Yes, there is an ACF2 job, FEKACF, that can be used to define the ACF2 rules, users, and profile records for Rational Developer for System z; it is the equivalent of the RACF job FEKRACF.
The ACF2 FEKACF job follows. There is also a link to download the sample JCL file 1628078671939__FEKACF.TXT at the bottom of the article. Details on the ACF2 commands can be found in the CA-ACF2 Security for z/OS Administrator Guide. Please review all comments and customize as appropriate.
//FEKACF JOB 1,'DEFINE ACF2 SETTINGS' 00010003
//*********************************************************************
//* *
//* *
//* CA ACF2 FOR z/OS *
//* COPYRIGHT (C) 2009 CA. ALL RIGHTS RESERVED. *
//* *
//* MEMBER: FEKACF2 *
//* *
//* Rational Developer for System z *
//* This JCL can be used to define ACF2 rules, users, profile *
//* records and make mandatory z/OS UNIX files program controlled. *
//* *
//* CAUTIONS: *
//* A) This JOB contains case sensitive path statements. *
//* B) This is neither a JCL procedure nor a complete JOB. *
//* Before using this JCL, you will have to make the following *
//* modifications: *
//* *
//* 1) Add the JOB parameters to meet your system requirements. *
//* *
//* 2) Customize the different steps of this jcl as documented in *
//* the step headers. *
//* A. ACF2INIT *
//* B. USER *
//* C. DATASET *
//* D. STC *
//* E. JESCMDS *
//* F. SERVER *
//* G. PROGCTLM *
//* H. PSTICKET *
//* I. POE *
//* J. PROGCTLU (z/OS UNIX) *
//* *
//* Notes: *
//* *
//* 1. The user ID that enters these commands must have SECURITY, *
//* ACCOUNT and REFRESH. *
//* *
//* 2. The user ID that runs this JOB must have READ access to *
//* BPX.FILEATTR.PROGCTL (FACILITY CLASS) or be UID(0). *
//* *
//* 3. This job should complete with a return code 0. *
//* The ACF2 steps of this job will complete with a return code 0. *
//* The results of each step must be verified after completion. *
//* (batch TSO may not fail a step when an ACF subcommand is *
//* rejected, so read the SYSTSPRT output of every ACFCOM step) *
//* *
//* 4. Once customized, the PSTICKET step holds the PassTicket *
//* secret key in clear text and the other steps name the *
//* privileged UID strings: restrict read access to this member *
//* and do not leave the live key in a shared library. *
//* *
//*********************************************************************
//*
//* PROCEDURE TO EXECUTE ACF2 COMMANDS WITH COMMENTS
//* - no customization needed
//*
//* Runs batch TSO (IKJEFT01). CMD defaults to an empty PARM, so the
//* commands are read from SYSTSIN, which every calling step overrides
//* with instream data. SYSEXEC points at the temporary PDS built by
//* the COMMENT step, so a SYSTSIN line that starts with # resolves to
//* the REXX NOP exec and acts as a comment. Command output, including
//* any rejected ACF subcommand, goes to SYSTSPRT and must be reviewed
//* after each step.
//*
//ACFCOM PROC CMD=''
//ACFCOM EXEC PGM=IKJEFT01,REGION=0M,PARM=&CMD
//SYSEXEC DD DISP=(SHR,PASS),DSN=&&COMMENT
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD DUMMY
// PEND
//*
//* CREATE TEMP REXX TO BE USED AS COMMENT CHARACTER FOR BATCH TSO
//* - no customization needed
//*
//* Writes member # of the passed temporary PDS &&COMMENT. The member
//* does nothing (NOP, EXIT 0), so any SYSTSIN line starting with # is
//* a no-op in the ACFCOM steps. UNIT=3390 is a device type; presumably
//* a site esoteric such as SYSDA works as well (confirm before use).
//* The REXX source ends at the $$ delimiter set by DLM=$$.
//*
//COMMENT EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSUT2 DD DISP=(NEW,PASS),DSN=&&COMMENT(#),
// SPACE=(TRK,(1,1,1)),DCB=(RECFM=FB,LRECL=80),UNIT=3390
//SYSUT1 DD DATA,DLM=$$
/* REXX */
/* COMMENT COMMAND TO BE USED IN BATCH TSO */
NOP
EXIT 0
$$
//*********************************************************************
//* REQUIRED SETTINGS AND CLASSES
//*
//* CA ACF2 has the following classes pre-defined:
//* FACILITY, CONSOLE, OPERCMDS, APPL, PTKTDATA, and PROGRAM
//*
//* No customization is needed to define these classes.
//*
//* The ACF2INIT step below is left commented out (its EXEC and
//* SYSTSIN lines start with //*), so nothing runs here; it is
//* presumably a placeholder for sites that need extra class setup.
//*********************************************************************
//*ACF2INIT EXEC ACFCOM
//*SYSTSIN DD *
//*******************************************************************
//* DEFINE OMVS SEGMENT FOR USERS
//* - replace #user with user ID (assumes user ID already defined)
//* - replace #user-identifier with non-zero z/OS UNIX user ID
//* - replace #group-name with default ACF2 group for user ID
//* - replace #group-identifier with z/OS UNIX group ID
//*
//* Note: Ensure the home directory exists and the
//* permissions for the directory allow #user access.
//*
//* Repeat the two ACF/END sequences for every user and group that
//* needs z/OS UNIX access. UID(0) is the z/OS UNIX superuser, so
//* developer IDs must keep a non-zero UID; prefer a UID that is not
//* already assigned to another user ID.
//*******************************************************************
//USER EXEC ACFCOM
//SYSTSIN DD *
# add OMVS profile record for existing user ID
# the trailing dash continues the insert command on the next line
ACF
set profile(user) div(omvs)
insert #user UID(#user-identifier) -
home(/u/#user) omvspgm(/bin/sh)
END
# add OMVS profile record for existing group
# #group-name is the default ACF2 group of #user, see step header
ACF
set profile(group) div(omvs)
insert #group-name GID(#group-identifier)
END
//*********************************************************************
//* DEFINE DATA SET PERMISSIONS
//* - change "FEK.#CUST." to the appropriate high level qualifier(s)
//* of customized data sets
//* - change "FEK." to the appropriate high level qualifier(s)
//* of installation data sets
//* - change #sysprog to the sysprog's ACF2 UID string
//* - change #ram-developer to the RAM developer's ACF2 UID string
//* (not referenced by any entry below; add an entry if needed)
//* - change #cicsadmin to the CICS administrator's ACF2 UID string
//*
//* Notes:
//* + FEK.SFEKAUTH is an APF-authorized data set.
//* It is strongly advised that you protect data sets
//* FEK.SFEKLOAD and FEK.SFEKLPA against updates.
//* + Write or allocate access to an APF-authorized library is
//* equivalent to full system privilege, so the w(a)/a(a) entry on
//* the FEK.- mask must stay limited to the #sysprog UID string, and
//* that string should match as few logonids as possible.
//* + The entries are keyed on the high level qualifier (fek) and "-"
//* masks the remaining qualifiers. Where a #cust entry grants uid(*)
//* read and a named UID string write, ACF2 is expected to apply the
//* more specific entry to the named users; verify with a test access.
//* + lstrans.file and adnman-.- are writable by every user; confirm
//* that your site needs this.
//*********************************************************************
//DATASET EXEC ACFCOM
//SYSTSIN DD *
# general data set protection
# sysprog gets full access, everyone else read only, except the
# customized data sets listed after the two FEK.- entries
ACF
set rule
reckey fek add(- uid(#sysprog) r(a) w(a) a(a))
reckey fek add(- uid(*) r(a))
reckey fek add(#cust.lstrans.file uid(*) r(a) w(a))
reckey fek add(#cust.cra-.- uid(*) r(a))
reckey fek add(#cust.adnrep-.- uid(*) r(a))
reckey fek add(#cust.adnrep-.- uid(#cicsadmin) r(a) w(a))
reckey fek add(#cust.adnman-.- uid(*) r(a) w(a))
END
//*********************************************************************
//* DEFINE STARTED TASKS
//* - (optional) change STCGROUP to the group name for started tasks
//* - (optional) change GID(1) to the z/OS UNIX group ID
//* - (optional) change STCJMON to the user ID of the JMON started task
//* - (optional) change UID(7) to the z/OS UNIX ID of STCJMON
//* - (optional) change STCRSE to the user ID of the RSED started task
//* - (optional) change UID(8) to the z/OS UNIX ID of STCRSE
//* - (optional) change STCLOCK to the user ID of the LOCK started task
//* - (optional) change UID(9) to the z/OS UNIX ID of STCLOCK
//*
//* Notes:
//* + the three daemon logonids get non-zero z/OS UNIX UIDs; the
//* SERVER and POE steps later grant STCRSE the specific FACILITY
//* access it needs instead of UID(0)
//* + the f acf2 modify commands below need the REFRESH authority
//* listed in the job header
//* + if you rename a logonid here, rename it in the SERVER,
//* PSTICKET and POE steps as well
//*********************************************************************
//STC EXEC ACFCOM
//SYSTSIN DD *
# group for started tasks
ACF
set profile(group) div(omvs)
insert stcgroup gid(1)
END
# userid for JES job monitor
# stc marks the logonid for started task use only
ACF
set lid
insert stcjmon name(RDZ - JES JOBMONITOR) stc -
group(stcgroup) uid(7) home(/tmp) omvspgm(/bin/sh)
END
# userid for RSE daemon
# no set lid here, ACF is assumed to start in lid mode, confirm
ACF
insert stcrse name(RDZ - RSE DAEMON) stc -
group(stcgroup) uid(8) home(/tmp) omvspgm(/bin/sh)
END
# userid for LOCK daemon
ACF
insert stclock name(rdz - LOCK DAEMON) stc -
group(stcgroup) uid(9) home(/tmp) omvspgm(/bin/sh)
END
# Add a GSO STC record for each of the started tasks
# ties each started task name to its logonid and group, refresh
# makes the new records active
ACF
set c(gso)
insert STC.rsetask stc(rsed) logonid(stcrse) group(stcgroup)
insert STC.jmontask stc(jmon) logonid(stcjmon) group(stcgroup)
insert STC.locktask stc(lock) logonid(stclock) group(stcgroup)
f acf2,refresh(stc)
end
# Show resulting STC table
ACF
show stc
end
//*********************************************************************
//* DEFINE JES COMMAND SECURITY
//* - no customization needed
//*
//* Notes:
//* + the JMON console name cannot be changed
//* + Hold/Release/Cancel/Purge are the only JES commands available
//* + the commands can be limited in JES Job Monitor configuration file
//* > owned by user
//* > nodeid.userid.jobname.jobid profile in JESSPOOL class
//*
//* Ensure CLASMAPs records map each class to an appropriate 3-character
//* type code.
//*
//* How the rules below fit together:
//* + jes* is first denied to everyone and then allowed only when the
//* source is the jmon console, so users cannot issue these JES
//* commands directly; JMON applies the owner/JESSPOOL checks above
//* + every user may read the jmon console and the mvs key; that is
//* what lets JMON act for any user, so do not widen the jes* allow
//* entry beyond source(jmon)
//*********************************************************************
//JESCMDS EXEC ACFCOM
//SYSTSIN DD *
# define JMON console
ACF
set resource(saf)
reckey jmon add(uid(*) service(read) allow)
END
# define JMON console access
ACF
set resource(saf)
reckey mvs add(uid(*) service(read) allow)
END
# define conditional JES operator command access
# deny everyone first, then allow only from the JMON console
ACF
set resource(saf)
reckey jes* add(- uid(*) prevent)
reckey jes* add(- uid(*) source(jmon) service(read,update) allow)
END
//*********************************************************************
//* DEFINE RSE SERVER AS A SECURE Z/OS UNIX SERVER
//* - change STCRSE to the user ID of the RSED started task
//* (in the rule below the placeholder is "rsed uid string"; replace
//* it with the ACF2 UID string that matches the STCRSE logonid)
//*
//* Note: STCRSE requires UID(0) if this profile is not defined
//*
//* BPX.SERVER is what allows the daemon to work on behalf of client
//* users without running as UID(0). Access is first denied to all
//* and then granted to the daemon only; keep it that way and never
//* give service(update) on BPX.SERVER to a generic UID string.
//* The f acf2,rebuild(fac) modify command rebuilds the FACILITY
//* resource directory so the new entries take effect.
//*********************************************************************
//SERVER EXEC ACFCOM
//SYSTSIN DD *
# deny everyone, then allow the RSE daemon only
ACF
set resource(fac)
reckey bpx.server add(uid(*) prevent)
reckey bpx.server add(uid(rsed uid string) service(read,update) allow)
f acf2,rebuild(fac)
END
//*********************************************************************
//* DEFINE MVS PROGRAM CONTROLLED LIBRARIES FOR RSE SERVER
//* - provide correct data set names
//*
//* Ensure the following libraries are protected and permit READ access:
//* sys1.linklib, sys1.miglib, cee.sceerun, cee.sceerun2, isp.sisplpa, and
//* isp.sispload.
//*
//* The EXEC and SYSTSIN lines below start with //*, so this step does
//* not run. The libraries named above are presumably made program
//* controlled by your existing ACF2 setup (see the Administrator
//* Guide); write access to them should be restricted as tightly as
//* for FEK.SFEKAUTH, since a program controlled library is trusted.
//*
//*PROGCTLM EXEC ACFCOM
//*SYSTSIN DD *
//*********************************************************************
//* DEFINE PASSTICKET SUPPORT FOR RSE SERVER
//* - change key16...... (the sskey value) to a secret 16 character
//* hex string
//* - replace "stcrse uid string" in the irrptauth entry with the ACF2
//* UID string that matches the STCRSE logonid
//*
//* Notes:
//* + RSE can be configured to use the shared OMVSAPPL application ID
//* + the FEKAPPL application ID cannot be changed, but it can be
//* replaced by OMVSAPPL
//* + the sskey value is a shared secret: anyone who knows it can
//* generate PassTickets for FEKAPPL, so remove or mask it in this
//* member after the step has run and keep the member protected
//* + mult-use allows a PassTicket to be used more than once inside
//* its validity period; presumably required by RSE, otherwise omit
//* it (confirm against the RSE documentation)
//* + the irrptauth entry (service read,update) lets the STCRSE UID
//* string work with PassTickets for every FEKAPPL user (fekappl.-);
//* this daemon privilege is the point of the step and must not be
//* widened to other UID strings
//*********************************************************************
//PSTICKET EXEC ACFCOM
//SYSTSIN DD *
# define RSE server as an application
ACF
set resource(saf)
reckey fekappl add(uid(*) service(read) allow)
END
# activate passticket support for RSE application
# sskey holds the secret key, irrptauth limits ticket use to STCRSE
ACF
set profile(ptktdata) div(ssignon)
insert fekappl mult-use sskey(key16......)
set resource(ptk)
reckey irrptauth add(fekappl.- uid(stcrse uid string) -
service(read,update) allow)
END
//*********************************************************************
//* DEFINE PORT OF ENTRY CHECKING FOR RSE SERVER
//* - change STCRSE to the user ID of the RSED started task
//* (in the rule below the placeholder is "stcrse uid string"; replace
//* it with the ACF2 UID string that matches the STCRSE logonid)
//*
//* Notes:
//* + RSE server must be configured to use POE
//* + defining BPX.POE will impact other TCPIP applications, like INETD
//* + security zones should be set up in the SERVAUTH class
//* + STCRSE requires UID(0) if this profile is not defined and
//* you enable POE checking for RSE server
//* + BPX.POE is denied to everyone and then allowed for the daemon
//* only, like BPX.SERVER in the SERVER step
//* + the rebuild commands at the end reload the FACILITY resource
//* directory and the profile record directories changed by earlier
//* steps so that all inserts take effect
//*********************************************************************
//POE EXEC ACFCOM
//SYSTSIN DD *
# activate port of entry checking
# deny everyone, then allow the RSE daemon only
ACF
set resource(fac)
reckey bpx.poe add(uid(*) prevent)
reckey bpx.poe add(uid(stcrse uid string) service(read) allow)
f acf2,rebuild(fac)
f acf2,rebuild(grp),class(p)
f acf2,rebuild(usr),class(p)
f acf2,rebuild(ptk),class(p)
END
//*********************************************************************
//* MAKE JAVA INTERFACE PROGRAM CONTROLLED FOR RSE SERVER
//* - provide, in variable ACFJNI, the path of the Java interface
//* to your security software (default is /usr/lib/libIRRRacf.so)
//*
//* Notes:
//*
//* + You need READ access to the BPX.FILEATTR.PROGCTL profile
//* (FACILITY class) or UID(0) to execute the extattr command
//* + Since z/OS 1.10, /usr/lib/libIRRRacf.so is part of SAF, which
//* ships with base z/OS
//* + a program controlled file becomes part of the trusted program
//* environment of the RSE daemon; only mark the SAF JNI library at
//* the path in ACFJNI and make sure that file is not writable by
//* general users
//* + the PROGRAM step runs ls -E so the extended attributes can be
//* checked in its STDOUT; the p attribute should be present after
//* the extattr +p command
//* + the path is case sensitive (see CAUTION A in the job header)
//*
// SET ACFJNI='/usr/lib/libIRRRacf.so'
//*
//PROGCTLU EXEC PGM=BPXBATCH,
// PARM='SH extattr +p &ACFJNI.'
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//*
//* SHOW RESULTS OF THE EXTATTR COMMAND
//*
//PROGRAM EXEC PGM=BPXBATCH,
// PARM='SH ls -E &ACFJNI.'
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
/*