How can I replicate the RACF definitions for MQ on z/OS?

If you are the very careful person who makes all updates to RACF only through batch jobs, then this is easy – take the old jobs, and change the queue manager name and rerun them.

For the other 99.99% of us,  read on…

Even if you have been careful to keep track of any changes to security definitions,  someone else may have made a change either using the native TSO commands, or via the ISPF panels. 
You can list the RACF database, but there is no easy way of listing the RACF database in command format, to allow you to do a global rename, and submit the commands.

I have found two ways of extracting the RACF definitons.

1. Using an unloaded copy of the RACF database
2. Using RACF commands to extract and recreate the requests

Using an unloaded copy of the RACF database

I discovered dbsync on a RACF tools repository which does most of the hard work.   You can run a RACF utility to unload the RACF database into a flat file (omitting sensitive information like passwords etc).  Dbsync is a rexx program which takes two copies of an unloaded database, and generates the RACF commands for the differences. I simply used my existing unloaded file and a null file, and got out the commands to create all of the entries.

The steps are

1. Unload the RACF database
2. Get dbsync into your z/OS system
3. Run DBsync
4. Edit the files, and remove all lines which are not relevant
5. Run the output to create/modify the definitions

Unload the database

//IBMUSUN JOB 1,MSGCLASS=H 
//* use the TSO RVARY command to display databases 
//UNLOAD EXEC PGM=IRRDBU00,PARM=NOLOCKINPUT 
//SYSPRINT DD SYSOUT=* 
//INDD1 DD DISP=SHR,DSN=SYS1.RACFDS 
//OUTDD DD DISP=(MOD,CATLG),DSN=COLIN.RACF.UNLOAD, 
// SPACE=(CYL,(1,1)),DCB=(LRECL=4096,RECFM=VB,BLKSIZE=13030)

Of course this assumes you have the authority to create this file.  If not ask a friendly sysprog to run the command, edit the to output delete all records which do not have MQ in them.

Run dbsync

I had to make the following changes

1. Dataset 1 was the dataset I created above
2. Dataset 2 was a dummy

Modify the sort step to output to a temporary output file

//COLINRA JOB 1,MSGCLASS=H 
//* ftp://public.dhe.ibm.com/eserver/zseries/zos/racf/dbsync/ 
//SORT1 EXEC PGM=SORT 
//SYSOUT DD SYSOUT=* 
//SORTIN DD DISP=SHR,DSN=COLIN.RACF.UNLOAD 
//SORTOUT DD DISP=(NEW,PASS),DSN=&TEMP1,SPACE=(CYL,(1,1)) 
//SYSIN DD * 
SORT FIELDS=(5,2,CH,A,7,1,AQ,A,8,549,CH,A) 
ALTSEQ CODE=(F080,F181,F282,F383,F484,F585,F686,F787,F888,F989, 
C191,C292,C393,C494,C595,C696,C797,C898,C999, 
D1A1,D2A2,D3A3,D4A4,D5A5,D6A6,D7A7,D8A8,D9A9, 
E2B2,E3B3,E4B4,E5B5,E6B6,E7B7,E8B8,E9B9) 
OPTION VLSHRT,DYNALLOC=(SYSDA,3) 
/* 

Delete the sort of the other data set – as I was using a dummy file

Run dbsync

I changed the bold lines below, the template JCL had

//OUTSCD1 DD DSN=your.dsname.for.outscd1,
// DISP=(NEW,CATLG),

so I changed

• your.dsname.for to COLIN.RACF
• NEW,CATLG to MOD,CATLG
• Upper cased the changed lines using the ucc…ucc ISPF edit line command.

//DBSYNC EXEC PGM=IKJEFT01,REGION=5000K,DYNAMNBR=50,PARM='%DBSYNC' 
//SYSPRINT DD SYSOUT=* 
//SYSTSPRT DD SYSOUT=* 
//SYSTSIN DD DUMMY 
//SYSEXEC DD DISP=SHR,DSN=COLIN.DBSYNC.REXX 
//OPTIONS DD * 
/* your options here 
//INDD1 DD DISP=SHR,DSN=*.SORT1.SORTOUT 
//INDD2 DD DUMMY 
//OUTADD1 DD DSN=COLIN.RACF.ADDFILE1, 
// DISP=(MOD,CATLG), 
// UNIT=SYSDA,SPACE=(CYL,(25,25),RLSE), 
// DCB=(RECFM=VB,LRECL=255,BLKSIZE=6400) 
etc

The output was rexx commands in a file, such as

“rdefine MQCMDS CSQ9.** owner(IBMUSER ) uacc(CONTROL )
    audit(failures(READ )) level(00)”
“permit CSQ9.** class(MQCMDS) reset”
“rdefine MQQUEUE CSQ9.** owner(IBMUSER ) uacc(NONE )
     audit(failures(READ )) level(00) warning notify(IBMUSER )”
“permit CSQ9.** class(MQQUEUE) reset”
“rdefine MQCONN CSQ9.BATCH owner(IBMUSER ) uacc(CONTROL )
    audit(failures(READ )) level(00)”
“permit CSQ9.BATCH class(MQCONN) reset”
“rdefine MQCONN CSQ9.CHIN owner(IBMUSER ) uacc(READ )
    audit(failures(READ )) level(00)”
“permit CSQ9.BATCH class(MQCONN) id(IBMUSER ) access(ALTER )”
“permit CSQ9.BATCH class(MQCONN) id(START1 ) access(UPDATE )”
“permit CSQ9.CHIN class(MQCONN) id(IBMUSER ) access(ALTER )”

You edit and run the the Rexx exec to issue the commands.

Easy – it took me less than half an hour from start to finish.

Using RACF commands to extract and recreate the requests

I found that most people do not have access to an unloaded RACF database.  My normal userid does not have the authority to create the unloaded copy. 

I put an exec up on Github.   It issues a display command for each class in MQCMDS MXCMDS MQQUEUE MXQUEUE MXTOPIC MQADMIN MXADMIN MQCONN and formats it as a RDEFINE command, and then issues the permit command to give people access to it.  It writes the output in to the file being edited.

Use ISPF to edit a member where you want the output.

Make sure the rexx exec is in the SYSPROC or SYSEXEC concatenation, for example use ISRDDN to check.

Syntax

genclass <queuemanagername>

The output is like

 /* class:MXCMDS profile:MQPA class not found 
 /* class:MXQUEUE profile:MQPA profile not found 
 /* class:MXTOPIC profile:MQPA profile not found 
 /* class:MXADMIN profile:MQPA profile not found 
RDEFINE MQCONN - 
MQPA.CICS - 
- /* Create date 07/17/20 
OWNER(ADCDA) - 
- /* Last reference Date 07/17/20 
- /* Last changed date 07/17/20 
- /* Alter count 0 
- /* Control count 0 
- /* Update count 0 
- /* Read count 0 
UACC(NONE) - 
LEVEL(0) - 
- /* Global audit NONE 
/* Permit MQPA.CICS CLASS(MQCONN ) RESET 
Permit MQPA.CICS CLASS(MQCONN ) ID(ADCDA ) ACCESS(ALTER ) 
Permit MQPA.CICS CLASS(MQCONN ) ID(START1 ) ACCESS(READ ) 
/* class:MQCONN profile:MQPA.CICS profile not found 

It includes a Permit… RESET if you want to remove all access