Steps required to set up TPX / RACF as the security system for authentication.
- TPX supports RACF password phrase and MFA through the SAF interface. Sites using IBM RACF must configure TPX to use SAF security.
If your site uses IBM RACF:
- In the SMRT option 9 (Security Parameters), set Security System to SAF.
- Set SAMT to SAF.
- After changing the "Security System" and SAMT, TPX must be restarted to pick up the new configuration.
- The TPX Security Action/Message Table (SAMT) can be customized for messages produced by RACF (optional).
- For TPX dynamic users, the RACF/SAF interface can be used to validate profile assignment (optional).
- "Dynamic users" are users who are not maintained in the TPX database.
- Their profiles are not determined by records in the ADMIN files; instead, they are determined when the dynamic user logs on.
Following are two methods for defining profile selection for a Dynamic user:
- USER-LEVEL PROFILE SELECTION
- Specify "Y" in the "Load profiles at startup" field of the SMRT (Performance Parameters).
- Specify "USER" in the "Profile Selection" field of the SMRT (Performance Parameters).
- In RACF, specify each profile as a RACF Group.
- In RACF, specify the Group names in each user's security record.
- For each Group name, a profile with a matching name will be added to the user's profile list.
- PROFILE-LEVEL PROFILE SELECTION
- Specify "Y" in the "Load profiles at startup" field of the SMRT (Performance Parameters).
- Set up a new class in the RACF Class Descriptor Table, ICHRRCDE. Use the ICHERCDE macro to create this class.
- Activate the RACF Resource Class with the SETROPTS CLASSACT command.
- Define the RACF Resource Class to TPX by specifying its name in the "Resource Class" field of the SMRT (Security Parameters).
- Set up a rule in the class for each profile, specifying which users can use that profile.
- Indicate which profile should appear first in the user's list of profiles by entering "Y" in the "Profile Should be First" field of the profile. (Field is in Profile Maintenance, under User/Group Maintenance.)
NOTE: The TPXUSNSF exit can be used to add profiles to or delete profiles from the list provided by the security system.
Example of PROFILE-LEVEL PROFILE SELECTION
SMRT
Security Parameters
-------------------
* Security System: RACF
* Profile Selection: PROF
* Alias Name:
* Resource Class: CA$TPX
Performance Parameters
----------------------
VTAM Authorized Path Facility: Y
Large Message Processing Option: Y
Rtasks (Number of servers): 03
Load profiles at startup: Y
DEFINE THE NEW CLASS TO THE CLASS DESCRIPTOR TABLE AND THE ROUTER TABLE
LABEL    ICHERCDE CLASS=CA$TPX,
               DFTUACC=NONE,
               FIRST=ALPHA,
               ID=nn,                 (128-255)
               KEYQUAL=0,
               MAXLNTH=39,
               OPER=NO,
               OTHER=ANY,
               POSIT=nnn              (SEE RACF CUSTOMIZATION)
LABEL    ICHRFRTB ACTION=RACF,
               CLASS=CA$TPX
Execute the following to complete the setup.
SETROPTS CLASSACT(CA$TPX)
SETROPTS GENERIC(CA$TPX)
RDEFINE CA$TPX profname UACC(NONE)
.
.
.
PERMIT profname CLASS(CA$TPX) ID(USERID) ACCESS(READ)
.
.
.
Where:
MAXLNTH is the maximum length of the profile name; a value of 8 is generally appropriate.
RACLIST=ALLOWED/DISALLOWED is not relevant from the TPX perspective. TPX does not issue a RACLIST (RACROUTE REQUEST=LIST); instead, at TPX startup it issues an individual RACHECK (RACROUTE REQUEST=AUTH) for each profile to determine which profiles the user is authorized for.
The user must have READ access to the resource profile in RACF for the corresponding TPX profile to be granted.
All profiles referenced in RACF must have a corresponding entry in TPX.
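To make the two selection methods and the consistency rules above concrete, here is an added Python model written for this page; it is not TPX or RACF code. The RACF group connections, the CA$TPX access lists, the TPX profile table and the "Profile Should be First" flags are constructed sample data. The RACROUTE REQUEST=AUTH check is reduced to a dictionary lookup, UACC(NONE) is assumed for every resource profile, and MAXLNTH is set to 8 as the text suggests. The audit function applies the two rules from the "Where" section (every RACF profile needs a TPX entry; no name exceeds MAXLNTH), and the command generator reproduces the SETROPTS/RDEFINE/PERMIT sequence for the sample data.

```python
# Added illustration of TPX dynamic-user profile selection. Not TPX or RACF code;
# all data below is constructed sample data and the RACF check is a dictionary lookup.

MAXLNTH = 8                 # example value; the page says 8 is generally appropriate
RESOURCE_CLASS = "CA$TPX"   # class name from the page's example

# TPX side (constructed): profile name -> "Profile Should be First" flag.
# Every profile referenced in RACF must have an entry here.
TPX_PROFILES = {"TSOPROF": False, "CICSPROF": False, "ADMIN": True}

# RACF side (constructed): each user's connected groups, used by USER-LEVEL selection.
RACF_USER_GROUPS = {
    "USER01": ["TSOPROF", "CICSPROF", "PAYROLL"],   # PAYROLL has no TPX profile
    "USER02": ["ADMIN", "TSOPROF"],
}

# RACF side (constructed): resource profiles in class CA$TPX with their access
# lists (PERMIT ... ID(userid) ACCESS(level)). UACC(NONE) is assumed throughout.
RACF_CLASS = {
    "TSOPROF": {"USER01": "READ", "USER02": "READ"},
    "CICSPROF": {"USER01": "NONE"},
    "ADMIN": {"USER02": "READ"},
    "OLDPROF": {"USER02": "READ"},      # still in RACF, no longer defined in TPX
    "TOOLONGPROF": {},                  # 11 characters, exceeds MAXLNTH=8
}

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def user_level_selection(userid):
    """USER-LEVEL: each RACF group name that matches a TPX profile name is added."""
    return [g for g in RACF_USER_GROUPS.get(userid, []) if g in TPX_PROFILES]


def authorized_read(profname, userid):
    """Stand-in for RACROUTE REQUEST=AUTH with READ: true when the user's access
    on the resource profile is READ or higher (UACC(NONE) assumed)."""
    acl = RACF_CLASS.get(profname)
    if acl is None:
        return False                    # no resource profile: the request fails
    return ACCESS_RANK[acl.get(userid, "NONE")] >= ACCESS_RANK["READ"]


def profile_level_selection(userid):
    """PROFILE-LEVEL: one individual check per profile loaded at startup; profiles
    flagged 'Profile Should be First' are moved to the front of the list."""
    granted = [p for p in RACF_CLASS if p in TPX_PROFILES and authorized_read(p, userid)]
    first = [p for p in granted if TPX_PROFILES[p]]
    rest = [p for p in granted if not TPX_PROFILES[p]]
    return first + rest


def audit_resource_class(racf_class=RACF_CLASS, tpx_profiles=TPX_PROFILES, maxlnth=MAXLNTH):
    """Consistency checks from the page: every RACF profile needs a TPX entry,
    and no profile name may exceed MAXLNTH."""
    problems = []
    for profname in racf_class:
        if profname not in tpx_profiles:
            problems.append(f"{profname}: defined in class {RESOURCE_CLASS} but has no TPX profile")
        if len(profname) > maxlnth:
            problems.append(f"{profname}: {len(profname)} characters exceeds MAXLNTH={maxlnth}")
    return problems


def racf_commands(racf_class=RACF_CLASS, class_name=RESOURCE_CLASS):
    """Generate the SETROPTS/RDEFINE/PERMIT sequence from the page for the sample data."""
    cmds = [f"SETROPTS CLASSACT({class_name})", f"SETROPTS GENERIC({class_name})"]
    for profname, acl in racf_class.items():
        cmds.append(f"RDEFINE {class_name} {profname} UACC(NONE)")
        for userid, access in acl.items():
            cmds.append(f"PERMIT {profname} CLASS({class_name}) ID({userid}) ACCESS({access})")
    return cmds


if __name__ == "__main__":
    for uid in RACF_USER_GROUPS:
        print(uid, "user-level:", user_level_selection(uid),
              "profile-level:", profile_level_selection(uid))
    print("\n".join(audit_resource_class()))
    print("\n".join(racf_commands()))
```

Running it shows the difference between the two methods for the same user: USER02 gets ADMIN and TSOPROF under either method, but ADMIN is listed first only under profile-level selection because of the "Profile Should be First" flag; USER01 loses PAYROLL under user-level selection (no matching TPX profile) and loses CICSPROF under profile-level selection (ACCESS(NONE)). The audit flags OLDPROF and TOOLONGPROF, the two cases the "Where" section warns about.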