Preparing to run IP security (IPSEC) in ACF2 environment
Article ID: 243324
Products: ACF2 - z/OS, ACF2, ACF2 - MISC
Issue/Introduction
The following article translates the sample RACF commands given in IBM's "Steps for preparing to run IP security" into the equivalent ACF2 commands. Only steps 3-5 are covered here, because these are the only steps that contain RACF commands. The remaining steps can be found in the IBM documentation, "Steps for preparing to run IP security".
ACF2 Commands:
SET LID
INSERT IKED STC UID(300) HOME(/var/ike/) GROUP(IKE)
SET P(GROUP) DIV(OMVS)
INSERT IKE GID(931)
SET R(FAC)
RECKEY BPX ADD( DAEMON UID(IKED UID) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
Set the /var directory access to all using the following command:
chmod 777 /var
If the /var/ike directory does not already exist, use a superuser ID to create it and modify this directory using the following commands:
Enable the IKED to access certificates by issuing the appropriate commands.
If the certificates used by the IKED are not site certificates, enable the IKED to access the certificates on an ESM key ring by issuing the following commands:
Tip: These SERVAUTH profiles provide ipsec command access to only the local stack. For information about SERVAUTH profiles for controlling ipsec command access for the network security services (NSS) server, see Network security services for the IPSec discipline.
To refresh the in-storage RACF profiles in the SERVAUTH class, issue the following command:
SETROPTS RACLIST(SERVAUTH) REFRESH
ACF2 Command: F ACF2,REBUILD(SER)
Step 5: Steps for setting up profiles in the CSFSERV resource class
Determine the SAF profiles that you will use within the CSFSERV resource class:
Note that for ACF2, the default class type code for CSFSERV is SAF. Most sites change this type code to something more meaningful, such as CSF. For the purpose of these examples, CSF is used. Replace CSF with the type code for CSFSERV shown in the output of the SHOW CLASMAP command.
See ACF2 documentation section Integrated Cryptographic Service Facility for more details on this class and how to set it up for the first time in ACF2.
After verifying that the CSFSERV class has been set up in ACF2, determine which profiles are needed from the IBM documentation and use the following RECKEY command template to write the appropriate rules. Put as many RECKEY commands between the SET and F ACF2,REBUILD commands as needed.
SET R(CSF)
RECKEY profile ADD( UID(userid) ALLOW)
F ACF2,REBUILD(CSF)
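The RACF-to-ACF2 mapping used in Step 4 (SETROPTS RACLIST REFRESH to F ACF2,REBUILD) and in the CSFSERV template above can be applied mechanically to the PERMIT list from the IBM documentation. The following script is an added example, not part of this article or of ACF2; it assumes the site type codes CSF and SER, that the RACF ID is used unchanged as the ACF2 UID mask, and it only accepts ACCESS(READ), rejecting anything else so that no broader access is granted by accident. The profile names in the sample are constructed placeholders.

```python
import re

# Type codes assumed for the two classes handled here; confirm with SHOW CLASMAP.
TYPE_CODES = {"CSFSERV": "CSF", "SERVAUTH": "SER"}

PERMIT_RE = re.compile(
    r"^PERMIT\s+(?P<profile>\S+)\s+CLASS\((?P<cls>\w+)\)\s+"
    r"ID\((?P<id>\w+)\)\s+ACCESS\((?P<acc>\w+)\)\s*$", re.I)
REFRESH_RE = re.compile(r"^SETROPTS\s+RACLIST\((?P<cls>\w+)\)\s+REFRESH\s*$", re.I)

def translate(racf_lines, type_codes=TYPE_CODES):
    """Return ACF2 command lines equivalent to the given RACF commands.

    Emits one SET R(type) per run of PERMITs for the same class, a RECKEY
    per PERMIT (article template: ADD( UID(id) ALLOW)), and F ACF2,REBUILD
    for SETROPTS RACLIST REFRESH. Any other command or access level raises.
    """
    out, current = [], None
    for raw in racf_lines:
        line = raw.strip()
        if not line or line.upper().startswith("RDEFINE"):
            continue  # RDEFINE grants nothing; the template emits no line for it
        m = PERMIT_RE.match(line)
        if m:
            if m["acc"].upper() != "READ":
                raise ValueError(f"unsupported access level, review by hand: {line}")
            code = type_codes.get(m["cls"].upper())
            if code is None:
                raise ValueError(f"no type code known for class in: {line}")
            if code != current:
                out.append(f"SET R({code})")
                current = code
            out.append(f"RECKEY {m['profile'].upper()} ADD( UID({m['id'].upper()}) ALLOW)")
            continue
        m = REFRESH_RE.match(line)
        if m:
            out.append(f"F ACF2,REBUILD({type_codes[m['cls'].upper()]})")
            current = None
            continue
        raise ValueError(f"cannot translate: {line}")
    return out

# Constructed sample input; CSFPROF1/CSFPROF2 stand in for the real profile names.
SAMPLE_RACF = [
    "RDEFINE CSFSERV CSFPROF1 UACC(NONE)",
    "PERMIT CSFPROF1 CLASS(CSFSERV) ID(IKED) ACCESS(READ)",
    "PERMIT CSFPROF2 CLASS(CSFSERV) ID(IKED) ACCESS(READ)",
    "SETROPTS RACLIST(CSFSERV) REFRESH",
]

if __name__ == "__main__":
    print("\n".join(translate(SAMPLE_RACF)))
```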