Resource Access Control Facility Tools
The following tools and techniques help you manage the security definitions used for WebSphere® Application Server for z/OS®:
- RACF® ISPF panels for listing all the profiles in a class
- ISHELL for listing UIDs in UID or user-id order
- EXEC for listing GIDs in GID or group-id order
- EXEC for backing out RACF definitions
RACF ISPF panels
To list all profiles in a specific class, use the RACF ISPF panels. You must have RACF SPECIAL or AUDITOR authority to complete the following steps:
- Select General Resource Profiles (option 2).
- Select Search (option S or 9).
- Type in a class name.
- Press Enter two more times.
------------------------------------------------
RACF - SERVICES OPTION MENU
OPTION ===> 2
SELECT ONE OF THE FOLLOWING:
1 DATA SET PROFILES
2 GENERAL RESOURCE PROFILES
3 GROUP PROFILES AND USER-TO-GROUP CONNECTIONS
4 USER PROFILES AND YOUR OWN PASSWORD
5 SYSTEM OPTIONS
6 REMOTE SHARING FACILITY
7 DIGITAL CERTIFICATES AND KEY RINGS
99 EXIT
------------------------------------------------
-----------------------------------------------------
RACF - GENERAL RESOURCE PROFILE SERVICES
SELECT ONE OF THE FOLLOWING:
1 ADD Add a profile
2 CHANGE Change a profile
3 DELETE Delete a profile
4 ACCESS Maintain access list
5 AUDIT Monitor access attempts (Auditors only)
D or 8 DISPLAY Display profile contents
S or 9 SEARCH Search the RACF data base for profiles
-----------------------------------------------------
------------------------------------------
RACF - GENERAL RESOURCE SERVICES - SEARCH
OPTION ===>
ENTER THE FOLLOWING PROFILE INFORMATION:
CLASS ===> STARTED
PROFILE ===>
------------------------------------------
-----------------------------------
BROWSE - RACF COMMAND OUTPUT ----
COMMAND ===>
T5ACR.* (G)
T5DMN.* (G)
T5SRVNDS.* (G)
T5SRV1S.* (G)
T5SRV2S.* (G)
T5SRV3S.* (G)
WMQX*.* (G)
WSCWTRC.*
-----------------------------------
You can also obtain a list of all profiles in a class using the RACF SEARCH command: SEARCH CLASS(class_name).
Listing all user IDs in UID order
When defining new user IDs with OMVS segments in RACF, you should assign unique UIDs. WebSphere does not yet support the RACF AUTOUID function. To find unassigned (and duplicate) UIDs, use the ISPF ISHELL (option 3.4) to obtain a list of all user IDs in UID order. You must be a superuser (UID=0), and you must follow these steps:
- Select the Setup pull-down and the User list option.
- Browse the list of users.
- While browsing the list of users, select the File pull-down.
- Select the Sort UID option. (Note that a UID of -1 means that the user has no OMVS segment.)
The following example illustrates the panels involved:
----------------------------------------------------------------------------------------
File Directory Special_file Tools File_systems Options Setup Help
----------------------------------------------------------------------------------------
UNIX System Services ISPF Shell
Command ===> _______________
----------------------------------------------------------------------------------------
-----------------------------
1. User...
2. User list...
3. All users...
4. All groups...
5. Permit field access...
6. Character Special...
7. Reset UID to 847039
-----------------------------
--------------------------------------------------------------------
File Help
--------------------------------------------------------------------
User List
Command ===>
--------------------------------------------------------------------
User ID UID Group
--------------------------------------------------------------------
ADMOORE 1024996 $GUSERS /u/admoore
AHMAD 2 DFSGRP /u/ahmad
AKILOV 125406 $GUSERS /u/akilov
ALLMOND 36 DFSGRP /u/allmond
AOPUSER 99129934 AOPOPER /u/aopuser
ASTLEY 787202 DFSGRP /u/astley
A5USR 112501 A5GRP /tmp
BAGWELL 342832 DFSGRP /u/bagwell
---------------------------------------------------------------------
-----------------------------
1. Sort name
2. Sort UID
3. Sort Group
4. Print
5. Exit
-----------------------------
-----------------------------------------------
User ID UID Group
-----------------------------------------------
CBASRUH 2336 CBASRH
CBIVPH 2337 CBIVPGH
T5GUEST 2402 T5GUESG
T5ADMIN 2403 T5CFG
T5DMNU 2411 T5CFG
T5ACRNDU 2421 T5CFG
T5DMGSU 2422 T5SVRG
T5ASRNDU 2422 T5SVRG
T5ACRU 2431 T5CFG
T5ASRU 2432 T5SVRG
WSPETSC 2701 WSCNTLG
-----------------------------------------------
Listing all Group IDs in GID order
You should also assign unique GIDs to new groups. There is no system-supplied tool for listing groups in GID order (as there is for UIDs), so the following REXX exec, LISTGRP, provides one so that you can identify duplicates and assign new GIDs that are unique. Specify GID as the sole parameter to list the groups in GID order; the default is to list them in group ID (name) order. (You must have RACF SPECIAL, AUDITOR, or other specific authority.)
/* Rexx ---------------------------------------------------------- */
/* This exec uses the ISHELL bpxwirac service to display the groups */
/* with OMVS segments and their group IDs.     B. Pierce & MJ Loos  */
/* --------------------------------------------------------------- */
/* Syntax: LISTGRP Name (default) | GID                            */
/* --------------------------------------------------------------- */
order = "N"                              /* set default to name    */
Arg parm                                 /* get argument for sort order */
if Abbrev("NAME",parm,1) then order = "N"
if Abbrev("GID",parm,1)  then order = "I"
call bpxwirac "OMVSGROUP"                /* queues one "group gid" line per group on the stack */
Address ISPEXEC                          /* using ISPF table services */
if order = "N" then do                   /* already sorted by name */
   do ix=1 by 1 while queued()>0
      parse pull gname gid
      say left(gname,8) right(gid,8)
   end
end
else do                                  /* sort the results by GID */
   "TBCREATE grptable names(tbgrpnm tbgrpid) replace nowrite"
   rows = 0
   do ix=1 by 1 while queued()>0         /* populate the table */
      parse pull gname gid
      tbgrpnm = left(gname,8)
      tbgrpid = right(gid,8)             /* right-justify so the character sort orders numerically */
      "TBADD grptable"
      rows = rows + 1
   end
   "TBSORT grptable FIELDS(tbgrpid,C,A,tbgrpnm,C,A)"   /* sort it */
   "TBTOP grptable"
   do ix = 1 to rows by 1                /* display the results */
      "TBSKIP grptable"
      say tbgrpnm tbgrpid
   end
   "TBEND grptable"                      /* throw out the table */
end
say
exit 0
/***************** end of EXEC ****************************/
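LISTGRP and the ISHELL user list sort the IDs but still leave you to spot duplicates by eye (in the UID list above, UID 2422 is held by both T5DMGSU and T5ASRNDU). The following REXX exec is an added example, not part of the original page: it reads "name id" lines in the format LISTGRP prints (or a saved UID list) from an assumed DD named IDLIST, reports every ID held by more than one name, and lists the unused IDs in a range passed as arguments; the default range 2000-2999 is a constructed value.

```rexx
/* REXX - DUPIDS - flag duplicate numeric IDs and list unused ones    */
/* Added example, not from the original page. Input: DD IDLIST        */
/* (assumed allocated), one "name id" pair per line, as LISTGRP       */
/* prints or as saved from the ISHELL user list. Arguments: low and   */
/* high bound of the range to scan for free IDs (constructed default). */
Arg lo hi .
if \datatype(lo,'W') then lo = 2000
if \datatype(hi,'W') then hi = 2999
"EXECIO * DISKR IDLIST (STEM line. FINIS"
holder. = ''                     /* holder.<id> = names assigned that id */
ids = ''                         /* distinct ids, in input order         */
do i = 1 to line.0
   parse var line.i name id .
   if name = '' | \datatype(id,'W') then iterate  /* headings, rulers, blanks */
   if id < 0 then iterate        /* -1 means the user has no OMVS segment */
   id = id + 0                   /* normalise "0042" and "42" to one tail */
   if holder.id = '' then ids = ids id
   holder.id = holder.id name
end
dups = 0
do j = 1 to words(ids)
   id = word(ids,j)
   if words(holder.id) > 1 then do
      /* a shared UID 0 matters most: every holder is a superuser      */
      say 'DUPLICATE' right(id,8) 'assigned to:' holder.id
      dups = dups + 1
   end
end
if dups = 0 then say 'No duplicate ids among' words(ids) 'distinct ids.'
free = ''                        /* ids in lo..hi that nobody holds      */
do id = lo to hi                 /* keep the range small; this is linear in hi-lo */
   if holder.id = '' then free = free id
end
say 'Unused ids in' lo'-'hi':' strip(free)
exit dups                        /* return code = number of duplicates   */
```

Run it as DUPIDS 2400 2499 after saving the LISTGRP or ISHELL output to the IDLIST data set; a non-zero return code means at least one ID is shared.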
Backing out RACF Definitions
When you are setting up servers, nodes and cells (and then deleting them), it is convenient to have a simple way to delete the RACF definitions that you create in the process.
The following exec, UNDO2, reads the generated RACF commands from the BBOWBRAK member of the target .DATA partitioned data set and creates the RACF DELUSER, DELGROUP, RDELETE, and other commands that undo them, in reverse order. It expects the BBOWBRAK member to be allocated to DD RACFCMDS and writes the backout commands to DD RACFUNDO.
Before running the resulting RACF commands, review the output and delete any commands that would remove users, groups, or profiles used by other servers that you want to retain.
Tip: Be very careful not to delete users and generic profiles used by others.
/* REXX - UNDO2 - Create backout RACF commands to uninstall a server  */
/* Reads the generated RACF commands (DD RACFCMDS, the BBOWBRAK       */
/* member) into linein., parses verb and object, builds the matching  */
/* "delete/undo" command in cmdOut., then writes cmdOut. to DD        */
/* RACFUNDO in reverse order, so dependents go before their owners.   */
out = 1                      /* Output line number for stem var. cmdOut. */
"EXECIO * DISKR RACFCMDS (STEM linein. FINIS"
do in = 1 to linein.0        /* See what we read; call the appropriate rtne */
   if pos('/*',linein.in) <> 0 then iterate      /* skip comment lines    */
   if pos('say',linein.in) = 1 then iterate      /* skip say statements   */
   parse var linein.in '"' cmdVerb cmdObj '"'    /* commands are quoted   */
   select
      when cmdVerb = "ADDGROUP" then call DelGrp
      when cmdVerb = "ADDUSER"  then call DelUsr
      when cmdVerb = "CONNECT"  then call ConUsr
      when cmdVerb = "RDEFINE"  then call DelPro
      when cmdVerb = "PERMIT"   then call PerUsr
      when cmdVerb = "RACDCERT" then call RdCert
      otherwise nop                              /* nothing to undo       */
   end /* select */
end /* in=1 to n */
call WriteCmds
exit 0
/*************** Subroutines: ********************/
DelUsr:                      /* ADDUSER user ...  -> DELUSER user          */
   parse var cmdObj user .
   cmdOut.out = "DELUSER" user
   out = out + 1
   return
DelGrp:                      /* ADDGROUP group ... -> DELGROUP group       */
   parse var cmdObj group .
   cmdOut.out = "DELGROUP" group
   out = out + 1
   return
ConUsr:                      /* CONNECT user GROUP(g) ... -> REMOVE user GROUP(g) */
   parse var cmdObj user .
   parse var cmdObj 'GROUP(' grp ')'
   cmdOut.out = "REMOVE" user "GROUP("grp")"
   out = out + 1
   return
DelPro:                      /* RDEFINE class profile ... -> RDELETE class profile */
   parse var cmdObj class profile .
   cmdOut.out = "RDELETE" class profile
   out = out + 1
   return
PerUsr:                      /* PERMIT profile CLASS(c) ID(u) ACCESS(a) -> ... DELETE */
   parse var cmdObj profile class .
   parse var cmdObj 'ID(' id ')'
   cmdOut.out = "PERMIT" profile class "ID("id") DELETE"
   out = out + 1
   return
RdCert:                      /* RACDCERT GENCERT / ADDRING -> DELETE / DELRING */
   if pos('GENCERT',cmdObj) <> 0 then do
      parse var cmdObj 'WITHLABEL(' cert ')'     /* label keeps its quotes */
      parse var cmdObj owner 'GENCERT' .         /* operand before GENCERT only, */
      if pos('CERTAUTH',owner) <> 0 then         /* so SIGNWITH(CERTAUTH ...) is not mistaken for a CA cert */
         cmdOut.out = "RACDCERT CERTAUTH DELETE(LABEL("cert"))"
      else do
         parse var owner 'ID' . '(' id ')'       /* accepts ID(user) and ID (user) */
         cmdOut.out = "RACDCERT ID("id") DELETE(LABEL("cert"))"
      end
      out = out + 1
   end
   if pos('ADDRING',cmdObj) <> 0 then do
      parse var cmdObj pre 'ADDRING(' ringname ')' post
      parse value pre post with 'ID' . '(' user ')'  /* ID may precede or follow ADDRING */
      cmdOut.out = "RACDCERT DELRING("ringname") ID("user")"
      out = out + 1
   end
   return
/* Finished - write cmdOut. in reverse (LIFO) order to DD RACFUNDO ***/
WriteCmds:
   do i = out-1 to 1 by -1
      queue cmdOut.i
   end
   "EXECIO" queued() "DISKW RACFUNDO (FINIS"
   return