If you need to know more about the PARMGEN configuration tool for the ITM z/OS environment, here are a couple of videos about it.
What is PARMGEN
Convert an ICAT RTE to PARMGEN and Upgrade the Products
In this post I talked about securing the Enhanced 3270 User Interface with RACF.
Since then a new level of the base code (FMID HKOB700), called Interim Feature One (IF1), has arrived in the form of PTF UA69877. But before you go off and apply that, don't! Instead apply UA70618, which fixes some issues with the original IF1 code that may affect certain users.
In the hold doc (you do read all the hold doc, don't you!) for UA70618 are instructions for setting up new RACF profiles that may be needed if you are using security to protect the Enhanced 3270 User Interface environment. These are the new resources being checked:
- KOBUI.USER.COMMAND.<command_name>
- KOBUI.ADMIN.PREFS.AUTOUPDATE
- KOBUI.ADMIN.LISTUSERS
- KOBUI.ADMIN.TRACE.UI.<trace_type>
- KOBUI.ADMIN.TRACE.INTERNAL.<trace_type>
- KOBUI.ADMIN.USEHUB.<hub_name>
- KOBUI.ADMIN.MEMBER.WRITE.<dd_name>.<member_name>
- KOBUI.ADMIN.ITM.<hub_name>.SERVICEINDEX
- KOBUI.ADMIN.ITM.<hub_name>.<servicepoint_name>.SERVICECONSOLE
- KOBUI.ADMIN.ITM.<hub_name>.<servicepoint_name>.SOAPCONSOLE
- SYSTEM.<managed_system_name>.<table_name>
You could protect these with the following three generic RACF profiles:
PERMIT KOBUI.USER.**
PERMIT KOBUI.ADMIN.**
PERMIT SYSTEM.**
Recently I came across a problem where a customer needed additional RACF profiles set up in order to log on to the Enhanced 3270 UI. These are:
The easiest way to add these would be with a UACC of READ, but your installation standards may require a different implementation. I believe a tech note will be forthcoming on the issue soon.
This particular customer had a catch-all profile of * in the RACF class with a UACC of NONE, so any resource that was not specifically permitted was rejected. If you do not have such a profile in the class used by the Enhanced 3270 UI, a request for a resource with no matching profile is allowed by default, which means anyone can do anything you have not specifically locked down. That is the least work to get the E3270UI up, but it fails open: every resource the UI starts checking after a PTF such as UA70618 is silently permitted. The catch-all * profile with UACC(NONE) fails closed instead, at the cost that every resource the UI checks, including the ones added by new maintenance, must be covered by a profile before users can log on.
There are a variety of ways to secure the Enhanced 3270 User Interface (E3270UI) with RACF: you can control who can log on to the E3270UI, which managed systems and data they can see, and which Take Action commands they can issue.
You enable RACF security by coding RTE_SECURITY_CLASS=RACF_classname in the PARMGEN Run Time Environment (RTE) member, where RACF_classname is the general resource class that will hold the profiles described below. If you code RTE_SECURITY_CLASS=OMEGDEMO, only user ID validation (the user ID and password) takes place at E3270UI logon time and no other security checking is done. This can be useful for proof-of-concept installs to minimize the work needed to bring the system up initially, but it should not be left in place once real data is being monitored.
Within the specified RACF resource class, the following profiles control various aspects of the user's experience:
- KOB.LOGON – READ access to this profile allows the user to log on to the E3270UI.
- Kproduct_code.managed_system_name.table – READ access to these profiles controls a user's ability to view data.
  - product_code is CP for CICS and M5 for z/OS.
  - managed_system_name (or originnode) is the fully qualified name of the managed system.
  - For CICS, the managed system name of a CICS region is of the form padded_smfid.cicsname, where padded_smfid is the SMF ID of the host system, padded with trailing underscores if it is less than 4 characters long, and cicsname is the job, started task or MODIFY name of the CICS region. The managed system name of a CICSplex is of the form cicsplex_name::CICSPLEX.
  - For z/OS, the managed system name of an LPAR is of the form plexname:smfid:MVSSYS and the managed system name of the sysplex is of the form plexname:MVS:SYSPLEX.
  - table is the name of the attribute table, e.g. CICSROV for the CICS Region Overview. You can view the queries within each workspace in the TKANWENU library to see which tables they query.
- Kproduct_code.managed_system_name.TAKEACTION – UPDATE access to these profiles controls the user's ability to issue Take Action commands.
A basic set of RACF profiles for the CICS and z/OS products might look like this:
KCP.**.TAKEACTION* (G) UACC(NONE)
KM5.**.TAKEACTION* (G) UACC(NONE)
KOB.LOGON.** (G) UACC(NONE)
KM5.** (G) UACC(READ)
KCP.** (G) UACC(READ)
Giving a user READ access to the KOB.LOGON.** profile would allow them to log on to the E3270UI, and the KM5.** and KCP.** profiles with UACC(READ) would allow them to see data for the z/OS and CICS products. Only users with UPDATE authority to the KM5.**.TAKEACTION* and KCP.**.TAKEACTION* profiles would be able to issue Take Action commands: RACF uses the most specific matching profile, so for a TAKEACTION resource those UACC(NONE) profiles override the UACC(READ) of KM5.** and KCP.**.
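Putting the profiles above into RACF commands, as an added example (this is not IBM-supplied code): the REXX exec below issues the basic profile set from this post, the catch-all * profile with UACC(NONE) discussed in the UA70618 note earlier on this page, and the three generic profiles for the IF1 KOBUI.USER, KOBUI.ADMIN and SYSTEM resources listed there. The class name OMEGSEC and the groups E3270USR, E3270OPR and E3270ADM are assumptions; substitute the class you coded on RTE_SECURITY_CLASS (it must already be defined in the class descriptor table) and your own groups. The access level for the IF1 resources is assumed to be READ; confirm it against the hold doc.

```rexx
/* REXX - Define E3270UI RACF profiles under TSO.                        */
/* Added example, not IBM-supplied code. Assumed (hypothetical) names:   */
/*   OMEGSEC  - the class coded on RTE_SECURITY_CLASS                     */
/*   E3270USR - group allowed to log on and view data                     */
/*   E3270OPR - group allowed to issue Take Action commands               */
/*   E3270ADM - group allowed the IF1 KOBUI.ADMIN functions               */
class  = 'OMEGSEC'
users  = 'E3270USR'
opers  = 'E3270OPR'
admins = 'E3270ADM'

/* Activate the class and turn on generic profiles (needed for * and **) */
call racf "SETROPTS CLASSACT("class") GENERIC("class")"

/* Fail closed: a resource with no matching profile would be allowed, so */
/* a catch-all with UACC(NONE) turns anything not covered below into a   */
/* denial. Everything the UI checks must then be covered by a profile.   */
call racf "RDEFINE" class "* UACC(NONE)"

/* Logon: READ on KOB.LOGON is what lets a user into the E3270UI         */
call racf "RDEFINE" class "KOB.LOGON.** UACC(NONE)"
call racf "PERMIT KOB.LOGON.** CLASS("class") ID("users") ACCESS(READ)"

/* Data: READ on Kpp.<managed_system>.<table>. UACC(READ) lets every     */
/* logged-on user see all z/OS (M5) and CICS (CP) data.                  */
call racf "RDEFINE" class "KM5.** UACC(READ)"
call racf "RDEFINE" class "KCP.** UACC(READ)"

/* Take Action: UPDATE required. RACF uses the most specific matching    */
/* profile, so these override the UACC(READ) of KM5.** and KCP.**        */
call racf "RDEFINE" class "KM5.**.TAKEACTION* UACC(NONE)"
call racf "RDEFINE" class "KCP.**.TAKEACTION* UACC(NONE)"
call racf "PERMIT KM5.**.TAKEACTION* CLASS("class") ID("opers") ACCESS(UPDATE)"
call racf "PERMIT KCP.**.TAKEACTION* CLASS("class") ID("opers") ACCESS(UPDATE)"

/* IF1 (UA70618) resources: KOBUI.USER.COMMAND.<cmd>, KOBUI.ADMIN.*,     */
/* SYSTEM.<managed_system>.<table>. READ is an assumption; check the     */
/* hold doc for the level each resource actually requires.               */
call racf "RDEFINE" class "KOBUI.USER.** UACC(NONE)"
call racf "PERMIT KOBUI.USER.** CLASS("class") ID("users") ACCESS(READ)"
call racf "RDEFINE" class "KOBUI.ADMIN.** UACC(NONE)"
call racf "PERMIT KOBUI.ADMIN.** CLASS("class") ID("admins") ACCESS(READ)"
call racf "RDEFINE" class "SYSTEM.** UACC(NONE)"
call racf "PERMIT SYSTEM.** CLASS("class") ID("users") ACCESS(READ)"

/* If the class is RACLISTed, none of the above is seen until refreshed  */
call racf "SETROPTS RACLIST("class") REFRESH"
exit 0

/* Issue one RACF command and report a non-zero return code              */
racf: procedure
  parse arg cmd
  address tso cmd
  if rc <> 0 then say 'RC=' || rc 'from' cmd
return rc
```

Run it from TSO, or in batch under IKJEFT01, with an ID that has the RACF authority to define profiles in the class. Each command's return code is reported so that a failed RDEFINE (for example a profile that already exists) or a RACLIST REFRESH against a class that is not RACLISTed is not missed; the intended effect is exactly the split the post describes, with logon, data viewing and Take Action each gated by its own profile and anything else denied by the catch-all.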