
Security setup for the agent

The UKO agent requires several security definitions. They are covered in the configureSecurity step of the agent example workflow.

The examples have the following assumptions:

  • The ${AGENT_STC_NAME} procedure starts the agent.
  • ${AGENT_STC_USER} is the user ID for the agent started task.

Furthermore, you will need the user IDs defined according to the Required user IDs for UKO chapter.

Agent security prereqs

This section describes security definitions that are not part of the workflow.

APF Authorization

${AGENT_HLQ}.SKMGMOD0 contains modules linked with AC(1). Ensure that the agent fetches these modules from an APF authorized library. If a STEPLIB concatenation is used, then ensure that all STEPLIB data sets are on the APF list.

In addition, the module KMGPRACF needs to be added to the AUTHTSF table of SYS1.PARMLIB(IKJTSOxx).

For more details and examples, refer to the APF authorization chapter.

Dataset access

Check the DD-names in the ${AGENT_STC_NAME} procedure. The UKO Agent user ID ${AGENT_STC_USER} needs READ access to at least the following data sets:

  • ${AGENT_RUNLIB} to access the load modules to run the agent
  • ${TCPIP_HLQ}.SEZATCP for TCP/IP related functions
  • ${ZOS_PARMLIB} to access the agent configuration parameters

If you specified additional datasets in the STEPLIB concatenation, the agent needs access to those as well.

General security definitions

The configureSAFSecurityProfiles sub-step of the configureSecurity step of the agent example workflow will help you to define general access. For a full list with a detailed description of each class, refer to the RACF Reference table.

Agent started task

You must define a STARTED class profile for the agent started task so that the agent is started as a z/OS started task.

The following is an example of the RACF commands that set up the ${AGENT_STC_USER} user ID for the started task:

RDEFINE STARTED ${AGENT_STC_NAME}.* UACC(NONE) STDATA(USER(${AGENT_STC_USER}) +
    PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))

SETROPTS RACLIST(STARTED) GENERIC(STARTED) REFRESH

APPL class access

When a client user logs on to the UKO agent, a check for the KMGPRACF resource is done in the APPL class. If KMGPRACF is defined in the APPL class, then the client user ID needs READ access.

/* Create and permit APPL class profile */
RDEFINE APPL KMGPRACF UACC(NONE)
PERMIT KMGPRACF CLASS(APPL) ID(${UKO_AGENT_CLIENT_USER}) ACC(READ)
SETROPTS RACLIST(APPL) REFRESH

FACILITY class access

The UKO Agent ${AGENT_STC_USER} ID must have READ access to KMG.EKMF.KMGPRACF in the FACILITY class to run an agent.

RDEFINE FACILITY KMG.EKMF.KMGPRACF UACC(NONE) OWNER(${AGENT_STC_GROUP})
PERMIT KMG.EKMF.KMGPRACF CLASS(FACILITY) ID(${AGENT_STC_GROUP}) ACCESS(READ)

SETROPTS RACLIST(FACILITY) REFRESH

A ${UKO_AGENT_CLIENT_USER} must be given permission to be used with a UKO agent running under the specific task user ID ${AGENT_STC_USER}. Therefore, every ${UKO_AGENT_CLIENT_USER} must have access to the KMG.EKMF.KMGPRACF.${AGENT_STC_USER} profile in the FACILITY class. While UKO only has one client user ID, there may be multiple client user IDs for the EKMF Workstation.

RDEFINE FACILITY KMG.EKMF.KMGPRACF.* UACC(NONE) OWNER(${AGENT_STC_GROUP})
RDEFINE FACILITY KMG.EKMF.KMGPRACF.${AGENT_STC_USER} UACC(NONE) OWNER(${AGENT_STC_GROUP})
PERMIT KMG.EKMF.KMGPRACF.${AGENT_STC_USER} CLASS(FACILITY) ID(${UKO_AGENT_CLIENT_GROUP}) ACCESS(READ)

SETROPTS RACLIST(FACILITY) REFRESH

SMF logging

Create a KMG.EKMF.SMF profile in the FACILITY class and grant access to the ${AGENT_STC_GROUP} for SMF logging. This is required even if SMF logging is not enabled. To enable SMF logging, the ${AGENT_STC_USER} needs READ access to KMG.EKMF.SMF, and AUDIT(ALL(READ)) must be applied to the profile to force RACF to write SMF records when the resource is accessed.

RDEFINE FACILITY KMG.EKMF.SMF UACC(NONE) AUDIT(ALL(READ))
PERMIT KMG.EKMF.SMF CLASS(FACILITY) ID(${AGENT_STC_GROUP}) ACCESS(READ)

SETROPTS RACLIST(FACILITY) REFRESH

XFACILIT class setup

The Agent requires access to KMG.WEBCLIENT.${UKO_AGENT_CLIENT_USER} in the XFACILIT class. The ${UKO_AGENT_CLIENT_USER} must match the value specified for the &WEBCLIENT parameter in the agent configuration options.

RDEFINE XFACILIT KMG.WEBCLIENT.${UKO_AGENT_CLIENT_USER}
PERMIT KMG.WEBCLIENT.${UKO_AGENT_CLIENT_USER} CLASS(XFACILIT) +
    ACC(READ) ID(${AGENT_STC_GROUP})
SETROPTS RACL(XFACILIT) REFRESH

If ICSF keystore policy checking is active and the CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL resource in XFACILIT class is defined, the CSF-PKDS-DEFAULT resource in CSFKEYS class must also be defined and the Agent's ${AGENT_STC_USER} needs access.

Additional security for EKMF Workstation access

The EKMF Workstation user ID must be part of the ${UKO_AGENT_CLIENT_GROUP}.

A ${UKO_AGENT_CLIENT_USER} can specify that the EKMF audit records are not written to SMF. This is only required for the initial setup. Both the ${AGENT_STC_USER} and ${UKO_AGENT_CLIENT_USER} need READ access to KMG.EKMF.AUDITOFF to allow the EKMF client to disable logging to SMF.

RDEFINE FACILITY KMG.EKMF.AUDITOFF UACC(NONE) 
PERMIT KMG.EKMF.AUDITOFF CLASS(FACILITY) ID(${AGENT_STC_GROUP}) ACCESS(READ)
PERMIT KMG.EKMF.AUDITOFF CLASS(FACILITY) ID(${UKO_AGENT_CLIENT_GROUP}) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

The configureSAFSecurityProfiles sub-step of the configureSecurity step of the agent example workflow will define those additional profiles if you set the property WORKSTATION_ACCESS_REQUIRED=true.

In addition, the ${AGENT_STC_USER} needs access to ${DB_JCC_SSID}.BATCH in the DSNR class.

RDEFINE DSNR ${DB_JCC_SSID}.BATCH UACC(NONE)
PERMIT ${DB_JCC_SSID}.BATCH CLASS(DSNR) ACCESS(READ) ID(${AGENT_STC_USER})
SETROPTS RACLIST(DSNR) REFRESH

ICSF Authorization

The z/OS user ID (${AGENT_STC_USER}) that is associated with the UKO agent must be authorized to ICSF services. For detailed information about ICSF authorization, see the Cryptographic Support Downloads for IBM z/OS. For a full description of the ICSF functions and ACPs, refer to the ICSF and ACP Reference.

The defineIcsfAccess sub-step of the configureSecurity step of the agent example workflow will help you to define the required profiles.

Access to ICSF functions in CSFSERV class

To be able to call ICSF, the UKO Agent ${AGENT_STC_USER} ID needs READ access to the following profiles in the CSFSERV class:

  • CSFCRC
  • CSFDEC
  • CSFDSG
  • CSFDSV
  • CSFEDH
  • CSFENC
  • CSFIQF
  • CSFKDMR
  • CSFKDMW
  • CSFKDSL
  • CSFKIM
  • CSFKRC2
  • CSFKRD
  • CSFKRR2
  • CSFKRW
  • CSFKRW2
  • CSFKYT
  • CSFKYT2
  • CSFMGN
  • CSFMVR
  • CSFOWH
  • CSFPKG
  • CSFPKI
  • CSFPKRC
  • CSFPKRD
  • CSFPKRR
  • CSFPKRW
  • CSFPKX
  • CSFPRR2
  • CSFRNGL
  • CSFSAD
  • CSFSAE
  • CSFSYI
  • CSFSYI2
  • CSFSYX

It is recommended that you establish a generic profile to protect all the CSFSERV resources that are not in use. If this has not been done yet, you could use, for example, the following command:

RDEFINE CSFSERV ** UACC(NONE)

After that, you need to grant access to each required ICSF resource. For example, to grant access to the CSFDSG service:

RDEFINE CSFSERV CSFDSG UACC(NONE)
PERMIT CSFDSG CLASS(CSFSERV) ACCESS(READ) ID(${AGENT_STC_GROUP})

This has to be repeated for all required ICSF resources. At the end, issue a REFRESH command:

SETROPTS RACLIST(CSFSERV) REFRESH
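
The per-service repetition described above can be generated and checked mechanically. The following Python code is an added example, not part of the IBM workflow: it builds the RDEFINE/PERMIT pair for every CSFSERV service listed above and audits a command stream for missing grants, access other than READ, a UACC other than NONE, and a missing final REFRESH. The function names are hypothetical, and the group name passed in stands for ${AGENT_STC_GROUP}.

```python
import re

# CSFSERV services the page lists as required for the UKO agent.
REQUIRED = """CSFCRC CSFDEC CSFDSG CSFDSV CSFEDH CSFENC CSFIQF CSFKDMR CSFKDMW
CSFKDSL CSFKIM CSFKRC2 CSFKRD CSFKRR2 CSFKRW CSFKRW2 CSFKYT CSFKYT2 CSFMGN
CSFMVR CSFOWH CSFPKG CSFPKI CSFPKRC CSFPKRD CSFPKRR CSFPKRW CSFPKX CSFPRR2
CSFRNGL CSFSAD CSFSAE CSFSYI CSFSYI2 CSFSYX""".split()

def build_commands(group):
    """One RDEFINE/PERMIT pair per required service, then a single REFRESH."""
    cmds = [c for svc in REQUIRED for c in (
        f"RDEFINE CSFSERV {svc} UACC(NONE)",
        f"PERMIT {svc} CLASS(CSFSERV) ACCESS(READ) ID({group})")]
    return cmds + ["SETROPTS RACLIST(CSFSERV) REFRESH"]

def logical_lines(lines):
    """Join lines ending in the '+' continuation character; uppercase them."""
    text = re.sub(r"\+\n", " ", "\n".join(l.rstrip() for l in lines))
    return [l.strip().upper() for l in text.splitlines() if l.strip()]

def audit(lines, group):
    """Return the problems found in a CSFSERV command stream for `group`."""
    defined, permitted, problems, refreshed = set(), set(), [], False
    for cmd in logical_lines(lines):
        if m := re.match(r"RDEFINE\s+CSFSERV\s+(\S+)(.*)", cmd):
            defined.add(m[1])
            refreshed = False  # a change after the last REFRESH is not active
            if "UACC(NONE)" not in m[2]:
                problems.append(f"{m[1]}: RDEFINE without UACC(NONE)")
        elif (m := re.match(r"PERMIT\s+(\S+)(.*)", cmd)) and "CLASS(CSFSERV)" in m[2]:
            refreshed = False
            acc = re.search(r"\bACC(?:ESS)?\((\w+)\)", m[2])
            ids = re.search(r"\bID\(([^)]*)\)", m[2])
            granted = ids and group.upper() in re.split(r"[\s,]+", ids[1].strip())
            if granted and acc and acc[1] == "READ":
                permitted.add(m[1])
            elif granted:
                problems.append(f"{m[1]}: access for {group} is not READ")
        elif re.match(r"SETROPTS\b.*\bRACL(?:IST)?\(CSFSERV\).*\bREFRESH\b", cmd):
            refreshed = True
    problems += [f"{s}: missing RDEFINE or READ permit for {group}"
                 for s in REQUIRED if s not in defined & permitted]
    problems += [f"{s}: READ granted but not in the required list"
                 for s in sorted(permitted - set(REQUIRED))]
    if not refreshed:
        problems.append("no SETROPTS RACLIST(CSFSERV) REFRESH after last change")
    return problems
```

Calling `audit(build_commands(group), group)` returns an empty list; running `audit` over a hand-edited command file before submitting it shows which of the 35 services were skipped or granted with the wrong access level.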

ACPs that need to be enabled for the Agent

In addition, the following Access Control Points (ACPs) must be enabled in the crypto adapter:

  • 000E
  • 000F
  • 0010
  • 0011
  • 0012
  • 001D
  • 0021
  • 0022
  • 0023
  • 003B, 003C [1]
  • 00F4
  • 00FD
  • 0100
  • 0101
  • 0103
  • 0104
  • 0106
  • 012A
  • 012B
  • 012E
  • 012F
  • 0144
  • 01FF
  • 0235
  • 023D
  • 0275
  • 02B4
  • 02B9
  • 0311 [2]
  • 0329
  • 0360
  • 0362
  • 0367

The following ACPs are required if your installation uses the feature of importing existing CKDS keys:

  • 00F5
  • 00FC
  • 0130
  • 0131
  • 0327
  • 02B3
  • 0105
  • 023E

CSFKEYS access

In the CSFKEYS class the ${AGENT_STC_USER} needs access to the key labels it administers. This includes the keys starting with the prefixes specified by &SYS-ECCSIGN-PREFIX and &SYS-RSAKEK-PREFIX in the agent configuration options.

The defineKeyAccess sub-step of the configureSecurity step of the agent example workflow helps you to set up access to a specific key label prefix ${KEY_PREFIX}. Note that this is just an example. Depending on your environment and your key naming conventions, these statements need to be adjusted.

RDEFINE CSFKEYS ${KEY_PREFIX}.** UACC(NONE) ICSF(SYMCPACFWRAP(YES),SYMCPACFRET(YES))
PERMIT ${KEY_PREFIX}.** CLASS(CSFKEYS) ID(${AGENT_STC_GROUP}) ACCESS(CONTROL)
SETROPTS RACLIST(CSFKEYS) REFRESH

For Diffie-Hellman link encryption, the Agent's ${AGENT_STC_USER} needs access to the corresponding key label named &SYS-ECCSIGN-PREFIX.${AGENT_STC_USER} as specified in the agent parameters.

If &SYS-RSAKEK-PREFIX is specified in the agent parameters, then the agent's ${AGENT_STC_USER} needs access to the corresponding &SYS-RSAKEK-PREFIX.<key-label> key label.

The agent example workflow specifies &SYS-ECCSIGN-PREFIX(${KEY_PREFIX}.ECCSIGN) and &SYS-RSAKEK-PREFIX(${KEY_PREFIX}.RSAKEK), so by granting access to ${KEY_PREFIX}.**, the agent will have the required access unless a more specific profile is protecting the prefixes.

If ICSF keystore policy checking is active and the CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL resource in XFACILIT class is defined, the CSF-PKDS-DEFAULT resource in CSFKEYS class must also be defined and the Agent's ${AGENT_STC_USER} needs access.


  1. This ACP is not required. It is a security feature that key length cannot be determined for WRAPENH3 keys. If enabled, then the key store viewer uses this facility to reveal key length of the WRAPENH3 keys.

  2. Only needed if your installation needs to install trusted blocks from the EKMF Workstation.