Implementing security for the z/OS CIM Server

Article ID: 41804


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

How to set up security for the z/OS CIM Server using ACF2.


Environment

Release:
Component: ACF2MS

Resolution

Configure the CIM Server Using ACF2 Security

This article describes how to configure CIM servers using ACF2 security.
This article contains the following topics:

Configure the CIM Server Security Using ACF2
Create Certificates and Key Rings on CIM Server Using ACF2

Configure the CIM Server Security Using ACF2
This topic describes the ACF2 commands that define the logonid, group, resource rules and started-task record that the z/OS CIM Server needs. The CIM server runs under its own logonid and, through BPX.SERVER and the SURROGAT rule below, executes requests under the identity of the authenticated end user, so the rules keep what the server itself may do separate from what an end user may do.

Note: The attached file contains sample JCL to guide and help you perform
the steps that are described in this topic.

Follow these steps:

Note: The sample commands use UID masks such as "****************CFZSRV", where each asterisk matches one character of the site-defined UID string that precedes the logonid.
Change the masks to match the UID string layout at your site; a mask that is too loose grants the access to more logonids than intended.

Create the default CIM server ID and group.
The following logonid and group are the defaults that are required to run the CIM server:
CFZSRV: the logonid under which the CIM server started task runs.
CFZSRVGP: the group that the started task uses.
First create the group.
Note: Replace &GIDNUM with a valid GID for the new group.
The following code is an example of the required syntax:

SET PROFILE(GROUP) DIV(OMVS)
INSERT CFZSRVGP GID(&GIDNUM)

Create the default CIM server logonid.

The default started-task logonid is CFZSRV and runs as UID(0), that is, as a z/OS UNIX superuser. Because UID(0) carries full authority over the z/OS UNIX file system, keep this logonid for the started task only: MUSASS marks it as a multiple-user single address space, RESTRICT means that no password is associated with it, and NO-SMC disables step-must-complete for it.
The following code is an example of the syntax:

SET LID
INSERT CFZSRV NAME(CIM SERVER ID) GROUP(CFZSRVGP) -
MUSASS NO-SMC OMVSPGM(/bin/sh) PTICKET RESTRICT -
HOME(/u/cfzsrv) UID(0)

F ACF2,REBUILD(USR),CLASS(P)
F ACF2,REBUILD(GRP),CLASS(P)
F ACF2,OMVS

Give CFZSRV read, write, execute and allocate access to data sets with its own high-level qualifier:

SET RULE
RECKEY CFZSRV ADD(- UID(****************CFZSRV) -
R(A) W(A) E(A) A(A))

Define the WBEM resource class. 

If the WBEM resource class already exists in your environment, skip this step.  
The following code is an example of the syntax:

SET CONTROL(GSO)
INSERT CLASMAP.WBEM RESOURCE(WBEM) RSRCTYPE(WBE) ENTITYLN(246)
CHANGE INFODIR TYPES(R-RWBE) ADD
F ACF2,REFRESH(CLASMAP)
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(WBE)

Grant CFZSRV full access to the CIMSERV resource in the WBEM class, and grant the end user READ and UPDATE access to it.
DELETE and ADD stay with the server logonid only.
Replace &ENDUSER with an existing logonid that has an OMVS segment and is not UID(0).
The following code is an example of the syntax:

SET RESOURCE(WBE)
RECKEY CIMSERV ADD(UID(****************&ENDUSER) SERVICE(READ,UPDATE) ALLOW)
RECKEY CIMSERV ADD(UID(****************CFZSRV) SERVICE(READ,UPDATE,DELETE,ADD) ALLOW)
F ACF2,REBUILD(WBE)

Set up the required surrogate access.
The BPX.SRV.- entry in the SURROGAT class lets CFZSRV run work under the identity of any CIM end user it has authenticated, which is how requests execute with the requester's authority rather than the server's. The trailing dash matches every user ID; if only a known set of logonids uses CIM, a narrower mask limits the identities the server can assume.
The following code is an example of the syntax:

SET RES(SUR)
RECKEY BPX ADD(SRV.- UID(****************CFZSRV) SERVICE(READ) ALLOW)
F ACF2,REBUILD(SUR)

Permit CFZSRV access to the required IBM facility resources.
You permit CFZSRV UPDATE access to BPX.SERVER,
READ access to BPX.SMF so that it can write SMF records,
and READ access to BPX.CONSOLE so that it can write to the console.
The following code is an example of the syntax:

SET RES(FAC)
RECKEY BPX ADD(SERVER UID(****************CFZSRV) SERVICE(READ,UPDATE) ALLOW)
RECKEY BPX ADD(SMF UID(****************CFZSRV) SERVICE(READ) ALLOW)
RECKEY BPX ADD(CONSOLE UID(****************CFZSRV) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)

Create the CFZAPPL resource class and permit access to it.
You permit CFZSRV and the CIM end user READ access to the CFZAPPL resource.
The following code is an example of the syntax:

SET CONTROL(GSO)
INSERT CLASMAP.CFZAPPL ENTITYLN(255) RESOURCE(CFZAPPL) RSRCTYPE(CFZ)
F ACF2,REFRESH(CLASMAP)
CHANGE INFODIR TYPES(R-RCFZ) ADD
F ACF2,REFRESH(INFODIR)
SET RESOURCE(CFZ)
RECKEY CFZAPPL ADD(UID(****************&ENDUSER) SERVICE(READ) ALLOW)
RECKEY CFZAPPL ADD(UID(****************CFZSRV) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CFZ) 

Set up the security that the automatic restart manager (ARM) requires.
If the CIM server registers with ARM, give CFZSRV UPDATE access to the IXCARM.DEFAULT.CFZ_SRV_* resources in the FACILITY class.
The following code is an example of the syntax:

SET RESOURCE(FAC)
RECKEY IXCARM ADD(DEFAULT.CFZ_SRV_- UID(****************CFZSRV) SERVICE(UPDATE) ALLOW)
F ACF2,REBUILD(FAC)

Define CFZSRV as the started-task logonid for CIM.
The GSO STC record below assigns logonid CFZSRV and group CFZSRVGP to the CFZCIM started task.
The following code is an example of the syntax:

SET CONTROL(GSO)
INSERT STC.DAAS GROUP(CFZSRVGP) LOGONID(CFZSRV) STCID(CFZCIM)
F ACF2,REFRESH(STC)

Permit the CIM cluster and JES jobs providers to access CEA.
The data set rule gives the CIM end user and CFZSRV read and write access to CEA.* data sets, and the SERVAUTH rule gives them UPDATE access to the CEA.* resources.
The following code is an example of the syntax: 

SET RULE
RECKEY CEA ADD(- UID(****************&ENDUSER) R(A) W(A))
RECKEY CEA ADD(- UID(****************CFZSRV) R(A) W(A))
SET RESOURCE(SER)
RECKEY CEA ADD(- UID(****************&ENDUSER) SERVICE(UPDATE) ALLOW)
RECKEY CEA ADD(- UID(****************CFZSRV)  SERVICE(UPDATE) ALLOW)
F ACF2,REBUILD(SER)

(Optional) Configure multilevel security (MLS) on the CIM server.
When the CIM server runs on a multilevel secure (MLS) z/OS system,
providers execute in several provider agent processes,
depending on the security classification of the user and the port of entry,
independently of the CIM server configuration.
For more information, see the ACF2 Multilevel Security Planning Guide.

Because of this, give the CIM server logonid CFZSRV READ access to BPX.POE in the FACILITY class.
The following code is an example of the syntax:

SET RES(FAC)
RECKEY BPX ADD(POE UID(****************CFZSRV) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)

Add permissions to access IOSCDR.
The following code is an example of the syntax that you use
to allow the Data Service Probe to access device identification information:

SET RES(FAC)
RECKEY IOSCDR ADD(UID(****************&ENDUSER) SERVICE(UPDATE) ALLOW)
F ACF2,REBUILD(FAC)

Add permissions for the users who access the Data Service Probe.
You configure CA Unified Infrastructure Management Operations for z Systems and
CA Unified Infrastructure Management Storage for z Systems to connect to CIM with
a single logonid and password, and you give that logonid permission to access RMF through the Distributed Data Server (GPMSERVE), including the PassTicket rule in the PTKTDATA class that it needs.
The following code is an example of the syntax:

SET RES(STC)
RECKEY STC ADD(UID(****************&ENDUSER) SERVICE(READ) ALLOW)
SET CONTROL(GSO)
INSERT CLASMAP.STC RESOURCE(STC) RSRCTYPE(STC)
F ACF2,REFRESH(CLASMAP)
CHANGE INFODIR TYPES(R-RSTC) ADD
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(STC)
SET RESOURCE(PTK)
RECKEY IRRPTAUTH ADD(GPMSERVE.- UID(****************&ENDUSER) SERVICE(READ,UPDATE) ALLOW)
F ACF2,REBUILD(PTK),CLASS(P)
SET RES(FAC)
RECKEY GPMSERVE ADD(UID(****************&ENDUSER) SERVICE(READ,UPDATE) ALLOW)
F ACF2,REBUILD(FAC)
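The rule set that the steps above build, modelled in Python so that the separation between the server logonid and the end user can be checked before the rules are activated. This is an added example, not part of the article and not CA/Broadcom or ACF2 code: it parses the RECKEY lines (with &ENDUSER rendered as the assumed logonid CIMUSER) into a simplified evaluator that follows the masking conventions used in the article ('-' matches the rest of the string, '*' matches one character) and treats a UID mask as a prefix. The UID strings are constructed, SERVICE keywords are treated as independent flags, and PREVENT, LOG, NEXTKEY and ACF2's most-specific-match selection are not reproduced, so confirm any conclusion against ACF2 itself.

```python
"""Added example, not from the article and not ACF2 code: a simplified model of
the data set and resource rules created above, used to check the split between
what the CIM server logonid (CFZSRV) may do and what a CIM end user may do.
Assumptions: '-' in a mask matches the rest of the string and '*' one character;
a UID mask is treated as a prefix (implied trailing '-'); SERVICE keywords are
independent flags; only ALLOW entries are modelled (no PREVENT, LOG, NEXTKEY or
most-specific-match selection); UID strings and the end-user logonid CIMUSER
(standing in for &ENDUSER) are constructed."""
import re
from dataclasses import dataclass

# Constructed copy of the article's rule lines, with &ENDUSER rendered as CIMUSER.
ACF2_COMMANDS = """
SET RULE
RECKEY CFZSRV ADD(- UID(****************CFZSRV) R(A) W(A) E(A) A(A))
RECKEY CEA ADD(- UID(****************CIMUSER) R(A) W(A))
RECKEY CEA ADD(- UID(****************CFZSRV) R(A) W(A))
SET RESOURCE(WBE)
RECKEY CIMSERV ADD(UID(****************CIMUSER) SERVICE(READ,UPDATE) ALLOW)
RECKEY CIMSERV ADD(UID(****************CFZSRV) SERVICE(READ,UPDATE,DELETE,ADD) ALLOW)
SET RES(SUR)
RECKEY BPX ADD(SRV.- UID(****************CFZSRV) SERVICE(READ) ALLOW)
SET RES(FAC)
RECKEY BPX ADD(SERVER UID(****************CFZSRV) SERVICE(READ,UPDATE) ALLOW)
RECKEY BPX ADD(SMF UID(****************CFZSRV) SERVICE(READ) ALLOW)
RECKEY BPX ADD(CONSOLE UID(****************CFZSRV) SERVICE(READ) ALLOW)
RECKEY IXCARM ADD(DEFAULT.CFZ_SRV_- UID(****************CFZSRV) SERVICE(UPDATE) ALLOW)
SET RESOURCE(CFZ)
RECKEY CFZAPPL ADD(UID(****************CIMUSER) SERVICE(READ) ALLOW)
RECKEY CFZAPPL ADD(UID(****************CFZSRV) SERVICE(READ) ALLOW)
"""

# Constructed UID strings: a 16-character site prefix followed by the logonid,
# which is the layout the article's 16-asterisk masks assume.
UID_STRINGS = {"CFZSRV": "SYS     CFZSRVGPCFZSRV", "CIMUSER": "APP     CIMGRP  CIMUSER"}
DSN_ACCESS = {"R": "READ", "W": "WRITE", "E": "EXEC", "A": "ALLOC"}  # data set rule keywords


@dataclass(frozen=True)
class Rule:
    rtype: str      # "DSN" for data set rules, else the resource type (FAC, SUR, WBE, ...)
    key: str        # $KEY: high-level qualifier or first resource qualifier
    entity: str     # mask for the rest of the name ("" = the key alone)
    uid_mask: str
    services: frozenset


def mask_to_regex(mask, prefix=False):
    """ACF2 mask to regex: '-' is the rest of the string, '*' is one character."""
    body = "".join(".*" if c == "-" else "." if c == "*" else re.escape(c) for c in mask)
    return re.compile("^" + body + (".*" if prefix else "$"))


def parse_acf2(text):
    """Turn SET / RECKEY ... ADD(...) command lines into Rule objects."""
    rules, rtype = [], None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.upper() == "SET RULE":
            rtype = "DSN"
            continue
        m = re.match(r"SET\s+RES(?:OURCE)?\((\w+)\)$", line, re.I)
        if m:
            rtype = m.group(1).upper()
            continue
        m = re.match(r"RECKEY\s+(\S+)\s+ADD\((.*)\)$", line, re.I)
        if not m or rtype is None:
            raise ValueError("unrecognised line: " + line)
        body = m.group(2).strip()
        uid = re.search(r"UID\(([^)]*)\)", body, re.I)
        if uid is None:
            raise ValueError("no UID mask: " + line)
        entity, tail = body[:uid.start()].strip(), body[uid.end():]
        if rtype == "DSN":  # R(A) W(A) E(A) A(A): only A (allow) is modelled
            allowed = {DSN_ACCESS[k.upper()]
                       for k, v in re.findall(r"\b([RWEA])\(([ALP])\)", tail, re.I) if v.upper() == "A"}
        else:
            svc = re.search(r"SERVICE\(([^)]*)\)", tail, re.I)
            if svc is None or "ALLOW" not in tail.upper():
                raise ValueError("resource entry without SERVICE(...) ALLOW: " + line)
            allowed = {s.strip().upper() for s in svc.group(1).split(",")}
        rules.append(Rule(rtype, m.group(1).upper(), entity, uid.group(1), frozenset(allowed)))
    return rules


def authorized(rules, uid_string, rtype, resource, service):
    """True if some ALLOW entry matches the caller's UID string and the resource name."""
    key, _, rest = resource.upper().partition(".")
    for r in rules:
        if r.rtype != rtype.upper() or r.key != key:
            continue
        if not mask_to_regex(r.entity).match(rest):
            continue
        if not mask_to_regex(r.uid_mask, prefix=True).match(uid_string):
            continue
        if service.upper() in r.services:
            return True
    return False


# Questions a reviewer would ask of the finished rule set (constructed for the example).
CHECKS = [
    ("CFZSRV", "FAC", "BPX.SERVER", "UPDATE"), ("CIMUSER", "FAC", "BPX.SERVER", "UPDATE"),
    ("CFZSRV", "SUR", "BPX.SRV.CIMUSER", "READ"), ("CIMUSER", "SUR", "BPX.SRV.CFZSRV", "READ"),
    ("CFZSRV", "WBE", "CIMSERV", "DELETE"), ("CIMUSER", "WBE", "CIMSERV", "DELETE"),
    ("CIMUSER", "WBE", "CIMSERV", "UPDATE"), ("CFZSRV", "FAC", "IXCARM.DEFAULT.CFZ_SRV_01", "UPDATE"),
    ("CFZSRV", "FAC", "IXCARM.DEFAULT.OTHER", "UPDATE"), ("CFZSRV", "DSN", "CFZSRV.LOGS.DATA", "WRITE"),
    ("CIMUSER", "DSN", "CFZSRV.LOGS.DATA", "READ"), ("CIMUSER", "DSN", "CEA.CEAPDWB.DATA", "WRITE"),
]


def least_privilege_report(rules=None):
    """Map each check to the model's allow/deny answer."""
    rules = parse_acf2(ACF2_COMMANDS) if rules is None else rules
    return {c: authorized(rules, UID_STRINGS[c[0]], c[1], c[2], c[3]) for c in CHECKS}


if __name__ == "__main__":
    for (who, rtype, res, svc), ok in least_privilege_report().items():
        print(f"{who:8} {rtype:4} {res:28} {svc:7} {'ALLOW' if ok else 'deny'}")
```

Run as a script it prints the allow/deny matrix. The informative rows are the negatives: the end user cannot reach BPX.SERVER, cannot DELETE from CIMSERV and cannot act as a surrogate, while CFZSRV can assume any user's identity because of the SRV.- mask and is confined to IXCARM.DEFAULT.CFZ_SRV_* rather than all of IXCARM.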

Create Certificates and Key Rings on CIM Server Using ACF2

This topic describes the ACF2 commands that you use to generate a
valid digital certificate for the CIM server, the associated CIM server
private key, and the digital certificate of local certificate authority
to sign the CIM server certificate. 

Enabling HTTPS on the CIM server is optional on nonproduction systems. Always use HTTPS in production, because CIM clients authenticate with a logonid and password that would otherwise cross the network in clear text.
You create the key ring to store the digital certificates and assign it to the CIM server logonid.
The CIM server certificate is marked as the default certificate, which is the one the server presents during the TLS handshake.
Note: The attached file contains sample JCL to guide and help you perform the
steps that are described in this topic.

Follow these steps:

Generate a self-signed digital certificate to represent the local certificate authority.
KEYUSAGE(CERTSIGN) is what allows this certificate to sign the server certificate in the next step. The 12/31/2049 expiry in the samples is a placeholder; choose validity periods that follow your site's certificate policy and track the expiry dates, because an expired certificate anywhere in the chain causes clients to reject the connection.

SET PROFILE(USER) DIV(CERTDATA)
GENCERT CERTAUTH.CIMCACRT -
    SUBJSDN(CN='LOCAL CA CERT' -
               OU='Local Unit' -
               O='My Organization' -
               C=US) -
    SIZE(2048) -
    EXPIRE(12/31/2049) -
    KEYUSAGE(CERTSIGN) -
    LABEL(LOCAL_CA_CERTIFICATE) -
    ALTNAME(DOMAIN=MYCOMPANY.COM)

Create a digital certificate for the CIM Server logonid (for example, CFZSRV)
that is signed with the certificate-authority certificate that was created in Step 1.

SET PROFILE(USER) DIV(CERTDATA)
GENCERT CFZSRV.CIMSVCRT -
    SUBJSDN(CN='CIM SERVER CERT' -
                OU='CIM Server' -
                O='My Organization' -
                C=US) -
    SIZE(2048) -
    EXPIRE(12/31/2049) -
    KEYUSAGE(HANDSHAKE) -
    LABEL(CIM_SERVER_CERTIFICATE) -
    SIGNWITH(CERTAUTH.CIMCACRT)

Create a key ring and assign it to the CIM server logonid. To open its own key ring at startup, the logonid also needs READ access to IRR.DIGTCERT.LISTRING in the FACILITY class; that rule is not part of the samples here, so check it if the server cannot read the ring.

SET PROFILE(USER) DIV(KEYRING)
INSERT CFZSRV.CIMRING RINGNAME(CFZCIM_Server_Ring)

Connect the CIM server certificate to the key ring and mark it as the default certificate.

SET PROFILE(USER) DIV(KEYRING)
CONNECT CERTDATA(CFZSRV.CIMSVCRT) -
KEYRING(CFZSRV.CIMRING) USAGE(PERSONAL) DEFAULT

Connect the local certificate authority certificate to the key ring to complete the certificate hierarchy.

SET PROFILE(USER) DIV(KEYRING)  
CONNECT CERTDATA(CERTAUTH.CIMCACRT) -
 KEYRING(CFZSRV.CIMRING) USAGE(CERTAUTH)
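The hierarchy that the GENCERT and CONNECT steps create, rebuilt as an added example with the Python `cryptography` package (not ACF2 commands and not code from the article or from CA/Broadcom), so that what KEYUSAGE(CERTSIGN), KEYUSAGE(HANDSHAKE) and SIGNWITH mean to a TLS client is visible and testable. Subject names, the 2048-bit key size and the 12/31/2049 expiry follow the article; the host name cim.mycompany.com and the 2025 start date are assumptions. It also exercises two failure modes a key ring review should catch: a server certificate signed by something that lacks CERTSIGN, and a chain checked after its expiry.

```python
"""Added example, not from the article: the certificate hierarchy from the GENCERT,
INSERT and CONNECT steps above, rebuilt with the `cryptography` package so the
checks a TLS peer makes on it can be run. Names, 2048-bit keys and the 12/31/2049
expiry mirror the article; the host name and the 2025 start date are assumed.
Nothing here touches ACF2 or a key ring."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOT_BEFORE = dt.datetime(2025, 1, 1)    # assumed
NOT_AFTER = dt.datetime(2049, 12, 31)   # EXPIRE(12/31/2049) in the article


def _name(cn, ou):
    return x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, "My Organization"),
                      x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pub):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER))


def make_local_ca():
    """Step 1: self-signed CA. KEYUSAGE(CERTSIGN) -> keyCertSign plus a CA basicConstraints."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = _name("LOCAL CA CERT", "Local Unit")
    cert = (_builder(name, name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(False, False, False, False, False, True, True, False, False),
                           critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_server_cert(signer_key, signer_cert, hostname="cim.mycompany.com"):
    """Step 2: KEYUSAGE(HANDSHAKE) -> digitalSignature + keyEncipherment; SIGNWITH -> issued by signer."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name("CIM SERVER CERT", "CIM Server"), signer_cert.subject, key.public_key())
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(True, False, True, False, False, False, False, False, False),
                           critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(signer_key, hashes.SHA256()))
    return key, cert


def _validity(cert):
    # cryptography >= 42 has timezone-aware *_utc properties; older releases only naive ones.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = dt.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def chain_problems(server_cert, ca_cert, at=None):
    """The checks a client makes on the ring contents; returns a list of problems ([] means OK)."""
    at = at or dt.datetime.now(dt.timezone.utc)
    problems = []
    if server_cert.issuer != ca_cert.subject:
        problems.append("issuer does not match CA subject")
    try:  # the signer must be a CA that is allowed to sign certificates (CERTSIGN)
        bc = ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        ku = ca_cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not (bc.ca and ku.key_cert_sign):
            problems.append("signer is not a CA with keyCertSign (CERTSIGN)")
    except x509.ExtensionNotFound:
        problems.append("signer lacks BasicConstraints/KeyUsage")
    try:  # SIGNWITH: the server certificate must verify under the CA public key
        ca_cert.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), server_cert.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("signature does not verify under the CA key")
    try:  # HANDSHAKE: the server certificate must be usable for TLS key exchange
        sku = server_cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not (sku.digital_signature and sku.key_encipherment):
            problems.append("server certificate lacks HANDSHAKE key usage")
    except x509.ExtensionNotFound:
        problems.append("server certificate lacks KeyUsage")
    for cert, label in ((server_cert, "server"), (ca_cert, "CA")):
        nb, na = _validity(cert)
        if not nb <= at <= na:
            problems.append(f"{label} certificate not valid at {at:%Y-%m-%d}")
    return problems


def demo():
    """Good chain, a server cert used as signer (no CERTSIGN), and a check after expiry."""
    ca_key, ca_cert = make_local_ca()
    srv_key, srv_cert = make_server_cert(ca_key, ca_cert)
    _, bad_cert = make_server_cert(srv_key, srv_cert)   # signed with the server cert, not the CA
    when = dt.datetime(2030, 6, 1, tzinfo=dt.timezone.utc)
    return {"good": chain_problems(srv_cert, ca_cert, when),
            "bad_signer": chain_problems(bad_cert, srv_cert, when),
            "expired": chain_problems(srv_cert, ca_cert, dt.datetime(2050, 1, 1, tzinfo=dt.timezone.utc))}


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, "OK" if not found else found)
```

The "bad_signer" case is the mistake of connecting something other than the CERTAUTH certificate as the issuer: the signature is mathematically valid, but a client still rejects the chain because the signer is not a CA with keyCertSign. The "expired" case is why the 2049 date should be treated as a placeholder and tracked rather than forgotten.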