Setting up Security for Mainview BMC java monitor z/OS Connect EE and Liberty JVMs

Article ID: 275463


Products

ACF2 - z/OS

Issue/Introduction

ACF2 equivalent commands for Setting up RACF for z/OS Connect EE and Liberty JVMs.

Environment

Release : 16.0

Resolution

The following ACFBATCH job contains the ACF2 equivalent of each RACF command used for setting up security for z/OS Connect EE and Liberty JVMs. The RACF command is shown as a comment above its ACF2 counterpart.


//ACFBATCH EXEC PGM=ACFBATCH  
//SYSOUT   DD SYSOUT=*        
//SYSPRINT DD SYSOUT=*        
//SYSIN    DD *
*
* Grant authorization to EJBROLE objects
*
* RACF command
* PE CLASS(APPL) <safProfilePrefix>  +
*     ID(<safProfilePrefix>) ACCESS(READ)
SET RESOURCE(APL)
RECKEY safProfilePrefix ADD( USER(safProfilePrefix) SERVICE(READ) ALLOW)

* Note: use TYPE(APL) if you have a CLASMAP record mapping resource class APPL to TYPE(APL);
*       otherwise use the default, TYPE(SAF).

* RACF command
*  PE <safProfilePrefix>.zos.connect.access.roles.zosConnectAccess +
*     CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(zos.connect.access.roles.zosConnectAccess USER(mvjePasUserId) SERVICE(READ) ALLOW)

* RACF command
*  PE <safProfilePrefix>.zos.connect.access.roles.zosConnectAdmin +
*     CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(zos.connect.access.roles.zosConnectAdmin USER(mvjePasUserId) SERVICE(READ) ALLOW)

* RACF command
*  PERMIT <safProfilePrefix>.com.ibm.ws.management.security.resource.Reader +
*     CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(com.ibm.ws.management.security.resource.Reader USER(mvjePasUserId) SERVICE(READ) ALLOW)

* RACF command
*  PERMIT +
*     <safProfilePrefix>.com.ibm.ws.management.security.resource.Administrator +
*     CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(com.ibm.ws.management.security.resource.Administrator USER(mvjePasUserId) SERVICE(READ) ALLOW)

* RACF command
*  PERMIT +
*  <safProfilePrefix>.com.ibm.ws.management.security.resource.allAuthenticatedUsers+
*     CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(com.ibm.ws.management.security.resource.allAuthenticatedUsers USER(mvjePasUserId) SERVICE(READ) ALLOW)

* EJB resource rules must be made globally resident through a resident directory (INFODIR)
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-REJB)
F ACF2,REBUILD(EJB)
* (For z/OS Connect EE JVMs) Use the CERTMAP record to create
*   a mapping of the PAS distinguished name back to the logonid. 
SET CONTROL(GSO)
INSERT CERTMAP.mvjava SDNFILTR("CN=<hostname>.OU=AMI.O=BMC")  -
 USERID(<mvjavaUserId>) LABEL(<mvjavaUserId>-MAP)   

* Create a certificate for the MVJE PAS 
*
* Keyring/Certificate Notes
* The IBM documentation 'Setting up RACF for z/OS Connect EE
*  and Liberty JVMs' indicates that there are two options:

* 1) If you sign all of the Liberty JVMs into the system with the same CERTAUTH (CA).
* 2) If you sign the Liberty JVMs into the system with different CAs.

* There are no RACF commands for this part; the steps are as follows.

* Generate a default personal certificate for the MVJE PAS, using either the
* CERTAUTH (CA) that signed your Liberty JVMs' certificates, or a newly
* generated CA certificate that will be used to sign the default personal
* certificate for the MVJE PAS.

* Create a KeyRing for the MVJE PAS.
* Add(CONNECT) the default personal certificate for the MVJE PAS and the 
* CA certificate that signed it to the Keyring created.

ACF
* GENCERT if using the CERTAUTH(CA) that signed your Liberty JVMs' certificates
* (replace SIGNWITH with the CERTDATA record name of that CA; labels containing
*  blanks must be enclosed in quotes)
GENCERT MVJEPAS.CERT SUBJSDN(.....) LABEL('MVJE PAS Certificate') SIGNWITH(<your Liberty CA>)
* GENCERTs if using different CAs
GENCERT CERTAUTH.SIGNER SUBJSDN(.....) LABEL('MY COMPANY CA') EXPIRE(12/31/25)
GENCERT MVJEPAS.CERT SUBJSDN(.....) LABEL('MVJE PAS Certificate') SIGNWITH(CERTAUTH.SIGNER)
*
SET PROFILE(USER) DIV(KEYRING)
INSERT MVJEPAS.RING RINGNAME(MVJEPASRing)
*
SET PROFILE(USER) DIV(KEYRING)
* If using the CERTAUTH(CA) that signed your Liberty JVMs certificates
* change CERTAUTH.SIGNER to the CERTDATA record name of the CERTAUTH(CA) 
* that signed your Liberty JVMs certificates
CONNECT CERTDATA(CERTAUTH.SIGNER) KEYRING(MVJEPAS.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(MVJEPAS.CERT) KEYRING(MVJEPAS.RING) USAGE(PERSONAL)
*
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS 
F ACF2,OMVS(CERTDATA)
/*
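After the job above has run, it is worth confirming that each rule, GSO record, certificate and keyring connection actually exists before starting the MVJE PAS. The following ACFBATCH job is an added verification example, not part of the original article; it uses the same record names as the job above (safProfilePrefix, CERTMAP.mvjava, MVJEPAS.CERT, MVJEPAS.RING), which are placeholders to be replaced with your site's values.

```jcl
//ACFLIST  EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
* Display the APL and EJB rule sets built by the setup job.
* Each RECKEY entry should appear as a rule line with SERVICE(READ) ALLOW.
SET RESOURCE(APL)
LIST safProfilePrefix
SET RESOURCE(EJB)
LIST safProfilePrefix
* Confirm that R-REJB is in the resident directory and that the
* certificate-to-logonid mapping record was inserted.
SET CONTROL(GSO)
LIST INFODIR
LIST CERTMAP.mvjava
* Confirm the MVJE PAS certificate and CA certificate records, and
* check the certificate chain (CHKCERT shows issuer, subject, dates).
SET PROFILE(USER) DIV(CERTDATA)
LIST MVJEPAS.CERT
CHKCERT MVJEPAS.CERT
LIST CERTAUTH.SIGNER
* Confirm the keyring exists and that both certificates are connected
* to it with the expected USAGE (PERSONAL for the PAS, CERTAUTH for the CA).
SET PROFILE(USER) DIV(KEYRING)
LIST MVJEPAS.RING
/*
```

Note that the F ACF2,... lines in the setup job are MVS MODIFY operator commands; they are issued from the console (or from SDSF with a leading /) rather than read as ACFBATCH subcommands, so the REBUILD and OMVS refreshes must have been issued before the LIST output will reflect the new rules and certificates in the running system.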