles for all Factors you wish to use, define

//*     FACILITY class profiles to control access to settings, allow

//*     an administrator to read/write settings, and (if applicable)

//*     allow the web services started task to read settings.

//*

//*   Certificate authentication (including smart cards):

//*

//*     RDEFINE MFADEF FACTOR.AZFCERT1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFCERT1

//*             OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR.AZFCERT1)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFCERT1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID) IBMFAC(IRR.RFACTOR.MFADEF.AZFCERT1) ACC(UPDATE)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFCERT1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

//*

TSS PER(WEBUSERID) IBMFAC(IRR.RFACTOR.MFADEF.AZFCERT1) ACC(READ)

 

//*   Integration with IBM Security Access Manager pick-up OTP pattern:

//*

//*     RDEFINE MFADEF FACTOR.AZFISAM1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFISAM1

//*             OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR.AZFISAM1)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFISAM1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID) IBMFAC(IRR.RFACTOR.MFADEF.AZFISAM1) ACC(UPDATE)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFISAM1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

TSS PER(WEBUSERID) IBMFAC(IRR.RFACTOR.MFADEF.AZFISAM1) ACC(READ)

 

//*

//*   LDAP simple bind:

//*

//*     RDEFINE MFADEF FACTOR.AZFLDAP1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFLDAP1

//*             OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR. AZFLDAP1)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFLDAP1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID) IBMFAC(IRR.RFACTOR.MFADEF. AZFLDAP1) ACC(UPDATE)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFLDAP1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

TSS PER(WEBUSERID) IBMFAC(IRR.RFACTOR.MFADEF. AZFLDAP1) ACC(READ)

 

//*

//*   SAF password (out-of-band only):

//*

//*     RDEFINE MFADEF FACTOR.AZFPASS1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFPASS1

//*             OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR.AZFPASS1)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFPASS1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID) IBMFAC(IRR.RFACTOR.MFADEF. AZFPASS1) ACC(UPDATE)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFPASS1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

TSS PER(WEBUSERID) IBMFAC(IRR.RFACTOR.MFADEF. AZFPASS1) ACC(READ)

 

//*

//*   RACF PassTickets:

//*

//*     RDEFINE MFADEF FACTOR.AZFPTKT1 OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR. AZFPTKT1)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFSTC

 

//*             OWNER(?ADMINUSERID?)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFPTKT1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID) IBMFAC(IRR.RFACTOR.MFADEF. AZFPTKT1) ACC(UPDATE)

 

//*

//*   RADIUS authentication via UDP or TCP:

//*

//*     RDEFINE MFADEF FACTOR.AZFRADP1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFRADP1

//*             OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR. AZFRADP1)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFRADP1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID) IBMFAC(IRR.RFACTOR.MFADEF. AZFRADP1) ACC(UPDATE)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFRADP1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

TSS PER(WEBUSERID) IBMFAC(IRR.RFACTOR.MFADEF. AZFRADP1) ACC(READ)

//*

//*   RADIUS authentication via UDP with special handling for SafeNet

//*   servers:

//*

//*     RDEFINE MFADEF FACTOR.AZFSFNP1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFSFNP1

//*             OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR. AZFSFNP1)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFSFNP1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFSFNP1) ACC(UPDATE)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFSFNP1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

TSS PER(WEBUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFSFNP1) ACC(READ)

 

//*

//*   RSA SecurId authentication via RSA UDP protocol:

//*

//*     RDEFINE MFADEF FACTOR.AZFSIDP1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFSIDP1

//*             OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR. AZFSIDP1)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFSIDP1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFSIDP1) ACC(UPDATE)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFSIDP1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

TSS PER(WEBUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFSIDP1) ACC(READ)

 

//*

//*   RSA SecurId authentication via RADIUS UDP protocol:

//*

//*     RDEFINE MFADEF FACTOR.AZFSIDR1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFSIDR1

TSS ADD(owning_acid) MFADEF(FACTOR. AZFSIDR1)

 

//*             OWNER(?ADMINUSERID?)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFSIDR1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFSIDR1) ACC(UPDATE)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFSIDR1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

TSS PER(WEBUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFSIDR1) ACC(READ)

 

//*

//*   TOTP authentication for both IBM TouchToken and Generic clients:

//*

//*     RDEFINE MFADEF FACTOR.AZFTOTP1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFTOTP1

//*             OWNER(?ADMINUSERID?)

TSS ADD(owning_acid) MFADEF(FACTOR. AZFTOTP1)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFTOTP1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFTOTP1) ACC(UPDATE)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFTOTP1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

TSS PER(WEBUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFTOTP1) ACC(READ)

 

//*

//*   Yubikey authentication via Yubico OTP:

//*

//*     RDEFINE MFADEF FACTOR.AZFYUBI1 OWNER(?ADMINUSERID?)

//*     RDEFINE FACILITY IRR.RFACTOR.MFADEF.AZFYUBI1

TSS ADD(owning_acid) MFADEF(FACTOR. AZFYUBI1)

 

//*             OWNER(?ADMINUSERID?)

//*     PERMIT IRR.RFACTOR.MFADEF.AZFYUBI1 ACCESS(UPDATE)

//*            CLASS(FACILITY) ID(?ADMINUSERID?)

TSS PER(ADMINUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFYUBI1) ACC(UPDATE)

 

//*     PERMIT IRR.RFACTOR.MFADEF.AZFYUBI1 ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

TSS PER(WEBUSERID)  IBMFAC(IRR.RFACTOR.MFADEF. AZFYUBI1) ACC(READ)

 

//*

//* 1.6 Define a profile to protect access to user factor data, and

//*     allow the administrator and the AZF#IN01 task to read/write

//*     user factor data.

//*

//*     RDEFINE FACILITY IRR.RFACTOR.USER UACC(NONE)

//*     PERMIT IRR.RFACTOR.USER ACCESS(UPDATE) CLASS(FACILITY)

 

//*            ID(?ADMINUSERID?)

//*     PERMIT IRR.RFACTOR.USER ACCESS(UPDATE) CLASS(FACILITY)

//*            ID(?WEBUSERID?)

TSS PER(WEBUSERID)  IBMFAC(IRR.RFACTOR.USER) ACC(UPDATE)

 

//*

//* 1.7 Authorize the Web Services started task to list Key Rings in

//*     preparation for its use of AT-TLS

//*

//*     PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(?WEBUSERID?)

//*            ACCESS(READ)

//*

//* 1.8 Refresh the MFADEF and FACILITY classes

//*

//*     SETROPTS RACLIST(MFADEF) REFRESH

//*     SETROPTS RACLIST(FACILITY) REFRESH

//*

//*

//*********************************************************************

//*

//* Section 2 - Preparing AZF to use PKCS#11 for cryptography, using

//*             the CRYPTOZ and CSFSERV classes.

//*  

//*

//* 2.1 Activate the CRYPTOZ class with support for generics, and

//*     RACLIST it

//*

//*     SETROPTS CLASSACT(CRYPTOZ) GENERIC(CRYPTOZ) GENCMD(CRYPTOZ)

//*              RACLIST(CRYPTOZ)

//*

//* 2.2 Restrict access to PKCS#11 by default

//*

//*     RDEFINE CRYPTOZ SO.** UACC(NONE) OWNER(?ADMINUSERID?)

//*     RDEFINE CRYPTOZ USER.** UACC(NONE) OWNER(?ADMINUSERID?)

TSS ADD(owning_acid)  CRYPTOZ(SO)

TSS ADD(owning_acid)  CRYPTOZ(USER)

TSS ADD(owning_acid)  CRYPTOZ(CLEARKEY)

//*

//* 2.3 Create the PKCS#11 token and define profiles to protect it

//*

//*     RACDCERT ADDTOKEN(?PKCS11TOKEN?)

//*

//*     RDEFINE CRYPTOZ SO.?PKCS11TOKEN? UACC(NONE)

//*     RDEFINE CRYPTOZ USER.?PKCS11TOKEN? UACC(NONE)

//*     RDEFINE CRYPTOZ CLEARKEY.?PKCS11TOKEN? UACC(NONE)

//*

//* 2.4 Give the administrator and AZF#IN01 task authority to create

//*     PKCS#11 keys.  Allow the administrator and both started tasks

//*     to use PKCS#11 keys.

//*

//*     PERMIT SO.?PKCS11TOKEN? CLASS(CRYPTOZ) ID(?ADMINUSERID?)

//*            ACC(CONTROL)

//*     PERMIT SO.?PKCS11TOKEN? CLASS(CRYPTOZ) ID(?WEBUSERID?)

//*            ACC(CONTROL)

//*

//*     PERMIT USER.?PKCS11TOKEN? CLASS(CRYPTOZ) ID(?ADMINUSERID?)

//*            ACC(UPDATE)

//*     PERMIT USER.?PKCS11TOKEN? CLASS(CRYPTOZ) ID(?STCUSERID?)

//*            ACC(UPDATE)

//*     PERMIT USER.?PKCS11TOKEN? CLASS(CRYPTOZ) ID(?WEBUSERID?)

//*            ACC(UPDATE)

//*

//*     PERMIT CLEARKEY.?PKCS11TOKEN? CLASS(CRYPTOZ) ID(?ADMINUSERID?)

//*            ACC(READ)

//*     PERMIT CLEARKEY.?PKCS11TOKEN? CLASS(CRYPTOZ) ID(?STCUSERID?)

//*            ACC(READ)

//*

//* 2.5 Refresh the CRYPTOZ class

//*

//*     SETROPTS RACLIST(CRYPTOZ) REFRESH

//*

//* 2.6 If your environment secures access to ICSF callable services

//*     via discrete profiles, give the AZF administrator access to a

//*     variety of services used to support PKCS#11 operations.

//*  TSS ADD(owning_acid) CSFSERV (**)

//*

//*     PERMIT CSFRNG CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSF1SKD CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSF1SKE CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSF1TRC CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSF1TRL CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSFOWH CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSF1GSK CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSFIQA CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSFRNGL CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSF1HMG CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSF1GAV CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

//*     PERMIT CSF1SAV CLASS(CSFSERV) ID(?ADMINUSERID?) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSFRNG) ACC(READ)        

TSS PER(ADMINUSERID) CSFSERV (CSF1SKD) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSF1SKE) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSF1TRC) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSF1TRL) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSFOWH) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSF1GSK) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSFIQA) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSFRNGL) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSF1HMG) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSF1GAV) ACC(READ)

TSS PER(ADMINUSERID) CSFSERV (CSF1SAV) ACC(READ)

//*

//* 2.7 If your environment secures access to ICSF callable services

//*     via discrete profiles, give the AZF web services task access

//*     to services used to support PKCS#11 operations.

//*

//*     PERMIT CSFRNG CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1SKD CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1SKE CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1TRC CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1TRL CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSFOWH CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1GSK CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSFIQA CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSFRNGL CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1HMG CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1GAV CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*

TSS PER(WEBUSERID) CSFSERV (CSFRNG) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1SKD) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1SKE) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1TRC) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1TRL) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSFOWH) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1GSK) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSFIQA) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSFRNGL) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1HMG) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1GAV) ACC(READ)

 

//*     Give the PAGENT task owning User ID access to these services:

//*

//*     PERMIT CSFRNG CLASS(CSFSERV) ID(?PAGENTUSERID?) ACC(READ)

//*     PERMIT CSFIQA CLASS(CSFSERV) ID(?PAGENTUSERID?) ACC(READ)

TSS PER(PAGENTUSERID) CSFSERV (CSFRNG) ACC(READ)

TSS PER(PAGENTUSERID) CSFSERV (CSFIQA) ACC(READ)

//*

//* 2.8 If your environment runs ICSF with CHECKAUTH(YES), additional

//*     permissions must be granted.

//*

//*     PERMIT CSFDSG CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSFDSV CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1DVK CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1GKP CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSF1TRD CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*     PERMIT CSFPKI CLASS(CSFSERV) ID(?WEBUSERID?) ACC(READ)

//*

TSS PER(WEBUSERID) CSFSERV (CSFDSG) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSFDSV) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1DVK) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1GKP) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSF1TRD) ACC(READ)

TSS PER(WEBUSERID) CSFSERV (CSFPKI) ACC(READ)

 

//*     PERMIT CSFOWH CLASS(CSFSERV) ID(?STCUSERID?) ACC(READ)

//*     PERMIT CSFRNG CLASS(CSFSERV) ID(?STCUSERID?) ACC(READ)

//*     PERMIT CSFRNGL CLASS(CSFSERV) ID(?STCUSERID?) ACC(READ)

//*     PERMIT CSF1HMG CLASS(CSFSERV) ID(?STCUSERID?) ACC(READ)

//*     PERMIT CSF1SKD CLASS(CSFSERV) ID(?STCUSERID?) ACC(READ)

//*     PERMIT CSF1TRD CLASS(CSFSERV) ID(?STCUSERID?) ACC(READ)

//*     PERMIT CSF1TRL CLASS(CSFSERV) ID(?STCUSERID?) ACC(READ)

TSS PER(STCUSERID) CSFSERV (CSFOWH) ACC(READ)

TSS PER(STCUSERID) CSFSERV (CSFRNG) ACC(READ)

TSS PER(STCUSERID) CSFSERV (CSFRNGL) ACC(READ)

TSS PER(STCUSERID) CSFSERV (CSF1HMG) ACC(READ)

TSS PER(STCUSERID) CSFSERV (CSF1SKD) ACC(READ)

TSS PER(STCUSERID) CSFSERV (CSF1TRD) ACC(READ)

TSS PER(STCUSERID) CSFSERV (CSF1TRL) ACC(READ)

 

//*

//*     PERMIT CSF1SKD CLASS(CSFSERV) ID(?TCPIPUSERID?) ACC(READ)

//*     PERMIT CSF1TRD CLASS(CSFSERV) ID(?TCPIPUSERID?) ACC(READ)

TSS PER(TCPIPUSERID) CSFSERV (CSF1SKD) ACC(READ)

TSS PER(TCPIPUSERID) CSFSERV (CSF1TRD) ACC(READ)

//*

 

 

//* 2.9 Refresh the CSFSERV class

//*

//*     SETROPTS RACLIST(CSFSERV) REFRESH

//*

//*

//*********************************************************************

//*

//* Section 3 - MFADEF Policy configuration examples.

//*

//*             SETROPTS RACLIST(...) REFRESH commands are omitted.

//*

//*             For guidance on provisioning large numbers of users,

//*             relevant to multiple supported factors, see 'Chapter

//*             25. Configuring bulk provisioning users for IBM MFA.'

//*

//* 3.1 In this example, we create a policy that requires RSA SecurId

//*     (via AZFSIDP1), and

//*       - uses the example name 'SECURID'

//*       - issues Cache Token Credentials (CTCs) that are valid for

//*         up to 5 minutes

//*       - issues single-use CTCs

//*

//*     We then authorize the AZF#IN01 started task to read details of

//*     the policy, connect the policy to example User ID 'TESTUSER',

//*     and connect the User ID to the factor (AZFSIDP1) required by

//*     the policy.

//*

//*     RDEFINE MFADEF POLICY.SECURID

//*             MFPOLICY(FACTOR(AZFSIDP1) TOKENTIMEOUT(300)

//*             REUSE(N))

//*     RDEFINE FACILITY IRR.RFACTOR.POLICY.SECURID UACC(NONE)

//*             OWNER(?ADMINUSERID?)

//*     PERMIT IRR.RFACTOR.POLICY.SECURID ACCESS(READ) CLASS(FACILITY)

//*            ID(?WEBUSERID?)

TSS PER(WEBUSERID) IBMFAC(IRR.RFACTOR.POLICY.SECURID)  ACCESS(READ)

//*

//*     ALU TESTUSER MFA(ADDPOLICY(SECURID))

//*     ALU TESTUSER MFA(FACTOR(AZFSIDP1))

//*

//*     Refer to installation and customization guide 'Chapter 10.

//*     Configuring IBM MFA for RSA SecurID' for additional AZFSIDP1

//*     details.

//*

//*

//*     RDEFINE MFADEF POLICY.PASSTOTP

//*             MFPOLICY(FACTOR(AZFTOTP1 AZFPASS1) TOKENTIMEOUT(3600)

//*             REUSE(Y))

 

TSS ADD(SDT) MFPOLICY(PASSTOTP) MFACTOR(AZFTOTP1,AZFPASS1)  TOKEOUT(3600) REUSE(YES)

 

//*     RDEFINE FACILITY IRR.RFACTOR.POLICY.PASSTOTP UACC(NONE)

//*             OWNER(?ADMINUSERID?)

//*     PERMIT IRR.RFACTOR.POLICY.PASSTOTP ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

 

TSS ADD(dept) IBMFAC(IRR.)

 

TSS PERMIT(webuserid) IBMFAC(IRR.RFACTOR.POLICY.PASSTOTP) ACCESS(READ)

 

//*     ALU TESTUSER MFA(ADDPOLICY(PASSTOTP))

//*     ALU TESTUSER MFA(FACTOR(AZFPASS1))

//*     ALU TESTUSER MFA(FACTOR(AZFTOTP1) TAGS(REGSTATE:OPEN))

 

TSS ADD(TESTUSER) MFPOLICY(PASSTOTP)

TSS ADD(TESTUSER) MFACTOR(AZFPASS1) MFACTIVE(YES)

TSS ADD(TESTUSER) MFACTOR(AZFTOTP1) MFACTIVE(YES) MFADATA(REGSTATE:OPEN)

//*     RDEFINE MFADEF POLICY.PASSYUBI

//*             MFPOLICY(FACTOR(AZFYUBI1 AZFPASS1) TOKENTIMEOUT(600)

//*             REUSE(Y))

//*     RDEFINE FACILITY IRR.RFACTOR.POLICY.PASSYUBI UACC(NONE)

//*             OWNER(?ADMINUSERID?)

//*     PERMIT IRR.RFACTOR.POLICY.PASSYUBI ACCESS(READ)

//*            CLASS(FACILITY) ID(?WEBUSERID?)

 

TSS ADD(SDT) MFPOLICY(PASSYUBI) MFACTOR(AZFYUBI1,AZFPASS1)  TOKEOUT(600) REUSE(YES)

 

TSS PERMIT(WEBUSERID) IBMFAC(IRR.RFACTOR.POLICY.PASSYUBI) ACCESS(READ)

 

//*     ALU TESTUSER MFA(ADDPOLICY(PASSYUBI))

//*     ALU TESTUSER MFA(FACTOR(AZFPASS1))

//*     ALU TESTUSER MFA(FACTOR(AZFYUBI1) TAGS(REGSTATE:OPEN))

 

TSS ADD(TESTUSER) MFPOLICY(PASSYUBI)

TSS ADD(TESTUSER) MFACTOR(AZFPASS1) MFACTIVE(YES)

TSS ADD(TESTUSER) MFACTOR(AZFYUBI1) MFACTIVE(YES) MFADATA(REGSTATE:OPEN)

 

//*********************************************************************

//*

//* Section 4 - Creating an example Public Key Infrastructure using

//*             RACF, consisting of:

//*               - a new CA certificate, the root of trust for AZF

//*                 services and users

//*               - a new end-entity certificate for MFA Web Services

//*

//*    Note: This section is intended primarily for use in configuring

//*          test or proof-of-concept installations, with the goal of

//*          establishing compatibility with AZF product functions.

//*          It should not be read as security policy advice of any

//*          kind.  Production installations are encouraged, wherever

//*          applicable, to use PKI policies and procedures that have

//*          been vetted and deployed specifically by your

//*          organization.

//*

//* 4.1 These commands establish authorities to RACDCERT functions

//*     used in this section, using FACILITY class profiles.  This

//*     step can be skipped if the administrator using the RACDCERT

//*     command has the SPECIAL attribute.  Different configuration is

//*     required, using the RDATALIB class, if the

//*     IRR.RACDCERT.GRANULAR profile is defined in the FACILITY

//*     class.  Refer to 'Controlling the use of the RACDCERT command'

//*     in the RACF Security Administrator's Guide.

//*

//*     RDEFINE FACILITY IRR.DIGTCERT.ADD       UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.ADDRING   UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.CONNECT   UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.DELETE    UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.DELRING   UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.EXPORT    UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.GENCERT   UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.GENREQ    UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.LIST      UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.LISTCHAIN UACC(NONE)

//*     RDEFINE FACILITY IRR.DIGTCERT.LISTRING  UACC(NONE)

//*

//*     PERMIT IRR.DIGTCERT.ADD       CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(CONTROL)

//*     PERMIT IRR.DIGTCERT.ADDRING   CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(UPDATE)

//*     PERMIT IRR.DIGTCERT.CONNECT   CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(CONTROL)

//*     PERMIT IRR.DIGTCERT.DELETE    CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(CONTROL)

//*     PERMIT IRR.DIGTCERT.DELMAP    CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(UPDATE)

//*     PERMIT IRR.DIGTCERT.DELRING   CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(UPDATE)

//*     PERMIT IRR.DIGTCERT.EXPORT    CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(CONTROL)

//*     PERMIT IRR.DIGTCERT.GENCERT   CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(CONTROL)

//*     PERMIT IRR.DIGTCERT.GENREQ    CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(CONTROL)

//*     PERMIT IRR.DIGTCERT.LIST      CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(CONTROL)

//*     PERMIT IRR.DIGTCERT.LISTCHAIN CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(CONTROL)

//*     PERMIT IRR.DIGTCERT.LISTMAP   CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(UPDATE)

//*     PERMIT IRR.DIGTCERT.LISTRING  CLASS(FACILITY)

//*            ID(?ADMINUSERID?) ACCESS(UPDATE)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT.ADD) ACC(CONTROL)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT.ADDRING ) ACC(UPDATE)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT. CONNECT) ACC(CONTROL)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT. DELETE) ACC(CONTROL)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT. DELMAP) ACC(UPDATE)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT. DELRING) ACC(UPDATE)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT. EXPORT) ACC(CONTROL)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT. GENCERT) ACC(CONTROL)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT. GENREQ) ACC(CONTROL)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT.LIST)  ACC(CONTROL)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT. LISTCHAIN) ACC(CONTROL)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT. LISTMAP) ACC(UPDATE)

TSS PER(ADMINUSERID) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)

//*

//*     SETROPTS RACLIST(FACILITY) REFRESH

//*

//* 4.2 This commands creates a new CA certificate (and private key)

//*     and adds it to the CERTAUTH store.  Replace ?CA-yyyy-mm-dd?

//*     with the desired expiration date of the CA certificate.

//*

//*     RACDCERT GENCERT CERTAUTH

//*              SUBJECTSDN( CN('AZF Example CA') )

//*              SIZE(2048)

//*              NOTAFTER( DATE(?CA-yyyy-mm-dd?) )

//*              WITHLABEL('AZFCA')

//*              SIGNWITH( CERTAUTH LABEL('AZFCA') )

//*              KEYUSAGE( CERTSIGN )

TSS equivalent

TSS GENCERT(CERTAUTH) DIGICERT(AZFCA) -

   SUBJECTN('CN="AZF Example CA" C="US"') -

   NADATE(nn/nn/nn) -

   LABLCERT('AZFCA')

   SIGNWITH(CERTAUTH,AZFCA)

   KEYUSAGE(CERTSIGN)

//*

//* 4.3 This command creates a new end-entity certificate (and private

//*     key) for use as the AZF web services (AZF#IN01) server

//*     identity.

//*

//*     Replace ?WEB-yyyy-mm-dd? with the desired expiration date of

//*     the AZF Web Services certificate.  This date should be before

//*     the expiration of the CA certificate.

//*

//*     The ALTNAME section is important to enable browser users and

//*     iOS device users.  Replace ?numeric-ip-address? with the IPV4

//*     address (if any) users may specify when contacting AZF web

//*     services.  If users may specify more than one IP address to

//*     contact the AZF server, or you wish to use this certificate on

//*     multiple AZF hosts, add additional IP clauses to the ALTNAME

//*     section.  Replace ?dns-name?  with the DNS host name users

//*     will specify when contacting AZF web services.  If users

//*     specify a variety of DNS hostnames when connecting to the web

//*     services host (including shortened names that assume a DNS

//*     suffix, e.g. 'myhost' instead of 'myhost.myorganization.com'),

//*     add additional DOMAIN clauses to the ALTNAME section to

//*     account for those names.

//*

//*     RACDCERT GENCERT ID(?WEBUSERID?)

//*              SUBJECTSDN( CN('AZF Web Services') )

//*              SIZE(2048)

//*              NOTAFTER( DATE(?CA-yyyy-mm-dd?) )

//*              WITHLABEL('AZFWEB')

//*              SIGNWITH( CERTAUTH LABEL('AZFCA') )

//*              KEYUSAGE( HANDSHAKE KEYAGREE )

//*              ALTNAME(

TSS equivalent

 TSS GENCERT(WEBUSERID) DIGICERT(AZFWEB)

 SUBJECTN('CN="'AZF Web Services “')

KEYSIZE(2048)

LABLCERT('AZFWEB')

 SIGNWITH( CERTAUTH,

KEYUSAGE( HANDSHAKE KEYAGREE )

NOTAFTER(XX/XX/XXXX)

ALTNAME(xxxx)

 

 Where 'certname' is the name you want to give to the digital certificate (1-8

 characters).

//*                IP(?numeric-ip-address?)

//*                DOMAIN('?numeric-ip-address?')

//*                DOMAIN('?dns-name?')

//*              )

//*

//*

//******************************* END *********************************

 

Powered by Wolken Software