RACF - To - ACF2 Commands

This document provides information on managing user security and access controls on mainframe systems using RACF and ACF2. It outlines commands for adding and exporting digital certificates, defining user IDs, controlling system access, revoking accounts, defining access to datasets and passwords.

Uploaded by

Gino Thompson
Copyright
© Attribution Non-Commercial (BY-NC)
Digital Certificates
• PKI / X.509
• Use public/private keys
• Enable more secure authentication, non-repudiation
• On z/OS you can use, administer and export keys

• To Add a Certificate
  • RACF: RACDCERT ID(SYSMAN) ADD(MY.CERT) WITHLABEL('MIGRATED.KEY') PCICC(*)
  • ACF2: Set profile(user) div(certdata)
          INSERT SYSMAN.cert DSN('MY.CERT') LABEL(MIGRATED.KEY) TRUST PCICC PKDSLBL(*)

• To Export a Certificate to z/OS dataset "MY.CERT"
  • RACF: RACDCERT ID(SYSMAN) EXPORT(LABEL('SECURE.KEY')) DSN(MY.CERT) FORMAT(CERTDER)
  • ACF2: Set profile(user) div(certdata)
          EXPORT SYSMAN LABEL(SECURE.KEY) DSN('MY.CERT') FORMAT(CERTDER)

Displaying User Security Settings
• Listing a user's information
  • RACF: LISTUSER userid
  • ACF2: SET LID
          LIST logonid

Defining IDs
• RACF: ADDUSER user_id DFLTGRP(group) PASSWORD(pwd)
• ACF2: SET LID
        INSERT logonid PASSWORD(pwd)

Controlling System Entry
• Batch
  • RACF: SETROPTS JES(BATCHALLRACF) (forces all batch users to be defined to RACF)
          SETROPTS CLASSACT(JESJOBS)
          PERMIT SUBMIT.node.job.userid CLASS(JESJOBS) ID(userid) ACCESS(READ)
  • ACF2: Specify the JOBCK option of the GSO OPTS record
          SET LID
          CHANGE logonid JOB

• TSO
  • Master Catalog Alias, SYS1.UADS
  • RACF: ALTUSER userid TSO(ACCTNUM(accnum) PROC(logonproc))
  • ACF2: SET LID
          CHANGE logonid TSO

• CICS
  • RACF: ALTUSER userid CICS
  • ACF2: SET LID
          CHANGE logonid CICS

Revoking/Suspending Accounts
• RACF: ALTUSER userid REVOKE
• ACF2: SET LID
        CHANGE logonid SUSPEND

Access
• Defining Security for Datasets
  • RACF: Discrete profile: ADDSD 'dsname' UACC(access)
          Generic profile: ADDSD 'dsname-incl-generic-char' UACC(access)
          or: ADDSD 'dsname' UACC(access) GENERIC
  • ACF2: $KEY(high-level-qualifier)
          dsname-extent UID(pattern-for-UIDs) R(A) and/or other accesses

• Permitting Access to Datasets
  • RACF: PERMIT 'dsname-or-profile' ID(userid) ACCESS(access)
  • ACF2: $KEY(high-level-qualifier)
          dsname-extent UID(pattern-for-UIDs) R(A) and/or other accesses

• Grouping Access
  • RACF: CONNECT userid GROUP(group)
  • ACF2: SET LID
          CHANGE logonid DEPT(dept)

Passwords
• Changing a Password
  • RACF: PASSWORD PASSWORD(newpwd) USER(userid)
  • ACF2: SET LID
          CHANGE logonid PASSWORD(newpwd)
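
The user-level pairs listed so far (LISTUSER, ADDUSER, ALTUSER, CONNECT, PASSWORD) can be applied mechanically when reviewing a RACF command list ahead of a migration. The Python below is an added example, not part of the original document or of any vendor tool: `parse_racf` and `to_acf2` are hypothetical names, it knows only the pairs shown on this page, and it rejects every other command or operand so that nothing is silently dropped.

```python
import re
ALTUSER_FIELDS = {"REVOKE": "SUSPEND", "TSO": "TSO", "CICS": "CICS"}  # pairs from this page

def parse_racf(line):
    """Split a RACF command into (verb, positional operands, keyword operands)."""
    tokens, cur, depth = [], "", 0
    for ch in line.strip():
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError(f"unbalanced parentheses: {line!r}")
        if ch.isspace() and depth == 0:   # split only outside parentheses
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    if depth or not tokens:
        raise ValueError(f"unbalanced or empty command: {line!r}")
    positional, keywords = [], {}
    for tok in tokens[1:]:
        m = re.fullmatch(r"(\w+)\((.*)\)", tok, re.S)
        if m:                             # KEYWORD(value), value may nest
            keywords[m.group(1).upper()] = m.group(2)
        else:
            positional.append(tok)
    return tokens[0].upper(), positional, keywords

def to_acf2(line):
    """Return the ACF2 lines this page pairs with one RACF user command."""
    verb, pos, kw = parse_racf(line)
    try:
        if verb == "LISTUSER":
            body = f"LIST {pos[0]}"
        elif verb == "ADDUSER":           # DFLTGRP is absent from the page's ACF2 form
            body = f"INSERT {pos[0]} PASSWORD({kw['PASSWORD']})"
        elif verb == "PASSWORD":
            body = f"CHANGE {kw['USER']} PASSWORD({kw['PASSWORD']})"
        elif verb == "CONNECT":
            body = f"CHANGE {pos[0]} DEPT({kw['GROUP']})"
        elif verb == "ALTUSER" and (pos[1:] or kw):
            ops = [p.upper() for p in pos[1:]] + list(kw)
            body = f"CHANGE {pos[0]} " + " ".join(ALTUSER_FIELDS[o] for o in ops)
        else:
            raise KeyError(verb)
    except (KeyError, IndexError) as exc:
        raise ValueError(f"no mapping on this page, review by hand: {line!r}") from exc
    return ["SET LID", body]
```

With the constructed input `ALTUSER JDOE REVOKE` it returns the `SET LID` / `CHANGE JDOE SUSPEND` pair; an operand such as `SPECIAL`, which this page does not map to a logonid field, raises `ValueError` instead.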

Mainframe Security Basics

• Modes: Initial Installation, Implementation, Locked-down
  • RACF: WARNING operand on the ADDSD, RDEFINE, ALTDSD, and RALTER commands
          SETROPTS NOPROTECTALL | PROTECTALL specifies security for all datasets
          PROTECTALL requires SETROPTS GENERIC(DATASET)
          SETROPTS PROTECTALL(WARNING)
  • ACF2: MODE=(QUIET | LOG | WARN | ABORT | RULE)

Admin Authority

• RACF: SPECIAL, AUDITOR, OPERATIONS attributes; scoped using group versions
        CLAUTH, Access and Profile Ownership
• ACF2: ACCOUNT, SECURITY, LEADER, CONSULT, USER
        Scoped by SCPLIST field defined in logonid record
https://support.ca.com/irj/portal/anonymous/kbsrch
