How do I set up ACF2 for IBM Health Checker?
- Define a Logonid with associated USER and GROUP profiles:
INSERT hcsuperid NAME(health checker) STC UID(0) -
HOME(/) PROGRAM(/bin/sh) GROUP(OMVSGRP)
SET PROFILE(GRP) DIV(OMVS)
INSERT OMVSGRP GID(nn)
(Replace the lower case values with desired names)
F ACF2, REBUILD(USR), CLASS(P)
F ACF2, REBUILD(GRP), CLASS(P)
- Modify your SYS1 access rule to allow this Logonid:
- WRITE access to PRODSYS.HZSPDATA.
- READ access to SYS1.PARMLIB.
If using a log stream:
- Write a resource rule for the Resource TYPE mapped to the LOGSTRM Resource Class (as delivered it is SAF; check the ACF SHOW CLASMAP output) and give the Logonid SERVICE(UPDATE) access to the log stream name, e.g.:
UID(uidmask) SERVICE(UPDATE) ALLOW
- If the resource type is resident (check the ACF SHOW RESIDENT output), issue the command F ACF2,REBUILD(saf).
- Write a resource rule for the Resource TYPE mapped to the FACILITY Resource Class (as delivered it is FAC; check the ACF SHOW CLASMAP output) and give the HZSPRINT utility Logonid SERVICE(READ) access to the log stream name, e.g.:
UID(uidmask) SERVICE(READ) ALLOW
- If the resource type is resident (check the ACF SHOW RESIDENT output), issue the command F ACF2,REBUILD(fac).
- As delivered by CA, the Resource Classes XFACILIT and GXFACILI are mapped to Resource Types XFC and GXF respectively. Check via the ACF SHOW CLASMAP command that you have not changed this.
- Write resource rules for the Resource Names, masked as appropriate, with the required access in the SERVICE keyword. The ACF2 equivalents of the RACF attributes used in the Resource Rule SERVICE keyword are:
RACF      ACF2 Resource Rule
-----     ------------------
READ      READ
UPDATE    UPDATE
ALTER     ADD
CONTROL   DELETE
EXECUTE   EXECUTE
Note that RACF attributes are hierarchical so, for example, UPDATE includes READ access; in ACF2 each attribute must be specified, e.g. SERVICE(READ,UPDATE). If no SERVICE keyword is included in the resource rule, all accesses are allowed.
A very basic rule that would allow all users access to all HZS resources would be:
- UID(*) ALLOW
Changing ALLOW to LOG would log each validation to SMF and still allow it.
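As an added illustration (not part of the original FAQ): a small Python helper that expands a hierarchical RACF access level into the explicit ACF2 SERVICE list from the table above, renders a rule line, and flags rule lines that omit SERVICE and therefore allow every access. The full RACF order READ < UPDATE < CONTROL < ALTER (the page only states that UPDATE includes READ), the standalone treatment of EXECUTE, and the sample rule lines are assumptions.

```python
import re

# RACF attribute -> ACF2 SERVICE keyword, exactly as in the table above.
RACF_TO_ACF2 = {"READ": "READ", "UPDATE": "UPDATE", "CONTROL": "DELETE",
                "ALTER": "ADD", "EXECUTE": "EXECUTE"}
# RACF levels are hierarchical (the page notes UPDATE includes READ). The
# full order assumed here is the standard RACF one; EXECUTE is kept separate.
RACF_HIERARCHY = ["READ", "UPDATE", "CONTROL", "ALTER"]


def acf2_services(racf_level):
    """Expand a RACF access level into the explicit list ACF2 needs."""
    level = racf_level.upper()
    if level == "EXECUTE":
        return ["EXECUTE"]
    if level not in RACF_HIERARCHY:
        raise ValueError(f"unknown RACF access level: {racf_level}")
    implied = RACF_HIERARCHY[: RACF_HIERARCHY.index(level) + 1]
    return [RACF_TO_ACF2[attr] for attr in implied]


def build_rule(uidmask, racf_level, action="ALLOW"):
    """Render one ACF2 resource rule line with an explicit SERVICE keyword."""
    return f"UID({uidmask}) SERVICE({','.join(acf2_services(racf_level))}) {action}"


SERVICE_RE = re.compile(r"SERVICE\(([^)]*)\)", re.IGNORECASE)
UID_RE = re.compile(r"UID\(([^)]*)\)", re.IGNORECASE)


def audit_rules(rule_lines):
    """Flag rule lines without SERVICE(), since ACF2 then allows every access.

    Returns a list of (line, reason) tuples; an empty list means nothing found.
    """
    findings = []
    for line in rule_lines:
        uid = UID_RE.search(line)
        if not uid:
            continue  # not a UID entry (e.g. the $KEY header line)
        if SERVICE_RE.search(line):
            continue  # explicit access list present
        scope = "all users" if uid.group(1).strip() == "*" else f"UID({uid.group(1)})"
        findings.append((line, f"no SERVICE keyword: {scope} get every access"))
    return findings


if __name__ == "__main__":
    # Constructed sample rule set, not taken from any real system.
    sample = ["$KEY(HZS) TYPE(XFC)", "UID(*) ALLOW", build_rule("hcsuperid", "UPDATE")]
    for finding in audit_rules(sample):
        print(finding)
```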
- The TYPE(XFC) Resource Class XFACILIT validation is a RACROUTE FASTAUTH call. SAF FASTAUTH calls require resident directories because there can be no I/O. Create a globally resident directory for a resource class by specifying the resource class in a GSO INFODIR record. This can be done as follows:
CHANGE INFODIR TYPES(R-RXFC)
Once the INFODIR record has been updated, issue the following commands to activate the changes:
For details on Resource rules, the GSO INFODIR and the MODIFY ACF2 commands see the CA ACF2 for z/OS