CA Top Secret Commands Translation for z/OSMF on z/OS 2.2.

Document ID : KB000010467
Last Modified Date : 14/02/2018
Show Technical Document Details


- The documentation has got an attached file which contains the CA Top Secret commands to implement z/OSMF for z/OS 2.2 


- The first lines at the top of the file RACF2TSS_ZOSMF22.txt when you open it are NOTES. You have to carefully review all these notes before executing any command.


- Each single RACF command is left in commentary, followed by one or more CA Top Secret commands.


- the goal of the file is to translate RACF command to TSS one and to add some clauses to respect TSS syntax. But, it is not possible to run them all like they are.

  You have still got some customizations to perform to fit your local requirement. See NOTES in the file.  





- Download the attached file  RACF2TSS_ZOSMF22.txt to your host.


- Read the NOTES.


- Make all necessary change to fit your local requirement. It is possible that IBM makes some changes as well, depending on the release. 

   Then some translation might be missing. But, the file give you a lot of examples of translations, you can refer to them to make your own translation.


- It may be possible that when a digital certificate is generated, that you have to send it to an Certificate Authority to get it signed and validated and add it back to CA Top Secret database.

  This is not specified within the file, as we only translate the RACF command.


Additional Information:



- If you want to have more information about CA Top Secret commands, go to the link below:


The NOTES have been coped below:


*** Top Of Data ***



The #dept is one of your existing department or has to be created

You have to replace #dept with a department of your choice.      

With CA Top Secret the GROUP is reserved to manage GID() only.   

So, no permits can be done for a TSS GROUP. It's why it is needed

to create a TSS PROFILE to handle those permits.                 


You will see some additional lines with '##' in there.           

These lines are commented out on purpose. You can ignore it,     

except when they are there to create a PROFILE.                  

This PROFILE is likely used later on within this file.           

Be very careful and review. You have to assess whether you want  

to apply them or not. You can change the profile name to fit     

your site requirement. Be careful to do it on the entire file to 

keep the coherence.                                              


With RACF the keyring and the digital certificate are known by   

their label. With TSS, they are known by a TSS name.             

You have to review all name given for TSS coherent among the     

TSS commands to fit your site requirement.                       



will give:                                                       


Whenever the label is referenced in RACF command, A#KeyRg is     

use in the equivalent TSS command.                               


Some TSS commands are duplicate, you can either delete them or   

leave them all as they are and ignore the bad return code when   

they are executed.                                               


All change has to be done before executing these TSS commands.

*** End Of Data ***  


File Attachments: