Setting Up Liberty Server For z/OS With Top Secret

Article ID: 37272

Products

CA Top Secret CA Top Secret - LDAP

Issue/Introduction

INTRODUCTION: 

How to translate the RACF commands used to set up Liberty Server for z/OS into the equivalent Top Secret commands.

INSTRUCTIONS:

Enabling z/OS authorized services in Liberty for z/OS

Liberty on z/OS® offers the ability for your applications to take advantage of z/OS authorized services for System Authorization Facility (SAF) authorization, Workload Manager (WLM), resource recovery services (RRS), and SVCDUMP. If your application requires these services, set up a Liberty angel process and grant access for your Liberty server to use these services.

About this task

To use the z/OS Authorized Services, you can set up the following types of profiles using a SAF security product such as RACF®:

  • SAF STARTED profile is required if you plan on running the Liberty server or the Liberty angel process as a z/OS Started Task. For more information about the Liberty angel process, see Liberty profile: Process types on z/OS.
  • SAF SERVER profile is required if you plan on having the Liberty server access any of the z/OS Authorized Services for your applications. You can find the description of each service in the following content.

Note: You do not need to set up RACF if you are not planning to run the Liberty server as a Started Task and you are not planning to use any of the authorized services.

Environment

Release: TOPSEC00200-15-Top Secret-Security

Resolution

Procedure

  • Create STARTED profiles for the PROCs for the angel and Liberty server processes. This action enables the angel and Liberty server to run as Started Tasks.
    • To cause the angel to run under the user ID WLPUSER0:

**The commands below assume that you have already created the user acid WLPUSER0 and the group acid WASUSER. Issue a TSS LIST(acid) for each of them to check whether they exist; if not, use the CREATE commands below. We do not know whether the acids need any permits beyond those in this document.**

TSS CREATE(WLPUSER0) TYPE(USER) PASS(xxxx,0) NAME('WLP0 USER') DEPT(dept)

TSS CREATE(WASUSER) TYPE(GROUP) NAME('WASUSER GROUP') DEPT(dept)

TSS ADD(WASUSER) GID(nnn) 

rdef started bbgzangl.* uacc(none) stdata(user(WLPUSER0)group(wasuser) privileged(no) trusted(no) trace(yes)) 

TSS ADD(STC) PROCNAME(BBGZANGL) ACID(WLPUSER0)

TSS ADD(WLPUSER0) GROUP(WASUSER) 

    • To cause a server running under the BBGZSRV procedure name to run under the user ID WLPUSER1:

**The commands below assume that you have already created the user acid WLPUSER1. Issue a TSS LIST(acid) for it to check whether it exists; if not, use the CREATE command below.**

TSS CREATE(WLPUSER1) TYPE(USER) PASS(xxxx,0) NAME('WLP1 USER') DEPT(dept) 

rdef started bbgzsrv.* uacc(none) stdata(user(WLPUSER1)group(wasuser) privileged(no) trusted(no) trace(yes)) 

TSS ADD(STC) PROCNAME(BBGZSRV) ACID(WLPUSER1)

TSS ADD(WLPUSER1) GROUP(WASUSER)

  • Create a SERVER profile for the angel process and permit the WLPUSER1 user ID. This action grants a Liberty server access to the angel process, which is required for the z/OS authorized services. To enable a server running as WLPUSER1 to connect to the angel:

**The command below assumes that you have already created the RESCLASS of SERVER. It is most likely that this RESCLASS is already defined.**

  • rdef server bbg.angel uacc(none) 

TSS ADD(dept) SERVER(BBG.)

permit bbg.angel class(server) access(read) id(wlpuser1) 

TSS PERMIT(WLPUSER1) SERVER(BBG.ANGEL) ACCESS(READ)

  • Create a SERVER profile for the authorized module BBGZSAFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to use the z/OS Authorized services. To enable a server running as WLPUSER1 to access the authorized module:
  • rdef server bbg.authmod.bbgzsafm uacc(none)

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzsafm class(server) access(read) id(wlpuser1) 

TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSAFM) ACCESS(READ)

  • Create SERVER profiles for the individual authorized services provided for the z/OS platform. These profiles enable the server to invoke the individual authorized services and these services are grouped by function:
    • To enable the SAF authorized user registry services and SAF authorization services (SAFCRED):
    • rdef server bbg.authmod.bbgzsafm.safcred uacc(none) 

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzsafm.safcred class(server) access(read) id(wlpuser1) 

TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSAFM.SAFCRED) ACCESS(READ)

    • To enable the WLM services (ZOSWLM):
    • rdef server bbg.authmod.bbgzsafm.zoswlm uacc(none) 

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzsafm.zoswlm class(server) access(read) id(wlpuser1)

TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSWLM) ACCESS(READ)

    • To enable the RRS transaction services (TXRRS):
    • rdef server bbg.authmod.bbgzsafm.txrrs uacc(none) 

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzsafm.txrrs class(server) access(read) id(wlpuser1) 

TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSAFM.TXRRS) ACCESS(READ)

    • To enable the SVCDUMP services (ZOSDUMP):
    • rdef server bbg.authmod.bbgzsafm.zosdump uacc(none) 

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzsafm.zosdump class(server) access(read) id(wlpuser1) 

TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSAFM.ZOSDUMP) ACCESS(READ)

    • To enable optimized local adapter services:
    • rdef server bbg.authmod.bbgzsafm.localcom uacc(none)

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzsafm.localcom class(server) access(read) id(wlpuser1)

TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSAFM.LOCALCOM) ACCESS(READ)

    • rdef server bbg.authmod.bbgzsafm.wola uacc(none)

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzsafm.wola class(server) access(read) id(wlpuser1) 

TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSAFM.WOLA) ACCESS(READ)

    • To enable the IFAUSAGE services (PRODMGR):
    • rdef server bbg.authmod.bbgzsafm.prodmgr uacc(none) 

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzsafm.prodmgr class(server) access(read) id(wlpuser1) 

TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSAFM.PRODMGR) ACCESS(READ)

  • Create a SERVER profile for the authorized client module BBGZSCFM and permit the Started Task user ID of the Liberty server to the profile. This action enables a Liberty server to load the z/OS Authorized client services. To enable a server that is running as WLPUSER1 to access the authorized client module:
  • rdef server bbg.authmod.bbgzscfm uacc(none) 

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzscfm class(server) access(read) id(wlpuser1) 

TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSCFM) ACCESS(READ)

  • Create SERVER profiles for the individual authorized client services provided for the z/OS platform. These profiles enable clients to invoke the individual authorized services provided by the server. These services are grouped by function:
    • To enable optimized local adapter services:
    • rdef server bbg.authmod.bbgzscfm.wola uacc(none) 

Already covered by the TSS ADD(dept) SERVER(BBG.) ownership record above.

permit bbg.authmod.bbgzscfm.wola class(server) access(read) id(wlpuser1) 
TSS PERMIT(WLPUSER1) SERVER(BBG.AUTHMOD.BBGZSCFM.WOLA) ACCESS(READ)
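As an added example (not part of the original article, and not CA/Broadcom or IBM code), the following Python script applies the RACF-to-Top Secret mapping used throughout this procedure: a STARTED profile becomes a TSS ADD(STC) PROCNAME() ACID() record plus a TSS ADD(acid) GROUP() record, a SERVER RDEFINE becomes one ownership record TSS ADD(dept) SERVER(prefix) the first time its prefix is seen (later RDEFINEs under the same prefix are reported as already covered, exactly as the article does), and each PERMIT becomes a TSS PERMIT. The class name RacfToTss, the DEPT placeholder, and the rule of owning at the first qualifier are my assumptions; a uacc other than none is flagged for manual review rather than translated, because the procedure only uses uacc(none).

```python
"""Translate the RACF RDEFINE/PERMIT forms used in the Liberty for z/OS
procedure into the Top Secret commands the article pairs them with.

Added example, not vendor code.  Assumptions: SERVER resources are owned
once at their first qualifier (the article issues a single
TSS ADD(dept) SERVER(BBG.)), DEPT is a placeholder department ACID, and
the RACF operands appear in the order used in the article.
"""
import re
from typing import List

# Constructed sample input: the RACF commands as they appear in the procedure.
SAMPLE_RACF = [
    "rdef started bbgzangl.* uacc(none) stdata(user(WLPUSER0)group(wasuser) privileged(no) trusted(no) trace(yes))",
    "rdef started bbgzsrv.* uacc(none) stdata(user(WLPUSER1)group(wasuser) privileged(no) trusted(no) trace(yes))",
    "rdef server bbg.angel uacc(none)",
    "permit bbg.angel class(server) access(read) id(wlpuser1)",
    "rdef server bbg.authmod.bbgzsafm uacc(none)",
    "permit bbg.authmod.bbgzsafm class(server) access(read) id(wlpuser1)",
    "rdef server bbg.authmod.bbgzsafm.safcred uacc(none)",
    "permit bbg.authmod.bbgzsafm.safcred class(server) access(read) id(wlpuser1)",
]

_STARTED = re.compile(r"^rdef\s+started\s+(\S+)\s+.*?stdata\((.*)\)\s*$", re.I)
_RDEF = re.compile(r"^rdef\s+(\w+)\s+(\S+)(?:\s+uacc\((\w+)\))?", re.I)
_PERMIT = re.compile(
    r"^permit\s+(\S+)\s+class\((\w+)\)\s+access\((\w+)\)\s+id\((\w+)\)", re.I)


def _operand(text: str, keyword: str):
    """Return the upper-cased value of keyword(value) inside STDATA, or None."""
    m = re.search(rf"{keyword}\((\w+)\)", text, re.I)
    return m.group(1).upper() if m else None


class RacfToTss:
    """Stateful translator: remembers which resource prefixes are already owned."""

    def __init__(self, dept: str = "DEPT"):
        self.dept = dept      # placeholder department ACID that owns the resources
        self.owned = set()    # resource prefixes already owned via TSS ADD(dept)

    def translate(self, racf_cmd: str) -> List[str]:
        """Return the TSS command(s) for one RACF command.

        Lines starting with '*' are reviewer annotations, not TSS commands.
        """
        cmd = racf_cmd.strip()
        m = _STARTED.match(cmd)           # must be tested before the generic RDEF
        if m:
            return self._started(m.group(1), m.group(2))
        m = _PERMIT.match(cmd)
        if m:
            res, cls, acc, acid = (g.upper() for g in m.groups())
            return [f"TSS PERMIT({acid}) {cls}({res}) ACCESS({acc})"]
        m = _RDEF.match(cmd)
        if m:
            uacc = (m.group(3) or "NONE").upper()
            return self._rdef(m.group(1).upper(), m.group(2).upper(), uacc)
        raise ValueError(f"unrecognised RACF command: {racf_cmd!r}")

    def _started(self, profile: str, stdata: str) -> List[str]:
        # STARTED profile "bbgzangl.*" -> PROCNAME(BBGZANGL); STDATA USER -> ACID
        proc = re.sub(r"\.\*$", "", profile).upper()
        user = _operand(stdata, "user")
        group = _operand(stdata, "group")
        if not user:
            raise ValueError("STDATA without USER() cannot be mapped to an STC record")
        out = [f"TSS ADD(STC) PROCNAME({proc}) ACID({user})"]
        if group:
            out.append(f"TSS ADD({user}) GROUP({group})")
        return out

    def _rdef(self, cls: str, resource: str, uacc: str) -> List[str]:
        # Own the resource once at its first qualifier (assumption: BBG. style prefix)
        prefix = resource.split(".")[0] + "."
        if prefix not in self.owned:
            self.owned.add(prefix)
            out = [f"TSS ADD({self.dept}) {cls}({prefix})"]
        else:
            out = [f"* {cls}({resource}) already covered by ownership of {prefix}"]
        if uacc != "NONE":
            # The article only uses uacc(none); anything else needs a human decision.
            out.append(f"* WARNING: uacc({uacc}) not translated; review default access manually")
        return out


def translate_all(commands: List[str], dept: str = "DEPT") -> List[str]:
    """Translate a whole RACF command list in order, flattening the result."""
    translator = RacfToTss(dept)
    result: List[str] = []
    for cmd in commands:
        result.extend(translator.translate(cmd))
    return result


if __name__ == "__main__":
    for line in translate_all(SAMPLE_RACF):
        print(line)
```

Run the script to print the TSS equivalents of the sample list; feed it a different list (or a different department ACID) via translate_all to check a site's own RACF worksheet before keying the commands.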