IBM OS/390 Security Server (RACF) Planning: Installation and Migration Place graphic in this area. Outline is keyline only. DO NOT PRINT.
OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-01
Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page xi. Second Edition, September 1996 This is a major revision of GC28-1920-00. This edition applies to Version 1 Release 2 of OS/390 (5645-001) and to all subsequent releases and modifications until otherwise indicated in new editions. Order publications through your IBM representative or the IBM branch office serving your locality. Publications are not stocked at the address below.
iii
iv OS/390 V1R2.
Contents Notices . Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . About This Book . . . . . . . . . . . . . Who Should Use This Book . . . . . . . . How to Use This Book . . . . . . . . . . . Where to Find More Information . . . . . Softcopy Publications . . . . . . . . . . RACF Courses . . . . . . . . . . . . . . IBM Systems Center Publications . . . Other Sources of Information . .
Messages . . . . . Panels . . . . . . . Publications Library Routines . . . . . . SYS1.SAMPLIB . . Templates . . . . . Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Chapter 9. Operational Considerations Enhancements to the RESTART Command Enabling and Disabling RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 10. Application Development Considerations Year 2000 Support . . . . . . . . . . . . . . . . . . . . . . OS/390 OpenEdition DCE Application Servers . . . . . . New Application Services and Security . . . . . . . . . New Application Authorization Service . . . .
viii OS/390 V1R2.
Figures 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. Copyright IBM Corp. 1994, 1996 Function Shipped In OS/390 Release 1 Security Server (RACF) . . . . Function Introduced After the Availability of OS/390 Release 1 Security Server (RACF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Function Introduced In OS/390 Release 2 Security Server (RACF) . . . Function Not Shipped In OS/390 Release 2 Security Server (RACF) . Function Not Upgraded . . .
x OS/390 V1R2.
Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program or service may be used. A functionally equivalent product, program, or service which does not infringe on any of IBM's intellectual property rights may be used instead of the IBM product, program or service.
Trademarks The following terms are trademarks of the IBM Corporation in the United States or other countries or both: AS/400 BookManager CICS CICS/ESA DB2 DFSMS DFSMS/MVS IBM IBMLink IMS Library Reader MVS MVS/ESA MVS/XA NetView OpenEdition OS/2 OS/390 Parallel Sysplex RACF RETAIN SOM SOMobjects SystemView S/390 System/390 TalkLink VM/ESA VM/XA UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Op
About This Book This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components: RACF OpenEdition DCE Security Server For information about the OpenEdition DCE Security Server, see the publications related to that component. This book provides information to guide you through the migration process from OS/390 Release 1 Security Server (RACF) or RACF 2.2 to OS/390 Release 2 Security Server (RACF).
Chapter 7, “Administration Considerations” on page 37, summarizes changes to administration procedures for the new release of RACF. Chapter 8, “Auditing Considerations” on page 45, summarizes changes to auditing procedures for the new release of RACF. Chapter 9, “Operational Considerations” on page 49, summarizes changes to operating procedures for the new release of RACF.
RACF Courses The following RACF classroom courses are also available: Effective RACF Administration, H3927 MVS/ESA RACF Security Topics, H3918 Implementing RACF Security for CICS/ESA, H3992 IBM provides a variety of educational offerings for RACF. For more information on classroom courses and other offerings, see your IBM representative, IBM Mainframe Training Solutions, GR28-5467, or call 1-800-IBM-TEACH (1-800-426-8322).
Other Sources of Information IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discussion. MVSRACF MVSRACF is available to customers through IBM's TalkLink offering. To access MVSRACF from TalkLink: 1. Select S390 (the S/390 Developers' Association) 2.
You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works1, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. The simplest way to reach this code is through the RACF home page. From the home page, click on System/390 FTP Servers under the topic, “RACF Sample Materials.” The code is also available from lscftp.pok.ibm.com through anonymous ftp. To get access: 1.
Elements and Features in OS/390 You can use the following table to see the relationship of a product you are familiar with and how it is referred to in OS/390 Release 2. OS/390 Release 2 is made up of elements and features that contain function at or beyond the release level of the products listed in the following table.
Product Name and Level OpenEdition Application Services OpenEdition DCE Base Services (OSF DCE level 1.1) OpenEdition DCE Distributed File Service (DFS) (OSF DCE level 1.
xx OS/390 V1R2.
Summary of Changes Summary of Changes for GC28-1920-01 OS/390 Release 2 This book contains new information for OS/390 Release 2 Security Server (RACF). Summary of Changes for GC28-1920-00 OS/390 Release 1 This book contains information previously presented in RACF Planning: Installation and Migration, GC23-3736, which supports RACF Version 2 Release 2. This book includes terminology, maintenance, and editorial changes. Copyright IBM Corp.
xxii OS/390 V1R2.
Chapter 1. Planning for Migration This chapter provides information to help you plan your installation's migration to the new release of RACF. Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition. A well thought-out and documented migration plan can help minimize any interruption of service.
Installation Considerations Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with the product, not in this book.) Be sure you include the following steps when planning your pre-installation activities: Obtain and install any required program temporary fixes (PTFs) or updated versions of the operating system.
Auditing Considerations Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in changes to security options, audit records, and report generation utilities. For more information, see Chapter 8, “Auditing Considerations” on page 45. Operational Considerations The installation of a new product release might introduce changes to the operating characteristics.
4 OS/390 V1R2.
Chapter 2. Release Overview This chapter lists the new and enhanced features of RACF for OS/390 Release 2. It also lists the support that has not been updated in the new release.
Figure 2 on page 6 identifies function introduced after the availability of OS/390 Release 1 Security Server (RACF). Figure 2. Function Introduced After the Availability of OS/390 Release 1 Security Server (RACF). These PTFs are shipped with OS/390 Release 2 Security Server (RACF).
OS/390 OpenEdition DCE single signon support uses to sign in an authenticated OS/390 user to DCE.
OS/390 OpenEdition OS/390 Release 2 OpenEdition adds new capabilities for which RACF provides support. Authorizing and Auditing Server Access to the CCS and WLM Services OS/390 Release 2 OpenEdition adds the capability to check whether servers are authorized to use the console communications service (CCS) and the workload manager (WLM) service.
so that the user's information can be customized independently of the user's workstation type. The SystemView Launch window lets users log on once, authenticating with their RACF password, and then get access to applications that SystemView for MVS supports by selecting an application from their customized task tree, without needing to specify a user ID and password again.
Output and notifications from commands that were directed via the AT or ONLYAT keywords. These are returned to the system on which the directed command was issued. Notifications from RACLINK commands. These are returned to the system on which the RACLINK command was issued. Output from password changes when automatic password direction is used. These are returned to the system on which the password was changed.
the IRRDCR00 module to allow customers to convert a 3-byte packed decimal date to a 4-byte packed decimal date, using RACF's interpretation of the yy value. For more information on IRRDCR00, see “Year 2000 Support” on page 51. NetView RACF has added the NGMFVSPN field to the NETVIEW segment of the RACF user profile for future use by the NetView Graphic Monitor Facility. To support this new field, a new keyword has been added to the RACF ADDUSER and ALTUSER commands, and the RACF panels have been enhanced.
The PTF must be applied to all systems in the sysplex in order for these enhancements to take effect. However, systems with and without the PTF applied can coexist in the sysplex, and there is no requirement to IPL all systems in the sysplex when the PTF is applied. Note: PTF UW90293 is not shipped with OS/390 Release 2 Security Server (RACF). You must obtain it and install it after you install OS/390 Release 2 Security Server (RACF).
Chapter 3. Summary of Changes to RACF Components for OS/390 Release 2 This chapter summarizes the new and changed components of OS/390 Release 2 Security Server (RACF). It includes summary charts for changes to the RACF: Class descriptor table (CDT) Commands Data Areas Exits Macros Messages Panels Publications Library Routines SYS1.SAMPLIB Templates Utilities Class Descriptor Table (CDT) Figure 6 lists the new classes provided in the IBM-supplied class descriptor table (ICHRRCDX).
Figure 6 (Page 2 of 2). New Classes Class Name Description Support FILE This class controls protection of shared file system (SFS) files on VM. RACF 1.10 for VM KEYSMSTR This class holds a key to encrypt DCE passwords stored in the RACF database. The profile in this class is named: OS/390 OpenEdition DCE DCE.PASSWORD.KEY The profile contains an SSIGNON segment that holds either the masked or encrypted value for the key that is used to encrypt DCE passwords.
Figure 8. Changes to RACF Commands Command Description Support all If an attempt is made to invoke a RACF command when RACF is not enabled, RACF issues message IRR418I, and the command is not processed. OS/390 Enable/Disable ADDUSER ALTUSER These commands accept the new NGMFVSPN subkeyword on the NETVIEW keyword for future use by the NetView Graphic Monitor Facility. The ALTUSER command also accepts the new NONGMFVSPN subkeyword on the NETVIEW keyword.
Data Areas Figure 9 lists changed general-use programming interface (GUPI) data areas for SAF to support RACF for OS/390 Release 2. Figure 9. Changes to SAF GUPI Data Areas Data Area Description Support ACEE This data area has been enhanced to identify a DCE client. OS/390 OpenEdition Figure 10 lists changed product-sensitive programming interface (PSPI) data areas for for RACF. Figure 10.
Figure 11. Changed Exits for RACF Exit Description Support ICHRCX01 ICHRCX02 For unauthenticated client ACEEs, the RACROUTE REQUEST=AUTH preprocessing and postprocessing exits are invoked for both the client ACEE and the server ACEE. For more information, see “Effects of OS/390 OpenEdition DCE Support on ICHRCX01, ICHRCX02, and IRRSXT00” on page 35. OS/390 OpenEdition DCE ICHRDX01 Processing of a RETPD value specified via the RACROUTE REQUEST=DEFINE preprocessing exit has changed.
New Messages The following messages are added: RACF Initialization Messages: ICH562I RACF Processing Messages: IRR418I Dynamic Parse (IRRDPI00 Command) Messages: IRR52152I RACF Database Split/Merge Utility (IRRUT400) Messages: IRR65038I Messages Issued by the RACF Subsystem: IRRB022I, IRRB077I, IRRB078I, IRRB079I, IRRB080I, IRRB081I, IRRB082I RRSF Handshaking Messages: IRRI014I, IRRI015I TARGET Command Messages: IRRM026I, IRRM027I, IRRM028I, IRRM029I, IRRM030I, IRRM031I, IRRM032I, IRRM033I, IRRM034I, IRRM03
Panels Figure 13 lists RACF panels that are changed. Figure 13. Changed Panels for RACF Panel Description Support ICHP41I ICHP42I Existing panels for user administration of the NETVIEW segment have been updated to allow a user to add, change, or delete the NGMFVSPN field. NetView Publications Library Figure 14 lists changes to the OS/390 Security Server (RACF) publications library. Figure 14.
SYS1.SAMPLIB Figure 16 identifies changes to RACF members of SYS1.SAMPLIB. Figure 16. Changes to SYS1.SAMPLIB Member Description Support IRRADULD This member has been updated with the SMF type 80 record for the new event code 65. OS/390 OpenEdition IRRADULD This member has been updated to support RACF 1.10 for VM audit records. RACF 1.10 for VM IRRADUTB This member has been updated with the SMF type 80 record for the new event code 65.
Figure 17. Changes to Templates Template Description of Change Support General A new SVFMR segment provides the following information: SystemView for MVS Group User Field Description SCRIPTN Script name PARMN Parameter list name A new OVM segment provides OpenEdition for VM information associated with a group. The segment provides the following information: Field Description GID GID binary A new DCE segment provides DCE information associated with a RACF user.
Figure 18. Changes to Utilities Utility Description of Change Support IRRADU00 The SMF data unload utility has been updated to support unloading data from audit records created on a system running RACF 1.10 for VM. This support allows RACF 1.10 for VM audit records to be processed by OS/390 Security Server (RACF). RACF 1.10 for VM IRRDBU00 The RACF database unload utility creates a new record type 0290 for the user DCE data.
Chapter 4. Planning Considerations This chapter describes the following high-level planning considerations for customers upgrading to Security Server (RACF) Release 2 from Security Server (RACF) Release 1: Migration strategy Migration paths Hardware requirements Software requirements Compatibility Migration Strategy The recommended steps for migrating to a new release of RACF are: 1. 2. 3. 4. 5. 6. Become familiar with the release documentation. Develop a migration plan for your installation.
RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT or TYPE=REPLACE before installing OS/390 Release 2 Security Server (RACF). In addition to this book you should read: – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1, – RACF Planning: Installation and Migration for RACF 2.1, and – RACF Migration and Planning for RACF 1.9.2. From RACF releases prior to 1.9 If you are on a RACF release prior to 1.9, you must install RACF 1.
Figure 19. Software Requirements for New Function Function Software Requirements OS/390 OpenEdition DCE interoperability support OpenEdition/MVS Release 3 plus APAR OW15865 (PTF UW23684) C Run Time Library plus APAR PN75309 (PTF UN90158) SOMobjects for MVS support Version 1 Release 2 of SOMobjects for MVS Compatibility This section describes considerations for compatibility between OS/390 Release 2 Security Server (RACF) and OS/390 Release 1 Security Server (RACF).
26 OS/390 V1R2.
Chapter 5. Installation Considerations This chapter describes changes of interest to the system programmer installing OS/390 Release 2 Security Server (RACF): Enabling RACF Considerations for RRSF networks Virtual storage considerations Customer additions to the CDT Templates Enabling RACF When you install OS/390 Release 2, make sure that RACF is enabled. If it is not, RACF initialization does not complete, message IFA104I is issued, and RACF does not provide security for the system.
prefix Is a value you specify with the PREFIX keyword on the TARGET command sysname Is the system name. This name must match the value in the CVTSNAME field for the system it identifies. ds_identity Is either INMSG or OUTMSG The naming convention for the workspace data sets for remote connections is now: prefix.local_luname.remote_luname.
the description of the TARGET command in OS/390 Security Server (RACF) Command Language Reference for details. If any of the INMSG or OUTMSG workspace data sets are not empty, you should rename them to follow the new naming convention. For an example of JCL to perform this task, see Figure 20 on page 30. 6. Restart the RACF subsystem address space to pick up the renamed workspace data sets and the updated code. 7. Use the IRRUT400 utility to unlock the RACF database.
//\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\// //\ \// //\ RRSFALTR: \// //\ \// //\ IDCAMS JOB to rename the workspace data sets when installing \// //\ PTF UW9ð235 (multisystem node support) \// //\ \// //\ NOTE NOTE NOTE NOTE \// //\ Please note that this job should only be run when the \// //\ RACF subsystem address space has been taken down using the \// //\ procedure that is documented in the RACF publications.
//RRSFALTR JOB 'JOB TO RENAME WORKSPACE DATA SETS',MSGLEVEL=1,1 //\ //\ USE A JOBCAT OR STEPCAT WHERE NEEDED TO POINT TO THE CATALOG //\ THAT CONTAINS THE INFORMATION NEEDED FOR YOUR DATA SETS. //\ //STEP1 EXEC PGM=IDCAMS //\ THE WORKSPACE DATA SETS THAT REFER TO THE LOCAL SYSTEM SHOULD //\ BE CHANGED AS FOLLOWS: //SYSPRINT DD SYSOUT=\ //SYSIN DD \ ALTER prefix.local-node.local-node.INMSG NEWNAME(prefix.sysname.INMSG) ALTER prefix.local-node.local-node.INMSG.INDEX NEWNAME(prefix.sysname.INMSG.
RACF Storage Considerations This section discusses storage considerations for RACF. Virtual Storage Figure 21 estimates RACF virtual storage usage, for planning purposes. Figure 21 (Page 1 of 2).
Figure 21 (Page 2 of 2). RACF Estimated Storage Usage Storage Subpool Usage How to Estimate Size ELSQA Connect group table 64 + (48 × number_of_groups_connected) In-storage generic profiles 160 + number_of_generic_profiles × (14 + average_profile_size + average_profile_name_length) RACF storage tracking table 3500 RACROUTE REQUEST=LIST profiles 52 + (number_of_profiles_in_class × 16) + (number_of_resident_profiles × (10 + average_profile_size + (1.
Templates for RACF on OS/390 Release 2 The RACF database must have templates at the Security Server (RACF) Release 2 level in order for RACF to function properly. If a Security Server (RACF) Release 2 system is sharing the database with a lower-level system (RACF 1.9, RACF 1.9.2, RACF 1.10, RACF 2.1, RACF 2.2, or Security Server (RACF) Release 1), the lower-level system is able to use the database with the Security Server (RACF) Release 2 templates. Use the IRRMIN00 utility to install the templates.
Chapter 6. Customization Considerations This chapter identifies customization considerations for RACF. For additional information, see OS/390 Security Server (RACF) System Programmer's Guide. Customer Additions to the CDT Installations must verify that classes they have added to the class descriptor table (CDT) do not conflict with new classes shipped with RACF.
– The first check uses the client ACEE. This is the ACEE that is associated with the current task. If the request is successful, the second check is performed. – The second check uses the ACEE associated with the server. This is the same ACEE that is associated with the address space. When each of these checks occurs, the RACF exits ICHRCX01 and ICHRCX02 are invoked.
Chapter 7. Administration Considerations This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide. OS/390 OpenEdition DCE The interoperation of RACF with OS/390 OpenEdition DCE enables DCE application servers on MVS to map a DCE user identity (principal) to a RACF user ID. The mapping of a DCE principal to a RACF user ID is known as cross-linking.
database. The mvsexpt utility takes a specified input file or the DCE registry for each principal specified and creates the RACF DCE segment and profiles in the RACF general resource class, DCEUUIDS. For more information on these utilities, see OpenEdition DCE Administration Guide. Although you can administer the DCEUUIDS profiles using the RACF RDEFINE and RALTER commands, it is strongly recommended that you use the OS/390 OpenEdition DCE utilities.
The MVS user must have saved the current DCE password in the RACF DCE segment by invoking the DCE storepw command. Note: Users still need to maintain their passwords for RACF and OpenEdition DCE separately, and must use the DCE storepw to keep the DCE password that is stored in RACF current. Single signon support is not intended to be used by application servers. Single signon support should be enabled only for end users.
OpenEdition Planning, and in OS/390 OpenEdition Programming: Assembler Callable Services Reference. The C language support for the pthread_security_np() function is discussed in OS/390 R2 C/C++ Run-Time Library Reference. Threads and Security An application that uses the pthread_security_np service can customize the RACF identity of a thread. Consider a DCE application server on OS/390, which accepts requests through DCE remote procedure calls (RPC).
Changes to RACF Authorization Processing Extensions have been introduced to RACF's processing of authorization requests in which both the RACF identity of the server and the RACF identity of a client of the server application are used in a resource access decision. RACF support for OpenEdition DCE introduces new indicators in the ACEE. These indicators mark the ACEE as a client ACEE.
resources. Profiles must reside in storage before RACROUTE REQUEST=FASTAUTH can be used to verify a user's access to a resource. The client/server relationship is not propagated from the application server. If the security administrator implements access control to resources that use both the server's RACF identity and the client's RACF identity in an access control decision, application servers that the security administrator does not trust should be treated as end points on OS/390.
SystemView for MVS Before an installation can use SystemView for MVS, the security administrator must: Create profiles in the SYSMVIEW class for SystemView for MVS applications. The profiles define logon script and parameter information for the applications. Authorize SystemView for MVS users to access the defined applications via the SystemView for MVS Launch window. For information about SystemView for MVS and the Launch window, see SystemView for MVS Up and Running!. Chapter 7.
44 OS/390 V1R2.
Chapter 8. Auditing Considerations This section summarizes the changes to auditing procedures for the RACF: SMF records Report writer utility SMF data unload utility The auditor must decide on appropriate global auditing options for the new classes and on which auditing reports are to be produced. See OS/390 Security Server (RACF) Auditor's Guide and OS/390 Security Server (RACF) Macros and Interfaces for more information.
Figure 23 (Page 2 of 2). Changes to SMF Records Record Type Record Field Description of Change Support 80 Relocate 65 For event code 2, this SMF record contains flags indicating the ACEE type: OS/390 OpenEdition DCE Unauthenticated client Authenticated client Server 80 Relocate 315 For event codes 28, 29, 30, 31, 32, 33, 34, 41, 44, 47, 48, 54, 55, 56, 57, 63, and 64, this SMF record contains a link value to connect client and server audit records.
Auditing OS/390 OpenEdition DCE Support RACF provides one new audit function code (94) to audit OS/390 OpenEdition DCE support. Auditing SystemView for MVS Support Depending on the auditing options selecting when using the RACF SMF data unload utility (IRRADU00), customers might see SMF records returned for the new SYSMVIEW class and type 44 relocate sections for the new SVFMR segment. Report Writer The RACF report writer has not been enhanced since RACF 1.9.2, and it will not be enhanced in the future.
48 OS/390 V1R2.
Chapter 9. Operational Considerations This section summarizes the changes to operating procedures for RACF for OS/390 Release 2. Enhancements to the RESTART Command The RESTART command has been enhanced. The new SYSNAME keyword allows an operator to restart connections to systems on a multisystem node. See OS/390 Security Server (RACF) Command Language Reference for more information.
50 OS/390 V1R2.
Chapter 10. Application Development Considerations Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures: Year 2000 support OS/390 OpenEdition DCE Application Servers Changes to the class descriptor table Programming interfaces Year 2000 Support RACF provides a date conversion routine, IRRDCR00.
The security administrator has the option of enforcing the use of both the application server's RACF identity and the RACF identity of the client in resource access control decisions. RACF support for OS/390 OpenEdition DCE introduces new indicators in the ACEE. These indicators mark the ACEE as a client ACEE. Client ACEEs are created by OS/390 OpenEdition and RACF on behalf of multithreaded unauthorized application servers on OS/390.
For more information on the convert_id_np (BPX1CID) callable service, see OS/390 OpenEdition Programming: Assembler Callable Services Reference. The C language support for the __convert_id_np() is discussed in OS/390 R2 C/C++ Run-Time Library Reference New Application Authorization Service A DCE application server on OS/390 can use DCE security services for access control to resources that are owned by the application server.
“Macros” on page 17 “Templates” on page 20 “Utilities” on page 21 “Routines” on page 19 54 OS/390 V1R2.
Chapter 11. General User Considerations RACF general users use RACF to: Log on to the system Access resources on the system Protect their own resources and any group resources to which they have administrative authority This chapter highlights new support that might affect general user procedures.
56 OS/390 V1R2.
Chapter 12. NJE Considerations Several APARs shipped on OS/390 Release 2 Security Server (RACF) have implications for NJE. APAR OW14451 OS/390 Release 2 Security Server (RACF) includes a PTF that provides functions that change the way inbound NJE jobs and NJE sysout are handled by RACF. If your installation uses NJE and RACF nodes profiles it is imperative that you read and understand this chapter before installing the new RACF release.
Actions Required With OW08457 and OW14451, group propagation and group translation has been fixed for NODES profiles, both for batch jobs and for SYSOUT. This change can significantly alter the external results of your NJE environment and your installation must decide what changes will best suit your needs. Case 1: Nodes defined to &RACLNDE. For nodes defined to the RACFVARS variable &RACLNDE, there is no change (group propagation still does not occur, and group translation was never relevant).
List all GROUPJ and GROUPS NODES profiles that have a UACC value greater than or equal to READ, recording the profile names and all keywords necessary to add them back later. Then delete them. These profiles were previously irrelevant but now could result in failing jobs or unowned SYSOUT. Note that GROUPJ and GROUPS NODES profiles with a UACC value of NONE already worked and still work as documented. Step 2: Create the NODES profile *.GROUP%.
60 OS/390 V1R2.
Chapter 13. Scenarios This chapter contains scenarios that might help you in planning your migration to Security Server (RACF) Release 2. Migrating an Existing RRSF Network to Use Multisystem Nodes If an existing RRSF network contains single-system RRSF nodes that share a RACF database, you can reconfigure the single-system RRSF nodes to a multisystem RRSF node.
2. Issue TARGET DORMANT commands from the operator's console to make all RRSF conversations dormant: prefixTARGET NODE(MIAMI1) DORMANT prefixTARGET NODE(ORLANDO) DORMANT 3. Issue a TARGET command from the operator's console to make MIAMI1 the main system on the new multisystem node MIAMI1.
5. Issue a TARGET command from the operator's console to define system SYSTEM1 as the MAIN system for the multisystem node. (Issuing this command allows you to reconfigure the node to make SYSTEM2 the main system at some future time.) prefixTARGET NODE(MIAMI1) SYSNAME(SYSTEM1) LOCAL MAIN OPERATIVE PREFIX(...) PROTOCOL(...) WORKSPACE(...) Add this command to the RACF parameter library for SYSTEM2. On ORLANDO: 1.
On MIAMI2: 1. Issue a TARGET command from the operator's console to define the connection with ORLANDO. prefixTARGET NODE(ORLANDO) OPERATIVE PREFIX(...) PROTOCOL(...) WORKSPACE(...) Add this command to the RACF parameter library for SYSTEM2. Note: The TARGET commands for SYSTEM1 and SYSTEM2 are now identical. If you want, you can now use a single RACF parameter library member for the TARGET commands for the multisystem node MIAMI1. 64 OS/390 V1R2.
Glossary A active. See also automatic password direction and command direction. access. The ability to obtain the use of a protected resource. automatic direction. An RRSF function that automatically directs commands and password-related updates to one or more remote systems. See also automatic command direction and automatic password direction. access authority. An authority related to a request for a type of access to protected resources.
user ID on the same or a different RRSF node. Before a command can be directed from one user ID to another, a user ID association must be defined between them via the RACLINK command. causes a DEFINE request. The DEFINE request replaces the RACDEF function. command interpreter. A program that reads the commands that you type in and then executes them. When you are typing commands into the computer, you are actually typing input to the command interpreter.
F (optional) supplementary group IDs, or an (optional) saved set-group-ID. FASTAUTH request. The issuing of the RACROUTE macro with REQUEST=FASTAUTH specified. The primary function of a FASTAUTH request is to check a user's authorization to a RACF-protected resource or function. A FASTAUTH request uses only in-storage profiles for faster performance. The FASTAUTH request replaces the FRACHECK function. See also authorization checking. group profile. A profile that defines a group.
is the local LU, and the LU through which communication is received is the partner LU. P local node. The RRSF node from whose point of view you are talking. For example, if MVSA and MVSB are two RRSF nodes that are logically connected, from MVSA's point of view MVSA is the local node, and from MVSB's point of view MVSB is the local node. See also remote node. partner logical unit (partner LU). Partner LUs are LUs defined to remote systems; LUs defined to the MVS system are local LUs.
Daemon processes, which do systemwide functions in user mode, such as printer spooling Kernel processes, which do systemwide functions in kernel mode, such as paging A process can run in an OpenEdition user address space, an OpenEdition forked address space, or an OpenEdition kernel address space. In an MVS system, a process is handled like a task. See also task. (4) An address space and one or more threads of control that execute within that address space, and their required system resources.
RRSF nodes that are logically connected, from MVSX's point of view MVSY is a remote node, and from MVSY's point of view MVSX is a remote node. See also local node, target node. Resource Access Control Facility (RACF). An IBM-licensed product that provides for access control by identifying and verifying users to the system, authorizing access to protected resources, logging detected unauthorized attempts to enter the system, and logging detected accesses to protected resources. resource profile.
sysplex communication. An optional RACF function that allows the system to use XCF services and communicate with other systems that are also enabled for sysplex communication. system authorization facility (SAF). An MVS component that provides a central point of control for security decisions. It either processes requests directly or works with RACF or another security product to process them. system call. In OpenEdition MVS, synonym for callable service. T target node.
OpenEdition MVS, a string that is used to identify a user. user profile. A description of a RACF-defined user that includes the user ID, user name, default group name, password, profile owner, user attributes, and other information. A user profile can include information for subsystems such as TSO and DFP. See TSO segment and DFP segment. VERIFYX request. The issuing of the RACROUTE macro with REQUEST=VERIFYX specified.
Index A ADDUSER command 15 administration classroom courses xv administration considerations migration 2 Airline Control System/MVS, support for ALCS/MVS support ALCSAUTH class 13 ALCS/MVS, support for 11 ALCSAUTH class 11, 13 ALTUSER command 15 application development considerations DCE support 51 migration 3 year 2000 support 51 audit function codes 16 auditing considerations changed SMF records 45 IRRADU00 utility 47 migration 3 OpenEdition DCE 47 OpenEdition MVS 46 report writer utility 47 SMF data unlo
DCE support (continued) auditing considerations 47 command changes 15 controlling access to R_dceruid callable service DCEUUIDS class 13 deleting RACF user IDs 42 description 6 effect on exits 35, 36 general user considerations 55 KEYSMSTR class 14 new audit function codes 16 new record type for database unload utility 22 new segment for user template 21 RACF remove ID utility 22 SMF record changes 46 user passwords 55 DCEUUIDS class 13 DIRECTRY class 11, 13, 17 disabling RACF 10, 49 G 42 E ECSA storage r
J JCICSJCT class 14, 53 JCL for renaming workspace data sets N 30 K KCICSJCT class 14, 53 KEYSMSTR class 14 L library, RACF publications changes to 19 LSQA storage requirement 32 M macros changes to 17 ICHEINTY 17 RACROUTE REQUEST=DEFINE 17 main system 9 messages changes to 17 migration recommended strategy migration considerations administration 2 application development 3 auditing 3 customization 2 general user 3 installation 2 installation-defined classes 35 operational 3 overview 1 planning 1 migrat
PLPA storage requirement 32 programming interfaces changes to CDT 13 data areas 16 new routines 19 templates 21 publications changes to RACF library 19 on CD-ROM xiv softcopy xiv R R_dceruid callable service 42 RACDBULD member of SYS1.SAMPLIB 20 RACDBUTB member of SYS1.SAMPLIB 20 RACF classroom courses xv publications on CD-ROM xiv softcopy xiv RACF 1.
SMF data unload utility auditing considerations 47 changes to 22 SMF records changes to 45 OpenEdition DCE support 46 OpenEdition services 45 SOMDOBJS class 14 SOMobjects for MVS, support for administration considerations 42 CBIND class 13 description 8 SERVER class 14 SOMDOBJS class 14 SQA storage requirement 32 storage for RACF virtual 32 storage requirement virtual for RACF 32 storepw command 55 SVFMR segment for general template 21 SYS1.
78 OS/390 V1R2.
IBM Now you can! The IBM Online Library Productivity Edition OS/390 Security Server (RACF) Information Package includes key books from a wide variety of System/390 operating system and application product libraries that refer to RACF and OS/390 Security Server (including OpenEdition DCE Security Server and RACF). You can search the information package to find all the RACF hits and hints you need.
Communicating Your Comments to IBM OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-01 If you especially like or dislike anything about this book, please use one of the methods listed below to send your comments to IBM. Whichever method you choose, make sure you send your name, address, and telephone number if you would like a reply. Feel free to comment on specific errors or omissions, accuracy, organization, subject matter, or completeness of this book.
Reader's Comments — We'd Like to Hear from You OS/390 Security Server (RACF) Planning: Installation and Migration Publication No. GC28-1920-01 You may use this form to communicate your comments about this publication, its organization, or subject matter, with the understanding that IBM may use or distribute whatever information you supply in any way it believes appropriate without incurring any obligation to you.
Reader's Comments — We'd Like to Hear from You GC28-1920-01 Fold and Tape Please do not staple IBM Cut or Fold Along Line Fold and Tape NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO.
IBM Program Number: 5645-001 Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. Drop in Back Cover Image Here.
