SSHD comes with RACF commands for the SAF requirements. What are the ACF2 and Top Secret equivalents of these commands?
Release : 16.0
SSHD (Port 922) for Ansible - Implementation Procedures
RACF
ADDGROUP SSHDG OMVS(GID(999))
ADDUSER SSHD DFLTGRP(SSHDG) OMVS(UID(999) HOME('/var/empty') PROGRAM('/bin/false')) NOPASSWORD
ACF2
ACF
SET PROFILE(GROUP) DIV(OMVS)
INSERT SSHDG GID(999)
SET LID
INSERT SSHD NAME(SSH User) GROUP(SSHDG) UID(999)-
HOME(/var/empty) PROGRAM(/bin/false) RESTRICT
TSS
TSS CREATE(SSHDG) TYPE(GROUP) DEPT(dept) NAME('SSHD Group')
TSS ADD(SSHDG) GID(999)
TSS CREATE(SSHD) TYPE(USER) DEPT(dept) -
NAME('SSHD Unprivileged USER Account') PROTECTED
TSS ADD(SSHD) UID(999) GROUP(SSHDG) DFLTGRP(SSHDG)
TSS ADD(SSHD) HOME(/var/empty) OMVSPGM(/bin/false)
TSS ADD(SSHD) FAC(BATCH)
RACF
ADDUSER SSHDAEM DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) NOPASSWORD
ACF2
ACF
INSERT SSHDAEM NAME(SSHDAEM User) GROUP(OMVSGRP) UID(0) -
HOME(/) PROGRAM(/bin/sh)
* Note: If OMVSGRP does not exist, it must be created and assigned a GID.
TSS
TSS CREATE(SSHDAEM) TYPE(USER) DEPT(dept) -
NAME('SSHD Privileged USER Account') PROTECTED
TSS ADD(SSHDAEM) UID(0) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)
TSS ADD(SSHDAEM) HOME(/) OMVSPGM(/bin/sh)
TSS ADD(SSHDAEM) FAC(STC)
RACF
RDEFINE STARTED SSHD.* STDATA(USER(SSHDAEM)
GROUP(OMVSGRP) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH
ACF2
ACF
SET CONTROL(GSO)
INSERT STC.SSH GROUP(OMVSGRP) LOGONID(SSHDAEM) STC(SSHD-)
F ACF2,REFRESH(STC)
* Note: If OMVSGRP does not exist, it must be created and assigned a GID.
TSS
TSS ADD(STC) PROCNAME(SSHD*) ACID(SSHDAEM)
* Note: If OMVSGRP does not exist, it must be created and assigned a GID.
RACF
PERMIT BPX.DAEMON CLASS(FACILITY) ID(SSHDAEM) ACCESS(READ)
ACF2
ACF
SET RESOURCE(FAC)
RECKEY BPX ADD(DAEMON UID(<uid for SSHDAEM>) SERVICE(READ) -
ALLOW)
F ACF2,REBUILD(FAC)
TSS
TSS PERMIT(SSHDAEM) IBMFAC(BPX.DAEMON) ACCESS(READ)
RACF
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ACCESS(READ) ID(SSHDAEM)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ACCESS(UPDATE) ID(SSHDAEM)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ACCESS(CONTROL) ID(SSHDAEM)
ACF2
ACF
SET RESOURCE(FAC)
RECKEY IRR ADD(DIGTCERT.LIST UID(<uid for SSHDAEM>) -
SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.LISTRING UID(<uid for SSHDAEM>) -
SERVICE(UPDATE) ALLOW)
RECKEY IRR ADD(DIGTCERT.GENCERT UID(<uid for SSHDAEM>) -
SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(FAC)
TSS
TSS PERMIT(SSHDAEM) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(READ)
TSS PERMIT(SSHDAEM) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)
TSS PERMIT(SSHDAEM) IBMFAC(IRR.DIGTCERT.GENCERT) ACCESS(CONTROL)
CSFSERV class profiles required by SSHD (the ACF2 and Top Secret equivalents follow): CSFIQA, CSF1TRC, CSF1TRD, CSF1PKS, CSF1PKV, CSF1DVK, CSF1GAV
If a cryptographic coprocessor card is installed, also add these profiles: CSFDSG, CSFDSV, CSFPKI
ACF2
* By default, ACF2 assigns the 3-character type code "SAF"
* to the CSFSERV resource class. Sites might prefer to
* change the default type code to "CSF" or another value.
* To change the CSFSERV class type code to "CSF", a GSO CLASMAP
* record can be INSERTed from TSO ACF as follows:
SET CONTROL(GSO)
INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF)
F ACF2,REFRESH(CLASMAP)
* The CSFSERV resource class type code must be made resident
* by adding the type code to the GSO INFODIR record. Make the
* resource rules with type code CSF resident:
SET CONTROL(GSO)
CONTROL
CHANGE INFODIR TYPES(R-RCSF) ADD
F ACF2,REFRESH(INFODIR)
*
* ICSF digital signature algorithms in the CSFSERV class.
SET RESOURCE(CSF)
RECKEY CSFIQA ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1TRC ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1TRD ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1PKS ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1PKV ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1DVK ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSF1GAV ADD(UID(<uid for SSHDAEM>) ALLOW)
F ACF2,REBUILD(CSF)
* If a cryptographic coprocessor card is installed, also add these profiles.
SET RESOURCE(CSF)
RECKEY CSFDSG ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSFDSV ADD(UID(<uid for SSHDAEM>) ALLOW)
RECKEY CSFPKI ADD(UID(<uid for SSHDAEM>) ALLOW)
F ACF2,REBUILD(CSF)
TSS
/* Add the CSFSERV resources to the department, if not already done.
TSS ADD(dept) CSFSERV(CSFIQA)
TSS ADD(dept) CSFSERV(CSF1TRC)
TSS ADD(dept) CSFSERV(CSF1TRD)
TSS ADD(dept) CSFSERV(CSF1PKS)
TSS ADD(dept) CSFSERV(CSF1PKV)
TSS ADD(dept) CSFSERV(CSF1DVK)
TSS ADD(dept) CSFSERV(CSF1GAV)
/*
TSS PERMIT(SSHDAEM) CSFSERV(CSFIQA) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1TRC) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1TRD) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1PKS) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1PKV) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1DVK) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSF1GAV) ACCESS(READ)
/*
/* If a cryptographic coprocessor card is installed,
/* also add these profiles (if not already done).
TSS ADD(dept) CSFSERV(CSFDSG)
TSS ADD(dept) CSFSERV(CSFDSV)
TSS ADD(dept) CSFSERV(CSFPKI)
/*
TSS PERMIT(SSHDAEM) CSFSERV(CSFDSG) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSFDSV) ACCESS(READ)
TSS PERMIT(SSHDAEM) CSFSERV(CSFPKI) ACCESS(READ)
RACF
RACDCERT ID(SSHDAEM) ADDRING(SSHDring)
ACF2
ACF
SET P(USER) DIV(KEYRING)
INSERT SSHDAEM.ring RINGNAME(SSHDring)
TSS
TSS ADD(SSHDAEM) KEYRING(SSHDRING) LABLRING(SSHDRING)
RACF
DEFINE RDATALIB SSHDAEM.SSHDring.LST UACC(NONE)
PERMIT SSHDAEM.SSHDring.LST CLASS(RDATALIB) ID(SSHDAEM) ACCESS(READ)
ACF2
ACF
SET RESOURCE(RDA)
RECKEY SSHDAEM ADD(SSHDring.LST UID(<uid for SSHDAEM>) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(RDA)
TSS
/* Add the RDATALIB resource to the department, if not already done.
TSS ADD(dept) RDATALIB(SSHDAEM.SSHDRING.LST)
TSS PER(SSHDAEM) RDATALIB(SSHDAEM.SSHDRING.LST) ACCESS(READ)
RACF
RACDCERT GENCERT ID(SSHDAEM) SUBJECTSDN(CN('host-ssh-rsa-cn'))
SIZE(2048) WITHLABEL('host-ssh-rsa')
RACDCERT GENCERT ID(SSHDAEM) SUBJECTSDN(CN('host-ssh-ecdsa-cn'))
SIZE(256) NISTECC WITHLABEL('host-ssh-ecdsa')
ACF2
ACF
SET PROFILE(USER) DIVISION(CERTDATA)
GENCERT SSHDAEM.sshrsa LABEL(host-ssh-rsa) SIZE(2048) -
SUBJSDN(CN='host-ssh-rsa-cn')
GENCERT SSHDAEM.sshecda LABEL(host-ssh-ecdsa) SIZE(256) -
SUBJSDN(CN='host-ssh-ecdsa-cn') NISTECC
TSS
TSS GENCERT(SSHDAEM) DIGICERT(xxxxxxxx) -
LABLCERT('host-ssh-rsa') -
SUBJECTN('CN="host-ssh-rsa-cn"') KEYSIZE(2048)
TSS GENCERT(SSHDAEM) DIGICERT(yyyyyyyy) -
LABLCERT('host-ssh-ecdsa') -
SUBJECTN('CN="host-ssh-ecdsa-cn"') KEYSIZE(256) NISTECC
RACF
RACDCERT CONNECT(ID(SSHDAEM) LABEL('host-ssh-rsa')
RING(SSHDring) USAGE(PERSONAL)) ID(SSHDAEM)
RACDCERT CONNECT(ID(SSHDAEM) LABEL('host-ssh-ecdsa')
RING(SSHDring) USAGE(PERSONAL)) ID(SSHDAEM)
ACF2
ACF
CONNECT CERTDATA(SSHDAEM.sshrsa) KEYRING(SSHDAEM.ring) -
USAGE(PERSONAL)
CONNECT CERTDATA(SSHDAEM.sshecda) KEYRING(SSHDAEM.ring) -
USAGE(PERSONAL)
TSS
TSS ADD(SSHDAEM) KEYRING(SSHDRING) DIGICERT(xxxxxxxx) -
USAGE(PERSONAL)
TSS ADD(SSHDAEM) KEYRING(SSHDRING) DIGICERT(yyyyyyyy) -
USAGE(PERSONAL)
RACF
RACDCERT ID(SSHDAEM) ADDRING(SSHKnownHostsRing)
ACF2
ACF
SET PROFILE(USER) DIVISION(KEYRING)
INSERT SSHDAEM.keyr01 RINGNAME(SSHKnownHostsRing)
TSS
TSS ADD(SSHDAEM) KEYRING(SSHKHRNG) LABLRING(SSHKnownHostsRing)
From z/OS:
RACF
RACDCERT EXPORT(LABEL('host-ssh-type')) ID(SSHDAEM)
FORMAT(CERTDER) DSN('host.sshcert.type')
ACF2
ACF
EXPORT SSHDAEM.??????? DSN('host.sshcert.type') FORMAT(CERTDER)
** NOTE: The RACDCERT EXPORT command assumes that the certificate with label LABEL('host-ssh-type') exists in the security database. For ACF2 this is the CERTDATA record SSHDAEM.??????? of that certificate in the ACF2 INFOSTG database.
TSS
TSS EXPORT(SSHDAEM) DIGICERT(zzzzzzzz) -
DSN('host.sshcert.type') FORMAT(CERTDER)
where 'zzzzzzzz' is the digital certificate with label LABEL('host-ssh-type').
** NOTE: The RACDCERT EXPORT command assumes that the certificate with label LABEL('host-ssh-type') exists in the security database. For Top Secret this is the DIGICERT whose LABLCERT is 'host-ssh-type' in the Top Secret database. If this certificate does not exist in the security database, the keys should be copied from Linux/Unix using the openssl command below.
From Linux/Unix:
openssl x509 -pubkey -noout -in certificate.pem > pubcertkey.pub
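The following shell script is an added example and is not part of the Broadcom article. It exercises the Linux/Unix side of the host-certificate exchange described above: it builds a constructed stand-in for the z/OS host certificate (a self-signed RSA 2048 certificate, the same parameters the RACDCERT GENCERT step requests), converts it to DER as RACDCERT EXPORT FORMAT(CERTDER) would produce it, runs the openssl command above to extract the public key, and then checks that the key really belongs to the certificate and has the expected algorithm and size. It assumes openssl is in PATH; all file names and the throwaway key are constructed for the test.

```shell
#!/bin/sh
# Added example (not from the article): round-trip check for the certificate export
# and public-key extraction steps, using a constructed self-signed certificate as a
# stand-in for the certificate generated on z/OS.
# Assumptions: openssl is in PATH; every file name below is constructed for the test.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Constructed stand-in for the z/OS host certificate (subject CN taken from the
# GENCERT step; the private key is freshly generated and throwaway).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=host-ssh-rsa-cn' \
        -keyout "$WORK/host.key" -out "$WORK/certificate.pem" >/dev/null 2>&1
    # What arrives on the Linux side after RACDCERT EXPORT ... FORMAT(CERTDER): DER.
    openssl x509 -in "$WORK/certificate.pem" -outform DER -out "$WORK/host.sshcert.rsa"
}

# A DER export has to be converted to PEM before the article's command applies unchanged.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# The article's command: write the certificate's public key (PEM) to a file.
extract_pubkey() {
    openssl x509 -pubkey -noout -in "$1" > "$2"
}

# Check 1: the extracted public key is exactly the public half of the private key.
# A mismatch here means the wrong certificate was exported from the security database.
pubkey_matches_private() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(cat "$2")" ]
}

# Check 2: the key has the size the GENCERT step requested (2048 bits).
pubkey_is_rsa2048() {
    openssl pkey -pubin -in "$1" -text -noout | grep -q 'Public-Key: (2048 bit)'
}

# Check 3: the certificate itself carries an RSA key.
cert_is_rsa() {
    openssl x509 -in "$1" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption'
}

# Run the whole round trip; returns 0 only when every check passes.
verify_host_cert_roundtrip() {
    make_test_cert
    der_to_pem "$WORK/host.sshcert.rsa" "$WORK/from_zos.pem"
    extract_pubkey "$WORK/from_zos.pem" "$WORK/pubcertkey.pub"
    pubkey_matches_private "$WORK/host.key" "$WORK/pubcertkey.pub" &&
    pubkey_is_rsa2048 "$WORK/pubcertkey.pub" &&
    cert_is_rsa "$WORK/from_zos.pem"
}

verify_host_cert_roundtrip && echo "public key in $WORK/pubcertkey.pub verified"
```

The script leaves its files in the directory named by WORK (a fresh mktemp directory unless WORK is set), so the extracted pubcertkey.pub can be inspected afterwards; the same three checks apply to the ECDSA certificate once the expected algorithm and key size are changed to match the ecdsa GENCERT step.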
RACF
RACDCERT ADD('host.sshcert.type') ID(SSHDAEM)
WITHLABEL('host-ssh-type') TRUST
ACF2
ACF
SET PROFILE(USER) DIV(CERTDATA)
INSERT SSHDAEM.sshhost DSN('host.sshcert.type') -
LABEL(host-ssh-type) TRUST
TSS
TSS ADD(SSHDAEM) DIGICERT(zzzzzzzz) DCDSN('host.sshcert.type') -
LABLCERT('host-ssh-type') TRUST
RACF
RACDCERT CONNECT(ID(SSHDAEM) LABEL('host-ssh-type')
RING(SSHKnownHostsRing)) ID(SSHDAEM)
ACF2
ACF
CONNECT CERTDATA(SSHDAEM.sshhost) KEYRING(SSHDAEM.keyr01)
TSS
TSS ADD(SSHDAEM) KEYRING(SSHKHRNG) DIGICERT(zzzzzzzz)