ACF2 equivalent commands for Setting up RACF for z/OS Connect EE and Liberty JVMs.
Release : 16.0
The following ACFBATCH job contains the ACF2 equivalent commands for the steps in "Setting up security for z/OS Connect EE and Liberty JVMs". ACFBATCH reads its commands from SYSIN, so the commands below are supplied as instream data and the job is closed by the /* delimiter at the end.
//ACFBATCH EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//SYSIN    DD *
*
* Grant authorization to EJBROLE objects
*
* RACF command
* PE CLASS(APPL) <safProfilePrefix> +
* ID(<safProfilePrefix>) ACCESS(READ)
SET RESOURCE(APL)
RECKEY safProfilePrefix ADD(USER(safProfilePrefix) SERVICE(READ) ALLOW)
*
* Note: Use TYPE(APL) (SET RESOURCE(APL)) if a CLASMAP record maps resource class APPL to TYPE(APL);
* otherwise use the default TYPE(SAF).
*
* RACF command
* PE <safProfilePrefix>.zos.connect.access.roles.zosConnectAccess +
* CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(zos.connect.access.roles.zosConnectAccess USER(mvjePasUserId) SERVICE(READ) ALLOW)
*
* RACF command
* PE <safProfilePrefix>.zos.connect.access.roles.zosConnectAdmin +
* CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(zos.connect.access.roles.zosConnectAdmin USER(mvjePasUserId) SERVICE(READ) ALLOW)
*
* RACF command
* PERMIT <safProfilePrefix>.com.ibm.ws.management.security.resource.Reader +
* CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(com.ibm.ws.management.security.resource.Reader USER(mvjePasUserId) SERVICE(READ) ALLOW)
*
* RACF command
* PERMIT +
* <safProfilePrefix>.com.ibm.ws.management.security.resource.Administrator +
* CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(com.ibm.ws.management.security.resource.Administrator USER(mvjePasUserId) SERVICE(READ) ALLOW)
*
* RACF command
* PERMIT +
* <safProfilePrefix>.com.ibm.ws.management.security.resource.allAuthenticatedUsers+
* CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)
SET RESOURCE(EJB)
RECKEY safProfilePrefix ADD(com.ibm.ws.management.security.resource.allAuthenticatedUsers USER(mvjePasUserId) SERVICE(READ) ALLOW)
*
* EJB resource rules must be made globally resident through a resident
* directory, which is defined in the GSO INFODIR record.
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-REJB)
* The following are MVS operator (MODIFY) commands. Issue them from the
* console, not as ACFBATCH input: REFRESH activates the changed INFODIR
* record and REBUILD builds the resident EJB directory.
* F ACF2,REFRESH(INFODIR)
* F ACF2,REBUILD(EJB)
* (For z/OS Connect EE JVMs) Use the CERTMAP record to create
* a mapping of the PAS distinguished name back to the logonid.
SET CONTROL(GSO)
INSERT CERTMAP.mvjava SDNFILTR("CN=<hostname>.OU=AMI.O=BMC") -
USERID(<mvjavaUserId>) LABEL(<mvjavaUserId>-MAP)
*
* Create a certificate for the MVJE PAS
*
* Keyring/Certificate Notes
* The IBM documentation 'Setting up RACF for z/OS Connect EE and
* Liberty JVMs' describes two options:
*
* 1) All Liberty JVMs on the system are signed with the same CERTAUTH (CA) certificate.
* 2) The Liberty JVMs are signed with different CAs.
*
* There are no RACF commands for this part; the steps are as follows.
*
* Generate a default personal certificate for the MVJE PAS, using either the
* CERTAUTH (CA) that signed your Liberty JVMs' certificates or a newly
* generated CA certificate that will be used to sign the default personal
* certificate for the MVJE PAS.
*
* Create a keyring for the MVJE PAS.
* Add (CONNECT) the default personal certificate for the MVJE PAS and the
* CA certificate that signed it to the keyring you created.
*
* Certificate and keyring commands for the MVJE PAS
* GENCERT if using the CERTAUTH (CA) that signed your Liberty JVMs' certificates
GENCERT MVJEPAS.CERT SUBJSDN(.....) LABEL(MVJE PAS Certificate) SIGNWITH(your Liberty CA)
* GENCERTs if using different CAs
GENCERT CERTAUTH.SIGNER SUBJSDN(.....) LABEL(MY COMPANY CA) EXPIRE(12/31/25)
GENCERT MVJEPAS.CERT SUBJSDN(.....) LABEL(MVJE PAS Certificate) SIGNWITH(CERTAUTH.SIGNER)
*
SET PROFILE(USER) DIV(KEYRING)
INSERT MVJEPAS.RING RINGNAME(MVJEPASRing)
*
SET PROFILE(USER) DIV(KEYRING)
* If using the CERTAUTH(CA) that signed your Liberty JVMs certificates
* change CERTAUTH.SIGNER to the CERTDATA record name of the CERTAUTH(CA)
* that signed your Liberty JVMs certificates
CONNECT CERTDATA(CERTAUTH.SIGNER) KEYRING(MVJEPAS.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(MVJEPAS.CERT) KEYRING(MVJEPAS.RING) USAGE(PERSONAL)
*
* The following are MVS operator (MODIFY) commands. Issue them from the
* console, not as ACFBATCH input: rebuild the USER profile directory and
* refresh the OMVS and CERTDATA information so the new keyring is usable.
* F ACF2,REBUILD(USR),CLASS(P)
* F ACF2,OMVS
* F ACF2,OMVS(CERTDATA)
/*
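The RACF PERMIT to ACF2 SET RESOURCE / RECKEY translation that the job above applies by hand, written out as an added Python example (not part of the job, nor of any ACF2 or RACF tool): it joins the '+' continuation lines of the RACF comments, parses CLASS, ID and ACCESS, and emits the ACF2 pair. The class-to-type table is the one the job uses; the UPDATE and NONE mappings and the sample values SAFPFX and PASUSER are assumptions and constructed placeholders.

```python
import re

# RACF resource class -> ACF2 resource TYPE, as in the job above (EJBROLE -> EJB;
# APPL -> APL assumes the CLASMAP record mentioned in the job's note).
CLASS_TO_TYPE = {"EJBROLE": "EJB", "APPL": "APL"}
# RACF ACCESS level -> ACF2 rule-entry permission. The job only uses READ;
# UPDATE and NONE (a PREVENT entry) are added here as an assumption.
ACCESS_TO_ENTRY = {"READ": "SERVICE(READ) ALLOW", "UPDATE": "SERVICE(UPDATE) ALLOW", "NONE": "PREVENT"}
KEYWORD_RE = re.compile(r"(\w+)\(([^)]*)\)")  # matches e.g. CLASS(EJBROLE)


def join_continuations(text):
    """Join TSO command lines continued with a trailing '+', as in the RACF comments."""
    commands, pending = [], ""
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.endswith("+"):
            pending += s[:-1].rstrip() + " "
        else:
            commands.append(pending + s)
            pending = ""
    return commands


def racf_permit_to_acf2(command):
    """Translate one RACF PERMIT into the ACF2 SET RESOURCE / RECKEY pair."""
    verb, _, rest = command.strip().partition(" ")
    if verb.upper() not in ("PERMIT", "PE"):
        raise ValueError("not a PERMIT command: " + command)
    keywords = {k.upper(): v.strip() for k, v in KEYWORD_RE.findall(rest)}
    # What remains after removing KEYWORD(value) tokens is the profile name, so
    # both 'PE profile CLASS(..)' and 'PE CLASS(..) profile' (the APPL form) parse.
    leftovers = KEYWORD_RE.sub("", rest).split()
    if len(leftovers) != 1 or "ID" not in keywords:
        raise ValueError("cannot find profile name or ID() in: " + command)
    acf2_type = CLASS_TO_TYPE.get(keywords.get("CLASS", "").upper())
    entry = ACCESS_TO_ENTRY.get(keywords.get("ACCESS", "READ").upper())
    if acf2_type is None or entry is None:
        raise ValueError("unsupported CLASS() or ACCESS() in: " + command)
    # The first qualifier is the rule key ($KEY); the remainder names the rule entry.
    key, _, resource = leftovers[0].partition(".")
    name = resource + " " if resource else ""
    return [f"SET RESOURCE({acf2_type})",
            f"RECKEY {key} ADD({name}USER({keywords['ID']}) {entry})"]


def convert_permits(text):
    """Translate a block of RACF PERMIT commands into ACF2 lines."""
    return [line for cmd in join_continuations(text)
            for line in racf_permit_to_acf2(cmd)]
```

Review the generated RECKEY lines before running them: the converter only knows the two classes and the access levels listed above and raises ValueError for anything else.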