Setting up RACF for z/OS Connect EE and Liberty JVMs


If you want to monitor IBM z/OS Connect EE and IBM WebSphere Liberty JVMs, use the following procedures to set up RACF for each JVM.

The examples in the procedures use the following values:

  • z/OS Connect EE user ID: zosConnectUserId
  • BMC AMI Ops Monitor for Java Environments PAS user ID: mvjePasUserId 
    mvjePasUserId must be connected to RACF group MVJE.
  • SAF credentials profile prefix as displayed in the server.xml: safProfilePrefix 

    Example
    <safCredentials profilePrefix="BBGZDFLT" />

Grant RACF authorization to EJBROLE objects

To grant RACF authorization to EJBROLE objects, specify the following definitions in the RACF interface:

Important

If RACF EJBROLE objects are not authorized on your system, check for generic resources that might already control your RACF access.


 PERMIT <safProfilePrefix> CLASS(APPL) +
    ID(<mvjePasUserId>) ACCESS(READ)

 PERMIT <safProfilePrefix>.zos.connect.access.roles.zosConnectAccess +
    CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)

 PERMIT <safProfilePrefix>.zos.connect.access.roles.zosConnectAdmin +
    CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)

 PERMIT <safProfilePrefix>.com.ibm.ws.management.security.resource.Reader +
    CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)

 PERMIT +
    <safProfilePrefix>.com.ibm.ws.management.security.resource.Administrator +
    CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)

 PERMIT +
    <safProfilePrefix>.com.ibm.ws.management.security.resource.allAuthenticatedUsers +
    CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)

Create a certificate for the MVJE PAS

Choose one of the following methods:

Important

  • The certificate should not restrict extended key usage (EKU).
  • Update the keystore tags in the server.xml file with the zosconnect keyring.
  • Update the Keystore and Truststore parameters in the MJESSLxx member with the PAS keyring.

If you sign all of the Liberty JVMs into the system with the same CERTAUTH (CA), take the following steps:

  1. Find the CA for your Liberty JVM:
    1. In the server.xml, find the KeyRing name referenced in the SSL keyStoreRef.
    2. Issue RACDCERT ID(liberty_userid) LISTRING(keyRing) to list the certificates connected to that ring.
    3. Ensure that the Truststore KeyRing contains the CA (and any additional certificates in the certificate chain back to the root CA).
  2. Use the CA to generate a default personal certificate for the MVJE PAS.
  3. (For z/OS Connect EE JVMs) Use the RACDCERT MAP command to create a mapping of the PAS distinguished name back to the user ID.
  4. In the RACF profile, create a KeyRing for the MVJE PAS:
    1. Add the certificate for the MVJE PAS.
    2. Add the CA chain to the KeyRing.
  5. Type ADDSEC on the command line and create a MJESSLxx member with the following values:
    • Member Suffix: xx (we recommend MV)
    • Description: JVM Security Definition
    • SSL=YES
    • KEYSTORE=mvjePasKeyRing
    • KEYPASS=password
    • KEYTYPE=JCERACFKS
    • TRUSTSTORE=mvjePasKeyRing
    • TRUSTPASS=password
    • TRUSTTYPE=JCERACFKS
    • USERID=PasUserId

If you sign the Liberty JVMs into the system with different CAs, take the following steps:

  1. Generate a CA for the MVJE PAS.
  2. Add the CA to the Truststore for all JVMs.
  3. Use the CA to generate a default personal certificate for the MVJE PAS.
  4. (For z/OS Connect EE JVMs) Use the RACDCERT MAP command to create a mapping of the PAS distinguished name back to the user ID.
  5. In the RACF profile, create a KeyRing for the MVJE PAS:
    1. Add certificate for the MVJE PAS.
    2. Add the CA for the MVJE PAS to the KeyRing.
    3. Add the CA chains for the Liberty JVMs to the Keyring.
  6. Type ADDSEC on the command line and create a MJESSLxx member with the following values:
    • Member Suffix: xx (we recommend MV)
    • Description: JVM Security Definition
    • SSL=YES
    • KEYSTORE=mvjePasKeyRing
    • KEYPASS=password
    • KEYTYPE=JCERACFKS
    • TRUSTSTORE=mvjePasKeyRing
    • TRUSTPASS=password
    • TRUSTTYPE=JCERACFKS
    • USERID=PasUserId
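Steps 2 to 4 of the same-CA procedure written out as RACF commands, as an added example that is not part of the BMC documentation. It assumes the Liberty CA is the CERTAUTH certificate labelled LIBERTYCA, that the PAS certificate and its DIGTNMAP filter are labelled MVJEPAS and MVJEPASMAP, and the subject DN shown; the user ID and ring name (mvjePasUserId, mvjePasKeyRing) are the MJESSLxx values above. For the different-CA procedure, SIGNWITH names the new MVJE CA instead, and each Liberty CA is also CONNECTed to the ring with USAGE(CERTAUTH).

```tso
/* Step 2: personal certificate for the PAS, signed by the Liberty CA.     */
/* No KEYUSAGE or EKU restriction is requested (see the Important note).   */
RACDCERT ID(mvjePasUserId) GENCERT                                       +
   SUBJECTSDN(CN('MVJE PAS') OU('Monitoring') O('Example Corp') C('US'))  +
   WITHLABEL('MVJEPAS')                                                   +
   SIGNWITH(CERTAUTH LABEL('LIBERTYCA'))                                  +
   NOTAFTER(DATE(2027-12-31))

/* Step 3 (z/OS Connect EE only): map the PAS subject DN back to the PAS   */
/* user ID so the server can authenticate the PAS client certificate.      */
/* The filter components are the DN fields above, separated by periods.    */
RACDCERT ID(mvjePasUserId) MAP                                            +
   SDNFILTER('CN=MVJE PAS.OU=Monitoring.O=Example Corp.C=US')             +
   WITHLABEL('MVJEPASMAP')

/* Step 4: key ring for the PAS holding its own certificate as the DEFAULT */
/* personal certificate plus the CA it must trust (repeat the CERTAUTH     */
/* CONNECT for every intermediate in the chain back to the root CA).       */
RACDCERT ID(mvjePasUserId) ADDRING(mvjePasKeyRing)
RACDCERT ID(mvjePasUserId) CONNECT(ID(mvjePasUserId) LABEL('MVJEPAS')     +
   RING(mvjePasKeyRing) DEFAULT USAGE(PERSONAL))
RACDCERT ID(mvjePasUserId) CONNECT(CERTAUTH LABEL('LIBERTYCA')            +
   RING(mvjePasKeyRing) USAGE(CERTAUTH))

/* Make the new profiles visible (add DIGTRING if that class is RACLISTed  */
/* on your system), then verify the ring and the mapping before ADDSEC.    */
SETROPTS RACLIST(DIGTCERT DIGTNMAP) REFRESH
RACDCERT ID(mvjePasUserId) LISTRING(mvjePasKeyRing)
RACDCERT ID(mvjePasUserId) LISTMAP
```

The /* */ comments are CLIST syntax; remove them if you issue the commands at the TSO READY prompt or in an IKJEFT01 SYSTSIN stream.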

Grant access to CERTAUTH in a KeyRing

Depending on your security setup, grant access to one of the following facilities:

  • If RDATALIB is active on your system, permit READ access to the ring-specific profiles in CLASS(RDATALIB):

    PE <zosConnectUserId>.<ringName>.LST CLASS(RDATALIB) ID(<zosConnectUserId>) ACCESS(READ)
    PE <mvjePasUserId>.<ringName>.LST CLASS(RDATALIB) ID(<mvjePasUserId>) ACCESS(READ)
  • If RDATALIB is not active on your system, permit READ access to IRR.DIGTCERT.LIST or IRR.DIGTCERT.LISTRING in CLASS(FACILITY):

    PE IRR.DIGTCERT.LIST CLASS(FACILITY) ID(<mvjePasUserId> <zosConnectUserId>) ACCESS(READ)
    or
    PE IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(<mvjePasUserId> <zosConnectUserId>) ACCESS(READ)

Where to go from here

To complete setting up z/OS Connect EE and Liberty JVMs, complete the procedures in Enabling-features-in-the-server-xml-file.

 
