IBM Z Software Asset Management security configuration with Top Secret
Article ID: 377810

Products

Top Secret

Issue/Introduction

This article documents the Top Secret commands for implementing security for IBM Z Software Asset Management version 8.3.

The samples in the Software Asset Management manual give an overview of the RACF activities only; the equivalent steps for other security products are not documented.

The instructions to implement security with IBM RACF are documented in the following reference:

IBM Z Software Asset Management 8.3 Administration Guide and Reference (pages 156-161).

Environment

Top Secret 16.0

IBM Z Software Asset Management version 8.3. 

Resolution

These are the Top Secret commands that implement the security for IBM Z Software Asset Management.

Translation of the RACF commands that are in the HSISANS1 member of JCLLIB:

 

/*--------------------------------------------------------------*/
/* IZSAM ANALYZER DATABASE PROFILES */
/*--------------------------------------------------------------*/
RDELETE FACILITY IZSAM.DB.AU*
RDEFINE FACILITY IZSAM.DB.AU* UACC(NONE)
PERMIT IZSAM.DB.AU* ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR,AUID001)

RDELETE FACILITY IZSAM.DB.*
RDEFINE FACILITY IZSAM.DB.* UACC(NONE)
PERMIT IZSAM.DB.* ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)
PERMIT IZSAM.DB.* ACCESS(NONE) -
CLASS(FACILITY) ID(AUID001)

 

 Top Secret commands:



TSS ADD(owner) IBMFAC(IZSAM.)
TSS PERMIT(IZSAMADM) IBMFAC(IZSAM.DB.AU*) ACCESS(READ)
TSS PERMIT(IZSAMUSR) IBMFAC(IZSAM.DB.AU*) ACCESS(READ)
TSS PERMIT(AUID001)  IBMFAC(IZSAM.DB.AU*) ACCESS(READ)

TSS PERMIT(IZSAMADM) IBMFAC(IZSAM.DB.) ACCESS(READ)
TSS PERMIT(IZSAMUSR) IBMFAC(IZSAM.DB.) ACCESS(READ)
TSS PERMIT(AUID001) IBMFAC(IZSAM.DB.) ACCESS(NONE)

 

/*--------------------------------------------------------------*/
/* IZSAM ANALYZER MENU PROFILES */
/*--------------------------------------------------------------*/
RDELETE FACILITY IZSAM.MENU.ASSET
RDEFINE FACILITY IZSAM.MENU.ASSET UACC(NONE)
PERMIT IZSAM.MENU.ASSET ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR,AUID001)

RDELETE FACILITY IZSAM.MENU.DISC
RDEFINE FACILITY IZSAM.MENU.DISC UACC(NONE)
PERMIT IZSAM.MENU.DISC ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)

RDELETE FACILITY IZSAM.MENU.ADMINR
RDEFINE FACILITY IZSAM.MENU.ADMINR UACC(NONE)
PERMIT IZSAM.MENU.ADMINR ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)

RDELETE FACILITY IZSAM.MENU.ADMIN
RDEFINE FACILITY IZSAM.MENU.ADMIN UACC(NONE)
PERMIT IZSAM.MENU.ADMIN ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM)

RDELETE FACILITY IZSAM.MENU.ADMIN.LIB_CLASSIFICATION
RDEFINE FACILITY IZSAM.MENU.ADMIN.LIB_CLASSIFICATION UACC(NONE)
PERMIT IZSAM.MENU.ADMIN.LIB_CLASSIFICATION ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM)

RDELETE FACILITY IZSAM.MENU.CUSTOM
RDEFINE FACILITY IZSAM.MENU.CUSTOM UACC(NONE)
PERMIT IZSAM.MENU.CUSTOM ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)
SETROPTS RACLIST(FACILITY) REFRESH

 

 Top Secret Commands:



TSS PERMIT(IZSAMADM) IBMFAC(IZSAM.MENU.ASSET) ACCESS(READ)
TSS PERMIT(IZSAMUSR) IBMFAC(IZSAM.MENU.ASSET) ACCESS(READ)
TSS PERMIT(AUID001) IBMFAC(IZSAM.MENU.ASSET) ACCESS(READ)

TSS PERMIT(IZSAMADM) IBMFAC(IZSAM.MENU.DISC) ACCESS(READ)
TSS PERMIT(IZSAMUSR) IBMFAC(IZSAM.MENU.DISC) ACCESS(READ)

TSS PERMIT(IZSAMADM) IBMFAC(IZSAM.MENU.ADMINR) ACCESS(READ)
TSS PERMIT(IZSAMUSR) IBMFAC(IZSAM.MENU.ADMINR) ACCESS(READ)

TSS PERMIT(IZSAMADM) IBMFAC(IZSAM.MENU.ADMIN) ACCESS(READ)

TSS PERMIT(IZSAMADM) IBMFAC(IZSAM.MENU.ADMIN.LIB_CLASSIFICATION) ACCESS(READ)

TSS PERMIT(IZSAMADM) IBMFAC(IZSAM.MENU.CUSTOM) ACCESS(READ)
TSS PERMIT(IZSAMUSR) IBMFAC(IZSAM.MENU.CUSTOM) ACCESS(READ)
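The translation above is mechanical: each RDEFINE FACILITY profile is covered by an IBMFAC ownership of its top-level prefix, each RACF PERMIT becomes one TSS PERMIT per user ID, and a generic profile such as IZSAM.DB.* becomes the Top Secret prefix IZSAM.DB. (an AU*-style mask is kept as it is). The Python script below is an added example, not part of this article or of the product; it applies those rules to a constructed sample in the style of HSISANS1 and uses the same placeholder owner ACID, 'owner', as the article.

```python
import re

# Constructed sample in the style of the HSISANS1 member (continuation lines end in ' -').
SAMPLE_RACF = """\
RDELETE FACILITY IZSAM.DB.AU*
RDEFINE FACILITY IZSAM.DB.AU* UACC(NONE)
PERMIT IZSAM.DB.AU* ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR,AUID001)
RDEFINE FACILITY IZSAM.DB.* UACC(NONE)
PERMIT IZSAM.DB.* ACCESS(READ) -
CLASS(FACILITY) ID(IZSAMADM,IZSAMUSR)
PERMIT IZSAM.DB.* ACCESS(NONE) -
CLASS(FACILITY) ID(AUID001)
SETROPTS RACLIST(FACILITY) REFRESH
"""

def logical_commands(text):
    """Join continued RACF lines (trailing '-') into one command per entry."""
    cmds, pending = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("-"):
            pending += line[:-1].rstrip() + " "
        else:
            cmds.append((pending + line).strip())
            pending = ""
    return cmds

def keywords(cmd):
    """Map the KEYWORD(value) operands of a RACF command, e.g. {'ACCESS': 'READ'}."""
    return {k.upper(): v for k, v in re.findall(r"(\w+)\(([^)]*)\)", cmd)}

def tss_resource(profile):
    """A RACF generic 'X.*' is the Top Secret prefix 'X.'; any other name is kept."""
    return profile[:-1] if profile.endswith(".*") else profile

def translate_facility(text, owner="owner"):
    """TSS equivalents: one IBMFAC ownership per top-level qualifier (placeholder
    ACID 'owner'), then one TSS PERMIT per ACID of each RACF PERMIT; RDELETE and
    SETROPTS REFRESH have no counterpart in the translation."""
    owned, permits = {}, []
    for cmd in logical_commands(text):
        parts, kw = cmd.split(), keywords(cmd)
        if parts[0] == "RDEFINE" and parts[1] == "FACILITY":
            owned[parts[2].split(".")[0] + "."] = None  # dict keeps first-seen order
        elif parts[0] == "PERMIT" and kw.get("CLASS") == "FACILITY":
            access = kw.get("ACCESS") or kw.get("AC")  # RACF accepts both spellings
            for acid in kw["ID"].split(","):
                permits.append(f"TSS PERMIT({acid}) IBMFAC({tss_resource(parts[1])}) ACCESS({access})")
    return [f"TSS ADD({owner}) IBMFAC({p})" for p in owned] + permits
```

The script covers only the FACILITY/IBMFAC commands of this step; the RACDCERT and keyring commands of the following members have no line-by-line mapping and are translated by hand below.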


Translation of the RACF commands that are in the HSISANS2 member of JCLLIB:



PROF NOPREF

RACDCERT DELETE(LABEL('LOCALCA')) CERTAUTH
RACDCERT DELETE(LABEL('IZSAMCERT')) ID(Userid-running-HSISANLO)
RACDCERT ID(Userid-running-HSISANLO) DELRING(IZSAM_KEYRING)

SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)

RACDCERT ID(Userid-running-HSISANLO) ADDRING(IZSAM_KEYRING)

 

Top Secret command:

TSS ADD(Userid-running-HSISANLO) KEYRING(Keyringname) LABLRING(IZSAM_KEYRING)

Note: The RACF command creates a keyring named IZSAM_KEYRING, but Top Secret only accepts 8-byte ring names, so use another name (Keyringname) and update the GSK_KEYRING_FILE parameter accordingly in the HSISANP2 member of the PARMLIB.

 

RACDCERT ID(Userid-running-HSISANLO) CERTAUTH GENCERT -
SUBJECTSDN( O('Your Organization') -
CN('Your Domain') -
C('US')) TRUST -
WITHLABEL('LOCALCA') -
KEYUSAGE(CERTSIGN)



Top Secret command:

TSS GENCERT(CERTAUTH) DIGICERT(DIGILOCA)
       SUBJECTN('CN="Your Domain" O="Your Organization" C=US')
       LABLCERT(LOCALCA)
       KEYUSAGE(CERTSIGN)
       TRUST

 

 

RACDCERT ID(Userid-running-HSISANLO) GENCERT -
SUBJECTSDN (CN('IZSAMCERT') -
OU('Your Dept.') -
C('US')) -
WITHLABEL('IZSAMCERT') -
SIGNWITH(CERTAUTH -
LABEL('LOCALCA'))

 

Top Secret command:

TSS GENCERT(Userid-running-HSISANLO) DIGICERT(DIGIIZSA)
       SUBJECTN('CN="IZSAMCERT" OU="Your Dept." C=US')
       LABLCERT(IZSAMCERT)
       SIGNWITH(CERTAUTH,DIGILOCA)




RACDCERT ID(Userid-running-HSISANLO) -
CONNECT(ID(Userid-running-HSISANLO) -
LABEL('IZSAMCERT') -
RING(IZSAM_KEYRING) -
DEFAULT -
USAGE(PERSONAL))



Top Secret command:



TSS ADD(Userid-running-HSISANLO) KEYRING(Keyringname) 
  RINGDATA(Userid-running-HSISANLO,DIGIIZSA) USAGE(PERSONAL) DEFAULT



RACDCERT ID(Userid-running-HSISANLO) -
CONNECT(ID(Userid-running-HSISANLO) CERTAUTH -
LABEL('LOCALCA') -
RING(IZSAM_KEYRING) -
USAGE(CERTAUTH))

 

Top Secret command:

TSS ADD(Userid-running-HSISANLO) KEYRING(Keyringname) 
RINGDATA(CERTAUTH,DIGILOCA) USAGE(CERTAUTH)

 



SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH
PROF NOPREF
RDEL FACILITY IRR.DIGTCERT.LIST
RDEL FACILITY IRR.DIGTCERT.LISTRING
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) -
ID(Userid-running-HSISANLO) AC(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
ID(Userid-running-HSISANLO) AC(READ)
SETR RACLIST(FACILITY) REFRESH

 

Top Secret commands:

 

TSS ADD(owner) IBMFAC(IRR.)
TSS PER(Userid-running-HSISANLO) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(READ)
TSS PER(Userid-running-HSISANLO) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(READ)

Note: The IRR. resource may already be owned.



Translation of the RACF commands that are in the HSISANS3 member of JCLLIB, which enable the IZSAM Analyzer to use HTTP secure (HTTPS) with an existing CA certificate:

 

PROF NOPREF
RACDCERT DELETE(LABEL('IZSAMCERT')) ID(Userid-running-HSISANLO)
RACDCERT ID(Userid-running-HSISANLO) DELRING(IZSAM_KEYRING)
SETROPTS CLASSACT(DIGTCERT,DIGTNMAP)

RACDCERT ID(Userid-running-HSISANLO) ADDRING(IZSAM_KEYRING)



Top Secret command:

 

TSS ADD(Userid-running-HSISANLO) KEYRING(Keyringname) LABLRING(IZSAM_KEYRING)

 

RACDCERT ID(Userid-running-HSISANLO) GENCERT -
SUBJECTSDN (CN('IZSAMCERT') -
OU('Your Dept.') -
C('US')) -
WITHLABEL('IZSAMCERT')

 

Top Secret command:



TSS GENCERT(Userid-running-HSISANLO) DIGICERT(DIGIIZSA)
       SUBJECTN('CN="IZSAMCERT" OU="Your Dept." C=US')
       LABLCERT(IZSAMCERT)

 

       

RACDCERT ID(Userid-running-HSISANLO) -
CONNECT(ID(Userid-running-HSISANLO) -
LABEL('IZSAMCERT') -
RING(IZSAM_KEYRING) -
DEFAULT -
USAGE(PERSONAL))



Top Secret command:



TSS ADD(Userid-running-HSISANLO) KEYRING(Keyringname) 
RINGDATA(Userid-running-HSISANLO,DIGIIZSA) USAGE(PERSONAL) DEFAULT



RACDCERT ID(Userid-running-HSISANLO) -
CONNECT(ID(Userid-running-HSISANLO) CERTAUTH -
LABEL('Entrust Secure Server Root CA') -
RING(IZSAM_KEYRING) -
USAGE(CERTAUTH))
SETROPTS RACLIST(DIGTCERT,DIGTNMAP) REFRESH



Top Secret command:

 

TSS ADD(Userid-running-HSISANLO) KEYRING(Keyringname)
  RINGDATA(CERTAUTH,digicert-of-Entrust-Secure-Server-Root-CA) USAGE(CERTAUTH)

 

 

PROF NOPREF
RDEL FACILITY IRR.DIGTCERT.LIST
RDEL FACILITY IRR.DIGTCERT.LISTRING
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) -
ID(Userid-running-HSISANLO) AC(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
ID(Userid-running-HSISANLO) AC(READ)
SETR RACLIST(FACILITY) REFRESH

Top Secret commands:



TSS ADD(owner) IBMFAC(IRR.)
TSS PER(Userid-running-HSISANLO) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(READ)
TSS PER(Userid-running-HSISANLO) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(READ)

Note: The IRR. resource may already be owned.



Two more settings are necessary:

1. Page 21 of the IBM Z Software Asset Management 8.3 Administration Guide and Reference explains that security administrators can use permissions to the HSICANLZ resource in the APPL RACF class to control which users are allowed to log on to the Analyzer.

The TSS command is:

TSS PERMIT(UserID) APPL(HSICANLZ)

Note: READ is the default access level.

2. For RDATALIB (certificate related):

The TSS commands are:

TSS ADD(xxxxDEPT) RDATALIB(HSIJANLO)

TSS PER(xxxxxx) RDATALIB(xxxxxx.IZSAM_KEYRING.LST) ACC(UPD)