Limited supportBMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support.BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Ops Monitor for Java Environments 4.1.

Setting up RACF for z/OS Connect EE

If you want to monitor z/OS Connect EE servers, use the following procedure to set up RACF for every z/OS Connect EE server.

The examples in the set-up procedure use the following values:

  • z/OS Connect EE user ID: zosConnectUserId
  • MainView for Java Environments PAS user ID: mvjePasUserId 
    mvjePasUserId must be connected to RACF group MVJE.

  • SAF credentials profile prefix as displayed in the server.xml safProfilePrefix
    For example:

    <safCredentials profilePrefix="BBGZDFLT" />

  1. Define RACF EJBROLE objects by specifying the following definitions in the RACF interface :

    Note

    If RACF EJBROLE objects are not defined on your system, check for generic resources that might already be controlling your RACF access.

    PE CLASS(APPL) <safProfilePrefix>  +
       ID(<mvjePasUserId>) ACCESS(READ)

    PE <safProfilePrefix>.zos.connect.access.roles.zosConnectAccess +
       CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)

    PE <safProfilePrefix>.zos.connect.access.roles.zosConnectAdmin +
       CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)


    PERMIT <safProfilePrefix>.com.ibm.ws.management.security.resource.Reader +
       CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)

    PERMIT +
       <safProfilePrefix>.com.ibm.ws.management.security.resource.Administrator +
       CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)

    PERMIT +
    <safProfilePrefix>.com.ibm.ws.management.security.resource.allAuthenticatedUsers+
       CLASS(EJBROLE) ID(<mvjePasUserId>) ACCESS(READ)

  2. Create a certificate for the MVJE PAS.

    Notes

    • The certificate should not restrict Key usage (EKU).
    • Update the keystore tags in the Server.xml file with the zosconnect keyring.
    • Update the Keystore and Truststore parameters in the MJESSLxx member with the the PAS keyring.
    Example for creating certificates and adding certificates to a keyring
     RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('CA for Liberty') +
      O('BMC') +
      OU('LIBERTY') C('US')) WITHLABEL('MJEBANKCERT') HIGHTRUST +
      NOTAFTER(DATE(2024/12/31))
     SETROPTS RACLIST(DIGTNMAP, DIGTCRIT) REFRESH

    RACDCERT ID (<mvjePasUserId>) GENCERT SUBJECTSDN(CN('pas') +
      O('BMC') OU('MVJE')) WITHLABEL('MJEBANKMVJE') +
      SIGNWITH(CERTAUTH LABEL('MJEBANKCERT'))                +
      NOTAFTER(DATE(2024/12/31))

    RACDCERT ID (<zosConnectUserId>) GENCERT SUBJECTSDN(CN('zosconnectee') +
      O('BMC') OU('LIBERTY')) WITHLABEL('MJEBANKZC') +
      SIGNWITH(CERTAUTH LABEL('MJEBANKCERT'))                +
      NOTAFTER(DATE(2024/12/31))


    RACDCERT ADDRING(NEWMV) ID(<mvjePasUserId>)

    RACDCERT ID(<mvjePasUserId>) CONNECT (LABEL('MJEBANKCERT')  +
      RING(NEWMV) CERTAUTH)
    RACDCERT ID(<mvjePasUserId>) CONNECT (LABEL('MJEBANKMVJE')  +
      RING(NEWMV) ID(<mvjePasUserId>) DEFAULT)

    RACDCERT ADDRING(NEWZC) ID(<zosConnectUserId>)

    RACDCERT ID(<zosConnectUserId>) CONNECT (LABEL('MJEBANKCERT') +
      RING(NEWZC) CERTAUTH)
    RACDCERT ID(<zosConnectUserId>) CONNECT (LABEL('MJEBANKZC')  +
      RING(NEWZC) ID(<zosConnectUserId>) DEFAULT)

    RACDCERT ID(<mvjePasUserId>) MAP   +                                       
    SDNFILTER('CN=pas.OU=MVJE.O=BMC') WITHLABEL('MVJEPASMAP')      

     SETROPTS RACLIST(DIGTNMAP, DIGTCRIT, RDATALIB, DIGTCERT, DIGTRING, +
       FACILITY, EJBROLE, APPL                                        +
     ) REFRESH 
  3. Depending on your security setup, grant access to one of the following facilities:

    • If RDATALIB is active on your system, grant access to PE CLASS RDATALIB:

      <zosConnectUserId>.<ringName>.LST user(<zosConnectUserId>)
      <mvjePasUserId><ringName>.LST user(<mvjePasUserId>)

    • If RDATALIB is not active on your system, grant access to PE CLASS(FACILITY)  IRR.DIGTCERT.LIST or IRR.DIGTCERT.LISTRING: 

      PE CLASS(FACILITY) ID(<mvjePasUserId>, <zosConnectUserId>) IRR.DIGTCERT.LIST
      or
      PE CLASS(FACILITY) ID(<mvjePasUserId>, <zosConnectUserId>) IRR.DIGTCERT.LISTRING

Where to go from here

To complete setting up z/OS Connect EE servers, complete the procedures in Enabling-features-in-the-server-xml-file.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*