Setting up IBM RACF

If RACF is your primary ESM, you must perform the following procedures to support the Security interface:

  • Authorize the CAS and PAS started tasks.
  • Add a SAF resource class (optional).

For complete information about administering RACF, refer to your RACF documentation.

To authorize the CAS and PAS started tasks

  1. Define user IDs for the CAS and PAS by using RACF commands, such as:

    ADDUSER BBMCAS DFLTGRP(SYSMGMT) OWNER(SYSPROG)
    ADDUSER BBMPAS DFLTGRP(SYSMGMT) OWNER(SYSPROG)

    Important

    To access UNIX System Services data, the BMC AMI Ops Monitor for UNIX System Services PAS must have superuser authority. The PAS requires that a user ID be defined to the security system (such as RACF) and assigned to the PAS STC by the security system’s facilities.

    For RACF, this means updating either the RACF started procedure table (ICHRIN03) or the STARTED class definition. The user ID that is assigned must have an OMVS segment with a home directory of / and one of the following UID assignments:

    • UID=0 specifically assigned (superuser authority)
    • A non-zero UID assigned, but the user ID permitted READ access to security resource BPX.SUPERUSER in class FACILITY

    The PAS will then switch to an effective UID of 0 at startup.

  2. Define the CAS and PAS started tasks. The following RACF commands show how to associate the user IDs defined in Step 1 with a specific started task procedure name. In this example, the procedure names are BBICAS and BBIPAS:

    RDEFINE STARTED BBICAS.* OWNER(SYSPROG)+
     STDATA(USER(BBMCAS) GROUP(SYSMGMT))
    RDEFINE STARTED BBIPAS.* OWNER(SYSPROG)+
     STDATA(USER(BBMPAS) GROUP(SYSMGMT))
    SETROPTS RACLIST(STARTED) REFRESH

To add a SAF resource class (optional)

Important

  • If you are using the resource CLASS name FACILITY, you can skip this step.
  • If you want to specify a resource CLASS name other than FACILITY (as described in Identifying-the-security-class), add the SAF resource CLASS name to one of the following tables:
    • (Preferred method) RACF class descriptor table (ICHRRCDE)
    • RACF router table (ICHRFR01)

(BMC.AMIOPS.SPE2207)

  1. Define the new resource CLASS name in the RACF dynamic class descriptor table (CDT) by issuing the following command:

    RDEFINE CDT class                                      -
               CDTINFO( MAXLENGTH(99) DEFAULTUACC(NONE)       -
                        FIRST(ALPHA,NUMERIC,NATIONAL,SPECIAL) -
                        CASE(ASIS)                            -
                        OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) -
                        POSIT(301) RACLIST(REQUIRED)          -
                        GENERIC(ALLOWED) GENLIST(ALLOWED)     -
                        OPERATIONS(YES)                       -
                      ) UACC(NONE)

    Guidelines for this command are as follows:

    • BMC suggests MAXLENGTH(99). The required minimum length is 99. However, there is no reason not to specify the maximum of MAXLENGTH(246).
    • BMC suggests CASE(ASIS). Some products generate resource ENTITY names with lowercase characters. If you monitor subsystems that have resources and objects defined in mixed case, you should specify CASE(ASIS).
    • The value used for the POSIT() parameter must be selected appropriately for each MVS system and RACF database.

  2. Activate the dynamic CDT (if it is not already active) or refresh the CDT by using one of the following commands:

    SETROPTS CLASSACT(CDT) RACLIST(CDT)
    SETROPTS RACLIST(CDT) REFRESH

  3. Activate a new resource class by issuing the following RACF commands for each resource class name:

    SETROPTS GENERIC(class) GENCMD(class)
    SETROPTS CLASSACT(class) RACLIST(class)
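The following command sequence, added here as an example and not taken from the BMC documentation, ties the two procedures above together for the PAS: it takes the non-zero UID plus BPX.SUPERUSER route rather than a permanent UID(0), defines the started-task ID as a protected ID so it cannot be used for logon, and finishes with the list commands an administrator would run to confirm the result. UID(12345), the class name MYCLASS and the NOPASSWORD NOOIDCARD keywords are assumptions or constructed values that do not appear on this page; the CLIST-style comment lines must be removed if the commands are fed to TSO batch (IKJEFT01) directly.

```racf
/* PAS user ID as a protected started-task ID with an OMVS segment.  */
/* UID(12345) is a constructed value; pick an unused UID at your site */
ADDUSER BBMPAS DFLTGRP(SYSMGMT) OWNER(SYSPROG) NOPASSWORD NOOIDCARD +
   OMVS(UID(12345) HOME('/') PROGRAM('/bin/sh'))

/* Non-zero UID route: READ on BPX.SUPERUSER lets the PAS switch to  */
/* effective UID 0 at startup without holding UID 0 at all times.    */
/* Omit the RDEFINE if the profile already exists at your site.      */
RDEFINE FACILITY BPX.SUPERUSER UACC(NONE)
PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(BBMPAS) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* Associate procedure name BBIPAS with the user ID; TRUSTED(NO) is  */
/* the default and is written out so the intent is visible in RLIST. */
RDEFINE STARTED BBIPAS.* OWNER(SYSPROG) +
   STDATA(USER(BBMPAS) GROUP(SYSMGMT) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* Optional: site-specific SAF class MYCLASS (constructed name) in   */
/* the dynamic CDT instead of FACILITY, then activate it.            */
RDEFINE CDT MYCLASS +
   CDTINFO(MAXLENGTH(246) DEFAULTUACC(NONE) +
           FIRST(ALPHA,NUMERIC,NATIONAL,SPECIAL) +
           OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) +
           CASE(ASIS) POSIT(301) RACLIST(REQUIRED) +
           GENERIC(ALLOWED) GENLIST(ALLOWED) OPERATIONS(YES)) +
   UACC(NONE)
SETROPTS CLASSACT(CDT) RACLIST(CDT)
SETROPTS RACLIST(CDT) REFRESH
SETROPTS GENERIC(MYCLASS) GENCMD(MYCLASS)
SETROPTS CLASSACT(MYCLASS) RACLIST(MYCLASS)

/* Verification: OMVS segment, STARTED mapping, and who can reach   */
/* BPX.SUPERUSER (the access list should contain only the PAS ID).  */
LISTUSER BBMPAS OMVS NORACF
RLIST STARTED BBIPAS.* STDATA
RLIST FACILITY BPX.SUPERUSER AUTHUSER
RLIST CDT MYCLASS CDTINFO
```

POSIT(301) is carried over from the page's own example and must still be checked against the POSIT values already in use in your RACF database, because two classes sharing a POSIT share their SETROPTS settings.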
