How to implement ACF2 rule for z/OS 2.2 IBM HTTP Server - Powered by Apache, version 9?

Document ID:  TEC1195172
Last Modified Date:  06/08/2017

Products

  • CA ACF2 for z/OS

Releases

  • CA ACF2 for z/OS:Release:16

Components

  • CA ACF2 for z/OS:ACF2MS

Introduction:

I am trying to convert RACF information to ACF2. How do I implement the ACF2 rules for the z/OS 2.2 IBM HTTP Server - Powered by Apache, version 9?

Background:

According to the IBM HTTP Server guide, to run IBM HTTP Server you must set the following z/OS system configurations:

  • Set the memlimit parameter.
  • Configure a mechanism for allowing access to low ports.
  • Required System Authorization Facility (SAF) configurations:
    – Create a user ID and group for IBM HTTP Server.
    – Set program control for required MVS data sets.
    – Set program control for HFS files.
    – Set program control for z/OS System SSL.
    – Access to SAF key rings.
    – Permitting user IDs to CSFSERV for hardware encryption.
    – Using cryptographic hardware for key storage (optional).
  • Set the environment variable _BPX_JOBNAME (optional).

Environment:

CA ACF2 for z/OS Release 16.0, z/OS 2.2

Instructions:

1. Create a user ID and group for IBM HTTP Server

Password example (RACF):
ADDGROUP WWWGROUP OMVS(GID(999))
ADDUSER WWWSERV DFLTGRP(WWWGROUP) OMVS(UID(999)) PASSWORD(password)

Password phrase example (RACF):
ADDGROUP WWWGROUP OMVS(GID(999))
ADDUSER WWWSERV DFLTGRP(WWWGROUP) OMVS(UID(999)) PHRASE('my0users@99#701_workgroup')

ACF2 equivalent (if a password is used):
SET PROFILE(GROUP) DIV(OMVS)
INSERT WWWGROUP GID(999)
INSERT WWWSERV GROUP(WWWGROUP) PASSWORD(password) UID(999)

If a password phrase is used instead, replace the last INSERT with:
INSERT WWWSERV GROUP(WWWGROUP) PASSWORDPHRASE(passwordphrase) UID(999)


2. To use a cataloged procedure named WEBSRV1: 
RDEFINE STARTED WEBSRV1.* STDATA(USER(WWWSERV) GROUP(WWWGROUP) TRACE(YES))
Where a resource is not protected by default, RDEFINE is used in RACF to define resources. There is no counterpart to this in CA ACF2. CA ACF2 uses a default protection scheme, which assumes that the resource is protected. This default scheme requires that rules be written to allow access to a resource. 

3. Program control using RACF 
RALTER PROGRAM * ADDMEM('hlq.LINKLIB'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM('hlq.SCEERUN'//NOPADCHK) UACC(READ)
RALTER PROGRAM * ADDMEM(’hlq.SCLBDLL’) UACC(READ) 
SETROPTS WHEN(PROGRAM) REFRESH 

In CA ACF2, the equivalent function would be handled by making changes to an access rule or a resource rule and then recompiling it. 

4. Access to SAF key rings.

The following commands are RACF commands. Replace WWWSERV with the actual user ID under which IBM HTTP Server is started. 
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE) 
PE IRR.DIGTCERT.LIST CLASS(FACILITY) ID(WWWSERV) ACCESS(READ) 
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) 
PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WWWSERV) ACCESS(READ) 
SETR CLASSACT(FACILITY) 
SETR RACLIST(FACILITY) REFRESH 

ACF2 equivalent (replace uidstring with the UID string of WWWSERV):
SET RESOURCE(FAC)
RECKEY IRR ADD(DIGTCERT.LIST UID(uidstring) SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.LISTRING UID(uidstring) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)

5. The following example shows how to permit the WWWSERV ID and the PUBLIC ID access to profiles in CSFSERV.

SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) 
RDEFINE CSFSERV CSF* UACC(NONE) 
PERMIT CSF%%C CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ) 
PERMIT CSFPK% CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ) 
PERMIT CSFCK% CLASS(CSFSERV) ID(WWWSERV PUBLIC) ACCESS(READ) 
SETROPTS CLASSACT(CSFSERV) 
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH 

ACF2 equivalent:
Create a CLASMAP record to map the resource class CSFSERV to TYPE(CSF) rather than the default TYPE(SAF):

SET CONTROL(GSO)
INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF) ENTITYLN(8)
F ACF2,REFRESH(CLASMAP)

Add the CSFSERV resource rules. Each rule entry carries one UID string, so replace uidstring with the UID string of WWWSERV and repeat each RECKEY with the UID string of PUBLIC:
SET RESOURCE(CSF)
RECKEY CSF%%C ADD(UID(uidstring) SERVICE(READ) ALLOW)
RECKEY CSFPK% ADD(UID(uidstring) SERVICE(READ) ALLOW)
RECKEY CSFCK% ADD(UID(uidstring) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CSF)

6. The following example shows how to give user IDs and the WWWSERV ID access to profiles in CSFSERV. 
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) 
RDEFINE CSFSERV CSF%%C UACC(READ) 
RDEFINE CSFSERV CSFPK% UACC(READ) 
RDEFINE CSFSERV CSFCK% UACC(READ) 
SETROPTS CLASSACT(CSFSERV) 
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV) REFRESH 

Where a resource is not protected by default, RDEFINE is used in RACF to define resources. There is no counterpart to this in CA ACF2.

7. If you use the _BPX_JOBNAME variable to set the job name, the user ID under which you run the server must have READ access to the SAF FACILITY profile BPX.JOBNAME. For example:

RDEFINE FACILITY BPX.JOBNAME UACC(NONE) 
SETROPTS RACLIST(FACILITY) REFRESH 
PERMIT BPX.JOBNAME CLASS(FACILITY) ACCESS(READ) ID(WWWSERV) 
SETROPTS RACLIST(FACILITY) REFRESH 
RLIST FACILITY BPX.JOBNAME ALL 

ACF2 equivalent (replace uidstring with the UID string of WWWSERV):
SET RESOURCE(FAC)
RECKEY BPX ADD(JOBNAME UID(uidstring) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)
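The RACF-to-ACF2 mapping that steps 4, 5 and 7 apply by hand, as an added Python example that is not part of this CA document: it translates RACF PERMIT commands into SET RESOURCE / RECKEY / F ACF2,REBUILD sequences and skips RDEFINE and SETROPTS, which have no ACF2 counterpart. The class-to-type table, the UID strings and the function names are assumptions; real UID strings are site-specific.

```python
"""RACF PERMIT -> ACF2 RECKEY translator (added example, not CA's own code).
Applies the mapping in steps 4, 5 and 7: RACF class -> ACF2 resource type
(FACILITY -> FAC, CSFSERV -> CSF via CLASMAP), first qualifier of a dotted
resource -> RECKEY with the rest as rule entry, one entry per RACF ID."""
import re

# Assumed site mappings; the UID strings are constructed placeholders.
CLASS_TO_TYPE = {"FACILITY": "FAC", "CSFSERV": "CSF"}
UID_STRINGS = {"WWWSERV": "WEBWWWSERV", "PUBLIC": "WEBPUBLIC"}
ACCESS_TO_SERVICE = {"READ": "READ", "UPDATE": "UPDATE"}  # direct equivalents only

PERMIT_RE = re.compile(r"^(?:PERMIT|PE)\s+(?P<res>\S+)\s+(?P<rest>.*)$", re.I)

def _operand(rest, name):
    # Blank-separated values of NAME(...) anywhere in the command tail.
    m = re.search(r"\b%s\(([^)]*)\)" % name, rest, re.I)
    if not m:
        raise ValueError("missing %s(...) operand" % name)
    return m.group(1).split()

def permit_to_reckey(line, uids=UID_STRINGS):
    """Translate one RACF PERMIT into (acf2_type, [RECKEY commands])."""
    m = PERMIT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PERMIT command: %r" % line)
    # Unmapped classes or access levels raise KeyError: no silent guessing.
    rtype = CLASS_TO_TYPE[_operand(m["rest"], "CLASS")[0].upper()]
    service = ACCESS_TO_SERVICE[_operand(m["rest"], "ACCESS")[0].upper()]
    # Dotted names split into key and entry name; single-qualifier names such
    # as the 8-byte CSFSERV entities are the whole key with no entry name.
    key, _, entry = m["res"].upper().partition(".")
    prefix = entry + " " if entry else ""
    return rtype, ["RECKEY %s ADD(%sUID(%s) SERVICE(%s) ALLOW)"
                   % (key, prefix, uids[rid.upper()], service)
                   for rid in _operand(m["rest"], "ID")]

def convert(racf_lines, uids=UID_STRINGS):
    """Convert a RACF command list into an ordered ACF2 command list."""
    out, types, current = [], set(), None
    for line in racf_lines:
        if not PERMIT_RE.match(line.strip()):
            continue  # RDEFINE, SETROPTS, RLIST: no ACF2 counterpart
        rtype, cmds = permit_to_reckey(line, uids)
        if rtype != current:  # switch rule type only when it changes
            out.append("SET RESOURCE(%s)" % rtype)
            current = rtype
            types.add(rtype)
        out.extend(cmds)
    out.extend("F ACF2,REBUILD(%s)" % t for t in sorted(types))  # once per type
    return out
```

Feed it the RACF command blocks from steps 4, 5 and 7 and review the emitted RECKEY lines against the site's UID string conventions before compiling them.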

Additional Information:

The IBM HTTP Server - Powered by Apache User's Guide for z/OS V2R2.0 is available at the links below:

http://www-03.ibm.com/systems/z/os/zos/library/bkserv/v2r2pdf/#DGW

http://publibz.boulder.ibm.com/epubs/pdf/dpr1cg01.pdf
