Setting up profiles in RACF

To build a RACF key ring in the RACF database that is suitable for use in a CICS region, you must grant access to the appropriate profiles in the FACILITY class.

About this task

You must grant this access only to users who administer CICS systems, not to general CICS users. The following profiles are required, at the access levels shown:
CONTROL
  • IRR.DIGTCERT.GENCERT (to allow certificates to be signed by a CERTAUTH certificate)
  • IRR.DIGTCERT.ADD on first execution (to allow a CERTAUTH certificate to be generated)
  • IRR.DIGTCERT.CONNECT (to connect CERTAUTH certificates for other users)
UPDATE
  • IRR.DIGTCERT.CONNECT (to connect CERTAUTH certificates to your key ring)
  • IRR.DIGTCERT.* (to manage certificates for other users)
READ
  • IRR.DIGTCERT.* (to manage certificates for your own user ID)
IRR.DIGTCERT.* contains the wildcard asterisk and is intended as a generic profile. To allow generic profiles to be created in the FACILITY class and to set up these profiles, complete the following procedure:

Procedure

  1. Issue the command SETROPTS GENERIC(FACILITY).
  2. Issue the following commands:
    RDEFINE FACILITY(IRR.DIGTCERT.*)
    RDEFINE FACILITY(IRR.DIGTCERT.ADD)
    RDEFINE FACILITY(IRR.DIGTCERT.CONNECT)
    RDEFINE FACILITY(IRR.DIGTCERT.GENCERT)
  3. Depending on whether the FACILITY class is RACLISTed, issue one of the following commands:
    SETROPTS RACLIST(FACILITY) REFRESH  (if the FACILITY class is RACLISTed)
    SETROPTS GENERIC(FACILITY) REFRESH  (if it is not)
  4. To permit a user ID or group (ringuser in this example) to use the commands contained in DFH$RING, issue the following commands:
    PERMIT IRR.DIGTCERT.*       CLASS(FACILITY) ID(ringuser) ACCESS(READ)
    PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(ringuser) ACCESS(UPDATE)   (for self)
    PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(ringuser) ACCESS(CONTROL)  (for another user)
    PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(ringuser) ACCESS(CONTROL)
    DFH$RING is the sample that is provided with CICS to help you set up a suitable key ring.
  5. You must give the first user of DFH$RING, certauser, authority to create a certificate authority certificate:
      PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(certauser) ACCESS(CONTROL) 
    This certificate is then used to sign all the other certificates created by DFH$RING.
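The whole procedure as one batch TSO job, added here as an example; it is not from the CICS documentation or the DFH$RING sample. It assumes the FACILITY class is RACLISTed (so the RACLIST REFRESH form is used), uses the constructed placeholder IDs RINGUSER and CERTAUSR (RACF user and group IDs are limited to eight characters, so the page's certauser is shortened), grants RINGUSER the UPDATE form of IRR.DIGTCERT.CONNECT (connecting to its own key ring), makes the default UACC(NONE) explicit on each RDEFINE, and ends with RLIST ... AUTHUSER so that the resulting access lists can be checked against the rule that only CICS administrators hold this access. The JOB accounting field ACCT is a placeholder.

```jcl
//RACFRING JOB (ACCT),'CICS KEYRING PROFILES',CLASS=A,MSGCLASS=X
//* Added example (not CICS-supplied): define and permit the FACILITY
//* profiles that DFH$RING needs, then list their access lists.
//* RINGUSER and CERTAUSR are constructed placeholder IDs.
//* Assumes the FACILITY class is RACLISTed. If it is not, replace the
//* SETROPTS RACLIST(FACILITY) REFRESH with SETROPTS GENERIC(FACILITY)
//* REFRESH.
//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
SETROPTS GENERIC(FACILITY)
RDEFINE FACILITY IRR.DIGTCERT.* UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
PERMIT IRR.DIGTCERT.* CLASS(FACILITY) ID(RINGUSER) ACCESS(READ)
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(RINGUSER) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(RINGUSER) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(CERTAUSR) ACCESS(CONTROL)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY IRR.DIGTCERT.* AUTHUSER
RLIST FACILITY IRR.DIGTCERT.ADD AUTHUSER
RLIST FACILITY IRR.DIGTCERT.CONNECT AUTHUSER
RLIST FACILITY IRR.DIGTCERT.GENCERT AUTHUSER
/*
```

The refresh is placed after the PERMIT commands rather than between RDEFINE and PERMIT as in the numbered steps: in a RACLISTed class, access-list changes made by PERMIT are not in effect until the in-storage profiles are refreshed, so a single refresh after all changes covers both. The RLIST output in SYSTSPRT shows each profile's access list; any ID there other than the intended administrators is a finding to correct.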

Results

You can add certificate information for your own user ID if you have READ access to the IRR.DIGTCERT.ADD profile in the FACILITY class. You can add certificate information for other user IDs if you have UPDATE access to the IRR.DIGTCERT.ADD profile in the FACILITY class. If you have RACF SPECIAL authority, you can execute RACDCERT ADD for any user ID. With SPECIAL authority you can also generate a digital certificate for any RACF-defined user, or for any certificate authority or site certificate.