Is there an ACF2 Equivalent list of Commands for RACFMSTR for SSRE and TKLM security setup?

Document ID : KB000011138
Last Modified Date : 14/02/2018
Question:

This document supplies equivalent ACF2 commands to replace the RACF commands in the RACFMSTR REXX exec. There is no one-for-one correspondence between the commands, since ACF2 accomplishes the same objective differently. The commands define two user IDs, SSREADM and SSRECFG, together with their profile records, certificates and keyrings. Samples of appropriate rules to provide the necessary access to the related resources are included.

Answer:

First, issue a SHOW CLASMAP and ensure you have a CLASMAP record for each of the following classes and that the class is mapped to a resource type other than SAF.

APPL, CBIND, FACILITY, SERVER, EJBROLE, OPERCMDS

If a class is mapped to SAF, insert a CLASMAP record to map it to a more meaningful 3-character resource type code. Where indicated (<----NEW TYPE CODE), this example uses type codes that you can replace with others of your choice.

DIGTNMAP and SECLABEL references in the original document have been bypassed. If you require this level of security, please contact CA ACF2 Technical Support for follow-up.

Where resource rules are indicated, check whether you already have a $KEY for that resource and TYPE code. If you do, modify the existing rule set accordingly.

Continuation characters (-) appear at the end of a line when the input is to be processed in a batch job. If the command is to be entered from TSO, omit the continuation character and wrap the command text to the next input line.

/* Create WAS configuration group.

 ACF
 SET PROFILE(GROUP) DIV(OMVS)
 INSERT SSREGRP GID(4321)

/* Adding WAS admin userid.

 ACF
 SET LID
 INSERT SSREADM NAME(SSRE Administrator) RESTRICT GROUP(SSREGRP) UID(1234) -
   HOME(/tmp) OMVSPGM(/bin/sh) FILEPROC(10000)

/* APPL class setup.

 ACF
 SET R(APL)    <----NEW TYPE CODE
 COMPILE
 $KEY(SSREcell) TYPE(APL)
  UID(uid of SSREADM) SERVICE(READ) ALLOW

/* Defining CBIND CB.BIND.domain_name.

 ACF
 SET R(CBI)    <----NEW TYPE CODE
 COMPILE
 $KEY(CB) TYPE(CBI)
  SSREcell.SSRE- UID(*) SERVICE(READ) ALLOW
  SSREcell.- UID(*) PREVENT
  BIND.SSREcell.SSRE- UID(*) SERVICE(READ) ALLOW
  BIND.SSREcell.SSRE- UID(uid of SSREADM) SERVICE(DEL) ALLOW
  BIND.SSREcell.- UID(*) PREVENT

/* Defining SERVER CB.cluster.generic_server rules.

 ACF
 SET R(SVR)    <----NEW TYPE CODE
 COMPILE
 $KEY(CB) TYPE(SVR)
  -.SSRE- UID(uid of SSREADM) SERVICE(READ) ALLOW
  -.SSRE- UID(*) PREVENT
  - UID(*) PREVENT

/* Authorize servants to WLM Services if WBI server.

 ACF
 SET R(FAC)
 COMPILE
 $KEY(BPX) TYPE(FAC)
  WLMSERVER UID(uid of SSREADM) SERVICE(READ) ALLOW
  WLMSERVER UID(*) PREVENT

 COMPILE
 $KEY(IRR) TYPE(FAC)
  DIGTCERT.LISTRING UID(uid of SSREADM) SERVICE(READ) ALLOW
  DIGTCERT.LISTRING UID(*) PREVENT
  DIGTCERT.LIST UID(uid of SSREADM) SERVICE(READ) ALLOW
  DIGTCERT.LIST UID(*) PREVENT

/* Create CA Certificate for WebSphere Security Domain.
/* FORMAT_DATE IS 2015/12/31
/* GENCERT is a CERTDATA-division subcommand, so switch settings first.

 SET PROFILE(USER) DIV(CERTDATA)
 GENCERT CERTAUTH.WEBCERT SUBJSDN(CN='SSRE CertAuth for Security Domain' -
 OU='SSREcell.WebSphere FOR zOS') LABEL(WebSphereCA-SSREcell) TRUST -
 EXPIRE(2015/12/31)

/* Generating certificates for WebSphere servers

 GENCERT SSREADM.CERT SUBJSDN(CN=SSREADM.SSRE O=IBM OU=SSREcell) -
 LABEL(DefaultWASCert.SSRE) SIGNWITH(CERTAUTH.WEBCERT) EXPIRE(2015/12/31)

/* Creating SSL keyrings for WebSphere servers.

 SET PROFILE(USER) DIV(KEYRING)
 INSERT SSREADM.RING RINGNAME(WASKeyring.SSREcell)

/* Connecting Server Certificates to their keyrings.

 CONNECT CERTDATA(SSREADM.CERT) KEYRING(SSREADM.RING) DEFAULT USAGE(PERSONAL)

/* Connect WAS CA Certificates to Server's keyring.

 CONNECT CERTDATA(CERTAUTH.WEBCERT) KEYRING(SSREADM.RING) USAGE(CERTAUTH)

/* Connect Commercial CAs to Server's keyring.
/* This assumes CERTDATA records have been inserted for each CERTAUTH.

 CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 1 Primary CA) -
 KEYRING(SSREADM.RING) USAGE(CERTAUTH)

 CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 3 Primary CA) -
 KEYRING(SSREADM.RING) USAGE(CERTAUTH)

 CONNECT CERTDATA(CERTAUTH) LABEL(RSA Secure Server CA) -
 KEYRING(SSREADM.RING) USAGE(CERTAUTH)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Server CA) KEYRING(SSREADM.RING) -
 USAGE(CERTAUTH)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Premium Server CA) USAGE(CERTAUTH) -
 KEYRING(SSREADM.RING)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Basic CA) USAGE(CERTAUTH) -
 KEYRING(SSREADM.RING)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Freemail CA) -
 USAGE(CERTAUTH) KEYRING(SSREADM.RING)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Premium CA) -
 USAGE(CERTAUTH) KEYRING(SSREADM.RING)

 CONNECT CERTDATA(CERTAUTH) LABEL(Verisign International Svr CA) -
 KEYRING(SSREADM.RING) USAGE(CERTAUTH)

/* Setting up EJBRoles Rules

 ACF
 SET R(EJB)
 COMPILE
 $KEY(SSREcell) TYPE(EJB)
  administrator UID(uid of SSREADM) SERVICE(READ) ALLOW
  monitor UID(uid of SSREADM) SERVICE(READ) ALLOW
  configurator UID(uid of SSREADM) SERVICE(READ) ALLOW
  operator UID(uid of SSREADM) SERVICE(READ) ALLOW
  deployer UID(uid of SSREADM) SERVICE(READ) ALLOW
  CosNamingRead UID(*) SERVICE(READ) ALLOW
  CosNamingWrite UID(uid of SSREADM) SERVICE(READ) ALLOW
  CosNamingCreate UID(uid of SSREADM) SERVICE(READ) ALLOW
  CosNamingDelete UID(uid of SSREADM) SERVICE(READ) ALLOW
  All#Role UID(*) SERVICE(READ) ALLOW

/* Define BBO.SYNC.SSREcell.-

 ACF
 SET R(FAC)
 COMPILE
 $KEY(BBO) TYPE(FAC)
  SYNC.SSREcell.- UID(*) PREVENT
  TRUSTEDAPPS.SSREcell.- UID(uid of SSREADM) SERVICE(READ) ALLOW

/* Multi-level Seclabel processing (omitted)


/* JG02 addition starts here */

 ACF
 SET LID
 INSERT SSRECFG NAME(SSRE Config) PASSWORD(your pswd) GROUP(SSREGRP) -
 UID(1235) HOME(/tmp) OMVSPGM(/bin/sh) LIDZMAX MAXDAYS(0) NOPSWD-EXP -
 FILEPROC(10000)

/* Generating certificate for SSRECFG

 SET PROFILE(USER) DIV(CERTDATA)
 GENCERT SSRECFG.CERT SUBJSDN(CN=SSRECFG.SSRE O=IBM OU=SSREcell) -
 LABEL(DefaultWASCert.SSRE) SIGNWITH(CERTAUTH.WEBCERT) EXPIRE(2015/12/31)

/* Creating SSL keyrings for SSRE Config.

 ACF
 SET PROFILE(USER) DIV(KEYRING)
 INSERT SSRECFG.RING RINGNAME(WASKeyring.SSREcell)

/* Connect CFG Certificate to its keyring.

 CONNECT CERTDATA(SSRECFG.CERT) KEYRING(SSRECFG.RING) DEFAULT USAGE(PERSONAL)

/* Connect CA Signing Certificate to CFG keyring.

 CONNECT CERTDATA(CERTAUTH.WEBCERT) KEYRING(SSRECFG.RING) USAGE(CERTAUTH)

/* Connect Commercial CAs to CFG keyring.

 CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 1 Primary CA) -
 KEYRING(SSRECFG.RING) USAGE(CERTAUTH)

 CONNECT CERTDATA(CERTAUTH) LABEL(Verisign Class 3 Primary CA) -
 KEYRING(SSRECFG.RING) USAGE(CERTAUTH)

 CONNECT CERTDATA(CERTAUTH) LABEL(RSA Secure Server CA) -
 KEYRING(SSRECFG.RING) USAGE(CERTAUTH)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Server CA) KEYRING(SSRECFG.RING) -
 USAGE(CERTAUTH)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Premium Server CA) USAGE(CERTAUTH) -
 KEYRING(SSRECFG.RING)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Basic CA) USAGE(CERTAUTH) -
 KEYRING(SSRECFG.RING)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Freemail CA) -
 USAGE(CERTAUTH) KEYRING(SSRECFG.RING)

 CONNECT CERTDATA(CERTAUTH) LABEL(Thawte Personal Premium CA) -
 USAGE(CERTAUTH) KEYRING(SSRECFG.RING)

 CONNECT CERTDATA(CERTAUTH) LABEL(Verisign International Svr CA) -
 KEYRING(SSRECFG.RING) USAGE(CERTAUTH)

/* Define rule for starting SSRE

 ACF
 SET R(OPR)
 COMPILE
 $KEY(MVS) TYPE(OPR)
  START.STC.SSRE.- UID(*) PREVENT
  START.STC.SSRE.- UID(uid of SSRECFG) SERVICE(UPDATE) ALLOW

/* Rebuild Rules and OMVS Profiles (Assumes these type codes are in INFODIR)
 F ACF2,REBUILD(APL)
 F ACF2,REBUILD(FAC)
 F ACF2,REBUILD(EJB)
 F ACF2,REBUILD(CBI)
 F ACF2,REBUILD(SVR)
 F ACF2,REBUILD(OPR)
 F ACF2,REBUILD(USR),CLASS(P)
 F ACF2,REBUILD(GRP),CLASS(P)
 F ACF2,OMVS
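Because the rule sets above are compiled under one type code and then made effective by a matching F ACF2,REBUILD, a typo in either place (for example rebuilding SRV when the SERVER rules were compiled as SVR) leaves the new rules in the database but not in the resident directory. The following script is an added example, not part of this article or of the RACFMSTR exec: it scans a command transcript in the layout used on this page for SET R(type), COMPILE, $KEY(...) TYPE(type) and F ACF2,REBUILD(type) statements and reports type codes that are compiled but never rebuilt (or rebuilt but never compiled), a $KEY whose TYPE differs from the preceding SET R(...), and a $KEY not immediately preceded by COMPILE. The SAMPLE transcript is constructed and deliberately contains two such defects so that the checks have something to report; the statement syntax it recognizes is limited to the forms that appear on this page.

```python
"""Consistency checks for an ACF2 command transcript like the one above.

Added example; not part of the original knowledge base article. It scans
ACF2 command text for SET R(type), COMPILE, $KEY(...) TYPE(type) and
F ACF2,REBUILD(type) statements and reports:
  * a $KEY whose TYPE differs from the preceding SET R(...)
  * a $KEY that is not immediately preceded by COMPILE
  * type codes with compiled rules but no REBUILD, and vice versa
"""
import re

# Constructed sample modelled on the article's command stream. It deliberately
# contains two defects so the checks have something to report: the SERVER rules
# are compiled under SVR but rebuilt as SRV, and the OPERCMDS $KEY is not
# preceded by COMPILE.
SAMPLE = """\
/* APPL class setup.
 ACF
 SET R(APL)    <----NEW TYPE CODE
 COMPILE
 $KEY(SSREcell) TYPE(APL)
  UID(uid of SSREADM) SERVICE(READ) ALLOW

 ACF
 SET R(SVR)    <----NEW TYPE CODE
 COMPILE
 $KEY(CB) TYPE(SVR)
  -.SSRE- UID(uid of SSREADM) SERVICE(READ) ALLOW
  - UID(*) PREVENT

 ACF
 SET R(OPR)
 $KEY(MVS) TYPE(OPR)
  START.STC.SSRE.- UID(*) PREVENT

 F ACF2,REBUILD(APL)
 F ACF2,REBUILD(SRV)
 F ACF2,REBUILD(OPR)
 F ACF2,REBUILD(USR),CLASS(P)
"""

# Statement forms as they appear on this page (matched after stripping
# leading/trailing blanks; trailing annotations such as <----NEW TYPE CODE
# are ignored because the patterns are anchored at the start only).
SET_RE = re.compile(r"^SET\s+R(?:ESOURCE)?\((\w+)\)", re.I)
KEY_RE = re.compile(r"^\$KEY\(([^)]*)\)\s+TYPE\((\w+)\)", re.I)
REBUILD_RE = re.compile(r"^F\s+ACF2,REBUILD\((\w+)\)", re.I)


def check_transcript(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    compiled = set()    # type codes seen in $KEY ... TYPE(...)
    rebuilt = set()     # type codes seen in F ACF2,REBUILD(...)
    current_set = None  # type code from the most recent SET R(...)
    previous = None     # previous non-blank, non-comment statement

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue  # blank line or /* comment from the transcript
        m = SET_RE.match(line)
        if m:
            current_set = m.group(1).upper()
        m = KEY_RE.match(line)
        if m:
            key, typ = m.group(1), m.group(2).upper()
            compiled.add(typ)
            if typ != current_set:
                findings.append(
                    f"line {lineno}: $KEY({key}) TYPE({typ}) follows SET R({current_set})")
            if previous is None or previous.upper() != "COMPILE":
                findings.append(
                    f"line {lineno}: $KEY({key}) TYPE({typ}) is not preceded by COMPILE")
        m = REBUILD_RE.match(line)
        # REBUILD(USR),CLASS(P) and REBUILD(GRP),CLASS(P) rebuild profile
        # directories, not resource rule directories, so they are skipped.
        if m and ",CLASS(" not in line.upper():
            rebuilt.add(m.group(1).upper())
        previous = line

    for typ in sorted(compiled - rebuilt):
        findings.append(f"type {typ} has compiled rules but no F ACF2,REBUILD({typ})")
    for typ in sorted(rebuilt - compiled):
        findings.append(f"type {typ} is rebuilt but no rule set uses TYPE({typ})")
    return findings


if __name__ == "__main__":
    for finding in check_transcript(SAMPLE):
        print(finding)
```

Run against the constructed SAMPLE, the script reports the missing COMPILE before $KEY(MVS) TYPE(OPR), that SVR has compiled rules but no REBUILD, and that SRV is rebuilt without any rule set using it; against a transcript where the three sides agree it returns an empty list. Paste your own batch input in place of SAMPLE to check it before submitting the job.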