How do I set up ACF2 for IBM HealthChecker?

Article ID: 27210

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Where can one find information on ACF2 health check setup?

Environment

Release: 16.0
Component: ACF2 for Z/OS

Resolution

  1. Define a Logonid with associated USER and GROUP profiles:
    ACF
    SET LID
    INSERT hcsuperid NAME(health checker) STC UID(0) -
    HOME(/) PROGRAM(/bin/sh) GROUP(OMVSGRP)
    SET PROFILE(GRP) DIV(OMVS)
    INSERT OMVSGRP GID(nn)

    (Replace the lower case values with desired names)

    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,REBUILD(GRP),CLASS(P)
  2. Modify your SYS1 access rule to allow this Logonid:

    - WRITE access to PRODSYS.HZSPDATA.
    - READ access to SYS1.PARMLIB.

  3. If using a log stream:
    - write a resource rule for the Resource TYPE mapped to the LOGSTRM Resource Class (as delivered it is SAF - check ACF SHOW CLASMAP output) - and give the Logonid SERVICE(UPDATE) access to the logstreamname, e.g.:

    $KEY(logstreamname) TYPE(saf)
    UID(uidmask) SERVICE(UPDATE) ALLOW

    - if the resource type is resident (check ACF SHOW RESIDENT output) issue command F ACF2,REBUILD(saf).

    - write a resource rule for the Resource TYPE mapped to the FACILITY Resource Class (as delivered it is FAC - check ACF SHOW CLASMAP output) and give the HZSPRINT utility Logonid SERVICE(READ) access to the logstreamname, e.g.:

    $KEY(logstreamname) TYPE(fac)
    UID(uidmask) SERVICE(READ) ALLOW

    - if the resource type is resident (check ACF SHOW RESIDENT output) issue command F ACF2,REBUILD(fac).

  4. As delivered by CA, the Resource Classes XFACILIT and GXFACILI are mapped to Resource Types XFC and GXF respectively. Check via ACF SHOW CLASMAP command that you have not changed this.
  5. Write resource rules for the Resource Names, masked as appropriate, with required access in the SERVICE keyword. The ACF2 equivalents of the RACF attributes for use in the Resource Rules SERVICE keyword are:

     RACF      ACF2 Resource Rule
     -----     ---------------------
     READ      READ
     UPDATE    UPDATE
     ALTER     ADD
     CONTROL   DELETE
     EXECUTE   EXECUTE

  6. Note that RACF attributes are hierarchical so, for example, UPDATE includes READ access; in ACF2 each attribute must be specified, e.g. SERVICE(READ,UPDATE). If no SERVICE keyword is included in the resource rule, all accesses are allowed.

    A very basic rule that would allow all users access to all HZS resources would be:

    $KEY(HZS) TYPE(XFC)
    - UID(*) ALLOW

    Changing ALLOW to LOG would still allow all validations and also log them to SMF.

  7. The TYPE(XFC) Resource Class XFACILIT validation is a RACROUTE FASTAUTH call. SAF FASTAUTH calls require resident directories because there can be no I/O. Create a globally resident directory for a resource class by specifying the resource class in a GSO INFODIR record. This can be done as follows:

    SET CONTROL(GSO)
    CHANGE INFODIR TYPES(R-RXFC)

    Once the INFODIR record has been updated, issue the following commands to activate the changes:

    F ACF2,REFRESH(INFODIR)
    F ACF2,REBUILD(XFC),CLASS(R)
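
A check for the open rule described in step 6, as an added Python example (not part of the original article or of ACF2): it parses rule text in the layout shown on this page and reports lines that match every UID or omit the SERVICE keyword. It assumes that a line with no UID keyword applies to all users and that a line with no ALLOW or LOG keyword prevents access; the function names and the sample rule text are constructed for illustration.

```python
import re

ACTIONS = ("ALLOW", "LOG", "PREVENT")
HEADER = re.compile(r"\$KEY\(([^)]*)\)\s+TYPE\(([^)]*)\)", re.I)
KEYWORD = re.compile(r"(UID|SERVICE)\(([^)]*)\)", re.I)

# Constructed sample input: the basic rule from step 6, then a narrower variant
# built from this page's own placeholder (uidmask).
BASIC_RULE = "$KEY(HZS) TYPE(XFC)\n - UID(*) ALLOW\n"
SCOPED_RULE = "$KEY(HZS) TYPE(XFC)\n - UID(uidmask) SERVICE(READ,UPDATE) LOG\n"

def parse_rules(text):
    """Return one dict per rule line, tagged with its $KEY and TYPE."""
    entries, key, rtype = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            key, rtype = header.group(1), header.group(2).upper()
            continue
        if not line or key is None or line.startswith("$"):
            continue  # blank line, text before any $KEY, or another control line
        tokens = line.split()
        kw = {name.upper(): value for name, value in KEYWORD.findall(line)}
        first = tokens[0]
        # A leading token that is neither a keyword nor an action extends the key.
        ext = "" if KEYWORD.match(first) or first.upper() in ACTIONS else first
        entries.append({
            "resource": f"{key}.{ext}" if ext else key,
            "type": rtype,
            # Assumption: a rule line with no UID keyword is treated like UID(*).
            "uid": kw.get("UID", "*"),
            # None means no SERVICE keyword, i.e. all accesses (step 6).
            "services": tuple(s.strip().upper() for s in kw["SERVICE"].split(","))
                        if "SERVICE" in kw else None,
            # Assumption: with no ALLOW or LOG on the line, access is prevented.
            "action": next((t.upper() for t in tokens if t.upper() in ACTIONS), "PREVENT"),
        })
    return entries

def audit(text):
    """List (resource, finding) pairs for rule lines that grant broad access."""
    findings = []
    for entry in parse_rules(text):
        if entry["action"] == "PREVENT":
            continue
        if entry["uid"] in ("*", "-"):
            findings.append((entry["resource"], "every UID matches"))
        if entry["services"] is None:
            findings.append((entry["resource"], "no SERVICE keyword, all accesses allowed"))
    return findings
```

`audit(BASIC_RULE)` returns two findings for `HZS.-`, while `audit(SCOPED_RULE)` returns an empty list.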

Additional Information

ACF2 Health Checks

For details on Resource rules, the GSO INFODIR and the MODIFY ACF2 commands see the CA ACF2 for z/OS Administration Guide.