Steps for authorizing the IKE daemon to RACF

The commands used to authorize the IKE daemon to RACF® are in EZARACF in the SEZAINST data set.

Procedure

Perform the following steps to authorize the IKE daemon to RACF:

  1. Add user ID IKED and define a STARTED class profile that assigns that user ID to the IKED started task. The commands differ depending on whether IKED runs with UID 0 or with a nonzero UID.
    • If IKED is defined using UID 0:
      ADDUSER  IKED     DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0)  HOME('/'))
      RDEFINE  STARTED  IKED.*            STDATA(USER(IKED))
      PERMIT   BPX.DAEMON CLASS(FACILITY) ID(IKED)     ACCESS(READ)
      SETROPTS RACLIST(STARTED) REFRESH
      SETROPTS GENERIC(STARTED)  REFRESH
    • If IKED is defined using a nonzero UID (for example, 300) and a group IKE with a nonzero GID (for example, 931), IKED needs the following access and directory setup:
      ADDGROUP IKE OMVS(GID(931))
      ADDUSER  IKED DFLTGRP(IKE) OMVS(UID(300) HOME('/var/ike/'))  NOPASSWORD
      CONNECT  IKED GROUP(IKE) UACC(READ)
      RDEFINE  STARTED  IKED.*            STDATA(USER(IKED))
      PERMIT   BPX.DAEMON CLASS(FACILITY) ID(IKED)     ACCESS(READ)
      SETROPTS RACLIST(STARTED) REFRESH
      SETROPTS GENERIC(STARTED) REFRESH
      1. Make the /var directory accessible to all users. The procedure uses the following command:
        chmod 777 /var
        This makes /var world-writable. IKED itself needs only search (execute) access to /var in order to reach /var/ike and /var/sock, so if a world-writable /var is not acceptable under your site's standards, a mode such as 755 satisfies IKED's requirement; check any other daemons that create files directly in /var before narrowing it.
      2. If the /var/ike directory does not already exist, use a superuser ID to create it and modify this directory using the following commands:
        mkdir /var/ike/ 
        chown IKED /var/ike
        chgrp IKE /var/ike
        chmod 770 /var/ike
      3. If the /var/sock/ directory does not already exist, use a superuser ID to create it and set the access to all using the following commands:
        mkdir /var/sock/
        chown 0 /var/sock
        chmod 777 /var/sock
      4. Define the RACF profile that allows IKED to retrieve IP security policies from Policy Agent. In the profile name, sysname is the MVS system name and the * in the image position matches any TCP/IP stack; because the profile is generic, refresh the generic profiles for the SERVAUTH class after defining it:
        RDEFINE SERVAUTH EZB.PAGENT.sysname.*.IPSEC UACC(NONE)
        PERMIT EZB.PAGENT.sysname.*.IPSEC CLASS(SERVAUTH) ID(IKED) ACCESS(READ)
        SETROPTS RACLIST(SERVAUTH) REFRESH
        SETROPTS GENERIC(SERVAUTH) REFRESH
      5. Permit IKED to issue console messages directly without the BPXM023I message prefix:
        RDEFINE FACILITY BPX.CONSOLE UACC(NONE)
        PERMIT BPX.CONSOLE CLASS(FACILITY) ID(IKED) ACCESS(READ)
        SETROPTS RACLIST(FACILITY) REFRESH
  2. Allow IKED to read SYS1.PARMLIB. CLASS is omitted because PERMIT defaults to the DATASET class:
    PERMIT   SYS1.PARMLIB  ID(IKED)        ACCESS(READ)
  3. Enable IKED to access the certificates it uses for IKE authentication. The required access depends on whether they are site certificates.
    • If the certificates used by IKED are not site certificates, enable IKED to read the certificates on an ESM key ring by issuing the following commands:
      RDEFINE  FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
      RDEFINE  FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
      PERMIT   IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IKED) ACCESS(READ)
      PERMIT   IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(IKED) ACCESS(READ)
      SETROPTS RACLIST(FACILITY) REFRESH
    • If the certificates used by IKED are site certificates, it needs the higher access levels below (UPDATE on IRR.DIGTCERT.LISTRING and CONTROL on IRR.DIGTCERT.GENCERT), which RACF requires to retrieve the private key of a SITE certificate from a key ring:
      RDEFINE  FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
      RDEFINE  FACILITY IRR.DIGTCERT.LIST     UACC(NONE)
      RDEFINE  FACILITY IRR.DIGTCERT.GENCERT  UACC(NONE)
      PERMIT   IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IKED) ACCESS(UPDATE)
      PERMIT   IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(IKED) ACCESS(READ)
      PERMIT   IRR.DIGTCERT.GENCERT  CLASS(FACILITY) ID(IKED) ACCESS(CONTROL)
      SETROPTS RACLIST(FACILITY) REFRESH
  4. Allow IKED to make itself nonswappable. If the BPX.STOR.SWAP resource is defined in the FACILITY class, grant IKED READ access to it with the following commands:
    PERMIT BPX.STOR.SWAP CLASS(FACILITY) ID(IKED) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
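The directory layout that step 1 requires for a nonzero-UID IKED can be verified from a z/OS UNIX shell before the daemon is started. The following script is an added example, not part of the IBM documentation or of the product; it assumes the values used on this page (user IKED with UID 300, group IKE with GID 931, /var/ike at mode 770 owned by IKED:IKE, /var/sock at mode 777 owned by UID 0) and checks /var only for the search permission IKED actually needs rather than for mode 777. The --check flag and the optional ROOT prefix are conventions of this script, not of IKED. It uses only ls -ldn, which is available under z/OS UNIX and other POSIX shells.

```shell
#!/bin/sh
# Added example (not from the IBM z/OS documentation): verify the z/OS UNIX
# directory layout that the nonzero-UID IKED procedure expects.
# Assumed values (taken from this page): user IKED = UID 300, group IKE = GID 931,
# /var/ike mode 770 owned by IKED:IKE, /var/sock mode 777 owned by UID 0.
# Only "ls -ldn" is used, so it runs under z/OS UNIX or any POSIX sh.

# check_dir DIR PERMS UID GID
#   PERMS is the 9-character symbolic mode (e.g. rwxrwx---); UID and GID are
#   numeric, or "-" to skip that comparison. Prints OK/FAIL, returns 0 on match.
check_dir() {
    dir=$1; want_perm=$2; want_uid=$3; want_gid=$4
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: directory does not exist"
        return 1
    fi
    # "ls -ldn" prints numeric owner/group: "drwxrwx--- 2 300 931 ... /var/ike"
    set -- $(ls -ldn "$dir")
    have_perm=$(printf '%s\n' "$1" | cut -c2-10)   # drop the leading "d"
    have_uid=$3
    have_gid=$4
    status=0
    [ "$have_perm" = "$want_perm" ] ||
        { echo "FAIL $dir: mode $have_perm, want $want_perm"; status=1; }
    [ "$want_uid" = - ] || [ "$have_uid" = "$want_uid" ] ||
        { echo "FAIL $dir: owner UID $have_uid, want $want_uid"; status=1; }
    [ "$want_gid" = - ] || [ "$have_gid" = "$want_gid" ] ||
        { echo "FAIL $dir: group GID $have_gid, want $want_gid"; status=1; }
    [ "$status" -eq 0 ] && echo "OK   $dir ($have_perm $have_uid:$have_gid)"
    return "$status"
}

# check_search DIR
#   IKED only has to traverse /var to reach /var/ike and /var/sock, so this
#   requires the "others" search (x) bit instead of insisting on mode 777.
check_search() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: directory does not exist"
        return 1
    fi
    set -- $(ls -ldn "$dir")
    case $1 in
        ?????????[xt]*) echo "OK   $dir is searchable by others ($1)"; return 0 ;;
        *)              echo "FAIL $dir: others lack search (x) permission ($1)"; return 1 ;;
    esac
}

# check_iked_layout [ROOT]
#   ROOT prefixes every path; leave it empty on the real system.
check_iked_layout() {
    root=${1:-}
    rc=0
    check_search "$root/var"                     || rc=1
    check_dir "$root/var/ike"  rwxrwx--- 300 931 || rc=1
    check_dir "$root/var/sock" rwxrwxrwx 0   -   || rc=1
    return "$rc"
}

# Run the checks only when invoked as "sh iked_dirs.sh --check [ROOT]" so the
# file can also be sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    check_iked_layout "${2:-}"
    exit $?
fi
```

Run it as sh iked_dirs.sh --check on the target system (a second argument prefixes the paths, which is useful for exercising it against a scratch tree); it prints one OK or FAIL line per check and exits nonzero if any check fails. The RACF profiles and permissions from the other steps are not covered here; confirm those from TSO with RLIST for the FACILITY, SERVAUTH and STARTED profiles and LISTUSER IKED OMVS for the UID, GID and home directory.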