Description:
Setup similar to that for RACF can be done online or in batch.
See the solution for the batch TSO commands used to set up the certificates and rules needed for AT-TLS.
Solution:
The following ACFBATCH job can be used to set up ACF2 security for AT-TLS.
//ACFBATCH EXEC PGM=IKJEFT01,REGION=0K
//*=============================================================
//* AT-TLS Support
//*=============================================================
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
*
* Create the keyring
*
ACF
SET PROFILE(USER) DIV(KEYRING)
INSERT CS09.RING RINGNAME(ATTLS_keyring)
*
* GENCERT the certauth certificate
*
GENCERT CERTAUTH.cs09 SUBJ(CN='itso.ibm.com' -
        O='I.B.M Corporation' C=US) -
        LABEL(LOCALCA) KEYUSAGE(certsign)
*
* GENCERT the personal certificate
*
GENCERT CS09.CERT SUBJ(CN='SC30ServerCert' OU='ITSO' C=US) -
        LABEL(SC30ServerCert) SIGNWITH(certauth Label(LOCALCA))
*
* Connect the certificates
*
CONNECT CERTDATA(CS09.CERT) KEYRING(CS09.RING) USAGE(PERSONAL) -
        DEFAULT
CONNECT CERTDATA(CERTAUTH.cs09) KEYRING(CS09.RING) USAGE(CERTAUTH)
*
* Create CLASMAP record to map resource CSFSERV to TYPE(CSF) rather
* than the default TYPE(SAF)
*
SET CONTROL(GSO)
INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) ENTITYLN(8)
F ACF2,REFRESH(CLASMAP)
*
* Add the CSFSERV resource rules
*
SET RESOURCE(CSF)
RECKEY CSFDSV ADD( UID(UID string for CS09) -
       SERVICE(READ) ALLOW)
RECKEY CSFPKE ADD( UID(UID string for CS09) -
       SERVICE(READ) ALLOW)
*
* Add the SERVAUTH resource rules
*
SET RESOURCE(SER)
RECKEY EZB ADD( INITSTACK.SC30.TCPIPA UID(*) -
       SERVICE(READ) ALLOW)
*
RECKEY EZB ADD( INITSTACK.SC31.TCPIPA UID(*) -
       SERVICE(READ) ALLOW)
*
* If RSER is not already specified in the GSO INFODIR add it
*
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RSER) ADD
*
* To activate the new records issue the following operator commands:
*
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(SER)
END
//*