How do I set up ACF2 for IBM HealthChecker?

Document ID : KB000027210
Last Modified Date : 14/02/2018

Question:  

How do I set up ACF2 for IBM HealthChecker?

Answer:

  1. Define a Logonid with associated USER and GROUP profiles:
    ACF
    SET LID
    INSERT hcsuperid NAME(health checker) STC UID(0) -
    HOME(/) PROGRAM(/bin/sh) GROUP(OMVSGRP)
    SET PROFILE(GRP) DIV(OMVS)
    INSERT OMVSGRP GID(nn)

    (Replace the lower case values with desired names)

    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,REBUILD(GRP),CLASS(P)
  2. Modify your SYS1 access rule to allow this Logonid:

    - WRITE access to PRODSYS.HZSPDATA.
    - READ access to SYS1.PARMLIB.

  3. If using a log stream:
    - write a resource rule for the Resource TYPE mapped to the LOGSTRM Resource Class (as delivered it is SAF - check ACF SHOW CLASMAP output) - and give the Logonid SERVICE(UPDATE) access to the logstreamname, e.g.:

    $KEY(logstreamname) TYPE(saf)
    UID(uidmask) SERVICE(UPDATE) ALLOW

    - if the resource type is resident (check ACF SHOW RESIDENT output) issue command F ACF2,REBUILD(saf).

    - write a resource rule for the Resource TYPE mapped to the FACILITY Resource Class (as delivered it is FAC - check ACF SHOW CLASMAP output) and give the HZSPRINT utility Logonid SERVICE(READ) access to the logstreamname, e.g.:

    $KEY(logstreamname) TYPE(fac)
    UID(uidmask) SERVICE(READ) ALLOW

    - if the resource type is resident (check ACF SHOW RESIDENT output) issue command F ACF2,REBUILD(fac).

  4. As delivered by CA, the Resource Classes XFACILIT and GXFACILI are mapped to Resource Types XFC and GXF respectively. Check via ACF SHOW CLASMAP command that you have not changed this.
  5. Write resource rules for the Resource Names, masked as appropriate, with required access in the SERVICE keyword. The ACF2 equivalents of the RACF attributes for use in the Resource Rules SERVICE keyword are:

     RACF      ACF2 Resource Rule
     -----     ---------------------
     READ      READ
     UPDATE    UPDATE
     ALTER     ADD
     CONTROL   DELETE
     EXECUTE   EXECUTE

  6. Note that RACF attributes are hierarchical so, for example, UPDATE includes READ access; in ACF2 each attribute must be specified, e.g. SERVICE(READ,UPDATE). If no SERVICE keyword is included in the resource rule, all accesses are allowed.

    A very basic rule that would allow all users access to all HZS resources would be:

    $KEY(HZS) TYPE(XFC)
    - UID(*) ALLOW

    Changing ALLOW to LOG would log to SMF and ALLOW all validations.

  7. The TYPE(XFC) Resource Class XFACILIT validation is a RACROUTE FASTAUTH call. SAF FASTAUTH calls require resident directories because there can be no I/O. Create a globally resident directory for a resource class by specifying the resource class in a GSO INFODIR record. This can be done as follows:

    SET CONTROL(GSO)
    CHANGE INFODIR TYPES(R-RXFC)

    Once the INFODIR record has been updated, issue the following commands to activate the changes:

    F ACF2,REFRESH(INFODIR)
    F ACF2,REBUILD(XFC),CLASS(R)
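
The attribute table in step 5 and the non-hierarchical SERVICE behaviour in step 6 can be applied and checked mechanically. The following Python is an added example, not part of the original document or of any CA or IBM tooling; the function names, UID values and sample rule are constructed for illustration, and EXECUTE is assumed to map one-to-one without taking part in the expansion.

```python
import re

# RACF attribute -> ACF2 SERVICE value, from the table in step 5.
RACF_TO_ACF2 = {"READ": "READ", "UPDATE": "UPDATE", "CONTROL": "DELETE",
                "ALTER": "ADD", "EXECUTE": "EXECUTE"}
# RACF hierarchy, lowest to highest. EXECUTE is kept out of the chain so that
# UPDATE expands to SERVICE(READ,UPDATE) as in step 6 (assumption of this example).
HIERARCHY = ["READ", "UPDATE", "CONTROL", "ALTER"]

def services_for(racf_access):
    """Expand one hierarchical RACF access level into explicit ACF2 SERVICE values."""
    level = racf_access.upper()
    if level not in RACF_TO_ACF2:
        raise ValueError(f"unknown RACF access level: {racf_access}")
    if level not in HIERARCHY:
        return [RACF_TO_ACF2[level]]
    chain = HIERARCHY[:HIERARCHY.index(level) + 1]
    return [RACF_TO_ACF2[name] for name in chain]

def rule_entry(uid_mask, racf_access):
    """Build a rule entry line in the form shown in step 3."""
    return f"UID({uid_mask}) SERVICE({','.join(services_for(racf_access))}) ALLOW"

def audit(rule_text):
    """Return (entry, finding) pairs for entries that grant more than intended."""
    findings = []
    for line in rule_text.splitlines():
        entry = line.strip().upper()
        # Skip the $KEY header, blank lines and entries that do not grant access.
        if "UID(" not in entry or not re.search(r"\b(ALLOW|LOG)\b", entry):
            continue
        if not re.search(r"SERVICE\(", entry):
            findings.append((line.strip(), "no SERVICE keyword: all accesses allowed"))
        if re.search(r"UID\(\*\)", entry):
            findings.append((line.strip(), "UID(*) matches every user"))
    return findings

# Constructed sample rule, not taken from a real system.
SAMPLE = """$KEY(HZS) TYPE(XFC)
 - UID(*) ALLOW
 QUERY UID(OPSGRP) SERVICE(UPDATE) ALLOW
 RUN UID(HCADMIN) SERVICE(READ,UPDATE) ALLOW"""

if __name__ == "__main__":
    print(rule_entry("HCADMIN", "CONTROL"))
    for entry, finding in audit(SAMPLE):
        print(f"{finding}: {entry}")
```

Run against the "very basic rule" from step 6, the audit reports both the missing SERVICE keyword and the UID(*) mask on the same entry.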

Additional Information: 
For details on Resource rules, the GSO INFODIR and the MODIFY ACF2 commands see the CA ACF2 for z/OS Administration Guide.