Configure RACF services for the DCAS
This section describes how to configure RACF services for the DCAS, including the following three subtopics:
- Define a User ID as superuser to OMVS Services
- Provide a User ID with Access to MVS.SERVMGR.DCAS
- Provide a RACF Definition for MVS Startup
For information on RACF commands, refer to https://www.ibm.com/docs/en/zos/3.1.0?topic=racf-zos-security-server-command-language-reference.
In the following example RACF commands, italicized items should be replaced with values appropriate for your environment. Refer to Setting up RACF for DCAS for more details.
Define a User ID as superuser to OMVS Services
The DCAS server runs as a system daemon and must be started under a controlled user ID (that is, not an end-user or system programmer user ID) that has superuser authority. To define the user ID to use OMVS services, use the following command:
ADDUSER dcasid DFLTGRP(OMVSGRP) OMVS(UID(0) HOME('/'))
where dcasid is the name of the user ID.
Provide a User ID with Access to MVS.SERVMGR.DCAS
RDEFINE OPERCMDS (MVS.SERVMGR.DCAS) UACC(NONE)
PERMIT MVS.SERVMGR.DCAS CLASS(OPERCMDS) ACCESS(CONTROL) ID(dcasid)
SETROPTS RACLIST(OPERCMDS) REFRESH
where dcasid is the name of the user ID.
Provide a RACF Definition for MVS Startup
RDEFINE STARTED DCAS.* STDATA(USER(dcasid))
SETROPTS RACLIST(STARTED) REFRESH
where dcasid is the name of the user ID.
If CLIENTAUTH LOCAL2 is coded in the DCAS configuration file, you must, at a minimum, use RACF to associate the client certificate with a valid user ID. You can do this using the RACDCERT ADD command. The user ID can be the one associated with the DCAS itself or any other valid user ID. If you want additional checking, you must activate the SERVAUTH class, define an EZA.DCAS.cvtsysname profile, and permit the user ID associated with the client certificate to access that profile.
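
The CLIENTAUTH LOCAL2 setup described above, written out as a RACF command sequence and followed by listing commands that confirm it. This is an added example, not taken from the original page. The user ID certuser, the data set name, and the certificate label are constructed placeholders, and ACCESS(READ) on the SERVAUTH profile is an assumption.

```racf
/* Added example. certuser, the data set name and the label are    */
/* constructed placeholders; replace them with your own values.    */

/* 1. Associate the client certificate with a valid user ID.       */
/*    The data set holds the certificate received from the client. */
RACDCERT ID(certuser) ADD('CERTUSER.DCAS.CLIENT.CERT') TRUST WITHLABEL('DCAS client cert')

/* 2. Optional additional checking: activate SERVAUTH and protect  */
/*    the DCAS profile. Replace cvtsysname with the system name.   */
/*    UACC(NONE) denies every user ID that is not permitted below. */
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
RDEFINE SERVAUTH EZA.DCAS.cvtsysname UACC(NONE)

/* 3. Permit only the user ID mapped to the client certificate.    */
/*    ACCESS(READ) is an assumption of this example.               */
PERMIT EZA.DCAS.cvtsysname CLASS(SERVAUTH) ID(certuser) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH

/* 4. Confirm the result: the certificate should be listed under   */
/*    certuser with status TRUST, and the access list should hold  */
/*    only the user IDs you intended.                              */
RACDCERT ID(certuser) LIST
RLIST SERVAUTH EZA.DCAS.cvtsysname AUTHUSER

/* 5. Confirm the definitions from the earlier sections.           */
LISTUSER dcasid OMVS
RLIST OPERCMDS MVS.SERVMGR.DCAS AUTHUSER
RLIST STARTED DCAS.* STDATA
```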