The following are ACF2 commands in batch format that are used to set up the certificates and access rules needed for AT-TLS. This includes resource rules for the TCP/IP resources required by many components of AT-TLS, such as PAGENT and IMS Connect.
The ACFBATCH job below can be used to set up ACF2 security for AT-TLS.
//ACFBATCH EXEC PGM=IKJEFT01,REGION=0K
//*=============================================================
//* AT-TLS Support
//*=============================================================
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN DD *
*
* Create the keyring
*
ACF
SET PROFILE(USER) DIV(KEYRING)
INSERT CS09.RING RINGNAME(ATTLS_keyring)
*
* GENCERT the certauth certificate
*
GENCERT CERTAUTH.cs09 SUBJ(CN='itso.ibm.com' -
   O='I.B.M Corporation' C=US) -
   LABEL(LOCALCA) KEYUSAGE(certsign)
*
* GENCERT the personal certificate
*
GENCERT CS09.CERT SUBJ(CN='SC30ServerCert' OU='ITSO' C=US) -
   LABEL(SC30ServerCert) SIGNWITH(certauth Label(LOCALCA))
*
* Connect the certificates
*
CONNECT CERTDATA(CS09.CERT) KEYRING(CS09.RING) USAGE(PERSONAL) -
   DEFAULT
CONNECT CERTDATA(CERTAUTH.cs09) KEYRING(CS09.RING) USAGE(CERTAUTH)
*
* Create CLASMAP record to map resource CSFSERV to TYPE(CSF) rather
* than the default TYPE(SAF)
*
SET CONTROL(GSO)
INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) ENTITYLN(8)
F ACF2,REFRESH(CLASMAP)
*
* Add the CSFSERV resource rules
*
SET RESOURCE(CSF)
RECKEY CSFDSV ADD( UID(UID string for CS09) -
   SERVICE(READ) ALLOW)
RECKEY CSFPKE ADD( UID(UID string for CS09) -
   SERVICE(READ) ALLOW)
*
* Create PAGENT logonid and designate as a started task
*
SET LID
INSERT PAGENT NAME(TCP/IP POLICY AGENT) STC UID(0) HOME(/) GROUP(SYS1)
SET CONTROL(GSO)
INSERT STC.pagent LOGONID(PAGENT) STCID(PAGENT*)
F ACF2,REFRESH(STC)
*
* Add OPERCMD resource rules that
* restrict startup of policy agent
*
SET RESOURCE(OPR)
RECKEY MVS ADD(SERVMGR.PAGENT UID(UID string for PAGENT) SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(OPR)
*
* Add SERVAUTH resource rules that control which users can have
* access to the TCP/IP stack before PAGENT is active
*
SET RESOURCE(SER)
RECKEY EZB ADD( INITSTACK.sysname.tcpprocname UID(*) -
   SERVICE(READ) ALLOW)
* OMPROUTE daemon (If applicable)
RECKEY EZB ADD( INITSTACK.- UID(UID string for OMPROUTE) -
SERVICE(READ) ALLOW)
* SNMP agent and subagents (If applicable)
RECKEY EZB ADD( INITSTACK.- UID(UID string for OSNMPD) -
SERVICE(READ) ALLOW)
RECKEY EZB ADD( INITSTACK.- UID(UID string for IOBSNMP) -
SERVICE(READ) ALLOW)
* NAME daemon (If applicable)
RECKEY EZB ADD( INITSTACK.- UID(UID string for NAMED) -
SERVICE(READ) ALLOW)
*
* Add the SERVAUTH resource rules to control which
* users can start, stop and refresh PAGENT
*
SET R(SER)
RECKEY EZB ADD( PAGENT.sysname.tcpprocname.- UID(*) -
SERVICE(READ) ALLOW)
*
* If RSER is not already specified in the GSO INFODIR, add it
*
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RSER) ADD
*
* PAGENT logonid must have READ access to the BPX.DAEMON resource
*
SET R(FAC)
RECKEY BPX ADD( DAEMON UID(*) SERVICE(READ) ALLOW)
*
* To activate the new records issue the following operator commands:
*
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(SER)
F ACF2,REBUILD(FAC)
END
//*