F Configuring RACF Starter User ID and Access for Voyager Agent and Pioneer Agent Started Tasks

The Pioneer started task no longer supports or requires the RACF userid attribute SPECIAL. A normal RACF userid, as shown below, can be used.

There are various modes that you can use. The modes and the RACF definitions each one requires are shown below. Note that the normal (non-secure) RACF userid in these definitions is PIONEER; the secure userid that performs the RACF API calls is the one that needs SPECIAL.

Note:

Depending on your requirement, select one of the following three modes:

  • Mode 1:

    SECURE_ID=YES,DEFAULT=YES

    This mode uses the RACF userid IDFAGNT as the default secure userid. IDFAGNT must have the SPECIAL attribute coded.

    This is the default Pioneer control file parameter: SECURE_ID=YES,DEFAULT=YES

    • ADDGROUP SECGRP
    • ADDUSER PIONEER NAME(PIONEER) DFLTGRP(SECGRP) NOPASS NOPHRASE
    • ADDUSER IDFAGNT NAME(DEFAULT-ID) DFLTGRP(SECGRP) NOPASS NOPHRASE SPECIAL
    • PW USER(PIONEER) NOINTERVAL
    • ALU PIONEER AUDITOR

      This is used for list type commands like LISTUSER, LISTGRP, and other similar commands.

    • RDEFINE FACILITY IDFADMIN.CMD UACC(NONE)
    • PERMIT IDFADMIN.CMD ID(PIONEER) ACCESS(READ)
    • CONNECT PIONEER GROUP(grpname)

      The grpname must be the same group name used for FTPD. It must have an OMVS segment and a PERMIT for BPX.DAEMON; without these the Pioneer RACF userid fails at startup as shown below:

      0090 IDMP006I - PIONEER DETECTS DEBUGGING IS ACTIVE
      0090 IDMP011I - PIONEER DETECTS CPUID 1006112064
      0090 IDMP012I - PIONEER DETECTS SYSPLEX SYSNAME ADCD113S
      0090 IDMP013I - PIONEER DETECTS LPARNAME AS SYST
      0090 IDMP014I - PIONEER DETECTS COUNTRY CODE OF US
      0090 IDMP009I - PIONEER DETECTS ENCRYPTION ENABLED
      0090 IDMP016I - PIONEER APF LIBRARY IS GOOD
      0281 ICH408I JOB(PIONEER ) STEP(PIONEER ) CL(PROCESS ) 251
      0281 OMVS SEGMENT NOT DEFINED
      0090 IDMP402I PIONEER HAS NO OPEN SOCKETS
      0090 IDMP402I PIONEER DID NOT OPEN TCPIP API
      0090 IDMP402I PIONEER IS ENDING DUE TO ERRORS
      0090 IDMP402I PIONEER - REVIEW SYSLOG OR PARMOUT
      0090 IDMP402I PIONEER ENDS RC= 100
      0090 IEF404I PIONEER - ENDED - TIME=10.26.13
      0281 $HASP395 PIONEER ENDED
      0281 IEA989I SLIP TRAP ID=X33E MATCHED. JOBNAME=*UNAVAIL, ASID=0037.
  • Mode 2:

    SECURE_ID=YES,DEFAULT=NO,ENCRYPT=NO,ID=IDMSECU

    This mode uses the RACF userid named in ID= (IDMSECU in this example) for all RACF API calls; SPECIAL must be coded on that RACF userid.

    Using a user-defined RACF secure id:

    The Pioneer parameter is SECURE_ID=YES,DEFAULT=NO,ENCRYPT=NO,ID=IDMSECU

    • ADDGROUP SECGRP
    • ADDUSER PIONEER NAME(PIONEER) DFLTGRP(SECGRP) NOPASS NOPHRASE
    • PW USER(PIONEER) NOINTERVAL
    • ALU PIONEER AUDITOR

      This is used for list type commands like LISTUSER, LISTGRP, and other similar commands.

    • ADDUSER IDMSECU NAME('SECURE-ID') DFLTGRP(SECGRP) NOPASS NOPHRASE SPECIAL
    • RDEFINE FACILITY IDFADMIN.CMD UACC(NONE)
    • PERMIT IDFADMIN.CMD ID(PIONEER) ACCESS(READ)
    • See Pioneer CONNECT above
  • Mode 3:

    SECURE_ID=YES,DEFAULT=NO,ENCRYPT=YES

    This mode uses a RACF userid that was encrypted with the new IDFSECUT program. The encrypted RACF userid is used for all RACF API calls.

    Using an encrypted RACF userid:

    The Pioneer parameter is SECURE_ID=YES,DEFAULT=NO,ENCRYPT=YES

    • ADDGROUP SECGRP
    • ADDUSER PIONEER NAME(PIONEER) DFLTGRP(SECGRP) NOPASS NOPHRASE
    • PW USER(PIONEER) NOINTERVAL
    • ALU PIONEER AUDITOR

      This is used for list type commands like LISTUSER, LISTGRP, and other similar commands.

    • ADDUSER <your-secure-id-that-was-encrypted> NAME('SECURE-ID') DFLTGRP(SECGRP) NOPASS NOPHRASE SPECIAL
    • RDEFINE FACILITY IDFADMIN.CMD UACC(NONE)
    • PERMIT IDFADMIN.CMD ID(PIONEER) ACCESS(READ)
    • See Pioneer CONNECT above

    You can encrypt and decrypt the RACF userid, and implement the SECUREID process. To do so, perform the following procedures:

    • Procedure to encrypt the RACF userid:

      Execute IDFSECUT using the sample JCL below, which is supplied in the distribution JCLLIB as member SECUTLE (the JCL for the encryption utility). The data set on the DFLEOUT ddname must be the same data set that Pioneer allocates on its //SECUREID ddname. Only the PARM values need to change: ID=XXXXX is the RACF userid to be encrypted.

      //IDFSECUT JOB SYSTEMS,MSGLEVEL=(1,1),
      //   MSGCLASS=X,CLASS=A,PRTY=8,
      //       NOTIFY=&SYSUID,REGION=4096K
      //* ID=XXXXX IS THE RACF USER THAT HAS SPECIAL ATTRIBUTES
      //* FOR USE WITH PIONEER
      //STEP1    EXEC PGM=IDFSECUT,PARM='ID=XXXXX,FUNC=ENCRYPT'
      //STEPLIB  DD   DSN=<YOURHLQ>.PROD.LOADLIB,DISP=SHR
      //DFLEOUT  DD   DSN=<YOURHLQ>.SECUREID.FILE,DISP=SHR
      //LINEOUT  DD   SYSOUT=*
      //SYSPRINT DD   SYSOUT=*
    • Procedure to decrypt the RACF userid:

      Execute IDFSECUT using the sample JCL below, which is supplied in the distribution JCLLIB as member SECUTLE (the JCL for the encryption utility). The data set on the DFLEOUT ddname must be the same data set that Pioneer allocates on its //SECUREID ddname. Only the PARM values differ from the encryption run: ID=NONE with FUNC=DECRYPT displays the RACF userid currently contained in the SECUREID file.

      //IDFSECUT JOB SYSTEMS,MSGLEVEL=(1,1),
      //   MSGCLASS=X,CLASS=A,PRTY=8,
      //       NOTIFY=&SYSUID,REGION=4096K
      //* ID=NONE IS TO VERIFY WHAT RACF USER ID IS CONTAINED IN
      //* THE SECUREID FILE
      //STEP1    EXEC PGM=IDFSECUT,PARM='ID=NONE,FUNC=DECRYPT'
      //STEPLIB  DD   DSN=<YOURHLQ>.PROD.LOADLIB,DISP=SHR
      //DFLEOUT  DD   DSN=<YOURHLQ>.SECUREID.FILE,DISP=SHR
      //LINEOUT  DD   SYSOUT=*
      //SYSPRINT DD   SYSOUT=*
    • Procedure to implement the SECUREID process:
      • Select the RACF userid that is to perform the Pioneer RACF API calls to R_admin.
      • Define it to RACF as shown in Mode 3 above.
      • Encrypt it using IDFSECUT as shown in the encryption procedure above.
      • Start Pioneer.

        Pioneer reads the SECURE_ID file and stores the encrypted id.

        When Pioneer receives a RACF command, it first checks access to the RACF facility 'MYADMN.CMD'. If access is granted, Pioneer decrypts the stored id and uses it for all RACF calls.
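As an added check that is not part of the connector or its documentation, the following Python scans a Pioneer started-task SYSLOG excerpt for the ICH408I and IDMP402I symptoms shown under Mode 1 and reports the RACF fix the text prescribes; the sample log lines are constructed from that excerpt.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abbreviated copy of the SYSLOG excerpt shown under Mode 1.
SAMPLE_LOG = """\
0090 IDMP016I - PIONEER APF LIBRARY IS GOOD
0281 ICH408I JOB(PIONEER ) STEP(PIONEER ) CL(PROCESS ) 251
0281 OMVS SEGMENT NOT DEFINED
0090 IDMP402I PIONEER HAS NO OPEN SOCKETS
0090 IDMP402I PIONEER ENDS RC= 100
"""

# ICH408I header carries job, step and resource class; the reason text is on the next line.
ICH408I = re.compile(r"ICH408I JOB\((\S+)\s*\) STEP\((\S+)\s*\) CL\((\S+)\s*\)")
ENDS_RC = re.compile(r"IDMP402I PIONEER ENDS RC=\s*(\d+)")

@dataclass
class Diagnosis:
    job: Optional[str] = None
    resource_class: Optional[str] = None
    reason: Optional[str] = None
    rc: Optional[int] = None
    findings: List[str] = field(default_factory=list)

def analyze_pioneer_log(text: str) -> Diagnosis:
    """Scan SYSLOG lines (console-id prefix, then message) for the Mode 1 failure pattern."""
    d = Diagnosis()
    lines = [ln.rstrip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        m = ICH408I.search(ln)
        if m:
            d.job, _step, d.resource_class = m.groups()
            if i + 1 < len(lines):  # continuation line carries the RACF reason text
                d.reason = lines[i + 1].split(" ", 1)[-1].strip()
        m = ENDS_RC.search(ln)
        if m:
            d.rc = int(m.group(1))
    if d.reason and "OMVS SEGMENT NOT DEFINED" in d.reason:
        d.findings.append(
            f"userid {d.job} has no OMVS segment: CONNECT {d.job} to the group used for FTPD "
            "(OMVS segment plus PERMIT on BPX.DAEMON), as in the Mode 1 CONNECT step")
    if d.rc not in (None, 0):
        d.findings.append(f"Pioneer ended with RC={d.rc}: review SYSLOG or PARMOUT before restarting")
    return d

if __name__ == "__main__":
    for finding in analyze_pioneer_log(SAMPLE_LOG).findings:
        print(finding)
```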

The following steps are common to all three modes and are required whichever mode you use. Perform them after you select the mode:

  1. The RACF STARTED class profile for Pioneer must be defined as shown below in order to start Pioneer:
    RDEF STARTED PIONEER.* UACC(NONE) OWNER(xxxxxxx)
    RALT STARTED PIONEER.* AUDIT(FAILURES(READ))
    RALT STARTED PIONEER.* STDATA(USER(PIONEER) GROUP(SYS1) PRIVILEGED(NO) TRACE(NO))
  2. Pioneer (Other RACF definitions):
    RDEFINE FACILITY IRR.RADMIN.* UACC(NONE)
    PERMIT IRR.RADMIN.* CLASS(FACILITY) ID(<your-RACF-non-secure-id>) ACCESS(READ)
    ADDSD '<yourhlq>.CONTROL.FILE' UACC(NONE)
    PERMIT '<yourhlq>.CONTROL.FILE' ID(<your-RACF-non-secure-id>) ACCESS(READ)
    ADDSD '<yourhlq>.REXXOUT.FILE' UACC(NONE)
    PERMIT '<yourhlq>.REXXOUT.FILE' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
    ADDSD '<yourhlq>.RECON.FILE' UACC(NONE)
    PERMIT '<yourhlq>.RECON.FILE' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
    ADDSD '<yourhlq>.RECON.LIBRARY' UACC(NONE)
    PERMIT '<yourhlq>.RECON.LIBRARY' ID(<your-RACF-non-secure-id>) ACCESS(READ)
    ADDSD '<yourhlq>.IMPORTU.FILE' UACC(NONE)
    PERMIT '<yourhlq>.IMPORTU.FILE' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
    ADDSD '<yourhlq>.IMPORTG.FILE' UACC(NONE)
    PERMIT '<yourhlq>.IMPORTG.FILE' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
    ADDSD '<yourhlq>.ALIAS.LSTOUT' UACC(NONE)
    PERMIT '<yourhlq>.ALIAS.LSTOUT' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)
    ADDSD '<yourhlq>.IDCAMS.CTL' UACC(NONE)
    PERMIT '<yourhlq>.IDCAMS.CTL' ID(<your-RACF-non-secure-id>) ACCESS(UPDATE)