Description:

Setup similar to RACF can be done online or in batch.
See solution for commands in batch TSO that are used to setup the certificates and rules needed for AT-TLS.

Solution:

The following ACFBATCH job can be used to setup ACF2 security for AT-TLS.

//ACFBATCH EXEC PGM=IKJEFT01,REGION=0K
//*=============================================================
//* AT-TLS Support
//*=============================================================
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *   
*
* Create the keyring
*
ACF
SET PROFILE(USER) DIV(KEYRING)
INSERT CS09.RING RINGNAME(ATTLS_keyring)
*
* GENCERT the certauth certificate
*
GENCERT CERTAUTH.cs09 SUBJ(CN='itso.ibm.com' -O='I.B.M Corporation' C=US) -
LABEL(LOCALCA) KEYUSAGE(certsign)
*
* GENCERT the personal certificate
*
GENCERT CS09.CERT SUBJ(CN='SC30ServerCert' OU='ITSO' C=US) -
LABEL(SC30ServerCert) SIGNWITH(certauth Label(LOCALCA))
*
* Connect the certificates
*
CONNECT CERTDATA(CS09.CERT) KEYRING(CS09.RING) USAGE(PERSONAL) -
DEFAULT
CONNECT CERTDATA(CERTAUTH.cs09) KEYRING(CS09.RING) USAGE(CERTAUTH)
*
* Create CLAMAP record to map resource CSFSERV to TYPE(CSF) rather
*        than the default TYPE(SAF)
*
SET CONTROL(GSO)INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) ENTITYLN(8)
F ACF2,REFRESH(CLASMAP)
*
* Add the CSFSERV resource rules
*
SET RESOURCE(CSF)
RECKEY CSFDSV ADD( UID(UID string for CS09) -SERVICE(READ) ALLOW)
RECKEY CSFPKE ADD( UID(UID string for CS09) -SERVICE(READ) ALLOW)
*
* Add the SERVAUTH resource rules
*
SET RESOURCE(SER)
RECKEY EZB ADD( INITSTACK.SC30.TCPIPA UID(*) -
SERVICE(READ) ALLOW)
*
RECKEY EZB ADD( INITSTACK.SC31.TCPIPA UID(*) -
SERVICE(READ) ALLOW)
*
* If RSER is not already specified in the GSO INFODIR add it
*
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RSER) ADD
*
* To activate the new records issue the following operator commands:
*
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(SER)
END
//*