I am planning on implementing RDz (Rational Developer for System z). Is there an ACF2 setup job equivalent to the RACF FEKRACF job?

Document ID : KB000053850
Last Modified Date : 14/02/2018

Description:

Yes. There is an ACF2 job, FEKACF, that defines the ACF2 rules, logonids and profile records for Rational Developer for System z; it is the ACF2 equivalent of the RACF FEKRACF job.

Solution:

The ACF2 FEKACF job follows. Details on the ACF2 commands can be found in the eTrust CA-ACF2 Security for z/OS Administrator Guide. The job is shipped with placeholder values (for example #user, #cust, key16 and "uid string"); review all comments, replace every placeholder, and customize each step as appropriate before submitting it.

//FEKACF JOB 1,'DEFINE ACF2 SETTINGS'
//*********************************************************************         
//*                                                                   *         
//*                                                                   *         
//* CA ACF2 FOR z/OS                                                  *         
//* COPYRIGHT (C) 2009 CA. ALL RIGHTS RESERVED.                       *         
//*                                                                   *         
//* MEMBER:    FEKACF2                                                *         
//*                                                                   *         
//* Rational Developer for System z                                   *         
//* This JCL can be used to define ACF2 rules, users, profile         *         
//* records and make mandatory z/OS UNIX files program controlled.    *         
//*                                                                   *         
//* CAUTIONS:                                                         *         
//* A) This JOB contains case sensitive path statements.              *         
//* B) This is neither a JCL procedure nor a complete JOB.            *         
//*    Before using this JCL, you will have to make the following     *         
//*    modifications:                                                 *         
//*                                                                   *         
//* 1) Add the JOB parameters to meet your system requirements.       *         
//*                                                                   *         
//* 2) Customize the different steps of this jcl as documented in     *         
//*    the step headers.                                              *         
//*  A. ACF2INIT                                                      *         
//*  B. USER                                                          *         
//*  C. DATASET                                                       *         
//*  D. STC                                                           *         
//*  E. JESCMDS                                                       *         
//*  F. SERVER                                                        *         
//*  G. PROGCTLM                                                      *         
//*  H. PSTICKET                                                      *         
//*  I. POE                                                           *         
//*  J. PROGCTLU (z/OS UNIX)                                          *         
//*                                                                   *         
//* Notes:                                                            *         
//*                                                                   *         
//* 1. The user ID that enters these commands must have SECURITY,     *         
//*    ACCOUNT and REFRESH.                                           *         
//*                                                                   *         
//* 2. The user ID that runs this JOB must have READ access to        *         
//*    BPX.FILEATTR.PROGCTL (FACILITY CLASS) or be UID(0).            *         
//*                                                                   *         
//* 3. This job should complete with return code 0. The ACF2 steps    *         
//*    return 0 whether or not every command was accepted, so         *         
//*    verify the SYSTSPRT output of each step after completion.      *         
//*                                                                   *         
//*********************************************************************         
//*                                                                             
//* PROCEDURE TO EXECUTE ACF2 COMMANDS WITH COMMENTS                            
//* - no customization needed                                                   
//*                                                                             
//ACFCOM   PROC CMD=''                                                          
//ACFCOM   EXEC PGM=IKJEFT01,REGION=0M,PARM=&CMD                                
//SYSEXEC  DD DISP=(SHR,PASS),DSN=&&COMMENT                                     
//SYSTSPRT DD SYSOUT=*                                                          
//SYSTSIN  DD DUMMY                                                             
//         PEND                                                                 
//*                                                                             
//* CREATE TEMP REXX TO BE USED AS COMMENT CHARACTER FOR BATCH TSO              
//* - no customization needed                                                   
//*                                                                             
//COMMENT  EXEC PGM=IEBGENER                                                    
//SYSPRINT DD SYSOUT=*                                                          
//SYSIN    DD DUMMY                                                             
//SYSUT2   DD DISP=(NEW,PASS),DSN=&&COMMENT(#),                                 
//            SPACE=(TRK,(1,1,1)),DCB=(RECFM=FB,LRECL=80),UNIT=3390             
//SYSUT1   DD DATA,DLM=$$                                                       
 /* REXX */                                                                     
 /* COMMENT COMMAND TO BE USED IN BATCH TSO */                                  
 NOP                                                                            
 EXIT 0                                                                         
$$                                                                              
//*********************************************************************         
//* REQUIRED SETTINGS AND CLASSES                                               
//*                                                                             
//* CA ACF2 has the following classes pre-defined:                              
//*  FACILITY, CONSOLE, OPERCMDS, APPL, PTKTDATA, and PROGRAM                   
//*                                                                             
//* No customization is needed to define these classes.                         
//*                                                                             
//*********************************************************************         
//*ACF2INIT EXEC ACFCOM                                                         
//*SYSTSIN DD *                                                                 
//*******************************************************************           
//* DEFINE OMVS SEGMENT FOR USERS                                               
//* - replace #user with user ID  (assumes user ID already defined)             
//* - replace #user-identifier with non-zero z/OS UNIX user ID                  
//* - replace #group-name with default ACF2 group for user ID                   
//* - replace #group-identifier with z/OS UNIX group ID                         
//*                                                                             
//*   Note:  Ensure the home directory exists and the                           
//*          permissions for the directory allow #user access.                  
//*******************************************************************           
//USER   EXEC ACFCOM                                                            
//SYSTSIN DD *                                                                  
#  add OMVS profile record for existing user ID                                 
  ACF                                                                           
  set profile(user) div(omvs)                                                   
  insert #user UID(#user-identifier) -                                          
  home(/u/#user) omvspgm(/bin/sh)                                               
  END                                                                           
                                                                                
#  add OMVS profile record for existing group                                   
  ACF                                                                           
  set profile(group) div(omvs)                                                  
  insert #group-name GID(#group-identifier)                                     
  END                                                                           
//*********************************************************************         
//* DEFINE DATA SET PERMISSIONS                                                 
//* - change "FEK.#CUST." to the appropriate high level qualifier(s)            
//*   of customized data sets                                                   
//* - change "FEK." to the appropriate high level qualifier(s)                  
//*   of installation data sets                                                 
//* - change #sysprog to the sysprog's ACF2 UID string                          
//* - change #ram-developer to the RAM developer's ACF2 UID string              
//* - change #cicsadmin to the CICS administrator's ACF2 UID string             
//*                                                                             
//* Notes:                                                                      
//* + FEK.SFEKAUTH is an APF-authorized data set.                               
//*   It is strongly advised that you protect data sets                         
//*   FEK.SFEKLOAD and FEK.SFEKLPA against updates.                             
//*********************************************************************         
//DATASET  EXEC ACFCOM                                                          
//SYSTSIN DD *                                                                  
#  general data set protection                                                  
  ACF                                                                           
  set rule                                                                      
  reckey fek add(- uid(#sysprog) r(a) w(a) a(a))                                
  reckey fek add(- uid(*) r(a))                                                 
  reckey fek add(#cust.lstrans.file uid(*) r(a) w(a))                           
  reckey fek add(#cust.cra-.- uid(*) r(a))                                      
  reckey fek add(#cust.adnrep-.- uid(*) r(a))                                   
  reckey fek add(#cust.adnrep-.- uid(#cicsadmin) r(a) w(a))                     
  reckey fek add(#cust.adnman-.- uid(*) r(a) w(a))                              
END                                                                             
//*********************************************************************         
//* DEFINE STARTED TASKS                                                        
//* - (optional) change STCGROUP to the group name for started tasks            
//* - (optional) change GID(1) to the z/OS UNIX group ID                        
//* - (optional) change STCJMON to the user ID of the JMON started task         
//* - (optional) change UID(7)  to the z/OS UNIX ID of STCJMON                  
//* - (optional) change STCRSE to the user ID of the RSED started task          
//* - (optional) change UID(8) to the z/OS UNIX ID of STCRSE                    
//* - (optional) change STCLOCK to the user ID of the LOCK started task         
//* - (optional) change UID(9) to the z/OS UNIX ID of STCLOCK                   
//*********************************************************************         
//STC    EXEC ACFCOM                                                            
//SYSTSIN DD *                                                                  
#  group for started tasks                                                      
  ACF                                                                           
  set profile(group) div(omvs)                                                  
  insert stcgroup gid(1)                                                        
 END                                                                            
                                                                                
#  userid for JES job monitor                                                   
  ACF                                                                           
  set lid                                                                       
  insert stcjmon name(RDZ - JES JOBMONITOR) stc -                               
  group(stcgroup) uid(7) home(/tmp) omvspgm(/bin/sh)                            
 END                                                                            
                                                                                
#  userid for RSE daemon                                                        
  ACF                                                                           
  insert stcrse name(RDZ - RSE DAEMON) stc -                                    
  group(stcgroup) uid(8) home(/tmp) omvspgm(/bin/sh)                            
 END                                                                            
                                                                                
#  userid for LOCK daemon                                                       
  ACF                                                                           
  insert stclock name(RDZ - LOCK DAEMON) stc -                                  
  group(stcgroup) uid(9) home(/tmp) omvspgm(/bin/sh)                            
 END                                                                            
                                                                                
# Add a GSO STC record for each of the started tasks                            
  ACF                                                                           
  set c(gso)                                                                    
  insert STC.rsetask stc(rsed) logonid(stcrse) group(stcgroup)                  
  insert STC.jmontask stc(jmon) logonid(stcjmon) group(stcgroup)                
  insert STC.locktask stc(lock) logonid(stclock) group(stcgroup)                
                                                                                
  f acf2,refresh(stc)                                                           
  end                                                                           
                                                                                
# Show resulting STC table                                                      
  ACF                                                                           
  show stc                                                                      
  end                                                                           
//*********************************************************************         
//* DEFINE JES COMMAND SECURITY                                                 
//* - no customization needed                                                   
//*                                                                             
//* Notes:                                                                      
//* + the JMON console name cannot be changed                                   
//* + Hold/Release/Cancel/Purge are the only JES commands available             
//* + the commands can be limited in JES Job Monitor configuration file         
//*   > owned by user                                                           
//*   > nodeid.userid.jobname.jobid profile in JESSPOOL class                   
//*                                                                             
//*  Ensure CLASMAP records map each class to an appropriate 3-character        
//*  type code.                                                                 
//*********************************************************************         
//JESCMDS EXEC ACFCOM                                                           
//SYSTSIN DD *                                                                  
#  define JMON console                                                          
  ACF                                                                           
  set resource(saf)                                                             
  reckey jmon add(uid(*) service(read) allow)                                   
                                                                                
  END                                                                           
                                                                                
#  define JMON console access                                                   
  ACF                                                                           
  set resource(saf)                                                             
  reckey mvs add(uid(*) service(read) allow)                                    
                                                                                
  END                                                                           
                                                                                
#  define conditional JES operator command access                               
  ACF                                                                           
  set resource(saf)                                                             
  reckey jes* add(- uid(*) prevent)                                             
  reckey jes* add(- uid(*) source(jmon) service(read,update) allow)             
                                                                                
 END                                                                            
//*********************************************************************         
//* DEFINE RSE SERVER AS A SECURE Z/OS UNIX SERVER                              
//* - change STCRSE to the user ID of the RSED started task                     
//*                                                                             
//* Note: STCRSE requires UID(0) if this profile is not defined                 
//*********************************************************************         
//SERVER EXEC ACFCOM                                                            
//SYSTSIN DD *                                                                  
  ACF                                                                           
  set resource(fac)                                                             
  reckey bpx.server add(uid(*) prevent)                                         
  reckey bpx.server add(uid(rsed uid string) service(read,update) allow)        
                                                                                
  f acf2,rebuild(fac)                                                           
 END                                                                            
//*********************************************************************         
//* DEFINE MVS PROGRAM CONTROLLED LIBRARIES FOR RSE SERVER                      
//* - provide correct data set names                                            
//*                                                                             
//* Ensure the following libraries are protected and permit READ access:        
//* sys1.linklib, sys1.miglib, cee.sceerun, cee.sceerun2, isp.sisplpa, and      
//* isp.sispload.                                                               
//*                                                                             
//*PROGCTLM EXEC ACFCOM                                                         
//*SYSTSIN DD *                                                                 
//*********************************************************************         
//* DEFINE PASSTICKET SUPPORT FOR RSE SERVER                                    
//* - change "key16           " to a secret 16 character hex string             
//*                                                                             
//* Notes:                                                                      
//* + RSE can be configured to use the shared OMVSAPPL application ID           
//* + the FEKAPPL application ID cannot be changed, but it can be               
//*   replaced by OMVSAPPL                                                      
//*********************************************************************         
//PSTICKET EXEC ACFCOM                                                          
//SYSTSIN DD *                                                                  
# define RSE server as an application                                           
  ACF                                                                           
  set resource(saf)                                                             
  reckey fekappl add(uid(*) service(read) allow)                                
                                                                                
 END                                                                            
                                                                                
# activate passticket support for RSE application                               
  ACF                                                                           
  set profile(ptktdata) div(ssignon)                                            
  insert fekappl mult-use sskey(key16......)                                    
                                                                                
  set resource(ptk)                                                             
  reckey irrptauth add(fekappl.- uid(stcrse uid string) -                       
  service(read,update) allow)                                                   
                                                                                
 END                                                                            
//*********************************************************************         
//* DEFINE PORT OF ENTRY CHECKING FOR RSE SERVER                                
//* - change STCRSE to the user ID of the RSED started task                     
//*                                                                             
//* Notes:                                                                      
//* + RSE server must be configured to use POE                                  
//* + defining BPX.POE will impact other TCPIP applications, like INETD         
//* + security zones should be set up in the SERVAUTH class                     
//* + STCRSE requires UID(0) if this profile is not defined and                 
//*   you enable POE checking for RSE server                                    
//*********************************************************************         
//POE  EXEC ACFCOM                                                              
//SYSTSIN DD *                                                                  
#  activate port of entry checking                                              
  ACF                                                                           
  set resource(fac)                                                             
  reckey bpx.poe add(uid(*) prevent)                                            
  reckey bpx.poe add(uid(stcrse uid string) service(read) allow)                
                                                                                
  f acf2,rebuild(fac)                                                           
  f acf2,rebuild(grp),class(p)                                                  
  f acf2,rebuild(usr),class(p)                                                  
  f acf2,rebuild(ptk),class(p)                                                  
 END                                                                            
//*********************************************************************         
//* MAKE JAVA INTERFACE PROGRAM CONTROLLED FOR RSE SERVER                       
//* - provide, in variable ACFJNI, the path of the Java interface               
//*   to your security software (default is /usr/lib/libIRRRacf.so)             
//*                                                                             
//* Notes:                                                                      
//*                                                                             
//* + You need READ access to the BPX.FILEATTR.PROGCTL profile                  
//*   (FACILITY class) or UID(0) to execute the extattr command                 
//* + Since z/OS 1.10, /usr/lib/libIRRRacf.so is part of SAF, which             
//*   ships with base z/OS                                                      
//*                                                                             
//        SET ACFJNI='/usr/lib/libIRRRacf.so'                                   
//*                                                                             
//PROGCTLU EXEC PGM=BPXBATCH,                                                   
//           PARM='SH extattr +p &ACFJNI.'                                      
//STDOUT   DD SYSOUT=*                                                          
//STDERR   DD SYSOUT=*                                                          
//*                                                                             
//* SHOW RESULTS OF THE EXTATTR COMMAND                                         
//*                                                                             
//PROGRAM  EXEC PGM=BPXBATCH,                                                   
//           PARM='SH ls -E &ACFJNI.'                                           
//STDOUT   DD SYSOUT=*                                                          
//STDERR   DD SYSOUT=*                                                          
/*                                                                              
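Because the ACF2 steps above end with return code 0 even when a command is rejected, the most common failure is submitting the member with a placeholder still in it, or giving a started task UID(0) when the whole point of BPX.SERVER and BPX.POE is to avoid that. The following pre-submit check is an added example; it is not part of CA's FEKACF sample or of RDz. It assumes the customized member is available as plain text (JCL sequence numbers in columns 73-80 are tolerated), that the placeholder tokens are the ones the sample's step headers ask you to replace, and the two sample members embedded below are constructed for illustration.

```python
"""Pre-submit lint for a customized FEKACF member (added example, not CA's code)."""
import re

# Placeholder tokens named in the sample's step headers; any survivor in a
# command line means the job was submitted without the required customization.
PLACEHOLDERS = ("#user-identifier", "#user", "#group-identifier", "#group-name",
                "#cust", "#sysprog", "#ram-developer", "#cicsadmin",
                "uid string", "key16")

UID_RE = re.compile(r"\buid\((\d+)\)", re.IGNORECASE)          # uid(7), uid(0)
SSKEY_RE = re.compile(r"\bsskey\(([^)]*)\)", re.IGNORECASE)    # PassTicket key
WORLD_WRITE_RE = re.compile(r"uid\(\*\).*\bw\(a\)", re.IGNORECASE)


def strip_seq(line: str) -> str:
    """Drop JCL sequence numbers (columns 73-80) so they are not read as values."""
    return line[:72].rstrip()


def is_comment(line: str) -> bool:
    """JCL comments start with //*; the job's batch-TSO comment command is #."""
    s = line.lstrip()
    return s.startswith("//*") or s.startswith("#")


def lint(jcl: str) -> list[str]:
    """Return one finding per problem; an empty list means the member is ready."""
    findings = []
    for n, raw in enumerate(jcl.splitlines(), 1):
        line = strip_seq(raw)
        if is_comment(line):
            continue
        low = line.lower()
        for ph in PLACEHOLDERS:
            if ph in low:
                findings.append(f"line {n}: unreplaced placeholder {ph!r}")
        for m in UID_RE.finditer(line):
            if int(m.group(1)) == 0:
                # The sample calls for non-zero UNIX UIDs; BPX.SERVER and
                # BPX.POE exist so the RSE daemon does not need UID(0).
                findings.append(f"line {n}: uid(0) assigned; use a non-zero z/OS UNIX UID")
        m = SSKEY_RE.search(line)
        if m and not re.fullmatch(r"[0-9A-Fa-f]{16}", m.group(1)):
            findings.append(f"line {n}: sskey must be a 16-character hex string")
    return findings


def world_write_rules(jcl: str) -> list[str]:
    """Data set rule entries granting WRITE to every UID (uid(*) ... w(a)).

    The sample contains such entries on purpose (#cust.lstrans.file and
    #cust.adnman-.-); list them so a reviewer confirms each one is intended.
    """
    hits = []
    for n, raw in enumerate(jcl.splitlines(), 1):
        line = strip_seq(raw)
        if not is_comment(line) and WORLD_WRITE_RE.search(line):
            hits.append(f"line {n}: {line.strip()}")
    return hits


# Constructed excerpt of an uncustomized member (sequence number on line 1).
SAMPLE_UNCUSTOMIZED = "\n".join([
    "//FEKACF JOB 1,'DEFINE ACF2 SETTINGS'".ljust(72) + "00010003",
    "//* - replace #user with user ID  (assumes user ID already defined)",
    "//USER   EXEC ACFCOM",
    "//SYSTSIN DD *",
    "#  add OMVS profile record for existing user ID",
    "  ACF",
    "  set profile(user) div(omvs)",
    "  insert #user UID(#user-identifier) -",
    "  home(/u/#user) omvspgm(/bin/sh)",
    "  END",
    "  insert stcjmon name(RDZ - JES JOBMONITOR) stc -",
    "  group(stcgroup) uid(0) home(/tmp) omvspgm(/bin/sh)",
    "  insert fekappl mult-use sskey(key16......)",
    "  reckey bpx.server add(uid(rsed uid string) service(read,update) allow)",
    "  reckey fek add(#cust.lstrans.file uid(*) r(a) w(a))",
])

# Constructed excerpt after customization (UID string assumed to be the logonid).
SAMPLE_CUSTOMIZED = "\n".join([
    "//FEKACF JOB (ACCT),'DEFINE ACF2 SETTINGS',CLASS=A,MSGCLASS=X",
    "//USER   EXEC ACFCOM",
    "//SYSTSIN DD *",
    "  ACF",
    "  set profile(user) div(omvs)",
    "  insert ibmuser UID(1234) -",
    "  home(/u/ibmuser) omvspgm(/bin/sh)",
    "  END",
    "  insert stcjmon name(RDZ - JES JOBMONITOR) stc -",
    "  group(stcgroup) uid(7) home(/tmp) omvspgm(/bin/sh)",
    "  insert fekappl mult-use sskey(0123456789ABCDEF)",
    "  reckey bpx.server add(uid(stcrse) service(read,update) allow)",
])

if __name__ == "__main__":
    for f in lint(SAMPLE_UNCUSTOMIZED):
        print("ERROR", f)
    for h in world_write_rules(SAMPLE_UNCUSTOMIZED):
        print("REVIEW", h)
    print("customized member findings:", lint(SAMPLE_CUSTOMIZED))
```

Run it against the real member (read the file into a string and pass it to lint and world_write_rules) before submitting the job, and treat any lint finding as a stop; the world-write list is informational, since the sample grants those two entries deliberately.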