Security › External Security Only › Implementing External Security for RACF

Implementing External Security for RACF

Note: For more information about the RACF Class Descriptor Table and the Routing Table, see the IBM z/OS Security Server (RACF) System Programmer's Guide. For more information about the commands in this section, see the z/OS Security Server (RACF) Command Language Reference. For information about the Dynamic class descriptor table, see the z/OS Security Server RACF Security Administrator's Guide.

The sample jobs are in CVDEJCL member RMORACF.

To use RACF to manage CA Deliver external security, follow these steps:

1. Create or add code to the RACF Class Descriptor Table.

   For example, the following job creates a Class Descriptor Table that contains the CA Deliver nine class names. The table must be assembled and linked as ICHRRCDE. If you have already created one of these tables, include it in the link step. Otherwise, remove the INCLUDE SYSLMOD(ICHRRCDE) statement from the link step.

   //EXAMPLE   JOB ACCOUNT,PROGRAMMER
   //CDT  EXEC HLASMCL
   //C.SYSLIB DD DSN=SYS1.MODGEN,DISP=SHR
   //C.SYSIN DD *
   

   DLV@ACT  ICHERCDE CLASS=DLV@ACT,ID=128,MAXLNTH=37,FIRST=ALPHA,         +
                  OTHER=ANY,POSIT=25,OPER=NO
   DLV@BACT ICHERCDE CLASS=DLV@BACT,ID=128,MAXLNTH=37,FIRST=ALPHA,        +
                  OTHER=ANY,POSIT=25,OPER=NO
   DLV@BANR ICHERCDE CLASS=DLV@BANR,ID=128,MAXLNTH=13,FIRST=ALPHA,        +
                  OTHER=ANY,POSIT=25,OPER=NO
   DLV@BNDL ICHERCDE CLASS=DLV@BNDL,ID=128,MAXLNTH=37,FIRST=ALPHA,        +
                  OTHER=ANY,POSIT=25,OPER=NO
   

   DLV@DBAS ICHERCDE CLASS=DLV@DBAS,ID=128,MAXLNTH=22,FIRST=ALPHA,        +
                  OTHER=ANY,POSIT=25,OPER=NO
   DLV@DIST ICHERCDE CLASS=DLV@DIST,ID=128,MAXLNTH=37,FIRST=ALPHA,        +
                  OTHER=ANY,POSIT=25,OPER=NO
   DLV@JOB  ICHERCDE CLASS=DLV@JOB,ID=128,MAXLNTH=13,FIRST=ALPHA,         +
                  OTHER=ANY,POSIT=25,OPER=NO
   DLV@PANL ICHERCDE CLASS=DLV@PANL,ID=128,MAXLNTH=13,FIRST=ALPHA,        +
                  OTHER=ANY,POSIT=25,OPER=NO
   DLV@REPT ICHERCDE CLASS=DLV@REPT,ID=128,MAXLNTH=37,FIRST=ALPHA,        +
                  OTHER=ANY,POSIT=25,OPER=NO
            ICHERCDE
   /*
   

   //L.SYSLMOD DD DSN=SYS1.LINKLIB,
   //             DISP=SHR
   //L.SYSIN   DD *
         INCLUDE SYSLMOD(ICHRRCDE) NEEDED IF ADDING TO AN EXISTING TABLE
         ORDER  DLV@ACT
         ORDER  DLV@BACT
         ORDER  DLV@BANR
         ORDER  DLV@BNDL
         ORDER  DLV@DBAS
         ORDER  DLV@DIST
         ORDER  DLV@JOB
         ORDER  DLV@PANL
         ORDER  DLV@REPT
         ORDER  ICHRRCDE
         NAME   ICHRRCDE(R)
   /*
   

2. Add the CA Deliver class names to the RACF Router Table, for example:

   //EXAMPLE   JOB ACCOUNT,PROGRAMMER
   //RT   EXEC HLASMCL
   //C.SYSLIB DD DSN=SYS1.MODGEN,DISP=SHR
   //C.SYSIN DD *
   ICHRFR01 CSECT
   DLV@ACT  ICHRFRTB CLASS=DLV@ACT,ACTION=RACF
   DLV@BACT ICHRFRTB CLASS=DLV@BACT,ACTION=RACF
   DLV@BANR ICHRFRTB CLASS=DLV@BANR,ACTION=RACF
   DLV@BNDL ICHRFRTB CLASS=DLV@BNDL,ACTION=RACF
   DLV@DBAS ICHRFRTB CLASS=DLV@DBAS,ACTION=RACF
   DLV@DIST ICHRFRTB CLASS=DLV@DIST,ACTION=RACF
   DLV@JOB  ICHRFRTB CLASS=DLV@JOB,ACTION=RACF
   DLV@PANL ICHRFRTB CLASS=DLV@PANL,ACTION=RACF
   DLV@REPT ICHRFRTB CLASS=DLV@REPT,ACTION=RACF
   ENDTAB   ICHRFRTB TYPE=END
            END   ICHRFR01
   /*
   

   //L.SYSLMOD DD DSN=SYS1.LINKLIB,
   //             DISP=SHR
   //L.SYSIN   DD *
         NAME    ICHRFR01(R)
   /*
   

3. Activate the new classes, for example:

   //EXAMPLE   JOB ACCOUNT,PROGRAMMER
   //CLSA EXEC PGM=IKJEFT01
   //SYSTSPRT DD SYSOUT=*
   //SYSTSIN DD *
   SETR CLASSACT(DLV@ACT)
   SETR CLASSACT(DLV@BACT)
   SETR CLASSACT(DLV@BANR)
   SETR CLASSACT(DLV@BNDL)
   SETR CLASSACT(DLV@DBAS)
   SETR CLASSACT(DLV@DIST)
   SETR CLASSACT(DLV@JOB)
   SETR CLASSACT(DLV@PANL)
   SETR CLASSACT(DLV@REPT)
   /*
   

4. Define a group to own the resources, for example:

   //EXAMPLE   JOB ACCOUNT,PROGRAMMER
   //AG   EXEC PGM=IKJEFT01
   //SYSTSPRT DD SYSOUT=*
   //SYSTSIN DD *
   AG (DLVRADMN) OWNER(SYS1) SUPGROUP(SYS1)
   /*
   

5. To give READ access to all of the functions and ALTER access to all of the resources, run the following job steps:

   //EXAMPLE   JOB ACCOUNT,PROGRAMMER
   //RDEF EXEC PGM=IKJEFT01
   //SYSTSPRT DD SYSOUT=*
   //SYSTSIN DD *
   RDEF DLV@ACT  (RMO.) OWNER(DLVRADMN) UACC(READ)
   RDEF DLV@BACT (RMO.) OWNER(DLVRADMN) UACC(READ)
   RDEF DLV@BNDL (RMO.) OWNER(DLVRADMN) UACC(READ)
   RDEF DLV@DIST (RMO.) OWNER(DLVRADMN) UACC(READ)
   RDEF DLV@JOB  (RMO.) OWNER(DLVRADMN) UACC(READ)
   RDEF DLV@REPT (RMO.) OWNER(DLVRADMN) UACC(READ)
   /*
   

   //EXAMPLE   JOB ACCOUNT,PROGRAMMER
   //RDEF EXEC PGM=IKJEFT01
   //SYSTSPRT DD SYSOUT=*
   //SYSTSIN DD *
   

   RDEF DLV@ACT  (RMO.*) OWNER(DLVRADMN) UACC(ALTER)
   RDEF DLV@BACT (RMO.*) OWNER(DLVRADMN) UACC(ALTER)
   RDEF DLV@BANR (RMO.*) OWNER(DLVRADMN) UACC(ALTER)
   RDEF DLV@BNDL (RMO.*) OWNER(DLVRADMN) UACC(ALTER)
   RDEF DLV@DBAS (RMO.*) OWNER(DLVRADMN) UACC(ALTER)
   RDEF DLV@DIST (RMO.*) OWNER(DLVRADMN) UACC(ALTER)
   RDEF DLV@JOB  (RMO.*) OWNER(DLVRADMN) UACC(ALTER)
   RDEF DLV@PANL (RMO.*) OWNER(DLVRADMN) UACC(ALTER)
   RDEF DLV@REPT (RMO.*) OWNER(DLVRADMN) UACC(ALTER)
   /*
   

6. Connect a user to the group and alter the user definition (so its default group is the one you now created), for example:

   //EXAMPLE   JOB ACCOUNT,PROGRAMMER
   //CONN EXEC PGM=IKJEFT01
   //SYSTSPRT DD SYSOUT=*
   //SYSTSIN DD *
   CO (userid) GROUP(DLVRADMN)
   /*
   

   //EXAMPLE   JOB ACCOUNT,PROGRAMMER
   //ALU  EXEC PGM=IKJEFT01
   //SYSTSPRT DD SYSOUT=*
   //SYSTSIN DD *
   ALU (userid) DFLTGRP(DLVRADMN)
   /*