Granting access to RACF FACILITY class profiles
To use the services offered by OCEP, the user IDs that are associated with the daemon applications must be authorized to access RACF FACILITY class profiles. See Table 1 for a list of these FACILITY class profiles and the type of access that is required.
| FACILITY Class Profile | Access | Explanation |
|---|---|---|
| IRR.DIGTCERT.LIST | READ | Enables the caller to use the CSSM_TP_CertGroupVerify function. |
| IRR.DIGTCERT.LISTRING | READ | Enables the caller to use the CSSM_DL_DataGetFirst and the CSSM_TP_CertGroupVerify functions to retrieve the contents of a key ring that is associated with the user's own user ID. |
| IRR.DIGTCERT.LISTRING | UPDATE | Enables the caller to use the CSSM_DL_DataGetFirst and the CSSM_TP_CertGroupVerify functions to retrieve the contents of a key ring that is associated with another user's user ID. |
In addition, these user IDs must be authorized to access the CDS.* FACILITY class profiles that are required to access the OCSF Framework.
For example, the following RACF commands define the two IRR.DIGTCERT profiles with a universal access of NONE and then permit READ access to the daemon user ID G092799:

```
rdefine facility irr.digtcert.list uacc(none)
rdefine facility irr.digtcert.listring uacc(none)
permit irr.digtcert.list class(facility) id(g092799) acc(read)
permit irr.digtcert.listring class(facility) id(g092799) acc(read)
```
Depending on the specific requirements of the application, you may also need to authorize the daemon user ID to access other class profiles.
For easier administration, you can also define a group for the user IDs that are associated with the applications that will use OCEP. This group can then be permitted to access the appropriate RACF FACILITY class profiles. Individual users can then be connected, as needed, to the group.
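The group-based approach above, written out as RACF commands; this is an added example, not part of the original page. The group name OCEPGRP and the owning group SYS1 are assumptions, G092799 is the daemon user ID used earlier, and the comments use the `/* */` form that TSO command input accepts.

```tso
/* Added example: group-based access to the OCEP FACILITY profiles.        */
/* Assumed names: group OCEPGRP, owning group SYS1.                        */

/* 1. Define the profiles with universal access NONE, so no user ID is    */
/*    granted anything by default.                                         */
rdefine facility irr.digtcert.list uacc(none)
rdefine facility irr.digtcert.listring uacc(none)

/* 2. Define one group that will hold every daemon user ID that uses OCEP. */
addgroup ocepgrp supgroup(sys1) owner(sys1)

/* 3. Permit the group, not individual users, to the profiles.             */
/*    READ on LISTRING covers key rings owned by the daemon's own user ID; */
/*    UPDATE is required only if the daemon must retrieve rings that are   */
/*    associated with another user's user ID.                              */
permit irr.digtcert.list class(facility) id(ocepgrp) access(read)
permit irr.digtcert.listring class(facility) id(ocepgrp) access(read)

/* 4. Connect each daemon user ID to the group as it is needed.            */
connect g092799 group(ocepgrp)

/* 5. If the FACILITY class is RACLISTed, refresh it so the new profiles   */
/*    and access lists take effect.                                        */
setropts raclist(facility) refresh

/* 6. Verify: the access list should show OCEPGRP with READ and UACC NONE. */
rlist facility irr.digtcert.listring authuser
```

Removing a daemon's access later is then a single `remove` of the user ID from the group rather than a `permit ... delete` on every profile.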
For more information about how to define RACF groups and grant access to the FACILITY class profiles, see the z/OS Security Server RACF Command Language Reference and the z/OS Security Server RACF Security Administrator's Guide.
For more information about the class authorizations that are required for OCSF, see z/OS Open Cryptographic Services Facility Application Programming.