Configure IBM RACF Security
Follow these steps to configure iDash to use IBM RACF security.
This section assumes you have completed the steps that are documented under ‘Prepare Certificates for External Security’. Remember, you are loading a minimum of three certificates (more if you use failover) into your external security product:
- CA 7 Server for iDash Certificate Authority (CA) certificate
- CA 7 Server for iDash Server certificate
- iDash Server certificate (exported using the keytool utility)
Follow the steps below to configure iDash to use IBM RACF security:
- Confirm you have completed the steps that are documented under ‘Prepare Certificates for External Security.’
- Define the necessary FACILITY class profiles to give you access to use the RACDCERT commands:
- The control levels in increasing strength are NONE, READ, UPDATE, CONTROL, and ALTER.
- To use the RACDCERT command, you need the appropriate permission to the IRR.DIGTCERT.function profile under the FACILITY class.
- READ access is required to manipulate your certificates and key rings.
- UPDATE access is required to manipulate them for other users.
- CONTROL access is required to manipulate CERTAUTH (certificate authority) certificates.
Give the certificate-owner for the three certificates permission to read key rings and certificates as shown in the following example:
  RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.ALTER UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(userid) ACCESS(READ)
  PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(userid) ACCESS(READ)
  PERMIT IRR.DIGTCERT.ALTER CLASS(FACILITY) ID(userid) ACCESS(READ)
  PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(userid) ACCESS(UPDATE)
  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(userid) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(certificate-owner) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(certificate-owner) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
- To connect a certificate authority certificate to your key ring, UPDATE access is required to the IRR.DIGTCERT.CONNECT profile in the FACILITY class.
- You now have the appropriate access to the RACDCERT commands.
- Create a key ring. A key ring is a named collection of certificates that are associated with a specific user. A key ring must be created using a RACF command similar to the following sample:
  RACDCERT ID(ring-owner) ADDRING(keyringname)
- ring-owner
- Specifies the user ID that owns the key ring. This user ID should be the certificate owner ID.
- keyringname
- Specifies a unique name for the key ring.
- Add the CA 7 Server for iDash Certificate Authority (CA) certificate to your RACF database:
  RACDCERT CERTAUTH ADD('your.mvs.cacert.name') WITHLABEL('your CA 7 Server for iDash CA certificate label') TRUST PASSWORD('pswd')
- your.mvs.cacert.name
- Name of the sequential data set used to store the CA 7 Server for iDash Certificate Authority certificate.
- your CA 7 Server for iDash CA certificate label
- Specifies the label that you opt to identify the CA certificate (32 characters or less). For example, IDASHCA
- pswd
- The password that was used to store the certificate in the gskkyman database. This field may be optional. If omitted and required, you are prompted to enter a password in quotes.
The CA 7 Server for iDash Certificate Authority certificate is added to your RACF database.
- Add the CA 7 Server for iDash Server certificate to your RACF database:
  RACDCERT ID(certificate-owner) ADD('your.mvs.srvcert.name') WITHLABEL('your CA 7 Server for iDash server certificate label') TRUST PASSWORD('pswd')
- certificate-owner
- Specifies the user ID that you select to own the certificate.
- your.mvs.srvcert.name
- Specifies the data set name that is used to store the CA 7 Server for iDash server certificate.
- your CA 7 Server for iDash server certificate label
- Specifies the label that you opt to identify this server certificate (32 characters or less). For example, IDASHSRV
- pswd
- The password that was used to store the certificate in the gskkyman database. This field may be optional. If omitted and required, you are prompted to enter a password in quotes.
- Add the iDash Server certificate to your RACF database:
  RACDCERT ID(certificate-owner) ADD('your.idashserver.cacert.name') WITHLABEL('your iDash server certificate label') TRUST
- certificate-owner
- Specifies the user ID that you select to own the certificate.
- your.idashserver.cacert.name
- Specifies the data set name that is used to store the iDash Server CA certificate.
- your iDash server certificate label
- Specifies the label that you opt to identify your iDash Server CA certificate (32 characters or less). For example, IDASHCL1
You may have additional CA 7 Server for iDash and/or iDash Server instances that you have set up for failover. In this case, you must add those certificates to the IBM RACF database as well. You must provide different DIGTCERT names (labels) for these failover certificates.
- Connect the certificates to the key ring: After you add the certificates to your RACF database, connect the certificates to the key ring.
  RACDCERT ID(ring-owner) CONNECT(LABEL('your CA 7 Server for iDash server certificate label') RING(keyringname) USAGE(PERSONAL) DEFAULT)
  RACDCERT ID(ring-owner) CONNECT(LABEL('your iDash server certificate label') RING(keyringname) USAGE(PERSONAL))
  RACDCERT ID(ring-owner) CONNECT(CERTAUTH LABEL('your CA 7 Server for iDash CA certificate label') RING(keyringname) USAGE(CERTAUTH))
- LABEL
- Specifies the label that you used in the previous steps to identify each certificate.
- keyringname
- Specifies the name of the key ring you used when you created the key ring.
- ring-owner
- Specifies the user ID that created the key ring.
(Optional) Post-Configuration Tasks
Debug Key Ring and Certificate Issues
The following RACDCERT commands list the key ring and certificates so you can verify that they exist and carry the expected attributes; they are useful for identifying errors or failures that are related to your key ring or certificates.
- To list the key ring:
  RACDCERT ID(ring-owner) LISTRING(keyringname)
- To list the certificate authority (CA) certificates, by label or by serial number:
  RACDCERT CERTAUTH LIST(LABEL('your CA 7 Server for iDash CA certificate label'))
  RACDCERT CERTAUTH LIST(SERIALNUMBER(023456))
- To list the server certificates:
  RACDCERT ID(certificate-owner) LIST(LABEL('your CA 7 Server for iDash Server certificate label'))
  RACDCERT ID(certificate-owner) LIST(LABEL('your iDash Server certificate label'))
Replace an Expired Server Certificate
Follow these steps:
- Obtain one or more new certificates.
- Upload the certificates to z/OS.
- Delete the existing certificates from the RACF database so you can use the same labels for the new certificates:
  RACDCERT ID(certificate-owner) DELETE(LABEL('your CA 7 Server for iDash Server certificate label'))
  RACDCERT ID(certificate-owner) DELETE(LABEL('your iDash Server certificate label'))
  RACDCERT CERTAUTH DELETE(LABEL('your CA 7 Server for iDash CA certificate label'))
- Add the new certificates and connect them to your key ring as previously described.
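The following added example (not part of the iDash documentation or product) generates the RACF command stream for the key ring setup above and for the expired-certificate replacement, with the 32-character label limit and the distinct-label requirement for failover certificates enforced before anything is emitted. The owner, ring, data set names and labels it uses are constructed sample values.

```python
from dataclasses import dataclass

MAX_LABEL = 32  # RACDCERT labels are limited to 32 characters

# IRR.DIGTCERT.<function> -> access level the page requires for the certificate owner
FACILITY_ACCESS = {"ADD": "READ", "ADDRING": "READ", "ALTER": "READ",
                   "CONNECT": "UPDATE", "LIST": "READ", "LISTRING": "READ"}

@dataclass(frozen=True)
class Cert:
    label: str              # WITHLABEL value; reused by CONNECT and DELETE
    dataset: str            # sequential data set the certificate was uploaded to
    certauth: bool = False  # True for the CA 7 Server for iDash CA certificate
    default: bool = False   # DEFAULT goes on the CA 7 Server for iDash server cert
    password: str = ""      # gskkyman export password, if one was used

def subject(owner, c):
    return "CERTAUTH" if c.certauth else f"ID({owner})"

def check_labels(certs):
    """Labels must fit RACDCERT's limit and be unique (failover certs need their own)."""
    labels = [c.label for c in certs]
    too_long = [l for l in labels if len(l) > MAX_LABEL]
    if too_long:
        raise ValueError(f"label longer than {MAX_LABEL} characters: {too_long}")
    if len(set(labels)) != len(labels):
        raise ValueError("duplicate label: each failover certificate needs its own")

def setup_commands(owner, ring, certs):
    """Ring owner and certificate owner are the same user ID, as the page advises."""
    check_labels(certs)
    cmds = []
    for fn, acc in FACILITY_ACCESS.items():  # FACILITY profiles for RACDCERT
        cmds.append(f"RDEFINE FACILITY IRR.DIGTCERT.{fn} UACC(NONE)")
        cmds.append(f"PERMIT IRR.DIGTCERT.{fn} CLASS(FACILITY) ID({owner}) ACCESS({acc})")
    cmds.append("SETROPTS RACLIST(FACILITY) REFRESH")
    cmds.append(f"RACDCERT ID({owner}) ADDRING({ring})")  # create the key ring
    for c in certs:  # load each certificate into the RACF database
        pw = f" PASSWORD('{c.password}')" if c.password else ""
        cmds.append(f"RACDCERT {subject(owner, c)} ADD('{c.dataset}') WITHLABEL('{c.label}') TRUST{pw}")
    for c in certs:  # connect each certificate to the ring
        kind = "CERTAUTH " if c.certauth else ""
        usage = "CERTAUTH" if c.certauth else "PERSONAL"
        dflt = " DEFAULT" if c.default else ""
        cmds.append(f"RACDCERT ID({owner}) CONNECT({kind}LABEL('{c.label}') RING({ring}) USAGE({usage}){dflt})")
    cmds.append("SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH")  # needed only if RACLISTed
    return cmds

def delete_commands(owner, certs):
    """Expired certificate: delete first so the same labels can be reused on re-add."""
    return [f"RACDCERT {subject(owner, c)} DELETE(LABEL('{c.label}'))" for c in certs]
```

A failover CA 7 Server for iDash certificate is just one more `Cert` in the list with its own label; `check_labels` rejects the stream if a label is reused.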
Refresh RACF Classes
If you have RACLISTed the DIGTCERT or DIGTRING classes, refresh the in-storage profiles before the updates can take effect:
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
If you have not RACLISTed the DIGTCERT or DIGTRING classes, you do not need to refresh the in-storage profiles. To activate these classes if they are not already active:
  SETROPTS CLASSACT(DIGTCERT DIGTRING)