Complete the following to configure IBM RACF authentication providers.
See the IBM RACF Mainframe Requirements for complete RACF requirements, including required PTFs that must be installed on the MVS system to configure STA authentication with RACF.
Note:
STA supports third-party products that are compatible with IBM RACF, for example CA's ACF-2 and Top Secret. It is up to the person installing STA, or a security administrator, to issue the commands appropriate for the security product installed.

The mainframe side of the RACF service for STA is provided by a CGI routine that is part of the StorageTek Storage Management Component (SMC) for ELS 7.0 and 7.1. This CGI routine is called by the SMC HTTP server and uses RACF profiles defined in the FACILITY class.
For STA to use RACF for access authentication, on the MVS system you must set up an SMC Started Task that runs the HTTP server. See the ELS document Configuring and Managing SMC for detailed instructions.
Note:
The SMC Started Task jobname must match the Jobname in the AT-TLS rule that has been defined. Alternatively, let the AT-TLS definition use a generic jobname (for example, SMCW). If you are using a value-supplied STC identifier (for example, JOBNAME.JOB), the AT-TLS rule does not match the task and the CGI routine connection fails.
The port number used for the HTTP server must match the one defined in the WebLogic console, and the host must match the IP name for the host where the SMC task runs.
Note:
An existing SMC can be used if it runs on the host where RACF authorization is to be performed. In this case, use the port number of the existing HTTP server when you perform the WebLogic configuration.

Application Transparent Transport Layer Security (AT-TLS) is an encryption solution for TCP/IP applications that is transparent to the application server and client. Packet encryption and decryption occur in the z/OS TCPIP address space at the TCP protocol level. AT-TLS requirements for RACF authorization are stated in the IBM RACF Mainframe Requirements.
The following RACF commands list the status of the various RACF objects that you will define in the configuration process. The FACILITY profile names are IRR.DIGTCERT.LISTRING, IRR.DIGTCERT.LIST and IRR.DIGTCERT.GENCERT, exactly as they are defined below:
RLIST STARTED PAGENT*.* STDATA ALL
RLIST DIGTRING * ALL
RLIST FACILITY IRR.DIGTCERT.LISTRING ALL
RLIST FACILITY IRR.DIGTCERT.LIST ALL
RLIST FACILITY IRR.DIGTCERT.GENCERT ALL
RACDCERT ID(stcuser) LIST
RACDCERT ID(stcuser) LISTRING(keyringname)
RACDCERT CERTAUTH LIST
Use this procedure to configure AT-TLS so that traffic on the port defined to the SMC HTTP server and to WebLogic is encrypted between the SMC host and the STA server.
Specify the following parameter in the TCPIP profile data set to activate AT-TLS.
TCPCONFIG TTLS
This statement may be placed in the TCP OBEY file.
Configure the Policy Agent (PAGENT)
The Policy Agent address space controls which TCP/IP traffic is encrypted.
Enter the PAGENT started task JCL.
For example:
//PAGENT   PROC
//*
//PAGENT   EXEC PGM=PAGENT,REGION=0K,TIME=NOLIMIT,
//         PARM='POSIX(ON) ALL31(ON) ENVAR("_CEE_ENVFILE=DD:STDENV")/-d1'
//*
//STDENV   DD DSN=pagentdataset,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//*
//CEEDUMP  DD SYSOUT=*,DCB=(RECFM=FB,LRECL=132,BLKSIZE=132)
Enter the PAGENT environment variables. The pagentdataset data set contains the PAGENT environment variables.
For example:
LIBPATH=/lib:/usr/lib:/usr/lpp/ldapclient/lib:.
PAGENT_CONFIG_FILE=/etc/pagent.conf
PAGENT_LOG_FILE=/tmp/pagent.log
PAGENT_LOG_FILE_CONTROL=3000,2
_BPXK_SETIBMOPT_TRANSPORT=TCPIP
TZ=MST7MDT
In this example, /etc/pagent.conf contains the PAGENT configuration parameters. Use your own time zone for the TZ parameter.
Configure PAGENT.
For example:
TTLSRule TBI-TO-ZOS
{
  LocalAddr localtcpipaddress
  RemoteAddr remotetcpipaddress
  LocalPortRange localportrange
  RemotePortRange remoteportrange
  Jobname HTTPserverJobname
  Direction Inbound
  Priority 255
  TTLSGroupActionRef gAct1~TBI_ICSF
  TTLSEnvironmentActionRef eAct1~TBI_ICSF
  TTLSConnectionActionRef cAct1~TBI_ICSF
}
TTLSGroupAction gAct1~TBI_ICSF
{
  TTLSEnabled On
  Trace 2
}
TTLSEnvironmentAction eAct1~TBI_ICSF
{
  HandshakeRole Server
  EnvironmentUserInstance 0
  TTLSKeyringParmsRef keyR~ZOS
}
TTLSConnectionAction cAct1~TBI_ICSF
{
  HandshakeRole ServerWithClientAuth
  TTLSCipherParmsRef cipher1~AT-TLS__Gold
  TTLSConnectionAdvancedParmsRef cAdv1~TBI_ICSF
  CtraceClearText Off
  Trace 2
}
TTLSConnectionAdvancedParms cAdv1~TBI_ICSF
{
  ApplicationControlled Off
  HandshakeTimeout 10
  ResetCipherTimer 0
  CertificateLabel certificatelabel
  SecondaryMap Off
}
TTLSKeyringParms keyR~ZOS
{
  Keyring keyringname
}
TTLSCipherParms cipher1~AT-TLS__Gold
{
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}
where:
localtcpipaddress: Local TCP/IP address of the HTTP server
remotetcpipaddress: Remote TCP/IP address of the STA client. This can be ALL for all TCP/IP addresses
localportrange: Local port of the HTTP server (specified in the HTTP or SMC startup)
remoteportrange: Remote port range (1024-65535 for all ephemeral ports)
HTTPserverJobname: Jobname of the HTTP server, which must match the SMC Started Task jobname
certificatelabel: Label from the server certificate definition
keyringname: Name from the RACF keyring definition
HandshakeRole ServerWithClientAuth in the connection action makes AT-TLS require a certificate from the STA client that chains to a CA certificate in the keyring, which is why a CLIENT certificate is generated and exported to STA later in this procedure. The 3DES suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA) is listed for compatibility only; it is deprecated, and a site that does not need it should keep only the AES suite.
Activate the RACF classes. Either the RACF panels or the CLI can be used.
The RACF classes include:
DIGTCERT
DIGTNMAP
DIGTRING
SERVAUTH
The SERVAUTH class must be RACLISTed to prevent PORTMAP and RXSERV from abending.
SETROPTS RACLIST(SERVAUTH)
RDEFINE SERVAUTH ** UACC(ALTER) OWNER(RACFADM)
RDEFINE STARTED PAGENT*.* OWNER(RACFADM) STDATA(USER(TCPIP) GROUP(STCGROUP))
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) OWNER(RACFADM)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE) OWNER(RACFADM)
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE) OWNER(RACFADM)
Note:
UACC(ALTER) on the generic SERVAUTH ** profile is the default access for every user to any SERVAUTH resource that has no more specific profile. If your site already protects SERVAUTH resources, define the catch-all with UACC(NONE) instead and permit the TCPIP and PAGENT users explicitly. The IRR.DIGTCERT.* profiles are defined with UACC(NONE), so stcuser (the TCPIP user that owns the keyring) needs READ access to IRR.DIGTCERT.LISTRING for AT-TLS to read the keyring; refresh the RACLISTed FACILITY class after changing these profiles.
Define RACF Keyrings and Certificates
Enter the following RACF commands to create keyrings and certificates:
RACDCERT ID(stcuser) ADDRING(keyringname)
where:
stcuser: RACF user ID associated with the TCPIP address space
keyringname: Name of the keyring, which must match the Keyring specified in the PAGENT configuration
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('serverdomainname') O('companyname') OU('unitname') C('country')) WITHLABEL('calabel') TRUST SIZE(2048) KEYUSAGE(HANDSHAKE,DATAENCRYPT,CERTSIGN)
Note:
This is the CA certificate for the STA system. A CERTAUTH certificate is owned by RACF rather than by a user ID, so the command carries the CERTAUTH operand in place of ID(stcuser); the certificate is connected to the stcuser keyring with USAGE(CERTAUTH) below. Use SIZE(2048) or larger for every certificate in this procedure: 1024-bit RSA keys are no longer considered adequate and are rejected by many current TLS implementations.
where:
serverdomainname: Domain name of the z/OS server (for example, MVSA.COMPANY.COM)
companyname: Organization name
unitname: Organizational unit name
country: Country
calabel: Label for the certificate authority (for example, CATBISERVER)
RACDCERT ID(stcuser) GENCERT SUBJECTSDN(CN('serverdomainname') O('companyname') OU('unitname') C('country')) WITHLABEL('serverlabel') TRUST SIZE(2048) SIGNWITH(CERTAUTH LABEL('calabel'))
Note:
This is the SERVER certificate.
where:
stcuser: RACF user ID associated with the TCPIP address space
serverdomainname: Domain name of the z/OS server (for example, MVSA.COMPANY.COM)
companyname: Organization name
unitname: Organizational unit name
country: Country
serverlabel: Label for the server certificate (for example, TBISERVER)
calabel: Label for the certificate authority, specified in the CA certificate definition
RACDCERT ID(stcuser) GENCERT SUBJECTSDN(CN('clientdomainname') O('companyname') OU('unitname') C('country')) WITHLABEL('clientlabel') TRUST SIZE(2048) SIGNWITH(CERTAUTH LABEL('calabel'))
Note:
This is the CLIENT certificate. Its private key is generated under stcuser and is later exported, together with the certificate, for installation on the STA server.
where:
stcuser: RACF user ID associated with the TCPIP address space
clientdomainname: Domain name of the STA client (for example, TBIA.COMPANY.COM)
companyname: Organization name
unitname: Organizational unit name
country: Country
clientlabel: Label for the client certificate (for example, TBICLIENT)
calabel: Label for the certificate authority, specified in the CA certificate definition
Connect the CA, SERVER, and CLIENT certificates to the keyring specified in the PAGENT configuration:
RACDCERT ID(stcuser) CONNECT(CERTAUTH LABEL('calabel') RING('keyringname') USAGE(CERTAUTH))
where:
stcuser: RACF user ID associated with the TCPIP address space
calabel: Label for the certificate authority, specified in the CA certificate definition
keyringname: Name of the keyring, which must match the Keyring specified in the PAGENT configuration
RACDCERT ID(stcuser) CONNECT(ID(stcuser) LABEL('serverlabel') RING('keyringname') DEFAULT USAGE(PERSONAL))
where:
stcuser: RACF user ID associated with the TCPIP address space
serverlabel: Label for the server certificate
keyringname: Name of the keyring, which must match the Keyring specified in the PAGENT configuration
RACDCERT ID(stcuser) CONNECT(ID(stcuser) LABEL('clientlabel') RING('keyringname') USAGE(PERSONAL))
where:
stcuser: RACF user ID associated with the TCPIP address space
clientlabel: Label for the client certificate
keyringname: Name of the keyring, which must match the Keyring specified in the PAGENT configuration
Export the CA and client certificates to be transmitted to STA:
RACDCERT EXPORT(LABEL('calabel')) CERTAUTH DSN('datasetname') FORMAT(CERTB64)
where:
calabel: Label for the certificate authority, specified in the CA certificate definition
datasetname: Data set to receive the exported certificate
RACDCERT EXPORT(LABEL('clientlabel')) ID(stcuser) DSN('datasetname') FORMAT(PKCS12DER) PASSWORD('password')
where:
clientlabel: Label for the client certificate
stcuser: RACF user ID associated with the TCPIP address space
datasetname: Data set to receive the exported package
password: Password used to encrypt the PKCS#12 package. It is needed when the package is received on STA and must be eight characters or more.
The export data sets are now transmitted to STA. The CA certificate (CERTB64) is a text file and is transferred with EBCDIC to ASCII conversion; the CLIENT package (PKCS12DER) is transferred as a BINARY file and contains both the client certificate and its private key. Because that private key is what STA will use to authenticate itself to the mainframe, transfer the package over an encrypted channel (SFTP or FTPS rather than plain FTP), pass the PKCS#12 password to the STA administrator separately, and delete the export data sets once STA has imported the files.
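The AT-TLS rule above (HandshakeRole ServerWithClientAuth) and the RACDCERT commands that build the CA, SERVER and CLIENT certificates together describe one mutually authenticated TLS connection: the z/OS side presents the SERVER certificate and will only talk to a client that presents a certificate issued by the CA in the keyring. The following Go program is an added example, not code from the STA documentation or from the ELS/SMC product: it builds the same three-certificate hierarchy in memory and runs a handshake over loopback with the server configured the way AT-TLS configures the SMC HTTP server, so you can see what the keyring and the two exported files buy you, and what happens to a client that has no certificate or one from another CA. Go's crypto/tls stands in for z/OS System SSL; the certificate names, the 'companyname' organization, the one-year validity and the loopback port are assumptions made for the example.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

const minKeyBits = 2048 // stands in for RACDCERT SIZE(); 1024-bit RSA keys are no longer adequate

// keyringEntry is one label in the RACF keyring: the certificate and, for SERVER/CLIENT, its key.
type keyringEntry struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// genCert mirrors RACDCERT GENCERT: self-signed when signer is nil (CERTAUTH), else SIGNWITH the signer.
// Names and organization are assumptions for the example.
func genCert(cn string, isCA bool, signer *keyringEntry) *keyringEntry {
	key, err := rsa.GenerateKey(rand.Reader, minKeyBits)
	must(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, DNSNames: []string{cn},
		Subject:   pkix.Name{CommonName: cn, Organization: []string{"companyname"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // HANDSHAKE,DATAENCRYPT
		IsCA:      isCA, BasicConstraintsValid: true,
	}
	parent, parentKey := tmpl, key // self-signed unless a signer is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CERTSIGN
	}
	if signer != nil {
		parent, parentKey = signer.Cert, signer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	parsed, err := x509.ParseCertificate(der)
	must(err)
	return &keyringEntry{Cert: parsed, Key: key}
}

// mutualHandshake runs one TLS connection over loopback with the server set up like the AT-TLS
// rule (HandshakeRole ServerWithClientAuth): it presents the SERVER certificate and requires a
// client certificate chaining to the CA in the keyring. client may be nil (the STA side presents
// nothing). It returns the client CN the server accepted, or the error with which it was rejected.
func mutualHandshake(ca, server, client *keyringEntry) (string, error) {
	trust := x509.NewCertPool()
	trust.AddCert(ca.Cert)
	srvCfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust, MinVersion: tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.Cert.Raw}, PrivateKey: server.Key}}}
	// RootCAs is the exported CA certificate STA imports into cacerts; Certificates is the PKCS#12 export.
	cliCfg := &tls.Config{RootCAs: trust, ServerName: server.Cert.Subject.CommonName, MinVersion: tls.VersionTLS12}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{client.Cert.Raw}, PrivateKey: client.Key}}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		must(err)
		s := tls.Server(conn, srvCfg)
		defer s.Close()
		if s.Handshake() == nil { // a rejected client gets a TLS alert and never reaches the CGI routine
			fmt.Fprintln(s, s.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	c := tls.Client(conn, cliCfg)
	defer c.Close()
	// Read drives the handshake; a rejected client certificate surfaces here as the server's alert.
	cn, err := bufio.NewReader(c).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(cn), nil
}

func main() {
	ca := genCert("CATBISERVER", true, nil) // RACDCERT CERTAUTH GENCERT ... WITHLABEL('calabel')
	server, client := genCert("MVSA.COMPANY.COM", false, ca), genCert("TBIA.COMPANY.COM", false, ca)
	fmt.Println(mutualHandshake(ca, server, client)) // TBIA.COMPANY.COM <nil>
	fmt.Println(mutualHandshake(ca, server, nil))    // "" and the server's rejection alert
}
```

The first call succeeds because the client certificate chains to the CA the server trusts, which is exactly the relationship the CONNECT ... USAGE(CERTAUTH) and USAGE(PERSONAL) commands establish in the keyring; the second fails before any application data is exchanged, which is what AT-TLS does to an STA server whose PKCS#12 package was never installed. A certificate issued by a different CA fails the same way, so the CA certificate in cacerts and the client certificate in the PKCS#12 package must come from the same RACF CERTAUTH entry.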
The profiles are defined in the FACILITY class. The first of the profiles is called SMC.ACCESS.STA and determines whether a user has access to the STA application. A user who requires access to STA must have READ access to this profile. The other profiles are all of the form SMC.ROLE.nnn and are used to determine which roles the user has once logged on.
Note:
The only role defined to STA is StorageTapeAnalyticsUser. To obtain this role, request that your user ID be added to the SMC.ROLE.STORAGETAPEANALYTICSUSER profile with READ access.

Verify that public and private keys have been generated successfully and that user IDs and passwords with the appropriate permissions have been defined correctly.
The test can be done using any browser, but Firefox is used here as an example.
In the Firefox Tools menu, select Options.
Select the Advanced tab, and then select the Encryption tab.
Click View Certificates.
In the Certificate Manager dialog box, select the Authorities tab, and then select the exported CA certificate file to import.
Click Import.
Select the Your Certificates tab, and then select the PKCS#12 file containing the client certificate and its private key. You are prompted for the password given with the export.
Click Import.
Click OK to save and exit the dialog box.
Test the CGI routine from a browser.
Open a browser window and enter the following URL, where host, port, userid, and password are set to appropriate values.
https://host:port/smcgsaf?type=authentication&userid=userid&password=password&roles=StorageTapeAnalyticsUser
The resulting output indicates whether the user is authorized to access STA and holds the StorageTapeAnalyticsUser role. Because the password travels in the URL query string, it is recorded in the browser history and may be written to the HTTP server log; run this test with a test user ID and clear the browser history afterwards.
Note:
The STA RACF authorization facility does not support changing the password of mainframe user IDs. If a user ID password expires, STA indicates this, and the password must be reset through normal mainframe channels before attempting to log in to STA again.

The RACF Security Service Provider (RACF SSP) must be installed as a WebLogic plug-in. If the RACF SSP has been installed, the STA installer should have placed the RACF SSP in the appropriate location within WebLogic.
Place the RACF SSP in the proper location, if it has not been already.
Place the RACF security jar file into the following location:
/Oracle_storage_home/Middleware/wlserver_10.3/server/lib/mbeantypes/staRACF.jar
where Oracle_storage_home is the Oracle storage home location specified during STA installation.
Install the MVS security certificate on the STA server and import it into the systemwide Java keystore.
Verify that the required PTFs have been installed on the MVS system. These PTFs allow for authentication with RACF or other third-party security software when you log in to the STA application. See Review IBM RACF Mainframe Minimum Requirements for details.
Obtain the following files:
MVS CA certificate, exported with FORMAT(CERTB64), as an ASCII text file
STA client certificate and private key, exported with FORMAT(PKCS12DER), in binary PKCS#12 format; the MVS system administrator should give you the password to this file through a separate channel.
Transfer the files to the STA server, and place them in the certificates directory. The directory location is as follows:
/Oracle_storage_home/Middleware/user_projects/domains/TBI/cert
where Oracle_storage_home is the Oracle storage home location specified during STA installation.
Convert the DER-encoded PKCS#12 package to Privacy Enhanced Mail (PEM) format. For example:
$ openssl pkcs12 -clcerts -in PKCS12DR.xxxxxx -out mycert.pem
Where:
pkcs12 indicates PKCS#12 data management.
-clcerts indicates you want to output only client certificates (not the CA certificates in the package).
-in specifies the input file.
-out specifies the output file.
You will be asked to enter the import password (given to you with the certificate) and then a new PEM pass phrase, with verification. Because -nokeys is not specified, the private key is written to mycert.pem as well, encrypted under that PEM pass phrase, so protect the file as you would the PKCS#12 package.
Change to the JRE binary directory. The directory location is as follows:
/Oracle_storage_home/StorageTek_Tape_Analytics/jdk/jre/bin
where Oracle_storage_home is the Oracle storage home location specified during STA installation.
For example:
$ cd /Oracle/StorageTek_Tape_Analytics/jdk/jre/bin
Use the Java keytool utility to import the certificate file into the systemwide Java keystore. The keystore is located in the following file:
/Oracle_storage_home/StorageTek_Tape_Analytics/jdk1.6.0_xx/jre/lib/security/cacerts
For example:
$ ./keytool -importcert -alias tbiServer -file mycert.pem -keystore /Oracle/StorageTek_Tape_Analytics/jdk1.6.0_75/jre/lib/security/cacerts -storetype jks
Where:
-importcert indicates you want to import a certificate.
-alias indicates the name you want to assign to the entry in the keystore.
-file indicates the name of the certificate file you want to import.
-keystore indicates the location of the systemwide Java keystore.
-storetype indicates the type of keystore.
keytool prompts for the keystore password; the password of a cacerts file as shipped with the JDK is changeit unless it has been changed, and a site that has left it at the default should change it. Only the certificate is imported into cacerts, which is a trust store; the private key remains in mycert.pem.
To configure WebLogic for RACF authentication, use the procedure in Reconfigure WebLogic to use a Different Security Certificate
Go to the WebLogic console login screen using the HTTP (STA 2.1.x default is 7019) or HTTPS (STA 2.1.x default is 7020) port number you selected during STA installation.
https://yourHostName:PortNumber/console/
For example:
https://sta_server:7020/console/
Log in using the WebLogic administration console username and password you defined during STA installation.
In the Domain Structure section, select Security Realms.
In the Realms section, select the myrealm active link (select the name itself, not the check box).
In the Change Center section, click Lock & Edit.
Select the Providers tab.
In the Authentication Providers section, click New.
Enter the name of the authentication provider you want to add (for example, STA RacfAuthenticator), and select RacfAuthenticator in the Type menu. Click OK.
Note:
The RACF jar file should be listed in the Type menu. If it is not, stop and restart STA using the STA command. See the STA Administration Guide for command usage details.

Verify that the RACF provider is included in the Authentication Providers table. The DefaultAuthenticator and DefaultIdentityAsserter must always be the first two providers in this list.
Select the DefaultAuthenticator active link (select the name itself, not the check box).
In the Control Flag menu, select Sufficient, and then click Save.
Click the Provider Specific tab, and then click Save.
Click the Providers locator link to return to the Authentication Providers screen.
In the Authentication Providers table, select the RACF authenticator name you created above (select the name itself, not the check box).
In the Control Flag menu, select Sufficient, and then click Save.
Click the Provider Specific tab.
Enter the Host name (for example, mvshost.yourcompany.com) and Port number (for example, 8700) of the SMC HTTP server on the MVS system, and then click Save.
In the Change Center section, click Activate Changes.
Log out of the WebLogic Administration console.
Stop and restart STA using the STA command. See the STA Administration Guide for command usage details.
$ STA stop all
$ STA start all