Setting ESM profiles


Set the external security manager (ESM) profiles in BMC AMI Resident Security Server, which provides the core functionality that supports EC for Venafi. For more information, see Creating ESM resources in the RSS documentation.




The EC for Venafi gateway address space does not issue ESM commands, so it does not require elevated ESM permissions. The address space requires only enough authority to access the data sets in the started task JCL procedure, to listen on the specified TCP port, and to make TCP connections to the EC for Venafi agent systems.

The EC for Venafi agent address spaces require the necessary ESM permissions to issue the following commands:

  • RACDCERT
  • RLIST
  • GENCERT
  • GENREQ

The user ID for EC for Venafi requires access to the same FACILITY class IRR.DIGTCERT.* profiles that a standard administrator needs.

The commands are issued using the authority of the user ID specified for RACFAdminUser <userID> in the EC for Venafi configuration member.

To use certain EC for Venafi features, you must configure the following ESM profiles:

Set the required ESM profiles

ESM command authority requires that all profiles be in the FACILITY class. The following list presents the IBM RACF standard profiles in the FACILITY class. Use equivalent profiles for TSS and ACF2.

  • IRR.DIGTCERT.ADD
  • IRR.DIGTCERT.ADDRING
  • IRR.DIGTCERT.ALTER
  • IRR.DIGTCERT.CHECKCERT
  • IRR.DIGTCERT.CONNECT
  • IRR.DIGTCERT.DELETE
  • IRR.DIGTCERT.DELRING
  • IRR.DIGTCERT.EXPORT
  • IRR.DIGTCERT.GENCERT
  • IRR.DIGTCERT.GENREQ
  • IRR.DIGTCERT.IMPORT
  • IRR.DIGTCERT.LIST
  • IRR.DIGTCERT.LISTCHAIN
  • IRR.DIGTCERT.LISTRING
  • IRR.DIGTCERT.REKEY

Make sure that you assign appropriate access to the profiles:

  • READ access allows a user ID to manipulate only its own certificates
  • UPDATE access allows a user ID to manipulate other users' certificates
  • CONTROL access allows a user ID to manipulate CA and SITE certificates

Additionally, if you are using profiles in the RDATALIB class, the EC for Venafi started task requires access to the *.*.LST profiles, because the RDATALIB profiles are checked first.
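The following script is an added example and is not part of the BMC documentation or the EC for Venafi product. It takes the FACILITY-class profile list above and the READ/UPDATE/CONTROL semantics just described, generates the RACF PERMIT commands that grant one user ID a single chosen access level to every profile, and audits a listing of what a user ID actually holds so that missing profiles, insufficient access and excess access (for example CONTROL where UPDATE is enough) are reported. The user ID VENAGENT and the three-column access listing are constructed for the example; the real RLIST output is wider than this, so adapt the parser to your extraction.

```python
"""Added example: generate PERMIT commands for the EC for Venafi FACILITY
profiles and audit a user ID's access against the required level.
Profile names are the IBM RACF names from the page; the user ID VENAGENT
and the access listing below are constructed sample data."""

# FACILITY-class profiles listed on the page (TSS and ACF2 use equivalents).
REQUIRED_PROFILES = [
    "IRR.DIGTCERT.ADD", "IRR.DIGTCERT.ADDRING", "IRR.DIGTCERT.ALTER",
    "IRR.DIGTCERT.CHECKCERT", "IRR.DIGTCERT.CONNECT", "IRR.DIGTCERT.DELETE",
    "IRR.DIGTCERT.DELRING", "IRR.DIGTCERT.EXPORT", "IRR.DIGTCERT.GENCERT",
    "IRR.DIGTCERT.GENREQ", "IRR.DIGTCERT.IMPORT", "IRR.DIGTCERT.LIST",
    "IRR.DIGTCERT.LISTCHAIN", "IRR.DIGTCERT.LISTRING", "IRR.DIGTCERT.REKEY",
]

# RACF access levels in increasing order of authority.
ACCESS_ORDER = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def permit_commands(user_id, access="UPDATE", refresh=True):
    """Return the RACF commands granting USER_ID one access level on every
    required profile.  UPDATE covers managing other users' certificates;
    choose CONTROL only if the agent must also manage CA/SITE certificates."""
    if access not in ACCESS_ORDER:
        raise ValueError(f"unknown access level {access!r}")
    cmds = [f"PERMIT {p} CLASS(FACILITY) ID({user_id}) ACCESS({access})"
            for p in REQUIRED_PROFILES]
    if refresh:
        # A RACLISTed class only sees new permits after a refresh.
        cmds.append("SETROPTS RACLIST(FACILITY) REFRESH")
    return cmds


def parse_access_list(text):
    """Parse a simplified 'profile user access' listing (one grant per line,
    constructed for this example) into {profile: {user: access}}."""
    granted = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].startswith("IRR."):
            continue  # skip headers, blank lines and unrelated profiles
        profile, user, access = parts
        granted.setdefault(profile, {})[user.upper()] = access.upper()
    return granted


def audit(granted, user_id, required_access="UPDATE"):
    """Compare USER_ID's actual access with the required level.
    Returns (missing, too_low, excessive) lists of profile names."""
    need = ACCESS_ORDER[required_access]
    missing, too_low, excessive = [], [], []
    for profile in REQUIRED_PROFILES:
        have = granted.get(profile, {}).get(user_id.upper())
        if have is None:
            missing.append(profile)
        elif ACCESS_ORDER.get(have, 0) < need:
            too_low.append(profile)
        elif ACCESS_ORDER.get(have, 0) > need:
            excessive.append(profile)
    return missing, too_low, excessive


# Constructed sample listing: most profiles absent, LIST too low, REKEY excessive.
SAMPLE_LISTING = """\
PROFILE                 USER      ACCESS
IRR.DIGTCERT.ADD        VENAGENT  UPDATE
IRR.DIGTCERT.ADDRING    VENAGENT  UPDATE
IRR.DIGTCERT.LIST       VENAGENT  READ
IRR.DIGTCERT.REKEY      VENAGENT  CONTROL
"""

if __name__ == "__main__":
    for cmd in permit_commands("VENAGENT"):
        print(cmd)
    missing, too_low, excessive = audit(parse_access_list(SAMPLE_LISTING), "VENAGENT")
    print("missing:", missing)
    print("too low:", too_low)
    print("excessive:", excessive)
```

Run the audit before and after applying the generated PERMIT commands; an empty "excessive" list is the least-privilege check, since CONTROL on these profiles extends the agent's reach to CA and SITE certificates.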

Define a user ID that can issue the SETROPTS REFRESH command

For the EC for Venafi started task to issue the following command:

SETR RACLIST(DIGTCERT) REFRESH

give the STC user ID class authority for DIGTCERT, where STCUSER is the started task user ID:

ALU STCUSER CLAUTH(DIGTCERT)

Define a user ID that can use the web interface

To access the web interface, authorized users require the following profiles:

  • RSM.RSS.LOGIN—READ access to log in to RSS
  • RSM.RSS.VENAFI—READ access to use the EC for Venafi web interface

Define a user ID that can configure certificates and certificate objects

(SPE2501)

To use the EC for Venafi UI to create new certificates on z/OS or to create certificate objects on Venafi Trust Protection Platform (TPP), the following profile is required for authorized users:

  • BMC.RSS.UICERT – READ access is required

Additional configuration for TSS

Top Secret requires fix SO06741 to provide support for r_datalib.
