ACF2 setup for configuring z/OS Connect EE client certificate authentication

Article ID: 234754

Products

ACF2 - z/OS

Issue/Introduction

Translate the RACF definitions to ACF2 for configuring z/OS Connect EE client certificate authentication.

Environment

Release: 16.0

Resolution

The RACF commands are listed below; each is followed by its ACF2 equivalent, marked with a leading asterisk (*):

1. Activate the RACF DIGTNMAP class to allow certificate name filters to be created or changed.

SETROPTS CLASSACT(DIGTNMAP) RACLIST(DIGTNMAP)

*There is no ACF2 equivalent as CERTMAP records are active by default

2. Map the TLS client certificate to a RACF user ID.

RACDCERT MAP ID(EMPLOY1) SDNFILTER('CN=myClient.host.com.O=IBM.C=US') WITHLABEL('ClientCertEMPLOY1')

*SET CONTROL(GSO)

*INSERT CERTMAP.EMPLOY1 SDNFILTR(CN=myClient.host.com.O=IBM.C=US) USER(EMPLOY1) LABEL(ClientCertEMPLOY1)

3. Refresh the DIGTNMAP RACF class.

SETROPTS RACLIST(DIGTNMAP) REFRESH

*F ACF2,REFRESH(CERTMAP)

4. Server.xml changes

5. Assign the mapped user ID to the zosConnectAccess role.

   a. Define the SAF EJBROLE profile.

   RDEFINE EJBROLE profilePrefix.zos.connect.access.roles.zosConnectAccess UACC(NONE)

   *Not required with ACF2

   b. Activate the EJBROLE class.

   SETROPTS CLASSACT(EJBROLE)

   *Issue the SHOW CLASMAP command; by default the EJBROLE resource class is mapped to type code EJB

   c. Assign READ access to this profile to the user IDs and groups that require authority to access z/OS Connect EE.

   PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(STAFF) ACCESS(READ)

   PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(EMPLOY1) ACCESS(READ)

   *SET RESOURCE(EJB)
   *RECKEY profilePrefix ADD(zos.connect.access.roles.zosConnectAccess UID(UID string for STAFF) SERVICE(READ) ALLOW)
   *RECKEY profilePrefix ADD(zos.connect.access.roles.zosConnectAccess UID(UID string for EMPLOY1) SERVICE(READ) ALLOW)

   d. Refresh the EJBROLE class.

   SETROPTS RACLIST(EJBROLE) REFRESH

   *F ACF2,REBUILD(EJB)

   e. Ensure the user IDs and groups have also been granted READ access to the profilePrefix profile in the APPL class.

   PERMIT profilePrefix CLASS(APPL) ACCESS(READ) ID(EMPLOY1)

   *Issue the SHOW CLASMAP command first and verify which type code the APPL resource class is mapped to; in this example it is mapped to APL
   *SET RESOURCE(APL)
   *RECKEY profilePrefix ADD(UID(UID string for EMPLOY1) SERVICE(READ) ALLOW)
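The translation table above, written out as a small script so the mapping can be checked and reused for other user IDs and profile prefixes. This is an added example, not Broadcom or IBM code; it handles only the RACF command forms that appear in this article (SETROPTS, RACDCERT MAP, RDEFINE, PERMIT). Two things in it are assumptions that must be confirmed on the target system: the CLASMAP table (EJBROLE to EJB and APPL to APL, as in the article, but SHOW CLASMAP decides) and the UID strings of the permitted users and groups, which come from the site's ACF2 UID definition and are left as the article's placeholder when not supplied.

```python
"""RACF-to-ACF2 command translator for the commands in this article.

Added example, not Broadcom's or IBM's code. It covers only the RACF command
forms shown above (SETROPTS, RACDCERT MAP, RDEFINE, PERMIT) and emits the
ACF2 equivalents the article lists. Site-specific values are assumptions:
the CLASMAP table must be verified with SHOW CLASMAP, and UID strings must be
taken from the site's ACF2 UID definition.
"""
import re
from typing import Dict, List, Tuple

# Assumed CLASMAP: RACF resource class -> ACF2 type code (verify with SHOW CLASMAP).
CLASMAP: Dict[str, str] = {"EJBROLE": "EJB", "APPL": "APL"}

# Site-specific UID strings for permitted users/groups; left empty here so the
# output keeps the article's "UID string for <ID>" placeholder.
UID_STRINGS: Dict[str, str] = {}

# A keyword operand KEYWORD(value) or a bare positional word (verb, class, profile name).
OPERAND_RE = re.compile(r"([A-Za-z]+)\(([^()]*)\)|([^\s()]+)")


def parse_racf(command: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a RACF command into positional words and KEYWORD(value) operands."""
    positional: List[str] = []
    keywords: Dict[str, str] = {}
    for key, value, bare in OPERAND_RE.findall(command):
        if key:
            # RACF quotes DN filters and labels; ACF2 operands are unquoted.
            keywords[key.upper()] = value.strip().strip("'")
        else:
            positional.append(bare)
    return positional, keywords


def translate(command: str) -> List[str]:
    """Return the ACF2 command lines equivalent to one RACF command."""
    positional, kw = parse_racf(command)
    verb = positional[0].upper()
    words = {p.upper() for p in positional[1:]}

    if verb == "SETROPTS":
        racf_class = kw.get("RACLIST") or kw.get("CLASSACT")
        if "REFRESH" in words:
            if racf_class == "DIGTNMAP":
                return ["F ACF2,REFRESH(CERTMAP)"]  # reload CERTMAP GSO records
            return [f"F ACF2,REBUILD({CLASMAP[racf_class]})"]  # rebuild resident rules
        if racf_class == "DIGTNMAP":
            return ["* no ACF2 equivalent: CERTMAP records are active by default"]
        return ["SHOW CLASMAP",
                f"* confirm {racf_class} is mapped to type code {CLASMAP[racf_class]}"]

    if verb == "RACDCERT" and "MAP" in words:
        user = kw["ID"]
        return ["SET CONTROL(GSO)",
                f"INSERT CERTMAP.{user} SDNFILTR({kw['SDNFILTER']}) "
                f"USER({user}) LABEL({kw['WITHLABEL']})"]

    if verb == "RDEFINE":
        return ["* not required with ACF2: the RECKEY for the PERMIT creates the rule"]

    if verb == "PERMIT":
        # ACF2 resource rules use the first qualifier as $KEY; the rest names the resource.
        key, _, resource = positional[1].partition(".")
        uid = UID_STRINGS.get(kw["ID"], f"UID string for {kw['ID']}")
        entry = f"{resource} " if resource else ""
        return [f"SET RESOURCE({CLASMAP[kw['CLASS']]})",
                f"RECKEY {key} ADD({entry}UID({uid}) SERVICE({kw['ACCESS']}) ALLOW)"]

    raise ValueError(f"unsupported RACF command: {command}")


def translate_script(commands: List[str]) -> List[str]:
    """Translate a sequence of RACF commands, keeping each RACF line as a comment."""
    out: List[str] = []
    for cmd in commands:
        out.append(f"* RACF: {cmd}")
        out.extend(translate(cmd))
    return out


if __name__ == "__main__":
    # The article's RACF commands, in order.
    article = [
        "SETROPTS CLASSACT(DIGTNMAP) RACLIST(DIGTNMAP)",
        "RACDCERT MAP ID(EMPLOY1) SDNFILTER('CN=myClient.host.com.O=IBM.C=US') "
        "WITHLABEL('ClientCertEMPLOY1')",
        "SETROPTS RACLIST(DIGTNMAP) REFRESH",
        "RDEFINE EJBROLE profilePrefix.zos.connect.access.roles.zosConnectAccess UACC(NONE)",
        "SETROPTS CLASSACT(EJBROLE)",
        "PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(STAFF) ACCESS(READ)",
        "PERMIT profilePrefix.zos.connect.access.roles.zosConnectAccess CLASS(EJBROLE) ID(EMPLOY1) ACCESS(READ)",
        "SETROPTS RACLIST(EJBROLE) REFRESH",
        "PERMIT profilePrefix CLASS(APPL) ACCESS(READ) ID(EMPLOY1)",
    ]
    print("\n".join(translate_script(article)))
```

Run it as-is to print the article's translation; to use it for another system, change CLASMAP to what SHOW CLASMAP reports and populate UID_STRINGS before generating RECKEY lines, since an ACF2 rule entry with the wrong UID mask grants access to the wrong logonids.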