Configuring the security product by running commands
If you are using RACF® as your SAF product and you do not want to run the defracf.cmd script, you can run RACF commands to create the user IDs and group IDs, and grant them necessary permissions.
About this task
In this task, the following default values of the parameters in the cdpui.properties file are used in the code samples.
STC_USRID = HBOSTCID
STC_GROUP = HBOSTCGP
STC_ANGEL = HBOCFGA
STC_SERVER = HBOCFGT
AUTHORIZED_GROUP = HBOUSRGP
GUEST_USER = HBOGUEST
GUEST_GROUP = HBOUNGRP
AUTHORIZED_USER = HBOUSER
If you are not using default values, make sure to change the values in the samples to the values that you use.
Procedure
- If any one of the classes STARTED, APPL, FACILITY, SERVER, EJBROLE, DIGTCERT, and DIGTRING is not active, run one or more of the following RACF commands to activate them.
SETROPTS RACLIST(STARTED) CLASSACT(STARTED)
SETROPTS CLASSACT(APPL)
SETROPTS CLASSACT(FACILITY)
SETROPTS CLASSACT(SERVER)
SETROPTS CLASSACT(EJBROLE)
SETROPTS CLASSACT(DIGTCERT)
SETROPTS CLASSACT(DIGTRING)
- Run the following commands to define the groups and users that are specified in the cdpui.properties file.
ADDGROUP HBOSTCGP OMVS(GID(3701))
ADDGROUP HBOUSRGP OMVS(GID(3702))
ADDGROUP HBOUNGRP OMVS(GID(3703))
ADDUSER HBOSTCID DFLTGRP(HBOSTCGP) OMVS(UID(2701) HOME(/u/hbostcid) PROGRAM(/bin/sh)) NAME('CDP UI Server Started Task USERID') NOPASSWORD NOOIDCARD
ADDUSER HBOGUEST RESTRICTED DFLTGRP(HBOUNGRP) OMVS(UID(2702)) NAME('CDPz Unauthenticated USERID') NOPASSWORD NOOIDCARD
- Run the following command to allow a user to use the Configuration Tool.
CONNECT HBOUSER GROUP(HBOUSRGP)
- Run the following commands to define resource profiles and grant permission to these resource profiles to the user and group for the Configuration Tool server started task procedure.
RDEF STARTED HBOCFGA.* UACC(NONE) STDATA(USER(HBOSTCID) GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEF STARTED HBOCFGT.* UACC(NONE) STDATA(USER(HBOSTCID) GROUP(HBOSTCGP) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))
RDEFINE SERVER BBG.ANGEL.HBOCFGA UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM UACC(NONE)
RDEFINE SERVER BBG.AUTHMOD.BBGZSAFM.SAFCRED UACC(NONE)
PERMIT BBG.ANGEL.HBOCFGA CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
PERMIT BBG.AUTHMOD.BBGZSAFM.SAFCRED CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
RDEFINE APPL HBOCFGT UACC(NONE)
RDEFINE SERVER BBG.SECPFX.HBOCFGT UACC(NONE)
PERMIT BBG.SECPFX.HBOCFGT CLASS(SERVER) ACCESS(READ) ID(HBOSTCID)
RDEFINE FACILITY BBG.SYNC.HBOCFGT UACC(NONE)
PERMIT BBG.SYNC.HBOCFGT CLASS(FACILITY) ID(HBOSTCID) ACCESS(CONTROL)
RDEFINE EJBROLE HBOCFGT.CDPUIServer.cdpUser UACC(NONE)
PERMIT HBOCFGT CLASS(APPL) ID(HBOSTCID) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOGUEST) ACCESS(READ)
PERMIT HBOCFGT CLASS(APPL) ID(HBOUSRGP) ACCESS(READ)
PERMIT HBOCFGT.CDPUIServer.cdpUser CLASS(EJBROLE) ID(HBOUSRGP) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(HBOSTCID) ACCESS(READ)
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CDPz CA Certification_HOSTNAME')) WITHLABEL('HBOCA') TRUST NOTAFTER(DATE(2030/12/31))
RACDCERT ID(HBOSTCID) GENCERT SUBJECTSDN(CN('HOSTNAME')) ALTNAME(DOMAIN('HOSTNAME')) WITHLABEL('HBODefaultCert') SIGNWITH(CERTAUTH LABEL('HBOCA')) NOTAFTER(DATE(2030/12/31))
RACDCERT ADDRING(HBO.Keyring.DFLT) ID(HBOSTCID)
RACDCERT ID(HBOSTCID) CONNECT(LABEL('HBODefaultCert') RING(HBO.Keyring.DFLT) DEFAULT)
RACDCERT ID(HBOSTCID) CONNECT(LABEL('HBOCA') RING(HBO.Keyring.DFLT) CERTAUTH)
Important: Change HOSTNAME in the CN field to the actual local host name. Usually the format of the host name is XXXX.XXX.XXX.XXX.
- If the sharing of in-storage profiles is active for any one of the classes STARTED, APPL, FACILITY, SERVER, EJBROLE, DIGTCERT, and DIGTRING, run one or more of the following RACF commands to refresh them so that the changes to these classes take effect.
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS RACLIST(SERVER) REFRESH
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH
SETROPTS RACLIST(APPL) REFRESH
SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
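The procedure above says to substitute your own values wherever the defaults from cdpui.properties are not used. The following script is an added example (not part of the product or its defracf.cmd script) that reads those properties, checks each name against the RACF 8-character name rule before anything is generated, and renders the group, user, STARTED, APPL and EJBROLE commands from the procedure with the values substituted. The template list and the name check are assumptions of this example; the certificate commands, which also need HOSTNAME, are left out.

```python
import re
# Constructed sample of the relevant cdpui.properties lines (the page's default values).
SAMPLE_PROPERTIES = """\
STC_USRID = HBOSTCID
STC_GROUP = HBOSTCGP
STC_ANGEL = HBOCFGA
STC_SERVER = HBOCFGT
AUTHORIZED_GROUP = HBOUSRGP
GUEST_USER = HBOGUEST
GUEST_GROUP = HBOUNGRP
AUTHORIZED_USER = HBOUSER
"""
REQUIRED = ("STC_USRID", "STC_GROUP", "STC_ANGEL", "STC_SERVER",
            "AUTHORIZED_GROUP", "GUEST_USER", "GUEST_GROUP", "AUTHORIZED_USER")
# Assumed check: RACF user and group names are 1-8 upper-case alphanumeric or @#$ characters.
RACF_NAME = re.compile(r"^[A-Z0-9@#$]{1,8}$")
# Subset of the procedure's commands, with the property names as {fields} to fill in.
TEMPLATES = (
    "ADDGROUP {STC_GROUP} OMVS(GID(3701))",
    "ADDGROUP {AUTHORIZED_GROUP} OMVS(GID(3702))",
    "ADDGROUP {GUEST_GROUP} OMVS(GID(3703))",
    "ADDUSER {STC_USRID} DFLTGRP({STC_GROUP}) OMVS(UID(2701) HOME(/u/hbostcid) PROGRAM(/bin/sh)) NAME('CDP UI Server Started Task USERID') NOPASSWORD NOOIDCARD",
    "ADDUSER {GUEST_USER} RESTRICTED DFLTGRP({GUEST_GROUP}) OMVS(UID(2702)) NAME('CDPz Unauthenticated USERID') NOPASSWORD NOOIDCARD",
    "CONNECT {AUTHORIZED_USER} GROUP({AUTHORIZED_GROUP})",
    "RDEF STARTED {STC_ANGEL}.* UACC(NONE) STDATA(USER({STC_USRID}) GROUP({STC_GROUP}) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))",
    "RDEF STARTED {STC_SERVER}.* UACC(NONE) STDATA(USER({STC_USRID}) GROUP({STC_GROUP}) PRIVILEGED(NO) TRUSTED(NO) TRACE(YES))",
    "RDEFINE APPL {STC_SERVER} UACC(NONE)",
    "PERMIT {STC_SERVER} CLASS(APPL) ID({STC_USRID}) ACCESS(READ)",
    "PERMIT {STC_SERVER} CLASS(APPL) ID({GUEST_USER}) ACCESS(READ)",
    "PERMIT {STC_SERVER} CLASS(APPL) ID({AUTHORIZED_GROUP}) ACCESS(READ)",
    "RDEFINE EJBROLE {STC_SERVER}.CDPUIServer.cdpUser UACC(NONE)",
    "PERMIT {STC_SERVER}.CDPUIServer.cdpUser CLASS(EJBROLE) ID({AUTHORIZED_GROUP}) ACCESS(READ)",
)

def parse_properties(text):
    """Parse 'KEY = VALUE' lines; blank lines and '#' comments are ignored."""
    lines = (ln for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in (ln.partition("=") for ln in lines)}
def validate(props):
    """Return the problems found: missing parameters, or names RACF would reject."""
    missing = [f"{k}: missing" for k in REQUIRED if k not in props]
    bad = [f"{k}: '{props[k]}' is not a valid RACF name"
           for k in REQUIRED if k in props and not RACF_NAME.match(props[k])]
    return missing + bad
def render(props):
    """Return the command list; refuse to emit anything if the properties set is unusable."""
    problems = validate(props)
    if problems: raise ValueError("; ".join(problems))
    return [t.format(**props) for t in TEMPLATES]
```

Review the rendered commands before issuing them, and keep the certificate steps and the SETROPTS refresh as manual steps.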