search cancel

Preparing to run IP security (IPSEC) in ACF2 environment

book

Article ID: 243324

calendar_today

Updated On:

Products

ACF2 - z/OS ACF2 ACF2 - MISC

Issue/Introduction

The following article translates the sample RACF commands given in IBM's Steps for Preparing to run IP security into the equivalent ACF2 commands. Note that only steps 3-5 are documented in this article as these are the only steps containing RACF commands. The remainder of the steps can be found in the IBM documentation here: https://www.ibm.com/docs/en/zos/2.4.0?topic=guide-steps-preparing-run-ip-security

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

Step 3: Steps for authorizing the IKE daemon

  1. Add user ID IKED, and add IKED to the STARTED class.

    • If IKED is defined using UID 0:

      ADDUSER  IKED     DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0)  HOME('/'))
      RDEFINE  STARTED  IKED.*            STDATA(USER(IKED))
      PERMIT   BPX.DAEMON CLASS(FACILITY) ID(IKED)     ACCESS(READ)
      SETROPTS RACLIST(STARTED) REFRESH
      SETROPTS GENERIC(STARTED)  REFRESH

      ACF2 Commands:
      SET LID
      INSERT IKED STC UID(0) HOME(/) GROUP(OMVSGRP)
      SET R(FAC)
      RECKEY BPX ADD( DAEMON UID(IKED UID) SERVICE(READ) ALLOW)
      F ACF2,REBUILD(FAC)

    • If IKED is defined using a nonzero UID (for example, 300) and IKE GID (for example, 931), then IKED needs the following access:

      ADDGROUP IKE OMVS(GID(931))
      ADDUSER  IKED DFLTGRP(IKE) OMVS(UID(300) HOME('/var/ike/'))  NOPASSWORD
      CONNECT  IKED GROUP(IKE) UACC(READ)
      RDEFINE  STARTED  IKED.*            STDATA(USER(IKED))
      PERMIT   BPX.DAEMON CLASS(FACILITY) ID(IKED)     ACCESS(READ)
      SETROPTS RACLIST(STARTED) REFRESH
      SETROPTS GENERIC(STARTED) REFRESH

      ACF2 Commands:
      SET LID
      INSERT IKED STC UID(300) HOME(/var/ike/) GROUP(IKE)
      SET P(GROUP) DIV(OMVS)
      INSERT IKE GID(931)
      SET R(FAC)
      RECKEY BPX ADD( DAEMON UID(IKED UID) SERVICE(READ) ALLOW)
      F ACF2,REBUILD(FAC)

      1. Set the /var directory access to all using the following command:

        chmod 777 /var

      2. If the /var/ike directory does not already exist, use a superuser ID to create it and modify this directory using the following commands:

        mkdir /var/ike/ 
        chown IKED /var/ike
        chgrp IKE /var/ike
        chmod 770 /var/ike

      3. If the /var/sock/ directory does not already exist, use a superuser ID to create it and set the access to all using the following commands:

        mkdir /var/sock/
        chown 0 /var/sock
        chmod 777 /var/sock

      4. Define RACF definitions for IKED to retrieve IP security policies from Policy Agent:

        RDEFINE SERVAUTH EZB.PAGENT.sysname.*.IPSEC UACC(NONE)  
        PERMIT EZB.PAGENT.sysname.*.IPSEC CLASS(SERVAUTH) ID(IKED) ACCESS(READ) 
        SETROPTS RACLIST(SERVAUTH) REFRESH
        SETROPTS GENERIC(STARTED)  REFRESH

        ACF2 Commands:
        SET R(SER)
        RECKEY EZB ADD( PAGENT.sysname.*-.IPSEC UID(IKED UID) SERVICE(READ) ALLOW)
        F ACF2,REBUILD(SER)

        Note that the default type code for SERVAUTH is SER. Replace SER with the appropriate type code listed in a SHOW CLASMAP command.

      5. Permit IKED to issue console messages directly without the BPXM023I message prefix:

        RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
        PERMIT BPX.CONSOLE CLASS(FACILITY) ID(IKED) ACCESS(READ)
        SETROPTS RACLIST(FACILITY) REFRESH

        ACF2 Commands:
        SET R(FAC)
        RECKEY BPX ADD( CONSOLE UID(IKED UID) SERVICE(READ) ALLOW)
        F ACF2,REBUILD(FAC)

  1. Allow the IKED to access SYS1.PARMLIB as follows:

    PERMIT   SYS1.PARMLIB  ID(IKED)        ACCESS(READ)

    ACF2 Commands:
    SET RULE
    RECKEY SYS1 ADD( PARMLIB UID(IKED UID) R(A))

  2. Enable the IKED to access certificates by issuing the appropriate commands.

    • If the certificates used by the IKED are not site certificates, enable the IKED to access the certificates on an ESM key ring by issuing the following commands:

      RDEFINE  FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
      RDEFINE  FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
      PERMIT   IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IKED) ACCESS(READ)
      PERMIT   IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(IKED) ACCESS(READ)
      SETROPTS RACLIST(FACILITY) REFRESH

      ACF2 Commands:
      SET R(FAC)
      RECKEY IRR( DIGTCERT.LISTRING UID(IKED UID) SERVICE(READ) ALLOW)
      RECKEY IRR( DIGTCERT.LIST UID(IKED UID) SERVICE(READ) ALLOW)
      F ACF2,REBUILD(FAC)

    • If the certificates used by the IKED are site certificates, enable the IKED to access them by issuing the following commands:

      RDEFINE  FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
      RDEFINE  FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
      RDEFINE  FACILITY IRR.DIGTCERT.GENCERT  UACC(NONE)
      PERMIT   IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IKED) ACCESS(UPDATE)
      PERMIT   IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(IKED) ACCESS(READ)
      PERMIT   IRR.DIGTCERT.GENCERT  CLASS(FACILITY) ID(IKED) ACCESS(CONTROL)
      SETROPTS RACLIST(FACILITY) REFRESH

      ACF2 Commands:
      SET R(FAC)
      RECKEY IRR( DIGTCERT.LISTRING UID(IKED UID) SERVICE(UPDATE) ALLOW)
      RECKEY IRR( DIGTCERT.LIST UID(IKED UID) SERVICE(READ) ALLOW)
      RECKEY IRR( DIGTCERT.GENCERT UID(IKED UID) SERVICE(DELETE) ALLOW)
      F ACF2,REBUILD(FAC)

  3. Enable the IKED to run as nonswappable.

    PERMIT BPX.STOR.SWAP CLASS(FACILITY) ID(IKED) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH

    ACF2 Commands:
    SET R(FAC)
    RECKEY BPX( STOR.SWAP UID(IKED UID) SERVICE(READ) ALLOW)
    F ACF2,REBUILD(FAC)

Step 4: Steps for authorizing the ipsec command 

  1. Define access control for the ipsec

    The ipseccommand uses both display and control features. You can control access to each feature independently.

    • To control access to both the display and control capabilities of the ipseccommand, issue the following commands:

      SETROPTS GENERIC(SERVAUTH)
      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.* UACC(NONE)
      PERMIT   IPSECCMD.sysname.tcpprocname.* CLASS(SERVAUTH) ID(userid) ACCESS(READ)
      SETROPTS GENERIC(SERVAUTH) REFRESH

      ACF2 Commands:
      SET R(SER)
      RECKEY EZB( IPSECCMD.sysname.tcpprocname.- UID(IKED UID) SERVICE(READ) ALLOW)
      F ACF2,REBUILD(SER)

    • To control access specifically to the display capabilities of the ipseccommand for a stack, issue the following commands:

      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.DISPLAY UACC(NONE)
      PERMIT   IPSECCMD.sysname.tcpprocname.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)

      ACF2 Commands:
      SET R(SER)
      RECKEY EZB( IPSECCMD.sysname.tcpprocname.DISPLAY UID(IKED UID) SERVICE(READ) ALLOW)

    • To control access specifically to the display capabilities of the ipseccommand for global defensive filters, issue the following commands:

      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.DMD_GLOBAL.DISPLAY UACC(NONE)
      PERMIT   IPSECCMD.sysname.DMD_GLOBAL.DISPLAY CLASS(SERVAUTH) ID(userid) ACCESS(READ)

      ACF2 Commands:
      SET R(SER)
      RECKEY EZB( IPSECCMD.sysname.DMD_GLOBAL.DISPLAY UID(IKED UID) SERVICE(READ) ALLOW)


    • To control access specifically to the control capabilities of the ipseccommand for a stack, issue the following commands:

      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.tcpprocname.CONTROL UACC(NONE)
      PERMIT   IPSECCMD.sysname.tcpprocname.CONTROL CLASS(SERVAUTH) ID(userid) ACCESS(READ)

      ACF2 Commands:
      SET R(SER)
      RECKEY EZB( IPSECCMD.sysname.tcpprocname.CONTROL UID(IKED UID) SERVICE(READ) ALLOW)

    • To control access specifically to the control capabilities of the ipseccommand for global defensive filters, issue the following commands:

      RDEFINE  SERVAUTH EZB.IPSECCMD.sysname.DMD_GLOBAL.CONTROL UACC(NONE)
      PERMIT   IPSECCMD.sysname.DMD_GLOBAL.CONTROL CLASS(SERVAUTH) ID(userid) ACCESS(READ)

      ACF2 Commands:
      SET R(SER)
      RECKEY EZB( IPSECCMD.sysname.DMD_GLOBAL.CONTROL UID(IKED UID) SERVICE(READ) ALLOW)

Tip: These SERVAUTH profiles provide ipsec command access to only the local stack. For information about SERVAUTH profiles for controlling ipsec command access for the network security services (NSS) server, see Network security services for the IPSec discipline.

  1. To refresh the in-storage RACF profiles in the SERVAUTH class, issue the following command:

    SETROPTS RACLIST(SERVAUTH) REFRESH

    ACF2 Command:
    F ACF2,REBUILD(SER)

Step 5: Steps for setting up profiles in the CSFSERV resource class

  1. Determine the SAF profiles that you will use within the CSFSERV resource class:

    Note that for ACF2, the default class type code for CSFSERV is SAF. Most sites change this type code to something more meaningful like CSF. For the purpose of these examples, CSF will be used. Replace CSF with the appropriate type code for CSFSERV listed in the SHOW CLASMAP command.

    See ACF2 documentation section Integrated Cryptographic Service Facility for more details on this class and how to set it up for the first time in ACF2.

    After verifying the CSFSERV class has been set up in ACF2, determine what profiles are needed using the IBM documentation and use the following RECKEY command template to write the appropriate rules. Put as many RECKEY commands between the SET and F ACF2,REBUILD commands as needed.

    SET R(CSF)
    RECKEY profile ADD( UID(userid) ALLOW)
    F ACF2,REBUILD(CSF)