ACF2 equivalent to the RACF security setup for AT-TLS

Article ID: 48997

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA PanApt CA PanAudit

Issue/Introduction

The following are ACF2 commands in batch format that are used to set up the certificates and access rules needed for AT-TLS. This includes resource rules for the TCP/IP resources required by many components of AT-TLS, such as PAGENT and IMS Connect.

Resolution

The following ACFBATCH job can be used to set up ACF2 security for AT-TLS.

//ACFBATCH EXEC PGM=IKJEFT01,REGION=0K
//*=============================================================
//* AT-TLS Support
//*=============================================================
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
*
* Create the keyring
*
ACF
SET PROFILE(USER) DIV(KEYRING)
INSERT CS09.RING RINGNAME(ATTLS_keyring)
*
* GENCERT the certauth certificate
*
GENCERT CERTAUTH.cs09 SUBJ(CN='itso.ibm.com' O='I.B.M Corporation' C=US) -
LABEL(LOCALCA) KEYUSAGE(certsign)
*
* GENCERT the personal certificate
*
GENCERT CS09.CERT SUBJ(CN='SC30ServerCert' OU='ITSO' C=US) -
LABEL(SC30ServerCert) SIGNWITH(certauth Label(LOCALCA))
*
* Connect the certificates
*
CONNECT CERTDATA(CS09.CERT) KEYRING(CS09.RING) USAGE(PERSONAL) -
DEFAULT
CONNECT CERTDATA(CERTAUTH.cs09) KEYRING(CS09.RING) USAGE(CERTAUTH)
*
* Create CLASMAP record to map resource CSFSERV to TYPE(CSF) rather
*        than the default TYPE(SAF)
*
SET CONTROL(GSO)
INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) ENTITYLN(8)
*
* Refresh the CLASMAP records with the operator command:
* F ACF2,REFRESH(CLASMAP)
*
* Add the CSFSERV resource rules
*
SET RESOURCE(CSF)
RECKEY CSFDSV ADD( UID(UID string for CS09) -
SERVICE(READ) ALLOW)
RECKEY CSFPKE ADD( UID(UID string for CS09) -
SERVICE(READ) ALLOW)
*
* Create PAGENT logonid and designate as a started task
*
SET LID
INSERT pagent_logonid STC
*
* Add SERVAUTH resource rules that control which users can have
* access to the TCP/IP stack before PAGENT is active
*
SET RESOURCE(SER)
RECKEY EZB ADD( INITSTACK.sysname.tcpprocname UID(*) -
SERVICE(READ) ALLOW)
*
* Add the SERVAUTH resource rules to control which
* users can start, stop and refresh PAGENT
*
SET R(SER)
RECKEY EZB ADD( PAGENT.sysname.tcpprocname.- UID(*) -
SERVICE(READ) ALLOW)
*
* If RSER is not already specified in the GSO INFODIR add it
*
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RSER) ADD
*
* PAGENT logonid must have READ access to the BPX.DAEMON resource
*
SET R(FAC)
RECKEY BPX ADD( DAEMON UID(*) SERVICE(READ) ALLOW)
*
* To activate the new records issue the following operator commands:
* F ACF2,REFRESH(INFODIR)
* F ACF2,REBUILD(SER)
* F ACF2,REBUILD(FAC)
*
END
//*
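As an added illustration, not part of the article: a small Python checker that re-joins the ACF2 continuation lines (trailing `-`) of a SYSTSIN deck, extracts the RECKEY rule entries together with the resource type set by the preceding SET command, and lists the ALLOW entries written with UID(*), so a reviewer can confirm that rules open to every logonid, such as the PAGENT start/stop/refresh rule above, are intended. The sample deck is constructed from a subset of the job; the regular expressions cover only the rule syntax used on this page.

```python
import re
# Constructed sample: part of the SYSTSIN deck from the job above.
SAMPLE_DECK = """\
SET RESOURCE(CSF)
RECKEY CSFDSV ADD( UID(UID string for CS09) -
SERVICE(READ) ALLOW)
SET R(SER)
RECKEY EZB ADD( PAGENT.sysname.tcpprocname.- UID(*) -
SERVICE(READ) ALLOW)
SET R(FAC)
RECKEY BPX ADD( DAEMON UID(*) SERVICE(READ) ALLOW)
"""
SET_RE = re.compile(r"^SET\s+R(?:ESOURCE)?\((\w+)\)$", re.I)
RULE_RE = re.compile(
    r"^RECKEY\s+(\S+)\s+ADD\(\s*(?:(\S+)\s+)?UID\((.*?)\)\s+"
    r"SERVICE\((\w+)\)\s+(ALLOW|PREVENT|LOG)\s*\)$", re.I)

def join_continuations(text):
    """Join lines ending in '-' into one logical command; skip '*' comments."""
    cmds, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith("-"):  # ACF2 batch continuation marker
            buf += line[:-1] + " "
        else:
            cmds.append((buf + line).strip())
            buf = ""
    if buf:  # deck ended mid-command, as in a garbled copy of the job
        raise ValueError("unterminated continuation: " + buf.strip())
    return cmds

def parse_rules(text):
    """RECKEY entries, each tagged with the type from the preceding SET R(...)."""
    rules, rtype = [], None
    for cmd in join_continuations(text):
        if (m := SET_RE.match(cmd)):
            rtype = m.group(1).upper()
        elif (m := RULE_RE.match(cmd)):
            key, entity, uid, service, action = m.groups()
            rules.append({"type": rtype, "key": key.upper(), "entity": (entity or "").upper(),
                          "uid": uid.strip(), "service": service.upper(), "action": action.upper()})
    return rules

def granted_to_everyone(rules):
    """ALLOW entries with UID(*), which every logonid matches; review each one."""
    return [f"{r['type']} {r['key']}.{r['entity']}".rstrip(".")
            for r in rules if r["uid"] == "*" and r["action"] == "ALLOW"]
```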