- The documentation has an attached file that contains the CA Top Secret commands to implement z/OSMF for z/OS 2.2.
- The first lines at the top of the file RACF2TSS_ZOSMF22.txt are NOTES. Review all of these notes carefully before executing any command.
- Each RACF command is left as a comment, followed by one or more CA Top Secret commands.
- The goal of the file is to translate each RACF command to a TSS one and to add the clauses needed to respect TSS syntax. However, the commands cannot all be run as they are.
You still have some customizations to perform to fit your local requirements. See the NOTES in the file.
- Download the attached file RACF2TSS_ZOSMF22.txt to your host.
- Read the NOTES.
- Make all necessary changes to fit your local requirements. IBM may also make some changes, depending on the release.
In that case some translations might be missing. However, the file gives you many examples of translations that you can refer to when making your own.
- When a digital certificate is generated, you may have to send it to a Certificate Authority to get it signed and validated, and then add it back to the CA Top Secret database.
This is not specified within the file, as we only translate the RACF commands.
- If you want to have more information about CA Top Secret commands, go to the link below:
The NOTES have been copied below:
*** Top Of Data ***
The #dept is one of your existing department or has to be created
You have to replace #dept with a department of your choice.
With CA Top Secret the GROUP is reserved to manage GID() only.
So, no permits can be done for a TSS GROUP. That is why it is
necessary to create a TSS PROFILE to handle those permits.
You will see some additional lines with '##' in there.
These lines are commented out on purpose. You can ignore them,
except when they are there to create a PROFILE.
This PROFILE is likely used later on within this file.
Be very careful and review. You have to assess whether you want
to apply them or not. You can change the profile name to fit
your site requirement. Be careful to do it on the entire file to
keep the coherence.
With RACF the keyring and the digital certificate are known by
their label. With TSS, they are known by a TSS name.
You have to review all names given for TSS and keep them coherent
among the TSS commands to fit your site requirement.
RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
TSS ADD(IZUSVR) KEYRING(A#KeyRg) LABLRING(IZUKeyring.IZUDFLT)
Whenever the label is referenced in a RACF command, A#KeyRg is
used in the equivalent TSS command.
Some TSS commands are duplicates; you can either delete them or
leave them all as they are and ignore the bad return code when
they are executed.
All changes have to be made before executing these TSS commands.
*** End Of Data ***
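The NOTES list several things to verify before any command is run: the `#dept` placeholder, the commented-out `##` PROFILE lines, duplicate commands, and one coherent TSS keyring name per RACF ring label. The following is an added example, not part of RACF2TSS_ZOSMF22.txt or of any vendor tooling, that checks a local copy of the file for those four conditions. The function name `preflight`, the finding codes and every sample line other than the RACDCERT/TSS keyring pair quoted in the NOTES are constructed for illustration, and any line that starts with neither `TSS` nor `##` is assumed to be a comment.

```python
import re
from collections import Counter

# Constructed sample in the style the NOTES describe (not the real file's contents).
SAMPLE = """\
/* RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
TSS ADD(IZUSVR) KEYRING(A#KeyRg) LABLRING(IZUKeyring.IZUDFLT)
## TSS CREATE(IZUADMIN) TYPE(PROFILE) NAME('ZOSMF ADMIN') DEPT(#dept)
TSS CREATE(IZUSVR) TYPE(USER) NAME('ZOSMF SERVER') DEPT(#dept)
TSS ADD(IZUSVR) KEYRING(A#KeyRg) LABLRING(IZUKeyring.IZUDFLT)
TSS ADD(IZUSVR) KEYRING(B#KeyRg) LABLRING(IZUKeyring.IZUDFLT)
"""

RING = re.compile(r"KEYRING\(([^)]+)\).*?LABLRING\(([^)]+)\)", re.I)

def preflight(text):
    """Return (line_no, code, detail) findings; line_no 0 means file-wide."""
    findings, seen, rings = [], Counter(), {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())          # normalise spacing
        if line.startswith("##"):
            # '##' lines are optional; only PROFILE creation needs a decision.
            if "TYPE(PROFILE)" in line.upper():
                findings.append((no, "PROFILE_REVIEW", line))
            continue
        if not line.upper().startswith("TSS "):
            continue                          # commented RACF original or other text
        if "#dept" in line.lower():
            findings.append((no, "DEPT_PLACEHOLDER", line))
        seen[line] += 1
        if seen[line] > 1:
            findings.append((no, "DUPLICATE", line))
        m = RING.search(line)
        if m:                                 # RACF ring label -> TSS keyring names
            rings.setdefault(m.group(2), set()).add(m.group(1))
    for label, names in sorted(rings.items()):
        if len(names) > 1:
            findings.append((0, "RING_NAME_MISMATCH", f"{label}: {sorted(names)}"))
    return findings

if __name__ == "__main__":
    for no, code, detail in preflight(SAMPLE):
        print(f"{no:>3} {code:<18} {detail}")
```

An empty result means none of the four conditions was found; it does not validate the TSS syntax itself.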