Converting IDz RACF commands to Top Secret

Article ID: 52795

Products

Top Secret

Issue/Introduction

IBM provides a FEKRACF member for IDz implementation. This member has only RACF commands. What are the Broadcom Top Secret equivalent commands?

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component:

Resolution

The following are the RACF commands from the FEKRACF member and the CA Top Secret equivalent commands. In the listing, lines beginning with '#' are comment lines from the FEKRACF member, unprefixed lines are the RACF commands as shipped, and each line beginning with '*' gives the CA Top Secret equivalent of the RACF command above it (or states that none is needed).

#  display current settings
# SETROPTS LIST
* No CA Top Secret equivalent and not needed.
 
#  activate facility class for z/OS UNIX profiles
# SETROPTS GENERIC(FACILITY)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
* No CA Top Secret equivalent and not needed.
 
#  activate started task definitions
# SETROPTS GENERIC(STARTED)
* No CA Top Secret equivalent and not needed.
 
# RDEFINE STARTED ** STDATA(USER(=MEMBER) GROUP(STCGROUP) TRACE(YES))
* TSS ADD(STC) PROCN(DEFAULT) ACID(defaultacid) - Skip this step if you
already have a default acid for undefined started tasks.
* TSS ADD(defaultacid) GROUP(STCGROUP) 
 
# SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
* No CA Top Secret equivalent and not needed.
 
#  activate console security for JES Job Monitor server
# SETROPTS GENERIC(CONSOLE)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(CONSOLE) RACLIST(CONSOLE)
* No CA Top Secret equivalent and not needed.
 
#  activate operator command protection for JES Job Monitor server
# SETROPTS GENERIC(OPERCMDS)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(OPERCMDS) RACLIST(OPERCMDS)
* No CA Top Secret equivalent and not needed.
 
#  activate application protection for RSE server
# SETROPTS GENERIC(APPL)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(APPL) RACLIST(APPL)
* No CA Top Secret equivalent and not needed.
 
#  activate secured signon using PassTickets for RSE server
# SETROPTS GENERIC(PTKTDATA)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
* No CA Top Secret equivalent and not needed.
 
#  activate program control for RSE server
# RDEFINE PROGRAM ** ADDMEM('SYS1.CMDLIB'//NOPADCHK) UACC(READ)
* TSS ADD(owningacid) DSN(SYS1.) 
* TSS PER(ALL) DSN(SYS1.CMDLIB) ACC(READ)
 
# SETROPTS WHEN(PROGRAM)
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 SETROPTS LIST
* No CA Top Secret equivalent and not needed.
 
#  add OMVS segment to existing user ID
# LISTUSER #userid NORACF OMVS
* TSS LIST(#userid) SEGMENT(OMVS)
 
# ALTUSER #userid OMVS(UID(#user-identifier) -
#  HOME(/u/#userid) OMVSPGM(/bin/sh) NOASSIZEMAX)
* TSS ADD(#userid) UID(#user-identifier) HOME(/u/#userid) OMVSPGM(/bin/sh)
 
#  add OMVS segment to existing group
# LISTGRP #group-name NORACF OMVS
* TSS LIST(#group-name) SEGMENT(OMVS)
 
# ALTGROUP #group-name OMVS(GID(#group-identifier))
* TSS ADD(#group-name) GID(#group-identifier)
 
#  HLQ stub
 LISTGRP FEK ALL
* TSS LIST(FEK) DATA(ALL)
 
 ADDGROUP (FEK) OWNER(IBMUSER) SUPGROUP(SYS1) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z - HLQ STUB')
* TSS CRE(FEK) NAME('RATIONAL DEV SYSTEM Z - HLQ STUB') TYPE(GROUP) -
 DEPT(deptacid) 
 
#  general data set protection
 LISTDSD PREFIX(FEK) ALL
* TSS WHOHAS DSN(FEK)
 
 ADDSD 'FEK.*.**' -
 UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) DSN(FEK)
* TSS PER(ALL) DSN(FEK) ACC(READ)
 
 PERMIT 'FEK.*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK) ACC(ALL)
 
#  sclmdt long/short name translation, users need update
 LISTDSD PREFIX(FEK.#CUST.LSTRANS)
* TSS WHOHAS DSN(FEK.#CUST.LSTRANS)
 
 ADDSD 'FEK.#CUST.LSTRANS.FILE' -
 UACC(UPDATE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - SCLMDT')
* TSS ADD(owningacid) DSN(FEK.#CUST.LSTRANS.FILE) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.LSTRANS.FILE) ACC(UPDATE)
 
 PERMIT 'FEK.#CUST.LSTRANS.FILE' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.LSTRANS.FILE) ACC(ALL)
 
#  carma ram development, ram developers need update
 LISTDSD PREFIX(FEK.#CUST.CRA)
* TSS WHOHAS DSN(FEK.#CUST.CRA)
 
 ADDSD 'FEK.#CUST.CRA*.**' -
 UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - CARMA')
* TSS ADD(owningacid) DSN(FEK.#CUST.CRA) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.CRA) ACC(READ)
 
 PERMIT 'FEK.#CUST.CRA*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.CRA) ACC(ALL)
 
 PERMIT 'FEK.#CUST.CRA*.**' -
 CLASS(DATASET) ACCESS(UPDATE) ID(#ram-developer)
* TSS PER(#ram-developer) DSN(FEK.#CUST.CRA) ACC(UPDATE)
 
#  CRD server, cics administrators need update
 LISTDSD PREFIX(FEK.#CUST.ADN)
* TSS WHOHAS DSN(FEK.#CUST.ADN)
 
 ADDSD 'FEK.#CUST.ADNREP*.**' -
 UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - ADN')
* TSS ADD(owningacid) DSN(FEK.#CUST.ADNREP) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.ADNREP) ACC(READ)
 
 PERMIT 'FEK.#CUST.ADNREP*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.ADNREP) ACC(ALL)
 
 PERMIT 'FEK.#CUST.ADNREP*.**' -
 CLASS(DATASET) ACCESS(UPDATE) ID(#cicsadmin)
* TSS PER(#cicsadmin) DSN(FEK.#CUST.ADNREP) ACC(UPDATE)
 
#  manifest repository, all users need update
 LISTDSD PREFIX(FEK.#CUST.ADN)
* TSS WHOHAS DSN(FEK.#CUST.ADN)
 
 ADDSD 'FEK.#CUST.ADNMAN*.**' -
 UACC(UPDATE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - ADN')
* TSS ADD(owningacid) DSN(FEK.#CUST.ADNMAN) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.ADNMAN) ACC(UPDATE)
 
 PERMIT 'FEK.#CUST.ADNMAN*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.ADNMAN)  ACC(ALL)
 
 SETROPTS GENERIC(DATASET) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 LISTGRP FEK ALL
* TSS LIST(FEK) DATA(ALL)
 
 LISTDSD PREFIX(FEK) ALL
* TSS WHOHAS DSN(FEK)
 
#  group for started tasks
 LISTGRP  STCGROUP OMVS
* TSS LIST(STCGROUP) SEGMENT(OMVS)
 
 ADDGROUP STCGROUP
* TSS CREATE(STCGROUP) TYPE(GROUP) NAME('STC GROUP W/OMVS SEGMENT') DEPT(dept)
 
 ALTGROUP STCGROUP OMVS(GID(1)) -
 DATA('STARTED TASK GROUP WITH OMVS SEGMENT')
* TSS ADD(STCGROUP) GID(1)
 
#  userid for JES job monitor
 LISTUSER STCJMON OMVS
* TSS LIST(STCJMON) SEGMENT(OMVS)
 
 ADDUSER  STCJMON -
 NOPASSWORD -
 DFLTGRP(STCGROUP) -
 OMVS(UID(7) HOME(/tmp) OMVSPGM(/bin/sh)) -
 NAME('RDZ - JES JOBMONITOR') -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCJMON) PASS(NOPW,0) NAME('RDZ - JES JOBMONITOR') DEPT(dept)
* TSS ADD(STCJMON) GROUP(STCGROUP) UID(7) HOME(/tmp) OMVSPGM(/bin/sh) -
 DFLTGRP(STCGROUP)
 
#  userid for RSE daemon
 LISTUSER STCRSE OMVS
* TSS LIST(STCRSE) SEGMENT(OMVS)
 
 ADDUSER  STCRSE -
 NOPASSWORD -
 DFLTGRP(STCGROUP) -
 OMVS(UID(8) HOME(/tmp) OMVSPGM(/bin/sh)) -
 NAME('RDZ - RSE DAEMON') -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCRSE) PASS(NOPW,0)  NAME('RDZ - RSE DAEMON') DEPT(dept)
* TSS ADD(STCRSE) UID(8) HOME(/tmp) OMVSPGM(/bin/sh) GROUP(STCGROUP) - 
 DFLTGRP(STCGROUP) 
 
#  userid for lock daemon
 LISTUSER STCLOCK OMVS
* TSS LIST(STCLOCK) SEGMENT(OMVS)
 
 ADDUSER  STCLOCK -
 NOPASSWORD -
 DFLTGRP(STCGROUP) -
 OMVS(UID(9) HOME(/tmp) OMVSPGM(/bin/sh)) -
 NAME('RDZ - LOCK DAEMON') -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCLOCK) PASS(NOPW,0) NAME('RDZ - LOCK DAEMON') DEPT(dept) 
* TSS ADD(STCLOCK) GROUP(STCGROUP) UID(9) HOME(/tmp) OMVSPGM(/bin/sh) -
 DFLTGRP(STCGROUP) 
 
#  started task for JES Job Monitor
 RLIST   STARTED JMON.* ALL STDATA
* TSS LIST(STC) PROCN(JMON) PREFIX
 
 RDEFINE STARTED JMON.* -
 STDATA(USER(STCJMON) GROUP(STCGROUP) TRUSTED(NO)) -
 DATA('RDZ - JES JOBMONITOR')
* TSS ADD(STC) PROCN(JMON) ACID(STCJMON)
* TSS ADD(STCJMON) GROUP(STCGROUP)
 
#  started task for RSE daemon
 RLIST   STARTED RSED.* ALL STDATA
* TSS LIST(STC) PROCN(RSED) PREFIX
 
 RDEFINE STARTED RSED.* -
 STDATA(USER(STCRSE) GROUP(STCGROUP) TRUSTED(NO)) -
 DATA('RDZ - RSE DAEMON')
* TSS ADD(STC) PROCN(RSED) ACID(STCRSE)
* TSS ADD(STCRSE) GROUP(STCGROUP)
 
#  started task for lock daemon
 RLIST   STARTED LOCKD.* ALL STDATA
* TSS LIST(STC) PROCN(LOCKD) PREFIX 
 
 RDEFINE STARTED LOCKD.* -
 STDATA(USER(STCLOCK) GROUP(STCGROUP) TRUSTED(NO)) -
 DATA('RDZ - LOCK DAEMON')
* TSS ADD(STC) PROCN(LOCKD) ACID(STCLOCK)
* TSS ADD(STCLOCK) GROUP(STCGROUP)
 
 SETROPTS RACLIST(STARTED) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 LISTGRP  STCGROUP OMVS
* TSS LIST(STCGROUP) SEGMENT(OMVS)
 
 LISTUSER STCJMON  OMVS
* TSS LIST(STCJMON) SEGMENT(OMVS)
 
 LISTUSER STCRSE   OMVS
* TSS LIST(STCRSE) SEGMENT(OMVS)
 
 LISTUSER STCLOCK  OMVS
* TSS LIST(STCLOCK) SEGMENT(OMVS)
 
 RLIST STARTED JMON.*  ALL STDATA
* TSS LIST(STC) PROCN(JMON) PREFIX
 
 RLIST STARTED RSED.*  ALL STDATA
* TSS LIST(STC) PROCN(RSED) PREFIX
 
 RLIST STARTED LOCKD.* ALL STDATA
* TSS LIST(STC) PROCN(LOCKD) PREFIX
 
#  define JMON console 
 RLIST   CONSOLE JMON ALL
* TSS WHOHAS TSOAUTH(CONSOLE)
 
 RDEFINE CONSOLE JMON UACC(READ) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) TSOAUTH(CONSOLE)
 
 SETROPTS RACLIST(CONSOLE) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  define JMON console access
 RLIST   OPERCMDS MVS.MCSOPER.JMON ALL
* TSS WHOHAS OPERCMDS(MVS.MCSOPER.JMON)
 
 RDEFINE OPERCMDS MVS.MCSOPER.JMON UACC(READ) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) OPERCMDS(MVS.MCSOPER.JMON) 
* TSS PER(ALL) OPERCMDS(MVS.MCSOPER.JMON) ACC(READ)
 
#  define conditional JES operator command access
 RLIST   OPERCMDS JES%.** ALL
* TSS WHOHAS OPERCMDS(JES%)
 
 RDEFINE OPERCMDS JES%.** -
 UACC(NONE)
* TSS ADD(owningacid) OPERCMDS(JES) 
 
 PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) ID(*) -
 WHEN(CONSOLE(JMON))
* TSS PER(ALL) OPERCMDS(JES%) ACC(UPDATE)
 
 SETROPTS RACLIST(OPERCMDS) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST   CONSOLE JMON ALL
* TSS WHOHAS TSOAUTH(CONSOLE)
 
 RLIST   OPERCMDS MVS.MCSOPER.JMON ALL
* TSS WHOHAS OPERCMDS(MVS.MCSOPER.JMON)
 
 RLIST   OPERCMDS JES%.** ALL
* TSS WHOHAS OPERCMDS(JES)
 
#  permit RSE server to create the client's security environment
 RLIST   FACILITY BPX.SERVER ALL
* TSS WHOHAS IBMFAC(BPX.SERVER) 
 
 RDEFINE FACILITY BPX.SERVER UACC(NONE)
* TSS ADD(owningacid) IBMFAC(BPX.)
 
 PERMIT BPX.SERVER CLASS(FACILITY) ACCESS(UPDATE) ID(STCRSE)
* TSS PER(STCRSE) IBMFAC(BPX.SERVER) ACC(UPDATE)
 
 SETROPTS RACLIST(FACILITY) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST   FACILITY BPX.SERVER ALL
* TSS WHOHAS IBMFAC(BPX.SERVER)
 
#  mark LE runtime & ISPF TSO/ISPF Client Gateway as program controlled
 RLIST  PROGRAM ** ALL
* TSS LIST(ALL) DATA(XAUTH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.LINKLIB'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.LINKLIB) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.MIGLIB'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.MIGLIB) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('CEE.SCEERUN'//NOPADCHK)
* TSS PER(ALL) DSN(CEE.SCEERUN) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('CEE.SCEERUN2'//NOPADCHK)
* TSS PER(ALL) DSN(CEE.SCEERUN2) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('ISP.SISPLPA'//NOPADCHK)
* TSS PER(ALL) DSN(ISP.SISPLPA) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('ISP.SISPLOAD'//NOPADCHK)
* TSS PER(ALL) DSN(ISP.SISPLOAD) ACC(FETCH)
 
#  (optional) mark Alt. REXX runtime, SSL and File Manager as progctl
# RALTER PROGRAM ** UACC(READ) ADDMEM('REXX.V1R4M0.SEAGALT'//NOPADCHK)
* TSS PER(ALL) DSN(REXX.V1R4M0.SEAGALT) ACC(FETCH)
 
# RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.SIEALNKE'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.SIEALNKE) ACC(FETCH)
 
# RALTER PROGRAM ** UACC(READ) ADDMEM('FMN.SFMNMODA'//NOPADCHK)
* TSS PER(ALL) DSN(FMN.SFMNMODA) ACC(FETCH)
 
 SETROPTS WHEN(PROGRAM) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST  PROGRAM ** ALL
* TSS LIST(ALL) DATA(XAUTH)
 
#  define RSE server as an application
 RLIST   APPL FEKAPPL ALL
* TSS WHOHAS APPL(FEKAPPL)
 
 RDEFINE APPL FEKAPPL UACC(READ) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) APPL(FEKAPPL)
* TSS PER(ALL) APPL(FEKAPPL) ACC(READ)
 
 SETROPTS RACLIST(APPL) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  activate passticket support for RSE application
 RLIST   PTKTDATA FEKAPPL ALL SSIGNON
* TSS WHOHAS PTKTDATA(FEKAPPL)
 
 RDEFINE PTKTDATA FEKAPPL UACC(NONE) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z') -
 APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE') -
 SSIGNON(KEYMASKED(key16           ))
* TSS ADD(NDT) PSTKAPPL(FEKAPPL) SESSKEY(key16           ) SIGNMULTI
 
 RLIST   PTKTDATA IRRPTAUTH.FEKAPPL.* ALL
* TSS WHOHAS PTKTDATA(IRRPTAUTH.FEKAPPL.)
 
 RDEFINE PTKTDATA IRRPTAUTH.FEKAPPL.* UACC(NONE) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) PTKTDATA(IRRPTAUTH.FEKAPPL.) 
 
 PERMIT IRRPTAUTH.FEKAPPL.* CLASS(PTKTDATA) ACCESS(UPDATE) ID(STCRSE)
* TSS PER(STCRSE) PTKTDATA(IRRPTAUTH.FEKAPPL.) ACC(UPDATE) 
 
 SETROPTS RACLIST(PTKTDATA) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST   APPL FEKAPPL ALL
* TSS WHOHAS APPL(FEKAPPL)
 
 RLIST   PTKTDATA FEKAPPL ALL SSIGNON
* TSS WHOHAS PTKTDATA(FEKAPPL) 
 
 RLIST   PTKTDATA IRRPTAUTH.FEKAPPL.* ALL
* TSS WHOHAS PTKTDATA(IRRPTAUTH.FEKAPPL.)
 
#  activate port of entry checking
# RLIST   FACILITY BPX.POE ALL
* TSS WHOHAS IBMFAC(BPX.POE)
 
# RDEFINE FACILITY BPX.POE UACC(NONE)
* TSS ADD(owningacid) IBMFAC(BPX.POE) - Not needed. Done in a previous
step with a 'TSS ADD(owningacid) IBMFAC(BPX.)'
 
# PERMIT BPX.POE CLASS(FACILITY) ACCESS(READ) ID(STCRSE)
* TSS PER(STCRSE) IBMFAC(BPX.POE) ACC(READ)
 
# SETROPTS RACLIST(FACILITY) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST   FACILITY BPX.POE ALL
* TSS WHOHAS IBMFAC(BPX.POE)


In addition to the above CA Top Secret commands, a facility should be defined in CA Top Secret for the RDz address space, for example:

TSS MODIFY FACILITY(USERnn=NAME=RDZ)
TSS MODIFY FACILITY(RDZ=MODE=FAIL)
TSS MODIFY FACILITY(RDZ=PGM=BPX)
TSS MODIFY FACILITY(RDZ=...)

where 'nn' is an unused facility number in your system and '...' stands for any other FACILITY control options whose default settings you want to override.

The TSS MODIFY command is only valid until the next recycle of CA Top Secret. To make the changes permanent, add the corresponding FACILITY statements to the CA Top Secret parameter file:

FACILITY(USERnn=NAME=RDZ)       
FACILITY(RDZ=MODE=FAIL) 
FACILITY(RDZ=PGM=BPX)
FACILITY(RDZ=...)

Once the FACILITY is defined, associate it with the RDz region by adding it as the MASTFAC of the region acid:

TSS ADD(regionacid) MASTFAC(facilityname)

All users of the FACILITY must be authorized to it in order to sign on:

TSS ADD(acid) FAC(facilityname)

where 'acid' is the user ACID, an attached profile, or the ALL record if all users need access.

The RDz started task will need to be recycled after adding the MASTFAC for the change to be picked up.