RACF Commands From IBM's FEKRACF Member And The CA Top Secret Equivalent Commands.

Document ID : KB000052795
Last Modified Date : 14/02/2018

Description:

IBM provides a FEKRACF member for RDz implementation. This member has RACF commands. What are the CA Top Secret equivalent commands?

Solution:

The following are the RACF commands from the FEKRACF member and the CA Top Secret equivalent commands.

#  display current settings
# SETROPTS LIST
* No CA Top Secret equivalent and not needed.
 
#  activate facility class for z/OS UNIX profiles
# SETROPTS GENERIC(FACILITY)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
* No CA Top Secret equivalent and not needed.
 
#  activate started task definitions
# SETROPTS GENERIC(STARTED)
* No CA Top Secret equivalent and not needed.
 
# RDEFINE STARTED ** STDATA(USER(=MEMBER) GROUP(STCGROUP) TRACE(YES))
* TSS ADD(STC) PROCN(DEFAULT) ACID(defaultacid) - Skip this step if you
already have a default acid for undefined started tasks.
* TSS ADD(defaultacid) GROUP(STCGROUP) 
 
# SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
* No CA Top Secret equivalent and not needed.
 
#  activate console security for JES Job Monitor server
# SETROPTS GENERIC(CONSOLE)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(CONSOLE) RACLIST(CONSOLE)
* No CA Top Secret equivalent and not needed.
 
#  activate operator command protection for JES Job Monitor server
# SETROPTS GENERIC(OPERCMDS)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(OPERCMDS) RACLIST(OPERCMDS)
* No CA Top Secret equivalent and not needed.
 
#  activate application protection for RSE server
# SETROPTS GENERIC(APPL)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(APPL) RACLIST(APPL)
* No CA Top Secret equivalent and not needed.
 
#  activate secured signon using PassTickets for RSE server
# SETROPTS GENERIC(PTKTDATA)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)
* No CA Top Secret equivalent and not needed.
 
#  activate program control for RSE server
# RDEFINE PROGRAM ** ADDMEM('SYS1.CMDLIB'//NOPADCHK) UACC(READ)
* TSS ADD(owningacid) DSN(SYS1.) 
* TSS PER(ALL) DSN(SYS1.CMDLIB) ACC(READ)
 
# SETROPTS WHEN(PROGRAM)
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 SETROPTS LIST
* No CA Top Secret equivalent and not needed.
 
#  add OMVS segment to existing user ID
# LISTUSER #userid NORACF OMVS
* TSS LIST(#userid) SEGMENT(OMVS)
 
# ALTUSER #userid OMVS(UID(#user-identifier) -
#  HOME(/u/#userid) OMVSPGM(/bin/sh) NOASSIZEMAX)
* TSS ADD(#userid) UID(uid) HOME(/u/#userid) OMVSPGM(/bin/sh)
 
#  add OMVS segment to existing group
# LISTGRP #group-name NORACF OMVS
* TSS LIST(#group-name) SEGMENT(OMVS)
 
# ALTGROUP #group-name OMVS(GID(#group-identifier))
* TSS ADD(#group-name) GID(#group-identifier)
 
#  HLQ stub
 LISTGRP FEK ALL
* TSS LIST(FEK) DATA(ALL)
 
 ADDGROUP (FEK) OWNER(IBMUSER) SUPGROUP(SYS1) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z - HLQ STUB')
* TSS CRE(FEK) NAME('RATIONAL DEV SYSTEM Z - HLQ STUB') TYPE(GROUP) -
 DEPT(deptacid) 
 
#  general data set protection
 LISTDSD PREFIX(FEK) ALL
* TSS WHOHAS DSN(FEK)
 
 ADDSD 'FEK.*.**' -
 UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) DSN(FEK)
* TSS PER(ALL) DSN(FEK) ACC(READ)
 
 PERMIT 'FEK.*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK) ACC(ALL)
 
#  sclmdt long/short name translation, users need update
 LISTDSD PREFIX(FEK.#CUST.LSTRANS)
* TSS WHOHAS DSN(FEK.#CUST.LSTRANS)
 
 ADDSD 'FEK.#CUST.LSTRANS.FILE' -
 UACC(UPDATE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - SCLMDT')
* TSS ADD(owningacid) DSN(FEK.#CUST.LSTRANS.FILE) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.LSTRANS.FILE) ACC(UPDATE)
 
 PERMIT 'FEK.#CUST.LSTRANS.FILE' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.LSTRANS.FILE) ACC(ALL)
 
#  carma ram development, ram developers need update
 LISTDSD PREFIX(FEK.#CUST.CRA)
* TSS WHOHAS DSN(FEK.#CUST.CRA)
 
 ADDSD 'FEK.#CUST.CRA*.**' -
 UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - CARMA')
* TSS ADD(owningacid) DSN(FEK.#CUST.CRA) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.CRA) ACC(READ)
 
 PERMIT 'FEK.#CUST.CRA*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.CRA) ACC(ALL)
 
 PERMIT 'FEK.#CUST.CRA*.**' -
 CLASS(DATASET) ACCESS(UPDATE) ID(#ram-developer)
* TSS PER(#ram-developer) DSN(FEK.#CUST.CRA) ACC(UPDATE)
 
#  CRD server, cics administrators need update
 LISTDSD PREFIX(FEK.#CUST.ADN)
* TSS WHOHAS DSN(FEK.#CUST.ADN)
 
 ADDSD 'FEK.#CUST.ADNREP*.**' -
 UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - ADN')
* TSS ADD(owningacid) DSN(FEK.#CUST.ADNREP) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.ADNREP) ACC(READ)
 
 PERMIT 'FEK.#CUST.ADNREP*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.ADNREP) ACC(ALL)
 
 PERMIT 'FEK.#CUST.ADNREP*.**' -
 CLASS(DATASET) ACCESS(UPDATE) ID(#cicsadmin)
* TSS PER(#cicsadmin) DSN(FEK.#CUST.ADNREP) ACC(UPDATE)
 
#  manifest repository, all users need update
 LISTDSD PREFIX(FEK.#CUST.ADN)
* TSS WHOHAS DSN(FEK.#CUST.ADN)
 
 ADDSD 'FEK.#CUST.ADNMAN*.**' -
 UACC(UPDATE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - ADN')
* TSS ADD(owningacid) DSN(FEK.#CUST.ADNMAN) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.ADNMAN) ACC(UPDATE)
 
 PERMIT 'FEK.#CUST.ADNMAN*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.ADNMAN)  ACC(ALL)
 
 SETROPTS GENERIC(DATASET) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 LISTGRP FEK ALL
* TSS LIST(FEK) DATA(ALL)
 
 LISTDSD PREFIX(FEK) ALL
* TSS WHOHAS DSN(FEK)
 
#  group for started tasks
 LISTGRP  STCGROUP OMVS
* TSS LIST(STCGROUP) SEGMENT(OMVS)
 
 ADDGROUP STCGROUP
* TSS CREATE(STCGROUP) TYPE(GROUP) NAME('STC GROUP W/OMVS SEGMENT') DEPT(dept)
 
 ALTGROUP STCGROUP OMVS(GID(1)) -
 DATA('STARTED TASK GROUP WITH OMVS SEGMENT')
* TSS ADD(STCGROUP) GID(1)
 
#  userid for JES job monitor
 LISTUSER STCJMON OMVS
* TSS LIST(STCJMON) SEGMENT(OMVS)
 
 ADDUSER  STCJMON -
 NOPASSWORD -
 DFLTGRP(STCGROUP) -
 OMVS(UID(7) HOME(/tmp) OMVSPGM(/bin/sh)) -
 NAME('RDZ - JES JOBMONITOR') -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCJMON) PASS(NOPW,0) NAME('RDZ - JES JOBMONITOR') DEPT(dept)
* TSS ADD(STCJMON) GROUP(STCGROUP) UID(7) HOME(/tmp) OMVSPGM(/bin/sh) -
 DFLTGRP(STCGROUP)
 
#  userid for RSE daemon
 LISTUSER STCRSE OMVS
* TSS LIST(STCRSE) SEGMENT(OMVS)
 
 ADDUSER  STCRSE -
 NOPASSWORD -
 DFLTGRP(STCGROUP) -
 OMVS(UID(8) HOME(/tmp) OMVSPGM(/bin/sh)) -
 NAME('RDZ - RSE DAEMON') -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCRSE) PASS(NOPW,0)  NAME('RDZ - RSE DAEMON') DEPT(dept)
* TSS ADD(STCRSE) UID(8) HOME(/tmp) OMVSPGM(/bin/sh) GROUP(STCGROUP) - 
 DFLTGRP(STCGROUP) 
 
#  userid for lock daemon
 LISTUSER STCLOCK OMVS
* TSS LIST(STCLOCK) SEGMENT(OMVS)
 
 ADDUSER  STCLOCK -
 NOPASSWORD -
 DFLTGRP(STCGROUP) -
 OMVS(UID(9) HOME(/tmp) OMVSPGM(/bin/sh)) -
 NAME('RDZ - LOCK DAEMON') -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCLOCK) PASS(NOPW,0) NAME('RDZ - LOCK DAEMON') DEPT(dept) 
* TSS ADD(STCLOCK) GROUP(STCGROUP) UID(9) HOME(/tmp) OMVSPGM(/bin/sh) -
 DFLTGRP(STCGROUP)
 
#  started task for JES Job Monitor
 RLIST   STARTED JMON.* ALL STDATA
* TSS LIST(STC) PROCN(JMON) PREFIX
 
 RDEFINE STARTED JMON.* -
 STDATA(USER(STCJMON) GROUP(STCGROUP) TRUSTED(NO)) -
 DATA('RDZ - JES JOBMONITOR')
* TSS ADD(STC) PROCN(JMON) ACID(STCJMON)
* TSS ADD(STCJMON) GROUP(STCGROUP)
 
#  started task for RSE daemon
 RLIST   STARTED RSED.* ALL STDATA
* TSS LIST(STC) PROCN(RSED) PREFIX
 
 RDEFINE STARTED RSED.* -
 STDATA(USER(STCRSE) GROUP(STCGROUP) TRUSTED(NO)) -
 DATA('RDZ - RSE DAEMON')
* TSS ADD(STC) PROCN(RSED) ACID(STCRSE)
* TSS ADD(STCRSE) GROUP(STCGROUP)
 
#  started task for lock daemon
 RLIST   STARTED LOCKD.* ALL STDATA
* TSS LIST(STC) PROCN(LOCKD) PREFIX 
 
 RDEFINE STARTED LOCKD.* -
 STDATA(USER(STCLOCK) GROUP(STCGROUP) TRUSTED(NO)) -
 DATA('RDZ - LOCK DAEMON')
* TSS ADD(STC) PROCN(LOCKD) ACID(STCLOCK)
* TSS ADD(STCLOCK) GROUP(STCGROUP)
 
 SETROPTS RACLIST(STARTED) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 LISTGRP  STCGROUP OMVS
* TSS LIST(STCGROUP) SEGMENT(OMVS)
 
 LISTUSER STCJMON  OMVS
* TSS LIST(STCJMON) SEGMENT(OMVS)
 
 LISTUSER STCRSE   OMVS
* TSS LIST(STCRSE) SEGMENT(OMVS)
 
 LISTUSER STCLOCK  OMVS
* TSS LIST(STCLOCK) SEGMENT(OMVS)
 
 RLIST STARTED JMON.*  ALL STDATA
* TSS LIST(STC) PROCN(JMON) PREFIX
 
 RLIST STARTED RSED.*  ALL STDATA
* TSS LIST(STC) PROCN(RSED) PREFIX
 
 RLIST STARTED LOCKD.* ALL STDATA
* TSS LIST(STC) PROCN(LOCKD) PREFIX
 
#  define JMON console 
 RLIST   CONSOLE JMON ALL
* TSS WHOHAS TSOAUTH(CONSOLE)
 
 RDEFINE CONSOLE JMON UACC(READ) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) TSOAUTH(CONSOLE)
 
 SETROPTS RACLIST(CONSOLE) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  define JMON console access
 RLIST   OPERCMDS MVS.MCSOPER.JMON ALL
* TSS WHOHAS OPERCMDS(MVS.MCSOPER.JMON)
 
 RDEFINE OPERCMDS MVS.MCSOPER.JMON UACC(READ) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) OPERCMDS(MVS.MCSOPER.JMON) 
* TSS PER(ALL) OPERCMDS(MVS.MCSOPER.JMON) ACC(READ)
 
#  define conditional JES operator command access
 RLIST   OPERCMDS JES%.** ALL
* TSS WHOHAS OPERCMDS(JES%)
 
 RDEFINE OPERCMDS JES%.** -
 UACC(NONE)
* TSS ADD(owningacid) OPERCMDS(JES) 
 
 PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) ID(*) -
 WHEN(CONSOLE(JMON))
* TSS PER(ALL) OPERCMDS(JES%) ACC(UPDATE)
 
 SETROPTS RACLIST(OPERCMDS) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST   CONSOLE JMON ALL
* TSS WHOHAS TSOAUTH(CONSOLE)
 
 RLIST   OPERCMDS MVS.MCSOPER.JMON ALL
* TSS WHOHAS OPERCMDS(MVS.MCSOPER.JMON)
 
 RLIST   OPERCMDS JES%.** ALL
* TSS WHOHAS OPERCMDS(JES)
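As an added example, not code from the KB article or from IBM's FEKRACF member, the following Python script applies the mapping rules that the data-set protection entries and the conditional JES operator command entries above illustrate: a generic RACF profile is cut at its first mask character to give the Top Secret prefix (so JES%.** becomes JES, as in the TSS ADD), UACC becomes a PER(ALL), ALTER becomes ACC(ALL), only the first ADD under a high-level prefix is kept ("Already owned previously"), and a RACF WHEN(...) condition, which the listed TSS permit does not carry, is reported so that the broader grant is reviewed rather than overlooked. owningacid is the article's own placeholder; the sample input is constructed.

```python
import re
# Added example (not from the KB article or IBM's FEKRACF member): translate RACF
# ADDSD/RDEFINE/PERMIT lines into CA Top Secret ADD/PER by the article's mapping rules.

CLASS_MAP = {"DATASET": "DSN", "FACILITY": "IBMFAC", "OPERCMDS": "OPERCMDS", "APPL": "APPL"}
ACCESS_MAP = {"NONE": None, "READ": "READ", "UPDATE": "UPDATE", "CONTROL": "CONTROL", "ALTER": "ALL"}  # ALTER -> ALL; NONE -> no permit

RACF_SAMPLE = [  # constructed input, shaped like the FEKRACF lines quoted in the article (continuations joined)
    "ADDSD 'FEK.*.**' UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z')",
    "PERMIT 'FEK.*.**' CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)",
    "ADDSD 'FEK.#CUST.LSTRANS.FILE' UACC(UPDATE) DATA('RDZ - SCLMDT')",
    "PERMIT 'FEK.#CUST.CRA*.**' CLASS(DATASET) ACCESS(UPDATE) ID(#ram-developer)",
    "RDEFINE OPERCMDS JES%.** UACC(NONE)",
    "PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) ID(*) WHEN(CONSOLE(JMON))",
]

def keyword(line, name):
    """Value of NAME(...) in a RACF command; allows one nested level, e.g. WHEN(CONSOLE(JMON))."""
    m = re.search(r"\b%s\(([^()]*(?:\([^()]*\))?[^()]*)\)" % name, line)
    return m.group(1) if m else None

def tss_prefix(profile):
    """RACF generic profile -> Top Secret prefix: cut at the first mask character, drop a trailing dot."""
    return re.split(r"[*%]", profile.strip("'"))[0].rstrip(".")

def convert(racf_lines, owner="owningacid"):
    """Return Top Secret commands (plus '* ...' notes) for a list of RACF commands."""
    out, owned = [], []  # owned: (class, prefix) pairs that already received a TSS ADD
    for line in racf_lines:
        words = line.split()
        verb = words[0].upper()
        if verb in ("ADDSD", "RDEFINE"):
            cls = "DSN" if verb == "ADDSD" else CLASS_MAP[words[1].upper()]
            prefix = tss_prefix(words[1] if verb == "ADDSD" else words[2])
            parent = next((p for c, p in owned if c == cls and prefix.startswith(p + ".")), None)
            if parent:  # the article: "Not needed. Already owned previously"
                out.append(f"* TSS ADD skipped: {cls}({prefix}) already owned under {cls}({parent})")
            else:
                out.append(f"TSS ADD({owner}) {cls}({prefix})")
                owned.append((cls, prefix))
            if acc := ACCESS_MAP[keyword(line, "UACC").upper()]:  # UACC above NONE: permit to every acid
                out.append(f"TSS PER(ALL) {cls}({prefix}) ACC({acc})")
        elif verb == "PERMIT":
            cls = CLASS_MAP[(keyword(line, "CLASS") or "DATASET").upper()]
            acid = "ALL" if keyword(line, "ID") == "*" else keyword(line, "ID")
            out.append(f"TSS PER({acid}) {cls}({tss_prefix(words[1])}) ACC({ACCESS_MAP[keyword(line, 'ACCESS').upper()]})")
            if cond := keyword(line, "WHEN"):  # the listed TSS permit carries no condition, so it is broader
                out.append(f"* WARNING: RACF WHEN({cond}) not carried over; the TSS permit above is unconditional")
    return out
```

Running `print("\n".join(convert(RACF_SAMPLE)))` lists the TSS commands in the article's order, with the skipped-ADD note for FEK.#CUST.LSTRANS.FILE and the warning under the JES permit.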
 
#  permit RSE server to create the client's security environment
 RLIST   FACILITY BPX.SERVER ALL
* TSS WHOHAS IBMFAC(BPX.SERVER) 
 
 RDEFINE FACILITY BPX.SERVER UACC(NONE)
* TSS ADD(owningacid) IBMFAC(BPX.)
 
 PERMIT BPX.SERVER CLASS(FACILITY) ACCESS(UPDATE) ID(STCRSE)
* TSS PER(STCRSE) IBMFAC(BPX.SERVER) ACC(UPDATE)
 
 SETROPTS RACLIST(FACILITY) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST   FACILITY BPX.SERVER ALL
* TSS WHOHAS IBMFAC(BPX.SERVER)
 
#  mark LE runtime & ISPF TSO/ISPF Client Gateway as program controlled
 RLIST  PROGRAM ** ALL
* TSS LIST(ALL) DATA(XAUTH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.LINKLIB'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.LINKLIB) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.MIGLIB'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.MIGLIB) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('CEE.SCEERUN'//NOPADCHK)
* TSS PER(ALL) DSN(CEE.SCEERUN) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('CEE.SCEERUN2'//NOPADCHK)
* TSS PER(ALL) DSN(CEE.SCEERUN2) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('ISP.SISPLPA'//NOPADCHK)
* TSS PER(ALL) DSN(ISP.SISPLPA) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('ISP.SISPLOAD'//NOPADCHK)
* TSS PER(ALL) DSN(ISP.SISPLOAD) ACC(FETCH)
 
#  (optional) mark Alt. REXX runtime, SSL and File Manager as progctl
# RALTER PROGRAM ** UACC(READ) ADDMEM('REXX.V1R4M0.SEAGALT'//NOPADCHK)
* TSS PER(ALL) DSN(REXX.V1R4M0.SEAGALT) ACC(FETCH)
 
# RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.SIEALNKE'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.SIEALNKE) ACC(FETCH)
 
# RALTER PROGRAM ** UACC(READ) ADDMEM('FMN.SFMNMODA'//NOPADCHK)
* TSS PER(ALL) DSN(FMN.SFMNMODA) ACC(FETCH)
 
 SETROPTS WHEN(PROGRAM) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST  PROGRAM ** ALL
* TSS LIST(ALL) DATA(XAUTH)
 
#  define RSE server as an application
 RLIST   APPL FEKAPPL ALL
* TSS WHOHAS APPL(FEKAPPL)
 
 RDEFINE APPL FEKAPPL UACC(READ) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) APPL(FEKAPPL)
* TSS PER(ALL) APPL(FEKAPPL) ACC(READ)
 
 SETROPTS RACLIST(APPL) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  activate passticket support for RSE application
 RLIST   PTKTDATA FEKAPPL ALL SSIGNON
* TSS WHOHAS PTKTDATA(FEKAPPL)
 
 RDEFINE PTKTDATA FEKAPPL UACC(NONE) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z') -
 APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE') -
 SSIGNON(KEYMASKED(key16           ))
* TSS ADD(NDT) PSTKAPPL(FEKAPPL) SESSKEY(key16           ) SIGNMULTI
 
 RLIST   PTKTDATA IRRPTAUTH.FEKAPPL.* ALL
* TSS WHOHAS PTKTDATA(IRRPTAUTH.FEKAPPL.)
 
 RDEFINE PTKTDATA IRRPTAUTH.FEKAPPL.* UACC(NONE) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) PSTKAPPL(IRRPTAUTH.FEKAPPL.) 
 
 PERMIT IRRPTAUTH.FEKAPPL.* CLASS(PTKTDATA) ACCESS(UPDATE) ID(STCRSE)
* TSS PER(STCRSE) PTKTDATA(IRRPTAUTH.FEKAPPL.) ACC(UPDATE) 
 
 SETROPTS RACLIST(PTKTDATA) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST   APPL FEKAPPL ALL
* TSS WHOHAS APPL(FEKAPPL)
 
 RLIST   PTKTDATA FEKAPPL ALL SSIGNON
* TSS WHOHAS PTKTDATA(FEKAPPL) 
 
 RLIST   PTKTDATA IRRPTAUTH.FEKAPPL.* ALL
* TSS WHOHAS PTKTDATA(IRRPTAUTH.FEKAPPL.)
 
#  activate port of entry checking
# RLIST   FACILITY BPX.POE ALL
* TSS WHOHAS IBMFAC(BPX.POE)
 
# RDEFINE FACILITY BPX.POE UACC(NONE)
* TSS ADD(owningacid) IBMFAC(BPX.POE) - Not needed. Done in a previous
step with a 'TSS ADD(owningacid) IBMFAC(BPX.)'
 
# PERMIT BPX.POE CLASS(FACILITY) ACCESS(READ) ID(STCRSE)
* TSS PER(STCRSE) IBMFAC(BPX.POE) ACC(READ)
 
# SETROPTS RACLIST(FACILITY) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST   FACILITY BPX.POE ALL
* TSS WHOHAS IBMFAC(BPX.POE)