Configure IBM RACF Authentication Providers

Complete the following to configure IBM RACF authentication providers.

Review IBM RACF Mainframe Minimum Requirements

See the IBM RACF Mainframe Requirements for complete RACF requirements, including required PTFs that must be installed on the MVS system to configure STA authentication with RACF.

Note:

STA supports third-party security products that are compatible with IBM RACF, for example CA ACF2 and CA Top Secret. The person installing STA, or a security administrator, must issue the commands appropriate for the security product installed.

Enable Mainframe Support for STA RACF Authorization

The mainframe side of the RACF service for STA is provided by a CGI routine that is part of the StorageTek Storage Management Component (SMC) for ELS 7.0 and 7.1. This CGI routine is called by the SMC HTTP server and uses RACF profiles defined in the FACILITY class.

For STA to use RACF for access authentication, on the MVS system you must set up an SMC Started Task that runs the HTTP server. See the ELS document Configuring and Managing SMC for detailed instructions.

Note:

The SMC Started Task name must match the Jobname coded in the AT-TLS rule that has been defined. Alternatively, code a generic jobname in the AT-TLS rule (for example, SMCW).

If the task is started under a user-supplied started task identifier (for example, JOBNAME.JOB), the name AT-TLS sees does not match the rule and the CGI routine connection fails.

The port number used for the HTTP server must match the one defined in the WebLogic console, and the host must match the IP name for the host where the SMC task runs.

Note:

An existing SMC can be used if it exists on the host where RACF authorization is to be performed. In this case, use the port number of the existing HTTP server when you are performing the WebLogic configuration.

Configure AT-TLS

Application Transparent Transport Layer Security (AT-TLS) is an encryption solution for TCP/IP applications that is transparent to the application server and client. Encryption and decryption occur in the z/OS TCPIP address space at the TCP protocol level, so the SMC HTTP server itself needs no changes. AT-TLS requirements for RACF authorization are stated in the IBM RACF Mainframe Requirements.

The following RACF commands list the status of the various RACF objects that you will define in the configuration process:

  • RLIST STARTED PAGENT.* STDATA ALL

  • RLIST DIGTRING * ALL

  • RLIST FACILITY IRR.DIGTCERT.LISTRING ALL

  • RLIST FACILITY IRR.DIGTCERT.LIST ALL

  • RLIST FACILITY IRR.DIGTCERT.GENCERT ALL

  • RACDCERT ID(stcuser) LIST

  • RACDCERT ID(stcuser) LISTRING(keyringname)

  • RACDCERT CERTAUTH LIST

Use this procedure to configure AT-TLS so that traffic on the port defined to the SMC HTTP server and to WebLogic is encrypted between the mainframe and the STA server.

  1. Specify the following parameter in the TCPIP profile data set to activate AT-TLS.

    TCPCONFIG TTLS
    

    This statement may be placed in the TCP OBEY file.

  2. Configure the Policy Agent (PAGENT)

    The Policy Agent address space controls which TCP/IP traffic is encrypted.

    1. Enter the PAGENT started task JCL.

      For example:

      //PAGENT PROC
      //*
      //PAGENT EXEC PGM=PAGENT,REGION=0K,TIME=NOLIMIT,
      // PARM='POSIX(ON) ALL31(ON) ENVAR("_CEE_ENVFILE=DD:STDENV")/-d1'
      //*
      //STDENV DD DSN=pagentdataset,DISP=SHR
      //SYSPRINT DD SYSOUT=*
      //SYSOUT DD SYSOUT=*
      //*
      //CEEDUMP DD SYSOUT=*,DCB=(RECFM=FB,LRECL=132,BLKSIZE=132)
      
    2. Enter the PAGENT environment variables. The pagentdataset data set contains the PAGENT environment variables.

      For example:

      LIBPATH=/lib:/usr/lib:/usr/lpp/ldapclient/lib:.
      PAGENT_CONFIG_FILE=/etc/pagent.conf
      PAGENT_LOG_FILE=/tmp/pagent.log
      PAGENT_LOG_FILE_CONTROL=3000,2
      _BPXK_SETIBMOPT_TRANSPORT=TCPIP
      TZ=MST7MDT
      

      In this example, /etc/pagent.conf contains the PAGENT configuration parameters. Use your own time zone for the TZ parameter.

    3. Configure PAGENT.

      For example:

      TTLSRule TBI-TO-ZOS
      {
       LocalAddr localtcpipaddress
       RemoteAddr remotetcpipaddress
       LocalPortRange localportrange
       RemotePortRange remoteportrange
       Jobname HTTPserverJobname
       Direction Inbound
       Priority 255
       TTLSGroupActionRef gAct1~TBI_ICSF
       TTLSEnvironmentActionRef eAct1~TBI_ICSF
       TTLSConnectionActionRef cAct1~TBI_ICSF
      }
      TTLSGroupAction gAct1~TBI_ICSF
      {
       TTLSEnabled On
       Trace 2
      }
      TTLSEnvironmentAction eAct1~TBI_ICSF
      {
       HandshakeRole Server
       EnvironmentUserInstance 0
       TTLSKeyringParmsRef keyR~ZOS
      }
      TTLSConnectionAction cAct1~TBI_ICSF
      {
       HandshakeRole ServerWithClientAuth
       TTLSCipherParmsRef cipher1~AT-TLS__Gold
       TTLSConnectionAdvancedParmsRef cAdv1~TBI_ICSF
       CtraceClearText Off
       Trace 2
      }
      TTLSConnectionAdvancedParms cAdv1~TBI_ICSF
      {
       ApplicationControlled Off
       HandshakeTimeout 10
       ResetCipherTimer 0
       CertificateLabel certificatelabel
       SecondaryMap Off
      }
      TTLSKeyringParms keyR~ZOS
      {
       Keyring keyringname
      }
      TTLSCipherParms cipher1~AT-TLS__Gold
      {
       V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
       V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
      }
      

      where:

      • localtcpipaddress: Local TCP/IP address for the HTTP server

      • remotetcpipaddress: Remote TCP/IP address for the STA client. This can be ALL for all TCP/IP addresses

      • localportrange: Local port of HTTP server (specified in the HTTP or SMC startup)

      • remoteportrange: Remote port range (1024-65535 for all ephemeral ports)

      • HTTPserverJobname: Jobname of the HTTP Server

      • certificatelabel: Label from the certificate definition (the server certificate label, serverlabel, defined in the RACF keyring step)

      • keyringname: Name from the RACF keyring definition. AT-TLS resolves an unqualified Keyring name against the user ID of the application address space, here the SMC HTTP server; if the keyring is owned by a different user ID, code it as userid/keyringname.

      Note:

      The cipher list above includes TLS_RSA_WITH_3DES_EDE_CBC_SHA. 3DES is deprecated and should be removed wherever the STA client can negotiate an AES suite. AT-TLS offers suites in the order listed, so put the preferred suite first.

  3. Activate the RACF classes. Either the RACF panels or the command line can be used.

    The RACF classes used by the certificate and keyring definitions are:

    • DIGTCERT

    • DIGTNMAP

    • DIGTRING

      SETROPTS CLASSACT(DIGTCERT DIGTNMAP DIGTRING)
      

      The SERVAUTH class must be RACLISTed to prevent PORTMAP and RXSERV from abending.

      SETROPTS RACLIST(SERVAUTH)
      RDEFINE SERVAUTH ** UACC(ALTER) OWNER(RACFADM)
      RDEFINE STARTED PAGENT*.* OWNER(RACFADM) STDATA(USER(TCPIP) GROUP(STCGROUP))
      RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) OWNER(RACFADM)
      RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE) OWNER(RACFADM)
      RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE) OWNER(RACFADM)
      

      Note:

      The SERVAUTH ** profile with UACC(ALTER) gives every user access to any SERVAUTH resource that has no more specific profile. It prevents the abends, but it is permissive; define specific SERVAUTH profiles where your site requires them. The IRR.DIGTCERT.* profiles are defined with UACC(NONE), so the user ID under which the SMC HTTP server runs must be PERMITted READ to IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST before AT-TLS can read its keyring. After defining or changing profiles in a RACLISTed class, issue SETROPTS RACLIST(classname) REFRESH so the change takes effect.
      
  4. Define RACF Keyrings and Certificates

    1. Enter the following RACF commands to create Keyrings and certificates:

      RACDCERT ID(stcuser) ADDRING(keyringname)
      

      where:

      • stcuser: RACF user id associated with the TCPIP address space

      • keyringname: Name of the keyring, must match the Keyring specified in the PAGENT configuration

      RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('serverdomainname') O('companyname') OU('unitname') C('country')) WITHLABEL('calabel') TRUST SIZE(2048) KEYUSAGE(HANDSHAKE,DATAENCRYPT,CERTSIGN)
      

      Note:

      This is the CA certificate for the STA system. A CA certificate is owned by CERTAUTH rather than by a user ID, so this command carries no ID(stcuser). SIZE(2048) replaces the 1024-bit key size that was once common; 1024-bit RSA keys are no longer considered adequate. RACDCERT GENCERT defaults to a validity of one year; specify NOTAFTER(DATE(yyyy-mm-dd)) if you do not want AT-TLS connections to start failing when the certificate expires.

      where:

      • serverdomainname: Domain name of the z/OS server (for example, MVSA.COMPANY.COM)

      • companyname: Organization name

      • unitname: Organizational unit name

      • country: Country

      • calabel: Label for certificate authority (for example, CATBISERVER)

      RACDCERT ID(stcuser) GENCERT SUBJECTSDN(CN('serverdomainname') O('companyname') OU('unitname') C('country')) WITHLABEL('serverlabel') TRUST SIZE(2048) SIGNWITH(CERTAUTH LABEL('calabel'))
      

      Note:

      This is the SERVER certificate.

      where:

      • stcuser: RACF user id associated with the TCPIP address space

      • serverdomainname: Domain name of the z/OS server (for example, MVSA.COMPANY.COM)

      • companyname: Organization name

      • unitname: Organizational unit name

      • country: Country

      • serverlabel: Label for the server certificate (for example, TBISERVER)

      • calabel: Label for certificate authority, specified in the CA certificate definition

      RACDCERT ID(stcuser) GENCERT SUBJECTSDN(CN('clientdomainname') O('companyname') OU('unitname') C('country')) WITHLABEL('clientlabel') TRUST SIZE(2048) SIGNWITH(CERTAUTH LABEL('calabel'))
      

      Note:

      This is the CLIENT certificate.

      where:

      • stcuser: RACF user id associated with the TCPIP address space

      • clientdomainname: Domain name of the STA client (for example, TBIA.COMPANY.COM)

      • companyname: Organization name

      • unitname: Organizational unit name

      • country: Country

      • clientlabel: Label for the client certificate (for example, TBICLIENT)

      • calabel: Label for certificate authority, specified in the CA certificate definition.

    2. Connect the CA, SERVER, and CLIENT certificates to the keyring specified in the PAGENT configuration:

      RACDCERT ID(stcuser) CONNECT(CERTAUTH LABEL('calabel') RING('keyringname') USAGE(CERTAUTH))
      

      where:

      • stcuser: RACF user id associated with the TCPIP address space

      • calabel: Label for certificate authority, specified in the CA certificate definition

      • keyringname: Name of the keyring, must match the Keyring specified in the PAGENT configuration

      RACDCERT ID(stcuser) CONNECT(ID(stcuser) LABEL('serverlabel') RING('keyringname') DEFAULT USAGE(PERSONAL))
      

      where:

      • stcuser: RACF user id associated with the TCPIP address space

      • serverlabel: Label for the server certificate

      • keyringname: Name of keyring, must match the Keyring specified in the PAGENT configuration

      RACDCERT ID(stcuser) CONNECT(ID(stcuser) LABEL('clientlabel') RING('keyringname') USAGE(PERSONAL))
      

      where:

      • stcuser: RACF user id associated with the TCPIP address space

      • clientlabel: Label for the client certificate

      • keyringname: Name of keyring, must match the Keyring specified in the PAGENT configuration

    3. Export the CA and client certificates to be transmitted to STA:

      RACDCERT CERTAUTH EXPORT(LABEL('calabel')) DSN('datasetname') FORMAT(CERTB64)
      

      where:

      • calabel: Label for certificate authority, specified in the CA certificate definition

      • datasetname: Data set to receive the exported certificate

      RACDCERT ID(stcuser) EXPORT(LABEL('clientlabel')) DSN('datasetname') FORMAT(PKCS12DER) PASSWORD('password')
      

      where:

      • clientlabel: Label for the client certificate

      • stcuser: RACF user id associated with the TCPIP address space

      • datasetname: Data set to receive the exported certificate

      • password: Password used to encrypt the exported private key. It is needed when the certificate is received on STA, and it must be eight characters or more. Because the PKCS12DER export contains the client private key, treat both the data set and the password as secrets: restrict access to the data set, and give the password to the STA administrator separately from the file.

The export data sets are now transmitted to STA; FTP can be used. Transfer the CA certificate as text, with EBCDIC to ASCII conversion. Transfer the CLIENT certificate as a BINARY file; it contains both the client certificate and its private key. Prefer a transfer method that encrypts the session (FTP with TLS, or SFTP) and delete the exported data sets from the mainframe once the files have arrived.
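The TTLSCipherParms in the PAGENT configuration above allows TLS_RSA_WITH_3DES_EDE_CBC_SHA, a 3DES suite that is deprecated. The following is an added example and not part of the STA documentation: the environment action and connection action from that configuration rewritten to offer only AES suites and to restrict the protocol to TLS 1.2. The names cipher2~AES_TLS12 and eAdv1~TBI_ICSF are assumed, and the TLSv1.1 and TLSv1.2 statements need a z/OS level whose AT-TLS supports them and an STA client able to negotiate TLS 1.2. The other statements in the rule are unchanged.

```text
# Added example, not from the STA documentation. Replaces eAct1~TBI_ICSF,
# cAct1~TBI_ICSF and cipher1~AT-TLS__Gold in the PAGENT configuration above.
# Assumed names: cipher2~AES_TLS12, eAdv1~TBI_ICSF.
TTLSEnvironmentAction eAct1~TBI_ICSF
{
 HandshakeRole Server
 EnvironmentUserInstance 0
 TTLSKeyringParmsRef keyR~ZOS
 TTLSEnvironmentAdvancedParmsRef eAdv1~TBI_ICSF
}
TTLSEnvironmentAdvancedParms eAdv1~TBI_ICSF
{
 # Disable every protocol version below TLS 1.2.
 SSLv2 Off
 SSLv3 Off
 TLSv1 Off
 TLSv1.1 Off
 TLSv1.2 On
 # Required is the default for ServerWithClientAuth; stated so that it is
 # visible in the policy: a client without a valid certificate is refused.
 ClientAuthType Required
}
TTLSConnectionAction cAct1~TBI_ICSF
{
 HandshakeRole ServerWithClientAuth
 TTLSCipherParmsRef cipher2~AES_TLS12
 TTLSConnectionAdvancedParmsRef cAdv1~TBI_ICSF
 CtraceClearText Off
 Trace 2
}
TTLSCipherParms cipher2~AES_TLS12
{
 # Preferred suite first; no 3DES, no RC4, no NULL ciphers.
 V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
 V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
 V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}
```

If the STA client can negotiate only TLS 1.0, keep TLSv1 On and drop the two SHA256 suites; TLS_RSA_WITH_AES_128_CBC_SHA is valid under both TLS 1.0 and TLS 1.2, so it can stay in either case. After changing the policy, refresh the Policy Agent (for example with F PAGENT,REFRESH) and confirm the negotiated suite in the AT-TLS trace before removing the old suites for good.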

Create the RACF Profiles Used by the CGI Routine

The profiles are defined in the FACILITY class. The first of the profiles is called SMC.ACCESS.STA and determines whether a user has access to the STA application.

A user who requires access to STA must have READ access to this profile. The other profiles are all shown as SMC.ROLE.nnn and are used to determine which roles the user has once logged on.

Note:

The only role defined to STA is StorageTapeAnalyticsUser. To obtain this role, you must request your user ID to be added to the SMC.ROLE.STORAGETAPEANALYTICSUSER profile with READ access.
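The page states the access rule but not the commands that implement it. As an added example, not taken from the STA or ELS documentation, these RACF commands define the two FACILITY profiles and grant READ access to a group. RACFADM is the owner used elsewhere on this page; STAUSERS is an assumed RACF group holding the STA users, and the FACILITY class is assumed to be RACLISTed at your site:

```text
RDEFINE FACILITY SMC.ACCESS.STA UACC(NONE) OWNER(RACFADM)
RDEFINE FACILITY SMC.ROLE.STORAGETAPEANALYTICSUSER UACC(NONE) OWNER(RACFADM)
PERMIT SMC.ACCESS.STA CLASS(FACILITY) ID(STAUSERS) ACCESS(READ)
PERMIT SMC.ROLE.STORAGETAPEANALYTICSUSER CLASS(FACILITY) ID(STAUSERS) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY SMC.ACCESS.STA AUTHUSER
RLIST FACILITY SMC.ROLE.STORAGETAPEANALYTICSUSER AUTHUSER
SEARCH CLASS(FACILITY) MASK(SMC.)
```

UACC(NONE) means that access comes only from explicit PERMIT entries. Connect users to the STAUSERS group instead of permitting user IDs one by one, so that removing a user from the group removes both the login and the role. RLIST with AUTHUSER shows the resulting access list, and SEARCH with the SMC. mask lists every profile the CGI routine can consult, which is the quickest way to spot a misspelled role profile.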

Import the Certificate File and Private Key File (optional)

Verify that public and private keys have been generated successfully and that user IDs and passwords with the appropriate permissions have been defined correctly.

The test can be done using any browser, but Firefox is used here as an example.

  1. In the Firefox Tools menu, select Options.

  2. Select the Advanced tab, and then select the Encryption tab.

  3. Click View Certificates.

  4. In the Certificate Manager dialog box, select the Authorities tab, and then click Import.

  5. Select the exported CA certificate file to import.

  6. Select the Your Certificates tab, and then click Import.

  7. Select the exported PKCS#12 file (client certificate and private key) to import, and enter the password that was set when it was exported.

  8. Click OK to save and exit the dialog box.

Test the CGI Routine

Test the CGI routine from a browser.

  1. Open a browser window, and enter the following URL, where host, port, userid, and password are set to appropriate values.

    https://host:port/smcgsaf?type=authentication&userid=userid&password=password&roles=StorageTapeAnalyticsUser
    

    The resulting output indicates whether the user is authorized to access STA and holds the StorageTapeAnalyticsUser role. Because the user ID and password are passed in the URL query string, they remain in the browser history and may be recorded in HTTP server logs; run this test with a test user ID, clear the browser history afterwards, and never run it over a port that is not protected by AT-TLS.

    Note:

    The STA RACF authorization facility does not support changing the password of mainframe user IDs. If a user ID password expires, STA indicates this, and the password must be reset through normal mainframe channels before attempting to log in to STA again.

Set Up RACF/SSP for the WebLogic Console

The RACF Security Service Provider (RACF SSP) must be installed as a WebLogic plug-in. If the RACF SSP has been installed, the STA installer should have placed it in the appropriate location within WebLogic.

If it is not there already, place the RACF SSP in the proper location.

  1. Place the RACF security jar file, staRACF.jar, in the mbeantypes directory so that its full path is:

    /Oracle_storage_home/Middleware/wlserver_10.3/server/lib/mbeantypes/staRACF.jar

    where Oracle_storage_home is the Oracle storage home location specified during STA installation.

Configure SSL Between STA and RACF

Install the MVS security certificate on the STA server and import it into the systemwide Java keystore.

  1. Verify that the required PTFs have been installed on the MVS system. These PTFs allow for authentication with RACF or other third-party security software when you log in to the STA application. See Review IBM RACF Mainframe Minimum Requirements for details.

  2. Obtain the following files:

    • MVS CA certificate, exported in CERTB64 (ASCII) format

    • STA client private key, in binary PKCS12 format; the MVS system administrator should give you the password to this file.

  3. Transfer the files to the STA server, and place them in the certificates directory. The directory location is as follows:

    /Oracle_storage_home/Middleware/user_projects/domains/TBI/cert

    where Oracle_storage_home is the Oracle storage home location specified during STA installation.

  4. Extract the certificate from the PKCS#12 file into Privacy Enhanced Mail (PEM) format. For example:

    $ openssl pkcs12 -clcerts -in PKCS12DR.xxxxxx -out mycert.pem
    

    Where:

    • pkcs12 indicates PKCS#12 data management.

    • -clcerts outputs client certificates only (not the CA certificates contained in the file).

    • -in specifies the input file.

    • -out specifies the output file.

    You will be asked to enter the import password (the password set when the certificate was exported from RACF), then a new PEM pass phrase and its verification. The pass phrase protects the private key, which is written to the output file together with the certificate. If you need only the certificate, which is all keytool imports in the next steps, add -nokeys; no pass phrase is then requested and the private key never leaves the PKCS#12 file.

  5. Change to the JRE binary directory. The directory location is as follows:

    /Oracle_storage_home/StorageTek_Tape_Analytics/jdk/jre/bin

    where Oracle_storage_home is the Oracle storage home location specified during STA installation.

    For example:

    $ cd /Oracle/StorageTek_Tape_Analytics/jdk/jre/bin
    
  6. Use the Java keytool utility to import the certificate file into the systemwide Java keystore. keytool prompts for the keystore password; a JDK ships cacerts with the default password changeit, which should have been changed on a production server. The keystore is located in the following file:

    /Oracle_storage_home/StorageTek_Tape_Analytics/jdk1.6.0_xx/jre/lib/security/cacerts

    For example:

    $ ./keytool -importcert -alias tbiServer -file mycert.pem -keystore /Oracle/StorageTek_Tape_Analytics/jdk1.6.0_75/jre/lib/security/cacerts -storetype jks
    

    Where:

    • -importcert indicates you want to import a certificate.

    • -alias indicates the name you want to assign to the entry in the keystore.

    • -file indicates the name of the certificate file you want to import.

    • -keystore indicates the location of the systemwide Java keystore.

    • -storetype indicates the type of keystore.
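Before the conversion in step 4 and the import in step 6, it is worth confirming that what arrived from the mainframe is usable: that the PKCS#12 file opens with the password you were given, that the client certificate it holds was signed by the CA whose certificate you also received, and that the private key in the file matches that certificate. The following script is an added example for the STA server side and is not part of the STA documentation or of Oracle's software. It assumes the CERTB64 export has been saved as a PEM text file and the PKCS12DER export transferred in binary mode; the file names, the P12_PASS and P12_LEGACY variables, and the sample material it generates for an offline run are all placeholders, not values from the page.

```shell
#!/bin/sh
# Added example for the STA server side (not part of the STA documentation or
# of Oracle's software): sanity-check the RACF exports before importing them.
# Assumptions, all placeholders rather than values from the documentation:
#   - the CERTB64 export of the CA certificate arrived as text (ca.pem)
#   - the PKCS12DER export of the client certificate arrived in binary mode
#   - the PKCS#12 password is supplied in the P12_PASS environment variable
#   - P12_LEGACY=1 adds -legacy for OpenSSL 3 if the file was wrapped with an
#     algorithm that now lives in the legacy provider (RC2, 40-bit ciphers)

# Write only the client certificate (no private key, no CA certificates) to a
# PEM file; keytool -importcert needs nothing more than that. The password is
# passed through the environment (-passin env:) so it is not visible in ps.
extract_client_cert() {
    p12=$1; pw=$2; out=$3
    P12_PASS=$pw openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        ${P12_LEGACY:+-legacy} -clcerts -nokeys -out "$out" 2>/dev/null
}

# Return 0 only if the PKCS#12 file opens with the password, its certificate
# chains to the exported CA, and the private key inside the file belongs to
# that certificate. On success print subject, expiry date and the SHA-256
# fingerprint, which should match `keytool -list -v` output after the import.
verify_client_bundle() {
    p12=$1; pw=$2; ca=$3; out=$4
    extract_client_cert "$p12" "$pw" "$out" || {
        echo "cannot open $p12: wrong password, or retry with P12_LEGACY=1" >&2; return 1; }
    openssl verify -CAfile "$ca" "$out" >/dev/null 2>&1 || {
        echo "certificate in $p12 does not chain to $ca" >&2; return 1; }
    # Compare the SubjectPublicKeyInfo from the certificate with the one derived
    # from the private key; the key is piped and never written to disk in clear.
    cert_pub=$(openssl x509 -in "$out" -noout -pubkey 2>/dev/null)
    key_pub=$(P12_PASS=$pw openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        ${P12_LEGACY:+-legacy} -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "private key in $p12 does not match its certificate" >&2; return 1; }
    openssl x509 -in "$out" -noout -subject -enddate -fingerprint -sha256
}

# Constructed sample input so the checks can be exercised offline: a throwaway
# CA, a client certificate it signed, and a PKCS#12 bundle laid out like a RACF
# export (client certificate, its key, and the CA certificate). A second,
# unrelated CA shows that the wrong CA file is rejected. Test material only.
make_sample_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/C=US/O=COMPANY/OU=UNIT/CN=MVSA.COMPANY.COM" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/O=COMPANY/OU=UNIT/CN=TBIA.COMPANY.COM" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/client.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/client.pem" 2>/dev/null
    P12_PASS=secret123 openssl pkcs12 -export -name TBICLIENT -inkey "$d/client.key" \
        -in "$d/client.pem" -certfile "$d/ca.pem" -passout env:P12_PASS \
        -out "$d/client.p12" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/C=US/O=OTHER/CN=OTHER.COMPANY.COM" \
        -keyout "$d/other.key" -out "$d/other-ca.pem" 2>/dev/null
}

# Usage: P12_PASS=... sh verify-racf-export.sh client.p12 ca.pem client-cert.pem
if [ $# -eq 3 ]; then
    verify_client_bundle "$1" "${P12_PASS:?set P12_PASS to the PKCS#12 password}" "$2" "$3"
fi
```

The certificate-only PEM that verify_client_bundle writes is the file to hand to keytool -importcert; keeping the private key out of it means the key stays inside the password-protected PKCS#12 file. If OpenSSL 3 reports an unsupported or unknown algorithm when opening a file exported by RACF, set P12_LEGACY=1 so that -legacy is added to the pkcs12 calls.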

Configure the WebLogic Server

To configure WebLogic for RACF authentication, use the procedure in Reconfigure WebLogic to use a Different Security Certificate.

Install RACF/SSP on the WebLogic Console

  1. Go to the WebLogic console login screen using the HTTP (STA 2.1.x default is 7019) or HTTPS (STA 2.1.x default is 7020) port number you selected during STA installation.

    https://yourHostName:PortNumber/console/
    

    For example:

    https://sta_server:7020/console/
    
  2. Log in using the WebLogic administration console username and password you defined during STA installation.

  3. In the Domain Structure section, select Security Realms.

  4. In the Realms section, select the myrealm active link (select the name itself, not the check box).

  5. In the Change Center section, click Lock & Edit.

  6. Select the Providers tab.

  7. In the Authentication Providers section, click New.

  8. Enter the name of the authentication provider you want to add (for example, STA RacfAuthenticator), and select RacfAuthenticator in the Type menu. Click OK.

    Note:

    The RACF jar file should be listed in the Type menu. If it is not, stop and restart STA using the STA command. See the STA Administration Guide for command usage details.
  9. Verify the RACF provider is included in the Authentication Providers table. The DefaultAuthenticator and DefaultIdentityAsserter must always be the first two providers in this list.

  10. Select the DefaultAuthenticator active link (select the name itself, not the check box).

  11. In the Control Flag menu, select Sufficient, and then click Save.

  12. Click the Provider Specific tab, and then click Save.

  13. Click the Providers locator link to return to the Authentication Providers screen.

  14. In the Authentication Providers table, select the RACF authenticator name you created in Step 8 (select the name itself, not the check box).

  15. In the Control Flag menu, select Sufficient, and then click Save. Sufficient means that a successful authentication by this provider is enough to log the user in and the remaining providers are not consulted, while a failure passes the attempt on to the next provider. With both the DefaultAuthenticator and the RACF authenticator set to Sufficient, a user can log in with either a WebLogic account or a RACF user ID.

  16. Click the Provider Specific tab.

  17. Enter the Host name (for example, mvshost.yourcompany.com) and Port number (for example, 8700) where the MVS system is running, and then click Save.

  18. In the Change Center section, click Activate Changes.

  19. Log out of the WebLogic Administration console.

  20. Stop and restart STA using the STA command. See the STA Administration Guide for command usage details.

    $ STA stop all
    $ STA start all