RACF Commands From IBM's FEKRACF Member And The CA Top Secret Equivalent Commands.

Document ID : KB000052795
Last Modified Date : 13/02/2019
Show Technical Document Details
Introduction:

Description:

IBM provides a FEKRACF member for RDz implementation. This member has RACF commands. What are the CA Top Secret equivalent commands?

Solution:

The following are the RACF commands from the FEKRACF member and the CA Top Secret equivalent commands.

#  display current settings
# SETROPTS LIST
* No CA Top Secret equivalent and not needed.
 
#  activate facility class for z/OS UNIX profiles
# SETROPTS GENERIC(FACILITY)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
* No CA Top Secret equivalent and not needed.
 
#  activate started task definitions
# SETROPTS GENERIC(STARTED)
* No CA Top Secret equivalent and not needed.
 
# RDEFINE STARTED ** STDATA(USER(=MEMBER) GROUP(STCGROUP) TRACE(YES))
* TSS ADD(STC) PROCN(DEFAULT) ACID(defaultacid) - Skip this step if you
already have a default acid for undefined started tasks.
* TSS ADD(defaultacid) GROUP(STCGROUP) 
 
# SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
* No CA Top Secret equivalent and not needed.
 
#  activate console security for JES Job Monitor server
# SETROPTS GENERIC(CONSOLE)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(CONSOLE) RACLIST(CONSOLE)
* No CA Top Secret equivalent and not needed.
 
#  activate operator command protection for JES Job Monitor server
# SETROPTS GENERIC(OPERCMDS)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(OPERCMDS) RACLIST(OPERCMDS)
* No CA Top Secret equivalent and not needed.
 
#  activate application protection for RSE server
# SETROPTS GENERIC(APPL)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(APPL) RACLIST(APPL)
* No CA Top Secret equivalent and not needed.
 
#  activate secured signon using PassTickets for RSE server
# SETROPTS GENERIC(PTKTDATA)
* No CA Top Secret equivalent and not needed.
 
# SETROPTS CLASSACT(PTKTDATA) RACLIST(PtTKTDATA)
* No CA Top Secret equivalent and not needed.
 
#  activate program control for RSE server
# RDEFINE PROGRAM ** ADDMEM('SYS1.CMDLIB'//NOPADCHK) UACC(READ)
* TSS ADD(owningacid) DSN(SYS1.) 
* TSS PER(ALL) DSN(SYS1.CMDLIB) ACC(READ)
 
# SETROPTS WHEN(PROGRAM)
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 SETROPTS LIST
* No CA Top Secret equivalent and not needed.
 
#  add OMVS segment to existing user ID
# LISTUSER #userid NORACF OMVS
TSS LIST(#user) SEGMENT(OMVS)
 
# ALTUSER #userid OMVS(UID(#user-identifier) -
#  HOME(/u/#userid) OMVSPGM(/bin/sh) NOASSIZEMAX)
* TSS ADD(#userid) UID(uid) HOME(/u/#userid) OMVSPGM(/bin/sh)
 
#  add OMVS segment to existing group
# LISTGRP #grou-name NORACF OMVS
* TSS LIST(#user) SEGMENT(OMVS)
 
# ALTGROUP #group-name OMVS(GID(#group-identifier))
* TSS ADD(#group-name) GID(#group-identifier)
 
#  HLQ stub
 LISTGRP FEK ALL
* TSS LIST(FEK) DATA(ALL)
 
 ADDGROUP (FEK) OWNER(IBMUSER) SUPGROUP(SYS1) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z - HLQ STUB')
* TSS CRE(FEK) NAME('RATIONAL DEV SYSTEM Z - HLQ STUB') TYPE(GROUP) -
 DEPT(deptacid) 
 
#  general data set protection
 LISTDSD PREFIX(FEK) ALL
* TSS WHOHAS DSN(FEK)
 
 ADDSD 'FEK.*.**' -
 UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) DSN(FEK)
* TSS PER(ALL) DSN(FEK) ACC(READ)
 
 PERMIT 'FEK.*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK) ACC(ALL)
 
#  sclmdt long/short name translation, users need update
 LISTDSD PREFIX(FEK.#CUST.LSTRANS)
* TSS WHOHAS DSN(FEK.#CUST.LSTRANS)
 
 ADDSD 'FEK.#CUST.LSTRANS.FILE' -
 UACC(UPDATE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - SCLMDT')
* TSS ADD(owningacid) DSN(FEK.#CUST.LSTRANS.FILE) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.LSTRANS.FILE) ACC(UPDATE)
 
 PERMIT 'FEK.#CUST.LSTRANS.FILE' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.LSTRANS.FILE) ACC(ALL)
 
#  carma ram development, ram developers need update
 LISTDSD PREFIX(FEK.#CUST.CRA)
* TSS WHOHAS DSN(FEK.#CUST.CRA)
 
 ADDSD 'FEK.#CUST.CRA*.**' -
 UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - CARMA')
* TSS ADD(owningacid) DSN(FEK.#CUST.CRA) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.CRA) ACC(READ)
 
 PERMIT 'FEK.#CUST.CRA*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.CRA) ACC(ALL)
 
 PERMIT 'FEK.#CUST.CRA*.**' -
 CLASS(DATASET) ACCESS(UPDATE) ID(#ram-developer)
* TSS PER(@ram-developer) DSN(FEK.#CUST.CRA) ACC(UPDATE)
 
#  CRD server, cics administrators need update
 LISTDSD PREFIX(FEK.#CUST.ADN)
* TSS WHOHAS DSN(FEK.#CUST.ADN)
 
 ADDSD 'FEK.#CUST.ADNREP*.**' -
 UACC(READ) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - ADN')
* TSS ADD(owningacid) DSN(FEK.#CUST.ADNREP) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.ADNREP) ACC(READ)
 
 PERMIT 'FEK.#CUST.ADNREP*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.ADNREP) ACC(ALL)
 
 PERMIT 'FEK.#CUST.ADNREP*.**' -
 CLASS(DATASET) ACCESS(UPDATE) ID(#cicsadmin)
* TSS PER(#cicsadmin) DSN(FEK.#CUST.ADNREP) ACC(UPDATE)
 
#  manifest repository, all users need update
 LISTDSD PREFIX(FEK.#CUST.ADN)
* TSS WHOHAS DSN(FEK.#CUST.ADN)
 
 ADDSD 'FEK.#CUST.ADNMAN*.**' -
 UACC(UPDATE) DATA('RATIONAL DEVELOPER FOR SYSTEM Z - ADN')
* TSS ADD(owningacid) DSN(FEK.#CUST.ADNMAN) - Not needed. 
 Already owned previously with 'TSS ADD(owningacid) DSN(FEK)'
* TSS PER(ALL) DSN(FEK.#CUST.ADNMAN) ACC(UPDATE)
 
 PERMIT 'FEK.#CUST.ADNMAN*.**' -
 CLASS(DATASET) ACCESS(ALTER) ID(#sysprog)
* TSS PER(#sysprog) DSN(FEK.#CUST.ADNMAN)  ACC(ALL)
 
 SETROPTS GENERIC(DATASET) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 LISTGRP FEK ALL
* TSS LIST(FEK) DATA(ALL)
 
 LISTDSD PREFIX(FEK) ALL
* TSS WHOHAS DSN(FEK)
 
#  group for started tasks
 LISTGRP  STCGROUP OMVS
* TSS LIST(STCGROUP) SEGMENT(OMVS)
 
 ADDGROUP STCGROUP
* TSS CREATE(STCGROUP) TYPE(GROUP) NAME('STC GROUP W/OMVS SEGEMENT') DEPT(dept)
 
 ALTGROUP STCGROUP OMVS(GID(1)) -
 DATA('STARTED TASK GROUP WITH OMVS SEGEMENT')
* TSS ADD(STCGROUP) GID(1)
 
#  userid for JES job monitor
 LISTUSER STCJMON OMVS
* TSS LIST(STCJMON) SEGMENT(OMVS)
 
 ADDUSER  STCJMON -
 NOPASSWORD -
 DFLTGRP(STCGROUP) -
 OMVS(UID(7) HOME(/tmp) OMVSPGM(/bin/sh)) -
 NAME('RDZ - JES JOBMONITOR') -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCJMON) PASS(NOPW,0) NAME('RDZ - JES JOBMONITOR') DEPT(dept)
* TSS ADD(STCJMON) OMVSGRP(STCGROUP) UID(7) HOME(/tmp) OMVSPGM(/bin/sh) 
 
#  userid for RSE daemon
 LISTUSER STCRSE OMVS
* TSS LIST(STCRSE) SEGMENT(OMVS)
 
 ADDUSER  STCRSE -
 NOPASSWORD -
 DFLTGRP(STCGROUP) -
 OMVS(UID(8) HOME(/tmp) OMVSPGM(/bin/sh)) -
 NAME('RDZ - RSE DAEMON') -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCRSE) PASS(NOPW,0)  NAME('RDZ - RSE DAEMON') DEPT(dept)
* TSS ADD(STCRSE) UID(8) HOME(/tmp) OMVSPGM(/bin/sh) GROUP(STCGROUP) - 
 DFLTGRP(STCGROUP) 
 
#  userid for lock daemon
 LISTUSER STCLOCK OMVS
* TSS LIST(STCLOCK) SEGMENT(OMVS)
 
 ADDUSER  STCLOCK -
 NOPASSWORD -
 DFLTGRP(STCGROUP) -
 OMVS(UID(9) HOME(/tmp) OMVSPGM(/bin/sh)) -
 NAME('RDZ - LOCK DAEMON') -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS CRE(STCLOCK) PASS(NOPW,0) NAME('RDZ - LOCK DAEMON') DEPT(dept) 
* TSS ADD(STCLOCK) GROUP(STCGROUP) UID(9) HOME(/tmp) OMVSPGM(/bin/sh) -                  -
 DFLTGRP(STCGROUP) 
 
#  started task for JES Job Monitor
 RLIST   STARTED JMON.* ALL STDATA
* TSS LIST(STC) PROCN(JMON) PREFIX
 
 RDEFINE STARTED JMON.* -
 STDATA(USER(STCJMON) GROUP(STCGROUP) TRUSTED(NO)) -
 DATA('RDZ - JES JOBMONITOR')
* TSS ADD(STC) PROCN(JMON) ACID(STCJMON)
* TSS ADD(STCJMON) GROUP(STCGROUP)
 
#  started task for RSE daemon
 RLIST   STARTED RSED.* ALL STDATA
* TSS LIST(STC) PROCN(RSED) PREFIX
 
 RDEFINE STARTED RSED.* -
 STDATA(USER(STCRSE) GROUP(STCGROUP) TRUSTED(NO)) -
 DATA('RDZ - RSE DAEMON')
* TSS ADD(STC) PROCN(RSED) ACID(STCRSE)
* TSS ADD(STCRSE) GROUP(STCGROUP)
 
#  started task for lock daemon
 RLIST   STARTED LOCKD.* ALL STDATA
* TSS LIST(STC) PROCN(LOCKD) PREFIX 
 
 RDEFINE STARTED LOCKD.* -
 STDATA(USER(STCLOCK) GROUP(STCGROUP) TRUSTED(NO)) -
 DATA('RDZ - LOCK DAEMON')
* TSS ADD(STC) PROCN(LOCKD) ACID(STCLOCK)
* TSS ADD(STCLOCK) GROUP(STCGROUP)
 
 SETROPTS RACLIST(STARTED) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 LISTGRP  STCGROUP OMVS
* TSS LIST(STCGROUP) SEGMENT(OMVS)
 
 LISTUSER STCJMON  OMVS
* TSS LIST(STCJMON) SEGMENT(OMVS)
 
 LISTUSER STCRSE   OMVS
* TSS LIST(STCRSE) SEGMENT(OMVS)
 
 LISTUSER STCLOCK  OMVS
* TSS LIST(STCLOCK) SEGMENT(OMVS)
 
 RLIST STARTED JMON.*  ALL STDATA
* TSS LIST(STC) PROCN(JMON) PREFIX
 
 RLIST STARTED RSED.*  ALL STDATA
* TSS LIST(STC) PROCN(RSED) PREFIX
 
 RLIST STARTED LOCKD.* ALL STDATA
* TSS LIST(STC) PROCN(LOCKD) PREFIX
 
#  define JMON console 
 RLIST   CONSOLE JMON ALL
* TSS WHOHAS TSOAUTH(CONSOLE)
 
 RDEFINE CONSOLE JMON UACC(READ) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) TSOAUTH(CONSOLE)
 
 SETROPTS RACLIST(CONSOLE) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  define JMON console access
 RLIST   OPERCMDS MVS.MCSOPER.JMON ALL
* TSS WHOHAS OPERCMDS(MVS.MCSOPER.JMON)
 
 RDEFINE OPERCMDS MVS.MCSOPER.JMON UACC(READ) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) OPERCMDS(MVS.MCSOPER.JMON) 
* TSS PER(ALL) OPERCMDS(MVS.MCSOPER.JMON) ACC(READ)
 
#  define conditional JES operator command access
 RLIST   OPERCMDS JES%.** ALL
* TSS WHOHAS OPERCMDS(JES%)
 
 RDEFINE OPERCMDS JES%.** -
 UACC(NONE)
* TSS ADD(owningacid) OPERCMDS(JES) 
 
 PERMIT JES%.** CLASS(OPERCMDS) ACCESS(UPDATE) ID(*) -
 WHEN(CONSOLE(JMON))
* TSS PER(ALL) OPERCMDS(JES%) ACC(UPDATE)
 
 SETROPTS RACLIST(OPERCMDS) REFRESH
* No CA Top Secret equivalent and not needed.
 
#  show results -------------------------------------------------------
 RLIST   CONSOLE JMON ALL
* TSS WHOHAS TSOAUTH(CONSOLE)
 
 RLIST   OPERCMDS MVS.MCSOPER.JMON ALL
* TSS WHOHAS OPERCMDS(MVS.MCSOPER.JMON)
 
 RLIST   OPERCMDS JES%.** ALL
* TSS WHOHAS OPERCMDS(JES)
 
#  permit RSE server to create the client's security environment
 RLIST   FACILITY BPX.SERVER ALL
* TSS WHOHAS IBMFAC(BPX.SERVER) 
 
 RDEFINE FACILITY BPX.SERVER UACC(NONE)
* TSS ADD(owningacid) IBMFAC(BPX.)
 
 PERMIT BPX.SERVER CLASS(FACILITY) ACCESS(UPDATE) ID(STCRSE)
* TSS PER(STCRSE) IBMFAC(BPX.SERVER) ACC(UPDATE)
 
 SETROPTS RACLIST(FACILITY) REFRESH
* No equivalent and not needed with Top Secret.
 
#  show results -------------------------------------------------------
 RLIST   FACILITY BPX.SERVER ALL
* TSS WHOHAS IBMFAC(BPX.SERVER)
 
#  mark LE runtime & ISPF TSO/ISPF Client Gateway as program controlled
 RLIST  PROGRAM ** ALL
* TSS LIST(ALL) DATA(XAUTH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.LINKLIB'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.LINKLI) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.MIGLIB'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.MIGLIB) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('CEE.SCEERUN'//NOPADCHK)
* TSS PER(ALL) DSN(CEE.SCEERUN) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('CEE.SCEERUN2'//NOPADCHK)
* TSS PER(ALL) DSN(CEE.SCEERUN2) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('ISP.SISPLPA'//NOPADCHK)
* TSS PER(ALL) DSN(ISP.SISPLPA) ACC(FETCH)
 
 RALTER PROGRAM ** UACC(READ) ADDMEM('ISP.SISPLOAD'//NOPADCHK)
* TSS PER(ALL) DSN(ISP.SISPLOAD) ACC(FETCH)
 
#  (optional) mark Alt. REXX runtime, SSL and File Manager as progctl
# RALTER PROGRAM ** UACC(READ) ADDMEM('REXX.V1R4M0.SEAGALT'//NOPADCHK)
* TSS PER(ALL) DSN(REXX.V1R4M0.SEAGALT) ACC(FETCH)
 
# RALTER PROGRAM ** UACC(READ) ADDMEM('SYS1.SIEALNKE'//NOPADCHK)
* TSS PER(ALL) DSN(SYS1.SIEALNKE) ACC(FETCH)
 
# RALTER PROGRAM ** UACC(READ) ADDMEM('FMN.SFMNMODA'//NOPADCHK)
* TSS PER(ALL) DSN(FMN.SFMNMODA) ACC(FETCH)
 
 SETROPTS WHEN(PROGRAM) REFRESH
* No equivalent and not needed with Top Secret
 
#  show results -------------------------------------------------------
 RLIST  PROGRAM ** ALL
* TSS LIST(ALL) DATA(XAUTH)
 
#  define RSE server as an application
 RLIST   APPL FEKAPPL ALL
* TSS WHOHAS APPL(FEKAPPL)
 
 RDEFINE APPL FEKAPPL UACC(READ) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) APPL(FEKAPPL)
* TSS PER(ALL) APPL(FEKAPPL) ACC(READ)
 
 SETROPTS RACLIST(APPL) REFRESH
* No equivalent and not needed with Top Secret
 
#  activate passticket support for RSE application
 RLIST   PTKTDATA FEKAPPL ALL SSIGNON
* TSS WHOHAS PTKTDATA(FEKAPPL)
 
 RDEFINE PTKTDATA FEKAPPL UACC(NONE) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z') -
 APPLDATA('NO REPLAY PROTECTION - DO NOT CHANGE') -
 SSIGNON(KEYMASKED(key16           ))
* TSS ADD(NDT) PSTKAPPL(FEKAPPL) SESSKEY(key16           ) SIGNMULTI
 
 RLIST   PTKTDATA IRRPTAUTH.FEKAPPL.* ALL
* TSS WHOHAS PTKTDATA(IRRPTAUTH.FEKAPPL.)
 
 RDEFINE PTKTDATA IRRPTAUTH.FEKAPPL.* UACC(NONE) -
 DATA('RATIONAL DEVELOPER FOR SYSTEM Z')
* TSS ADD(owningacid) PSTKAPPL(IRRPTAUTH.FEKAPPL.) 
 
 PERMIT IRRPTAUTH.FEKAPPL.* CLASS(PTKTDATA) ACCESS(UPDATE) ID(STCRSE)
* TSS PER(STCRSE) PTKTDATA(IRRPTAUTH.FEKAPPL.) ACC(UPDATE) 
 
 SETROPTS RACLIST(PTKTDATA) REFRESH
* No equivalent and not needed with Top Secret
 
#  show results -------------------------------------------------------
 RLIST   APPL FEKAPPL ALL
* TSS WHOHAS APPL(FEKAPPL)
 
 RLIST   PTKTDATA FEKAPPL ALL SSIGNON
* TSS WHOHAS PTKTDATA(FEKAPPL) 
 
 RLIST   PTKTDATA IRRPTAUTH.FEKAPPL.* ALL
* TSS WHOHAS PTKTDATA(IRRPTAUTH.FEKAPPL.)
 
#  activate port of entry checking
# RLIST   FACILITY BPX.POE ALL
* TSS WHOHAS IBMFAC(BPX.POE)
 
# RDEFINE FACILITY BPX.POE UACC(NONE)
* TSS ADD(owningacid) IBMFAC(BPX.POE) - Not needed. Done in a previous
step with a 'TSS ADD(owningacid) IBMFAC(BPX.)'
 
# PERMIT BPX.POE CLASS(FACILITY) ACCESS(READ) ID(STCRSE)
* TSS PER(STCRSE) IBMFAC(BPX.POE) ACC(READ)
 
# SETROPTS RACLIST(FACILITY) REFRESH
* No equivalent and not needed with Top Secret
 
#  show results -------------------------------------------------------
 RLIST   FACILITY BPX.POE ALL
* TSS WHOHAS IBMFAC(BPX.POE)


In addition to the above CA Top Secret commands, a facility should be defined in CA Top Secret for the RDz address space. Below is an example:

TSS MODIFY FACILITY(USERnn=NAME=RDZ) where 'nn' is an unused facility number in your system.
TSS MODIFY FACILITY(RDZ=MODE=FAIL)
TSS MODIFY FACILITY(RDZ=PGM=BPX)
TSS MODIFY FACILITY(RDZ=...)
where '...' is any other FACILITY control options that you want to override the default settings.

The TSS MODIFY command is only valid until the next recycle of CA Top Secret. To make the changes permanent, add the corresponding FACILITY statements to the CA Top Secret parameter file:

FACILITY(USERnn=NAME=RDZ)       
FACILITY(RDZ=MODE=FAIL) 
FACILITY(RDZ=PGM=BPX)
FACILITY(RDZ=...)

Once the FACILITY is defined, add the FACILITY as a MASTFAC to the region acid for RDz:

TSS ADD(regionacid) MASTFAC(facilityname)

to associate the FACILITY with the region.

All users using the FACILITY will need to be authorized to that FACILITY in order to signon.

TSS ADD(acid) FAC(facilityname)

where 'acid' is the user ACID, an attached profile, or the ALL record, if all users need access.

The RDz started task will need to be recycled after adding the MASTFAC for the change to be picked up.
Instructions:
Please Update This Required Field