Configure IBM RACF Security

Follow these steps to configure iDash to use IBM RACF security.
This section assumes you have completed the steps that are documented under ‘Prepare Certificates for External Security’. Remember, you are loading a minimum of three certificates (more if you use failover) in your external security product:
  1. CA 7 Server for iDash Certificate Authority (CA) certificate
  2. CA 7 Server for iDash Server certificate
  3. iDash Server certificate (exported using the keytool utility)
Follow the steps below to configure iDash to use IBM RACF security:
  1. Confirm you have completed the steps that are documented under ‘Prepare Certificates for External Security.’
  2. Define the necessary FACILITY class profiles to give you access to use the RACDCERT commands:
    • The access levels in increasing strength are NONE, READ, UPDATE, CONTROL, and ALTER.
    • To use the RACDCERT command, you need the appropriate permission to the IRR.DIGTCERT.function profile under the FACILITY class:
      • READ access is required to manipulate your own certificates and key rings.
      • UPDATE access is required to manipulate them for other users.
      • CONTROL access is required to manipulate CERTAUTH (certificate authority) certificates.
    Use the following sample RACF RDEFINE, PERMIT, and SETROPTS commands to define the necessary FACILITY class profiles. These commands also give you access to use the RACDCERT commands:
      RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
      RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
      RDEFINE FACILITY IRR.DIGTCERT.ALTER UACC(NONE)
      RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
      RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
      RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
      PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(userid) ACCESS(READ)
      PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(userid) ACCESS(READ)
      PERMIT IRR.DIGTCERT.ALTER CLASS(FACILITY) ID(userid) ACCESS(READ)
      PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(userid) ACCESS(UPDATE)
      PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(userid) ACCESS(READ)
      PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACCESS(READ)
    Give the certificate-owner for the three certificates permission to read key rings and certificates, as shown in the following example:
      PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(certificate-owner) ACCESS(READ)
      PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(certificate-owner) ACCESS(READ)
      SETROPTS RACLIST(FACILITY) REFRESH
    • To connect a certificate authority certificate to your key ring, UPDATE access is required to the IRR.DIGTCERT.CONNECT profile in the FACILITY class.
  3. You now have the appropriate access to the RACDCERT commands.
  4. Create a key ring. A key ring is a named collection of certificates that are associated with a specific user. Create the key ring using a RACF command similar to the following sample:
    RACDCERT ID(ring-owner) ADDRING(keyringname)
    ring-owner
      Specifies the user ID that owns the key ring. This user ID should be the certificate owner ID.
    keyringname
      Specifies a unique name for the key ring.
    The key ring is created.
  5. Add the CA 7 Server for iDash Certificate Authority (CA) certificate to your RACF database:
    RACDCERT CERTAUTH ADD('your.mvs.cacert.name') WITHLABEL('your CA 7 Server for iDash CA certificate label') TRUST PASSWORD('pswd')
    your.mvs.cacert.name
      Name of the sequential data set used to store the CA 7 Server for iDash Certificate Authority certificate.
    your CA 7 Server for iDash CA certificate label
      Specifies the label that you choose to identify the CA certificate (32 characters or less). For example, IDASHCA.
    pswd
      The password that was used to store the certificate in the gskkyman database. This field may be optional. If omitted and required, you are prompted to enter a password in quotes.
    The CA 7 Server for iDash Certificate Authority certificate is added to your RACF database.
  6. Add the CA 7 Server for iDash Server certificate to your RACF database:
    RACDCERT ID(certificate-owner) ADD('your.mvs.srvcert.name') WITHLABEL('your CA 7 Server for iDash server certificate label') TRUST PASSWORD('pswd')
    certificate-owner
      Specifies the user ID that you select to own the certificate.
    your.mvs.srvcert.name
      Specifies the data set name that is used to store the CA 7 Server for iDash server certificate.
    your CA 7 Server for iDash server certificate label
      Specifies the label that you choose to identify this server certificate (32 characters or less). For example, IDASHSRV.
    pswd
      The password that was used to store the certificate in the gskkyman database. This field may be optional. If omitted and required, you are prompted to enter a password in quotes.
  7. Add the iDash Server certificate to your RACF database:
    RACDCERT ID(certificate-owner) ADD('your.mvs.idashserver.cacert.name') WITHLABEL('your iDash server certificate label') TRUST
    certificate-owner
      Specifies the user ID that you select to own the certificate.
    your.mvs.idashserver.cacert.name
      Specifies the data set name that is used to store the iDash Server CA certificate.
    your iDash server certificate label
      Specifies the label that you choose to identify your iDash Server CA certificate (32 characters or less). For example, IDASHCL1.
    You might have another CA 7 Server for iDash and/or iDash Server that you have set up for failover. In this case, you must also add those certificates to the IBM RACF database, and you must give these failover certificates different certificate labels (DIGTCERT names).
  8. Connect the certificates to the key ring. After you add the certificates to your RACF database, connect them to the key ring:
    RACDCERT ID(ring-owner) CONNECT(LABEL('your CA 7 Server for iDash server certificate label') RING(keyringname) USAGE(PERSONAL) DEFAULT)
    RACDCERT ID(ring-owner) CONNECT(LABEL('your iDash server certificate label') RING(keyringname) USAGE(PERSONAL))
    RACDCERT ID(ring-owner) CONNECT(CERTAUTH LABEL('your CA 7 Server for iDash CA certificate label') RING(keyringname) USAGE(CERTAUTH))
    LABEL
      Specifies the label that you used in the previous steps to identify each certificate.
    keyringname
      Specifies the name of the key ring that you used when you created the key ring.
    ring-owner
      Specifies the user ID that created the key ring.
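The following batch job is added here as a worked example of steps 2 through 8 run end to end through IKJEFT01; it is not taken from the iDash product or its documentation. The user IDs IDASHADM (administrator) and IDASHUSR (certificate and ring owner), the ring name IDASHRNG, the IDASH.CERTS.* data set names and the password are constructed placeholders; the labels IDASHCA, IDASHSRV and IDASHCL1 are the ones used in the text.

```jcl
//IDASHRAC JOB (ACCT),'IDASH RACF SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Constructed values (not from the product documentation):
//*   IDASHADM = RACF administrator running the RACDCERT commands
//*   IDASHUSR = certificate owner and key ring owner (same ID, per text)
//*   IDASHRNG = key ring name
//*   IDASH.CERTS.CACERT / SRVCERT / CLCERT = uploaded certificate data sets
//*   IDASHCA, IDASHSRV, IDASHCL1 = labels used in the text
//* Step 2: FACILITY profiles gating RACDCERT. UACC(NONE) so only the
//* PERMITted IDs can use them; CONNECT needs UPDATE, the rest READ.
//FACILITY EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RDEFINE FACILITY IRR.DIGTCERT.ADD      UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ADDRING  UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ALTER    UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CONNECT  UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.ADD      CLASS(FACILITY) ID(IDASHADM) ACCESS(READ)
PERMIT IRR.DIGTCERT.ADDRING  CLASS(FACILITY) ID(IDASHADM) ACCESS(READ)
PERMIT IRR.DIGTCERT.ALTER    CLASS(FACILITY) ID(IDASHADM) ACCESS(READ)
PERMIT IRR.DIGTCERT.CONNECT  CLASS(FACILITY) ID(IDASHADM) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(IDASHADM) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IDASHADM) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(IDASHUSR) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IDASHUSR) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
/*
//* Steps 4-8: key ring, the three certificates, connections, refresh
//CERTS    EXEC PGM=IKJEFT01,DYNAMNBR=30
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
RACDCERT ID(IDASHUSR) ADDRING(IDASHRNG)
RACDCERT CERTAUTH ADD('IDASH.CERTS.CACERT') WITHLABEL('IDASHCA') +
         TRUST PASSWORD('pswd')
RACDCERT ID(IDASHUSR) ADD('IDASH.CERTS.SRVCERT') +
         WITHLABEL('IDASHSRV') TRUST PASSWORD('pswd')
RACDCERT ID(IDASHUSR) ADD('IDASH.CERTS.CLCERT') +
         WITHLABEL('IDASHCL1') TRUST
RACDCERT ID(IDASHUSR) CONNECT(LABEL('IDASHSRV') RING(IDASHRNG) +
         USAGE(PERSONAL) DEFAULT)
RACDCERT ID(IDASHUSR) CONNECT(LABEL('IDASHCL1') RING(IDASHRNG) +
         USAGE(PERSONAL))
RACDCERT ID(IDASHUSR) CONNECT(CERTAUTH LABEL('IDASHCA') +
         RING(IDASHRNG) USAGE(CERTAUTH))
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
RACDCERT ID(IDASHUSR) LISTRING(IDASHRNG)
/*
```

The closing LISTRING output in SYSTSPRT should show all three labels on IDASHRNG, with IDASHSRV marked as the default certificate and IDASHCA with usage CERTAUTH; the IDASHADM PERMITs assume that user is submitting the job.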
(Optional) Post-Configuration Tasks
Debug Key Ring and Certificate Issues
The following RACDCERT commands can be useful for identifying errors or failures that are related to your key ring or certificates. Use the following RACDCERT commands to list the key ring and certificates to verify their existence and proper attributes.
  • To list the key ring:
    RACDCERT ID(ring-owner) LISTRING(keyringname)
  • To list the certificate authority (CA) certificates:
    RACDCERT CERTAUTH LIST(LABEL('your CA 7 Server for iDash CA certificate label'))
    or
    RACDCERT CERTAUTH LIST(SERIALNUMBER(023456))
  • To list the server certificates:
    RACDCERT ID(certificate-owner) LIST(LABEL('your CA 7 Server for iDash Server certificate label'))
    RACDCERT ID(certificate-owner) LIST(LABEL('your iDash Server certificate label'))
Replace an Expired Server Certificate
When a certificate expires, replace your existing certificate with a new one. The steps to replace an existing certificate with a new certificate are similar to the steps that you performed when obtaining and adding the certificates.
Follow these steps:
  1. Obtain one or more new certificates.
  2. Upload the certificates to z/OS.
  3. Delete the existing certificates from the RACF database so you can use the same labels for the new certificates.
    RACDCERT ID(certificate-owner) DELETE(LABEL('your CA 7 Server for iDash Server certificate label'))
    RACDCERT ID(certificate-owner) DELETE(LABEL('your iDash Server certificate label'))
    RACDCERT CERTAUTH DELETE(LABEL('your CA 7 Server for iDash CA certificate label'))
  4. Add the new certificates and connect them to your key ring as previously described.
Refresh RACF Classes
After you perform the RACF updates to add certificates and key rings, you must refresh the in-storage RACF profiles. If you use RACLIST with the DIGTCERT and DIGTRING classes, activate them:
SETROPTS CLASSACT(DIGTCERT DIGTRING)
If you have RACLISTed the DIGTCERT or DIGTRING classes, refresh the in-storage profiles before the updates can take effect.
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
If you have not RACLISTed the DIGTCERT or DIGTRING classes, you do not need to refresh the in-storage profiles.