Setting ESM profiles
The EC for Venafi gateway address space does not issue ESM commands, so it needs no elevated ESM permissions. It requires only enough authority to read the data sets referenced in its started task JCL procedure, to listen on the TCP port specified in its configuration, and to make TCP connections to the EC for Venafi agent systems.
The EC for Venafi agent address spaces require the ESM permissions needed to issue the following commands (GENCERT and GENREQ are functions of the RACDCERT command):
- RACDCERT
- RLIST
- GENCERT
- GENREQ
The user ID under which EC for Venafi runs requires access to the same FACILITY class IRR.DIGTCERT.* profiles that a standard certificate administrator needs.
The commands are issued under the authority of the user ID specified by the RACFAdminUser <userID> parameter in the EC for Venafi configuration member.
To use certain EC for Venafi features, you must configure the following ESM profiles:
- Set the required ESM profiles
- Define a user ID that can issue SETROPTS REFRESH command
- Define a user ID that can use the web interface
- Define a user ID that can configure certificates and certificate objects
- Additional configuration for TSS
Set the required ESM profiles
The ESM command authority is controlled by profiles in the FACILITY class. The following list shows the standard IBM RACF profiles in that class; use the equivalent resources for TSS and ACF2.
- IRR.DIGTCERT.ADD
- IRR.DIGTCERT.ADDRING
- IRR.DIGTCERT.ALTER
- IRR.DIGTCERT.CHECKCERT
- IRR.DIGTCERT.CONNECT
- IRR.DIGTCERT.DELETE
- IRR.DIGTCERT.DELRING
- IRR.DIGTCERT.EXPORT
- IRR.DIGTCERT.GENCERT
- IRR.DIGTCERT.GENREQ
- IRR.DIGTCERT.IMPORT
- IRR.DIGTCERT.LIST
- IRR.DIGTCERT.LISTCHAIN
- IRR.DIGTCERT.LISTRING
- IRR.DIGTCERT.REKEY
Assign access to these profiles according to the scope of certificates the user ID must manage:
- READ access allows a user ID to manipulate only its own certificates
- UPDATE access allows a user ID to manipulate certificates owned by other user IDs
- CONTROL access allows a user ID to manipulate CERTAUTH (CA) and SITE certificates
Additionally, if you use profiles in the RDATALIB class, the EC for Venafi started task also requires access to the *.*.LST profiles (of the form ringOwner.ringName.LST), because RDATALIB profiles are checked before the FACILITY IRR.DIGTCERT.* profiles.
Define a user ID that can issue SETROPTS REFRESH command
For the EC for Venafi started task to issue the following command, give the STC user ID class authority (CLAUTH) to the DIGTCERT class:
SETR RACLIST(DIGTCERT) REFRESH
For example, if the started task runs under the user ID STCUSER:
ALU STCUSER CLAUTH(DIGTCERT)
Define a user ID that can use the web interface
To access the web interface, authorized users require the following profiles:
- RSM.RSS.LOGIN—READ access to log in to RSS
- RSM.RSS.VENAFI—READ access to access the EC for Venafi web interface
Define a user ID that can configure certificates and certificate objects
To use the EC for Venafi UI to create new certificates on z/OS or to create certificate objects on Venafi Trust Protection Platform (TPP), the following profile is required for authorized users:
- BMC.RSS.UICERT—READ access is required
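The batch TSO job below is an added worked example, not a job shipped with the product or taken from its documentation. It collects the RACF definitions from the steps above into one job that a RACF administrator with SPECIAL submits once. Assumptions: STCUSER is the agent started task user ID (the RACFAdminUser ID from the configuration member), RSMADMIN is an assumed RACF group for the people who use the web interface, the RSM.RSS.* and BMC.RSS.UICERT profiles are assumed to be in the FACILITY class, and UPDATE is used as the working access level for the IRR.DIGTCERT.* profiles; adjust the names and levels to your site.

```jcl
//RACFDEF  JOB (ACCT),'EC FOR VENAFI ESM',CLASS=A,MSGCLASS=X
//*-----------------------------------------------------------------
//* Added example, not taken from the product documentation. A RACF
//* administrator (SPECIAL) submits this once to create the profiles
//* listed on this page. Assumed names:
//*   STCUSER  - EC for Venafi agent started-task user ID, i.e. the
//*              RACFAdminUser ID from the configuration member
//*   RSMADMIN - RACF group of the people who may use the web UI
//* RSM.RSS.* and BMC.RSS.UICERT are assumed to be FACILITY profiles.
//*-----------------------------------------------------------------
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=30,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Indented on purpose: "/*" in column 1 would end the DD * data. */
 /* One discrete profile per function, so each can carry its own  */
 /* access level instead of one generic IRR.DIGTCERT.* profile.    */
 RDEFINE FACILITY IRR.DIGTCERT.ADD       UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.ADDRING   UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.ALTER     UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.CHECKCERT UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.CONNECT   UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.DELETE    UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.DELRING   UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.EXPORT    UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.GENCERT   UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.GENREQ    UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.IMPORT    UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.LIST      UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.LISTCHAIN UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.LISTRING  UACC(NONE)
 RDEFINE FACILITY IRR.DIGTCERT.REKEY     UACC(NONE)
 /* UPDATE lets STCUSER act on certificates owned by other user    */
 /* IDs. Raise a profile to CONTROL only where the agent must act  */
 /* on CERTAUTH or SITE certificates through that function.        */
 PERMIT IRR.DIGTCERT.ADD       CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.ADDRING   CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.ALTER     CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.CHECKCERT CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.CONNECT   CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.DELETE    CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.DELRING   CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.EXPORT    CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.GENCERT   CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.GENREQ    CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.IMPORT    CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.LIST      CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.LISTCHAIN CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.LISTRING  CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 PERMIT IRR.DIGTCERT.REKEY     CL(FACILITY) ID(STCUSER) ACC(UPDATE)
 /* Only if RDATALIB is active at your site: it is checked before  */
 /* the FACILITY profiles. READ covers rings owned by STCUSER;     */
 /* rings of other user IDs need UPDATE on their owner.ring.LST.   */
 /* The generic name needs SETROPTS GENERIC(RDATALIB) in effect.   */
 RDEFINE RDATALIB *.*.LST UACC(NONE)
 PERMIT *.*.LST CL(RDATALIB) ID(STCUSER) ACC(READ)
 /* Lets the STC issue SETR RACLIST(DIGTCERT) REFRESH itself.      */
 ALTUSER STCUSER CLAUTH(DIGTCERT)
 /* Web interface and certificate-creation UI: human users only.   */
 RDEFINE FACILITY RSM.RSS.LOGIN  UACC(NONE)
 RDEFINE FACILITY RSM.RSS.VENAFI UACC(NONE)
 RDEFINE FACILITY BMC.RSS.UICERT UACC(NONE)
 PERMIT RSM.RSS.LOGIN  CL(FACILITY) ID(RSMADMIN) ACC(READ)
 PERMIT RSM.RSS.VENAFI CL(FACILITY) ID(RSMADMIN) ACC(READ)
 PERMIT BMC.RSS.UICERT CL(FACILITY) ID(RSMADMIN) ACC(READ)
 /* Make the new FACILITY profiles effective, then verify.         */
 SETROPTS RACLIST(FACILITY) REFRESH
 RLIST FACILITY IRR.DIGTCERT.GENCERT AUTHUSER
 RLIST RDATALIB *.*.LST AUTHUSER
 LISTUSER STCUSER
/*
```

Check the SYSTSPRT output: the RLIST ... AUTHUSER lines show the access list of each profile, and LISTUSER STCUSER shows CLASS AUTHORIZATIONS=DIGTCERT. Two caveats: CLAUTH(DIGTCERT) also lets STCUSER define profiles in the DIGTCERT class, so keep that user ID protected (NOPASSWORD and NOOIDCARD) and restricted to the started task; and do not grant the RSM.RSS.* or BMC.RSS.UICERT profiles to STCUSER, because the agent does not log in to the web interface.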
Additional configuration for TSS
Top Secret (TSS) requires fix SO06741 to support the R_datalib callable service.