IBM provides a FEKRACF member for IDz implementation. This member has only RACF commands. What are the Broadcom Top Secret equivalent commands?
The following lists the RACF commands from the FEKRACF member, each followed by its CA Top Secret equivalent (marked with an asterisk). RACF commands that FEKRACF ships commented out (prefixed with '#') are kept that way here.
# display current settings
# SETROPTS LIST
* No CA Top Secret equivalent and not needed.

# activate facility class for z/OS UNIX profiles
# SETROPTS GENERIC(FACILITY)
* No CA Top Secret equivalent and not needed.
# SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
* No CA Top Secret equivalent and not needed.

# activate started task definitions
# SETROPTS GENERIC(STARTED)
* No CA Top Secret equivalent and not needed.
# RDEFINE STARTED ** STDATA(USER(=MEMBER) GROUP(STCGROUP) TRACE(YES))
* TSS ADD(STC) PROCN(DEFAULT) ACID(defaultacid)
  (Skip this step if you already have a default ACID for undefined started tasks.)
* TSS ADD(defaultacid) GROUP(STCGROUP)
# SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
* No CA Top Secret equivalent and not needed.

# activate console security for JES Job Monitor server
# SETROPTS GENERIC(CONSOLE)
* No CA Top Secret equivalent and not needed.
# SETROPTS CLASSACT(CONSOLE) RACLIST(CONSOLE)
* No CA Top Secret equivalent and not needed.

# activate operator command protection for JES Job Monitor server
# SETROPTS GENERIC(OPERCMDS)
* No CA Top Secret equivalent and not needed.
# SETROPTS CLASSACT(OPERCMDS) RACLIST(OPERCMDS)
* No CA Top Secret equivalent and not needed.

# activate application protection for RSE server
# SETROPTS GENERIC(APPL)
* No CA Top Secret equivalent and not needed.
# SETROPTS CLASSACT(APPL) RACLIST(APPL)
* No CA Top Secret equivalent and not needed.

# activate secured signon using PassTickets for RSE server
# SETROPTS GENERIC(PTKTDATA)
* No CA Top Secret equivalent and not needed.
# SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
* No CA Top Secret equivalent and not needed.

# activate program control for RSE server
# RDEFINE PROGRAM ** ADDMEM('SYS1.CMDLIB'//NOPADCHK) UACC(READ)
* TSS ADD(owningacid) DSN(SYS1.)
* TSS PER(ALL) DSN(SYS1.CMDLIB) ACC(READ)
# SETROPTS WHEN(PROGRAM)
* No CA Top Secret equivalent and not needed.

# show results -------------------------------------------------------
SETROPTS LIST
* No CA Top Secret equivalent and not needed.
# add OMVS segment to existing user ID
# LISTUSER #userid NORACF OMVS
* TSS LIST(#userid) SEGMENT(OMVS)
# ALTUSER #userid OMVS(UID(#user-identifier) -
#   HOME(/u/#userid) OMVSPGM(/bin/sh) NOASSIZEMAX)
* TSS ADD(#userid) UID(#user-identifier) HOME(/u/#userid) OMVSPGM(/bin/sh)

# add OMVS segment to existing group
# LISTGRP #group-name NORACF OMVS
* TSS LIST(#group-name) SEGMENT(OMVS)
# ALTGROUP #group-name OMVS(GID(#group-identifier))
* TSS ADD(#group-name) GID(#group-identifier)

# HLQ stub
LISTGRP FEK ALL
* TSS LIST(FEK) DATA(ALL)
ADDGROUP (FEK) OWNER(IBMUSER) SUPGROUP(SYS1) -
  DATA('RATIONAL DEVELOPER FOR SYSTEM Z - HLQ STUB')
* TSS CRE(FEK) NAME('RATIONAL DEV SYSTEM Z - HLQ STUB') TYPE(GROUP) DEPT(deptacid)

# general data set protection
LISTDSD PREFIX(FEK) ALL
* TSS WHOHAS DSN(FEK)
ADDSD 'FEK.*.**' UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) DSN(FEK)
* TSS PER(ALL) DSN(FEK) ACC(READ)
PERMIT 'FEK.*.**' CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK) ACC(ALL)

# sclmdt long/short name translation, users need update
LISTDSD PREFIX(FEK.#CUST.LSTRANS)
* TSS WHOHAS DSN(FEK.#CUST.LSTRANS)
ADDSD 'FEK.#CUST.LSTRANS.FILE' UACC(UPDATE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - SCLMDT')
* TSS ADD(owningacid) DSN(FEK.#CUST.LSTRANS.FILE)
  (Not needed. Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'.)
* TSS PER(ALL) DSN(FEK.#CUST.LSTRANS.FILE) ACC(UPDATE)
PERMIT 'FEK.#CUST.LSTRANS.FILE' CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.LSTRANS.FILE) ACC(ALL)

# carma ram development, ram developers need update
LISTDSD PREFIX(FEK.#CUST.CRA)
* TSS WHOHAS DSN(FEK.#CUST.CRA)
ADDSD 'FEK.#CUST.CRA*.**' UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - CARMA')
* TSS ADD(owningacid) DSN(FEK.#CUST.CRA)
  (Not needed. Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'.)
* TSS PER(ALL) DSN(FEK.#CUST.CRA) ACC(READ)
PERMIT 'FEK.#CUST.CRA*.**' CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.CRA) ACC(ALL)
PERMIT 'FEK.#CUST.CRA*.**' CLASS(DATASET) ACCESS(UPDATE) ID(#ram-developer)
* TSS PER(#ram-developer) DSN(FEK.#CUST.CRA) ACC(UPDATE)

# CRD server, cics administrators need update
LISTDSD PREFIX(FEK.#CUST.ADN)
* TSS WHOHAS DSN(FEK.#CUST.ADN)
ADDSD 'FEK.#CUST.ADNREP*.**' UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - ADN')
* TSS ADD(owningacid) DSN(FEK.#CUST.ADNREP)
  (Not needed. Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'.)
* TSS PER(ALL) DSN(FEK.#CUST.ADNREP) ACC(READ)
PERMIT 'FEK.#CUST.ADNREP*.**' CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.ADNREP) ACC(ALL)
PERMIT 'FEK.#CUST.ADNREP*.**' CLASS(DATASET) ACCESS(UPDATE) ID(#cicsadmin)
* TSS PER(#cicsadmin) DSN(FEK.#CUST.ADNREP) ACC(UPDATE)

# manifest repository, all users need update
LISTDSD PREFIX(FEK.#CUST.ADN)
* TSS WHOHAS DSN(FEK.#CUST.ADN)
ADDSD 'FEK.#CUST.ADNMAN*.**' UACC(UPDATE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - ADN')
* TSS ADD(owningacid) DSN(FEK.#CUST.ADNMAN)
  (Not needed. Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'.)
* TSS PER(ALL) DSN(FEK.#CUST.ADNMAN) ACC(UPDATE)
PERMIT 'FEK.#CUST.ADNMAN*.**' CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.ADNMAN) ACC(ALL)
SETROPTS GENERIC(DATASET) REFRESH
* No CA Top Secret equivalent and not needed.

# show results -------------------------------------------------------
LISTGRP FEK ALL
* TSS LIST(FEK) DATA(ALL)
LISTDSD PREFIX(FEK) ALL
* TSS WHOHAS DSN(FEK)

# group for started tasks
LISTGRP STCGROUP OMVS
* TSS LIST(STCGROUP) SEGMENT(OMVS)
ADDGROUP STCGROUP
* TSS CREATE(STCGROUP) TYPE(GROUP) NAME('STC GROUP W/OMVS SEGMENT') DEPT(dept)
ALTGROUP STCGROUP OMVS(GID(1)) DATA('STARTED TASK GROUP WITH OMVS SEGMENT')
* TSS ADD(STCGROUP) GID(1)
# userid for JES job monitor
LISTUSER STCJMON OMVS
* TSS LIST(STCJMON) SEGMENT(OMVS)
ADDUSER STCJMON NOPASSWORD DFLTGRP(STCGROUP) -
  OMVS(UID(7) HOME(/tmp) OMVSPGM(/bin/sh)) -
  NAME('RDZ - JES JOBMONITOR') DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCJMON) PASS(NOPW,0) NAME('RDZ - JES JOBMONITOR') DEPT(dept)
* TSS ADD(STCJMON) OMVSGRP(STCGROUP) UID(7) HOME(/tmp) OMVSPGM(/bin/sh)

# userid for RSE daemon
LISTUSER STCRSE OMVS
* TSS LIST(STCRSE) SEGMENT(OMVS)
ADDUSER STCRSE NOPASSWORD DFLTGRP(STCGROUP) -
  OMVS(UID(8) HOME(/tmp) OMVSPGM(/bin/sh)) -
  NAME('RDZ - RSE DAEMON') DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCRSE) PASS(NOPW,0) NAME('RDZ - RSE DAEMON') DEPT(dept)
* TSS ADD(STCRSE) UID(8) HOME(/tmp) OMVSPGM(/bin/sh) GROUP(STCGROUP) DFLTGRP(STCGROUP)

# userid for lock daemon
LISTUSER STCLOCK OMVS
* TSS LIST(STCLOCK) SEGMENT(OMVS)
ADDUSER STCLOCK NOPASSWORD DFLTGRP(STCGROUP) -
  OMVS(UID(9) HOME(/tmp) OMVSPGM(/bin/sh)) -
  NAME('RDZ - LOCK DAEMON') DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCLOCK) PASS(NOPW,0) NAME('RDZ - LOCK DAEMON') DEPT(dept)
* TSS ADD(STCLOCK) GROUP(STCGROUP) UID(9) HOME(/tmp) OMVSPGM(/bin/sh) DFLTGRP(STCGROUP)
# started task for JES Job Monitor
RLIST STARTED JMON.* ALL STDATA
* TSS LIST(STC) PROCN(JMON) PREFIX
RDEFINE STARTED JMON.* STDATA(USER(STCJMON) GROUP(STCGROUP) TRUSTED(NO)) -
  DATA('RDZ - JES JOBMONITOR')
* TSS ADD(STC) PROCN(JMON) ACID(STCJMON)
* TSS ADD(STCJMON) GROUP(STCGROUP)

# started task for RSE daemon
RLIST STARTED RSED.* ALL STDATA
* TSS LIST(STC) PROCN(RSED) PREFIX
RDEFINE STARTED RSED.* STDATA(USER(STCRSE) GROUP(STCGROUP) TRUSTED(NO)) -
  DATA('RDZ - RSE DAEMON')
* TSS ADD(STC) PROCN(RSED) ACID(STCRSE)
* TSS ADD(STCRSE) GROUP(STCGROUP)

# started task for lock daemon
RLIST STARTED LOCKD.* ALL STDATA
* TSS LIST(STC) PROCN(LOCKD) PREFIX
RDEFINE STARTED LOCKD.* STDATA(USER(STCLOCK) GROUP(STCGROUP) TRUSTED(NO)) -
  DATA('RDZ - LOCK DAEMON')
* TSS ADD(STC) PROCN(LOCKD) ACID(STCLOCK)
* TSS ADD(STCLOCK) GROUP(STCGROUP)
SETROPTS RACLIST(STARTED) REFRESH
* No CA Top Secret equivalent and not needed.

# show results -------------------------------------------------------
LISTGRP STCGROUP OMVS
* TSS LIST(STCGROUP) SEGMENT(OMVS)
LISTUSER STCJMON OMVS
* TSS LIST(STCJMON) SEGMENT(OMVS)
LISTUSER STCRSE OMVS
* TSS LIST(STCRSE) SEGMENT(OMVS)
LISTUSER STCLOCK OMVS
* TSS LIST(STCLOCK) SEGMENT(OMVS)
RLIST STARTED JMON.* ALL STDATA
* TSS LIST(STC) PROCN(JMON) PREFIX
RLIST STARTED RSED.* ALL STDATA
* TSS LIST(STC) PROCN(RSED) PREFIX
RLIST STARTED LOCKD.* ALL STDATA
* TSS LIST(STC) PROCN(LOCKD) PREFIX

# define JMON console
RLIST CONSOLE JMON ALL
* TSS WHOHAS TSOAUTH(CONSOLE)
RDEFINE CONSOLE JMON UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) TSOAUTH(CONSOLE)
SETROPTS RACLIST(CONSOLE) REFRESH
* No CA Top Secret equivalent and not needed.
# define JMON console access
RLIST OPERCMDS MVS.MCSOPER.JMON ALL
* TSS WHOHAS OPERCMDS(MVS.MCSOPER.JMON)
RDEFINE OPERCMDS MVS.MCSOPER.JMON UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) OPERCMDS(MVS.MCSOPER.JMON)
* TSS PER(ALL) OPERCMDS(MVS.MCSOPER.JMON) ACC(READ)

# define conditional JES operator command access
RLIST OPERCMDS JES%.** ALL
* TSS WHOHAS OPERCMDS(JES%)
RDEFINE OPERCMDS JES%.** UACC(NONE)
* TSS ADD(owningacid) OPERCMDS(JES)
PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) ID(*) WHEN(CONSOLE(JMON))
* TSS PER(ALL) OPERCMDS(JES%) ACC(UPDATE)
SETROPTS RACLIST(OPERCMDS) REFRESH
* No CA Top Secret equivalent and not needed.

# show results -------------------------------------------------------
RLIST CONSOLE JMON ALL
* TSS WHOHAS TSOAUTH(CONSOLE)
RLIST OPERCMDS MVS.MCSOPER.JMON ALL
* TSS WHOHAS OPERCMDS(MVS.MCSOPER.JMON)
RLIST OPERCMDS JES%.** ALL
* TSS WHOHAS OPERCMDS(JES)

# permit RSE server to create the client's security environment
RLIST FACILITY BPX.SERVER ALL
* TSS WHOHAS IBMFAC(BPX.SERVER)
RDEFINE FACILITY BPX.SERVER UACC(NONE)
* TSS ADD(owningacid) IBMFAC(BPX.)
PERMIT BPX.SERVER CLASS(FACILITY) ACCESS(UPDATE) ID(STCRSE)
* TSS PER(STCRSE) IBMFAC(BPX.SERVER) ACC(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH
* No CA Top Secret equivalent and not needed.
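When translating a member like FEKRACF, the easiest mistakes to make are an access level that does not map (RACF ALTER is TSS ALL, not ALTER), a permitted ID that drifts between the two halves, and a RACF conditional access (the WHEN(CONSOLE(JMON)) on the JES%.** PERMIT above) that a plain TSS PER does not express. The following Python is an added example written for this page, not part of FEKRACF or of either product; it pairs RACF PERMIT statements with their TSS PER translations and reports those three kinds of discrepancy. The first three sample pairs are taken from the mapping above; the fourth is a constructed mismatch so the check is seen firing. The access-level table and the ID(*) to PER(ALL) correspondence are assumptions read off this page's own translations.

```python
import re

# RACF access level -> Top Secret access level, as used in the translations above
# (assumption taken from this page: ALTER is rendered as ALL).
RACF_TO_TSS_ACCESS = {"NONE": "NONE", "READ": "READ", "UPDATE": "UPDATE", "ALTER": "ALL"}

# Constructed sample: (RACF PERMIT, TSS PER) pairs. The first three follow the page;
# the fourth deliberately translates UPDATE as READ to exercise the mismatch check.
SAMPLE_PAIRS = [
    ("PERMIT 'FEK.*.**' CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)",
     "TSS PER(#sysprog) DSN(FEK) ACC(ALL)"),
    ("PERMIT 'FEK.#CUST.CRA*.**' CLASS(DATASET) ACCESS(UPDATE) ID(#ram-developer)",
     "TSS PER(#ram-developer) DSN(FEK.#CUST.CRA) ACC(UPDATE)"),
    ("PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) ID(*) WHEN(CONSOLE(JMON))",
     "TSS PER(ALL) OPERCMDS(JES%) ACC(UPDATE)"),
    ("PERMIT BPX.SERVER CLASS(FACILITY) ACCESS(UPDATE) ID(STCRSE)",
     "TSS PER(STCRSE) IBMFAC(BPX.SERVER) ACC(READ)"),
]

# RACF: PERMIT profile CLASS(c) ACCESS(a) ID(i) [WHEN(...)]; profile may be quoted.
RACF_PERMIT = re.compile(
    r"PERMIT\s+'?(?P<profile>[^'\s]+)'?\s+CLASS\((?P<cls>\w+)\)"
    r"\s+ACCESS\((?P<acc>\w+)\)\s+ID\((?P<id>[^)]+)\)(?P<cond>.*)"
)
# TSS: TSS PER(acid) RESCLASS(name) ACC(a)
TSS_PER = re.compile(
    r"TSS\s+PER\((?P<acid>[^)]+)\)\s+(?P<res>\w+)\((?P<name>[^)]+)\)\s+ACC\((?P<acc>\w+)\)"
)


def check_pair(racf: str, tss: str) -> list:
    """Return the list of discrepancies for one RACF/TSS pair; empty means consistent."""
    r = RACF_PERMIT.search(racf)
    t = TSS_PER.search(tss)
    if r is None or t is None:
        return ["could not parse pair"]
    findings = []
    expected = RACF_TO_TSS_ACCESS.get(r["acc"].upper())
    if expected != t["acc"].upper():
        findings.append(f"access mismatch: RACF {r['acc']} maps to TSS {expected}, got {t['acc']}")
    # RACF ID(*) (everyone) corresponds to TSS PER(ALL) in the translations above.
    racf_id = "ALL" if r["id"].strip() == "*" else r["id"].strip()
    if racf_id.upper() != t["acid"].strip().upper():
        findings.append(f"id mismatch: RACF ID({r['id']}) vs TSS PER({t['acid']})")
    # Conditional access on the RACF side has no counterpart in a plain TSS PER.
    if "WHEN(" in r["cond"].upper():
        findings.append(f"conditional access {r['cond'].strip()} is not carried by the TSS PER")
    return findings


def audit(pairs) -> dict:
    """Map each RACF PERMIT to its list of discrepancies against the paired TSS PER."""
    return {racf: check_pair(racf, tss) for racf, tss in pairs}


if __name__ == "__main__":
    for racf, findings in audit(SAMPLE_PAIRS).items():
        print(racf)
        for f in findings or ["ok"]:
            print("   ", f)
```

Run over the page's own pairs it reports the dataset permits as consistent and flags only the JES%.** entry, whose console condition the TSS PER drops; whether that is acceptable depends on how JES command access is otherwise restricted on the target system, which is a decision for the installing security administrator rather than for the translation.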
# show results -------------------------------------------------------
RLIST FACILITY BPX.SERVER ALL
* TSS WHOHAS IBMFAC(BPX.SERVER)

# mark LE runtime & ISPF TSO/ISPF Client Gateway as program controlled
RLIST PROGRAM ** ALL
* TSS LIST(ALL) DATA(XAUTH)
RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.LINKLIB'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.LINKLIB) ACC(FETCH)
RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.MIGLIB'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.MIGLIB) ACC(FETCH)
RALTER PROGRAM ** UACC(READ) ADDMEM('CEE.SCEERUN'//NOPADCHK)
* TSS PER(ALL) DSN(CEE.SCEERUN) ACC(FETCH)
RALTER PROGRAM ** UACC(READ) ADDMEM('CEE.SCEERUN2'//NOPADCHK)
* TSS PER(ALL) DSN(CEE.SCEERUN2) ACC(FETCH)
RALTER PROGRAM ** UACC(READ) ADDMEM('ISP.SISPLPA'//NOPADCHK)
* TSS PER(ALL) DSN(ISP.SISPLPA) ACC(FETCH)
RALTER PROGRAM ** UACC(READ) ADDMEM('ISP.SISPLOAD'//NOPADCHK)
* TSS PER(ALL) DSN(ISP.SISPLOAD) ACC(FETCH)

# (optional) mark Alt. REXX runtime, SSL and File Manager as progctl
# RALTER PROGRAM ** UACC(READ) ADDMEM('REXX.V1R4M0.SEAGALT'//NOPADCHK)
* TSS PER(ALL) DSN(REXX.V1R4M0.SEAGALT) ACC(FETCH)
# RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.SIEALNKE'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.SIEALNKE) ACC(FETCH)
# RALTER PROGRAM ** UACC(READ) ADDMEM('FMN.SFMNMODA'//NOPADCHK)
* TSS PER(ALL) DSN(FMN.SFMNMODA) ACC(FETCH)
SETROPTS WHEN(PROGRAM) REFRESH
* No CA Top Secret equivalent and not needed.

# show results -------------------------------------------------------
RLIST PROGRAM ** ALL
* TSS LIST(ALL) DATA(XAUTH)

# define RSE server as an application
RLIST APPL FEKAPPL ALL
* TSS WHOHAS APPL(FEKAPPL)
RDEFINE APPL FEKAPPL UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) APPL(FEKAPPL)
* TSS PER(ALL) APPL(FEKAPPL) ACC(READ)
SETROPTS RACLIST(APPL) REFRESH
* No CA Top Secret equivalent and not needed.

# activate passticket support for RSE application
RLIST PTKTDATA FEKAPPL ALL SSIGNON
* TSS WHOHAS PTKTDATA(FEKAPPL)
RDEFINE PTKTDATA FEKAPPL UACC(NONE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z') -
  APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE') -
  SSIGNON(KEYMASKED(key16))
* TSS ADD(NDT) PSTKAPPL(FEKAPPL) SESSKEY(key16) SIGNMULTI
RLIST PTKTDATA IRRPTAUTH.FEKAPPL.* ALL
* TSS WHOHAS PTKTDATA(IRRPTAUTH.FEKAPPL.)
RDEFINE PTKTDATA IRRPTAUTH.FEKAPPL.* UACC(NONE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) PTKTDATA(IRRPTAUTH.FEKAPPL.)
PERMIT IRRPTAUTH.FEKAPPL.* CLASS(PTKTDATA) ACCESS(UPDATE) ID(STCRSE)
* TSS PER(STCRSE) PTKTDATA(IRRPTAUTH.FEKAPPL.) ACC(UPDATE)
SETROPTS RACLIST(PTKTDATA) REFRESH
* No CA Top Secret equivalent and not needed.

# show results -------------------------------------------------------
RLIST APPL FEKAPPL ALL
* TSS WHOHAS APPL(FEKAPPL)
RLIST PTKTDATA FEKAPPL ALL SSIGNON
* TSS WHOHAS PTKTDATA(FEKAPPL)
RLIST PTKTDATA IRRPTAUTH.FEKAPPL.* ALL
* TSS WHOHAS PTKTDATA(IRRPTAUTH.FEKAPPL.)

# activate port of entry checking
# RLIST FACILITY BPX.POE ALL
* TSS WHOHAS IBMFAC(BPX.POE)
# RDEFINE FACILITY BPX.POE UACC(NONE)
* TSS ADD(owningacid) IBMFAC(BPX.POE)
  (Not needed. Done in a previous step with 'TSS ADD(owningacid) IBMFAC(BPX.)'.)
# PERMIT BPX.POE CLASS(FACILITY) ACCESS(READ) ID(STCRSE)
* TSS PER(STCRSE) IBMFAC(BPX.POE) ACC(READ)
# SETROPTS RACLIST(FACILITY) REFRESH
* No CA Top Secret equivalent and not needed.

# show results -------------------------------------------------------
RLIST FACILITY BPX.POE ALL
* TSS WHOHAS IBMFAC(BPX.POE)

In addition to the CA Top Secret commands above, a facility should be defined in CA Top Secret for the RDz address space. For example:

TSS MODIFY FACILITY(USERnn=NAME=RDZ)
TSS MODIFY FACILITY(RDZ=MODE=FAIL)
TSS MODIFY FACILITY(RDZ=PGM=BPX)
TSS MODIFY FACILITY(RDZ=...)

where 'nn' is an unused facility number on your system and '...' stands for any other FACILITY control options whose default settings you want to override. A TSS MODIFY command stays in effect only until the next recycle of CA Top Secret. To make the changes permanent, add the corresponding FACILITY statements to the CA Top Secret parameter file:

FACILITY(USERnn=NAME=RDZ)
FACILITY(RDZ=MODE=FAIL)
FACILITY(RDZ=PGM=BPX)
FACILITY(RDZ=...)

Once the FACILITY is defined, add it as the MASTFAC of the RDz region ACID to associate the FACILITY with the region:

TSS ADD(regionacid) MASTFAC(facilityname)

Every user of the FACILITY must be authorized to it in order to sign on:

TSS ADD(acid) FAC(facilityname)

where 'acid' is the user ACID, an attached profile, or the ALL record if all users need access. The RDz started task must be recycled after the MASTFAC is added for the change to take effect.