OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-03
OS/390 IBM Security Server (RACF) Planning: Installation and Migration GC28-1920-03
Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page vii. Fourth Edition, September 1997 This is a major revision of GC28-1920-02. This edition applies to Version 2 Release 4 of OS/390 (5647-A01) and to all subsequent releases and modifications until otherwise indicated in new editions. Order publications through your IBM representative or the IBM branch office serving your locality.
Contents Notices Trademarks ix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . About This Book . . . . . . . . . . . . . Who Should Use This Book . . . . . . . . How to Use This Book . . . . . . . . . . . Where to Find More Information . . . IBM Systems Center Publications . . . Other Sources of Information . . . . . To Request Copies of IBM Publications Summary of Changes . . . . . . . . . . . . . . . . . . . . . xi xi . xi xii xiii xiv xv . . . . . . . . . . . . . .
SYS1.SAMPLIB . . Publications Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 4. Planning Considerations . . . . . . . . . . . . . Migration Strategy . . . . . . . . . . . . . . . . . . . . . . . . . Migration Paths for OS/390 Release 4 Security Server (RACF) Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Figures 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. Copyright IBM Corp. 1994, 1997 New Callable Services . . . . . . . . . . . Changed Callable Services . . . . . . . . . New Classes . . . . . . . . . . . . . . . . . Changes to RACF Commands . . . . . . . Changes to PSPI Data Areas . . . . . . . Changed Executable Macros . . . . . . . . New Panels for RACF . . . . . . . . . . . . Changed Panels for RACF . . . . . . . . . Change to SYS1.SAMPLIB . . . . . . . . .
vi OS/390 V2R4.
Notices References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program, or service is not intended to state or imply that only IBM's product, program, or service may be used. A functionally equivalent product, program, or service which does not infringe on any of IBM's intellectual property rights may be used instead of the IBM product, program, or service.
viii OS/390 V2R4.
Trademarks The following terms are trademarks of the IBM Corporation in the United States or other countries or both: AIX/6000 BookManager CICS CICS/ESA DB2 DFSMS FFST FFST/MVS IBM IBMLink IMS Library Reader MVS/ESA MVS/XA NetView OpenEdition OS/2 OS/390 Parallel Sysplex RACF RETAIN S/390 SOMobjects System/390 SystemView TalkLink VM/ESA VM/XA UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open C
x OS/390 V2R4.
About This Book This book contains information about the Resource Access Control Facility (RACF), which is part of the OS/390 Security Server. The Security Server has two components: RACF OpenEdition DCE Security Server For information about the OpenEdition DCE Security Server, see the publications related to that component. This book provides information to guide you through the migration process from OS/390 Release 3 Security Server (RACF) or RACF to OS/390 Release 4 Security Server (RACF).
Chapter 6, “Customization Considerations” on page 29, highlights information about customizing function to take advantage of new support after the new release of RACF is installed. Chapter 7, “Administration Considerations” on page 31, summarizes changes to administration procedures for the new release of RACF. Chapter 8, “Auditing Considerations” on page 33, summarizes changes to auditing procedures for the new release of RACF.
RACF Courses The following RACF classroom courses are also available: Effective RACF Administration, H3927 MVS/ESA RACF Security Topics, H3918 Implementing RACF Security for CICS/ESA, H3992 IBM provides a variety of educational offerings for RACF. For more information on classroom courses and other offerings, see your IBM representative, IBM Mainframe Training Solutions, GR28-5467, or call 1-800-IBM-TEACH (1-800-426-8322).
Other Sources of Information IBM provides customer-accessible discussion areas where RACF may be discussed by customer and IBM participants. Other information is available through the Internet. IBM Discussion Areas Two discussion areas provided by IBM are the MVSRACF discussion and the SECURITY discussion. MVSRACF MVSRACF is available to customers through IBM's TalkLink offering. To access MVSRACF from TalkLink: 1. Select S390 (the S/390 Developers' Association). 2. Use the fastpath keyword: MVSRACF.
You can get sample code, internally-developed tools, and exits to help you use RACF. All this code works in our environment, at the time we make it available, but is not officially supported. Each tool or sample has a README file that describes the tool or sample and any restrictions on its use. The simplest way to reach this code is through the RACF home page. From the home page, click on System/390 FTP Servers under the topic, “RACF Sample Materials.” The code is also available from lscftp.pok.ibm.
xvi OS/390 V2R4.
Summary of Changes | | | Summary of Changes for GC28-1920-03 OS/390 Version 2 Release 4 | | | This book contains primarily new information for OS/390 Version 2 Release 4 Security Server (RACF). When any information appeared in an earlier release, the information that is new is indicated by a vertical line to the left of the change. Summary of Changes for GC28-1920-02 OS/390 Release 3 This book contains new information for OS/390 Release 3 Security Server (RACF).
xviii OS/390 V2R4.
Chapter 1. Planning for Migration This chapter provides information to help you plan your installation's migration to the new release of OS/390 Security Server (RACF). Before attempting to migrate, you should define a plan to ensure a smooth and orderly transition. A well thought-out and documented migration plan can help minimize any interruption of service.
Installation Considerations Before installing a new release of RACF, you must determine what updates are needed for IBM-supplied products, system libraries, and non-IBM products. (Procedures for installing RACF are described in the program directory shipped with OS/390, not in this book.) Be sure you include the following steps when planning your pre-installation activities: Obtain and install any required program temporary fixes (PTFs) or updated versions of the operating system.
Auditing Considerations Auditors who are responsible for ensuring proper access control and accountability for their installation are interested in changes to security options, audit records, and report generation utilities. For more information, see Chapter 8, “Auditing Considerations” on page 33. Application Development Considerations Application development programmers must be aware of new functions introduced in a new release of RACF.
4 OS/390 V2R4.
Chapter 2. Release Overview This chapter lists the new and enhanced functions of RACF for OS/390 Release 4 and gives a brief overview of each new function or function enhancement.
Enhancements to Support for OpenEdition Services Enhancements to RACF's support for OpenEdition services include: Extended ability to audit the use of superuser status Default USER/GROUP support provided by APAR OW26800 Extended Ability to Audit the Use of Superuser Status This support allows the auditing of the new OpenEdition spawn service. It determines when a user is a superuser and the identity of that user.
The getUMAP and getGMAP services also look for default values. If getUMAP is given a UID as input and the corresponding USER profile has no OMVS segment, the caller of the getUMAP service receives the default. If no default value is found, RACF return code 8, reason code 4 are returned by the getUMAP service. If a UID is passed to getUMAP, then it returns a user ID, which is likely to return the user ID of the default user.
The ALTUSER command allows an administrator to reset a user's password to a temporary password or a default value. This command is modified to save the old password whenever the password is reset. The PASSWORD USER (userid) command provides users and administrators with a password reset function. This command is modified to save the old password whenever the password is reset.
system. This support provides a solution to many customers that find themselves in such a situation. The PERMIT command has a new keyword to add users and groups to the conditional access list, WHEN(SYSID(...)). This keyword is allowed only for the PROGRAM class. WHEN(SYSID(...)) is similar to the existing keywords WHEN(TERMINAL(...)), WHEN(PROGRAM(...)), and WHEN(JESINPUT(...)). No class is associated with SYSID. In addition, no check is made to determine whether the value specified for SYSID is valid.
Enable/Disable Changes OS/390 Version 2 Release 4 has a new product ID that affects the enable/disable function in all of its elements including the Security Server. The ID() value used in the IFAPRDxx parmlib member needs to be "5647-A01". The remainder of the parameters remain the same. Without this necessary change to the ID() parameter, the Security Server will not initialize. In order to keep from making changes in the future, you can use the value ID(*).
Chapter 3. Summary of Changes to RACF Components for OS/390 Release 4 This chapter summarizes the new and changed components of OS/390 Release 4 Security Server (RACF). It includes the following summary charts for changes to the RACF: Callable Services Class descriptor table (CDT) Commands Data Areas Exits Macros Messages Panels SYS1.SAMPLIB Publications Library Callable Services Figure 1 lists a new callable service.
Figure 2. Changed Callable Services Callable Service Name initUSP Description If no OMVS segment is found in the user's profile, the initUSP service checks the BPX.DEFAULT.USER profile in the FACILITY class. This profile may contain a user ID in its application data field that provides a default OMVS segment. If this default is found, it is used to set the UID, HOME, and PROGRAM for the user.
Figure 3.
Figure 4 (Page 2 of 3). Changes to RACF Commands Command Description Support ALTUSER This command supports the removal of all of the user's CLAUTH authorities by using NOCLAUTH(*). TME 10 For more information on the ALTUSER NOCLAUTH keywords, see OS/390 Security Server (RACF) Command Language Reference. PERMIT The PERMIT command allows the keywords WHEN(SYSID(system-identifier ...)).
Figure 4 (Page 3 of 3). Changes to RACF Commands Command Description Support TARGET The new keyword WDSQUAL is added to the RACF TARGET command to indicate that the variable that follows will be used by RRSF as the middle qualifier for the work space data set names of the INMSG and OUTMSG queues for the local RRSF node defined by the TARGET command. WDSQUAL cannot be used for a remote node. OW24966 The format for the qualifier name is prefix.wdsqual.ds_identity.
Figure 5. Changes to PSPI Data Areas Data Area Description Support AFC This data area maps the contents for the Open Edition MVS security audit function codes. An audit function code has been added to audit when ck_priv is called from OpenEdition_spawn (BPX1SPN). Auditability of super user requests. COMP This data area maps the common SAF/RACF parameter list for Open Edition MVS security functions. A new 24-byte DSECT ADMN has been added.
RFXALET and RFXLOGS correspond to new fields in the RACROUTE REQUEST=FASTAUTH parameter list. These fields only exist in parameter lists created with RELEASE=2.4 or higher. Therefore, these fields must only be accessed when the RFXPVERS indicates Release 2.4 or higher. Macros Figure 6 lists changes to executable macros for OS/390 Release 4. These are for your information; there is no reason to modify any existing programs to specify the new release level.
RALTER Command Messages: ICH11304I SETROPTS Command Messages: ICH14042I RACF Manager Error Messages: ICH51011I RACF Processing Messages: IRR410I RACF Utility Messages: IRR67032I, IRR67034I, IRR67124I, IRR67153I, IRR67183I RRSF Enveloping Messages: IRRV002I, IRRV005I, IRRV013I, IRRV014I RACF Operational Modes and Coupling Facility Messages: IRRX013A Deleted Messages The following messages have been deleted: ICH401I, ICH402I, ICH403I, ICH404I, ICH405I, ICH406I, ICH407I, ICH410I, ICH413I, ICH536I, ICH543I, IC
Figure 7. New Panels for RACF Panel Description Support ICHP241n This panel enables you to add an entry for the conditional access list and to identify the access authority for it.
Publications Library Figure 10 lists changes to the OS/390 Security Server (RACF) publications library. Figure 10. Changes to the RACF Publications Library Publication Change OS/390 Security Server (RACF) Callable Services This publication is available only in softcopy. OS/390 Security Server (RACF) Data Areas This is no longer a licensed publication. Its new form number is SY27-2640-03. Note: You are able to print the softcopy documentation, either in its entirety or simply portions of it.
Chapter 4. Planning Considerations This chapter describes the following high-level planning considerations for customers upgrading to OS/390 Release 4 Security Server (RACF) from OS/390 Release 3 Security Server (RACF): Migration strategy Migration paths Hardware requirements Compatibility Migration Strategy The recommended steps for migrating to a new release of RACF are: 1. 2. 3. 4. 5. 6. Become familiar with the release documentation. Develop a migration plan for your installation.
– OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1.(GC28-1920-00) If you have RACF 1.9.2 installed, in addition to this book, you should read: – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 2, (GC28-1920-01) and Release 3 (GC28-1920-02) – OS/390 Security Server (RACF) Planning: Installation and Migration for OS/390 Release 1(GC28-1920-00) – RACF Planning: Installation and Migration for RACF 2.1 (GT00-9241-00) From RACF 1.
Compatibility This section describes considerations for compatibility between OS/390 Release 4 Security Server (RACF) and OS/390 Release 3 Security Server (RACF). OpenEdition MVS If you are an OpenEdition MVS user, be sure to review carefully the following information on possible changes. For Auditability of Superusers If you are not already auditing the PROCESS class, you need to decide whether you want to receive the audit records.
24 OS/390 V2R4.
Chapter 5. Installation Considerations This chapter describes the following changes of interest to the system programmer installing OS/390 Release 4 Security Server (RACF): Virtual storage considerations Templates RACF Storage Considerations This section discusses storage considerations for RACF. Using the RACF DB2 external security module increases the number of profiles in the RACF database.
Figure 11 (Page 2 of 3).
Figure 11 (Page 3 of 3).
28 OS/390 V2R4.
Chapter 6. Customization Considerations This chapter identifies customization considerations for OS/390 Release 4 Security Server (RACF). For additional information, see OS/390 Security Server (RACF) System Programmer's Guide. Customer Additions to the Router Table and the CDT Installations must verify that classes they have added to the router table and class descriptor table (CDT) do not conflict with new classes shipped with RACF.
Set the options in the RACF/DB2 external security module. To do this, see OS/390 Security Server (RACF) System Programmer's Guide. Decide which DB2 objects are to be protected using RACF. Define the appropriate profiles. To do this, see OS/390 Security Server (RACF) Security Administrator's Guide. Activate the RACF/DB2 external security module. This includes assembling and linkediting the RACF/DB2 external security module. In addition confirm that it is in the appropriate library.
Chapter 7. Administration Considerations This chapter summarizes the changes to administration procedures that the security administrator should be aware of. For more information, see OS/390 Security Server (RACF) Security Administrator's Guide. The TMEADMIN Class The new TMEADMIN class is used to associate a TME administrator with a RACF MVS identity on any MVS system that is part of a Tivoli management region (TMR).
Enhancements of Global Access Checking When you use RACROUTE REQUEST=AUTH processing (which utilizes global access checking) for general resource classes, these classes can be processed whether or not the class is RACLISTed using SETROPTS RACLIST or RACROUTE REQUEST=LIST. 32 OS/390 V2R4.
Chapter 8. Auditing Considerations This section summarizes the changes to auditing procedures for SMF records. SMF Records Figure 12 summarizes changes to SMF records created by RACF for OS/390 Release 4. These changes are general-use programming interfaces (GUPI). Figure 12.
34 OS/390 V2R4.
Chapter 9. Application Development Considerations Application development is the process of planning, designing, and coding application programs that invoke RACF functions. This section highlights new support that might affect application development procedures: Programming interfaces RELEASE=2.
36 OS/390 V2R4.
Chapter 10. General User Considerations RACF general users use RACF to: Log on to the system Access resources on the system Protect their own resources and any group resources to which they have administrative authority For more information on the output general users might receive, see OS/390 Security Server (RACF) General User's Guide.
38 OS/390 V2R4.
Glossary A automatic direction of application updates, and command direction. access. The ability to obtain the use of a protected resource. automatic direction. An RRSF function that automatically directs commands, ICHEINTY and RACROUTE macros, and password-related updates to one or more remote systems. See also automatic command direction, automatic password direction, and automatic direction of application updates. access authority.
DATASET classes. The table is generated by executing the ICHERCDE macro once for each class. The class descriptor table contains both the IBM provided classes and also the installation defined classes. resource serialization protocol that allows concurrent RACF instances to directly access and change the same database while maintaining data integrity as always. Data sharing mode requires installation of coupling facility hardware. CLAUTH. See class authority. command direction.
E entity. A user, group, or resource (for example, a DASD data set) that is defined to RACF. EXTRACT request. The issuing of the RACROUTE macro with REQUEST=EXTRACT specified. An EXTRACT request retrieves or replaces certain specified fields from a RACF profile or encodes certain clear-text (readable) data. The EXTRACT request replaces the RACXTRT function. F FASTAUTH request. The issuing of the RACROUTE macro with REQUEST=FASTAUTH specified.
L N LIST request. The issuing of the RACROUTE macro with REQUEST=LIST specified. A LIST request builds in-storage profiles for RACF-defined resources. The LIST request replaces the RACLIST function. NetView segment. The portion of a RACF profile containing NetView logon information. local logical unit (LU). Local LUs are LUs defined to the MVS system; partner LUs are defined to remote systems. It is a matter of point of view.
posit. A number specified for each class in the class descriptor table that identifies a set of flags that control RACF processing options. See the keyword description for posit in OS/390 Security Server (RACF) Macros and Interfaces. process. (1) A function being performed or waiting to be performed. (2) An executing function, or one waiting to execute.
set that is RACF-protected by a discrete profile must also be RACF-indicated. S RACROUTE macro. An assembler macro that provides a means of calling RACF to provide security functions. See also AUDIT request, AUTH request, DEFINE request, DIRAUTH request, EXTRACT request, FASTAUTH request, LIST request, SIGNON request, STAT request, TOKENBLD request, TOKENMAP request, TOKENXTR request, VERIFY request, and VERIFYX request. SAF. System authorization facility. remote logical unit (remote LU).
supervisor. The part of a control program that coordinates the use of resources and maintains the flow of processing unit operations. Synonym for supervisory routine. supervisory routine. A routine, usually part of an operating system, that controls the execution of other routines and regulates the flow of work in a data processing system. Synonymous with supervisor. syscall. In OpenEdition MVS, deprecated term for callable service. sysplex.
security program for the system. The batch job owner is specified on the USER parameter on the JOB statement or inherited from the submitter of the job. This user ID identifies a RACF user profile. OMVS user ID: A numeric value between 0 and 2147483647, called a UID (or sometimes a user number), that identifies a user to OpenEdition services. These numbers appear in the RACF user profile for the user. A user ID is equivalent to an account on a UNIX-type system. (4) A symbol identifying a system user.
How to Get Your RACF CD You can view and search the books on CD-ROM at your workstation or terminal using: The IBM BookManager Library Reader for OS/2, DOS, or Windows**, all of which are provided at no charge with each CD-ROM Any of the IBM BookManager READ licensed programs for MVS, VM, OS/2, DOS, AIX/6000, or Windows.1 The OS/390 Security Server (RACF) Information Package is available as product feature code 8004 with OS/390 or as product feature code 9006 with RACF Version 2.
48 OS/390 V2R4.
Index A access list entry conditional 23 standard 23 ACEEALET keyword 16 ADDUSER command 15 administration classroom courses xiii administration considerations migration 2 ALTUSER command 7, 13, 14, 15 application development considerations migration 3 auditing 23 auditing considerations changed SMF records 33 migration 3 superuser status 6 C callable services changed 6, 12 new 8, 11, 12 CDT see class descriptor table (CDT) class descriptor table 1 See also classes class descriptor table (CDT) changes to 1
getGMAP callable service 6, 12 getUMAP callable service 6, 12 global access checking 10 migration path (continued) from releases prior to RACF 1.
R R_Admin callable service 8, 11 RACF classroom courses xiii publications on CD-ROM xii softcopy xii RACF 1.9 migration path from 22 RACF 1.9.2 migration path from 22 RACF 2.1 migration path from 22 RACF 2.2 migration path from 21 RACF administration classroom courses xiii RACF panels changed 19 RACF releases prior to 1.
Readers' Comments — We'd Like to Hear from You OS/390 Security Server (RACF) Planning: Installation and Migration Publication No.
Readers' Comments — We'd Like to Hear from You GC28-1920-03 Fold and Tape Please do not staple IBM Cut or Fold Along Line Fold and Tape NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO.
IBM Program Number: 5647-A01 Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.
