ACF2 equivalent to the RACF security setup for AT-TLS PAGENT

Article ID: 48997

Products

ACF2 ACF2 - DB2 Option ACF2 - z/OS ACF2 - MISC

Issue/Introduction

The following are ACF2 commands in batch format that are used to set up the certificates and access rules needed for AT-TLS. This includes resource rules for the TCP/IP resources required by many components of AT-TLS, such as PAGENT and IMS Connect.

Resolution

The following ACFBATCH job can be used to set up ACF2 security for AT-TLS. The placeholder values in the job (the UID strings, sysname and tcpprocname) must be replaced with the values for your site before it is run.

//ACFBATCH EXEC PGM=IKJEFT01,REGION=0K
//*=============================================================
//* AT-TLS Support
//*=============================================================
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
*
* Create the keyring
*
ACF
SET PROFILE(USER) DIV(KEYRING)
INSERT CS09.RING RINGNAME(ATTLS_keyring)
*
* GENCERT the certauth certificate
*
GENCERT CERTAUTH.cs09 SUBJ(CN='itso.ibm.com' -
O='I.B.M Corporation' C=US) -
LABEL(LOCALCA) KEYUSAGE(certsign)
*
* GENCERT the personal certificate
*
GENCERT CS09.CERT SUBJ(CN='SC30ServerCert' OU='ITSO' C=US) -
LABEL(SC30ServerCert) SIGNWITH(certauth Label(LOCALCA))
*
* Connect the certificates
*
CONNECT CERTDATA(CS09.CERT) KEYRING(CS09.RING) USAGE(PERSONAL) -
DEFAULT
CONNECT CERTDATA(CERTAUTH.cs09) KEYRING(CS09.RING) USAGE(CERTAUTH)
*
* Create CLASMAP record to map resource CSFSERV to TYPE(CSF) rather
*        than the default TYPE(SAF)
*
SET CONTROL(GSO)
INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) ENTITYLN(8)
F ACF2,REFRESH(CLASMAP)
*
* Add the CSFSERV resource rules
*
SET RESOURCE(CSF)
RECKEY CSFDSV ADD( UID(UID string for CS09) -
SERVICE(READ) ALLOW)
RECKEY CSFPKE ADD( UID(UID string for CS09) -
SERVICE(READ) ALLOW)
*
* Create PAGENT logonid and designate as a started task
*
SET LID
INSERT PAGENT NAME(TCP/IP POLICY AGENT) STC UID(0) HOME(/) GROUP(SYS1)
SET CONTROL(GSO)
INSERT STC.pagent LOGONID(PAGENT) STCID(PAGENT*)
F ACF2,REFRESH(STC)
*
* Add OPERCMD resource rules that
* restrict startup of policy agent
*
SET RESOURCE(OPR)
RECKEY MVS ADD(SERVMGR.PAGENT UID(UID string for PAGENT) SERVICE(DELETE) ALLOW)
F ACF2,REBUILD(OPR)
*
* Add SERVAUTH resource rules that control which users can have
* access to the TCP/IP stack before PAGENT is active
*
SET RESOURCE(SER)
RECKEY EZB ADD( INITSTACK.sysname.tcpprocname UID(*) -
SERVICE(READ) ALLOW)
*  OMPROUTE daemon (If applicable)
RECKEY EZB ADD( INITSTACK.- UID(UID string for OMPROUTE) -
SERVICE(READ) ALLOW)
*  SNMP agent and subagents (If applicable)
RECKEY EZB ADD( INITSTACK.- UID(UID string for OSNMPD) -
SERVICE(READ) ALLOW)
RECKEY EZB ADD( INITSTACK.- UID(UID string for IOBSNMP) -
SERVICE(READ) ALLOW)
*  NAME daemon (If applicable)
RECKEY EZB ADD( INITSTACK.- UID(UID string for NAMED) -
SERVICE(READ) ALLOW)
*
* Add the SERVAUTH resource rules to control which
* users can start, stop and refresh PAGENT
*
SET R(SER)
RECKEY EZB ADD( PAGENT.sysname.tcpprocname.- UID(*) -
SERVICE(READ) ALLOW)
*
* If RSER is not already specified in the GSO INFODIR record, add it
*
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RSER) ADD
*
* PAGENT logonid must have READ access to the BPX.DAEMON resource
* (UID(*) below matches every logonid; a site can narrow it to the
*  UID string for PAGENT)
*
SET R(FAC)
RECKEY BPX ADD( DAEMON UID(*) SERVICE(READ) ALLOW)
*
* To activate the new records issue the following operator commands:
*
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(SER)
F ACF2,REBUILD(FAC)
END
//*
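As an added example (not part of the original article), a second ACFBATCH job that lists the records the setup job created, so the keyring, the certificates connected to it, the PAGENT logonid, the started-task and CLASMAP mappings and the resource rule sets can be checked before AT-TLS is started. The job name ACFLIST is assumed; the record and rule key names are the ones used in the setup job above.

```jcl
//ACFLIST  EXEC PGM=IKJEFT01,REGION=0K
//*=============================================================
//* Verify the AT-TLS security records (added example, job name assumed)
//*=============================================================
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
ACF
*
* Keyring record and the certificates connected to it
*
SET PROFILE(USER) DIV(KEYRING)
LIST CS09.RING
*
* CA and server certificate records (subject, label, validity dates)
*
SET PROFILE(USER) DIV(CERTDATA)
LIST CERTAUTH.cs09
LIST CS09.CERT
*
* PAGENT logonid, started-task table and CLASMAP entries
*
SET LID
LIST PAGENT
SHOW STC
SHOW CLASMAP
*
* Resource rule sets created for AT-TLS
*
SET RESOURCE(CSF)
LIST CSFDSV
LIST CSFPKE
SET RESOURCE(OPR)
LIST MVS
SET RESOURCE(SER)
LIST EZB
SET RESOURCE(FAC)
LIST BPX
END
//*
```

Compare the LIST output for the EZB and BPX rule sets against the UID strings you substituted for the placeholders to confirm that only the intended logonids are permitted.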