Is any special setup needed for zRule Execution Server for z/OS when using CA ACF2?

Document ID : KB000011016
Last Modified Date : 14/02/2018
Introduction:

zRule Execution Server for z/OS is a rule execution module for COBOL applications running on z/OS. zRule makes security calls to the security package on the z/OS system.

Question:

Is there any special setup required when CA ACF2 is the security package?

Answer:

zRule makes a RACROUTE call to check security. The first RACROUTE call is an EXTRACT call whose result decides whether more security calls should be made. In a SECTRACE, that call looks like this:

CAS21D0I TRACEID: TRC0001    EVENT#:  34652341                                  
CAS21D0I JOBNAME: ZRULE01 USERID:  ZRULE01 ASID: 02RS                       
CAS21D1I PROGRAM: HBRMAIN  RB CURR: HBRMAIN  APF:  YES  SFR/RFR: N/A        
CAS21D3I SAFDEF:  GENXTRCT INTERNAL MODE: GLOBAL                              
CAS2200I RACROUTE REQUEST=EXTRACT,CLASS={=>}'HBRADMIN',RELEASE=2.1,           
CAS2200I          ENTITYX=({=>}'AB01.NO.SUBSYS.SECURITY'),FLDACC=NO,          
CAS2200I          GENERIC=ASIS,MSGSP=0,MATCHGN=NO,TYPE=EXTRACT,               
CAS2200I          WORKA={STRUCTURE SAFWORKA,=>,18EEF7F8}                      
CAS2203I REG. 1   DATA AREA FOLLOWS                                           
CAS2204I 18EEE060 +000  E5000400 00000001 004801BF 9870BBA4 *V...........q..u 
CAS2204I 18EEE070 +010  C5D5E4C5 D5E4E2E2 E9D9E4D3 C5F0F140 *ENUENUSSZRULE01 
CAS2204I 18EEE080 +020  40404040 404040400  

 

The high-level name on the entity is site-specific.

zRule expects this EXTRACT call to fail with return codes of 4:8/0, which means NO PROFILE FOUND. Because CA ACF2 is set up to protect by default and does not use profile records in the same way that RACF does, a SAFDEF record must be in place to send back the return codes the product needs. Here are some sample SAFDEF records:

**** / SAFDEF.HBRADMIN LAST CHANGED BY SECADMIN ON mm/dd/yy-hh:mm 
                    FUNCRET(8) FUNCRSN(0) ID(HBRADMIN) MODE(IGNORE)    
                    RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN            
                    ENTITYX=AB**.NO.SUBSYS.SECURITY) RETCODE(4)        
                                                                       
**** / SAFDEF.HBRCMD LAST CHANGED BY SECADMIN ON mm/dd/yy-hh:mm
                    FUNCRET(8) FUNCRSN(0) ID(HBRCMD) MODE(IGNORE)      
                    RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN            
                    ENTITYX=AB**.NO.COMMAND.SECURITY) RETCODE(4)       
                                                                       
**** / SAFDEF.HBRCONN LAST CHANGED BY SECADMIN ON mm/dd/yy-hh:mm
                    FUNCRET(8) FUNCRSN(0) ID(HBRCONN) MODE(IGNORE)     
                    RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN            
                    ENTITYX=AB**.NO.CONNECT.SECURITY) RETCODE(4)       
                                                                       
**** / SAFDEF.HBRRES LAST CHANGED BY SECADMIN ON mm/dd/yy-hh:mm
                    FUNCRET(8) FUNCRSN(0) ID(HBRRES) MODE(IGNORE)      
                    RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN            
                    ENTITYX=AB**.NO.RESCONSOLE.SECURITY) RETCODE(4)

 

You will need to adjust the entity to match your site.

The insert commands would look like this:

TSO ACF
SET CONTROL(GSO) SYSID(****)
INSERT SAFDEF.HBRADMIN ID(HBRADMIN) MODE(IGNORE) FUNCRET(8) RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=AB**.NO.SUBSYS.SECURITY)
INSERT SAFDEF.HBRCMD ID(HBRCMD) MODE(IGNORE) FUNCRET(8) RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=AB**.NO.COMMAND.SECURITY)
INSERT SAFDEF.HBRCONN ID(HBRCONN) MODE(IGNORE) FUNCRET(8) RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=AB**.NO.CONNECT.SECURITY)
INSERT SAFDEF.HBRRES ID(HBRRES) MODE(IGNORE) FUNCRET(8) RACROUTE(REQUEST=EXTRACT CLASS=HBRADMIN ENTITYX=AB**.NO.RESCONSOLE.SECURITY)

 

Then make sure you refresh the SAFDEF records to make them available to CA ACF2:

F ACF2,REFRESH(SAFDEF)
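
As an added example (not part of the original article or of any CA tooling), the Python helper below parses the CAS2200I lines of a SECTRACE like the one above and builds the matching INSERT command in this article's format, so the site-specific entity comes from what zRule actually requested. The function names and the `hlq_mask` parameter are hypothetical; the record names are taken from the sample records above.

```python
import re

# Constructed sample: the CAS2200I lines of the SECTRACE shown in this article.
SAMPLE_TRACE = """\
CAS2200I RACROUTE REQUEST=EXTRACT,CLASS={=>}'HBRADMIN',RELEASE=2.1,
CAS2200I          ENTITYX=({=>}'AB01.NO.SUBSYS.SECURITY'),FLDACC=NO,
CAS2200I          GENERIC=ASIS,MSGSP=0,MATCHGN=NO,TYPE=EXTRACT,
CAS2200I          WORKA={STRUCTURE SAFWORKA,=>,18EEF7F8}
"""

# Third entity qualifier -> SAFDEF record name/ID, as used in the sample records.
SAFDEF_NAMES = {"SUBSYS": "HBRADMIN", "COMMAND": "HBRCMD",
                "CONNECT": "HBRCONN", "RESCONSOLE": "HBRRES"}


def parse_racroute(trace):
    """Join the CAS2200I continuation lines and extract REQUEST, CLASS, ENTITYX."""
    text = "".join(line[8:].strip() for line in trace.splitlines()
                   if line.startswith("CAS2200I"))
    fields = {}
    for key, pattern in (("request", r"REQUEST=(\w+)"),
                         ("class", r"CLASS=\{=>\}'([^']+)'"),
                         ("entity", r"ENTITYX=\(\{=>\}'([^']+)'\)")):
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"trace has no {key} field")
        fields[key] = match.group(1)
    return fields


def safdef_insert(call, hlq_mask=None):
    """Build the INSERT command for one traced call, in this article's format.

    hlq_mask replaces the traced high-level qualifier (the article uses AB**).
    """
    parts = call["entity"].split(".")
    # Emit a fixed-return-code record only for the zRule probe entities listed
    # in this article; any other request, class or entity is rejected.
    if (call["request"] != "EXTRACT" or call["class"] != "HBRADMIN"
            or len(parts) != 4 or parts[1] != "NO" or parts[3] != "SECURITY"
            or parts[2] not in SAFDEF_NAMES):
        raise ValueError(f"not a zRule security probe: {call}")
    name = SAFDEF_NAMES[parts[2]]
    return (f"INSERT SAFDEF.{name} ID({name}) MODE(IGNORE) FUNCRET(8) "
            f"RACROUTE(REQUEST=EXTRACT CLASS={call['class']} "
            f"ENTITYX={hlq_mask or parts[0]}.NO.{parts[2]}.SECURITY)")


if __name__ == "__main__":
    print(safdef_insert(parse_racroute(SAMPLE_TRACE), hlq_mask="AB**"))
```

Without `hlq_mask` the command carries the exact high-level name seen in the trace, which keeps the record as narrow as the request that was observed.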